ustaz99
19-03-04, 12:14 PM
malas la kat ittutor.net diorang jenis taknak tolong la..
harap dapat petunjuk dari korang lak ek, saya baru belajar benda2 nie...
malam tadi test port forwarding ke pc windows, port 135, 139, 445,
dari local pc mdk9.2.
WinXP tu tanpa service pack is vulnerable to dcom&dcom2 exploit.
tapi dgn pforw ni dpt drop pattern '\x90' yg slalunya wujud dlm
stack based buffer overflow..
buat masa nie, testing kat port samba cam takde masalah dan dgn port http.
yg kali nie, buat dalam thread version lak, pid adalah sama utk setiap thread
tapi berlainan tid..
koding yg nie sesajer taruk kod thread mutex dgn cond, tapi tak guna pun,
tapi tu bermakna saya cuba mula membuat applikasi soket yg lain,
cam, simple relay chat. erm... tak tau taktiknya camner, tapi kan,
boleh ker setiap client yg connect, app ni akan menggunakan satu tty/pty utk
semua connections, atau tekniknya dgn tambah satu thread akan pool setiap
setiap active connection dan manage buffer yg menyimpan setiap text line.
<pre>
#include <arpa/inet.h>
#include <errno.h>
#include <limits.h>
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define BUFLEN 1024
#define BUFFER_QUEUE_SIZE 16
#define OVER -1
/* Circular buffer of integers guarded by a mutex and two condition
 * variables (producer/consumer queue).  One slot is always left empty so
 * that readpos == writepos unambiguously means "empty", so the usable
 * capacity is BUFFER_QUEUE_SIZE - 1 (see the full-check in put()).
 * In this listing only init() is ever called on it (from main());
 * put()/get() have no callers here. */
struct prodcons {
    int buffer[BUFFER_QUEUE_SIZE];/* the actual data */
    pthread_mutex_t lock; /* mutex ensuring exclusive access to buffer, readpos and writepos */
    int readpos, writepos; /* positions for reading and writing, both in [0, BUFFER_QUEUE_SIZE) */
    pthread_cond_t notempty; /* signaled by put() when buffer is not empty */
    pthread_cond_t notfull; /* signaled by get() when buffer is not full */
} buffer; /* global variable */
/* Forwarder configuration.  main() fills port/forw_server/forw_port from
 * argv before creating any thread; every connection thread then only
 * reads it, so no locking is needed for these fields. */
struct curconnect {
    char *hostname;     /* not used in this listing */
    int port;           /* local TCP port to accept on (argv[1]) */
    char *forw_server;  /* host every connection is relayed to (argv[2]) */
    int forw_port;      /* TCP port on forw_server (argv[3]) */
    int num_curr_conn;  /* not used in this listing */
} conn;
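/* Initialise an empty producer/consumer queue.
 * b: queue to initialise; must not be NULL and must not be in use by any
 *    other thread while this runs (the mutex is created here, so nothing
 *    can protect b yet). */
void init(struct prodcons * b)
{
    pthread_mutex_init(&b->lock, NULL);
    pthread_cond_init(&b->notempty, NULL);
    pthread_cond_init(&b->notfull, NULL);
    /* readpos == writepos is the empty state */
    b->readpos = 0;
    b->writepos = 0;
}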
/* Append data to the queue, blocking while it is full.
 * b: queue initialised with init(); call without b->lock held, it is
 *    acquired and released inside.
 * Wakes one waiter blocked in get() once the value is stored. */
void put(struct prodcons * b, int data)
{
    pthread_mutex_lock(&b->lock);
    /* The slot right after writepos is kept free so that a full queue is
     * distinguishable from an empty one.  Re-test after every wake-up:
     * condition-variable waits may return spuriously. */
    for (;;) {
        int next = (b->writepos + 1) % BUFFER_QUEUE_SIZE;
        if (next != b->readpos) {
            break;
        }
        pthread_cond_wait(&b->notfull, &b->lock);
    }
    b->buffer[b->writepos] = data;
    b->writepos = (b->writepos + 1) % BUFFER_QUEUE_SIZE;
    pthread_cond_signal(&b->notempty);
    pthread_mutex_unlock(&b->lock);
}
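/* Remove and return the oldest integer in the queue, blocking while it is
 * empty.
 * b: queue initialised with init(); call without b->lock held, it is
 *    acquired and released inside.
 * Returns the dequeued value and wakes one waiter blocked in put(). */
int get(struct prodcons * b)
{
    pthread_mutex_lock(&b->lock);
    /* readpos == writepos is the empty state; loop because wake-ups can be
     * spurious */
    while (b->writepos == b->readpos) {
        pthread_cond_wait(&b->notempty, &b->lock);
    }
    int data = b->buffer[b->readpos];
    b->readpos++;
    if (b->readpos >= BUFFER_QUEUE_SIZE) b->readpos = 0;
    pthread_cond_signal(&b->notfull);
    pthread_mutex_unlock(&b->lock);
    return data;
}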
in_addr_t resolve(char *);
void *thread(void *);
int delchar(char *, int *, char, int);
int connectfd(int *, char *, int);
int listenfd(int *, unsigned long, int);
/* Integer power by repeated multiplication: num raised to the mul-th
 * power.  mul <= 0 yields 1.  There is no overflow check, so large inputs
 * hit signed-integer overflow like any plain int arithmetic would. */
int pow(int num, int mul) {
    int result = 1;
    while (mul-- > 0) {
        result *= num;
    }
    return result;
}
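/* Parse a non-negative decimal integer from str.
 * Only an unbroken run of ASCII digits ("8080") is accepted.  A NULL or
 * empty string, a sign, whitespace, any other character, or a value above
 * INT_MAX makes it return -1 so that callers can reject bad command-line
 * input instead of binding to whatever the garbage evaluated to.
 * Returns the value in [0, INT_MAX], or -1 on invalid input. */
int stoi(char *str) {
    int value = 0;
    if (str == NULL || *str == '\0') return -1;
    for (; *str != '\0'; str++) {
        if (*str < '0' || *str > '9') return -1;
        int digit = *str - '0';
        /* value * 10 + digit must stay <= INT_MAX (signed overflow is UB) */
        if (value > (INT_MAX - digit) / 10) return -1;
        value = value * 10 + digit;
    }
    return value;
}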
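/* Resolve a dotted-quad or DNS name to an IPv4 address.
 * name: host string; a numeric address is converted locally, anything
 *       else goes through getaddrinfo(), which is reentrant and therefore
 *       safe to call from the connection threads (gethostbyname() is not).
 * Returns the address in network byte order, or INADDR_NONE when name is
 * NULL or cannot be resolved.  Failure is reported to the caller instead
 * of calling exit(), so one unresolvable connection no longer takes the
 * whole forwarder down.  INADDR_NONE doubles as the all-ones broadcast
 * address, which is not a usable TCP peer in any case. */
in_addr_t resolve(char *name)
{
    struct in_addr addr;
    if (name == NULL) return INADDR_NONE;
    /* numeric form first: no lookup needed */
    if (inet_pton(AF_INET, name, &addr) == 1) return addr.s_addr;
    struct addrinfo hints = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM };
    struct addrinfo *res = NULL;
    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL) return INADDR_NONE;
    in_addr_t ip = ((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr;
    freeaddrinfo(res);
    return ip;
}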
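/* Entry point: listen on argv[1] and hand every accepted connection to a
 * detached thread() that relays it to argv[2]:argv[3].
 * Returns 1 on bad arguments, an unbindable port, or an unrecoverable
 * accept()/malloc() failure; otherwise the accept loop never ends. */
int main(int argc, char *argv[]) {
    int sock;
    pthread_t tid;
    struct sockaddr_in client;
    socklen_t slen; /* accept() expects socklen_t, not int */
    init(&buffer);
    if(argc<4) {
        printf("[!] Please type %s [s-port] [d-hostname] [d-port]\n", argv[0]);
        return 1;
    }
    conn.port = stoi(argv[1]);
    conn.forw_server = argv[2];
    conn.forw_port = stoi(argv[3]);
    /* stoi() returns -1 for non-numeric input; anything outside the TCP
     * port range would otherwise be silently truncated by htons(). */
    if (conn.port < 1 || conn.port > 65535 || conn.forw_port < 1 || conn.forw_port > 65535) {
        fprintf(stderr, "[!] Ports must be decimal numbers in 1..65535\n");
        return 1;
    }
    /* A peer that disappears mid-write would otherwise kill the whole
     * forwarder with SIGPIPE; the threads already handle the error
     * return from write()/send(). */
    signal(SIGPIPE, SIG_IGN);
    if(!listenfd(&sock, INADDR_ANY, conn.port)) {
        return 1;
    }
    for (;;) {
        slen = sizeof(client);
        /* heap cell so each thread owns its own copy of the fd; thread()
         * frees it */
        int *scli = malloc(sizeof *scli);
        if (scli == NULL) {
            perror("[!] Malloc");
            break;
        }
        *scli = accept(sock, (struct sockaddr *) &client, &slen);
        if (*scli < 0) {
            int err = errno;
            free(scli);
            if (err == EINTR || err == ECONNABORTED) continue; /* transient */
            errno = err;
            perror("[!] Accept");
            break;
        }
        /* pthread_create() returns the error code rather than setting errno */
        int rc = pthread_create(&tid, NULL, thread, scli);
        if (rc != 0) {
            fprintf(stderr, "[!] Thread: %s\n", strerror(rc));
            close(*scli);
            free(scli);
            continue;
        }
        pthread_detach(tid);
    }
    close(sock);
    return 1;
}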
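/* Create a TCP socket listening on long_ip:port.
 * sockfd: receives the descriptor on success and -1 on failure; the
 *         descriptor is closed, not leaked, when bind()/listen() fail.
 * long_ip: IPv4 address in host byte order (e.g. INADDR_ANY).
 * port: TCP port in host byte order.
 * Returns the descriptor, or 0 after printing the reason with perror().
 * Callers test the return value for truth, so a descriptor of 0 (only
 * possible when stdin is closed) would read as failure. */
int listenfd(int *sockfd, unsigned long long_ip, int port) {
    struct sockaddr_in host;
    int on = 1;
    memset(&host, 0, sizeof host); /* sin_zero must not be stack garbage */
    host.sin_family = AF_INET;
    host.sin_addr.s_addr = htonl(long_ip);
    host.sin_port = htons(port);
    if ((*sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("[!] Socket");
        *sockfd = -1;
        return 0;
    }
    /* Let the forwarder restart while old connections sit in TIME_WAIT;
     * failing to set it is not fatal. */
    if (setsockopt(*sockfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on) < 0) {
        perror("[!] Setsockopt");
    }
    if (bind(*sockfd, (struct sockaddr *) &host, sizeof(host)) < 0) {
        perror("[!] Bind");
        goto fail;
    }
    if (listen(*sockfd, 1024) < 0) {
        perror("[!] Listen");
        goto fail;
    }
    return *sockfd;
fail:
    close(*sockfd);
    *sockfd = -1;
    return 0;
}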
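/* Open a TCP connection to hostname:port.
 * sockfd: receives the connected descriptor on success and -1 on failure;
 *         the half-made socket is closed, not leaked, when connect() fails.
 * hostname: dotted-quad or DNS name, handed to resolve().
 * port: TCP port in host byte order.
 * Returns the descriptor on success, 0 on failure after printing the
 * reason.  As in listenfd(), callers test the return value for truth. */
int connectfd(int *sockfd, char *hostname, int port) {
    struct sockaddr_in host;
    memset(&host, 0, sizeof host);
    host.sin_family = AF_INET;
    host.sin_addr.s_addr = resolve(hostname);
    host.sin_port = htons(port);
    /* resolve() reports an unresolvable name as INADDR_NONE */
    if (host.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "[!] Resolve: cannot resolve %s\n", hostname ? hostname : "(null)");
        *sockfd = -1;
        return 0;
    }
    if ((*sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("[!] Socket");
        *sockfd = -1;
        return 0;
    }
    if (connect(*sockfd, (struct sockaddr *)&host, sizeof(host)) != 0) {
        perror("[!] Connect");
        close(*sockfd);
        *sockfd = -1;
        return 0;
    }
    return *sockfd;
}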
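/* Remove every run of num or more consecutive bytes equal to c from
 * word[0..*len), compacting the remaining bytes in place.  Shorter runs
 * are kept.  Only the bytes inside [0, *len) are examined: the original
 * looked one byte past the end of the run, which read word[*len] (stale
 * or out-of-bounds when the buffer is full) and left k uninitialised.
 * word: buffer to filter; len: in/out byte count; c: byte to match;
 * num: minimum run length to delete (num <= 0 deletes every run).
 * Returns the new length, also stored in *len; 0 if word or len is NULL.
 * Note that the function has no memory between calls, so a run that is
 * split across two reads is not seen as one run. */
int delchar(char *word, int *len, char c, int num)
{
    int out = 0; /* next write position in the compacted buffer */
    int run = 0; /* length of the run of c ending at the current byte */
    if (word == NULL || len == NULL) return 0;
    if (*len <= 0) return *len;
    for (int i = 0; i < *len; i++) {
        if (word[i] != c) {
            word[out++] = word[i];
            run = 0;
            continue;
        }
        /* Keep the byte provisionally; the whole run is rolled back once
         * it ends and turned out to be long enough. */
        run++;
        word[out++] = word[i];
        if (run >= num && (i + 1 >= *len || word[i + 1] != c)) {
            out -= run;
            run = 0;
        }
    }
    *len = out;
    return out;
}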
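/* Write all len bytes of buf to fd, retrying on short writes and EINTR.
 * Returns 0 on success, -1 on error or when the peer has gone away. */
static int write_all(int fd, const char *buf, int len)
{
    int off = 0;
    while (off < len) {
        ssize_t n = write(fd, buf + off, (size_t)(len - off));
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        off += (int)n;
    }
    return 0;
}

/* Per-connection relay.  vargp points to a malloc()ed int holding the
 * accepted client socket; it is freed here.  A connection to
 * conn.forw_server:conn.forw_port is opened and bytes are shuttled in
 * both directions until either side closes or errors.  Traffic from the
 * client is passed through delchar() first, which strips runs of three or
 * more 0x90 bytes; traffic from the server is forwarded unmodified.
 * poll() replaces select() so that descriptors >= FD_SETSIZE (possible
 * with many concurrent connections) cannot overrun the fd_set.
 * Always returns NULL; both sockets are closed on every exit path. */
void *thread(void *vargp)
{
    int scli = *((int *)vargp);
    int sser;
    char buf[BUFLEN];
    struct pollfd fds[2];
    free(vargp);
    if(!connectfd(&sser, conn.forw_server, conn.forw_port)) {
        close(scli);
        return NULL;
    }
    fds[0].fd = sser;
    fds[0].events = POLLIN;
    fds[1].fd = scli;
    fds[1].events = POLLIN;
    for (;;) {
        fds[0].revents = 0;
        fds[1].revents = 0;
        if (poll(fds, 2, -1) < 0) {
            if (errno == EINTR) continue;
            break;
        }
        /* an invalid descriptor would make poll() return immediately forever */
        if ((fds[0].revents | fds[1].revents) & POLLNVAL) break;
        /* server -> client: forwarded unmodified */
        if (fds[0].revents & (POLLIN | POLLHUP | POLLERR)) {
            ssize_t got = recv(sser, buf, sizeof(buf), 0);
            if (got <= 0) break; /* 0 = orderly close */
            if (write_all(scli, buf, (int)got) < 0) break;
        }
        /* client -> server: 0x90 runs of length >= 3 are removed first.
         * delchar() only sees one read() at a time, so a run split across
         * two reads is not recognised as one run. */
        if (fds[1].revents & (POLLIN | POLLHUP | POLLERR)) {
            ssize_t got = read(scli, buf, sizeof(buf));
            if (got <= 0) break;
            int len = (int)got;
            delchar(buf, &len, '\x90', 3);
            /* A chunk that was entirely 0x90 leaves nothing to forward; a
             * zero-length send() would return 0 and previously was taken
             * for a closed connection, dropping the whole session. */
            if (len > 0 && write_all(sser, buf, len) < 0) break;
        }
    }
    close(sser);
    close(scli);
    return NULL;
}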
</pre>
harap dapat petunjuk dari korang lak ek, saya baru belajar benda2 nie...
malam tadi test port forwarding ke pc windows, port 135, 139, 445,
dari local pc mdk9.2.
WinXP tu tanpa service pack is vulnerable to dcom&dcom2 exploit.
tapi dgn pforw ni dpt drop pattern '\x90' yg slalunya wujud dlm
stack based buffer overflow..
buat masa nie, testing kat port samba cam takde masalah dan dgn port http.
yg kali nie, buat dalam thread version lak, pid adalah sama utk setiap thread
tapi berlainan tid..
koding yg nie sesajer taruk kod thread mutex dgn cond, tapi tak guna pun,
tapi tu bermakna saya cuba mula membuat applikasi soket yg lain,
cam, simple relay chat. erm... tak tau taktiknya camner, tapi kan,
boleh ker setiap client yg connect, app ni akan menggunakan satu tty/pty utk
semua connections, atau tekniknya dgn tambah satu thread akan pool setiap
setiap active connection dan manage buffer yg menyimpan setiap text line.
<pre>
#include <arpa/inet.h>
#include <errno.h>
#include <limits.h>
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define BUFLEN 1024
#define BUFFER_QUEUE_SIZE 16
#define OVER -1
/* Circular buffer of integers guarded by a mutex and two condition
 * variables (producer/consumer queue).  One slot is always left empty so
 * that readpos == writepos unambiguously means "empty", so the usable
 * capacity is BUFFER_QUEUE_SIZE - 1 (see the full-check in put()).
 * In this listing only init() is ever called on it (from main());
 * put()/get() have no callers here. */
struct prodcons {
    int buffer[BUFFER_QUEUE_SIZE];/* the actual data */
    pthread_mutex_t lock; /* mutex ensuring exclusive access to buffer, readpos and writepos */
    int readpos, writepos; /* positions for reading and writing, both in [0, BUFFER_QUEUE_SIZE) */
    pthread_cond_t notempty; /* signaled by put() when buffer is not empty */
    pthread_cond_t notfull; /* signaled by get() when buffer is not full */
} buffer; /* global variable */
/* Forwarder configuration.  main() fills port/forw_server/forw_port from
 * argv before creating any thread; every connection thread then only
 * reads it, so no locking is needed for these fields. */
struct curconnect {
    char *hostname;     /* not used in this listing */
    int port;           /* local TCP port to accept on (argv[1]) */
    char *forw_server;  /* host every connection is relayed to (argv[2]) */
    int forw_port;      /* TCP port on forw_server (argv[3]) */
    int num_curr_conn;  /* not used in this listing */
} conn;
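/* Initialise an empty producer/consumer queue.
 * b: queue to initialise; must not be NULL and must not be in use by any
 *    other thread while this runs (the mutex is created here, so nothing
 *    can protect b yet). */
void init(struct prodcons * b)
{
    pthread_mutex_init(&b->lock, NULL);
    pthread_cond_init(&b->notempty, NULL);
    pthread_cond_init(&b->notfull, NULL);
    /* readpos == writepos is the empty state */
    b->readpos = 0;
    b->writepos = 0;
}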
/* Append data to the queue, blocking while it is full.
 * b: queue initialised with init(); call without b->lock held, it is
 *    acquired and released inside.
 * Wakes one waiter blocked in get() once the value is stored. */
void put(struct prodcons * b, int data)
{
    pthread_mutex_lock(&b->lock);
    /* The slot right after writepos is kept free so that a full queue is
     * distinguishable from an empty one.  Re-test after every wake-up:
     * condition-variable waits may return spuriously. */
    for (;;) {
        int next = (b->writepos + 1) % BUFFER_QUEUE_SIZE;
        if (next != b->readpos) {
            break;
        }
        pthread_cond_wait(&b->notfull, &b->lock);
    }
    b->buffer[b->writepos] = data;
    b->writepos = (b->writepos + 1) % BUFFER_QUEUE_SIZE;
    pthread_cond_signal(&b->notempty);
    pthread_mutex_unlock(&b->lock);
}
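/* Remove and return the oldest integer in the queue, blocking while it is
 * empty.
 * b: queue initialised with init(); call without b->lock held, it is
 *    acquired and released inside.
 * Returns the dequeued value and wakes one waiter blocked in put(). */
int get(struct prodcons * b)
{
    pthread_mutex_lock(&b->lock);
    /* readpos == writepos is the empty state; loop because wake-ups can be
     * spurious */
    while (b->writepos == b->readpos) {
        pthread_cond_wait(&b->notempty, &b->lock);
    }
    int data = b->buffer[b->readpos];
    b->readpos++;
    if (b->readpos >= BUFFER_QUEUE_SIZE) b->readpos = 0;
    pthread_cond_signal(&b->notfull);
    pthread_mutex_unlock(&b->lock);
    return data;
}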
in_addr_t resolve(char *);
void *thread(void *);
int delchar(char *, int *, char, int);
int connectfd(int *, char *, int);
int listenfd(int *, unsigned long, int);
/* Integer power by repeated multiplication: num raised to the mul-th
 * power.  mul <= 0 yields 1.  There is no overflow check, so large inputs
 * hit signed-integer overflow like any plain int arithmetic would. */
int pow(int num, int mul) {
    int result = 1;
    while (mul-- > 0) {
        result *= num;
    }
    return result;
}
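/* Parse a non-negative decimal integer from str.
 * Only an unbroken run of ASCII digits ("8080") is accepted.  A NULL or
 * empty string, a sign, whitespace, any other character, or a value above
 * INT_MAX makes it return -1 so that callers can reject bad command-line
 * input instead of binding to whatever the garbage evaluated to.
 * Returns the value in [0, INT_MAX], or -1 on invalid input. */
int stoi(char *str) {
    int value = 0;
    if (str == NULL || *str == '\0') return -1;
    for (; *str != '\0'; str++) {
        if (*str < '0' || *str > '9') return -1;
        int digit = *str - '0';
        /* value * 10 + digit must stay <= INT_MAX (signed overflow is UB) */
        if (value > (INT_MAX - digit) / 10) return -1;
        value = value * 10 + digit;
    }
    return value;
}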
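/* Resolve a dotted-quad or DNS name to an IPv4 address.
 * name: host string; a numeric address is converted locally, anything
 *       else goes through getaddrinfo(), which is reentrant and therefore
 *       safe to call from the connection threads (gethostbyname() is not).
 * Returns the address in network byte order, or INADDR_NONE when name is
 * NULL or cannot be resolved.  Failure is reported to the caller instead
 * of calling exit(), so one unresolvable connection no longer takes the
 * whole forwarder down.  INADDR_NONE doubles as the all-ones broadcast
 * address, which is not a usable TCP peer in any case. */
in_addr_t resolve(char *name)
{
    struct in_addr addr;
    if (name == NULL) return INADDR_NONE;
    /* numeric form first: no lookup needed */
    if (inet_pton(AF_INET, name, &addr) == 1) return addr.s_addr;
    struct addrinfo hints = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM };
    struct addrinfo *res = NULL;
    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL) return INADDR_NONE;
    in_addr_t ip = ((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr;
    freeaddrinfo(res);
    return ip;
}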
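/* Entry point: listen on argv[1] and hand every accepted connection to a
 * detached thread() that relays it to argv[2]:argv[3].
 * Returns 1 on bad arguments, an unbindable port, or an unrecoverable
 * accept()/malloc() failure; otherwise the accept loop never ends. */
int main(int argc, char *argv[]) {
    int sock;
    pthread_t tid;
    struct sockaddr_in client;
    socklen_t slen; /* accept() expects socklen_t, not int */
    init(&buffer);
    if(argc<4) {
        printf("[!] Please type %s [s-port] [d-hostname] [d-port]\n", argv[0]);
        return 1;
    }
    conn.port = stoi(argv[1]);
    conn.forw_server = argv[2];
    conn.forw_port = stoi(argv[3]);
    /* stoi() returns -1 for non-numeric input; anything outside the TCP
     * port range would otherwise be silently truncated by htons(). */
    if (conn.port < 1 || conn.port > 65535 || conn.forw_port < 1 || conn.forw_port > 65535) {
        fprintf(stderr, "[!] Ports must be decimal numbers in 1..65535\n");
        return 1;
    }
    /* A peer that disappears mid-write would otherwise kill the whole
     * forwarder with SIGPIPE; the threads already handle the error
     * return from write()/send(). */
    signal(SIGPIPE, SIG_IGN);
    if(!listenfd(&sock, INADDR_ANY, conn.port)) {
        return 1;
    }
    for (;;) {
        slen = sizeof(client);
        /* heap cell so each thread owns its own copy of the fd; thread()
         * frees it */
        int *scli = malloc(sizeof *scli);
        if (scli == NULL) {
            perror("[!] Malloc");
            break;
        }
        *scli = accept(sock, (struct sockaddr *) &client, &slen);
        if (*scli < 0) {
            int err = errno;
            free(scli);
            if (err == EINTR || err == ECONNABORTED) continue; /* transient */
            errno = err;
            perror("[!] Accept");
            break;
        }
        /* pthread_create() returns the error code rather than setting errno */
        int rc = pthread_create(&tid, NULL, thread, scli);
        if (rc != 0) {
            fprintf(stderr, "[!] Thread: %s\n", strerror(rc));
            close(*scli);
            free(scli);
            continue;
        }
        pthread_detach(tid);
    }
    close(sock);
    return 1;
}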
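/* Create a TCP socket listening on long_ip:port.
 * sockfd: receives the descriptor on success and -1 on failure; the
 *         descriptor is closed, not leaked, when bind()/listen() fail.
 * long_ip: IPv4 address in host byte order (e.g. INADDR_ANY).
 * port: TCP port in host byte order.
 * Returns the descriptor, or 0 after printing the reason with perror().
 * Callers test the return value for truth, so a descriptor of 0 (only
 * possible when stdin is closed) would read as failure. */
int listenfd(int *sockfd, unsigned long long_ip, int port) {
    struct sockaddr_in host;
    int on = 1;
    memset(&host, 0, sizeof host); /* sin_zero must not be stack garbage */
    host.sin_family = AF_INET;
    host.sin_addr.s_addr = htonl(long_ip);
    host.sin_port = htons(port);
    if ((*sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("[!] Socket");
        *sockfd = -1;
        return 0;
    }
    /* Let the forwarder restart while old connections sit in TIME_WAIT;
     * failing to set it is not fatal. */
    if (setsockopt(*sockfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on) < 0) {
        perror("[!] Setsockopt");
    }
    if (bind(*sockfd, (struct sockaddr *) &host, sizeof(host)) < 0) {
        perror("[!] Bind");
        goto fail;
    }
    if (listen(*sockfd, 1024) < 0) {
        perror("[!] Listen");
        goto fail;
    }
    return *sockfd;
fail:
    close(*sockfd);
    *sockfd = -1;
    return 0;
}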
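/* Open a TCP connection to hostname:port.
 * sockfd: receives the connected descriptor on success and -1 on failure;
 *         the half-made socket is closed, not leaked, when connect() fails.
 * hostname: dotted-quad or DNS name, handed to resolve().
 * port: TCP port in host byte order.
 * Returns the descriptor on success, 0 on failure after printing the
 * reason.  As in listenfd(), callers test the return value for truth. */
int connectfd(int *sockfd, char *hostname, int port) {
    struct sockaddr_in host;
    memset(&host, 0, sizeof host);
    host.sin_family = AF_INET;
    host.sin_addr.s_addr = resolve(hostname);
    host.sin_port = htons(port);
    /* resolve() reports an unresolvable name as INADDR_NONE */
    if (host.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "[!] Resolve: cannot resolve %s\n", hostname ? hostname : "(null)");
        *sockfd = -1;
        return 0;
    }
    if ((*sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        perror("[!] Socket");
        *sockfd = -1;
        return 0;
    }
    if (connect(*sockfd, (struct sockaddr *)&host, sizeof(host)) != 0) {
        perror("[!] Connect");
        close(*sockfd);
        *sockfd = -1;
        return 0;
    }
    return *sockfd;
}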
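/* Remove every run of num or more consecutive bytes equal to c from
 * word[0..*len), compacting the remaining bytes in place.  Shorter runs
 * are kept.  Only the bytes inside [0, *len) are examined: the original
 * looked one byte past the end of the run, which read word[*len] (stale
 * or out-of-bounds when the buffer is full) and left k uninitialised.
 * word: buffer to filter; len: in/out byte count; c: byte to match;
 * num: minimum run length to delete (num <= 0 deletes every run).
 * Returns the new length, also stored in *len; 0 if word or len is NULL.
 * Note that the function has no memory between calls, so a run that is
 * split across two reads is not seen as one run. */
int delchar(char *word, int *len, char c, int num)
{
    int out = 0; /* next write position in the compacted buffer */
    int run = 0; /* length of the run of c ending at the current byte */
    if (word == NULL || len == NULL) return 0;
    if (*len <= 0) return *len;
    for (int i = 0; i < *len; i++) {
        if (word[i] != c) {
            word[out++] = word[i];
            run = 0;
            continue;
        }
        /* Keep the byte provisionally; the whole run is rolled back once
         * it ends and turned out to be long enough. */
        run++;
        word[out++] = word[i];
        if (run >= num && (i + 1 >= *len || word[i + 1] != c)) {
            out -= run;
            run = 0;
        }
    }
    *len = out;
    return out;
}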
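/* Write all len bytes of buf to fd, retrying on short writes and EINTR.
 * Returns 0 on success, -1 on error or when the peer has gone away. */
static int write_all(int fd, const char *buf, int len)
{
    int off = 0;
    while (off < len) {
        ssize_t n = write(fd, buf + off, (size_t)(len - off));
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        off += (int)n;
    }
    return 0;
}

/* Per-connection relay.  vargp points to a malloc()ed int holding the
 * accepted client socket; it is freed here.  A connection to
 * conn.forw_server:conn.forw_port is opened and bytes are shuttled in
 * both directions until either side closes or errors.  Traffic from the
 * client is passed through delchar() first, which strips runs of three or
 * more 0x90 bytes; traffic from the server is forwarded unmodified.
 * poll() replaces select() so that descriptors >= FD_SETSIZE (possible
 * with many concurrent connections) cannot overrun the fd_set.
 * Always returns NULL; both sockets are closed on every exit path. */
void *thread(void *vargp)
{
    int scli = *((int *)vargp);
    int sser;
    char buf[BUFLEN];
    struct pollfd fds[2];
    free(vargp);
    if(!connectfd(&sser, conn.forw_server, conn.forw_port)) {
        close(scli);
        return NULL;
    }
    fds[0].fd = sser;
    fds[0].events = POLLIN;
    fds[1].fd = scli;
    fds[1].events = POLLIN;
    for (;;) {
        fds[0].revents = 0;
        fds[1].revents = 0;
        if (poll(fds, 2, -1) < 0) {
            if (errno == EINTR) continue;
            break;
        }
        /* an invalid descriptor would make poll() return immediately forever */
        if ((fds[0].revents | fds[1].revents) & POLLNVAL) break;
        /* server -> client: forwarded unmodified */
        if (fds[0].revents & (POLLIN | POLLHUP | POLLERR)) {
            ssize_t got = recv(sser, buf, sizeof(buf), 0);
            if (got <= 0) break; /* 0 = orderly close */
            if (write_all(scli, buf, (int)got) < 0) break;
        }
        /* client -> server: 0x90 runs of length >= 3 are removed first.
         * delchar() only sees one read() at a time, so a run split across
         * two reads is not recognised as one run. */
        if (fds[1].revents & (POLLIN | POLLHUP | POLLERR)) {
            ssize_t got = read(scli, buf, sizeof(buf));
            if (got <= 0) break;
            int len = (int)got;
            delchar(buf, &len, '\x90', 3);
            /* A chunk that was entirely 0x90 leaves nothing to forward; a
             * zero-length send() would return 0 and previously was taken
             * for a closed connection, dropping the whole session. */
            if (len > 0 && write_all(sser, buf, len) < 0) break;
        }
    }
    close(sser);
    close(scli);
    return NULL;
}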
</pre>