Re: rlogin revealed
Article: 8433 of alt.hackers
From: cjsonnack@mmm.com (Chris Sonnack)
Newsgroups: alt.hackers
Subject: Re: rlogin revealed
Date: 10 Aug 1995 10:43:28 -0500
Organization: 3M/IT/EIS (St.Paul,MN 55144)
Lines: 75
Approved: byme@isthataproblem.com
Message-ID: 40d9f0$ia9@dawn.mmm.com
Reply-To: cjsonnack@mmm.com (Chris Sonnack)
X-Newsreader: TIN [version 1.2 PL2]
Status: RO

Peter Seebach (seebs@solutions.solon.com) wrote:
>> main()
>> {
>>     execl("/bin/rlogin jamminbox.site.dom", "vi thesis.tex", (char *) NULL);
>> }
>
> int
> main(int argc, char *argv[])
> {
>     /* ... */
> }
>
> Known bugs:
> [...] commands which only show argv[0] will show 'vi thesis' [...]

You could just show "vi", since you can just invoke vi and use ":e" to
grab (or create) the file you're editing.

Your version looks much like mine (we have a nosy manager-wannabe
co-employee who likes to do a ps and see what we're doing...the dork
also scans .sh_history in our $HOME directories, if you can believe
that crap!):

This ObHack is good for spoofing the name of a local program, but
doesn't work for remsh and rlogin since these programs actually pay
attention to argv[0].

(NOTE: I'm guessing here, but...)

As most (?) of you probably know, you can set up soft links to remsh
(and I assume rlogin) such that the link name is the name of a host:

    ln -s /usr/bin/remsh remote_host_name

Now, you can type "remote_host_name" instead of "remsh remote_host_name".

How (I think) remsh does this is look at its argv[0] arg. If it's NOT
"remsh", it assumes it's a host name and proceeds from there. What UNIX
does with a link like above is set argv[0] to the link name, so what
remsh sees in such a situation is argv[0]="remote_host_name".

If you make a quick hack that dumps its args, point a soft link to it
and execute it via the link, you'll see what I mean. Or if you use
Peter's or my program to invoke remsh/rlogin, you'll get an error that
"name_of_spoofing_program" host not found.

#include <ObHack>   /* the newsgroup's ObHack tag, not a real header */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
    if (argc > 1) {
        /* argc slots: the new argv[0], argv[2..argc-1], and the NULL */
        char** new_argv = (char**) malloc (sizeof(char*)*argc);
        int i;

        new_argv[0] = "vuedit";     /* the name the program is started under */
        for (i=2; i<argc; i++)
            new_argv[i-1] = argv[i];
        new_argv[argc-1] = NULL;

        execvp (argv[1], new_argv); /* returns only if the exec fails */
    }
    exit(0);
    return 0;
}
/*** usage: noshow program_name ***/

-- 
Chris Sonnack      | 3M/Information Technology/Engineering Info Svcs
cjsonnack@mmm.com  | 3M Center, Bld 42-6E-01, St.Paul, MN, 55144-1000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TODAY'S RULE: No Smoffing or Fnargling!
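
The "quick hack that dumps its args" mentioned in the post, as an added example that is not part of the original article and not remsh's real source. It also models the dispatch rule the poster guesses at, which shows why a program started with a rewritten argv[0] reports that name as an unknown host. The function names invoked_name and target_host are hypothetical.

```c
/* Added example: argv[0] is only a label supplied by the caller or by
 * the link name, so any tool that dispatches on it trusts that label. */
#include <stdio.h>
#include <string.h>

/* Last path component of argv[0]; the input string is not modified. */
const char *invoked_name(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Dispatch rule as guessed in the post (an assumption, not remsh source):
 * run under its own name, the tool takes the host from argv[1];
 * run under any other name, it takes that name as the host.
 * Returns NULL when no host can be determined, including the case of an
 * empty argument vector, which exec permits. */
const char *target_host(int argc, char *const argv[], const char *own_name)
{
    const char *name;

    if (argc < 1 || argv[0] == NULL)
        return NULL;
    name = invoked_name(argv[0]);
    if (strcmp(name, own_name) != 0)
        return name;                 /* link name or spoofed name */
    return argc > 1 ? argv[1] : NULL;
}

int main(int argc, char *argv[])
{
    int i;
    const char *host;

    /* Dump the arguments exactly as this process received them. */
    for (i = 0; i < argc; i++)
        printf("argv[%d] = \"%s\"\n", i, argv[i]);

    host = target_host(argc, argv, "remsh");
    printf("host under the guessed rule: %s\n", host ? host : "(none)");
    return 0;
}
```

Build it, point a soft link named remote_host_name at the binary, and run it through the link to see argv[0] carry the link name.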