7etsuo/7etsuo_exploit.c

## 7etsuo_exploit.c
/**
 *		 ______   _______ _________ _______
 *		/ ___  \ (  ____ \\__   __/(  ____ \|\     /|
 *		\/   )  )| (    \/   ) (   | (    \/| )   ( |
 *		    /  / | (__       | |   | (_____ | |   | |
 *		   /  /  |  __)      | |   (_____  )| |   | |
 *		  /  /   | (         | |         ) || |   | |
 *		 /  /    | (____/\   | |   /\____) || (___) |
 *		 \_/     (_______/   )_(   \_______)(_______)
 *
 */

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <ws2tcpip.h>

#pragma warning(disable : 4996) // We use _CRT_SECURE_NO_WARNINGS here otherwise it will complain about using strcpy()
#pragma comment(lib, "Ws2_32.lib")

#define PORT 12345
#define BUFFER_SIZE 1024

#pragma optimize("", off)

void gadget1(void)
{
	__asm {
		mov[eax], ecx
		ret
	};
}

void gadget2(void)
{
	__asm {
		add eax, ecx
		ret
	};
}

void gadget3(void)
{
	__asm {
		neg eax
		ret
	};
}

void gadget4(void)
{
	__asm {
		inc eax
		ret
	};
}

void gadget5(void)
{
	__asm {
		mov eax, esi
		pop esi
		ret
	};
}

void gadget6(void)
{
	__asm {
		mov ecx, eax
		mov eax, esi
		pop esi
		retn 0x0010
	};
}

void gadget7(void)
{
	__asm {
		pop eax
		ret
	};
}


void gadget8(void)
{
	__asm {
		pop ecx
		ret
	};
}

void gadget9(void)
{
	__asm {
		push eax
		pop esi
		ret
	};
}

void gadgetA(void)
{
	__asm {
		push esp
		pop esi
		ret
	};
}

void gadgetB(void)
{
	__asm {
		xchg eax, esp
		ret
	};
}

void vulnerable(char* input, size_t size)
{
	char buffer[128];
	memcpy(buffer, input, size);  // Vulnerable function call
}

int main(int argc, char** argv)
{
	WSADATA wsaData;
	SOCKET listenSocket = INVALID_SOCKET, clientSocket = INVALID_SOCKET;
	struct sockaddr_in serverAddr;
	char recvBuffer[BUFFER_SIZE];
	int recvSize;

	// Initialize Winsock
	if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
		printf("WSAStartup failed. Error: %d\n", WSAGetLastError());
		return 1;
	}

	// Create a socket
	listenSocket = socket(AF_INET, SOCK_STREAM, 0);
	if (listenSocket == INVALID_SOCKET) {
		printf("Socket creation failed. Error: %d\n", WSAGetLastError());
		WSACleanup();
		return 1;
	}

	// Bind the socket
	serverAddr.sin_family = AF_INET;
	serverAddr.sin_addr.s_addr = INADDR_ANY;
	serverAddr.sin_port = htons(PORT);

	if (bind(listenSocket, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) == SOCKET_ERROR) {
		printf("Bind failed. Error: %d\n", WSAGetLastError());
		closesocket(listenSocket);
		WSACleanup();
		return 1;
	}

	// Listen for connections
	if (listen(listenSocket, SOMAXCONN) == SOCKET_ERROR) {
		printf("Listen failed. Error: %d\n", WSAGetLastError());
		closesocket(listenSocket);
		WSACleanup();
		return 1;
	}

	printf("Listening on port %d...\n", PORT);

	// Accept a client connection
	clientSocket = accept(listenSocket, NULL, NULL);
	if (clientSocket == INVALID_SOCKET) {
		printf("Accept failed. Error: %d\n", WSAGetLastError());
		closesocket(listenSocket);
		WSACleanup();
		return 1;
	}

	// Receive data from the client
	recvSize = recv(clientSocket, recvBuffer, BUFFER_SIZE - 1, 0);
	if (recvSize == SOCKET_ERROR) {
		printf("Recv failed. Error: %d\n", WSAGetLastError());
		closesocket(clientSocket);
		closesocket(listenSocket);
		WSACleanup();
		return 1;
	}
	recvBuffer[recvSize] = '\0'; // Null-terminate the received data

	// Process the received data
	vulnerable(recvBuffer, recvSize);

	printf("Executed normally\n");

