From 8c542d83091f9ba5ccb095fad730651f8e6c1eef Mon Sep 17 00:00:00 2001
From: Epoch Qwert
Date: Thu, 23 Oct 2014 01:20:02 -0500
Subject: fixed gopherd's LFI and added excuting files. httpd had flushing issues. realpath is new! does what it says. gives absolute path of a file. deddos, peerip, peerip.pl, were laying around elsewhere. gethostbyname got a new trick. can do decimal addresses among other things. hop0 is a shell script that gets what IP will be put on the source address of outgoing packets sent to $1. rtfs.
---
 .gitignore | 2 ++
 nocompile/bin/hop0 | 6 +++++
 nocompile/libexec/gopherd.sh | 33 +++++++++++++++++++++++++++
 nocompile/libexec/peerip.pl | 5 +++++
 rebuild.sh | 4 +++-
 src/bin/gethostbyname.c | 10 ++++++++-
 src/bin/realpath.c | 10 +++++++++
 src/libexec/deddos.c | 53 ++++++++++++++++++++++++++++++++++++++++++++
 src/libexec/httpd.c | 13 +++++++----
 src/libexec/peerip.c | 13 +++++++++++
 10 files changed, 143 insertions(+), 6 deletions(-)
 create mode 100644 .gitignore
 create mode 100755 nocompile/bin/hop0
 create mode 100755 nocompile/libexec/gopherd.sh
 create mode 100755 nocompile/libexec/peerip.pl
 create mode 100644 src/bin/realpath.c
 create mode 100644 src/libexec/deddos.c
 create mode 100644 src/libexec/peerip.c

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..867ebf8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+bin
+libexec
diff --git a/nocompile/bin/hop0 b/nocompile/bin/hop0
new file mode 100755
index 0000000..7dc0812
--- /dev/null
+++ b/nocompile/bin/hop0
@@ -0,0 +1,6 @@
+#!/bin/sh
+if [ "_$(uname -s)" != "_Linux" ];then
+ /sbin/route -n get "$1" | grep "local addr" | cut -d: -f2 | tr -d ' '
+else
+ /sbin/ip r g "$1" | cut '-d ' -f8
+fi
diff --git a/nocompile/libexec/gopherd.sh b/nocompile/libexec/gopherd.sh
new file mode 100755
index 0000000..6d12cd6
--- /dev/null
+++ b/nocompile/libexec/gopherd.sh
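Review bot: The Linux branch `/sbin/ip r g "$1" | cut '-d ' -f8` hard-codes a column position that only lines up for one shape of `ip route get` output (a route with a `via` gateway, counting the double space iproute2 prints before `src`); for a directly connected destination the `src` address lands in a different field, so the script prints the wrong token or nothing, and gopherd.sh then hands that out as the server hostname in every menu line. Select the value by its label instead of its position: `/sbin/ip r g "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p'`. The BSD branch keys on the `local addr` label and strips spaces, so it does not have the same problem.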
@@ -0,0 +1,33 @@
+#!/bin/bash
+#I'm aware of the LFI. Have fun looking around my server.
+read -t 10 req
+base="$1"
+req=$(echo "$req" | tr -d '\r')
+realpath=$(realpath ${base}${req})
+if grep -v "^${base}" <<< "${realpath}" > /dev/null;then
+ echo ${base}
+ echo ${realpath}
+ exit 1
+fi
+hostname=$(/usr/local/bin/hop0 $(/usr/local/libexec/peerip))
+type=$(file "${realpath}" | cut -d: -f2-)
+if grep directory <<< "$type" 2>&1 > /dev/null; then
+ if [ -e "${realpath}/.header" ];then
+ cat "${realpath}/.header" | sed "s/^/i&/g" | sed "s/\$/"`printf "\r"`"/g"
+ fi
+ for i in $(ls "${realpath}");do
+ stype=$(file "${realpath}/${i}" | cut -d: -f2-)
+ if grep directory <<< "$stype" 2>&1 > /dev/null; then
+ printf "1%s\t%s\t%s\t70\r\n" ${req}/${i} ${req}/${i} $hostname
+ else
+ printf "0%s\t%s\t%s\t70\r\n" ${req}/${i} ${req}/${i} $hostname
+ fi
+ done
+ printf ".\r\n"
+else
+ if stat "${realpath}" | cut '-d ' -f3 | grep x >/dev/null;then
+ "${realpath}"
+ else
+ cat "${realpath}"
+ fi
+fi
diff --git a/nocompile/libexec/peerip.pl b/nocompile/libexec/peerip.pl
new file mode 100755
index 0000000..2000ad9
--- /dev/null
+++ b/nocompile/libexec/peerip.pl
@@ -0,0 +1,5 @@
+#!/usr/pkg/bin/perl
+use Socket;
+($port,$addr) = sockaddr_in(getpeername(STDIN));
+print inet_ntoa($addr) . "\n";
+
diff --git a/rebuild.sh b/rebuild.sh
index f705cdb..62380e3 100755
--- a/rebuild.sh
+++ b/rebuild.sh
@@ -1,4 +1,6 @@
-#!/bin/sh -v
+#!/bin/sh -vq
+rm bin/*
+rm libexec/*
 for i in src/*;do
 iout=$(basename $i)
 mkdir -p $iout
diff --git a/src/bin/gethostbyname.c b/src/bin/gethostbyname.c
index 646bf0a..b670b1e 100644
--- a/src/bin/gethostbyname.c
+++ b/src/bin/gethostbyname.c
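Review bot: The containment check `if grep -v "^${base}" <<< "${realpath}"` does not close the LFI the comment admits to: the request side is canonicalized but `base` is used raw, the test is a regex prefix with no trailing `/` (a base of `/srv/gopher` also accepts `/srv/gopher2/...`), and `${base}${req}` is expanded unquoted so a request containing spaces or glob characters is word-split before `realpath` ever sees it. Resolve both sides and compare as a path prefix: `base=$(realpath "$1") || exit 1`, `realpath=$(realpath "${base}/${req}") || exit 1`, `case "${realpath}/" in "${base}/"*) ;; *) exit 1;; esac`. The rejection branch also echoes the server's base and resolved path back to the client; drop those two `echo` lines. Note that the execute branch runs any file with an `x` bit anywhere under the tree as the gopherd user, so nothing a client can write (or that was never meant to run) may live there.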
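Review bot: `getpeername(STDIN)` returns undef when stdin is not a connected socket, and `sockaddr_in(undef)` then dies with a Perl diagnostic instead of a clean empty result. Guard it before unpacking: `my $peer = getpeername(STDIN) or exit 1;` and then `my ($port, $addr) = sockaddr_in($peer);`. The script also runs without `use strict`, so `$port` and `$addr` are implicit globals.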
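Review bot: The new `rm bin/*` and `rm libexec/*` run relative to whatever the current directory is and without `-f`, so invoking the script from elsewhere either fails noisily on the literal glob or, if a `bin/` happens to exist there, deletes unrelated files. Anchor the script and make the cleanup fail-safe: `cd "$(dirname "$0")" || exit 1` before `rm -f -- bin/* libexec/*`. The loop that follows continues outside the hunk.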
@@ -1,10 +1,18 @@
 #include
 #include
+#include
 int main(int argc,char *argv[]) {
 int i;
 if(argc < 2) return 1;
- struct hostent *he=gethostbyname(argv[1]);
+ char *addr;
+ struct in_addr saddr;
+ if(inet_aton(argv[1],&saddr))
+ addr=inet_ntoa(saddr);
+ else
+ addr=argv[1];
+ struct hostent *he=gethostbyname(addr);
+
 for(i=0;he->h_addr_list[i];i++) {
 printf("%u.%u.%u.%u\n",
 (unsigned char)he->h_addr_list[i][0],
diff --git a/src/bin/realpath.c b/src/bin/realpath.c
new file mode 100644
index 0000000..e47f020
--- /dev/null
+++ b/src/bin/realpath.c
@@ -0,0 +1,10 @@
+#include
+#include
+#include
+
+int main(int argc,char *argv[]) {
+ char path[MAXPATHLEN+1];
+ if(!realpath(argv[1],path)) return 1;
+ puts(path);
+ return 0;
+}
diff --git a/src/libexec/deddos.c b/src/libexec/deddos.c
new file mode 100644
index 0000000..245ba41
--- /dev/null
+++ b/src/libexec/deddos.c
@@ -0,0 +1,53 @@
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+void ignore(int a) {}
+
+int main(int argc,char *argv[]) {
+ int i;
+ struct sockaddr sa;
+ signal(SIGALRM,exit);
+ alarm(10);
+ int sl=sizeof(sa);
+ char host[256];
+ char serv[256];
+ char cmd[256];
+ char line[256];
+ char iface[256];
+ char *name[16];
+ getpeername(0,&sa,&sl);
+ //this function is nifty as shit.
+ getnameinfo(&sa,sl,host,256,serv,256,NI_NUMERICHOST);
+ printf("connecting from: %s port %s\n",host,serv);
+ fflush(stdout);
+ printf("select interface:\n");
+ fflush(stdout);
+ system("/bin/cat /etc/interfaces | /usr/bin/tr '\n' ' ' | /usr/bin/fold");
+ fflush(stdout);
+ fgets(iface,sizeof(iface)-1,stdin);
+ for(i=0;iface[i];i++) {
+ if((iface[i] >= 'a' && iface[i] <= 'z') || (iface[i] >= '0' && iface[i] <= '9')) {
+
+ } else {
+ iface[i]=0;
+ }
+ }
+ alarm(60);
+ name[0]="/usr/sbin/tcpdump";
+ name[1]="-c10";
+ name[2]="-ni";
+ name[3]=iface;
+ name[4]="host";
+ name[5]=host;
+ name[6]="and";
+ name[7]="proto";
+ name[8]="UDP";
+ name[9]=0;
+ execv(name[0],name);
+ printf("shit fucked.\n");
+}
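Review bot: The new `struct hostent *he=gethostbyname(addr);` is dereferenced on the very next line (`he->h_addr_list[i]`) with no NULL check, so an unresolvable name or a resolver failure segfaults instead of exiting non-zero the way the `argc` guard above does; add `if(!he) return 1;` right after the call. The `inet_aton`/`inet_ntoa` round-trip is what turns decimal and other shorthand forms into dotted-quad before the lookup, which is worth a one-line comment since it is the point of the change. The loop also assumes each entry is a 4-byte IPv4 address, which holds for `gethostbyname` but should be stated; `main` continues past the end of the hunk.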
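Review bot: `realpath(argv[1],path)` is reached with `argv[1]` NULL when the program is run without an argument, unlike the sibling gethostbyname.c in this commit, which guards with `if(argc < 2) return 1;` first; add the same line at the top of `main`. gopherd.sh relies on a non-zero exit here to reject requests, so the early return keeps that contract rather than crashing. `MAXPATHLEN` comes from `<sys/param.h>`; the include names were stripped from this listing, so confirm it is among them.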
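Review bot: `getpeername(0,&sa,&sl)`, `getnameinfo(...)` and `fgets(iface,...)` all have their results ignored, so when stdin is not a socket or the client disconnects before sending a line, `host` and `iface` reach `execv` holding uninitialized stack bytes; since `host` becomes a tcpdump filter argument, any failure here should end the program rather than start the capture. `struct sockaddr` is also too small to hold an IPv6 peer and `sl` should be `socklen_t` to match the prototypes. `signal(SIGALRM,exit)` installs `exit`, which is not async-signal-safe (it runs stdio flushing from the handler); use `_exit`, or the `ignore` handler that is defined here and otherwise unused, and drop the dead `cmd` and `line` locals. The filter itself is not injectable: `host` is the numeric string from `NI_NUMERICHOST` and the sanitized `iface` goes through `execv` with an explicit argv rather than a shell.
```c
/* … unchanged: includes, ignore() … */
int main(int argc,char *argv[]) {
    int i;
    struct sockaddr_storage sa;
    socklen_t sl=sizeof(sa);
    char host[256];
    char serv[256];
    char iface[256];
    char *name[16];
    signal(SIGALRM,_exit);
    alarm(10);
    /* a peer we cannot name must not become a tcpdump argument */
    if(getpeername(0,(struct sockaddr *)&sa,&sl) < 0) return 1;
    if(getnameinfo((struct sockaddr *)&sa,sl,host,sizeof(host),serv,sizeof(serv),NI_NUMERICHOST)) return 1;
    /* … unchanged: banner, interface listing via system() … */
    if(!fgets(iface,sizeof(iface),stdin) || iface[0]=='\n') return 1;
    /* … unchanged: sanitizing loop, alarm(60), argv setup, execv … */
```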
diff --git a/src/libexec/httpd.c b/src/libexec/httpd.c
index 4b14269..9da149f 100644
--- a/src/libexec/httpd.c
+++ b/src/libexec/httpd.c
@@ -2,13 +2,15 @@
 #include
 #include
 #include
+#include
 #define VHOST_ROOT "/var/www"
 #define CGI "cgi-bin"
 #define SERVER "epochttpd/2.0 (Unix)"
 void standard_headers() {
- printf("Server: %s\n",SERVER);
+ printf("Server: %s\r\n",SERVER);
+ printf("Connection: close\r\n");
 }
 int main(int argc,char *argv[]) {
@@ -22,6 +24,8 @@ int main(int argc,char *argv[]) {
 char *get_param;
 char line[getpagesize()];
 fgets(line,sizeof(line)-1,stdin);
+// syslog(LOG_INFO,"ADDRESS did a LINE");
+// syslog(LOG_WARNING,"httpd syslog test\n");
 if(!strchr(line,'\n')) {
 printf("HTTP/1.1 413 Entity Too Large\r\n");
 standard_headers();
@@ -71,7 +75,7 @@ int main(int argc,char *argv[]) {
 printf("Location: /%sindex.html\r\n\r\n",page);
 return 0;
 }
- if(fd=open(page,O_RDONLY) != -1) {//need to check that the file isn't a directory. :P
+ if((fd=open(page,O_RDONLY)) != -1) {//need to check that the file isn't a directory. :P
 printf("HTTP/1.1 200 OK\r\n");
 standard_headers();
 name[0]="/usr/local/bin/mime-type";
@@ -92,8 +96,9 @@ int main(int argc,char *argv[]) {
 wait(&s);
 fflush(stdout);
 printf("\r\n");
- while((n=read(fd,line,sizeof(line))) > 0) {
- write(1,line,n);
+ fflush(stdout);
+ while((n=read(fd,line,sizeof(line)-1)) > 0) {
+ write(STDOUT_FILENO,line,n);
 }
 } else {
 printf("HTTP/1.1 404 Not Found\r\n");
diff --git a/src/libexec/peerip.c b/src/libexec/peerip.c
new file mode 100644
index 0000000..d35aca7
--- /dev/null
+++ b/src/libexec/peerip.c
@@ -0,0 +1,13 @@
+#include
+#include
+#include
+
+int main(int argc,char *argv[]) {
+ int i;
+ struct sockaddr sa;
+ int sl=sizeof(sa);
+ char host[256];
+ getpeername(0,&sa,&sl);
+ getnameinfo(&sa,sl,host,256,0,0,NI_NUMERICHOST);
+ puts(host);
+}
-- 
cgit v1.2.3
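Review bot: The two `// syslog(...)` lines added after `fgets` are commented-out code with placeholder text (`ADDRESS did a LINE`) and should either be wired up or left out of the commit. If logging is the intent, note that the request line is attacker-controlled, so a real call should strip the trailing newline and any control characters before `syslog(LOG_INFO, "%s %s", peer, line)`, and `openlog` belongs near the top of `main`. The `fgets` result on the line above is still unchecked, so an empty request leaves `line` uninitialized for `strchr`, but that line is context rather than part of this change.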
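Review bot: The parenthesization fix makes `fd` the real descriptor, but the condition still lets a directory through, as its own trailing comment admits: `open` on a directory with `O_RDONLY` succeeds, the 200 header and the mime-type child are emitted, and the later `read` loop fails with EISDIR, so the client gets an empty 200 body. Check the type before committing to the response: `struct stat st;` and `if((fd=open(page,O_RDONLY)) != -1 && fstat(fd,&st)==0 && S_ISREG(st.st_mode)) {` (this needs `<sys/stat.h>`, which the stripped include lines may already cover). With that form a descriptor from a rejected non-regular file falls into the `else` branch still open, so close it there; `main` continues outside the hunk.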
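Review bot: `write(STDOUT_FILENO,line,n)` still discards its return value, so a short write to the socket silently truncates the response body, and `sizeof(line)-1` buys nothing for a raw byte copy since `line` is never NUL-terminated or treated as a string in this loop. Write each chunk until it is fully sent and stop on error; this assumes `n` is declared `ssize_t` (its declaration is outside the hunk). `fd` is also never closed, though that too is outside the hunk.
```c
    while((n=read(fd,line,sizeof(line))) > 0) {
        ssize_t off=0;
        while(off<n) {
            ssize_t w=write(STDOUT_FILENO,line+off,n-off);
            if(w<0) return 1;   /* peer went away; nothing sensible left to send */
            off+=w;
        }
    }
```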
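Review bot: `getpeername(0,&sa,&sl)` and `getnameinfo(...)` are called with their return values ignored, so when stdin is not a connected socket `host` is printed from uninitialized stack memory; gopherd.sh splices this output into the `hop0` call and into every menu line it serves, so a failure should be a non-zero exit with no output: `if(getpeername(0,(struct sockaddr *)&sa,&sl) < 0 || getnameinfo((struct sockaddr *)&sa,sl,host,sizeof(host),0,0,NI_NUMERICHOST)) return 1;`. Declare `sa` as `struct sockaddr_storage` so an IPv6 peer fits and `sl` as `socklen_t` to match the prototypes, and drop the unused `int i`. deddos.c in this same commit copies the identical pattern, so the two should be fixed the same way.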