OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1994: [Tim Newsham: ]

[Tim Newsham: ]

Tim Newsham (newshamuhunix.uhcc.hawaii.edu)
Sun, 2 Oct 1994 08:16:03 -1000

/*
 * Copyright (c) 1983 Regents of the University of California.
 * All rights reserved.  The Berkeley software License Agreement
 * specifies the terms and conditions for redistribution.
 */

#ifndef lint
char copyright[] =
"(#) Copyright (c) 1983 Regents of the University of California.\n\
 All rights reserved\n\n\
 adapted 27 April 1994 by ME.\n";
#endif not lint

#ifndef lint
static  char sccsid[] = "(#)rexec.c 1.31, from rsh.c 1.1"; 
#endif not lint

/* rexec.c 
 *
 * This programm uses the rexec port to execute a command on a remote
 * machine. Also supports interactive use.
 * 
 * version 1.01 beta
 * tested under sunos 4.1.1  1 December 1992
 * version 1.1 blocked signals on client side
 * tested under sunos 4.1.1 16 February 1993
 * version 1.2 removed blocking, added signal forwarding, childprocess
 * to prevent trouble when stoping etc. snarfed lots of code from BSD rsh
 * tested under sunos 4.1.1 18 February 1993
 * version 1.21 fixed typo. discoverd bug where rexec fails when gethostbyaddr
 * fails (not fixed)
 * tested under sunos 4.1.1 8 March 1993
 * versions 1.31 rewritten on the basis of rsh. rexec now works with numeric
 * adresses as well, and sports an rsh type syntax (man rsh)
 * tested under sunos 4.1.3 C April 27 1994
 *
 */
 

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/file.h>

#include <netinet/in.h>

#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <pwd.h>
#include <netdb.h>

/*
 * rexec - remote shell
 */
/* VARARGS */
int	error();
char	*index(), *rindex(), *malloc(), *getpass(), *sprintf(), *strcpy();
char   *getlogin();
#ifndef S5EMUL
char    *sprintf();
#endif

struct	passwd *getpwuid();

int	errno;
int	options;
int	rfd2;
int	sendsig();

int is_numeric(host,len)
char *host; 
int len;
{
        int j;
        for(j=0;j<len; j++) {
                if (!(isdigit(host[j]) || (host[j] == '.')))
                        return(0);
        }
        return(1);
}               

rexec(ahost, rport, name, pass, cmd, fd2p)
        char **ahost;
        int rport;
        char *name, *pass, *cmd;
        int *fd2p;
{
        int s, timo = 1, s3;
	long iaddr;
        struct sockaddr_in sin, sin2, from;
        char c;
        u_short port;
        struct hostent *hp;
	if (is_numeric(*ahost,strlen(*ahost))) 
		iaddr = inet_addr(*ahost);
	else { 
        	hp = gethostbyname(*ahost);
        	if (hp == 0) {
                	fprintf(stderr, "%s: unknown host\n", *ahost);
                	return (-1);
        	}
        }
	/*
	 * implementing this garbage properly would take to much time
         * It hast two purposes:
	 * 1: it ask's for a password if necessary (not necessary in
         *    rexec, since ALLWAYS given.
         * 2: it scan's the users netrc's for likely passwords.
          *ahost = hp->h_name;
        _ruserpass(hp->h_name, &name, &pass);
	*/
retry:
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0) {
                perror("rexec: socket");
                return (-1);
        }
	if (iaddr) {
		sin.sin_family = AF_INET;
		bcopy(&iaddr, (caddr_t)&sin.sin_addr,sizeof(iaddr) );
	}
	else {		
 		sin.sin_family = hp->h_addrtype;
        	bcopy(hp->h_addr, (caddr_t)&sin.sin_addr, hp->h_length);
	}
	sin.sin_port = rport;
        if (connect(s, &sin, sizeof(sin)) < 0) {
                if (errno == ECONNREFUSED && timo <= 16) {
                        (void) close(s);
                        sleep(timo);
                        timo *= 2;
                        goto retry;
                }
                perror(hp->h_name);
                (void) close(s);
                return (-1);
        }
        if (fd2p == 0) {
                (void) write(s, "", 1);
                port = 0;
        } else {
                char num[8];
                int s2, sin2len;
                
                s2 = socket(AF_INET, SOCK_STREAM, 0);
                if (s2 < 0) {
			(void) close(s);
                        return (-1);
                }
                listen(s2, 1);
                sin2len = sizeof (sin2);
                if (getsockname(s2, (char *)&sin2, &sin2len) < 0 ||
                  sin2len != sizeof (sin2)) {
                        perror("getsockname");
                        (void) close(s2);
                        goto bad;
                }
                port = ntohs((u_short)sin2.sin_port);
                (void) sprintf(num, "%u", port);
                (void) write(s, num, strlen(num)+1);
                { int len = sizeof (from);
                  s3 = accept(s2, &from, &len);
                  close(s2);
                  if (s3 < 0) {
                        perror("accept");
                        port = 0;
                        goto bad;
                  }
                }
	 *fd2p = s3;
        }
        (void) write(s, name, strlen(name) + 1);
        /* should public key encypt the password here */
        (void) write(s, pass, strlen(pass) + 1);
        (void) write(s, cmd, strlen(cmd) + 1);
        if (read(s, &c, 1) != 1) {
                perror(*ahost);
                goto bad;
        }
        if (c != 0) {
                while (read(s, &c, 1) == 1) {
                        (void) write(2, &c, 1);
                        if (c == '\n')
                                break;
                }
                goto bad;
        }
        return (s);
bad:
        if (port)
                (void) close(*fd2p);
        (void) close(s);
     return (-1);
}

