/*
 * file: experiment3.c
 * author: Ted Baker
 * version: $Version$
 * last modified by: $Author: cop4610 $ on: $Date: 2002/08/21 19:27:43 $
 * purpose: demonstrate linux/x86 stack modification to exec /bin/sh
 *
 * Course demonstration of a stack-smashing defect: sub() deliberately
 * stores past the end of a 10-byte local array. Every out-of-bounds
 * store below is undefined behaviour in ISO C; whether it has the
 * intended effect depends entirely on one compiler's frame layout on
 * 32-bit x86 (the page dates from 2002). The hard-coded offsets are
 * not portable and are not derivable from this file alone.
 *
 * Defender's note: this is exactly the pattern that stack-protector
 * canaries (overwrite detected before the function returns),
 * non-executable stacks (copied bytes cannot be executed) and
 * ASLR / changed frame layouts (fixed offsets miss) are designed to
 * defeat, so the demo is expected to fail on a current toolchain.
 */

/*
 * NOTE(review): the four system header names were lost when this page
 * was extracted (only the bare "#include" directives survived). The
 * calls visible below need <stdio.h> (fprintf), <stdlib.h> (exit) and
 * <string.h> (strncpy); the fourth header cannot be recovered from this
 * page. As written the file does not preprocess.
 */
#include
#include
#include
#include
/* Supplies `execwrapper` and `EXECWRAPPER_SIZE`; not shown on this page.
 * Presumably execwrapper is the machine code that is copied onto the
 * stack and EXECWRAPPER_SIZE its length in bytes -- verify in the .i file. */
#include "execwrapper.i"

/* Byte offset above buf[0] at which the contents of execwrapper are
 * written. Far beyond sizeof buf (10), so the store is out of bounds. */
#define SAFETY_MARGIN 60
/* Byte offset above buf[0] where the saved return address is assumed to
 * live in sub()'s frame. This is a guess about a specific compiler's
 * layout -- it is not checked anywhere in this file (TODO confirm). */
#define RETURN_ADDRESS_OFFSET 28

/* Set to argv[1] in main(). Never read in this file; presumably consumed
 * by the code in execwrapper.i -- verify there. */
char const * arg;

/*
 * Corrupt the current stack frame on purpose.
 *
 * Two out-of-bounds writes through the 10-byte array buf:
 *  1. copy EXECWRAPPER_SIZE bytes of execwrapper to buf + 60;
 *  2. store the address buf + 60 at buf + 28, where the saved return
 *     address is assumed to be.
 * Both writes are undefined behaviour. No parameters, no return value;
 * if the assumption in step 2 holds, control never returns normally to
 * main() after this function's epilogue.
 */
void sub () {
  char buf[10];
  int i;   /* declared but never referenced here; whether it is meant to
              pad the frame layout cannot be told from this file */
  /* copy execwrapper code onto stack via overflow of buf */
  /* Out-of-bounds store: destination starts 50 bytes past the end of buf.
     The (char *) cast treats whatever execwrapper is as a byte array. */
  strncpy (buf + SAFETY_MARGIN, (char *) execwrapper, EXECWRAPPER_SIZE);
  /* overwrite return address with entrypoint of execwrapper */
  /* Out-of-bounds store at buf + 28. The (int) cast narrows the pointer
     to int: fine only where pointers are 4 bytes (32-bit x86); on LP64
     targets the upper half of the address is discarded. */
  *((int *) &buf[RETURN_ADDRESS_OFFSET]) = (int) (buf + SAFETY_MARGIN);
}

/*
 * Entry point.
 *
 * Requires exactly one command-line argument, which is published through
 * the global `arg` before sub() is called. On a usage error prints a
 * message to stderr and calls exit(-1); POSIX keeps only the low 8 bits,
 * so the observed exit status is 255. Returns 0 only if sub() returns
 * normally, i.e. if the frame corruption did not divert control.
 */
int main (int argc, const char **argv) {
  if (argc != 2) {
    fprintf (stderr, "this program expects a single command-line argument\n");
    exit (-1);
  }
  arg = argv[1];
  sub ();
  return 0;
}