Bugtraq mailing list archives
[Tim Newsham: ]
From: brent () miles greatcircle com (Brent Chapman)
Date: Sun, 2 Oct 1994 10:08:42 -1000
Once again, why are you posting this to Firewalls? What is its relevance? -Brent -- Brent Chapman | Great Circle Associates | Call or email for info about Brent () GreatCircle COM | 1057 West Dana Street | upcoming Internet Security +1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates ------- Forwarded Message Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [143.191.19.67]) by miles.greatcircle.com (8.6.5/Miles-941001) with ESMTP id MAA11624; Sun, 2 Oct 1994 12:57:31 -0700 Received: from localhost by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940930) id SAA04063; Sun, 2 Oct 1994 18:16:45 GMT Received: from miles.greatcircle.com by mycroft.GreatCircle.COM (8.6.5/SMI-4.1/Brent-940930) id LAA04051; Sun, 2 Oct 1994 11:16:34 -0700 Received: from relay1.Hawaii.Edu (relay1.Hawaii.Edu [128.171.41.53]) by miles.greatcircle.com (8.6.5/Miles-941001) with SMTP id LAA11293 for <firewalls () greatcircle com>; Sun, 2 Oct 1994 11:17:19 -0700 Received: from uhunix.uhcc.Hawaii.Edu ([128.171.44.6]) by relay1.Hawaii.Edu with SMTP id <11368>; Sun, 2 Oct 1994 08:16:34 -1000 Received: by uhunix.uhcc.Hawaii.Edu id <184397>; Sun, 2 Oct 1994 08:16:12 -1000 Message-Id: <94Oct2.081612hst.184397 () uhunix uhcc Hawaii Edu> From: Tim Newsham <newsham () uhunix uhcc Hawaii Edu> To: firewalls () GreatCircle COM Date: Sun, 2 Oct 1994 08:16:03 -1000 Sender: Firewalls-Owner () GreatCircle COM Precedence: bulk /* * Copyright (c) 1983 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ #ifndef lint char copyright[] = "@(#) Copyright (c) 1983 Regents of the University of California.\n\ All rights reserved\n\n\ adapted 27 April 1994 by ME.\n"; #endif not lint #ifndef lint static char sccsid[] = "@(#)rexec.c 1.31, from rsh.c 1.1"; #endif not lint /* rexec.c * * This programm uses the rexec port to execute a command on a remote * machine. Also supports interactive use. * * version 1.01 beta * tested under sunos 4.1.1 1 December 1992 * version 1.1 blocked signals on client side * tested under sunos 4.1.1 16 February 1993 * version 1.2 removed blocking, added signal forwarding, childprocess * to prevent trouble when stoping etc. snarfed lots of code from BSD rsh * tested under sunos 4.1.1 18 February 1993 * version 1.21 fixed typo. discoverd bug where rexec fails when gethostbyaddr * fails (not fixed) * tested under sunos 4.1.1 8 March 1993 * versions 1.31 rewritten on the basis of rsh. rexec now works with numeric * adresses as well, and sports an rsh type syntax (man rsh) * tested under sunos 4.1.3 C April 27 1994 * */ #include <sys/types.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <sys/file.h> #include <netinet/in.h> #include <stdio.h> #include <errno.h> #include <signal.h> #include <pwd.h> #include <netdb.h> /* * rexec - remote shell */ /* VARARGS */ int error(); char *index(), *rindex(), *malloc(), *getpass(), *sprintf(), *strcpy(); char *getlogin(); #ifndef S5EMUL char *sprintf(); #endif struct passwd *getpwuid(); int errno; int options; int rfd2; int sendsig(); int is_numeric(host,len) char *host; int len; { int j; for(j=0;j<len; j++) { if (!