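/*
 * Stack-smashing harness.
 *
 * exploit() overflows its own stack buffer with strcpy() so that its saved
 * return address is replaced by the address of payload(). The process exit
 * status is the verdict:
 *
 *   0    payload() ran: the overwritten return address was followed, i.e.
 *        no effective stack-smashing mitigation was in place (UNSAFE)
 *   255  exploit() returned normally: the overwrite did not take effect
 *   1    the harness could not stage the attack (frame layout not understood
 *        or too large for the staging buffer) - not a verdict either way
 *
 * Abnormal termination (e.g. SIGABRT from a stack-protector canary check, or
 * a control-flow-integrity / shadow-stack fault) also means the attack was
 * stopped before the redirected return executed.
 *
 * The unbounded strcpy() is the point of this file - do not "fix" it.
 * Build without optimization: the frame probe below assumes the arrays really
 * live on the stack at call time. The probe uses __builtin_return_address(),
 * so a GCC-compatible compiler is required.
 */
#include <stdio.h>    /* printf, fprintf, fflush */
#include <string.h>   /* memset, memcmp, memcpy, strcpy */
#include <unistd.h>   /* _exit */

enum {
    STAGE_SIZE  = 512,  /* staging buffer in main(); every write there is bounded by it */
    TARGET_SIZE = 400   /* size of the buffer exploit() deliberately overflows */
};

int payload(void);
int exploit(char *d);

/*
 * Entry point. First calls exploit(NULL) to measure, at run time, how many
 * bytes separate exploit()'s local buffer from its saved return address, then
 * builds an attack string of that many non-zero filler bytes followed by the
 * address of payload() and hands it to exploit().
 */
int main(void)
{
    char stage[STAGE_SIZE] = {0};
    int (*target)(void) = payload;
    int distance = exploit(NULL);

    /* The attack string is `distance` filler bytes + the pointer + a NUL.
     * Refuse to stage it rather than overflow our own buffer, which would
     * just be a second, unintended smash with an undefined outcome. */
    if (distance < 0 || (size_t)distance + sizeof target + 1 > sizeof stage) {
        fprintf(stderr, "harness: cannot stage attack (distance=%d)\n", distance);
        return 1;
    }

    /* Filler is 0xFF: strcpy() stops at the first 0 byte, so the filler must
     * contain none. It also lands on everything between exploit()'s buffer
     * and its return address - e.g. a stack-protector canary, whose check
     * would then abort the process before the return (the mitigation case). */
    memset(stage, 0xFF, (size_t)distance);

    /* Only the bytes of the address up to its first 0 byte are copied by
     * strcpy(). On a little-endian target those are the low-order bytes, and
     * the saved return address presumably already has the same zero high
     * bytes, so the copy completes the overwrite; on a big-endian target the
     * leading zero byte would terminate the copy immediately. */
    memcpy(stage + distance, &target, sizeof target);
    stage[distance + sizeof target] = '\0';

    exploit(stage);

    /* Reached only if the redirected return was not followed. */
    return 255;
}

/*
 * exploit()
 *
 * d == NULL: probe mode. Scan upward from the local buffer for the function's
 *            own saved return address and return its byte offset from the
 *            buffer, or -1 if it is not found within STAGE_SIZE bytes (beyond
 *            that main() could not stage the attack anyway).
 * d != NULL: attack mode. Copy d into the local buffer with strcpy() - the
 *            deliberate overflow under test - and return normally, which is
 *            where control diverts to payload() if the overwrite took.
 */
int exploit(char *d)
{
    char a[TARGET_SIZE] = {0};

    if (d == NULL) {
        void *myret = __builtin_return_address(0);
        const unsigned char *base = (const unsigned char *)a;

        for (int off = 0; off + (int)sizeof myret <= STAGE_SIZE; off++) {
            const unsigned char *window = base + off;

            /* myret itself is a stack slot holding the value we search for;
             * matching it would report a wrong offset, so skip that slot. */
            if (window == (const unsigned char *)&myret)
                continue;
            /* Byte-wise compare: the window is generally not pointer-aligned. */
            if (memcmp(window, &myret, sizeof myret) == 0)
                return off;
        }
        return -1;
    }

    /* THE VULNERABILITY UNDER TEST: unbounded copy of a caller-supplied string
     * into a fixed-size stack buffer. d is longer than a[], so the copy runs
     * over whatever follows a[] up to and including the saved return address. */
    strcpy(a, d);

    /* Returning is the moment the overwritten return address takes effect. */
    return 1;
}

/*
 * payload()
 *
 * Never called directly; only reached through the corrupted return address.
 * Prints a marker and terminates with status 0, which the harness reads as
 * "exploit succeeded / unsafe".
 */
int payload(void)
{
    printf("Payload executed successfully!\n");
    /* _exit() does not flush stdio; without this the marker is lost whenever
     * stdout is a pipe or file (full buffering) instead of a terminal. */
    fflush(stdout);
    /* _exit() rather than exit(): we arrived here on a corrupted stack and
     * should neither return into it nor run atexit handlers. */
    _exit(0);
}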