Neil Hopcroft

A digital misfit

I’ve just found a file called ‘cvs_sploit.c’ in my filesystem, dating from Feb last year…

“Any access to the pserver will work; anonymous is enough.
The exploit tries to bind to port 30464 on the target and exec a shell on connection. It will connect there itself and pass control to you if it succeeds. Accidentally, this means that
if that port is firewalled, the exploit will fail.
Here’s what you need to do:
1. Compile the proggie: gcc -o sploit this_file.c
2. Make sure the target is running Linux (use nmap -O); it won’t work unless it’s Linux
3. Run the proggie: ./sploit -r repository -u user [ -p password if not empty ] target_host
4. Look for output, if the exploit doesn’t work:
a. If after readjusting in memory (you will be told when it happens) the figures that you see
(return codes) are 3’s and nothing else, tweak the -j parameter. The default is 7, but
I had to use 0 on a Debian cvs 1.11.1; it worked in the end. You might even try low negative integers.
b. If after readjusting you see not only 3’s but also 0’s, occasionally -2’s and others
(the 0’s are of interest), then chances are the -j is correct; set the -s to 4.
Setting it to 4 means it will bruteforce for longer, but it will try every address.
5. If successful, clean up the mess after yourself: rm -rf /tmp/cvs*
6. Enjoy it even if you don’t break in anywhere :)”

…wonder how that got there…bet it doesn’t still work…

