
Thursday, 10 November 2011

How the Sub Seven master password was discovered

by 梦醒时分

Our target is Sub7. Do you think that once you have set a password on the Sub7 server, nobody else can connect to it?
You have made a big mistake! Here I will show you how I found the security hole in this trojan's server.

The tools you need:

(x) SoftICE (+ SymbolLoader). You can get it from cracking enthusiasts, and many cracking sites carry it too.
(x) Hiew 6.16, an editor.
(x) The target, Sub7, available here: subseven.slak.org
(x) Basic knowledge of SoftICE commands and of assembly language.


Let's get started:

I was interested in the part of the client connection where the password gets compared. So I used SoftICE's symbol
loader to load some Winsock exports :)

Run the loader, click the "FILE - LOAD EXPORTS" menu, browse to your Windows system directory, select "wsock32.dll"
and open it. SymbolLoader should display:

"Exports for Z:\WINDBLOWZ\SYSTEM\Wsock32.dll loaded sucessfully"

Now use EditServer.exe to configure the Sub7 server (see other documents; I won't cover it here). I set the port to 666 and the password to "abuse". Run the server trojan and it will soon be installed on your machine, but never do this on a machine that is on the Internet.
(I take no responsibility for this program; I did not write it.) Run SubSeven.exe and connect to the server (IP address 127.0.0.1,
that is, your own machine). The password box pops up; type in any password. The server receives the client's data with WSOCK32!recv.
The Windows Sockets recv function receives data from a socket. Its prototype is as follows:

int recv (
    SOCKET s,
    char FAR* buf,
    int len,
    int flags
);
The second parameter (char FAR* buf) is very important: that is where the received data is stored. Now, in SoftICE, set a breakpoint on recv.
When it triggers (enter "d esp->8" to display the buffer), click OK to send the password. SoftICE pops up; press F11 (g @ss:esp). When execution reaches the password part,
the SoftICE data window shows 'PWD'. Now set a breakpoint on the password's address (e.g. bpr 405000 405010 RW) and on the copy
it will make at 004029c5.

The next time you will stop at 004040dd:

0167:004040dd 8b0e     mov ecx,[esi]
0167:004040df 8b1f     mov ebx,[edi]
0167:004040e1 39d9     cmp ecx,ebx
0167:004040e3 7558     jnz 0040413d
0167:004040e5 4a       dec edx
0167:004040e6 7415     jz 004040fd
0167:004040e8 8b4e04   mov ecx,[esi+04]
0167:004040eb 8b5f04   mov ebx,[edi+04]
0167:004040ee 39d9     cmp ecx,ebx

It stopped at 4040dd because we set a breakpoint on our password, so our copy of it is held in esi. The first four letters are moved into ecx, the four letters from the other string are held in ebx, and then they are compared... Now you think you have found the place where the password is compared? No, no,
no way! The Sub7 author is even more stupid!!! Type "d edi" in SoftICE and look:

016F:012A3DD4 31 34 34 33 38 31 33 36-37 38 32 37 31 35 31 30 1443813678271510
016F:012A3DE4 31 39 38 30 00 69 6F 00-28 00 00 00 22 00 00 00 1980.io.(..."...
016F:012A3DF4 01 00 00 00 13 00 00 00-53 75 62 73 65 76 65 6E ........Subseven
016F:012A3E04 5F 5F 5F 3C 20 70 69 63-6B 20 3E 00 10 3E 2A 01 ___< pick >..>*.
016F:012A3E14 10 3E 2A 01 38 00 00 00-53 75 62 73 65 76 65 6E .>*.8...Subseven

Strange, that is not the "abuse" password I set. So let's try connecting once more... SubSeven shows: connected.
Huh, how can that be? Did SubSeven leave a system password in? Heh, you can try it a few more times on your own computer. Ah, yes,
that is the system password.
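The compare loop at 004040dd and the flaw it exposes, as an added C example that is not part of the original post: dword_compare mirrors the loop, auth_as_found models the behaviour observed (the configured password is only one of two accepted strings), and auth_hardened consults only the configured secret, in constant time. BUILTIN_MASTER is a constructed placeholder, not the string from the dump.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed placeholder standing in for the compiled-in string the post
 * finds at edi; it is not the real value. */
static const char BUILTIN_MASTER[] = "PLACEHOLDER-BUILTIN-PASSWORD";

/* Reconstruction of the loop at 004040dd: esi points at the received
 * password, edi at the string it is checked against, and edx counts the
 * remaining 4-byte groups. Each step loads one dword from each side
 * (mov ecx,[esi] / mov ebx,[edi]), compares them (cmp ecx,ebx) and bails
 * out on the first mismatch (jnz 0040413d). A short final group is
 * compared byte-wise so lengths that are not a multiple of 4 still work. */
static bool dword_compare(const char *recvd, const char *expected, size_t len)
{
    for (size_t off = 0; off < len; off += 4) {
        size_t n = (len - off < 4) ? len - off : 4;
        uint32_t ecx = 0, ebx = 0;
        memcpy(&ecx, recvd + off, n);
        memcpy(&ebx, expected + off, n);
        if (ecx != ebx)
            return false;
    }
    return true;
}

/* Password check as the post observes it: the password set in EditServer
 * is accepted, but so is the compiled-in string, whatever was configured. */
bool auth_as_found(const char *recvd, const char *configured)
{
    size_t rlen = strlen(recvd);
    if (rlen == strlen(configured) && dword_compare(recvd, configured, rlen))
        return true;
    return rlen == strlen(BUILTIN_MASTER) && dword_compare(recvd, BUILTIN_MASTER, rlen);
}

/* Hardened form: only the configured secret is consulted, the length check
 * is folded into the result, and every byte is examined regardless of
 * where the first mismatch occurs, so timing reveals nothing. */
bool auth_hardened(const char *recvd, const char *configured)
{
    size_t rlen = strlen(recvd), clen = strlen(configured);
    unsigned char diff = (unsigned char)(rlen != clen);
    for (size_t i = 0; i < clen; i++)
        diff |= (unsigned char)(configured[i] ^ (i < rlen ? recvd[i] : 0));
    return diff == 0;
}
```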

OK, that's it. I just thought someone might find this interesting. I take no responsibility for this article!
