summaryrefslogtreecommitdiff
path: root/usr.bin/nc/data/rservice.c
blob: d6794df9411ba526db4330b4b2ec43a286753ab8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
/*	$OpenBSD: rservice.c,v 1.2 2001/01/29 01:58:12 niklas Exp $	*/

/* generate ^@string1^@string2^@cmd^@ input to netcat, for scripting up
   rsh/rexec attacks.  Needs to be a prog because shells strip out nulls.

   args:
	locuser remuser [cmd]
	remuser passwd [cmd]

   cmd defaults to "pwd".

   ... whatever.  _H*/

#include <stdio.h>

/* change if you like; "id" is a good one for figuring out if you won too */
static char cmd[] = "pwd";

static char buf [256];

main(argc, argv)
  int argc;
  char * argv[];
{
  register int x;
  register int y;
  char * p;
  char * q;

  p = buf;
  memset (buf, 0, 256);

  p++;				/* first null */
  y = 1;

  if (! argv[1])
    goto wrong;
  x = strlen (argv[1]);
  memcpy (p, argv[1], x);	/* first arg plus another null */
  x++;
  p += x;
  y += x;

  if (! argv[2])
    goto wrong;
  x = strlen (argv[2]);
  memcpy (p, argv[2], x);	/* second arg plus null */
  x++;
  p += x;
  y += x;

  q = cmd;
  if (argv[3])
    q = argv[3];
  x = strlen (q);		/* not checked -- bfd */
  memcpy (p, q, x);		/* the command, plus final null */
  x++;
  p += x;
  y += x;

  memcpy (p, "\n", 1);		/* and a newline, so it goes */
  y++;

  write (1, buf, y);		/* zot! */
  exit (0);

wrong:
  fprintf (stderr, "wrong!  needs 2 or more args.\n");
  exit (1);
}