(isdigit(host[j]) || (host[j] == '.'))) return(0); } return(1); } rexec(ahost, rport, name, pass, cmd, fd2p) char **ahost; int rport; char *name, *pass, *cmd; int *fd2p; { int s, timo = 1, s3; long iaddr; struct sockaddr_in sin, sin2, from; char c; u_short port; struct hostent *hp; if (is_numeric(*ahost,strlen(*ahost))) iaddr = inet_addr(*ahost); else { hp = gethostbyname(*ahost); if (hp == 0) { fprintf(stderr, "%s: unknown host\n", *ahost); return (-1); } } /* * implementing this garbage properly would take to much time * It hast two purposes: * 1: it ask's for a password if necessary (not necessary in * rexec, since ALLWAYS given. * 2: it scan's the users netrc's for likely passwords. *ahost = hp->h_name; _ruserpass(hp->h_name, &name, &pass); */ retry: s = socket(AF_INET, SOCK_STREAM, 0); if (s < 0) { perror("rexec: socket"); return (-1); } if (iaddr) { sin.sin_family = AF_INET; bcopy(&iaddr, (caddr_t)&sin.sin_addr,sizeof(iaddr) ); } else { sin.sin_family = hp->h_addrtype; bcopy(hp->h_addr, (caddr_t)&sin.sin_addr, hp->h_length); } sin.sin_port = rport; if (connect(s, &sin, sizeof(sin)) < 0) { if (errno == ECONNREFUSED && timo <= 16) { (void) close(s); sleep(timo); timo *= 2; goto retry; } perror(hp->h_name); (void) close(s); return (-1); } if (fd2p == 0) { (void) write(s, "", 1); port = 0; } else { char num[8]; int s2, sin2len; s2 = socket(AF_INET, SOCK_STREAM, 0); if (s2 < 0) { (void) close(s); return (-1); } listen(s2, 1); sin2len = sizeof (sin2); if (getsockname(s2, (char *)&sin2, &sin2len) < 0 || sin2len != sizeof (sin2)) { perror("getsockname"); (void) close(s2); goto bad; } port = ntohs((u_short)sin2.sin_port); (void) sprintf(num, "%u", port); (void) write(s, num, strlen(num)+1); { int len = sizeof (from); s3 = accept(s2, &from, &len); close(s2); if (s3 < 0) { perror("accept"); port = 0; goto bad; } } *fd2p = s3; } (void) write(s, name, strlen(name) + 1); /* should public key encypt the password here */ (void) write(s, pass, strlen(pass) + 1); (void) write(s, cmd, strlen(cmd) + 1); if (read(s, &c, 1) != 1) { perror(*ahost); goto bad; } if (c != 0) { while (read(s, &c, 1) == 1) { (void) write(2, &c, 1); if (c == '\n') break; } goto bad; } return (s); bad: if (port) (void) close(*fd2p); (void) close(s); return (-1); } #define mask(s) (1 << ((s) - 1)) main(argc0, argv0) int argc0; char **argv0; { int rem, pid, argc = argc0; char *host, *cp, **ap, buf[BUFSIZ], *args, **argv = argv0, *user = 0; char *passwd, *a; register int cc; int asrexec = 0; struct passwd *pwd; int readfrom, ready; int one = 1; struct servent *sp; int omask; host = rindex(argv[0], '/'); if (host) host++; else host = argv[0]; argv++, --argc; if (!strcmp(host, "rexec")) { if (argc == 0) goto usage; if (*argv[0] != '-') { host = *argv++, --argc; asrexec = 1; } else host = 0; } another: if (argc > 0 && !strcmp(*argv, "-l")) { argv++, argc--; if (argc > 0) user = *argv++, argc--; goto another; } if (argc > 0 && !strcmp(*argv, "-n")) { argv++, argc--; (void) close(0); (void) open("/dev/null", 0); goto another; } if (argc > 0 && !strcmp(*argv, "-d")) { argv++, argc--; options |= SO_DEBUG; goto another; } if (host == 0) { if (argc == 0) goto usage; host = *argv++, --argc; asrexec = 1; } if (argv[0] == 0) asrexec = 1; else asrexec = 0; pwd = getpwuid(getuid()); if (pwd == 0) { fprintf(stderr, "who are you?