	// Cleanup
	closesocket(clientSocket);
	closesocket(listenSocket);
	WSACleanup();

	return 0;
}
	/**
	* ______ _______ _________ _______
	* / ___ \ ( ____ \\__ __/( ____ \\|\ /\|
	* \/ ) )\| ( \/ ) ( \| ( \/\| ) ( \|
	* / / \| (__ \| \| \| (_____ \| \| \| \|
	* / / \| __) \| \| (_____ )\| \| \| \|
	* / / \| ( \| \| ) \|\| \| \| \|
	* / / \| (____/\ \| \| /\____) \|\| (___) \|
	* \_/ (_______/ )_( \_______)(_______)
	*
	*/

	#include <stdio.h>
	#include <string.h>
	#include <winsock2.h>
	#include <ws2tcpip.h>

	#pragma warning(disable : 4996) // We use _CRT_SECURE_NO_WARNINGS here otherwise it will complain about using strcpy()
	#pragma comment(lib, "Ws2_32.lib")

	#define PORT 12345
	#define BUFFER_SIZE 1024

	#pragma optimize("", off)

	void gadget1(void)
	{
	__asm {
	mov[eax], ecx
	ret
	};
	}

	void gadget2(void)
	{
	__asm {
	add eax, ecx
	ret
	};
	}

	void gadget3(void)
	{
	__asm {
	neg eax
	ret
	};
	}

	void gadget4(void)
	{
	__asm {
	inc eax
	ret
	};
	}

	void gadget5(void)
	{
	__asm {
	mov eax, esi
	pop esi
	ret
	};
	}

	void gadget6(void)
	{
	__asm {
	mov ecx, eax
	mov eax, esi
	pop esi
	retn 0x0010
	};
	}

	void gadget7(void)
	{
	__asm {
	pop eax
	ret
	};
	}


	void gadget8(void)
	{
	__asm {
	pop ecx
	ret
	};
	}

	void gadget9(void)
	{
	__asm {
	push eax
	pop esi
	ret
	};
	}

	void gadgetA(void)
	{
	__asm {
	push esp
	pop esi
	ret
	};
	}

	void gadgetB(void)
	{
	__asm {
	xchg eax, esp
	ret
	};
	}

	void vulnerable(char* input, size_t size)
	{
	char buffer[128];
	memcpy(buffer, input, size); // Vulnerable function call
	}

	int main(int argc, char** argv)
	{
	WSADATA wsaData;
	SOCKET listenSocket = INVALID_SOCKET, clientSocket = INVALID_SOCKET;
	struct sockaddr_in serverAddr;
	char recvBuffer[BUFFER_SIZE];
	int recvSize;

	// Initialize Winsock
	if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
	printf("WSAStartup failed. Error: %d\n", WSAGetLastError());
	return 1;
	}

	// Create a socket
	listenSocket = socket(AF_INET, SOCK_STREAM, 0);
	if (listenSocket == INVALID_SOCKET) {
	printf("Socket creation failed. Error: %d\n", WSAGetLastError());
	WSACleanup();
	return 1;
	}

	// Bind the socket
	serverAddr.sin_family = AF_INET;
	serverAddr.sin_addr.s_addr = INADDR_ANY;
	serverAddr.sin_port = htons(PORT);

	if (bind(listenSocket, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) == SOCKET_ERROR) {
	printf("Bind failed. Error: %d\n", WSAGetLastError());
	closesocket(listenSocket);
	WSACleanup();
	return 1;
	}

	// Listen for connections
	if (listen(listenSocket, SOMAXCONN) == SOCKET_ERROR) {
	printf("Listen failed. Error: %d\n", WSAGetLastError());
	closesocket(listenSocket);
	WSACleanup();
	return 1;
	}

	printf("Listening on port %d...\n", PORT);

	// Accept a client connection
	clientSocket = accept(listenSocket, NULL, NULL);
	if (clientSocket == INVALID_SOCKET) {
	printf("Accept failed. Error: %d\n", WSAGetLastError());
	closesocket(listenSocket);
	WSACleanup();
	return 1;
	}

	// Receive data from the client
	recvSize = recv(clientSocket, recvBuffer, BUFFER_SIZE - 1, 0);
	if (recvSize == SOCKET_ERROR) {
	printf("Recv failed. Error: %d\n", WSAGetLastError());
	closesocket(clientSocket);
	closesocket(listenSocket);
	WSACleanup();
	return 1;
	}
	recvBuffer[recvSize] = '\0'; // Null-terminate the received data

	// Process the received data
	vulnerable(recvBuffer, recvSize);

	printf("Executed normally\n");

	// Cleanup
	closesocket(clientSocket);
	closesocket(listenSocket);
	WSACleanup();

	return 0;
	}