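/*
 * -( nemo1.c )-
 * by nemo 2005
 *
 * v0.2
 *
 * Bit of fun, for #social.
 *
 * Thanks to hawkes for working on this with me
 * to make it exploitable.
 *
 * http://www.pulltheplug.org
 */

/*
 * Review notes
 * ------------
 * This is a deliberately vulnerable wargame level (see the author's header
 * above), so the program logic is left exactly as written. The comments on
 * each function name the unsafe pattern and the fix a production code base
 * would apply. Do not reuse any of these constructs outside a lab.
 *
 * NOTE(review): the header names after the four #include directives were
 * missing from this copy of the file. The list below is reconstructed from
 * the library calls the code makes (printf; malloc/exit/getenv/rand/srand;
 * strlen/memcpy/strncpy/strdup; signal; sleep) -- confirm against the
 * original source.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>

#define NBUFSIZ 1024

/*
 * Global state shared between main-line code and the signal handlers.
 *
 *   buf    - heap string: strdup() of $BUFFER in main(), later replaced by a
 *            fresh malloc() in check_main().
 *   brrr   - heap string: strdup() of $TERM in main(); never read afterwards.
 *   mfptrr - function pointer, set to exit() in main() and called by both
 *            signal handlers.
 *   buf2   - fixed NBUFSIZ-byte destination of the memcpy() in int_handler().
 *
 * The declaration order is kept as in the original because main() tests the
 * relative addresses of buf2 and mfptrr before doing anything else.
 *
 * Review: a writable function pointer that lives next to a writable
 * fixed-size buffer means that any out-of-bounds write to that buffer puts
 * control flow at risk. Hardened code bounds every copy into the buffer and
 * avoids mutable global function pointers (or keeps them in read-only
 * storage after initialisation).
 */
char *buf,*brrr;
void (*mfptrr)();
char buf2[NBUFSIZ];

/*
 * Print one environment string.
 *
 * arg: NUL-terminated "NAME=value" entry taken from the env array in main().
 *
 * The copy is bounded: at most NBUFSIZ bytes go into an NBUFSIZ+1 array and
 * the last byte is set to 0 explicitly, so longer entries are truncated.
 */
void func1(char *arg)
{
	char envar[NBUFSIZ+1];

	strncpy(envar,arg,NBUFSIZ);
	envar[NBUFSIZ] = 0;	/* strncpy() does not terminate on truncation */
	printf("[*] Environment variable: %s\n",envar);
	return;
}

/*
 * SIGINT handler, installed by check_main().
 *
 * Exits if buf is NBUFSIZ-1 bytes or longer, otherwise copies
 * strlen(buf)-1 bytes of buf into buf2, prints buf2 and calls mfptrr(0).
 *
 * Review (left unfixed on purpose, see the notes at the top of the file):
 *  - buf is NULL here if $BUFFER was unset and the signal arrives before
 *    check_main() has assigned the malloc() result; strlen(NULL) is
 *    undefined behaviour.
 *  - strlen(buf)-1 is an unsigned size_t expression; for an empty string it
 *    wraps to SIZE_MAX, and the length check above it does not reject that
 *    case. Reject a zero length before subtracting.
 *  - The length is read twice (once for the check, once for the copy) from
 *    memory that main-line code rewrites after the handler is installed, so
 *    the two reads are not guaranteed to agree. Take a single snapshot, or
 *    block the signal while buf is being replaced.
 *  - memcpy() writes no terminator; buf2 is only terminated by its static
 *    zero-initialisation, and bytes from an earlier, longer copy stay behind.
 *  - printf() and exit() are not async-signal-safe (CERT SIG30-C). A robust
 *    handler only sets a volatile sig_atomic_t flag and returns.
 */
void int_handler()
{
	if(strlen(buf) >= NBUFSIZ -1) {
		exit(1);
	}
	memcpy(buf2,buf,strlen(buf)-1);
	printf("[+] Local buffer: %s.\n",buf2);
	mfptrr(0);
}

/*
 * SIGCONT handler, installed by check_main(): prints a marker and calls
 * mfptrr(0).
 *
 * Review: same async-signal-safety concern as int_handler(), and the call
 * goes through the same mutable global function pointer.
 */
void cont_handler()
{
	printf("[+] :D\n");
	mfptrr(0);
}

/*
 * Gate for the signal-handling path.
 *
 * av: the program's argument vector; av[1] is copied into buf when the gate
 *     opens.
 *
 * Computes key from rand() (seeded with a constant in main()) plus the first
 * two characters of $HOME and compares it with 0xdeadbeef. On a match it
 * installs the SIGINT/SIGCONT handlers, sleeps one second if $TIMER is set,
 * then replaces buf with a new NBUFSIZ+1 allocation holding a truncated,
 * terminated copy of av[1].
 *
 * Review (left unfixed on purpose):
 *  - key is never initialised when $HOME is unset or shorter than two
 *    characters, so the comparison reads an indeterminate value (undefined
 *    behaviour). Initialise it at the declaration.
 *  - The handlers are installed before buf has been allocated and filled,
 *    and the optional sleep() lengthens that window. Prepare all shared
 *    state first and install handlers last.
 *  - The malloc() result is not checked, and av[1] is NULL when the program
 *    is started without an argument (main() never checks ac).
 *  - The string previously held in buf (from strdup() in main()) is leaked.
 */
void check_main(char **av)
{
	long key;
	char *home;

	if((home = getenv("HOME"))) {
		if(home[1])
			key = rand() + (int)home[0] + (int)home[1];
	}
	if(key == 0xdeadbeef) {
		signal(SIGINT, int_handler);
		signal(SIGCONT, cont_handler);
		if(getenv("TIMER"))
			sleep(1); // weak :P
		buf = malloc(NBUFSIZ + 1);
		strncpy(buf,av[1],NBUFSIZ);
		buf[NBUFSIZ] = 0;
	}
	return;
}

/*
 * Entry point.
 *
 * Points mfptrr at exit(), seeds rand() with a fixed value, and exits with a
 * message if buf2 is placed at a higher address than mfptrr. It then
 * duplicates $BUFFER and $TERM into buf and brrr, prints the environment via
 * func1(), and calls check_main(). Always returns 1.
 *
 * Review:
 *  - The loop pre-increments tmp, so env[0] is never printed, and an empty
 *    environment (env[0] == NULL) makes it read past the terminator.
 *  - strdup() results are not checked for NULL.
 *  - ac and loc_brrr are unused.
 */
int main(int ac, char **av, char **env)
{
	char **tmp = env,*loc_brrr;

	mfptrr = exit;
	srand(0xcafebabe);

	/* Layout check from the original author: bail out unless buf2 sits
	 * below mfptrr in memory. */
	if((long)&buf2 > (long)&mfptrr) {
		printf("[!] Sorry, it's unlikely you can exploit this with your version of gcc.\n");
		printf("[!] feel free to remove this check, and let me know if you get it working.\n");
		exit(1);
	}

	if(getenv("BUFFER"))
		buf = strdup(getenv("BUFFER"));
	if(getenv("TERM"))
		brrr = strdup(getenv("TERM"));

	while(*(++tmp))
		func1(*tmp);

	check_main(av);
	return 1;
}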