\n"); exit(1); } cc = 0; for (ap = argv; *ap; ap++) cc += strlen(*ap) + 1; cp = args = malloc(cc); for (ap = argv; *ap; ap++) { (void) strcpy(cp, *ap); while (*cp) cp++; if (ap[1]) *cp++ = ' '; } passwd = getpass("Password: "); sp = getservbyname("exec", "tcp"); if (sp == 0) { fprintf(stderr, "rexec: shell/tcp: unknown service\n"); exit(1); } if (asrexec) rem = rexec(&host,sp->s_port, user ? user : pwd->pw_name,passwd, "/bin/true; exec /bin/sh -i", &rfd2); else rem = rexec(&host, sp->s_port, user ? user : pwd->pw_name,passwd, args, &rfd2); while(argc0--) { a=*argv0++; while(*a) *a++ = '\0'; } if (rem < 0) exit(1); if (rfd2 < 0) { fprintf(stderr, "rexec: can't establish stderr\n"); exit(2); } if (options & SO_DEBUG) { if (setsockopt(rem, SOL_SOCKET, SO_DEBUG, &one, sizeof (one)) < 0) perror("rexec: setsockopt (stdin)"); if (setsockopt(rfd2, SOL_SOCKET, SO_DEBUG, &one, sizeof (one)) < 0) perror("rexec: setsockopt (stderr)"); } omask = sigblock(mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM)); if (signal(SIGINT, SIG_IGN) != SIG_IGN) signal(SIGINT, sendsig); if (signal(SIGQUIT, SIG_IGN) != SIG_IGN) signal(SIGQUIT, sendsig); if (signal(SIGTERM, SIG_IGN) != SIG_IGN) signal(SIGTERM, sendsig); pid = fork(); if (pid < 0) { perror("rexec: fork"); exit(1); } ioctl(rfd2, FIONBIO, &one); ioctl(rem, FIONBIO, &one); if (pid == 0) { char *bp; int rembits, wc; (void) close(rfd2); reread: errno = 0; cc = read(0, buf, sizeof buf); if (cc <= 0) goto done; bp = buf; rewrite: rembits = 1<<rem; if (select(sizeof(int)*8, 0, &rembits, 0, 0) < 0) { if (errno != EINTR) { perror("rexec: select"); exit(1); } goto rewrite; } if ((rembits & (1<<rem)) == 0) goto rewrite; wc = write(rem, bp, cc); if (wc < 0) { if (errno == EWOULDBLOCK) goto rewrite; goto done; } cc -= wc; bp += wc; if (cc == 0) goto reread; goto rewrite; done: (void) shutdown(rem, 1); exit(0); } sigsetmask(omask); readfrom = (1<<rfd2) | (1<<rem); do { ready = readfrom; if (select(sizeof(int)*8, &ready, 0, 0, 0) < 0) { if (errno != EINTR) { perror("rexec: select"); exit(1); } continue; } if (ready & (1<<rfd2)) { errno = 0; cc = read(rfd2, buf, sizeof buf); if (cc <= 0) { if (errno != EWOULDBLOCK) readfrom &= ~(1<<rfd2); } else (void) write(2, buf, cc); } if (ready & (1<<rem)) { errno = 0; cc = read(rem, buf, sizeof buf); if (cc <= 0) { if (errno != EWOULDBLOCK) readfrom &= ~(1<<rem); } else (void) write(1, buf, cc); } } while (readfrom); (void) kill(pid, SIGKILL); exit(0); usage: fprintf(stderr, "usage: rexec [ -l login ] [ -n ] host command\n"); exit(1); /* NOTREACHED */ } sendsig(signo) char signo; { (void) write(rfd2, &signo, 1); } ------- End of Forwarded Message
Current thread:
- [Tim Newsham: ] Tim Newsham (Oct 02)
- <Possible follow-ups>
- [Tim Newsham: ] Tim Newsham (Oct 02)
- [Tim Newsham: ] Tim Newsham (Oct 02)
- [Tim Newsham: ] Brent Chapman (Oct 02)
- [Tim Newsham: ] Brent Chapman (Oct 02)