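#!/usr/local/bin/perl
#
# Andy Welter
# www.the-welters.com
# January 10, 2000
#
# This script acts as a "rexec" client.  The rexec protocol is a
# method for executing commands on a remote system using a
# username and password for authentication.  This differentiates
# rexec from rsh.  Rsh commands use .rhosts and hosts.equiv files
# to set up trust relationships between systems, and allow command
# execution without a separate password challenge.
#
# There are security drawbacks to each approach.  Trust relationships
# can be used to compromise other systems once one system is breached.
# And rexec has no logging for failed login attempts.  This allows it
# to be used as a conduit for dictionary password guessing attacks on
# a system.
#
# Systems exposed to the internet should not run the execd.  Systems on
# controlled networks should use software such as TCP Wrappers in order
# to put logging in place on this service.  inetd listens for rexec requests
# via TCP connections on port 512.
#
# rexec format as documented in the man page for rexec: The input stream
# consists of null separated values.
#   port for standard error\0username\0password\0command and args\0
#
# Note that the username, password and command all cross the network
# unencrypted; the request below is sent exactly as shown above.
#
use strict;
use warnings;
use Socket;

# Send a single rexec request to $host:$port and copy the server's reply
# to STDOUT.
#
# Arguments (positional, all required):
#   $host     remote host name or dotted-quad address
#   $port     TCP port of the rexec service (MAIN defaults it to 512)
#   $user     account name sent to the server
#   $passwd   password sent to the server
#   $command  command line to execute on the remote system
#
# Returns nothing.  Dies if the tcp protocol or the host cannot be
# resolved, the socket cannot be created, or the connection fails.
sub sendcmd {
    my ($host, $port, $user, $passwd, $command) = @_;

    my $proto = getprotobyname('tcp')
        or die "cannot look up tcp protocol number\n";
    # The original ignored a failed gethostbyname and connected to a
    # garbage address; resolve explicitly and stop on failure instead.
    my $addr = inet_aton($host)
        or die "cannot resolve host $host\n";
    my $sin = sockaddr_in($port, $addr);

    socket(my $sock, PF_INET, SOCK_STREAM, $proto)
        or die "cannot create socket: $!\n";
    connect($sock, $sin)
        or die "cannot connect socket to $host:$port: $!\n";

    # Autoflush the socket so the request is written out before we
    # block waiting for the reply.
    my $prev_fh = select($sock);
    $| = 1;
    select($prev_fh);

    #
    # Send command: stderr port (0 = none), user, password, command,
    # each NUL-terminated.
    #
    print {$sock} "0\0$user\0$passwd\0$command\0";

    #
    # Read responses from server and print them out.  The reply is
    # printed verbatim; the original passed each received line to printf
    # as a format string, so any '%' in the remote output would have
    # been interpreted as a conversion.
    #
    while (my $line = <$sock>) {
        print $line;
    }
    close($sock) or warn "close: $!\n";
    return;
}

#
# MAIN
#
# Usage: $0 host user password command [port]
#
# The password is taken from the command line, so it is visible to
# other users of the local system in process listings and may be
# recorded in shell history; the original script worked the same way.
#
my ($host, $user, $passwd, $command, $port) = @ARGV;
die "usage: $0 host user password command [port]\n"
    unless defined $host
        && defined $user
        && defined $passwd
        && defined $command;
# Port 512 is the well-known rexec port; an optional fifth argument
# overrides it.
$port = 512 unless defined $port;

sendcmd($host, $port, $user, $passwd, $command);
exit 0;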