Need to hack my own machine! Help!

Alexandre Jousset@NL
August 12, 2003 11:08
	I have a problem... I'm using RH7.1 and for some reason I don't know, 
after upgrading some packages (including sshd) and restarting sshd, it 
does not work anymore... The problem is that I'm not at home and I 
don't have access to the console...

	So I investigated what could be done to get root access to my box (of 
course this is *really* my box, I have the root password) and I found 
that one of my Mason scripts has a hole in it because Mason does not run 
in tainted perl mode. So I have access to an ftp user on my box 
(anonymous is disabled) so I can upload a script in /tmp, I can run it 
with a tweaked URL on my web server and of course it runs under the 
apache user... I use it to launch a server on a high port number and I 
want to be able to launch commands like 'su' to enter my password, have 
root access and correct the problem.

	Here (below) is the script I use but I cannot get it to work 
well. I surely have something wrong but I don't know what. I use a 
specified pty that I know is not in use to avoid the pty search, and you can 
also note that I do not have the IO::Pty module installed. Installing it 
as user apache did not succeed (I used the CPAN module to try). The 
problem is that I progress very slowly because each time I have to enter 
a tweaked URL, redirect it to a file in /tmp and download it by ftp to 
see the result.

	The problem with the script is that I can enter commands, execute them, 
but I don't see the result. The result is sent to normal STDOUT so it is 
redirected to /tmp by the tweaked URL. Also, when I send 'su' (blindly) 
and enter the password, it says (again, in /tmp/x) that the password is 
wrong. In the file in /tmp I see 'Password:' (output of su), the correct 
password I entered followed by a ^M, 2 blank lines and 'su: incorrect 
password' (again output of su)...

	Can you help me please?

	Here is the script I use (I made it from several scripts discovered on 
the net, none of which is what I need):

#!/usr/bin/perl -w
use IO::Socket;
use Net::hostent;		# for OO version of gethostbyaddr
use POSIX;

$PORT = 9009;

$server = IO::Socket::INET->new( Proto     => 'tcp',
                                  LocalPort => $PORT,
                                  Listen    => SOMAXCONN,
                                  Reuse     => 1);

die "can't setup server" unless $server;
print "[Server $0 accepting clients]\n";

open(${master}, "/dev/ptycd") or die "can't open /dev/ptycd: $!";
fcntl(${master}, F_SETFL(), O_NONBLOCK());
open(SLAVE, "/dev/ttycd") or die "can't open /dev/ttycd: $!";

while ($client = $server->accept()) {
     print $client "Welcome to $0; type help for command list.\n";
     $hostinfo = gethostbyaddr($client->peeraddr);
     printf "[Connect from %s]\n", $hostinfo->name || $client->peerhost;
     print $client "Command? ";
     while (<$client>) {
         next unless /\S/;	     # blank line
         if    (/quit|exit/i)    { last; }
         elsif (/bye/i)          { exit(0);  }
         else {
	    my $pid = fork;
	    die "can't fork: $!" unless defined $pid;
	    if ($pid == 0) {
		open(STDIN, '<&'.fileno(SLAVE));
		open(STDOUT, '>&'.fileno(SLAVE));
		open(STERR, '>&'.fileno(SLAVE));
	    } else {
		local ($|) = (1);
		open(STDIN, '<&'.fileno(${master}));
		open(STDOUT, '>&'.fileno(${master}));
		open(STERR, '>&'.fileno(${master}));
		while(1) {
		    print $client ":";
		    $_ = <$client>;
		    last if /exit/;
		    print $client "Sending [$_]";
		    print $_;
		    my $buf;
		    while (my $rd = sysread(STDIN, $buf, 1024)) {
			print ${client} $buf;
     } continue {
         print $client "Command? ";
     close $client;

	I hope you can help me because I will go back home (to Paris) only when 
I have a job interview. For the moment I am at my sister's in 
Almere, near Amsterdam. I have been searching for an entire day without success 
and I hope you will be able to help me.

	Bye and thank you in advance!

Alexandre Jousset.
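
Seen from the defender's side, the situation in this post (a process running as the apache user and listening on a high port) shows up in /proc/net/tcp, which records the owning uid of every socket. The following is an added example, not part of the original post: it parses that table and flags listening sockets owned by a service account. The uid 48 for apache, the function names and the sample rows are constructed assumptions.

```python
"""Flag listening TCP sockets owned by the web-server account (added example)."""

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout; uid 48 for "apache" is an assumption.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 c0de0000 300 0 0 2 -1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1350 1 c0de0400 300 0 0 2 -1
   2: 00000000:2331 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 9911 1 c0de0800 300 0 0 2 -1
   3: 0100007F:0050 0100007F:8124 01 00000000:00000000 00:00000000 00000000    48        0 9920 1 c0de0c00 300 0 0 2 -1
   4: garbage line
"""


def parse_listeners(text):
    """Yield (port, uid, inode) for every socket in LISTEN state."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or ":" not in fields[1]:
            continue                            # tolerate truncated or malformed rows
        if fields[3] != LISTEN:
            continue                            # established connections are not listeners
        try:
            port = int(fields[1].rsplit(":", 1)[1], 16)   # port is hex after the colon
            uid, inode = int(fields[7]), int(fields[9])
        except ValueError:
            continue
        yield port, uid, inode


def unexpected_listeners(text, service_uids, allowed_ports=frozenset()):
    """Return listeners owned by service accounts on ports they should not hold."""
    return [(port, uid, inode) for port, uid, inode in parse_listeners(text)
            if uid in service_uids and port not in allowed_ports]


if __name__ == "__main__":
    # On a live host, read the table with open("/proc/net/tcp").read() instead.
    for port, uid, inode in unexpected_listeners(SAMPLE, {48}):
        print(f"ALERT: uid {uid} is listening on port {port} (socket inode {inode})")
```

On Red Hat style systems the web server's own listening sockets are opened by the root parent process, so any LISTEN row owned by the unprivileged apache uid is worth investigating.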

