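/*
 * a demonstration of a format string attack
 * goal: change the value of test_val
 *
 * The program prints its first argument twice: once as data ("Right") and
 * once as the printf format itself ("Wrong"). The second call is the
 * deliberate flaw this demonstration exists to show; everything else in
 * the file is meant to be well-defined C.
 *
 * Defender's note: gcc and clang report the flawed call when built with
 * -Wformat -Wformat-security, and -Werror=format-security turns that
 * report into a build failure in a real project.
 */
#include <stdio.h>
#include <stdlib.h>	/* NOTE(review): the three header names were lost when the
			 * page was extracted; stdio.h and string.h are required
			 * by the calls below, stdlib.h is assumed for the third */
#include <string.h>

/*
 * macros
 */
#define BUF_SIZE 1024	/* size of an array */

/*
 * it all starts here ..
 *
 * argc, argv: the usual; exactly one argument (the string to print) is
 *             required.
 * returns:    0 on success, 1 if the argument count is wrong.
 */
int main(int argc, char *argv[])
{
	char buf[BUF_SIZE];			/* a buffer to mess with */
	/*
	 * static storage duration, so the object keeps one address for the
	 * whole run. On a little-endian machine the bytes in memory are
	 * 41 41 41 00, i.e. "AAA" (note NUL byte at end).
	 */
	static int test_val = 0x00414141;

	/* check for the right number of arguments */
	if (argc != 2) {
		fprintf(stderr, "%s: need a format string as argument\n", argv[0]);
		return 1;
	}

	/*
	 * now copy the first argument into the buffer
	 * make sure there is no overflow!
	 *
	 * strncpy(buf, argv[1], BUF_SIZE) leaves buf without a terminating
	 * NUL when the argument is BUF_SIZE bytes or longer, and both printf
	 * calls below would then read past the end of buf. snprintf always
	 * terminates; an over-long argument is truncated to BUF_SIZE - 1 bytes.
	 */
	snprintf(buf, sizeof buf, "%s", argv[1]);

	/* we now print the argument safely */
	printf("Right: ");
	printf("%s", buf);		/* note it is *not* the format! */
	printf("\n\n");

	/*
	 * now live dangerously
	 *
	 * Deliberately vulnerable: buf holds caller-supplied text and is used
	 * as the format string, so printf interprets any conversion
	 * specifications in it against arguments that were never passed.
	 * That is undefined behavior and is what puts test_val within reach.
	 * The fix is the "Right" form above, or fputs(buf, stdout).
	 */
	printf("Wrong: ");
	printf(buf);			/* note it *is* the format! */
	printf("\n\n");

	/*
	 * now print the address and value of test_val
	 * %p requires a void * argument and %x an unsigned int, hence the casts
	 */
	printf("*****test_val: location %p, value %d (0x%08x)\n",
	       (void *)&test_val, test_val, (unsigned int)test_val);

	/* bye! */
	return 0;
}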