Shell Programming:
an Exploit Explained, continued...
Now save it as s.sh. The "sh" at the end of the name tells you it is a shell script. After saving it, be sure to make it executable by giving the command "chmod 700 s.sh". That means only you (or someone in your shell account) can run this program. If you want anyone to be able to run it, give the command "chmod 777".
What does this cute little shell script do? It writes C programming language commands into two files, "leshka.c" and "smtpd.c", puts them in the right directories on your computer, compiles them, makes them executable, runs them, then erases them, then prompts the user to enter his or her brand new Unix shell, "/tmp/sh", inside of which the user will discover he or she is root (the superuser with control over the entire victim computer).
Let's take this program apart so we understand how it does its thing.
1) It writes two C programs. For example, the file leshka.c is written with the shell commands:
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
2) Next the script compiles both C programs:
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
Note that you must know the command to run the C compiler on that computer. If the C compiler command is "gcc", then substitute "gcc" for "cc" in this line of the shell script.
You also must know the path to sendmail. Check it with the command "whereis sendmail". If it has a different path than "/usr/sbin/sendmail", you must substitute the correct path.
3) Next this shell script runs shell commands to run the exploit:
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
4) It takes an instant to erase the evidence:
rm leshka.c leshka smtpd.c /tmp/smtpd
5) Then it sends a message to the screen:
echo "Now type: /tmp/sh"
That reminds you to give the command /tmp/sh to get into your own private root shell. You have to do this quickly because this exploit only lets you get into a root shell for a short time.
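The permission modes in this walkthrough cut both ways: "chmod 700" keeps a script private, "chmod 777" lets anyone read, write and run it, and what the exploit is after is a "/tmp/sh" that runs as root, which on a Unix system means a set-user-ID file. The shell script below is an added example and is not part of the GTMHH text or of the exploit it describes. It audits a directory for exactly those two kinds of leftover, set-uid executables and world-writable files, using a constructed fixture directory (the file names "sh", "s.sh" and "ok" and the function names are assumptions) so it can be run without touching a real /tmp.

```shell
#!/bin/sh
# Added example, not part of the GTMHH text: a small audit that looks for
# what the walkthrough above produces or hands out.
#   * set-user-ID executables, such as a "/tmp/sh" that runs as root;
#   * world-writable files, which is what "chmod 777" gives everyone.
# Assumes POSIX find(1), mktemp(1) and a writable scratch directory.

# Print set-uid regular files under the directory $1, one per line.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Print world-writable regular files under the directory $1, one per line.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Report both kinds of finding under $1. Exit status 0 when something
# was found (the directory needs attention), 1 when it is clean.
audit_dir() {
    dir=$1
    status=1
    for f in $(find_setuid "$dir"); do
        echo "SETUID:          $f"
        status=0
    done
    for f in $(find_world_writable "$dir"); do
        echo "WORLD-WRITABLE:  $f"
        status=0
    done
    return $status
}

# Build a constructed fixture directory (assumed names) that mimics the
# leftovers: a set-uid "sh", an "s.sh" left at mode 777, and a properly
# locked-down "ok" at mode 700. Prints the directory path for the caller.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/sh";   chmod 4700 "$d/sh"
    : > "$d/s.sh"; chmod 777  "$d/s.sh"
    : > "$d/ok";   chmod 700  "$d/ok"
    echo "$d"
}

# Usage: sh audit.sh demo      -> audit the constructed fixture, then remove it
#        sh audit.sh /some/dir -> audit a real directory
if [ "${1:-}" = "demo" ]; then
    fx=$(make_fixture)
    audit_dir "$fx"
    rm -rf "$fx"
elif [ -n "${1:-}" ]; then
    audit_dir "$1"
fi
```

Pointed at /tmp (or at the whole filesystem with -xdev added to the find calls) the same two predicates are a quick way for an administrator to notice a stray set-uid shell or a script that has been left writable by everyone; mounting /tmp with the nosuid option is the usual way to make sure a set-uid file placed there gains nothing even if it is missed.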
==========================================================
You can get punched in the nose warning: When you are root it is really easy to mess things up. Even if you have permission to be root, be careful! If a friend gave you permission to break into his computer, just think how he will feel if he has to reinstall his operating system because you hit a wrong key or two!

This is a good reason not to break into a stranger's computer. You may think you are quietly, harmlessly sneaking around, when, boom, you accidentally trash things.
===========================================================
(You can learn much more about how this exploit works on the GTMHH on how to program in C.)