Study the following exploit code taken from a Linux machine and answer the questions below:
echo "ingreslock stream tcp nowait root /bin/sh sh -i" > /tmp/x;
/usr/sbin/inetd -s /tmp/x;
sleep 10;
/bin/rm -f /tmp/x AAAA…AAA
In the above exploit code, the command "/bin/sh sh -i" is given.
What is the purpose, and why is 'sh' shown twice?
A. The command /bin/sh sh -i appearing in the exploit code is actually part of an inetd configuration file.
B. The length of such a buffer overflow exploit makes it prohibitive for a user to enter manually. The second 'sh' automates this function.
C. It checks for the presence of a codeword (setting the environment variable) among the environment variables.
D. It is a giveaway by the attacker that he is a script kiddy.
Explanation:
What's going on in the above question is that the attacker is trying to write to the Unix file /tmp/x (his inetd.conf replacement config); he is attempting to add a service called ingreslock (which doesn't exist), which is "apparently" supposed to spawn a shell on the port specified by /etc/services for the service "ingreslock". ingreslock is a non-existent service, and if an attempt were made to respawn inetd, the service would error out on that line (he would have to add the service to /etc/services to suppress the error). Now the question is asking about /bin/sh sh -i, which produces an error that should read "sh: /bin/sh: cannot execute binary file"; the -i option places the shell in interactive mode and cannot be used to respawn itself.
A
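To make the inetd.conf field layout concrete, here is an added example (not from the exam question or from any of the posters) that parses inetd.conf-style lines the way inetd(8) lays them out, showing that the second 'sh' is argv[0] of the program being exec'd, and flags any entry that would serve a root shell to whoever connects. SAMPLE_CONF, InetdEntry and the helper function names are my own constructions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample config: one ordinary entry plus the line from the exam question.
SAMPLE_CONF = """\
# comment and blank lines are ignored by inetd
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd  in.ftpd -l
ingreslock stream tcp nowait root /bin/sh sh -i
"""
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/csh", "/bin/zsh"}

@dataclass
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    program: str   # path that inetd execs
    argv: List[str] = field(default_factory=list)   # argv[0] onward, as the program sees them

def parse_inetd_line(line: str) -> Optional[InetdEntry]:
    """Split one inetd.conf line into its positional fields.
    inetd(8) layout: service socket-type protocol wait/nowait user program [args...]
    Everything after the program path is the argument vector, starting with argv[0],
    so "/bin/sh sh -i" names sh twice: the path to exec, then argv[0]="sh", then "-i".
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 6:
        raise ValueError(f"malformed inetd line: {line!r}")
    return InetdEntry(service=fields[0], socket_type=fields[1], protocol=fields[2],
                      wait=fields[3], user=fields[4], program=fields[5], argv=fields[6:])

def parse_inetd_conf(text: str) -> List[InetdEntry]:
    return [e for e in (parse_inetd_line(ln) for ln in text.splitlines()) if e]

def is_root_shell_listener(entry: InetdEntry) -> bool:
    """True when the entry would exec a shell as root for every incoming connection."""
    return entry.user == "root" and entry.program in SHELLS

def find_root_shell_listeners(text: str) -> List[str]:
    """Service names of entries that hand a root shell to whoever connects."""
    return [e.service for e in parse_inetd_conf(text) if is_root_shell_listener(e)]
```

Running find_root_shell_listeners over a live /etc/inetd.conf (or a dropped file such as /tmp/x) is a quick audit check for the kind of entry the question describes.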
Could anyone please give a simpler and clearer explanation?
My goodness, an avid Linux user please?