#define	mask(s)	(1 << ((s) - 1))

main(argc0, argv0)
	int argc0;
	char **argv0;
{
	int rem, pid, argc = argc0;
	char *host, *cp, **ap, buf[BUFSIZ], *args, **argv = argv0, *user = 0;
	char *passwd, *a;
	register int cc;
	int asrexec = 0;
	struct passwd *pwd;
	int readfrom, ready;
	int one = 1;
	struct servent *sp;
	int omask;

	host = rindex(argv[0], '/');
	if (host)
		host++;
	else
		host = argv[0];
	argv++, --argc;
	if (!strcmp(host, "rexec")) {
		if (argc == 0)
			goto usage;
		if (*argv[0] != '-') {
			host = *argv++, --argc;
			asrexec = 1;
		} else
			host = 0;
	}
another:
	if (argc > 0 && !strcmp(*argv, "-l")) {
		argv++, argc--;
		if (argc > 0)
			user = *argv++, argc--;
		goto another;
	}
	if (argc > 0 && !strcmp(*argv, "-n")) {
		argv++, argc--;
		(void) close(0);
		(void) open("/dev/null", 0);
		goto another;
	}
	if (argc > 0 && !strcmp(*argv, "-d")) {
		argv++, argc--;
		options |= SO_DEBUG;
		goto another;
	}
	if (host == 0) {
                if (argc == 0)
                        goto usage;
                host = *argv++, --argc;
                asrexec = 1;
        }
        if (argv[0] == 0)
		asrexec = 1;
	else
		asrexec = 0;		
	pwd = getpwuid(getuid());
	if (pwd == 0) {
		fprintf(stderr, "who are you?\n");
		exit(1);
	}
	cc = 0;
	for (ap = argv; *ap; ap++)
		cc += strlen(*ap) + 1;
	cp = args = malloc(cc);
	for (ap = argv; *ap; ap++) {
		(void) strcpy(cp, *ap);
		while (*cp)
			cp++;
		if (ap[1])
			*cp++ = ' ';
	}
	passwd = getpass("Password: ");
	sp = getservbyname("exec", "tcp");
	if (sp == 0) {
		fprintf(stderr, "rexec: shell/tcp: unknown service\n");
		exit(1);
	}
	if (asrexec)
		rem = rexec(&host,sp->s_port, user ? user : pwd->pw_name,passwd,
			    "/bin/true; exec /bin/sh -i", &rfd2);
	else 
                rem = rexec(&host, sp->s_port,
	    user ? user : pwd->pw_name,passwd, args, &rfd2);
	while(argc0--) {
		a=*argv0++;
		while(*a) *a++ = '\0';
	}
        if (rem < 0)
                exit(1);
	if (rfd2 < 0) {
		fprintf(stderr, "rexec: can't establish stderr\n");
		exit(2);
	}
	if (options & SO_DEBUG) {
		if (setsockopt(rem, SOL_SOCKET, SO_DEBUG, &one, sizeof (one)) < 0)
			perror("rexec: setsockopt (stdin)");
		if (setsockopt(rfd2, SOL_SOCKET, SO_DEBUG, &one, sizeof (one)) < 0)
			perror("rexec: setsockopt (stderr)");
	}
	omask = sigblock(mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM));
	if (signal(SIGINT, SIG_IGN) != SIG_IGN)
		signal(SIGINT, sendsig);
	if (signal(SIGQUIT, SIG_IGN) != SIG_IGN)
		signal(SIGQUIT, sendsig);
	if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
		signal(SIGTERM, sendsig);
        pid = fork();
        if (pid < 0) {
		perror("rexec: fork");
                exit(1);
        }
	ioctl(rfd2, FIONBIO, &one);
	ioctl(rem, FIONBIO, &one);
        if (pid == 0) {
		char *bp; int rembits, wc;
		(void) close(rfd2);
	reread:
		errno = 0;
		cc = read(0, buf, sizeof buf);
		if (cc <= 0)
			goto done;
		bp = buf;
	rewrite:
		rembits = 1<<rem;
		if (select(sizeof(int)*8, 0, &rembits, 0, 0) < 0) {
			if (errno != EINTR) {
				perror("rexec: select");
				exit(1);
			}
			goto rewrite;
		}
		if ((rembits & (1<<rem)) == 0)
			goto rewrite;
		wc = write(rem, bp, cc);
		if (wc < 0) {
			if (errno == EWOULDBLOCK)
				goto rewrite;
			goto done;
		}
		cc -= wc; bp += wc;
		if (cc == 0)
			goto reread;
		goto rewrite;
	done:
		(void) shutdown(rem, 1);
		exit(0);
	}
	sigsetmask(omask);
	readfrom = (1<<rfd2) | (1<<rem);
	do {
		ready = readfrom;
		if (select(sizeof(int)*8, &ready, 0, 0, 0) < 0) {
			if (errno != EINTR) {
				perror("rexec: select");
				exit(1);
			}
			continue;
		}
		if (ready & (1<<rfd2)) {
			errno = 0;
			cc = read(rfd2, buf, sizeof buf);
			if (cc <= 0) {
				if (errno != EWOULDBLOCK)
					readfrom &= ~(1<<rfd2);
			} else
				(void) write(2, buf, cc);
		}
		if (ready & (1<<rem)) {
			errno = 0;
			cc = read(rem, buf, sizeof buf);
			if (cc <= 0) {
				if (errno != EWOULDBLOCK)
					readfrom &= ~(1<<rem);
			} else
				(void) write(1, buf, cc);
		}
        } while (readfrom);
        (void) kill(pid, SIGKILL);
	exit(0);
usage:
	fprintf(stderr,
	    "usage: rexec [ -l login ] [ -n ] host command\n");
	exit(1);
	/* NOTREACHED */
}

sendsig(signo)
	char signo;
{

	(void) write(rfd2, &signo, 1);
}